
Possible keylogger?


  • This topic is locked
10 replies to this topic

#1 eal5b

eal5b

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:29 AM

Posted 30 May 2010 - 10:39 PM

One of my friends was trying to get me back into BitTorrent and was loading up one of the sites he uses when my computer got slammed with a number of things...Trojan.FraudPack, AV Suite, and a couple other items...Backdoor.Tidserv!inf was the most painstaking to remove.

After following a lot of the advice on this site and some others, those things seem to be gone (Malwarebytes and Norton AntiVirus scans now come up clean), and things seem to be working for the most part. I've already spent about two days trying to clean it all up. Throughout the process, HijackThis scans never really turned up anything unusual.

However, I ran a GMER scan during part of the process, and when I run it now it still comes up with some entries in the rootkit section--mainly items related to the keyboard, from what I understand. Some Google searches suggest that this indicates a keylogger.

Can someone help me sort this out? The GMER results are below. Thanks in advance...



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-30 21:09:50
Windows 5.1.2600 Service Pack 3
Running: t4x2ptzq.exe; Driver: C:\DOCUME~1\ERIC~1.SAM\LOCALS~1\Temp\ugtdypod.sys


---- System - GMER 1.0.15 ----

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF7535112]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF75142D6]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF75144C8]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF7535900]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF7535BB4]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF7533E12]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF7536020]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF75353D2]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF7513F44]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- EOF - GMER 1.0.15 ----

Edited by Orange Blossom, 31 May 2010 - 08:38 PM.
Moved to log forum given presence of GMER log and Tidserv. ~ OB
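The question in this post, whether the AttachedDevice entries under \Driver\Kbdclass point to a keylogger, comes down to checking what is attached to the keyboard device stack. The Python script below is an added example for readers of this thread; it is not part of the original post and not a GMER or BleepingComputer tool. It parses the Devices section of a GMER log, picks out the filter drivers attached to keyboard-class devices, and compares each one against an allowlist of drivers the analyst expects on that particular hardware. The allowlist (only SynTP.sys for Synaptics) and the entry example_unknown.sys in the sample are constructed assumptions, as is the sample log itself (its first four lines copy entries from this thread).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a "Devices" section in GMER 1.0.15 format. The first four
# lines copy entries from the log quoted in this thread; the last line is a
# made-up entry (example_unknown.sys) added to show how an unrecognised
# keyboard filter is reported.
SAMPLE_GMER_DEVICES = r"""
---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 example_unknown.sys

---- EOF - GMER 1.0.15 ----
"""

# Assumed allowlist: filter drivers the analyst expects on the keyboard stack of
# this particular laptop (a Synaptics touchpad driver here). Keys are lower-case
# module names; values are the vendor string GMER should report for them.
KNOWN_KEYBOARD_FILTERS: Dict[str, str] = {"syntp.sys": "Synaptics, Inc."}

# GMER prints: AttachedDevice <driver object> <device object> <module> (<description>/<vendor>)
# The parenthesised part is absent when GMER has no version information for the file.
ATTACHED_RE = re.compile(
    r"^AttachedDevice\s+(?P<driver>\\\S+)\s+(?P<device>\\\S+)\s+(?P<module>\S+)"
    r"(?:\s+\((?P<info>.*)\))?\s*$"
)


@dataclass
class AttachedDevice:
    driver: str        # driver object the filter belongs to, e.g. \Driver\Kbdclass
    device: str        # device object it is attached to, e.g. \Device\KeyboardClass0
    module: str        # file name of the filter driver
    description: Optional[str]
    company: Optional[str]


def parse_attached_devices(log_text: str) -> List[AttachedDevice]:
    """Return every AttachedDevice entry found in a GMER log."""
    devices = []
    for line in log_text.splitlines():
        m = ATTACHED_RE.match(line.strip())
        if not m:
            continue
        description = company = None
        info = m.group("info")
        if info:
            # GMER joins "<file description>/<company name>" with a slash; the
            # company itself may contain commas, so split on the last slash only.
            if "/" in info:
                description, company = info.rsplit("/", 1)
            else:
                description = info
        devices.append(AttachedDevice(m.group("driver"), m.group("device"),
                                      m.group("module"), description, company))
    return devices


def triage_keyboard_filters(devices: List[AttachedDevice],
                            allowlist: Dict[str, str] = KNOWN_KEYBOARD_FILTERS
                            ) -> List[Tuple[str, str, str]]:
    """Classify each filter attached under \\Driver\\Kbdclass.

    Returns (device, module, verdict) tuples, where verdict is one of
    'expected', 'unknown-module', 'no-vendor-info' or 'vendor-mismatch'.
    Anything other than 'expected' means: locate the file on disk and verify
    its publisher signature, path and hash before trusting it.
    """
    findings = []
    for d in devices:
        if d.driver.lower() != r"\driver\kbdclass":
            continue
        expected_vendor = allowlist.get(d.module.lower())
        if expected_vendor is None:
            verdict = "unknown-module"
        elif d.company is None:
            verdict = "no-vendor-info"
        elif d.company != expected_vendor:
            verdict = "vendor-mismatch"
        else:
            verdict = "expected"
        findings.append((d.device, d.module, verdict))
    return findings


if __name__ == "__main__":
    for device, module, verdict in triage_keyboard_filters(
            parse_attached_devices(SAMPLE_GMER_DEVICES)):
        print(f"{verdict:16} {module:24} on {device}")
```

Keyboard-class filter drivers are a normal part of Windows: touchpad and hotkey utilities attach to the KeyboardClass devices exactly the way a keylogger would, so an attached module is a lead, not a verdict. The script's output tells the analyst which files on the keyboard stack still need the usual checks (publisher signature, expected path, hash matched against the vendor's copy), and an "unknown-module" or "no-vendor-info" result is the point at which to do them.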



#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:29 AM

Posted 02 June 2010 - 06:52 PM

Hello.
My name is etavares and I will be helping you with this log.

Here are some guidelines to ensure we are able to get your machine back under your control.
  • Please do not run any unsupervised scans, fixes, etc. We can work against each other and end up in a worse place.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first. There's no harm in asking questions!
Backdoor Warning
One or more of the identified infections that you cleaned is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and is likely killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.

We need to create an OTL report:
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.
In your reply, please post both OTL logs.

Edited by etavares, 02 June 2010 - 06:53 PM.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#3 eal5b

eal5b
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:29 AM

Posted 03 June 2010 - 07:26 PM

OK, OTL scan results below:



OTL logfile created on: 6/3/2010 7:40:41 PM - Run 2
OTL by OldTimer - Version 3.2.5.1 Folder = C:\Documents and Settings\Eric.SAMIAM\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 479.00 Mb Available Physical Memory | 47.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 29.81 Gb Total Space | 7.25 Gb Free Space | 24.33% Space Free | Partition Type: NTFS
Drive D: | 14.96 Gb Total Space | 0.15 Gb Free Space | 0.97% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SAMIAM
Current User Name: Eric
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/05/30 11:24:54 | 000,571,392 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Eric.SAMIAM\Desktop\OTL.exe
PRC - [2010/01/22 09:56:24 | 000,112,592 | ---- | M] (Threat Expert Ltd.) -- C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
PRC - [2009/04/07 13:53:32 | 000,030,440 | ---- | M] () -- C:\Program Files\dcmsvc\dcmsvc.exe
PRC - [2008/10/20 10:32:54 | 002,768,896 | ---- | M] () -- C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
PRC - [2008/10/06 18:07:26 | 000,679,936 | ---- | M] (SAMSUNG Electronics) -- C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
PRC - [2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/02/28 18:00:10 | 000,170,520 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxext.exe
PRC - [2007/01/04 17:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2006/10/30 18:29:28 | 000,036,864 | ---- | M] () -- C:\Program Files\Samsung\Samsung Network Manager\SNMWLANService.exe
PRC - [2003/05/21 01:27:46 | 000,610,304 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
PRC - [2003/05/21 01:22:36 | 000,032,768 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
PRC - [2003/05/21 01:21:18 | 000,090,112 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\VPTray.exe


========== Modules (SafeList) ==========

MOD - [2010/05/30 11:24:54 | 000,571,392 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Eric.SAMIAM\Desktop\OTL.exe
MOD - [2008/04/14 08:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (PEVSystemStart)
SRV - [2010/04/04 00:24:47 | 001,265,264 | ---- | M] (Lavasoft) [On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2010/03/15 11:50:36 | 001,142,224 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdCoreService)
SRV - [2010/03/11 11:09:22 | 000,366,840 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdAuxService)
SRV - [2010/01/22 09:56:24 | 000,112,592 | ---- | M] (Threat Expert Ltd.) [Auto | Running] -- C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe -- (Browser Defender Update Service)
SRV - [2009/09/03 12:41:06 | 000,025,704 | R--- | M] (Amazon.com) [On_Demand | Stopped] -- C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe -- (ADVService)
SRV - [2008/05/13 12:44:00 | 000,077,480 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe -- (Samsung Update Plus)
SRV - [2007/01/04 17:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
SRV - [2006/10/30 18:29:28 | 000,036,864 | ---- | M] () [Auto | Running] -- C:\Program Files\samsung\Samsung Network Manager\SNMWLANService.exe -- (SNM WLAN Service)
SRV - [2003/05/21 01:27:46 | 000,610,304 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe -- (Norton AntiVirus Server)
SRV - [2003/05/21 01:22:36 | 000,032,768 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe -- (DefWatch)


========== Driver Services (SafeList) ==========

DRV - [2010/06/02 04:00:00 | 001,347,504 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100602.002\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/06/02 04:00:00 | 000,085,552 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100602.002\NAVENG.SYS -- (NAVENG)
DRV - [2010/03/29 10:06:14 | 000,218,592 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2010/02/04 11:53:02 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2010/01/06 15:09:40 | 001,596,768 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\athw.sys -- (AR5416)
DRV - [2008/09/23 16:23:58 | 000,238,464 | ---- | M] (Vimicro Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VMC326.sys -- (VMC326)
DRV - [2008/08/28 14:18:14 | 000,224,736 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2008/08/26 19:35:00 | 004,753,920 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/06/27 04:02:00 | 000,289,024 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2008/04/22 14:44:08 | 000,073,496 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2008/04/14 08:00:00 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/02/15 16:12:06 | 005,854,752 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2008/01/14 23:01:02 | 000,030,208 | ---- | M] (Samsung Electronics,.LTD) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SamsungEDS.SYS -- (DNSeFilter)
DRV - [2007/03/31 16:02:42 | 000,876,384 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2007/03/23 13:50:42 | 000,067,960 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2006/10/30 18:29:28 | 000,019,840 | ---- | M] (Samsung) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SUE_PD.sys -- (SUEPD)
DRV - [2005/10/27 00:18:05 | 000,004,300 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\MEMIO.SYS -- (DOSMEMIO)
DRV - [2003/05/02 21:08:22 | 000,030,208 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Navapel.sys -- (NAVAPEL)
DRV - [2003/05/02 21:08:18 | 000,224,256 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Navap.sys -- (NAVAP)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-3518292144-488959563-767666870-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://us.mc532.mail.yahoo.com/mc/welcome?...d=8nt39d8afg4vo
IE - HKU\S-1-5-21-3518292144-488959563-767666870-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3518292144-488959563-767666870-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://us.mc532.mail.yahoo.com/mc/welcome?.gx=1&.rand=8nt39d8afg4vo"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7
FF - prefs.js..network.proxy.no_proxies_on: "localhost,127.0.0.1"

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/31 12:21:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/06/01 12:44:24 | 000,000,000 | ---D | M]

[2010/05/31 12:21:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eric.SAMIAM\Application Data\Mozilla\Extensions
[2010/06/03 19:37:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eric.SAMIAM\Application Data\Mozilla\Firefox\Profiles\xjyyu047.default\extensions
[2010/06/01 13:03:33 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Eric.SAMIAM\Application Data\Mozilla\Firefox\Profiles\xjyyu047.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/05/31 12:18:56 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/05/30 11:20:38 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (PC Tools Browser Guard BHO) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O3 - HKLM\..\Toolbar: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O3 - HKU\S-1-5-21-3518292144-488959563-767666870-1005\..\Toolbar\WebBrowser: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O4 - HKLM..\Run: [BatteryManager] C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe ()
O4 - HKLM..\Run: [dcmsvc] C:\Program Files\dcmsvc\dcmsvc.exe ()
O4 - HKLM..\Run: [DMHotKey] C:\Program Files\Samsung\Easy Display Manager\DMLoader.exe (SAMSUNG Electronics)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKU\S-1-5-21-3518292144-488959563-767666870-1005..\Run: [Aim] C:\Program Files\AIM\aim.exe (AOL Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3518292144-488959563-767666870-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3518292144-488959563-767666870-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-3518292144-488959563-767666870-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-3518292144-488959563-767666870-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.1...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/C/0...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.10.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll ()
O24 - Desktop WallPaper: C:\Documents and Settings\Eric.SAMIAM\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Eric.SAMIAM\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/11/11 19:32:14 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/02/13 01:54:50 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe - (Broadcom Corporation.)
MsConfig - StartUpFolder: C:^Documents and Settings^Eric.SAMIAM^Start Menu^Programs^Startup^Warner Bros.lnk - C:\Program Files\Warner Bros. Digital Copy Manager\Warner Bros. Digital Copy Manager.exe - ()
MsConfig - StartUpReg: Adobe Reader Speed Launcher - hkey= - key= - C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: Alcmtr - hkey= - key= - C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
MsConfig - StartUpReg: DMHotKey - hkey= - key= - C:\Program Files\Samsung\Easy Display Manager\DMLoader.exe (SAMSUNG Electronics)
MsConfig - StartUpReg: EDS - hkey= - key= - C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe (Samsung Electronics,.LTD)
MsConfig - StartUpReg: IMJPMIG8.1 - hkey= - key= - C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
MsConfig - StartUpReg: iTunesHelper - hkey= - key= - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
MsConfig - StartUpReg: MagicKeyboard - hkey= - key= - C:\Program Files\Samsung\MagicKBD\PreMKbd.exe ()
MsConfig - StartUpReg: MSPY2002 - hkey= - key= - File not found
MsConfig - StartUpReg: Persistence - hkey= - key= - File not found
MsConfig - StartUpReg: PHIME2002A - hkey= - key= - File not found
MsConfig - StartUpReg: PHIME2002ASync - hkey= - key= - File not found
MsConfig - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
MsConfig - StartUpReg: RTHDCPL - hkey= - key= - C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)
MsConfig - StartUpReg: SamsungWInClon - hkey= - key= - C:\Program Files\Samsung\Samsung Recovery Solution III\WCScheduler.exe ()
MsConfig - StartUpReg: SunJavaUpdateSched - hkey= - key= - C:\Program Files\Java\jre1.5.0\bin\jusched.exe (Sun Microsystems, Inc.)
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 2
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 2

ActiveX: {03F998B2-0E00-11D3-A498-00104B6EB52E} - Viewpoint Media Player
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - Viewpoint Media Player
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.7
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {ACC563BC-4266-43f0-B6ED-9D38C4202C7E} -
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.yv12 - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)
Unable to start service SrService!

========== Files/Folders - Created Within 90 Days ==========

[2010/05/31 12:21:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eric.SAMIAM\Local Settings\Application Data\Mozilla
[2010/05/31 12:21:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eric.SAMIAM\Application Data\Mozilla
[2010/05/31 12:18:51 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010/05/30 14:51:23 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/05/30 14:50:50 | 000,000,000 | --SD | C] -- C:\Combo-Fix
[2010/05/30 13:23:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/05/30 13:12:00 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/05/30 12:32:40 | 000,571,392 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Eric.SAMIAM\Desktop\OTL.exe
[2010/05/30 11:47:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/05/30 11:01:00 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/05/30 11:01:00 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/05/30 11:01:00 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/05/30 11:01:00 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/05/30 11:00:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/05/29 17:46:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eric.SAMIAM\Local Settings\Application Data\Symantec
[2010/05/29 17:45:49 | 000,083,208 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2010/05/29 17:45:49 | 000,073,496 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2010/05/29 17:44:45 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec_Client_Security
[2010/05/29 12:17:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eric.SAMIAM\Local Settings\Application Data\Threat Expert
[2010/05/29 02:12:53 | 000,149,456 | ---- | C] (PC Tools) -- C:\WINDOWS\SGDetectionTool.dll
[2010/05/29 02:12:52 | 001,652,688 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDCore.dll
[2010/05/29 02:12:51 | 000,165,840 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDRes.dll
[2010/05/29 02:12:21 | 000,233,136 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctgntdi.sys
[2010/05/29 02:11:58 | 000,218,592 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTCore.sys
[2010/05/29 02:11:58 | 000,088,040 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTAppEvent.sys
[2010/05/29 02:11:10 | 000,063,360 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctplsg.sys
[2010/05/29 02:09:58 | 000,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor
[2010/05/29 02:09:58 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2010/05/29 02:09:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eric.SAMIAM\Application Data\PC Tools
[2010/05/29 02:09:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2010/05/29 02:09:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/05/28 04:14:57 | 027,469,615 | ---- | C] (20/20 Software Inc.) -- C:\Documents and Settings\Eric.SAMIAM\Desktop\ITC NAV 8.1.exe
[2010/05/28 01:45:30 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/05/28 01:45:22 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/05/28 01:36:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eric.SAMIAM\Local Settings\Application Data\sjtgnnpgc
[2010/05/11 23:03:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eric.SAMIAM\Local Settings\Application Data\AIM
[2010/05/11 23:03:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AIM
[2010/05/11 23:02:51 | 000,000,000 | ---D | C] -- C:\Program Files\AIM
[2010/05/11 23:02:49 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Software Update Utility
[2010/04/18 23:12:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eric.SAMIAM\Desktop\AIM
[2010/04/11 12:41:49 | 000,000,000 | ---D | C] -- C:\Program Files\dcmsvc
[2010/04/11 12:41:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eric.SAMIAM\Application Data\com.warnerbros.DigitalCopyManager.449F66ACC381FDC604DC2AA255FEECEEBBBEE1E5.1
[2010/04/11 12:40:55 | 000,000,000 | ---D | C] -- C:\Program Files\Warner Bros. Digital Copy Manager
[2010/04/11 12:40:28 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2010/04/10 17:49:16 | 000,000,000 | ---D | C] -- C:\Program Files\Marvell
[2010/04/05 21:50:44 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/04/05 21:50:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/04/04 19:03:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eric.SAMIAM\Application Data\Malwarebytes
[2010/04/04 19:01:03 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/04 19:01:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/04/04 18:52:22 | 005,918,800 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Eric.SAMIAM\Desktop\mbam-setup.exe
[2010/04/04 00:26:13 | 000,064,288 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2010/04/04 00:26:01 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/04/04 00:20:21 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
[2010/04/04 00:18:34 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2010/04/04 00:18:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2010/04/03 15:24:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eric.SAMIAM\Application Data\ArcSoft
[2010/04/03 15:21:36 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\ArcSoft
[2010/04/03 15:21:35 | 000,000,000 | ---D | C] -- C:\Program Files\ArcSoft
[2010/03/26 21:13:22 | 000,000,000 | ---D | C] -- C:\AudioConverter
[2010/03/26 21:00:13 | 000,356,352 | ---- | C] (Gabest) -- C:\WINDOWS\System32\RealMediaSplitter.ax
[2010/03/26 21:00:09 | 000,000,000 | ---D | C] -- C:\Program Files\easetech
[2010/03/26 20:59:22 | 002,952,541 | ---- | C] ( ) -- C:\Documents and Settings\Eric.SAMIAM\Desktop\audioconverter.exe
[2010/03/21 13:52:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eric.SAMIAM\Desktop\photos
[2010/03/21 13:50:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eric.SAMIAM\Desktop\Recovered
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/06/03 00:45:40 | 004,456,448 | -H-- | M] () -- C:\Documents and Settings\Eric.SAMIAM\NTUSER.DAT
[2010/06/01 12:44:19 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/01 12:44:16 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/01 12:44:14 | 1063,702,528 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/31 12:21:38 | 000,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat
[2010/05/30 23:01:36 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Eric.SAMIAM\ntuser.ini
[2010/05/30 23:01:21 | 004,840,452 | -H-- | M] () -- C:\Documents and Settings\Eric.SAMIAM\Local Settings\Application Data\IconCache.db
[2010/05/30 14:13:30 | 000,696,082 | ---- | M] () -- C:\Documents and Settings\Eric.SAMIAM\Desktop\Backdoor_Tidserv!inf detected.mht
[2010/05/30 13:19:33 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/05/30 13:12:30 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/05/30 12:12:06 | 003,700,932 | R--- | M] () -- C:\Documents and Settings\Eric.SAMIAM\Desktop\Combo-Fix.exe
[2010/05/30 11:24:54 | 000,571,392 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Eric.SAMIAM\Desktop\OTL.exe
[2010/05/30 11:20:38 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/05/30 01:25:20 | 003,700,645 | R--- | M] () -- C:\Documents and Settings\Eric.SAMIAM\Desktop\Schrauber.exe
[2010/05/30 01:10:04 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Eric.SAMIAM\Desktop\t4x2ptzq.exe
[2010/05/29 19:17:05 | 000,000,000 | ---- | M] () -- C:\WINDOWS\VPC32.INI
[2010/05/29 17:42:33 | 000,124,167 | ---- | M] () -- C:\WINDOWS\System32\SYMEVNT.386
[2010/05/29 17:42:33 | 000,083,208 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2010/05/29 17:42:33 | 000,073,496 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2010/05/29 02:11:43 | 000,001,637 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk
[2010/05/28 01:45:34 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/22 12:59:14 | 000,259,072 | ---- | M] () -- D:\My Documents\Accounting.xls
[2010/05/19 08:33:24 | 000,001,832 | -H-- | M] () -- D:\My Documents\Default.rdp
[2010/05/12 21:58:00 | 000,000,507 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/05/12 21:58:00 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/05/12 08:06:30 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/05/11 23:04:01 | 000,001,392 | -H-- | M] () -- C:\IPH.PH
[2010/05/10 00:34:36 | 000,111,616 | ---- | M] () -- C:\Documents and Settings\Eric.SAMIAM\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2010/04/16 23:40:04 | 000,027,136 | ---- | M] () -- D:\My Documents\Duplicates.doc
[2010/04/16 20:35:06 | 000,045,568 | ---- | M] () -- D:\My Documents\April Accounting.xls
[2010/04/10 18:44:39 | 000,508,780 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/04/10 18:44:39 | 000,432,924 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/04/10 18:44:39 | 000,067,714 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/04/10 16:15:42 | 000,117,197 | ---- | M] () -- D:\My Documents\TurboReturn10.pdf
[2010/04/08 23:11:25 | 000,000,398 | ---- | M] () -- C:\WINDOWS\AudioConverter.INI
[2010/04/08 23:08:24 | 000,000,032 | ---- | M] () -- C:\WINDOWS\aceg.ini
[2010/04/08 23:04:44 | 000,003,019 | ---- | M] () -- C:\WINDOWS\EaseAudioConverter.ini
[2010/04/08 14:29:32 | 000,063,360 | ---- | M] (PC Tools) -- C:\WINDOWS\System32\drivers\pctplsg.sys
[2010/04/05 21:50:52 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\Eric.SAMIAM\Desktop\Spybot - Search & Destroy.lnk
[2010/04/05 08:39:44 | 000,000,502 | ---- | M] () -- C:\Documents and Settings\Eric.SAMIAM\Desktop\HijackThis.exe.lnk
[2010/04/04 22:56:16 | 000,000,813 | ---- | M] () -- C:\Documents and Settings\Eric.SAMIAM\Desktop\kSyrAm2eY.exe.lnk
[2010/04/04 21:59:22 | 000,000,637 | ---- | M] () -- C:\Documents and Settings\Eric.SAMIAM\Desktop\VirtualDub.exe.lnk
[2010/04/04 18:52:22 | 005,918,800 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Eric.SAMIAM\Desktop\mbam-setup.exe
[2010/04/04 00:25:55 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/04/04 00:25:47 | 000,015,880 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/03/29 10:06:14 | 000,218,592 | ---- | M] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTCore.sys
[2010/03/26 20:59:28 | 002,952,541 | ---- | M] ( ) -- C:\Documents and Settings\Eric.SAMIAM\Desktop\audioconverter.exe
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/31 12:21:38 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/05/30 15:22:41 | 1063,702,528 | -HS- | C] () -- C:\hiberfil.sys
[2010/05/30 14:14:49 | 000,696,082 | ---- | C] () -- C:\Documents and Settings\Eric.SAMIAM\Desktop\Backdoor_Tidserv!inf detected.mht
[2010/05/30 13:12:30 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/05/30 13:12:01 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/05/30 12:32:40 | 003,700,932 | R--- | C] () -- C:\Documents and Settings\Eric.SAMIAM\Desktop\Combo-Fix.exe
[2010/05/30 11:01:00 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/05/30 11:01:00 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/05/30 11:01:00 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/05/30 11:01:00 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/05/30 11:01:00 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/05/30 09:19:26 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Eric.SAMIAM\Desktop\t4x2ptzq.exe
[2010/05/30 09:19:25 | 003,700,645 | R--- | C] () -- C:\Documents and Settings\Eric.SAMIAM\Desktop\Schrauber.exe
[2010/05/29 19:17:05 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2010/05/29 17:45:49 | 000,124,167 | ---- | C] () -- C:\WINDOWS\System32\SYMEVNT.386
[2010/05/29 02:12:55 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll
[2010/05/29 02:12:53 | 000,000,882 | ---- | C] () -- C:\WINDOWS\RegSDImport.xml
[2010/05/29 02:12:53 | 000,000,879 | ---- | C] () -- C:\WINDOWS\RegISSImport.xml
[2010/05/29 02:12:52 | 001,152,444 | ---- | C] () -- C:\WINDOWS\UDB.zip
[2010/05/29 02:12:52 | 000,000,131 | ---- | C] () -- C:\WINDOWS\IDB.zip
[2010/05/29 02:12:21 | 000,007,387 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctgntdi.cat
[2010/05/29 02:11:58 | 000,007,412 | ---- | C] () -- C:\WINDOWS\System32\drivers\PCTAppEvent.cat
[2010/05/29 02:11:58 | 000,007,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctcore.cat
[2010/05/29 02:11:43 | 000,001,637 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk
[2010/05/29 02:11:10 | 000,007,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctplsg.cat
[2010/05/28 01:45:34 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/16 23:40:02 | 000,027,136 | ---- | C] () -- D:\My Documents\Duplicates.doc
[2010/04/13 21:41:47 | 000,000,345 | ---- | C] () -- C:\Documents and Settings\Eric.SAMIAM\hubsvclog.txt
[2010/04/10 16:15:39 | 000,117,197 | ---- | C] () -- D:\My Documents\TurboReturn10.pdf
[2010/04/05 21:50:52 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\Eric.SAMIAM\Desktop\Spybot - Search & Destroy.lnk
[2010/04/05 08:39:44 | 000,000,502 | ---- | C] () -- C:\Documents and Settings\Eric.SAMIAM\Desktop\HijackThis.exe.lnk
[2010/04/04 22:56:16 | 000,000,813 | ---- | C] () -- C:\Documents and Settings\Eric.SAMIAM\Desktop\kSyrAm2eY.exe.lnk
[2010/04/04 21:59:20 | 000,000,637 | ---- | C] () -- C:\Documents and Settings\Eric.SAMIAM\Desktop\VirtualDub.exe.lnk
[2010/04/04 01:17:41 | 000,015,880 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/03/26 22:58:45 | 000,000,398 | ---- | C] () -- C:\WINDOWS\AudioConverter.INI
[2010/03/26 21:00:13 | 000,003,019 | ---- | C] () -- C:\WINDOWS\EaseAudioConverter.ini
[2010/03/26 21:00:13 | 000,000,032 | ---- | C] () -- C:\WINDOWS\aceg.ini
[2009/03/28 15:25:00 | 000,000,135 | R--- | C] () -- C:\WINDOWS\System32\lngEng.ini
[2009/03/28 15:25:00 | 000,000,117 | ---- | C] () -- C:\WINDOWS\System32\lngKor.ini
[2009/02/14 00:09:20 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/02/12 09:18:33 | 000,001,520 | ---- | C] () -- C:\WINDOWS\System32\Eric_KBD.ini
[2009/01/05 14:35:19 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/11/11 19:44:21 | 000,001,522 | ---- | C] () -- C:\WINDOWS\System32\MagicKBD.INI
[2008/11/11 19:44:21 | 000,001,520 | ---- | C] () -- C:\WINDOWS\System32\Owner_KBD.ini
[2008/11/11 19:44:18 | 000,003,425 | ---- | C] () -- C:\WINDOWS\System32\KBDR.INI
[2008/11/11 19:44:18 | 000,002,741 | ---- | C] () -- C:\WINDOWS\System32\KBDD.INI
[2008/11/11 19:44:18 | 000,002,699 | ---- | C] () -- C:\WINDOWS\System32\KBDO.INI
[2008/11/11 19:44:18 | 000,002,699 | ---- | C] () -- C:\WINDOWS\System32\KBDC.INI
[2008/11/11 19:44:18 | 000,002,606 | ---- | C] () -- C:\WINDOWS\System32\KBDB.INI
[2008/11/11 19:44:18 | 000,002,236 | ---- | C] () -- C:\WINDOWS\System32\KBDQ.INI
[2008/11/11 19:44:18 | 000,001,956 | ---- | C] () -- C:\WINDOWS\System32\KBDE.INI
[2008/11/11 19:44:18 | 000,001,885 | ---- | C] () -- C:\WINDOWS\System32\KBDP.INI
[2008/11/11 19:44:18 | 000,001,857 | ---- | C] () -- C:\WINDOWS\System32\KBDUU.INI
[2008/11/11 19:44:18 | 000,001,835 | ---- | C] () -- C:\WINDOWS\System32\KBDG.INI
[2008/11/11 19:44:18 | 000,001,835 | ---- | C] () -- C:\WINDOWS\System32\KBDA.INI
[2008/11/11 19:44:18 | 000,001,834 | ---- | C] () -- C:\WINDOWS\System32\KBDU.INI
[2008/11/11 19:44:18 | 000,001,819 | ---- | C] () -- C:\WINDOWS\System32\KBDN.INI
[2008/11/11 19:44:18 | 000,001,699 | ---- | C] () -- C:\WINDOWS\System32\KBDT.INI
[2008/11/11 19:44:18 | 000,001,697 | ---- | C] () -- C:\WINDOWS\System32\KBDV.INI
[2008/11/11 19:44:18 | 000,001,522 | ---- | C] () -- C:\WINDOWS\System32\KBDS.INI
[2008/11/11 19:44:18 | 000,001,476 | ---- | C] () -- C:\WINDOWS\System32\KBDF.INI
[2008/11/11 19:38:50 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2008/11/11 19:36:16 | 000,004,300 | ---- | C] () -- C:\WINDOWS\System32\MEMIO.SYS
[2008/11/11 18:12:32 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2008/11/06 12:37:32 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/11/06 12:34:00 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2007/04/01 10:00:28 | 002,842,624 | ---- | C] () -- C:\WINDOWS\System32\btwicons.dll
[2007/04/01 09:41:52 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll
[2005/02/17 13:41:32 | 000,000,603 | ---- | C] () -- C:\WINDOWS\System32\BTNeighborhood.dll.manifest
[2005/02/17 13:41:30 | 000,000,593 | ---- | C] () -- C:\WINDOWS\System32\btcss.dll.manifest
[2003/05/21 01:19:00 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\NavLogon.dll
[2001/11/14 14:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

========== LOP Check ==========

[2009/03/11 08:49:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\acccore
[2010/05/11 23:03:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AIM
[2009/11/21 02:05:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Amazon
[2010/06/03 19:27:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/06/17 20:35:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/02/13 01:36:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WLAN
[2009/04/05 21:51:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
[2010/04/04 00:20:32 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
[2009/03/10 00:08:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eric.SAMIAM\Application Data\acccore
[2009/02/17 01:33:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eric.SAMIAM\Application Data\Amazon
[2010/04/11 12:41:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eric.SAMIAM\Application Data\com.warnerbros.DigitalCopyManager.449F66ACC381FDC604DC2AA255FEECEEBBBEE1E5.1
[2010/03/27 11:17:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eric.SAMIAM\Application Data\Facebook
[2009/02/15 17:40:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eric.SAMIAM\Application Data\XnView

========== Purity Check ==========



========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/04/14 08:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/04/14 08:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp3.cab:AGP440.sys

< MD5 for: ATAPI.SYS >
[2008/04/14 08:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 08:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp3.cab:atapi.sys
[2008/04/14 04:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/14 04:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/14 04:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2008/04/14 08:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 08:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/14 08:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/04/14 08:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 08:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/14 08:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008/04/14 08:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008/04/14 08:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/14 08:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2008/04/14 08:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

========== Alternate Data Streams ==========

@Alternate Data Stream - 163 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >


#4 etavares (Malware Response Team)

Posted 04 June 2010 - 06:01 AM

Hello, eal5b.

Ok, you did have a backdoor rootkit based on your first post, so I'll give you the warning below. The GMER log is clean. There are a few things we can clean up, and further secure, though.

EDIT: one other question...any symptoms of the virus remaining? Like redirects?

Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.



Viewpoint (foistware) Warning

I see Viewpoint is installed on your machine. Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Go to the Control Panel, then Add or Remove Programs, and uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Step 1

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • ERUNT will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.



Step 2

You have the most recent version of Java (1.6 update 20) installed, but you also have an older version that could be exploited. Please go to Add/Remove Programs and remove any older versions of Java then reboot.



Step 3

We need to run an OTL Script
  1. Please download OTL from one of the following mirrors if you do not still have it.
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Paste the following code under the Custom Scans/Fixes box at the bottom. Do not include the word "Code".
    CODE
    :Files
    C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
    :Reg
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
    :OTL
    @Alternate Data Stream - 163 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
    @Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
  5. Click the Run Fix button at the top.
  6. Let the program run unhindered and reboot when it is done.
  7. You will get a log when it is done, please post that in your reply.
  8. Please then create a new OTL report....
  9. Click the "Scan All Users" checkbox.
  10. Push the button.
  11. A report will open, copy and paste it in a reply here.
etavares

Edited by etavares, 04 June 2010 - 06:02 AM.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
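As an added illustration (not code from this thread, from OTL or from its author), here is a small Python triage parser for the two OTL line shapes that the fix in post #4 acts on: the bracketed file/folder listing and the "@Alternate Data Stream" lines. The regexes are written from the line formats visible in the logs above; the flagging rules are assumed heuristics chosen to mirror what that fix targeted (a hidden GUID-named folder and two ADS entries under All Users\Application Data), and the sample lines are copied from the posted log.

```python
"""Triage helper for OTL file-listing output (added example, not OTL's own code).

Line shapes handled (taken from the posted log):
  [2010/04/04 00:20:21 | 000,000,000 | -H-D | C] -- C:\\...\\{GUID}
  [2010/05/30 11:01:00 | 000,212,480 | ---- | C] (SteelWerX) -- C:\\WINDOWS\\SWXCACLS.exe
  @Alternate Data Stream - 163 bytes -> C:\\...\\TEMP:DFC5A2B2
The triage rules are assumptions: they produce a review list, not a verdict.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Attribute field is four chars drawn from R/H/S/D and '-'; the company field
# in parentheses is absent on directory lines and may be empty ("()").
FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attr>[A-Z-]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+?)\s*$"
)
ADS_RE = re.compile(
    r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+):(?P<stream>[^:\\]+)$"
)
GUID_DIR_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
SYSTEM_BINARY_EXT = (".exe", ".dll", ".sys", ".ax", ".acm", ".ocx")


@dataclass
class Entry:
    path: str
    is_dir: bool
    hidden: bool
    company: Optional[str]          # None = no company field printed at all
    size: int
    ads_stream: Optional[str] = None


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a file/dir or ADS line; None for any other line."""
    m = FILE_RE.match(line)
    if m:
        attr = m.group("attr")
        company = m.group("company")
        return Entry(
            path=m.group("path"),
            is_dir="D" in attr,
            hidden="H" in attr,
            company=None if company is None else company.strip(),
            size=int(m.group("size").replace(",", "")),
        )
    m = ADS_RE.match(line)
    if m:
        return Entry(path=m.group("path"), is_dir=False, hidden=False,
                     company=None, size=int(m.group("size")),
                     ads_stream=m.group("stream"))
    return None


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def triage(entry: Entry) -> List[str]:
    """Assumed review heuristics; each string is a reason to look closer."""
    reasons = []
    low = entry.path.lower()
    if entry.ads_stream is not None:
        reasons.append("alternate data stream")
    if entry.is_dir and entry.hidden and GUID_DIR_RE.match(basename(entry.path)):
        reasons.append("hidden GUID-named directory")
    if (not entry.is_dir and low.startswith("c:\\windows\\")
            and low.endswith(SYSTEM_BINARY_EXT) and not entry.company):
        reasons.append("binary under %SystemRoot% with empty company field")
    return reasons


def triage_log(text: str) -> List[Tuple[str, List[str]]]:
    """Run every parseable line through triage(); return (path, reasons) pairs."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line.strip())
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            findings.append((entry.path, reasons))
    return findings


# Constructed sample: lines copied from the OTL log posted above.
SAMPLE_LOG = r"""
[2010/04/04 00:20:21 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
[2010/05/30 11:01:00 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/05/30 11:01:00 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/04/04 18:52:22 | 005,918,800 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Eric.SAMIAM\Desktop\mbam-setup.exe
[2010/06/01 12:44:14 | 1063,702,528 | -HS- | M] () -- C:\hiberfil.sys
@Alternate Data Stream - 163 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >
"""

if __name__ == "__main__":
    for path, reasons in triage_log(SAMPLE_LOG):
        print(f"{path}\n    {', '.join(reasons)}")
```

The empty-company rule is deliberately noisy: helper tools such as sed.exe dropped by the cleanup utilities in this thread carry no company string, so its output is a list to reconcile against what you installed, not a list of infections.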


#5 eal5b (Topic Starter)

Posted 05 June 2010 - 07:12 AM

etavares,

Here's the OTL fix log (will now run the regular scan):

========== FILES ==========
C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6} folder moved successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync\ deleted successfully.
========== OTL ==========
ADS C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8 deleted successfully.

OTL by OldTimer - Version 3.2.5.3 log created on 06052010_080737


#6 eal5b (Topic Starter)

Posted 05 June 2010 - 09:20 AM

And the latest OTL log:


OTL logfile created on: 6/5/2010 8:15:48 AM - Run 4
OTL by OldTimer - Version 3.2.5.3 Folder = C:\Documents and Settings\Eric.SAMIAM\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 582.00 Mb Available Physical Memory | 57.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 29.81 Gb Total Space | 7.22 Gb Free Space | 24.24% Space Free | Partition Type: NTFS
Drive D: | 14.96 Gb Total Space | 0.14 Gb Free Space | 0.96% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SAMIAM
Current User Name: Eric
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/06/03 20:42:16 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Eric.SAMIAM\Desktop\OTL.exe
PRC - [2010/01/22 09:56:24 | 000,112,592 | ---- | M] (Threat Expert Ltd.) -- C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
PRC - [2009/04/07 13:53:32 | 000,030,440 | ---- | M] () -- C:\Program Files\dcmsvc\dcmsvc.exe
PRC - [2008/10/20 10:32:54 | 002,768,896 | ---- | M] () -- C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
PRC - [2008/10/06 18:07:26 | 000,679,936 | ---- | M] (SAMSUNG Electronics) -- C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
PRC - [2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/02/28 18:00:10 | 000,170,520 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxext.exe
PRC - [2006/10/30 18:29:28 | 000,036,864 | ---- | M] () -- C:\Program Files\Samsung\Samsung Network Manager\SNMWLANService.exe
PRC - [2003/05/21 01:27:46 | 000,610,304 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
PRC - [2003/05/21 01:22:36 | 000,032,768 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
PRC - [2003/05/21 01:21:18 | 000,090,112 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\VPTray.exe


========== Modules (SafeList) ==========

MOD - [2010/06/03 20:42:16 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Eric.SAMIAM\Desktop\OTL.exe
MOD - [2008/04/14 08:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (PEVSystemStart)
SRV - [2010/04/04 00:24:47 | 001,265,264 | ---- | M] (Lavasoft) [On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2010/03/15 11:50:36 | 001,142,224 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdCoreService)
SRV - [2010/03/11 11:09:22 | 000,366,840 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdAuxService)
SRV - [2010/01/22 09:56:24 | 000,112,592 | ---- | M] (Threat Expert Ltd.) [Auto | Running] -- C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe -- (Browser Defender Update Service)
SRV - [2009/09/03 12:41:06 | 000,025,704 | R--- | M] (Amazon.com) [On_Demand | Stopped] -- C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe -- (ADVService)
SRV - [2008/05/13 12:44:00 | 000,077,480 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe -- (Samsung Update Plus)
SRV - [2006/10/30 18:29:28 | 000,036,864 | ---- | M] () [Auto | Running] -- C:\Program Files\samsung\Samsung Network Manager\SNMWLANService.exe -- (SNM WLAN Service)
SRV - [2003/05/21 01:27:46 | 000,610,304 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe -- (Norton AntiVirus Server)
SRV - [2003/05/21 01:22:36 | 000,032,768 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe -- (DefWatch)


========== Driver Services (SafeList) ==========

DRV - [2010/06/04 04:00:00 | 001,347,504 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100604.006\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/06/04 04:00:00 | 000,085,552 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100604.006\NAVENG.SYS -- (NAVENG)
DRV - [2010/03/29 10:06:14 | 000,218,592 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2010/02/04 11:53:02 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2010/01/06 15:09:40 | 001,596,768 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\athw.sys -- (AR5416)
DRV - [2008/09/23 16:23:58 | 000,238,464 | ---- | M] (Vimicro Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VMC326.sys -- (VMC326)
DRV - [2008/08/28 14:18:14 | 000,224,736 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2008/08/26 19:35:00 | 004,753,920 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/06/27 04:02:00 | 000,289,024 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2008/04/22 14:44:08 | 000,073,496 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2008/04/14 08:00:00 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/02/15 16:12:06 | 005,854,752 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2008/01/14 23:01:02 | 000,030,208 | ---- | M] (Samsung Electronics,.LTD) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SamsungEDS.SYS -- (DNSeFilter)
DRV - [2007/03/31 16:02:42 | 000,876,384 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2007/03/23 13:50:42 | 000,067,960 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2006/10/30 18:29:28 | 000,019,840 | ---- | M] (Samsung) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SUE_PD.sys -- (SUEPD)
DRV - [2005/10/27 00:18:05 | 000,004,300 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\MEMIO.SYS -- (DOSMEMIO)
DRV - [2003/05/02 21:08:22 | 000,030,208 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Navapel.sys -- (NAVAPEL)
DRV - [2003/05/02 21:08:18 | 000,224,256 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Navap.sys -- (NAVAP)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-3518292144-488959563-767666870-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://us.mc532.mail.yahoo.com/mc/welcome?...d=8nt39d8afg4vo
IE - HKU\S-1-5-21-3518292144-488959563-767666870-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3518292144-488959563-767666870-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://us.mc532.mail.yahoo.com/mc/welcome?.gx=1&.rand=8nt39d8afg4vo"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7
FF - prefs.js..network.proxy.no_proxies_on: "localhost,127.0.0.1"

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/31 12:21:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/06/01 12:44:24 | 000,000,000 | ---D | M]

[2010/05/31 12:21:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eric.SAMIAM\Application Data\Mozilla\Extensions
[2010/06/04 19:48:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eric.SAMIAM\Application Data\Mozilla\Firefox\Profiles\xjyyu047.default\extensions
[2010/06/01 13:03:33 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Eric.SAMIAM\Application Data\Mozilla\Firefox\Profiles\xjyyu047.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/05/31 12:18:56 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/05/30 11:20:38 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (PC Tools Browser Guard BHO) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O3 - HKLM\..\Toolbar: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O3 - HKU\S-1-5-21-3518292144-488959563-767666870-1005\..\Toolbar\WebBrowser: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O4 - HKLM..\Run: [BatteryManager] C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe ()
O4 - HKLM..\Run: [dcmsvc] C:\Program Files\dcmsvc\dcmsvc.exe ()
O4 - HKLM..\Run: [DMHotKey] C:\Program Files\Samsung\Easy Display Manager\DMLoader.exe (SAMSUNG Electronics)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe File not found
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKU\S-1-5-21-3518292144-488959563-767666870-1005..\Run: [Aim] C:\Program Files\AIM\aim.exe (AOL Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Eric.SAMIAM\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3518292144-488959563-767666870-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3518292144-488959563-767666870-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-3518292144-488959563-767666870-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-3518292144-488959563-767666870-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_20.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.1...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/C/0...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.10.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll ()
O24 - Desktop WallPaper: C:\Documents and Settings\Eric.SAMIAM\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Eric.SAMIAM\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/11/11 19:32:14 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/06/05 08:07:37 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/06/04 19:40:16 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/06/04 13:09:01 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Eric.SAMIAM\Desktop\erunt-setup.exe
[2010/06/03 20:42:08 | 000,000,000 | ---D | C] -- D:\My Documents\Downloads
[2010/05/31 12:21:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eric.SAMIAM\Local Settings\Application Data\Mozilla
[2010/05/31 12:21:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eric.SAMIAM\Application Data\Mozilla
[2010/05/31 12:18:51 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010/05/31 12:17:03 | 008,354,440 | ---- | C] (Mozilla) -- C:\Documents and Settings\Eric.SAMIAM\Desktop\Firefox Setup 3.6.3.exe
[2010/05/30 14:51:23 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/05/30 14:50:50 | 000,000,000 | --SD | C] -- C:\Combo-Fix
[2010/05/30 13:23:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/05/30 13:12:00 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/05/30 12:32:40 | 000,571,904 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Eric.SAMIAM\Desktop\OTL.exe
[2010/05/30 11:47:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/05/30 11:46:06 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/05/30 11:46:06 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/05/30 11:46:06 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/05/30 11:46:05 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/05/30 11:46:05 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/05/30 11:01:00 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/05/30 11:01:00 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/05/30 11:01:00 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/05/30 11:01:00 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/05/30 11:00:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/05/30 09:19:23 | 016,295,712 | ---- | C] (Sun Microsystems, Inc.) -- C:\Documents and Settings\Eric.SAMIAM\Desktop\jre-6u20-windows-i586.exe
[2010/05/29 17:46:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eric.SAMIAM\Local Settings\Application Data\Symantec
[2010/05/29 17:45:49 | 000,083,208 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2010/05/29 17:45:49 | 000,073,496 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2010/05/29 17:44:45 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec_Client_Security
[2010/05/29 12:17:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eric.SAMIAM\Local Settings\Application Data\Threat Expert
[2010/05/29 02:12:53 | 000,149,456 | ---- | C] (PC Tools) -- C:\WINDOWS\SGDetectionTool.dll
[2010/05/29 02:12:52 | 001,652,688 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDCore.dll
[2010/05/29 02:12:51 | 000,165,840 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDRes.dll
[2010/05/29 02:12:21 | 000,233,136 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctgntdi.sys
[2010/05/29 02:11:58 | 000,218,592 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTCore.sys
[2010/05/29 02:11:58 | 000,088,040 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTAppEvent.sys
[2010/05/29 02:11:10 | 000,063,360 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctplsg.sys
[2010/05/29 02:09:58 | 000,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor
[2010/05/29 02:09:58 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2010/05/29 02:09:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eric.SAMIAM\Application Data\PC Tools
[2010/05/29 02:09:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2010/05/29 02:09:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/05/28 04:14:57 | 027,469,615 | ---- | C] (20/20 Software Inc.) -- C:\Documents and Settings\Eric.SAMIAM\Desktop\ITC NAV 8.1.exe
[2010/05/28 01:45:30 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/05/28 01:45:22 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/05/28 01:36:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eric.SAMIAM\Local Settings\Application Data\sjtgnnpgc
[2010/05/11 23:03:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eric.SAMIAM\Local Settings\Application Data\AIM
[2010/05/11 23:03:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AIM
[2010/05/11 23:02:51 | 000,000,000 | ---D | C] -- C:\Program Files\AIM
[2010/05/11 23:02:49 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Software Update Utility
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/05 08:09:58 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/05 08:09:56 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/05 08:09:53 | 1063,702,528 | -HS- | M] () -- C:\hiberfil.sys
[2010/06/05 08:09:08 | 004,718,592 | -H-- | M] () -- C:\Documents and Settings\Eric.SAMIAM\NTUSER.DAT
[2010/06/05 08:09:08 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Eric.SAMIAM\ntuser.ini
[2010/06/04 19:40:56 | 000,000,767 | ---- | M] () -- C:\Documents and Settings\Eric.SAMIAM\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/06/04 19:40:22 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Eric.SAMIAM\Desktop\ERUNT.lnk
[2010/06/04 13:21:26 | 000,001,832 | -H-- | M] () -- D:\My Documents\Default.rdp
[2010/06/04 13:08:38 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Eric.SAMIAM\Desktop\erunt-setup.exe
[2010/06/03 20:42:16 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Eric.SAMIAM\Desktop\OTL.exe
[2010/05/31 12:21:38 | 000,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat
[2010/05/31 12:17:02 | 008,354,440 | ---- | M] (Mozilla) -- C:\Documents and Settings\Eric.SAMIAM\Desktop\Firefox Setup 3.6.3.exe
[2010/05/30 23:01:21 | 004,840,452 | -H-- | M] () -- C:\Documents and Settings\Eric.SAMIAM\Local Settings\Application Data\IconCache.db
[2010/05/30 14:13:30 | 000,696,082 | ---- | M] () -- C:\Documents and Settings\Eric.SAMIAM\Desktop\Backdoor_Tidserv!inf detected.mht
[2010/05/30 13:19:33 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/05/30 13:12:30 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/05/30 12:12:06 | 003,700,932 | R--- | M] () -- C:\Documents and Settings\Eric.SAMIAM\Desktop\Combo-Fix.exe
[2010/05/30 11:42:57 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/05/30 11:42:56 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/05/30 11:42:56 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/05/30 11:42:56 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/05/30 11:42:54 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/05/30 11:20:38 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/05/30 01:25:20 | 003,700,645 | R--- | M] () -- C:\Documents and Settings\Eric.SAMIAM\Desktop\Schrauber.exe
[2010/05/30 01:19:00 | 016,295,712 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\Eric.SAMIAM\Desktop\jre-6u20-windows-i586.exe
[2010/05/30 01:10:04 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Eric.SAMIAM\Desktop\t4x2ptzq.exe
[2010/05/29 19:17:05 | 000,000,000 | ---- | M] () -- C:\WINDOWS\VPC32.INI
[2010/05/29 17:42:33 | 000,124,167 | ---- | M] () -- C:\WINDOWS\System32\SYMEVNT.386
[2010/05/29 17:42:33 | 000,083,208 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2010/05/29 17:42:33 | 000,073,496 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2010/05/29 02:11:43 | 000,001,637 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk
[2010/05/28 01:45:34 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/22 12:59:14 | 000,259,072 | ---- | M] () -- D:\My Documents\Accounting.xls
[2010/05/12 21:58:00 | 000,000,507 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/05/12 21:58:00 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/05/12 08:06:30 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/05/11 23:04:01 | 000,001,392 | -H-- | M] () -- C:\IPH.PH
[2010/05/10 00:34:36 | 000,111,616 | ---- | M] () -- C:\Documents and Settings\Eric.SAMIAM\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/04 19:40:56 | 000,000,767 | ---- | C] () -- C:\Documents and Settings\Eric.SAMIAM\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/06/04 19:40:22 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Eric.SAMIAM\Desktop\ERUNT.lnk
[2010/05/31 12:21:38 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/05/30 15:22:41 | 1063,702,528 | -HS- | C] () -- C:\hiberfil.sys
[2010/05/30 14:14:49 | 000,696,082 | ---- | C] () -- C:\Documents and Settings\Eric.SAMIAM\Desktop\Backdoor_Tidserv!inf detected.mht
[2010/05/30 13:12:30 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/05/30 13:12:01 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/05/30 12:32:40 | 003,700,932 | R--- | C] () -- C:\Documents and Settings\Eric.SAMIAM\Desktop\Combo-Fix.exe
[2010/05/30 11:01:00 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/05/30 11:01:00 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/05/30 11:01:00 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/05/30 11:01:00 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/05/30 11:01:00 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/05/30 09:19:26 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Eric.SAMIAM\Desktop\t4x2ptzq.exe
[2010/05/30 09:19:25 | 003,700,645 | R--- | C] () -- C:\Documents and Settings\Eric.SAMIAM\Desktop\Schrauber.exe
[2010/05/29 19:17:05 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2010/05/29 17:45:49 | 000,124,167 | ---- | C] () -- C:\WINDOWS\System32\SYMEVNT.386
[2010/05/29 02:12:55 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll
[2010/05/29 02:12:53 | 000,000,882 | ---- | C] () -- C:\WINDOWS\RegSDImport.xml
[2010/05/29 02:12:53 | 000,000,879 | ---- | C] () -- C:\WINDOWS\RegISSImport.xml
[2010/05/29 02:12:52 | 001,152,444 | ---- | C] () -- C:\WINDOWS\UDB.zip
[2010/05/29 02:12:52 | 000,000,131 | ---- | C] () -- C:\WINDOWS\IDB.zip
[2010/05/29 02:12:21 | 000,007,387 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctgntdi.cat
[2010/05/29 02:11:58 | 000,007,412 | ---- | C] () -- C:\WINDOWS\System32\drivers\PCTAppEvent.cat
[2010/05/29 02:11:58 | 000,007,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctcore.cat
[2010/05/29 02:11:43 | 000,001,637 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk
[2010/05/29 02:11:10 | 000,007,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctplsg.cat
[2010/05/28 01:45:34 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/26 22:58:45 | 000,000,398 | ---- | C] () -- C:\WINDOWS\AudioConverter.INI
[2010/03/26 21:00:13 | 000,003,019 | ---- | C] () -- C:\WINDOWS\EaseAudioConverter.ini
[2010/03/26 21:00:13 | 000,000,032 | ---- | C] () -- C:\WINDOWS\aceg.ini
[2009/03/28 15:25:00 | 000,000,135 | R--- | C] () -- C:\WINDOWS\System32\lngEng.ini
[2009/03/28 15:25:00 | 000,000,117 | ---- | C] () -- C:\WINDOWS\System32\lngKor.ini
[2009/02/14 00:09:20 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/02/12 09:18:33 | 000,001,520 | ---- | C] () -- C:\WINDOWS\System32\Eric_KBD.ini
[2009/01/05 14:35:19 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/11/11 19:44:21 | 000,001,522 | ---- | C] () -- C:\WINDOWS\System32\MagicKBD.INI
[2008/11/11 19:44:21 | 000,001,520 | ---- | C] () -- C:\WINDOWS\System32\Owner_KBD.ini
[2008/11/11 19:44:18 | 000,003,425 | ---- | C] () -- C:\WINDOWS\System32\KBDR.INI
[2008/11/11 19:44:18 | 000,002,741 | ---- | C] () -- C:\WINDOWS\System32\KBDD.INI
[2008/11/11 19:44:18 | 000,002,699 | ---- | C] () -- C:\WINDOWS\System32\KBDO.INI
[2008/11/11 19:44:18 | 000,002,699 | ---- | C] () -- C:\WINDOWS\System32\KBDC.INI
[2008/11/11 19:44:18 | 000,002,606 | ---- | C] () -- C:\WINDOWS\System32\KBDB.INI
[2008/11/11 19:44:18 | 000,002,236 | ---- | C] () -- C:\WINDOWS\System32\KBDQ.INI
[2008/11/11 19:44:18 | 000,001,956 | ---- | C] () -- C:\WINDOWS\System32\KBDE.INI
[2008/11/11 19:44:18 | 000,001,885 | ---- | C] () -- C:\WINDOWS\System32\KBDP.INI
[2008/11/11 19:44:18 | 000,001,857 | ---- | C] () -- C:\WINDOWS\System32\KBDUU.INI
[2008/11/11 19:44:18 | 000,001,835 | ---- | C] () -- C:\WINDOWS\System32\KBDG.INI
[2008/11/11 19:44:18 | 000,001,835 | ---- | C] () -- C:\WINDOWS\System32\KBDA.INI
[2008/11/11 19:44:18 | 000,001,834 | ---- | C] () -- C:\WINDOWS\System32\KBDU.INI
[2008/11/11 19:44:18 | 000,001,819 | ---- | C] () -- C:\WINDOWS\System32\KBDN.INI
[2008/11/11 19:44:18 | 000,001,699 | ---- | C] () -- C:\WINDOWS\System32\KBDT.INI
[2008/11/11 19:44:18 | 000,001,697 | ---- | C] () -- C:\WINDOWS\System32\KBDV.INI
[2008/11/11 19:44:18 | 000,001,522 | ---- | C] () -- C:\WINDOWS\System32\KBDS.INI
[2008/11/11 19:44:18 | 000,001,476 | ---- | C] () -- C:\WINDOWS\System32\KBDF.INI
[2008/11/11 19:38:50 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2008/11/11 19:36:16 | 000,004,300 | ---- | C] () -- C:\WINDOWS\System32\MEMIO.SYS
[2008/11/11 18:12:32 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2008/11/06 12:37:32 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/11/06 12:34:00 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2007/04/01 10:00:28 | 002,842,624 | ---- | C] () -- C:\WINDOWS\System32\btwicons.dll
[2007/04/01 09:41:52 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll
[2005/02/17 13:41:32 | 000,000,603 | ---- | C] () -- C:\WINDOWS\System32\BTNeighborhood.dll.manifest
[2005/02/17 13:41:30 | 000,000,593 | ---- | C] () -- C:\WINDOWS\System32\btcss.dll.manifest
[2003/05/21 01:19:00 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\NavLogon.dll
[2001/11/14 14:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >
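
As an added example (not part of OTL, of BleepingComputer's tooling, or of the log above), the Python script below parses lines in the OTL format posted in this thread and flags what a malware-response helper reads such a log for first: binaries with an empty company field, autostart or service entries whose file is missing, and randomly named profile folders such as the sjtgnnpgc one above. The regular expressions are written against the line shapes visible in this log and are an assumption about OTL's output format in general; the sample lines are an excerpt copied from the log.

```python
"""Triage helper for OTL scan logs like the one posted above.

Added example for this thread; it is not part of OTL or of any BleepingComputer
tooling. It parses the bracketed metadata OTL prints for processes, services,
drivers, autostart entries and recently created folders, and flags what a
malware-response helper reads such a log for first:
  * "review":     a binary with an empty company field "()" (often a legit OEM
                  tool, as the Samsung entries above show, but worth a look)
  * "orphan":     an entry whose file is "File not found" (cleanup candidate)
  * "suspicious": a randomly named folder under the user profile, the kind a
                  dropper creates (the sjtgnnpgc folder in the log above)
"""
import re
from typing import Dict, List

# PRC/MOD/SRV/DRV - [date | size | attrs | M] (Company) [state] -- path -- (service)
META_RE = re.compile(
    r"^(?P<kind>PRC|MOD|SRV|DRV) - \[[^\]]*\] \((?P<company>[^)]*)\)"
    r"(?: \[[^\]]*\])? -- (?P<path>.+?)(?: -- \((?P<svc>[^)]*)\).*)?$"
)
# SRV - File not found [Auto | Stopped] -- -- (ServiceName)
ORPHAN_RE = re.compile(r"^(?P<kind>PRC|SRV|DRV) - File not found.*\((?P<svc>[^)]*)\)$")
# O4 - HKLM..\Run: [name] path (Company)    or    ... path File not found
O4_RE = re.compile(
    r"^O4 - (?P<where>.+?): (?:\[(?P<name>[^\]]+)\] )?(?P<path>[A-Za-z]:\\.+?)"
    r"(?: \((?P<company>[^)]*)\)| (?P<missing>File not found))$"
)
# [date | size | attrs | C] (Company) -- path     (attrs contain D for a directory)
FILE_RE = re.compile(
    r"^\[[^|]+\|[^|]*\|(?P<attr>[^|]+)\|[^\]]*\](?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)
VOWELS = set("aeiouy")


def looks_random(name: str) -> bool:
    """Heuristic for machine-generated names such as 'sjtgnnpgc': one alphabetic
    token of 7+ letters with almost no vowels. Short system names pass."""
    token = name.lower()
    if not (token.isalpha() and len(token) >= 7):
        return False
    return sum(c in VOWELS for c in token) / len(token) < 0.2


def triage(log_text: str) -> List[Dict[str, str]]:
    """Scan an OTL log and return one finding per line that needs attention."""
    findings: List[Dict[str, str]] = []

    def add(level: str, kind: str, item: str, detail: str) -> None:
        findings.append({"level": level, "kind": kind, "item": item, "detail": detail})

    for raw in log_text.splitlines():
        line = raw.strip()
        m = ORPHAN_RE.match(line)
        if m:
            add("orphan", m["kind"], m["svc"], "service/driver entry points at a missing file")
            continue
        m = META_RE.match(line)
        if m:
            if not m["company"].strip():
                add("review", m["kind"], m["path"], "binary has no company name in its version info")
            continue
        m = O4_RE.match(line)
        if m:
            if m["missing"]:
                add("orphan", "O4", m["path"], "autostart entry points at a missing file")
            elif not (m["company"] or "").strip():
                add("review", "O4", m["path"], "autostart binary has no company name")
            continue
        m = FILE_RE.match(line)
        # Only directories ("D" in the attribute column) under a user profile are
        # checked; short or system-root names such as C:\cmdcons are left alone.
        if m and "D" in m["attr"] and "Documents and Settings" in m["path"]:
            leaf = m["path"].rstrip("\\").rsplit("\\", 1)[-1]
            if looks_random(leaf):
                add("suspicious", "DIR", m["path"], "randomly named folder under the user profile")
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per level so a glance shows what needs attention."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["level"]] = counts.get(f["level"], 0) + 1
    return counts


# Constructed excerpt: sample lines copied from the OTL log posted above.
SAMPLE_LOG = r"""
PRC - [2010/06/03 20:42:16 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Eric.SAMIAM\Desktop\OTL.exe
PRC - [2009/04/07 13:53:32 | 000,030,440 | ---- | M] () -- C:\Program Files\dcmsvc\dcmsvc.exe
SRV - File not found [Auto | Stopped] -- -- (PEVSystemStart)
SRV - [2006/10/30 18:29:28 | 000,036,864 | ---- | M] () [Auto | Running] -- C:\Program Files\samsung\Samsung Network Manager\SNMWLANService.exe -- (SNM WLAN Service)
DRV - [2005/10/27 00:18:05 | 000,004,300 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\MEMIO.SYS -- (DOSMEMIO)
DRV - [2008/08/26 19:35:00 | 004,753,920 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
O4 - HKLM..\Run: [dcmsvc] C:\Program Files\dcmsvc\dcmsvc.exe ()
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe File not found
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
[2010/05/31 12:21:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eric.SAMIAM\Application Data\Mozilla
[2010/05/30 13:12:00 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/05/28 01:36:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eric.SAMIAM\Local Settings\Application Data\sjtgnnpgc
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f['level']:<10}] {f['kind']:<4} {f['item']}  <- {f['detail']}")
    print(summarize(results))
```

An empty company field is not proof of malware (the Samsung and MEMIO.SYS entries are OEM software), which is why it is reported as "review" rather than "suspicious"; the randomly named folder is the one item here that should be looked at closely.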


#7 etavares
Bleepin' Remover, Malware Response Team, 15,514 posts, Gender: Male

Posted 05 June 2010 - 09:49 AM

Hello, eal5b.
Ok, let's get a second opinion.

First, please go to Start --> Control Panel --> Add/Remove Programs and remove any version of Java other than Java 1.6 Update 20. The earlier versions have known security holes. Until recently, Java updates never uninstalled the old version, so we have to do it manually.

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#8 eal5b (Topic Starter)
Members, 6 posts

Posted 06 June 2010 - 06:57 PM

ESET scan results:


C:\Documents and Settings\Eric.SAMIAM\Local Settings\temp\Av-test.txt Eicar test file cleaned by deleting - quarantined


#9 etavares
Bleepin' Remover, Malware Response Team, 15,514 posts, Gender: Male

Posted 06 June 2010 - 07:07 PM

Hello, eal5b.

OK, it only found a legit virus test file. It confirmed what I had thought. You're clean. Nice work! There wasn't anything left for me to do.

Step 1

Next, we need to remove the other tools we have used.
  • Please download OTC by OldTimer and save it to your desktop
  • Double-click the icon to start the program.
  • Then, click the big button.
  • You will get a prompt saying Begin Cleanup Process. Click Yes.
  • Restart your computer when prompted.
Optional Items

Please take the time to read below to secure your machine and take the necessary steps to keep it that way.


System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware

Protect yourself from malicious sites
Please download HostsMan. It safeguards you with a regularly updated Hosts file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installation and setting up, follow these steps:
  1. Double-click the Downloaded installer and install the tool to a location of your choice
  2. Via the Startmenu, navigate to HostsMan and run the program.
    1. Click "Hosts" in the menu
    2. Click "Manage Updates" in the submenu
    3. Out of the three, select at least one (I have MVPS Hosts as my main one)
    4. Click "Add Update." After that you will only need to click on the following button to retrieve updates:
  3. Click the X to exit the program.
  4. Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
Keep Windows Up to Date
It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Update your AntiVirus Software

It is imperative that you update your antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program, you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Use a Firewall

I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls

Install an AntiSpyware Program

A highly recommended AntiSpyware program is Malwarebytes Anti-Malware. You can download the free version.

Installing this program will provide spyware and hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis, just as you would with antivirus software.

Update all these programs regularly
Make sure you update all your programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Good luck!

etavares

PS: I'm not sure if I answered this already, but the GMER log was clean. Those are legitimate system drivers.



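The Hosts-file blocking that HostsMan manages (described in the post above) is only explained in words there, so here is an added illustration of my own, not HostsMan's or the poster's code: a small parser over a constructed sample hosts file that reports whether a host is sinkholed to an unroutable address, and which custom entries a blocklist update would overwrite (the caveat in step 4). The domain names and addresses in the sample are placeholders.

```python
"""Added example: how a blocklist-style hosts file works (not HostsMan's code).

A blocklist hosts file pins known-bad hostnames to a sinkhole address
(0.0.0.0 or 127.0.0.1) so the browser never reaches the real site.
"""
from __future__ import annotations

SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}

# Constructed sample file: placeholder names, not a real blocklist.
SAMPLE_HOSTS = """\
# Sample blocklist (constructed for illustration)
127.0.0.1   localhost
0.0.0.0     bad-example.invalid
0.0.0.0     tracker-example.invalid  # trailing comment
192.168.1.10  intranet.example   # a user's own entry, not a block
"""


def parse_hosts(text: str) -> dict[str, str]:
    """Map each hostname (lower-cased) to its address; comments and blanks skipped."""
    mapping: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                          # malformed line: ignore it
        address, *names = parts
        for name in names:
            # keep the first entry if a hostname repeats (hosts files are read top-down)
            mapping.setdefault(name.lower(), address)
    return mapping


def is_blocked(mapping: dict[str, str], hostname: str) -> bool:
    """True when the hostname is pinned to a sinkhole address (localhost excluded)."""
    host = hostname.lower().rstrip(".")
    return host != "localhost" and mapping.get(host) in SINKHOLE_ADDRESSES


def custom_entries(mapping: dict[str, str]) -> dict[str, str]:
    """Non-block entries (other than localhost): a fresh blocklist download
    replaces the whole file, so these are the lines the user must re-add."""
    return {h: a for h, a in mapping.items()
            if a not in SINKHOLE_ADDRESSES and h != "localhost"}
```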

#10 eal5b

eal5b
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:29 AM

Posted 07 June 2010 - 07:38 AM

Ran the cleanup, so glad to have the computer back. Thanks etavares!

#11 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:29 AM

Posted 14 June 2010 - 04:27 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you are the topic starter, and need this topic reopened, please contact me via PM with the address of this thread.

Everyone else please begin a new topic.






