
Another Google/Yahoo searches are redirected


  • This topic is locked
22 replies to this topic

#1 slacker35

  • Members
  • 30 posts

Posted 26 May 2010 - 01:53 PM

When I click on search results from Google or Yahoo (haven't tried other browsers) the links get redirected to unknown ads. After I ran Malwarebytes and Superantispyware they found and removed some stuff but the redirecting links are still happening.
I have searched for the "C:/Windows/system32/wdmaud.sys" according to other posts, but it was only in the 'drivers' folder as it's supposed to be.
I tried to run the GMER log but before the scan is complete I get the blue screen of death (2 times). However, I didn't write down the exact wording (doh), but it was something like "physical memory dump". If you guys need this, I'll try to run it again.
Anyway, here are the other logs, I appreciate any help w/ this matter.
Thanks!


DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 12:20:04.48 on Wed 05/26/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1174 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\ActivIdentity\ActivClient\accoca.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\FarStone\DriveClone Pro\EFB\efbfs.exe
C:\Program Files\FarStone\DriveClone Pro\CBP\DCSchdler.exe
C:\Program Files\FarStone\DriveClone Pro\fsloader.exe
C:\Program Files\FarStone\DriveClone Pro\EFB\EfbSchedule.exe
C:\Program Files\FarStone\DriveClone Pro\VerChk.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Canon\OpwareSE4.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
C:\Program Files\HP\Button Manager\BM.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRunOnce: [Setup_bootstrap] "d:\\setup.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\canon\OpwareSE4.exe"
mRun: [<NO NAME>]
mRun: [accrdsub] "c:\program files\actividentity\activclient\accrdsub.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\activc~1.lnk - c:\program files\actividentity\activclient\acsagent.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpbutt~1.lnk - c:\program files\hp\button manager\BM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: disa.mil\amc.csd
Trusted Zone: intuit.com\ttlc
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1228284722765
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: 54080f0e922 - c:\windows\system32\els32.dll
Notify: ackpbsc - c:\windows\system32\ackpbsc.dll
Notify: acunlock - c:\program files\actividentity\activclient\acunlock.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\els32.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 dcsnap;dcsnap;c:\windows\system32\drivers\dcsnap.sys [2008-5-7 108544]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-7-8 385536]
R1 DCDisk;DCDisk;c:\windows\system32\drivers\DCDisk.sys [2008-5-7 213120]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-6 67656]
R2 accoca;ActivClient Middleware Service;c:\program files\actividentity\activclient\accoca.exe [2007-5-15 182576]
R2 efbfs;Restore FarStone File Event Manager;c:\program files\farstone\driveclone pro\efb\efbfs.exe [2008-5-7 24576]
R2 FarStone RestoreIT Loader;FarStone RestoreIT Loader;c:\program files\farstone\driveclone pro\fsloader.exe [2007-4-27 90112]
R2 flbdisk;flbdisk;c:\windows\system32\drivers\flbdisk.sys [2008-5-7 16896]
R2 flbrc;flbrc;c:\windows\system32\drivers\flbrc.sys [2008-5-7 37632]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-5-1 203280]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2010-5-1 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-5-1 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-5-1 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-5-1 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-5-1 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-5-1 40552]
R3 SCRx31 USB Reader;SCRx31 USB Reader;c:\windows\system32\drivers\stc2.sys [2009-1-11 56320]
S1 efbDisk;efbDisk; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
S2 DCScheduler;DriveClone Scheduler;c:\program files\farstone\driveclone pro\cbp\DCSchdlerSRVC.exe [2008-5-7 98304]
S2 MSSQL$MSSQLTMS;MSSQL$MSSQLTMS;c:\program files\microsoft sql server\mssql$mssqltms\binn\sqlservr.exe -smssqltms --> c:\program files\microsoft sql server\mssql$mssqltms\binn\sqlservr.exe -sMSSQLTMS [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-5-1 34248]
S3 REMOVE;REMOVE;\??\c:\windows\system32\drivers\remove.sys --> c:\windows\system32\drivers\REMOVE.SYS [?]
S3 SQLAgent$MSSQLTMS;SQLAgent$MSSQLTMS;c:\program files\microsoft sql server\mssql$mssqltms\binn\sqlagent.exe -i mssqltms --> c:\program files\microsoft sql server\mssql$mssqltms\binn\sqlagent.EXE -i MSSQLTMS [?]

=============== Created Last 30 ================

2010-05-26 05:05:15 0 d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-05-26 04:26:03 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-05-26 04:26:03 215920 ----a-w- c:\windows\system32\muweb.dll
2010-05-26 04:26:03 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-05-26 03:24:10 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-05-26 03:23:46 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-26 03:23:46 0 d-----w- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2010-05-26 03:22:33 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-05-26 02:23:30 24576 ----a-w- c:\windows\system32\drivers\KBDCLASS.SYS
2010-05-26 00:12:46 0 d-----w- c:\program files\Microsoft Security Essentials
2010-05-25 06:12:19 0 d-----w- c:\program files\SpywareBlaster
2010-05-24 00:09:28 0 d-----w- c:\docume~1\admini~1\applic~1\Gradkell Systems, Inc
2010-05-23 20:09:14 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-05-23 20:08:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-23 20:08:46 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-23 20:08:45 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-23 20:08:45 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-23 06:56:11 18688 ----a-w- c:\windows\system32\drivers\cdaudio.sys
2010-05-23 06:55:04 0 d-----w- c:\docume~1\admini~1\applic~1\F9775AE385973A915E6351E155C35F91
2010-05-02 02:32:31 12987 ----a-w- c:\windows\system32\Config.MPF
2010-05-02 02:24:23 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-05-02 02:24:23 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2010-05-02 02:24:23 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-05-02 02:24:17 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-05-02 02:23:44 0 d-----w- c:\program files\McAfee.com
2010-05-02 02:19:56 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys

==================== Find3M ====================

2010-05-26 15:22:27 15360 ---h--w- C:\logicinf.bin
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll

============= FINISH: 12:20:52.50 ===============
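The "Pseudo HJT Report" section of the DDS log above lists the browser helper objects, toolbars, Run keys, Winlogon Notify packages and AppInit_DLLs that load automatically. The parser below is an added example (it is not part of the thread, not a BleepingComputer tool, and not how the helpers here triage logs): it turns those lines into typed entries and surfaces the ones a reviewer normally looks at first, namely any AppInit_DLLs entry, a Notify DLL that is also registered in AppInit_DLLs, orphaned browser objects ("No File") and unnamed Run values. It only flags load points for review; deciding whether a flagged file is malicious is left to the analyst. The sample log is constructed from a subset of the lines posted above.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the "Pseudo HJT Report" lines from the posted DDS log,
# bracketed by the section markers DDS uses, so the section detection can be exercised.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [<NO NAME>]
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: 54080f0e922 - c:\windows\system32\els32.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\els32.dll

============= SERVICES / DRIVERS ===============
"""

RUN_KINDS = ("uRun", "mRun", "uRunOnce", "mRunOnce")
LINE_RE = re.compile(r"^(?P<kind>[A-Za-z_]+): ?(?P<rest>.*)$")
RUN_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
CLSID_RE = re.compile(r"\{[0-9a-fA-F-]{36}\}")
EXE_RE = re.compile(r'^(?P<p>[^"]+?\.(?:exe|dll|scr|com|bat|cmd|sys))', re.IGNORECASE)


@dataclass
class Entry:
    kind: str   # BHO, TB, uRun, mRun, Notify, AppInit_DLLs, ...
    name: str   # display name or Run value name; "" when absent
    path: str   # lower-cased file path as written in the log; "" when "No File"


def _first_path(cmd):
    """Return the executable/DLL path at the start of a Run command line ("" if none)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, possibly followed by args
        end = cmd.find('"', 1)
        return cmd[1:end].lower() if end > 0 else cmd.strip('"').lower()
    m = EXE_RE.match(cmd)                        # unquoted path: cut at the first binary extension
    return m.group("p").lower() if m else cmd.lower()


def _split_entry(kind, rest):
    """Split the text after 'KIND:' into (name, path) according to the line type."""
    if kind in RUN_KINDS:
        m = RUN_RE.match(rest)
        if m:
            return Entry(kind, m.group("name"), _first_path(m.group("cmd")))
        return Entry(kind, "", _first_path(rest))
    if kind == "AppInit_DLLs":
        return Entry(kind, "", rest.strip().lower())
    if kind == "Notify":
        name, _, path = rest.partition(" - ")
        return Entry(kind, name.strip(), path.strip().lower())
    if kind in ("BHO", "TB", "SEH"):
        head, sep, path = rest.rpartition(" - ")
        if not sep:
            head, path = rest, ""
        name = CLSID_RE.sub("", head).strip(": ")
        if path.strip().lower() == "no file":    # orphaned registration
            path = ""
        return Entry(kind, name, path.strip().lower())
    return Entry(kind, rest.strip(), "")


def parse_hjt_section(text):
    """Parse only the 'Pseudo HJT Report' section of a DDS log into Entry objects."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("====="):             # DDS section marker
            in_section = "Pseudo HJT Report" in line
            continue
        if not in_section or not line:
            continue
        m = LINE_RE.match(line)
        if m:                                    # lines like 'uStart Page = ...' are skipped
            entries.append(_split_entry(m.group("kind"), m.group("rest")))
    return entries


def review(entries):
    """Return (entry, reason) pairs for load points that deserve a closer look."""
    findings = []
    appinit = {e.path for e in entries if e.kind == "AppInit_DLLs" and e.path}
    for e in entries:
        if e.kind == "AppInit_DLLs":
            findings.append((e, "AppInit_DLLs entry: loaded into every process that links user32.dll"))
        elif e.kind == "Notify" and e.path in appinit:
            findings.append((e, "Winlogon Notify DLL is also registered in AppInit_DLLs"))
        elif e.kind in ("BHO", "TB") and e.path == "":
            findings.append((e, "orphaned browser object (No File)"))
        elif e.kind in RUN_KINDS and e.name in ("", "<NO NAME>"):
            findings.append((e, "unnamed Run value"))
    return findings


if __name__ == "__main__":
    for entry, reason in review(parse_hjt_section(SAMPLE_LOG)):
        print(f"{entry.kind:13} {entry.name or '-':28} {entry.path or '-':45} {reason}")
```

On the sample above this reports four lines: the toolbar with no file, the empty mRun value, and the els32.dll registration in both Winlogon Notify and AppInit_DLLs. The last two point at the same DLL, which is why an analyst would want to identify that file before anything else in the log.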


#2 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 28 May 2010 - 06:24 AM

Hello and Welcome to Bleepingcomputer

Please note we are very busy, so if I don't hear from you within 5 days the topic will be closed. If you have
since resolved your issues I would appreciate it if you would let me know so I can close this topic.


We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
    Under the Custom Scans/Fixes box at the bottom, paste in the following bold text.
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %SYSTEMDRIVE%\*.exe
    netsvcs
    msconfig
    drivers32
    CREATERESTOREPOINT

  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Thanks



#3 slacker35

  • Topic Starter
  • Members
  • 30 posts

Posted 28 May 2010 - 10:13 AM

Thank you for your help!! Here are the logs:


OTL logfile created on: 5/28/2010 10:00:39 AM - Run 1
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 75.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 1700 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 51.93 Gb Free Space | 69.70% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 5.49 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive G: | 973.17 Mb Total Space | 174.08 Mb Free Space | 17.89% Space Free | Partition Type: FAT
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BIGCOMPUTER
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/28 09:58:50 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2010/03/29 17:12:18 | 000,810,120 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
PRC - [2010/03/29 17:11:50 | 002,145,000 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
PRC - [2010/03/18 12:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
PRC - [2009/09/29 10:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/02/26 12:57:28 | 000,128,296 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
PRC - [2007/06/13 10:39:12 | 000,073,728 | ---- | M] (Nuance Communications, Inc.) -- C:\Program Files\Canon\OpWareSE4.exe
PRC - [2007/05/15 16:08:40 | 000,182,576 | ---- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient\accoca.exe
PRC - [2007/05/15 16:08:38 | 000,095,024 | ---- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient\acevents.exe
PRC - [2007/05/15 16:08:08 | 000,293,168 | ---- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
PRC - [2007/05/15 16:08:00 | 000,130,864 | ---- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
PRC - [2007/04/27 19:56:26 | 000,176,128 | ---- | M] () -- C:\Program Files\FarStone\DriveClone Pro\CBP\DCSchdler.exe
PRC - [2007/04/27 19:56:14 | 000,049,214 | ---- | M] () -- C:\Program Files\FarStone\DriveClone Pro\EFB\EfbSchedule.exe
PRC - [2007/04/27 19:56:12 | 000,024,576 | ---- | M] (FarStone Technology, Inc.) -- C:\Program Files\FarStone\DriveClone Pro\EFB\efbfs.exe
PRC - [2007/04/27 19:54:12 | 000,049,152 | ---- | M] (FarStone Technology, Inc.) -- C:\Program Files\FarStone\DriveClone Pro\VerChk.exe
PRC - [2007/04/27 19:54:06 | 000,090,112 | ---- | M] () -- C:\Program Files\FarStone\DriveClone Pro\fsloader.exe
PRC - [2005/09/08 07:20:00 | 000,122,940 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLACTRLW.EXE
PRC - [2005/02/16 16:15:20 | 000,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PRC - [2004/10/14 16:42:54 | 001,404,928 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
PRC - [2002/12/17 18:23:32 | 000,074,308 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
PRC - [2002/09/20 15:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


========== Modules (SafeList) ==========

MOD - [2010/05/28 09:58:50 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2007/06/13 10:39:22 | 000,139,264 | ---- | M] (Nuance Communications, Inc.) -- C:\Program Files\Canon\OpHookSE4.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/03/29 17:16:36 | 000,033,560 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe -- (EhttpSrv)
SRV - [2010/03/29 17:12:18 | 000,810,120 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe -- (ekrn)
SRV - [2010/03/18 12:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2009/09/29 10:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2007/05/15 16:08:40 | 000,182,576 | ---- | M] (ActivIdentity) [Auto | Running] -- C:\Program Files\ActivIdentity\ActivClient\accoca.exe -- (accoca)
SRV - [2007/04/27 19:56:26 | 000,098,304 | ---- | M] () [Auto | Stopped] -- C:\Program Files\FarStone\DriveClone Pro\CBP\DCSchdlerSRVC.exe -- (DCScheduler)
SRV - [2007/04/27 19:56:12 | 000,024,576 | ---- | M] (FarStone Technology, Inc.) [Auto | Running] -- C:\Program Files\FarStone\DriveClone Pro\EFB\efbfs.exe -- (efbfs)
SRV - [2007/04/27 19:54:06 | 000,090,112 | ---- | M] () [Auto | Running] -- C:\Program Files\FarStone\DriveClone Pro\fsloader.exe -- (FarStone RestoreIT Loader)
SRV - [2002/12/17 18:26:22 | 007,520,337 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Microsoft SQL Server\MSSQL$MSSQLTMS\Binn\sqlservr.exe -- (MSSQL$MSSQLTMS)
SRV - [2002/12/17 18:23:30 | 000,311,872 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft SQL Server\MSSQL$MSSQLTMS\Binn\sqlagent.EXE -- (SQLAgent$MSSQLTMS)
SRV - [2002/09/20 15:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


========== Driver Services (SafeList) ==========

DRV - [2010/03/29 17:13:44 | 000,095,872 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\epfwtdir.sys -- (epfwtdir)
DRV - [2010/03/29 17:12:00 | 000,114,984 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ehdrv.sys -- (ehdrv)
DRV - [2010/03/29 17:07:30 | 000,140,216 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\eamon.sys -- (eamon)
DRV - [2008/09/19 10:28:44 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2008/09/19 10:28:43 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
DRV - [2008/04/13 13:56:49 | 000,012,800 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usb8023.sys -- (USB_RNDIS)
DRV - [2008/04/13 13:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 13:40:10 | 000,080,128 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\parport.sys -- (Parport)
DRV - [2007/07/20 03:39:50 | 002,142,488 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LVMVdrv.sys -- (LVMVDrv)
DRV - [2007/07/18 19:44:00 | 000,041,752 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2007/07/18 19:39:38 | 000,490,776 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LV561AV.SYS -- (PID_0928) Logitech QuickCam Express(PID_0928)
DRV - [2007/07/02 18:08:08 | 000,015,616 | ---- | M] (ArcSoft, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\arcsoftvirtualcapture.sys -- (ARCSOFTVIRTUALCAPTURE)
DRV - [2007/04/27 19:56:36 | 000,213,120 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\DCDisk.sys -- (DCDisk)
DRV - [2007/04/27 19:56:36 | 000,108,544 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\dcsnap.sys -- (dcsnap)
DRV - [2007/04/27 19:56:14 | 000,037,632 | ---- | M] () [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\flbrc.sys -- (flbrc)
DRV - [2007/04/27 19:56:14 | 000,016,896 | ---- | M] (FarStone Technology, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\flbdisk.sys -- (flbdisk)
DRV - [2006/11/10 18:05:00 | 000,018,688 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)
DRV - [2006/05/10 17:00:16 | 000,156,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2005/09/12 05:30:00 | 000,089,264 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)
DRV - [2005/09/08 07:20:00 | 000,094,332 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2005/09/08 07:20:00 | 000,087,036 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2005/09/08 07:20:00 | 000,086,524 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2005/09/08 07:20:00 | 000,025,628 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2005/09/08 07:20:00 | 000,014,684 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2005/09/08 07:20:00 | 000,006,364 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2005/09/08 07:20:00 | 000,002,496 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResN.SYS -- (DLADResN)
DRV - [2005/08/25 14:16:52 | 000,005,628 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2005/08/25 14:16:16 | 000,022,684 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS -- (DLARTL_N)
DRV - [2005/08/12 07:20:00 | 000,040,544 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
DRV - [2004/09/17 11:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2002/07/03 21:32:02 | 000,056,320 | R--- | M] (SCM Microsystems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\stc2.sys -- (SCRx31 USB Reader)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-725345543-448539723-2147145749-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-725345543-448539723-2147145749-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/27 18:39:55 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/05/27 18:39:39 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2010/05/27 14:13:43 | 000,000,000 | ---D | M]

[2010/05/27 18:40:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2010/05/27 18:43:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6ni38olh.default\extensions
[2010/05/27 18:43:20 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6ni38olh.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/05/27 18:39:40 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/05/27 20:11:15 | 000,000,698 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL (Sonic Solutions)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-725345543-448539723-2147145749-500\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [accrdsub] C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe (ActivIdentity)
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [OpwareSE4] C:\Program Files\Canon\OpwareSE4.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Nuance Communications, Inc.)
O4 - HKU\S-1-5-21-725345543-448539723-2147145749-500..\RunOnce: [Setup_bootstrap] D:\setup.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ActivClient Agent.lnk = C:\Program Files\ActivIdentity\ActivClient\acsagent.exe (ActivIdentity)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Button Manager.lnk = C:\Program Files\HP\Button Manager\BM.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 00 00 00 01 [binary data]
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-725345543-448539723-2147145749-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O15 - HKU\S-1-5-21-725345543-448539723-2147145749-500\..Trusted Domains: disa.mil ([amc.csd] https in Trusted sites)
O15 - HKU\S-1-5-21-725345543-448539723-2147145749-500\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} http://support.dell.com/systemprofiler/SysPro.CAB (SysProWmi Class)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} http://catalog.update.microsoft.com/v7/sit...b?1228284722765 (MUCatalogWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\WINDOWS\system32\els32.dll) - C:\WINDOWS\System32\els32.dll File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\54080f0e922: DllName - C:\WINDOWS\system32\els32.dll - C:\WINDOWS\System32\els32.dll File not found
O20 - Winlogon\Notify\ackpbsc: DllName - C:\WINDOWS\system32\ackpbsc.dll - C:\WINDOWS\system32\ackpbsc.dll (ActivIdentity)
O20 - Winlogon\Notify\acunlock: DllName - C:\Program Files\ActivIdentity\ActivClient\acunlock.dll - C:\Program Files\ActivIdentity\ActivClient\acunlock.dll (ActivIdentity)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/05/06 00:06:01 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/05/11 17:13:39 | 000,000,279 | R--- | M] () - F:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{c8f3cd20-1e42-11df-9feb-00156097a147}\Shell - "" = AutoRun
O33 - MountPoints2\{c8f3cd20-1e42-11df-9feb-00156097a147}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{c8f3cd20-1e42-11df-9feb-00156097a147}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- [2006/04/18 16:33:36 | 000,950,272 | R--- | M] ()
O33 - MountPoints2\G\Shell - "" = AutoRun
O33 - MountPoints2\G\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- [2006/04/18 16:33:36 | 000,950,272 | R--- | M] ()
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2008/05/06 00:05:35 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found


Drivers32: MIDI4 - C:\WINDOWS\System32\Syncor11.dll (SoundMAX)
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17465003472846848)

========== Files/Folders - Created Within 30 Days ==========

[2010/05/28 09:58:28 | 000,571,904 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/05/27 18:39:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla
[2010/05/27 18:39:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Mozilla
[2010/05/27 18:39:38 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010/05/27 16:32:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\ESET
[2010/05/27 14:13:42 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/05/27 14:13:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ESET
[2010/05/26 22:27:19 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2010/05/26 22:27:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/05/26 22:26:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Threat Expert
[2010/05/26 22:26:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/05/26 14:21:14 | 000,221,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010/05/26 00:05:15 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft CAPICOM 2.1.0.2
[2010/05/25 23:26:03 | 000,274,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll
[2010/05/25 23:26:03 | 000,016,736 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll.mui
[2010/05/25 22:23:46 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/05/25 01:12:19 | 000,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[2010/05/23 19:09:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Gradkell Systems, Inc
[2010/05/23 15:09:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2010/05/23 15:08:47 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/05/23 15:08:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/05/23 15:08:45 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/05/23 15:08:45 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/23 15:02:12 | 006,153,376 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup.exe
[2010/05/23 12:15:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/05/23 11:47:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/05/23 11:47:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/05/23 01:55:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Windows Server
[2010/05/23 01:55:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\F9775AE385973A915E6351E155C35F91
[2010/05/07 10:52:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\My Albums
[2010/05/01 21:58:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2010/05/01 21:27:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
[2010/05/01 17:12:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\C-17 EPUBS
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/28 09:58:50 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/05/28 09:38:57 | 000,539,054 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/05/28 09:38:57 | 000,453,420 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/05/28 09:38:57 | 000,075,874 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/05/28 09:34:57 | 000,001,316 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/28 09:34:54 | 000,015,360 | -H-- | M] () -- C:\logicinf.bin
[2010/05/28 09:34:53 | 000,001,048 | RH-- | M] () -- C:\dcindkrn.dc3
[2010/05/28 09:34:53 | 000,001,024 | -H-- | M] () -- C:\diskfile1
[2010/05/28 09:34:31 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/28 09:34:28 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/28 09:34:27 | 2138,574,848 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/28 01:14:29 | 005,505,024 | ---- | M] () -- C:\Documents and Settings\Administrator\ntuser.dat
[2010/05/28 01:14:29 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/05/27 18:39:57 | 000,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat
[2010/05/27 18:39:43 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/05/27 14:09:01 | 000,002,257 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/05/26 23:03:24 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\Administrator\Start Menu.rar
[2010/05/23 15:08:49 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/23 15:02:22 | 006,153,376 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup.exe
[2010/05/23 14:59:31 | 000,363,520 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\rkill.com
[2010/05/23 14:34:16 | 000,001,316 | ---- | M] () -- C:\WINDOWS\System32\wpa.bak
[2010/05/23 12:24:39 | 000,003,321 | -HS- | M] () -- C:\Documents and Settings\Administrator\Application Data\02000000a83e535d922P.manifest
[2010/05/23 11:36:53 | 000,000,013 | -HS- | M] () -- C:\Documents and Settings\Administrator\Application Data\02000000a83e535d922C.manifest
[2010/05/23 11:36:53 | 000,000,011 | -HS- | M] () -- C:\Documents and Settings\Administrator\Application Data\02000000a83e535d922S.manifest
[2010/05/23 11:36:53 | 000,000,011 | -HS- | M] () -- C:\Documents and Settings\Administrator\Application Data\02000000a83e535d922O.manifest
[2010/05/21 14:14:28 | 000,221,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010/05/12 08:57:01 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/05/03 12:32:11 | 000,041,472 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\mama-doctor.doc
[2010/05/02 19:48:32 | 000,213,504 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Itinerary.doc
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/27 18:39:57 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/05/27 18:39:43 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/05/26 23:03:23 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\Administrator\Start Menu.rar
[2010/05/23 15:08:49 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/23 14:59:15 | 000,363,520 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\rkill.com
[2010/05/23 01:55:34 | 000,003,321 | -HS- | C] () -- C:\Documents and Settings\Administrator\Application Data\02000000a83e535d922P.manifest
[2010/05/23 01:55:34 | 000,000,013 | -HS- | C] () -- C:\Documents and Settings\Administrator\Application Data\02000000a83e535d922C.manifest
[2010/05/23 01:55:34 | 000,000,011 | -HS- | C] () -- C:\Documents and Settings\Administrator\Application Data\02000000a83e535d922S.manifest
[2010/05/23 01:55:34 | 000,000,011 | -HS- | C] () -- C:\Documents and Settings\Administrator\Application Data\02000000a83e535d922O.manifest
[2010/05/02 19:48:32 | 000,213,504 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Itinerary.doc
[2009/10/28 17:50:47 | 000,000,035 | ---- | C] () -- C:\WINDOWS\A4W.INI
[2009/10/28 17:42:27 | 000,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2009/08/23 12:44:13 | 000,000,382 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2009/08/22 22:57:54 | 000,000,502 | ---- | C] () -- C:\WINDOWS\System32\CNCMFP34.INI
[2009/08/12 22:30:09 | 000,000,044 | ---- | C] () -- C:\WINDOWS\SMWizard.INI
[2009/08/12 21:41:11 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\msssc.dll
[2009/02/14 20:00:15 | 000,020,992 | ---- | C] () -- C:\WINDOWS\jestertb.dll
[2008/12/09 01:38:54 | 000,058,163 | R--- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2008/12/08 18:28:35 | 000,000,222 | ---- | C] () -- C:\WINDOWS\dellstat.ini
[2008/05/07 22:17:36 | 000,213,120 | ---- | C] () -- C:\WINDOWS\System32\drivers\DCDisk.sys
[2008/05/07 22:17:36 | 000,108,544 | ---- | C] () -- C:\WINDOWS\System32\drivers\dcsnap.sys
[2008/05/07 22:17:34 | 000,037,632 | ---- | C] () -- C:\WINDOWS\System32\drivers\flbrc.sys
[2008/05/07 21:24:22 | 000,000,175 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/11/18 13:47:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/03 17:59:08 | 000,080,128 | ---- | C] () -- C:\WINDOWS\System32\drivers\parport.sys
[2000/10/25 21:15:00 | 000,017,920 | ---- | C] () -- C:\WINDOWS\System32\Implode.dll

========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[2009/03/08 05:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2009/03/08 05:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2008/05/05 16:56:03 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2008/05/05 16:56:03 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2008/05/05 16:56:03 | 000,905,216 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\*. /mp /s >

< %SYSTEMDRIVE%\*.exe >

< >
< End of report >
---------------------------------------------------------------------------------

OTL Extras logfile created on: 5/28/2010 10:00:39 AM - Run 1
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 75.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 1700 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 51.93 Gb Free Space | 69.70% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 5.49 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive G: | 973.17 Mb Total Space | 174.08 Mb Free Space | 17.89% Space Free | Partition Type: FAT
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BIGCOMPUTER
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-725345543-448539723-2147145749-500\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe" = C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX -- (CyberLink Corp.)
"C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" = C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program -- (CyberLink Corp.)
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Windows Shell -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe" = C:\Program Files\CyberLink\PowerDVD DX\PowerDVD.exe:*:Enabled:CyberLink PowerDVD DX -- (CyberLink Corp.)
"C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" = C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:*:Enabled:CyberLink PowerDVD DX Resident Program -- (CyberLink Corp.)
"C:\Program Files\uTorrent\utorrent.exe" = C:\Program Files\uTorrent\utorrent.exe:*:Enabled:µTorrent -- ()
"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Windows Shell -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{075473F5-846A-448B-BCB3-104AA1760205}" = Roxio RecordNow Data
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Roxio DLA
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 16
"{2D87E961-577B-492B-AD54-1368680FB9A7}" = Bing Maps 3D
"{2E086814-7392-4E0F-ADB8-54A81E47406C}" = Broadcom Advanced Control Suite 2
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35599970-EAA2-012B-ACE9-000000000000}" = TurboTax 2009 waliper
"{35725FBC-A136-4A46-9F29-091759D9BB93}" = MVision
"{3881DB80-EAA2-012B-ADAE-000000000000}" = TurboTax 2009 WinPerFedFormset
"{38975F50-EAA2-012B-ADB4-000000000000}" = TurboTax 2009 WinPerReleaseEngine
"{38A34630-EAA2-012B-ADB6-000000000000}" = TurboTax 2009 WinPerTaxSupport
"{3C5A81D0-EAA2-012B-AE9F-000000000000}" = TurboTax 2009 wrapper
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype™ 3.8
"{5F00DF7E-418B-4CD9-8EC5-781156BCC49E}" = Microsoft Money Shared Libraries
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler
"{66B4C110-8BEB-49B5-824E-C70AEEB20ECD}" = ScanSoft OmniPage SE 4
"{6767DFEE-8909-453A-B553-C7693912B2EB}" = Canon MF Toolbox 4.9.1.1.mf07
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{689E15D3-E10C-4CDA-852E-1776D1B7266A}" = TMS on CD-ROM
"{719842F9-FF69-4BA6-A6FE-52244575E0B3}" = ArcSoft VideoImpression 2
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7E369B27-13E2-41A5-9879-358EE1C8B5AD}" = Broadcom Gigabit Integrated Controller
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9E5A03E3-6246-4920-9630-0527D5DA9B07}" = iSEEK AnswerWorks English Runtime
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Roxio RecordNow Audio
"{AC194855-F7AC-4D04-B4C9-07BA46FCB697}" = ActivClient CAC 6.1 AFR
"{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Roxio RecordNow Copy
"{B91B4988-2671-4C7A-9B84-5FE9E38EDDE0}" = ESET NOD32 Antivirus
"{B93A5C71-1F05-47c6-A9CD-DB6183CC8B30}" = Canon MF4360-4390
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CA634931-0CC3-4067-ABCC-7182E1DC23B7}" = HP Button Manager
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D31612BB-C6D7-4142-96AE-16DB062354CF}" = HP Webcam User’s Guide
"{E09B48B5-E141-427A-AB0C-D3605127224A}" = Microsoft SQL Server Desktop Engine (MSSQLTMS)
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F522E59E-7168-4B4A-885E-1030009BEE56}" = DBsign Web Signer
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"ATT-HSI" = ATT-HSI
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Dell AIO Printer A920" = Dell AIO Printer A920
"ENTERPRISE" = Microsoft Office Enterprise 2007
"Grammar" = Grammar
"ie8" = Windows Internet Explorer 8
"InstallShield_{2E086814-7392-4E0F-ADB8-54A81E47406C}" = Broadcom Advanced Control Suite 2
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Money2007b" = Microsoft Money 2007
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"MSNINST" = MSN
"Oregon Trail 5" = Oregon Trail 5
"Phonics" = Phonics
"QcDrv" = Logitech® Camera Driver
"Reading" = Reading
"RestoreIT!" = DriveClone Pro
"Science Trek 4, 5, 6" = Science Trek 4, 5, 6
"Spelling" = Spelling
"SpywareBlaster_is1" = SpywareBlaster 4.3
"TurboTax 2009" = TurboTax 2009
"uTorrent" = µTorrent
"Vocabulary" = Vocabulary
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = ????????? WinRAR
"Writing" = Writing
"YInstHelper" = Yahoo! Install Manager

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/25/2010 8:34:06 PM | Computer Name = BIGCOMPUTER | Source = Application Error | ID = 1000
Description = Faulting application _iu14d2n.tmp, version 51.49.0.0, faulting module
_iu14d2n.tmp, version 51.49.0.0, fault address 0x0008fbc1.

Error - 5/25/2010 8:34:10 PM | Computer Name = BIGCOMPUTER | Source = Application Error | ID = 1000
Description = Faulting application _iu14d2n.tmp, version 51.49.0.0, faulting module
_iu14d2n.tmp, version 51.49.0.0, fault address 0x00001bd0.

Error - 5/25/2010 8:34:19 PM | Computer Name = BIGCOMPUTER | Source = MSSecurityEssentials | ID = 5000
Description =

Error - 5/25/2010 8:53:00 PM | Computer Name = BIGCOMPUTER | Source = MPSampleSubmission | ID = 5000
Description =

Error - 5/25/2010 8:53:14 PM | Computer Name = BIGCOMPUTER | Source = MSSecurityEssentials | ID = 5000
Description =

Error - 5/25/2010 8:55:39 PM | Computer Name = BIGCOMPUTER | Source = MPSampleSubmission | ID = 5000
Description =

Error - 5/25/2010 8:55:55 PM | Computer Name = BIGCOMPUTER | Source = MSSecurityEssentials | ID = 5000
Description =

Error - 5/26/2010 2:38:28 PM | Computer Name = BIGCOMPUTER | Source = Application Hang | ID = 1002
Description = Hanging application explorer.exe, version 6.0.2900.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/26/2010 4:08:52 PM | Computer Name = BIGCOMPUTER | Source = MPSampleSubmission | ID = 5000
Description =

Error - 5/28/2010 2:02:32 AM | Computer Name = BIGCOMPUTER | Source = MsiInstaller | ID = 1013
Description = Product: Adobe Reader 9.2 -- A process is running that cannot be shut
down by Setup. Please either close all applications and run Setup again, or restart
your computer and run Setup again.

[ System Events ]
Error - 5/27/2010 7:53:25 AM | Computer Name = BIGCOMPUTER | Source = Service Control Manager | ID = 7000
Description = The Parallel port driver service failed to start due to the following
error: %%2001

Error - 5/27/2010 7:53:25 AM | Computer Name = BIGCOMPUTER | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
i8042prt

Error - 5/27/2010 3:09:40 PM | Computer Name = BIGCOMPUTER | Source = Service Control Manager | ID = 7000
Description = The Parallel port driver service failed to start due to the following
error: %%2001

Error - 5/27/2010 3:09:40 PM | Computer Name = BIGCOMPUTER | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
i8042prt

Error - 5/27/2010 5:36:15 PM | Computer Name = BIGCOMPUTER | Source = Service Control Manager | ID = 7000
Description = The Parallel port driver service failed to start due to the following
error: %%2001

Error - 5/27/2010 5:36:15 PM | Computer Name = BIGCOMPUTER | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
i8042prt

Error - 5/27/2010 9:17:11 PM | Computer Name = BIGCOMPUTER | Source = Service Control Manager | ID = 7000
Description = The Parallel port driver service failed to start due to the following
error: %%2001

Error - 5/27/2010 9:17:11 PM | Computer Name = BIGCOMPUTER | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
i8042prt

Error - 5/28/2010 10:36:05 AM | Computer Name = BIGCOMPUTER | Source = Service Control Manager | ID = 7000
Description = The Parallel port driver service failed to start due to the following
error: %%2001

Error - 5/28/2010 10:36:05 AM | Computer Name = BIGCOMPUTER | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
i8042prt


< End of report >


#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:03:34 PM

Posted 28 May 2010 - 10:58 AM

Hi slacker35,

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    CODE
    :OTL
    O3 - HKU\S-1-5-21-725345543-448539723-2147145749-500\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
    O4 - HKLM..\Run: [] File not found
    O4 - HKU\S-1-5-21-725345543-448539723-2147145749-500..\RunOnce: [Setup_bootstrap] D:\setup.exe File not found
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
    :Reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "C:\WINDOWS\explorer.exe"=-
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\WINDOWS\explorer.exe"=-
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Then also run a new OTL scan without the bold text, and post the new OTL log.



Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading.
Select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Then

Please click this link-->Virustotal
When the Virustotal page has finished loading, click the Browse button and navigate to the following files one
by one and click Submit.

C:\logicinf.bin
C:\dcindkrn.dc3

Please post back with the link to the scan results, in your next post.
If Virustotal is busy, try the same at Jotti: http://virusscan.jotti.org/



Download and Run MBR Rootkit Scan
  • Please download MBR Rootkit Detector and save it on your desktop.
  • Go to Start >> Run then copy and paste the following line into the run box
    "%userprofile%\desktop\mbr.exe" -t

  • Select Run when you receive a Security Warning
  • The process is automatic, a black DOS window will appear and disappear suddenly. This is normal.
  • A log file will then be created on your desktop where you ran mbr.exe from.
  • Copy and paste the contents of mbr.log on your next reply.


Then please post back here with the following logs:
  • OTL results
  • New OTL log
  • Links to VT results
  • mbr.log

Thanks

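The fix above was assembled by reading the OTL log for entries whose target no longer exists ("File not found", "No CLSID value found", "Reg Error") and for startup files with an empty company field. The following is an added example, not part of the thread or of OTL itself, that parses lines in the OTL log format posted in this thread and performs that same triage; the sample lines, the shortened SID and the hosts entry in it are constructed.

```python
"""Triage helper for OTL (OldTimer's List-It) scan logs.

Added example, not part of the original thread or of OTL itself. It reads
OTL log lines of the kind posted in the thread and flags what a helper
looks at first: orphaned autostart/BHO/ActiveX entries whose target no
longer exists, running processes/services/drivers with an empty company
field, and hosts-file entries that point away from the local machine.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Phrases OTL appends when a referenced file or registry key is missing.
ORPHAN_MARKERS = ("File not found", "No CLSID value found", "Reg Error")

# PRC/MOD/SRV/DRV lines:
# "PRC - [2010/05/28 09:58:50 | 000,571,904 | ---- | M] (Company) -- C:\path\file.exe"
# "SRV - [...] (Company) [Auto | Running] -- C:\path\svc.exe -- (ServiceName)"
FILE_ENTRY = re.compile(
    r"^(?P<kind>PRC|MOD|SRV|DRV) - \[(?P<mtime>[^|]+)\| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[^|]+)\| (?P<flag>\w)\] \((?P<company>.*?)\)(?= \[| -- )"
    r"(?: \[(?P<state>[^\]]+)\])? -- (?P<path>.+?)(?: -- \((?P<svc>[^)]*)\).*)?$"
)

# HijackThis-style O-lines: "O4 - HKLM..\Run: [name] C:\path\file.exe (Company)"
HIJACK_ENTRY = re.compile(r"^(?P<section>O\d+) - (?P<body>.+)$")


@dataclass
class Finding:
    line: str
    reason: str


@dataclass
class Triage:
    orphaned: List[Finding] = field(default_factory=list)
    no_company: List[Finding] = field(default_factory=list)
    hosts: List[str] = field(default_factory=list)

    def fix_script(self) -> str:
        """The :OTL block a helper would paste into Custom Scans/Fixes for
        the orphaned entries (same shape as the fix in the thread)."""
        return "\n".join([":OTL"] + [f.line for f in self.orphaned])


def triage_otl(lines) -> Triage:
    t = Triage()
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = FILE_ENTRY.match(line)
        if m:
            # An empty company field means the file carries no publisher in its
            # version info. Not proof of anything (the FarStone files in the log
            # show this too), but it is the first thing to hand to VirusTotal.
            if m.group("company") == "" and m.group("kind") != "MOD":
                t.no_company.append(Finding(line, "no publisher in version info"))
            continue
        m = HIJACK_ENTRY.match(line)
        if m:
            if m.group("section") == "O1" and "Hosts:" in m.group("body"):
                t.hosts.append(m.group("body").split("Hosts:", 1)[1].strip())
            marker = next((k for k in ORPHAN_MARKERS if k in line), None)
            if marker:
                t.orphaned.append(Finding(line, marker))
    return t


def suspicious_hosts(t: Triage):
    """Hosts entries that resolve a name to something other than the local
    machine; on a box with search redirects these need explaining."""
    return [h for h in t.hosts if not h.startswith(("127.0.0.1", "::1"))]


# Constructed sample in the format of the log above (SID shortened, hosts line invented).
SAMPLE_LOG = r"""
PRC - [2010/05/28 09:58:50 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2008/06/17 22:04:42 | 000,249,856 | ---- | M] () -- C:\Program Files\HP\Button Manager\BM.exe
SRV - [2007/04/27 19:54:06 | 000,090,112 | ---- | M] () [Auto | Running] -- C:\Program Files\FarStone\DriveClone Pro\fsloader.exe -- (FarStone RestoreIT Loader)
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 192.0.2.10 www.example-search.invalid
O3 - HKU\S-1-5-21-0-0-0-500\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
""".splitlines()

if __name__ == "__main__":
    result = triage_otl(SAMPLE_LOG)
    for f in result.orphaned:
        print("ORPHANED  :", f.reason, "|", f.line)
    for f in result.no_company:
        print("NO-PUBLISH:", f.line)
    for h in suspicious_hosts(result):
        print("HOSTS     :", h)
    print(result.fix_script())
```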


#5 slacker35

slacker35
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:09:34 AM

Posted 28 May 2010 - 11:58 AM

Alright...



All processes killed
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-725345543-448539723-2147145749-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{472734EA-242A-422B-ADF8-83D1E48CC825} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{472734EA-242A-422B-ADF8-83D1E48CC825}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Registry value HKEY_USERS\S-1-5-21-725345543-448539723-2147145749-500\Software\Microsoft\Windows\CurrentVersion\RunOnce\\Setup_bootstrap deleted successfully.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\WINDOWS\explorer.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\explorer.exe deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 1247154524 bytes
->Temporary Internet Files folder emptied: 417498385 bytes
->Java cache emptied: 73314783 bytes
->FireFox cache emptied: 4994745 bytes
->Flash cache emptied: 103366 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33664 bytes

User: NetworkService
->Temp folder emptied: 51162 bytes
->Temporary Internet Files folder emptied: 29198337 bytes
->Flash cache emptied: 11039 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2162283 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 37041101 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 33961256 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 511 bytes

Total Files Cleaned = 1,760.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User

User: LocalService

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.5.0 log created on 05282010_111845

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\VQB4SG46\StvqmMTfaD440000ZhJXHwu4XPdx39vlbgPlDdsHiaMGwWYJL7a3=00dfV9K2cm5kGucYjEe1c62Se0EWn9gM53UIhl7-29sTQmYP1g2GV991VWG0=RwbkhPK2cm5kGpA9a9ihc62SfoCuR9gDm9Ab5fK4dPP4gPa2e90WJa5[1] not found!
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\U58GM4ZN\index[5].htm moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\5NKYQAVA\iframe[1].htm moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.

Registry entries deleted on Reboot...


---------------------------------------------------------------------------------------------------------------



OTL logfile created on: 5/28/2010 11:34:11 AM - Run 2
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 73.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 1700 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 53.66 Gb Free Space | 72.02% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 5.49 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive G: | 973.17 Mb Total Space | 174.08 Mb Free Space | 17.89% Space Free | Partition Type: FAT
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BIGCOMPUTER
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/28 09:58:50 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2010/03/29 17:12:18 | 000,810,120 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
PRC - [2010/03/29 17:11:50 | 002,145,000 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
PRC - [2010/03/24 14:58:22 | 000,309,760 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
PRC - [2010/03/18 12:19:26 | 000,207,360 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
PRC - [2010/03/18 12:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
PRC - [2009/09/29 10:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2008/06/17 22:04:42 | 000,249,856 | ---- | M] () -- C:\Program Files\HP\Button Manager\BM.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/02/26 12:57:28 | 000,128,296 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
PRC - [2007/06/13 10:39:12 | 000,073,728 | ---- | M] (Nuance Communications, Inc.) -- C:\Program Files\Canon\OpWareSE4.exe
PRC - [2007/05/15 16:08:40 | 000,182,576 | ---- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient\accoca.exe
PRC - [2007/05/15 16:08:38 | 000,095,024 | ---- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient\acevents.exe
PRC - [2007/05/15 16:08:08 | 000,293,168 | ---- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
PRC - [2007/05/15 16:08:00 | 000,130,864 | ---- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
PRC - [2007/04/27 19:56:26 | 000,176,128 | ---- | M] () -- C:\Program Files\FarStone\DriveClone Pro\CBP\DCSchdler.exe
PRC - [2007/04/27 19:56:14 | 000,049,214 | ---- | M] () -- C:\Program Files\FarStone\DriveClone Pro\EFB\EfbSchedule.exe
PRC - [2007/04/27 19:56:12 | 000,024,576 | ---- | M] (FarStone Technology, Inc.) -- C:\Program Files\FarStone\DriveClone Pro\EFB\efbfs.exe
PRC - [2007/04/27 19:54:12 | 000,049,152 | ---- | M] (FarStone Technology, Inc.) -- C:\Program Files\FarStone\DriveClone Pro\VerChk.exe
PRC - [2007/04/27 19:54:06 | 000,090,112 | ---- | M] () -- C:\Program Files\FarStone\DriveClone Pro\fsloader.exe
PRC - [2005/09/08 07:20:00 | 000,122,940 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLACTRLW.EXE
PRC - [2005/02/16 16:15:20 | 000,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PRC - [2004/10/14 16:42:54 | 001,404,928 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
PRC - [2002/12/17 18:23:32 | 000,074,308 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
PRC - [2002/09/20 15:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


========== Modules (SafeList) ==========

MOD - [2010/05/28 09:58:50 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2007/06/13 10:39:22 | 000,139,264 | ---- | M] (Nuance Communications, Inc.) -- C:\Program Files\Canon\OpHookSE4.dll


VT Links

http://www.virustotal.com/analisis/63b397d...0528-1275064993

http://www.virustotal.com/analisis/608a1a6...344b-1275065306

MBR

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK


#6 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:03:34 PM

Posted 28 May 2010 - 12:07 PM

You have only posted half of the OTL log, can you post the whole log please. Also can you tell me what problems
you are currently having?



#7 slacker35

slacker35
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Local time:09:34 AM

Posted 28 May 2010 - 12:31 PM

The only problem I am noticing is that when I do a Google search (from search box on tool bar) or Yahoo search from (anywhere), then click on a result to go to the page, the browser seems to "hang-up" for about 6 seconds, then I get redirected to another website. I've installed FireFox and the same thing happened. But, if I go directly to Google from the URL box (not from tool bar search) and do a search, select a result, I hear two 'clicks' and the requested site loads fast and I don't get redirected, as if Google blocks this redirect somehow (but I have no idea really).

Sorry.. the entire OTL log:



OTL logfile created on: 5/28/2010 11:34:11 AM - Run 2
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 73.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 1700 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 53.66 Gb Free Space | 72.02% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 5.49 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive G: | 973.17 Mb Total Space | 174.08 Mb Free Space | 17.89% Space Free | Partition Type: FAT
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BIGCOMPUTER
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/28 09:58:50 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2010/03/29 17:12:18 | 000,810,120 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
PRC - [2010/03/29 17:11:50 | 002,145,000 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
PRC - [2010/03/24 14:58:22 | 000,309,760 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
PRC - [2010/03/18 12:19:26 | 000,207,360 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
PRC - [2010/03/18 12:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
PRC - [2009/09/29 10:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2008/06/17 22:04:42 | 000,249,856 | ---- | M] () -- C:\Program Files\HP\Button Manager\BM.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/02/26 12:57:28 | 000,128,296 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
PRC - [2007/06/13 10:39:12 | 000,073,728 | ---- | M] (Nuance Communications, Inc.) -- C:\Program Files\Canon\OpWareSE4.exe
PRC - [2007/05/15 16:08:40 | 000,182,576 | ---- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient\accoca.exe
PRC - [2007/05/15 16:08:38 | 000,095,024 | ---- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient\acevents.exe
PRC - [2007/05/15 16:08:08 | 000,293,168 | ---- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
PRC - [2007/05/15 16:08:00 | 000,130,864 | ---- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
PRC - [2007/04/27 19:56:26 | 000,176,128 | ---- | M] () -- C:\Program Files\FarStone\DriveClone Pro\CBP\DCSchdler.exe
PRC - [2007/04/27 19:56:14 | 000,049,214 | ---- | M] () -- C:\Program Files\FarStone\DriveClone Pro\EFB\EfbSchedule.exe
PRC - [2007/04/27 19:56:12 | 000,024,576 | ---- | M] (FarStone Technology, Inc.) -- C:\Program Files\FarStone\DriveClone Pro\EFB\efbfs.exe
PRC - [2007/04/27 19:54:12 | 000,049,152 | ---- | M] (FarStone Technology, Inc.) -- C:\Program Files\FarStone\DriveClone Pro\VerChk.exe
PRC - [2007/04/27 19:54:06 | 000,090,112 | ---- | M] () -- C:\Program Files\FarStone\DriveClone Pro\fsloader.exe
PRC - [2005/09/08 07:20:00 | 000,122,940 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLACTRLW.EXE
PRC - [2005/02/16 16:15:20 | 000,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PRC - [2004/10/14 16:42:54 | 001,404,928 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
PRC - [2002/12/17 18:23:32 | 000,074,308 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
PRC - [2002/09/20 15:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


========== Modules (SafeList) ==========

MOD - [2010/05/28 09:58:50 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2007/06/13 10:39:22 | 000,139,264 | ---- | M] (Nuance Communications, Inc.) -- C:\Program Files\Canon\OpHookSE4.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/03/29 17:16:36 | 000,033,560 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe -- (EhttpSrv)
SRV - [2010/03/29 17:12:18 | 000,810,120 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe -- (ekrn)
SRV - [2010/03/18 12:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2009/09/29 10:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2007/05/15 16:08:40 | 000,182,576 | ---- | M] (ActivIdentity) [Auto | Running] -- C:\Program Files\ActivIdentity\ActivClient\accoca.exe -- (accoca)
SRV - [2007/04/27 19:56:26 | 000,098,304 | ---- | M] () [Auto | Stopped] -- C:\Program Files\FarStone\DriveClone Pro\CBP\DCSchdlerSRVC.exe -- (DCScheduler)
SRV - [2007/04/27 19:56:12 | 000,024,576 | ---- | M] (FarStone Technology, Inc.) [Auto | Running] -- C:\Program Files\FarStone\DriveClone Pro\EFB\efbfs.exe -- (efbfs)
SRV - [2007/04/27 19:54:06 | 000,090,112 | ---- | M] () [Auto | Running] -- C:\Program Files\FarStone\DriveClone Pro\fsloader.exe -- (FarStone RestoreIT Loader)
SRV - [2002/12/17 18:26:22 | 007,520,337 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Microsoft SQL Server\MSSQL$MSSQLTMS\Binn\sqlservr.exe -- (MSSQL$MSSQLTMS)
SRV - [2002/12/17 18:23:30 | 000,311,872 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft SQL Server\MSSQL$MSSQLTMS\Binn\sqlagent.EXE -- (SQLAgent$MSSQLTMS)
SRV - [2002/09/20 15:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


========== Driver Services (SafeList) ==========

DRV - [2010/03/29 17:13:44 | 000,095,872 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\epfwtdir.sys -- (epfwtdir)
DRV - [2010/03/29 17:12:00 | 000,114,984 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ehdrv.sys -- (ehdrv)
DRV - [2010/03/29 17:07:30 | 000,140,216 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\eamon.sys -- (eamon)
DRV - [2008/09/19 10:28:44 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2008/09/19 10:28:43 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
DRV - [2008/04/13 13:56:49 | 000,012,800 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usb8023.sys -- (USB_RNDIS)
DRV - [2008/04/13 13:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 13:40:10 | 000,080,128 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\parport.sys -- (Parport)
DRV - [2007/07/20 03:39:50 | 002,142,488 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LVMVdrv.sys -- (LVMVDrv)
DRV - [2007/07/18 19:44:00 | 000,041,752 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2007/07/18 19:39:38 | 000,490,776 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LV561AV.SYS -- (PID_0928) Logitech QuickCam Express(PID_0928)
DRV - [2007/07/02 18:08:08 | 000,015,616 | ---- | M] (ArcSoft, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\arcsoftvirtualcapture.sys -- (ARCSOFTVIRTUALCAPTURE)
DRV - [2007/04/27 19:56:36 | 000,213,120 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\DCDisk.sys -- (DCDisk)
DRV - [2007/04/27 19:56:36 | 000,108,544 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\dcsnap.sys -- (dcsnap)
DRV - [2007/04/27 19:56:14 | 000,037,632 | ---- | M] () [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\flbrc.sys -- (flbrc)
DRV - [2007/04/27 19:56:14 | 000,016,896 | ---- | M] (FarStone Technology, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\flbdisk.sys -- (flbdisk)
DRV - [2006/11/10 18:05:00 | 000,018,688 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)
DRV - [2006/05/10 17:00:16 | 000,156,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2005/09/12 05:30:00 | 000,089,264 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)
DRV - [2005/09/08 07:20:00 | 000,094,332 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2005/09/08 07:20:00 | 000,087,036 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2005/09/08 07:20:00 | 000,086,524 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2005/09/08 07:20:00 | 000,025,628 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2005/09/08 07:20:00 | 000,014,684 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2005/09/08 07:20:00 | 000,006,364 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2005/09/08 07:20:00 | 000,002,496 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResN.SYS -- (DLADResN)
DRV - [2005/08/25 14:16:52 | 000,005,628 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2005/08/25 14:16:16 | 000,022,684 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS -- (DLARTL_N)
DRV - [2005/08/12 07:20:00 | 000,040,544 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
DRV - [2004/09/17 11:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2002/07/03 21:32:02 | 000,056,320 | R--- | M] (SCM Microsystems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\stc2.sys -- (SCRx31 USB Reader)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/27 18:39:55 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/05/27 18:39:39 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2010/05/27 14:13:43 | 000,000,000 | ---D | M]

[2010/05/27 18:40:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2010/05/27 18:43:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6ni38olh.default\extensions
[2010/05/27 18:43:20 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6ni38olh.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/05/27 18:39:40 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/05/27 20:11:15 | 000,000,698 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL (Sonic Solutions)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O4 - HKLM..\Run: [accrdsub] C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe (ActivIdentity)
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [OpwareSE4] C:\Program Files\Canon\OpwareSE4.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Nuance Communications, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ActivClient Agent.lnk = C:\Program Files\ActivIdentity\ActivClient\acsagent.exe (ActivIdentity)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Button Manager.lnk = C:\Program Files\HP\Button Manager\BM.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 00 00 00 01 [binary data]
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O15 - HKCU\..Trusted Domains: disa.mil ([amc.csd] https in Trusted sites)
O15 - HKCU\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} http://support.dell.com/systemprofiler/SysPro.CAB (SysProWmi Class)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} http://catalog.update.microsoft.com/v7/sit...b?1228284722765 (MUCatalogWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\WINDOWS\system32\els32.dll) - C:\WINDOWS\System32\els32.dll File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\54080f0e922: DllName - C:\WINDOWS\system32\els32.dll - C:\WINDOWS\System32\els32.dll File not found
O20 - Winlogon\Notify\ackpbsc: DllName - C:\WINDOWS\system32\ackpbsc.dll - C:\WINDOWS\system32\ackpbsc.dll (ActivIdentity)
O20 - Winlogon\Notify\acunlock: DllName - C:\Program Files\ActivIdentity\ActivClient\acunlock.dll - C:\Program Files\ActivIdentity\ActivClient\acunlock.dll (ActivIdentity)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/05/06 00:06:01 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/05/11 17:13:39 | 000,000,279 | R--- | M] () - F:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{c8f3cd20-1e42-11df-9feb-00156097a147}\Shell - "" = AutoRun
O33 - MountPoints2\{c8f3cd20-1e42-11df-9feb-00156097a147}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{c8f3cd20-1e42-11df-9feb-00156097a147}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- [2006/04/18 16:33:36 | 000,950,272 | R--- | M] ()
O33 - MountPoints2\G\Shell - "" = AutoRun
O33 - MountPoints2\G\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- [2006/04/18 16:33:36 | 000,950,272 | R--- | M] ()
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/28 11:18:45 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/05/28 09:58:28 | 000,571,904 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/05/27 18:39:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla
[2010/05/27 18:39:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Mozilla
[2010/05/27 18:39:38 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010/05/27 16:32:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\ESET
[2010/05/27 14:13:42 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/05/27 14:13:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ESET
[2010/05/26 22:27:19 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2010/05/26 22:27:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/05/26 22:26:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Threat Expert
[2010/05/26 22:26:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/05/26 14:21:14 | 000,221,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010/05/26 00:05:15 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft CAPICOM 2.1.0.2
[2010/05/25 23:26:03 | 000,274,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll
[2010/05/25 23:26:03 | 000,016,736 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll.mui
[2010/05/25 22:23:46 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/05/25 01:12:19 | 000,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[2010/05/23 19:09:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Gradkell Systems, Inc
[2010/05/23 15:09:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2010/05/23 15:08:47 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/05/23 15:08:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/05/23 15:08:45 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/05/23 15:08:45 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/23 15:02:12 | 006,153,376 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup.exe
[2010/05/23 12:15:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/05/23 11:47:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/05/23 11:47:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/05/23 01:55:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Windows Server
[2010/05/23 01:55:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\F9775AE385973A915E6351E155C35F91
[2010/05/07 10:52:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\My Albums
[2010/05/01 21:58:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2010/05/01 21:27:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
[2010/05/01 17:12:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\C-17 EPUBS

========== Files - Modified Within 30 Days ==========

[2010/05/28 11:32:48 | 000,453,420 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/05/28 11:32:48 | 000,075,874 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/05/28 11:32:47 | 000,539,054 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/05/28 11:28:48 | 000,001,316 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/28 11:28:42 | 000,015,360 | -H-- | M] () -- C:\logicinf.bin
[2010/05/28 11:28:42 | 000,001,024 | -H-- | M] () -- C:\diskfile1
[2010/05/28 11:28:41 | 000,001,048 | RH-- | M] () -- C:\dcindkrn.dc3
[2010/05/28 11:28:30 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/28 11:28:27 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/28 11:28:26 | 2138,574,848 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/28 11:27:35 | 005,505,024 | ---- | M] () -- C:\Documents and Settings\Administrator\ntuser.dat
[2010/05/28 11:27:29 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/05/28 09:58:50 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/05/27 18:39:57 | 000,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat
[2010/05/27 18:39:43 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/05/27 14:09:01 | 000,002,257 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/05/26 23:03:24 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\Administrator\Start Menu.rar
[2010/05/23 15:08:49 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/23 15:02:22 | 006,153,376 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator\Desktop\mbam-setup.exe
[2010/05/23 14:59:31 | 000,363,520 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\rkill.com
[2010/05/23 14:34:16 | 000,001,316 | ---- | M] () -- C:\WINDOWS\System32\wpa.bak
[2010/05/23 12:24:39 | 000,003,321 | -HS- | M] () -- C:\Documents and Settings\Administrator\Application Data\02000000a83e535d922P.manifest
[2010/05/23 11:36:53 | 000,000,013 | -HS- | M] () -- C:\Documents and Settings\Administrator\Application Data\02000000a83e535d922C.manifest
[2010/05/23 11:36:53 | 000,000,011 | -HS- | M] () -- C:\Documents and Settings\Administrator\Application Data\02000000a83e535d922S.manifest
[2010/05/23 11:36:53 | 000,000,011 | -HS- | M] () -- C:\Documents and Settings\Administrator\Application Data\02000000a83e535d922O.manifest
[2010/05/21 14:14:28 | 000,221,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010/05/12 08:57:01 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/05/03 12:32:11 | 000,041,472 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\mama-doctor.doc
[2010/05/02 19:48:32 | 000,213,504 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Itinerary.doc
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

========== Files Created - No Company Name ==========

[2010/05/27 18:39:57 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/05/27 18:39:43 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/05/26 23:03:23 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\Administrator\Start Menu.rar
[2010/05/23 15:08:49 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/23 14:59:15 | 000,363,520 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\rkill.com
[2010/05/23 01:55:34 | 000,003,321 | -HS- | C] () -- C:\Documents and Settings\Administrator\Application Data\02000000a83e535d922P.manifest
[2010/05/23 01:55:34 | 000,000,013 | -HS- | C] () -- C:\Documents and Settings\Administrator\Application Data\02000000a83e535d922C.manifest
[2010/05/23 01:55:34 | 000,000,011 | -HS- | C] () -- C:\Documents and Settings\Administrator\Application Data\02000000a83e535d922S.manifest
[2010/05/23 01:55:34 | 000,000,011 | -HS- | C] () -- C:\Documents and Settings\Administrator\Application Data\02000000a83e535d922O.manifest
[2010/05/02 19:48:32 | 000,213,504 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Itinerary.doc
[2009/10/28 17:50:47 | 000,000,035 | ---- | C] () -- C:\WINDOWS\A4W.INI
[2009/10/28 17:42:27 | 000,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2009/08/23 12:44:13 | 000,000,382 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2009/08/22 22:57:54 | 000,000,502 | ---- | C] () -- C:\WINDOWS\System32\CNCMFP34.INI
[2009/08/12 22:30:09 | 000,000,044 | ---- | C] () -- C:\WINDOWS\SMWizard.INI
[2009/08/12 21:41:11 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\msssc.dll
[2009/02/14 20:00:15 | 000,020,992 | ---- | C] () -- C:\WINDOWS\jestertb.dll
[2008/12/09 01:38:54 | 000,058,163 | R--- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2008/12/08 18:28:35 | 000,000,222 | ---- | C] () -- C:\WINDOWS\dellstat.ini
[2008/05/07 22:17:36 | 000,213,120 | ---- | C] () -- C:\WINDOWS\System32\drivers\DCDisk.sys
[2008/05/07 22:17:36 | 000,108,544 | ---- | C] () -- C:\WINDOWS\System32\drivers\dcsnap.sys
[2008/05/07 22:17:34 | 000,037,632 | ---- | C] () -- C:\WINDOWS\System32\drivers\flbrc.sys
[2008/05/07 21:24:22 | 000,000,175 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/11/18 13:47:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/03 17:59:08 | 000,080,128 | ---- | C] () -- C:\WINDOWS\System32\drivers\parport.sys
[2000/10/25 21:15:00 | 000,017,920 | ---- | C] () -- C:\WINDOWS\System32\Implode.dll
< End of report >

#8 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 28 May 2010 - 12:51 PM

I would like to try and get a Gmer scan. I know you said in your first post it wouldn't work, but I would like you to give it one more go.

  1. Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  2. Disconnect from the Internet and close all running programs, as this process may crash your computer.
  3. Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  4. Double click on Gmer to run it.
  5. Allow the gmer.sys driver to load if asked.
  6. You may see a rootkit warning window. If you do, click No.
  7. Untick the following boxes on the right side of the Gmer screen.
    Devices
    Processes
    Threads
    Show All
  8. Click on and wait for the scan to finish.
  9. If you see a rootkit warning window, click OK.
  10. Push and save the logfile to your desktop.
  11. Copy and Paste the contents of that file in your next post.



#9 slacker35

slacker35
  • Topic Starter

  • Members
  • 30 posts

Posted 28 May 2010 - 01:18 PM

Syler,
GMER worked this time. Here's the log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-28 13:06:02
Windows 5.1.2600 Service Pack 3
Running: 2pp3kweb.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ugdcyaog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwAssignProcessToJobObject [0x99DC2610]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDebugActiveProcess [0x99DC2C10]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDuplicateObject [0x99DC2730]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenProcess [0x99DC24B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenThread [0x99DC2570]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwProtectVirtualMemory [0x99DC26D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetContextThread [0x99DC2690]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetInformationThread [0x99DC2650]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSecurityObject [0x99DC27D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendProcess [0x99DC2510]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendThread [0x99DC2590]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateProcess [0x99DC24D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateThread [0x99DC25D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwWriteVirtualMemory [0x99DC2750]

---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1468] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]

---- EOF - GMER 1.0.15 ----


#10 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 28 May 2010 - 01:30 PM

Nothing is showing there; let's have a look with something else.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



#11 slacker35

slacker35
  • Topic Starter

  • Members
  • 30 posts

Posted 28 May 2010 - 01:56 PM

Ok, this is what I have...

ComboFix 10-05-28.01 - Administrator 05/28/2010 13:41:12.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1583 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.2 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\02000000a83e535d922C.manifest
c:\documents and settings\Administrator\Application Data\02000000a83e535d922O.manifest
c:\documents and settings\Administrator\Application Data\02000000a83e535d922P.manifest
c:\documents and settings\Administrator\Application Data\02000000a83e535d922S.manifest
c:\documents and settings\Administrator\Application Data\F9775AE385973A915E6351E155C35F91
c:\documents and settings\Administrator\Application Data\F9775AE385973A915E6351E155C35F91\enemies-names.txt
c:\documents and settings\Administrator\Application Data\F9775AE385973A915E6351E155C35F91\lsrslt.ini
c:\documents and settings\Administrator\Local Settings\Application Data\Windows Server
c:\documents and settings\Administrator\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\Administrator\Local Settings\Application Data\Windows Server\uses32.dat
C:\feed.txt
c:\windows\jestertb.dll
c:\windows\system32\hlp.dat

Infected copy of c:\windows\system32\ws2_32.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\ws2_32.dll

.
((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-28 )))))))))))))))))))))))))))))))
.

2010-05-28 16:18 . 2010-05-28 16:18 -------- d-----w- C:\_OTL
2010-05-27 23:39 . 2010-05-27 23:39 0 ----a-w- c:\windows\nsreg.dat
2010-05-27 23:39 . 2010-05-27 23:39 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-05-27 21:32 . 2010-05-27 21:32 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ESET
2010-05-27 19:13 . 2010-05-27 19:13 -------- d-----w- c:\program files\ESET
2010-05-27 19:13 . 2010-05-27 19:13 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2010-05-27 03:27 . 2010-05-27 03:27 -------- d--h--w- c:\windows\PIF
2010-05-27 03:27 . 2010-05-27 03:27 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-27 03:26 . 2010-05-27 03:26 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Threat Expert
2010-05-27 03:26 . 2010-05-27 03:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-26 19:21 . 2010-05-21 19:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-26 05:05 . 2010-05-27 03:27 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-05-26 04:26 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-05-26 04:26 . 2009-08-07 00:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-05-26 03:23 . 2010-05-27 19:10 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-25 06:12 . 2010-05-27 03:26 -------- d-----w- c:\program files\SpywareBlaster
2010-05-24 00:09 . 2010-05-24 00:09 86792 ----a-w- c:\documents and settings\Administrator\Application Data\Gradkell Systems, Inc\DBsign Data Security Suite\UWC\lib\1.4.8.0\DcaJce.dll
2010-05-24 00:09 . 2010-05-24 00:09 333576 ----a-w- c:\documents and settings\Administrator\Application Data\Gradkell Systems, Inc\DBsign Data Security Suite\UWC\lib\1.4.8.0\GuiUtils.dll
2010-05-24 00:09 . 2010-05-24 00:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\Gradkell Systems, Inc
2010-05-23 20:09 . 2010-05-23 20:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-05-23 20:08 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-23 20:08 . 2010-05-23 20:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-23 20:08 . 2010-05-27 03:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-23 20:08 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-23 17:15 . 2010-05-23 17:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-23 16:47 . 2010-05-23 16:47 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-05-23 06:56 . 2001-08-17 18:52 18688 ----a-w- c:\windows\system32\drivers\cdaudio.sys
2010-05-02 02:58 . 2010-05-02 02:58 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2010-05-02 02:27 . 2010-05-02 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-28 18:47 . 2008-05-08 03:17 15360 ---h--w- C:\logicinf.bin
2010-05-27 21:28 . 2008-12-04 22:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2010-05-27 19:08 . 2008-12-03 04:56 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-05-27 18:27 . 2008-12-04 22:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2010-05-26 05:06 . 2008-05-08 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-26 02:23 . 2004-08-04 12:00 24576 ----a-w- c:\windows\system32\drivers\KBDCLASS.SYS
2010-04-29 00:37 . 2008-12-06 03:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2010-04-02 07:25 . 2010-02-20 18:58 755776 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-31 00:31 . 2008-05-14 03:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-29 22:13 . 2010-03-29 22:13 95872 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2010-03-29 22:12 . 2010-03-29 22:12 114984 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2010-03-29 22:07 . 2010-03-29 22:07 140216 ----a-w- c:\windows\system32\drivers\eamon.sys
2010-03-10 06:15 . 2004-08-04 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
.

------- Sigcheck -------

[7] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\user32.dll
[-] 2008-04-14 . 48FDBBE0E55B15E1886FCF5D8563B19F . 578560 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
[7] 2004-08-04 . C72661F8552ACE7C5C85E16A3CF505C4 . 577024 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\Canon\OpwareSE4.exe" [2007-06-13 73728]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2007-05-15 293168]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-28 149280]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-03-29 2145000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ActivClient Agent.lnk - c:\program files\ActivIdentity\ActivClient\acsagent.exe [2007-5-15 130864]
HP Button Manager.lnk - c:\program files\HP\Button Manager\BM.exe [2009-1-6 249856]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
2007-05-15 21:08 112640 ----a-w- c:\windows\system32\ackpbsc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2007-05-15 21:08 281088 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 dcsnap;dcsnap;c:\windows\system32\drivers\dcsnap.sys [5/7/2008 10:17 PM 108544]
R1 DCDisk;DCDisk;c:\windows\system32\drivers\DCDisk.sys [5/7/2008 10:17 PM 213120]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [3/29/2010 5:12 PM 114984]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [3/29/2010 5:13 PM 95872]
R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [5/15/2007 4:08 PM 182576]
R2 efbfs;Restore FarStone File Event Manager;c:\program files\FarStone\DriveClone Pro\EFB\efbfs.exe [5/7/2008 10:17 PM 24576]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [3/29/2010 5:12 PM 810120]
R2 FarStone RestoreIT Loader;FarStone RestoreIT Loader;c:\program files\FarStone\DriveClone Pro\fsloader.exe [4/27/2007 7:54 PM 90112]
R2 flbdisk;flbdisk;c:\windows\system32\drivers\flbdisk.sys [5/7/2008 10:17 PM 16896]
R2 flbrc;flbrc;c:\windows\system32\drivers\flbrc.sys [5/7/2008 10:17 PM 37632]
R3 SCRx31 USB Reader;SCRx31 USB Reader;c:\windows\system32\drivers\stc2.sys [1/11/2009 9:39 PM 56320]
S1 efbDisk;efbDisk; [x]
S2 DCScheduler;DriveClone Scheduler;c:\program files\FarStone\DriveClone Pro\CBP\DCSchdlerSRVC.exe [5/7/2008 10:17 PM 98304]
S2 MSSQL$MSSQLTMS;MSSQL$MSSQLTMS;c:\program files\Microsoft SQL Server\MSSQL$MSSQLTMS\Binn\sqlservr.exe -sMSSQLTMS --> c:\program files\Microsoft SQL Server\MSSQL$MSSQLTMS\Binn\sqlservr.exe -sMSSQLTMS [?]
S3 REMOVE;REMOVE;\??\c:\windows\system32\drivers\REMOVE.SYS --> c:\windows\system32\drivers\REMOVE.SYS [?]
S3 SQLAgent$MSSQLTMS;SQLAgent$MSSQLTMS;c:\program files\Microsoft SQL Server\MSSQL$MSSQLTMS\Binn\sqlagent.EXE -i MSSQLTMS --> c:\program files\Microsoft SQL Server\MSSQL$MSSQLTMS\Binn\sqlagent.EXE -i MSSQLTMS [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: disa.mil\amc.csd
Trusted Zone: intuit.com\ttlc
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6ni38olh.default\
FF - plugin: c:\program files\Gradkell Systems, Inc\DBsign Data Security Suite\Common\Lib\npDbsGscInfo.dll
FF - plugin: c:\program files\Gradkell Systems, Inc\DBsign Data Security Suite\Common\Lib\npDBsignWeb.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

Notify-54080f0e922 - c:\windows\system32\els32.dll
SafeBoot-mcmscsvc
SafeBoot-MCODS
AddRemove-Dell AIO Printer A920 - c:\windows\system32\spool\drivers\w32x86\3\DLBKUN5C.EXE
AddRemove-Science Trek 4, 5, 6 - c:\strek456\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-28 13:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-725345543-448539723-2147145749-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,74,2a,b1,5d,50,74,4b,4f,92,da,c9,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,74,2a,b1,5d,50,74,4b,4f,92,da,c9,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\windows\system32\ackpbsc.dll
c:\windows\system32\aclog.dll
c:\windows\system32\ACLIBEAY.dll
c:\windows\system32\acevtsub.dll
c:\windows\system32\asphat32.dll
c:\windows\system32\acerrmes.dll
c:\windows\system32\aspcom.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\acerrmrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\asphatrc.dll
c:\program files\ActivIdentity\ActivClient\acunlock.dll
c:\windows\system32\aipingui.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\aipinguirc.dll
c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\acunlockrc.dll

- - - - - - - > 'explorer.exe'(216)
c:\windows\system32\WININET.dll
c:\program files\Canon\OpHookSE4.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\ActivIdentity\ActivClient\acevents.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\FarStone\DriveClone Pro\CBP\DCSchdler.exe
c:\program files\FarStone\DriveClone Pro\EFB\EfbSchedule.exe
c:\program files\FarStone\DriveClone Pro\VerChk.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\program files\ActivIdentity\ActivClient\acevents.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-05-28 13:52:05 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-28 18:52

Pre-Run: 57,517,518,848 bytes free
Post-Run: 57,503,555,584 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - A2A2D9128EC96DD7F0659B89B6AF7990


#12 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:03:34 PM

Posted 28 May 2010 - 02:12 PM

Ok, that shows the problem. Please let me know in your next reply if the redirects have stopped.


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
FCopy::
c:\windows\ServicePackFiles\i386\user32.dll | c:\windows\system32\user32.dll
Driver::
efbDisk
MSSQL$MSSQLTMS
REMOVE
SQLAgent$MSSQLTMS
RegLock::
[HKEY_USERS\S-1-5-21-725345543-448539723-2147145749-500\Software\Microsoft\Internet Explorer\User Preferences]


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


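The four services named in the Driver:: section of the script above are the ones whose lines in the earlier ComboFix log end in [x] or [?] instead of a date/size stamp. As an added example, not part of this thread and not ComboFix's own code, here is a small Python parser for that service-list format that pulls such entries out of a log so a responder does not have to eyeball hundreds of lines. The six sample lines are copied in shape from the log; reading [x] and [?] as "binary not found or not verifiable" is my assumption about ComboFix's notation, and the function names are mine.

```python
import re

# Constructed sample in ComboFix's service-list shape:
#   "<start type> <name>;<display name>;<image path> [<date> <time> <size>]"
# The bracket holds a date/size stamp when ComboFix found the binary, and
# "[x]" or "[?]" when it did not (assumption about the notation, based on
# the entries in the log above). Six lines only, not the whole log.
SAMPLE_SERVICES = r"""
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [3/29/2010 5:12 PM 114984]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [3/29/2010 5:12 PM 810120]
S1 efbDisk;efbDisk; [x]
S2 MSSQL$MSSQLTMS;MSSQL$MSSQLTMS;c:\program files\Microsoft SQL Server\MSSQL$MSSQLTMS\Binn\sqlservr.exe -sMSSQLTMS --> c:\program files\Microsoft SQL Server\MSSQL$MSSQLTMS\Binn\sqlservr.exe -sMSSQLTMS [?]
S3 REMOVE;REMOVE;\??\c:\windows\system32\drivers\REMOVE.SYS --> c:\windows\system32\drivers\REMOVE.SYS [?]
S3 SQLAgent$MSSQLTMS;SQLAgent$MSSQLTMS;c:\program files\Microsoft SQL Server\MSSQL$MSSQLTMS\Binn\sqlagent.EXE -i MSSQLTMS --> c:\program files\Microsoft SQL Server\MSSQL$MSSQLTMS\Binn\sqlagent.EXE -i MSSQLTMS [?]
"""

LINE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
STAMP_RE = re.compile(r"\[(?P<stamp>[^\]]*)\]\s*$")


def parse_service_lines(text):
    """Parse ComboFix service/driver lines into dicts.

    Each dict has: start, name, display, path (the resolved side of any
    ' --> '), status ('ok', 'x' or '?') and size (int, or None when the
    binary was not found).
    """
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # headers, dots and blank lines are not service entries
        rest = m.group("rest")
        stamp_match = STAMP_RE.search(rest)
        stamp = stamp_match.group("stamp").strip() if stamp_match else ""
        path_part = rest[:stamp_match.start()] if stamp_match else rest
        # ComboFix prints "<registry value> --> <resolved path>"; keep the resolved side.
        path = path_part.split(" --> ")[-1].strip()
        if stamp in ("x", "?"):
            status, size = stamp, None
        else:
            status = "ok"
            size = int(stamp.split()[-1]) if stamp else None
        entries.append({
            "start": m.group("start"),
            "name": m.group("name"),
            "display": m.group("display"),
            "path": path,
            "status": status,
            "size": size,
        })
    return entries


def flag_suspect_services(text):
    """Names of services whose binary ComboFix could not stat ([x] or [?])."""
    return [e["name"] for e in parse_service_lines(text) if e["status"] != "ok"]


if __name__ == "__main__":
    for entry in parse_service_lines(SAMPLE_SERVICES):
        print(f'{entry["start"]} {entry["name"]:<22} {entry["status"]:<3} {entry["path"]}')
    print("flagged:", flag_suspect_services(SAMPLE_SERVICES))
```

A flagged entry is a lead, not a verdict: the two SQL Server services here are leftovers of an uninstalled product, while a service pointing at a driver that no longer exists (REMOVE.SYS) is the kind of orphan that deserves a closer look at what created it. Feed the function the whole log and review the short list it returns.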

#13 slacker35

slacker35
  • Topic Starter

  • Members
  • 30 posts
  • Local time:09:34 AM

Posted 28 May 2010 - 02:39 PM

Syler,
It worked!! No more redirects!! :))
May I ask what the problem was in layman's terms? What was it about my problem that regular Anti-Mal/Spyware was not able to find?
Am I clear to delete the diagnostic tools you had me download and install?
If I make a donation, do you know under what name the charge will be listed as on my bill?

Below is the last report from Combofix.

Thanks so much for the help!!! Wow!



ComboFix 10-05-28.01 - Administrator 05/28/2010 14:18:31.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1441 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 4.2 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\user32.dll --> c:\windows\system32\user32.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSSQL$MSSQLTMS
-------\Legacy_REMOVE
-------\Service_efbDisk
-------\Service_MSSQL$MSSQLTMS
-------\Service_REMOVE
-------\Service_SQLAgent$MSSQLTMS


((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-28 )))))))))))))))))))))))))))))))
.

2010-05-28 16:18 . 2010-05-28 16:18 -------- d-----w- C:\_OTL
2010-05-27 23:39 . 2010-05-27 23:39 0 ----a-w- c:\windows\nsreg.dat
2010-05-27 23:39 . 2010-05-27 23:39 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-05-27 21:32 . 2010-05-27 21:32 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ESET
2010-05-27 19:13 . 2010-05-27 19:13 -------- d-----w- c:\program files\ESET
2010-05-27 19:13 . 2010-05-27 19:13 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2010-05-27 03:27 . 2010-05-27 03:27 -------- d--h--w- c:\windows\PIF
2010-05-27 03:27 . 2010-05-27 03:27 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-27 03:26 . 2010-05-27 03:26 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Threat Expert
2010-05-27 03:26 . 2010-05-27 03:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-26 19:21 . 2010-05-21 19:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-26 05:05 . 2010-05-27 03:27 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-05-26 04:26 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-05-26 04:26 . 2009-08-07 00:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-05-26 03:23 . 2010-05-27 19:10 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-25 06:12 . 2010-05-27 03:26 -------- d-----w- c:\program files\SpywareBlaster
2010-05-24 00:09 . 2010-05-24 00:09 86792 ----a-w- c:\documents and settings\Administrator\Application Data\Gradkell Systems, Inc\DBsign Data Security Suite\UWC\lib\1.4.8.0\DcaJce.dll
2010-05-24 00:09 . 2010-05-24 00:09 333576 ----a-w- c:\documents and settings\Administrator\Application Data\Gradkell Systems, Inc\DBsign Data Security Suite\UWC\lib\1.4.8.0\GuiUtils.dll
2010-05-24 00:09 . 2010-05-24 00:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\Gradkell Systems, Inc
2010-05-23 20:09 . 2010-05-23 20:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-05-23 20:08 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-23 20:08 . 2010-05-23 20:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-23 20:08 . 2010-05-27 03:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-23 20:08 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-23 17:15 . 2010-05-23 17:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-23 16:47 . 2010-05-23 16:47 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-05-23 06:56 . 2001-08-17 18:52 18688 ----a-w- c:\windows\system32\drivers\cdaudio.sys
2010-05-02 02:58 . 2010-05-02 02:58 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2010-05-02 02:27 . 2010-05-02 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-28 19:23 . 2008-05-08 03:17 15360 ---h--w- C:\logicinf.bin
2010-05-27 21:28 . 2008-12-04 22:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2010-05-27 19:08 . 2008-12-03 04:56 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-05-27 18:27 . 2008-12-04 22:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2010-05-26 05:06 . 2008-05-08 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-26 02:23 . 2004-08-04 12:00 24576 ----a-w- c:\windows\system32\drivers\KBDCLASS.SYS
2010-04-29 00:37 . 2008-12-06 03:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2010-04-02 07:25 . 2010-02-20 18:58 755776 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-31 00:31 . 2008-05-14 03:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-29 22:13 . 2010-03-29 22:13 95872 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2010-03-29 22:12 . 2010-03-29 22:12 114984 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2010-03-29 22:07 . 2010-03-29 22:07 140216 ----a-w- c:\windows\system32\drivers\eamon.sys
2010-03-10 06:15 . 2004-08-04 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-05-28_18.47.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-28 19:23 . 2010-05-28 19:23 16384 c:\windows\Temp\Perflib_Perfdata_7a8.dat
- 2004-08-04 12:00 . 2010-05-28 18:16 75874 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2010-05-28 18:51 75874 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2010-05-28 18:51 453420 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2010-05-28 18:16 453420 c:\windows\system32\perfh009.dat
+ 2004-08-04 12:00 . 2008-04-14 00:12 578560 c:\windows\system32\dllcache\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\Canon\OpwareSE4.exe" [2007-06-13 73728]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2007-05-15 293168]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-28 149280]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-03-29 2145000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ActivClient Agent.lnk - c:\program files\ActivIdentity\ActivClient\acsagent.exe [2007-5-15 130864]
HP Button Manager.lnk - c:\program files\HP\Button Manager\BM.exe [2009-1-6 249856]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
2007-05-15 21:08 112640 ----a-w- c:\windows\system32\ackpbsc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2007-05-15 21:08 281088 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 dcsnap;dcsnap;c:\windows\system32\drivers\dcsnap.sys [5/7/2008 10:17 PM 108544]
R1 DCDisk;DCDisk;c:\windows\system32\drivers\DCDisk.sys [5/7/2008 10:17 PM 213120]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [3/29/2010 5:12 PM 114984]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [3/29/2010 5:13 PM 95872]
R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [5/15/2007 4:08 PM 182576]
R2 efbfs;Restore FarStone File Event Manager;c:\program files\FarStone\DriveClone Pro\EFB\efbfs.exe [5/7/2008 10:17 PM 24576]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [3/29/2010 5:12 PM 810120]
R2 FarStone RestoreIT Loader;FarStone RestoreIT Loader;c:\program files\FarStone\DriveClone Pro\fsloader.exe [4/27/2007 7:54 PM 90112]
R2 flbdisk;flbdisk;c:\windows\system32\drivers\flbdisk.sys [5/7/2008 10:17 PM 16896]
R2 flbrc;flbrc;c:\windows\system32\drivers\flbrc.sys [5/7/2008 10:17 PM 37632]
R3 SCRx31 USB Reader;SCRx31 USB Reader;c:\windows\system32\drivers\stc2.sys [1/11/2009 9:39 PM 56320]
S2 DCScheduler;DriveClone Scheduler;c:\program files\FarStone\DriveClone Pro\CBP\DCSchdlerSRVC.exe [5/7/2008 10:17 PM 98304]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: disa.mil\amc.csd
Trusted Zone: intuit.com\ttlc
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6ni38olh.default\
FF - plugin: c:\program files\Gradkell Systems, Inc\DBsign Data Security Suite\Common\Lib\npDbsGscInfo.dll
FF - plugin: c:\program files\Gradkell Systems, Inc\DBsign Data Security Suite\Common\Lib\npDBsignWeb.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-28 14:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\windows\system32\ackpbsc.dll
c:\windows\system32\aclog.dll
c:\windows\system32\ACLIBEAY.dll
c:\windows\system32\acevtsub.dll
c:\windows\system32\asphat32.dll
c:\windows\system32\acerrmes.dll
c:\windows\system32\aspcom.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\acerrmrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\asphatrc.dll
c:\program files\ActivIdentity\ActivClient\acunlock.dll
c:\windows\system32\aipingui.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\aipinguirc.dll
c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\acunlockrc.dll

- - - - - - - > 'explorer.exe'(844)
c:\windows\system32\WININET.dll
c:\program files\Canon\OpHookSE4.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\System32\SCardSvr.exe
c:\program files\ActivIdentity\ActivClient\acevents.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\FarStone\DriveClone Pro\CBP\DCSchdler.exe
c:\program files\FarStone\DriveClone Pro\EFB\EfbSchedule.exe
c:\program files\FarStone\DriveClone Pro\VerChk.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\program files\ActivIdentity\ActivClient\acevents.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-05-28 14:26:41 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-28 19:26
ComboFix2.txt 2010-05-28 18:52

Pre-Run: 57,497,198,592 bytes free
Post-Run: 57,387,278,336 bytes free

- - End Of File - - C51116B38074E32577F710B292947570



#14 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:03:34 PM

Posted 28 May 2010 - 03:40 PM

That's great news

QUOTE
May I ask what the problem was in layman's terms? What was it about my problem that regular Anti-Mal/Spyware was not able to find?


Basically it was a legitimate file that was patched by the malware. This makes it more difficult
for Anti-Mal/Spyware to find and fix because the file can't just be removed; it has to be replaced
with a good copy.

QUOTE
Am I clear to delete the diagnostic tools you had me download and install?


I would like to do one more check to make sure there is nothing else lurking; after that it will
be fine to remove any tools we have used, and I will give you some instructions on how to
do so.

QUOTE
If I make a donation, do you know under what name the charge will be listed as on my bill?


I am not really certain but I think it would show up as a paypal transaction.


You don't have the latest version of Java; you should run JavaRa to clean up any older Java, then
download and install the latest version from here.

Please download JavaRa and unzip it to your desktop.
Then Print these instructions as you won't have Internet access during this particular phase.

Close any instances of Internet Explorer before continuing
  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English or the appropriate language...and click on Select.
  • JavaRa will open; Select Remove Older Versions, click yes, then ok.
  • A logfile will pop up, you can close it.
  • Now select Additional Tasks and check the following:
    Remove Useless JRE Files
    Remove Startup Entry
  • Click Go then ok to all the prompts, once done restart your computer.



Please run a BitDefender Online Scan

Note: Only works with internet explorer
  • Click on the Start Scanner button.
  • Check I Agree to agree to the EULA, then click start here.
  • Allow the ActiveX control to install when prompted.
  • Click Start scan to begin scanning.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on more details, then click the detected problems tab and click, click here to export the scan report.
  • Save the report to your desktop as results.txt and post it in your next reply.


Then please post back here with the following logs:
  • Bitdefender report
  • New DDS log

Thanks


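syler's explanation above is that a legitimate file, user32.dll, was patched in place, which is why the script copied a fresh copy from c:\windows\ServicePackFiles\i386 over the one in system32. As an added example, not from this thread and not ComboFix's code, here is the check a responder can do before and after such a copy: hash the live file and the reference copies Windows keeps and compare the digests. The directory layout mirrors the two paths the script used plus the dllcache copy the log's snapshot shows; the file contents are constructed bytes in a temp directory, not real Windows binaries, and the function names are mine.

```python
import hashlib
import os
import tempfile

# Relative paths mirroring the layout the script above relies on: the live
# copy in system32 and the reference copies Windows keeps elsewhere.
LIVE = os.path.join("system32", "user32.dll")
REFERENCES = [
    os.path.join("ServicePackFiles", "i386", "user32.dll"),
    os.path.join("system32", "dllcache", "user32.dll"),
]


def sha256_of(path):
    """Stream a file through SHA-256; returns the hex digest, or None if unreadable."""
    try:
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        return h.hexdigest()
    except OSError:
        return None


def compare_live_to_references(root):
    """Hash the live binary and every reference copy under `root`.

    Returns the live digest, a per-reference match flag (True/False, or None
    when that reference is unreadable) and a verdict: 'clean' if every
    readable reference matches, 'patched' if any readable reference differs,
    'undetermined' if no reference could be read.
    """
    live_digest = sha256_of(os.path.join(root, LIVE))
    matches = {}
    for rel in REFERENCES:
        ref_digest = sha256_of(os.path.join(root, rel))
        if ref_digest is None or live_digest is None:
            matches[rel] = None
        else:
            matches[rel] = ref_digest == live_digest
    readable = [v for v in matches.values() if v is not None]
    if not readable:
        verdict = "undetermined"
    elif all(readable):
        verdict = "clean"
    else:
        verdict = "patched"
    return {"live_sha256": live_digest, "matches": matches, "verdict": verdict}


def build_constructed_tree(root, patch_live=True):
    """Write a miniature tree with constructed bytes (not real Windows DLLs).

    The patched live copy keeps the reference's exact length, so a size
    check, which is all the ComboFix listing shows, would not notice it.
    """
    pristine = b"MZ" + b"\x00" * 62 + b"constructed user32 reference body"
    patched = pristine[:-8] + b"HOOKED!!"  # same length, different bytes
    assert len(patched) == len(pristine)
    contents = {LIVE: patched if patch_live else pristine}
    for rel in REFERENCES:
        contents[rel] = pristine
    for rel, data in contents.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return contents


def demo(patch_live=True):
    """Build the constructed tree in a temp dir and run the comparison on it."""
    with tempfile.TemporaryDirectory() as root:
        build_constructed_tree(root, patch_live)
        return compare_live_to_references(root)


if __name__ == "__main__":
    print("live patched  ->", demo(patch_live=True)["verdict"])   # patched
    print("live pristine ->", demo(patch_live=False)["verdict"])  # clean
```

On a real machine the comparison is between c:\windows\system32\user32.dll and c:\windows\ServicePackFiles\i386\user32.dll (the two paths from the script). A mismatch is a lead rather than proof: a hotfix can legitimately leave system32 newer than the service-pack copy, and a reference copy can itself have been tampered with, so confirm against the file's digital signature or a known-good hash from a trusted source before replacing anything.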

#15 slacker35

slacker35
  • Topic Starter

  • Members
  • 30 posts
  • Local time:09:34 AM

Posted 28 May 2010 - 11:48 PM

Syler,
I had to leave for my mother-in-law's house for the weekend :( Will you please leave this thread open at least until Tuesday so I can finish up as you suggested in your last post?

Thank you



