Infected with AV Security Suite


  • This topic is locked
52 replies to this topic

#1 jenissolost

jenissolost

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:10:36 PM

Posted 10 June 2010 - 03:55 AM

I'm running Windows XP with service pack 3 on a Dell Precision/M70 laptop on a wireless network. I went through your instructions to remove AV Security Suite using Malwarebytes' anti-malware software. It detected 37 infected items which I removed per your instructions. All of this was done while my computer ran in safe mode. I restarted my computer when it was done in normal mode and the AV Security Suite is there again. I re-ran the malware software and no infected items were found this time. I'm attaching the DDS and GMER as per your request and also attaching the logs from the removal of the infected items. Please help as I don't know what else to do to get this off my computer.


DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Administrator at 0:30:34.73 on Thu 06/10/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1709 [GMT -7:00]

AV: Webroot Internet Security Essentials *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
FW: Webroot Internet Security Essentials *disabled* {63671000-11A2-46DD-BADD-A084CABCDEAE}

============== Running Processes ===============

D:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
D:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uDefault_Page_URL = hxxp://www.msn.com
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZCxdm869YYUS&fl=0&ptb=3mzWhy5GDQi2bD2N1UqnEA&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}
uInternet Settings,ProxyServer = http=127.0.0.1:1034
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - d:\program files\ask.com\GenericAskToolbar.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - d:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - d:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - d:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - d:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - d:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - d:\program files\windows live\toolbar\wltcore.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - d:\program files\ask.com\GenericAskToolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [MsnMsgr] "d:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [EPSON Stylus NX400 Series] "d:\windows\system32\spool\drivers\w32x86\3\e_fatiega.exe" /fu "d:\windows\temp\E_SD3.tmp" /EF "HKCU"
uRun: [ctfmon.exe] d:\windows\system32\ctfmon.exe
uRun: [cdloader] "d:\documents and settings\administrator\application data\mjusbsp\cdloader2.exe" MAGICJACK
mRun: [NvCplDaemon] "d:\windows\system32\rundll32.exe" d:\windows\system32\NvCpl.dll,NvStartup
mRun: [wkpqggfphafkl] "d:\documents and settings\administrator\local settings\application data\oprsbyd\rchjuvm.exe"
mRun: [UIUCU] "d:\docume~1\admini~1\locals~1\temp\UIUCU.EXE" -CLEAN_UP -S
mRun: [SunJavaUpdateSched] "d:\program files\java\jre6\bin\jusched.exe"
mRun: [nwiz] "d:\windows\system32\nwiz.exe" /installquiet
mRun: [NvMediaCenter] "d:\windows\system32\RunDLL32.exe" NvMCTray.dll,NvTaskbarInit
mRun: [NVHotkey] "d:\windows\system32\rundll32.exe" nvHotkey.dll,Start
mRun: [MMTray] "d:\progra~1\musicm~1\musicm~1\mm_tray.exe"
mRun: [ISLP2STA.EXE] ISLP2STA.EXE START
mRun: [Dell QuickSet] "d:\program files\dell\quickset\QuickSet.exe"
mRun: [Adobe Reader Speed Launcher] "d:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SpySweeper] "d:\program files\webroot\spy sweeper\SpySweeperUI.exe" /startintray
StartupFolder: d:\docume~1\admini~1\startm~1\programs\startup\openof~1.lnk - d:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\loadou~1.lnk - d:\program files\belkin\nostromo\nost_LM.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - d:\program files\windows live\writer\WriterBrowserExtension.dll
Trusted Zone: magicjack.com\my
Trusted Zone: talk4free.com\reg
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxps://support.dell.com/systemprofiler/SysPro.CAB
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {9BA9AE56-8DFC-4994-AEA9-68BEAD35A6FA} - hxxp://www.mywebtattoo.com/_downloads/cab/v2/MyWebTattoo.cab
DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} - hxxp://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab
DPF: {A4110378-789B-455F-AE86-3A1BFC402853} - hxxp://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://games.pogo.com/online2/pogo/zuma/popcaploader_v5.cab
DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
TCP: {79A28DDD-50FE-43AC-8E33-5A525A085128} = 67.90.152.122
LSA: Notification Packages = scecli scecli

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\2ttlwrgi.default\
FF - prefs.js: browser.search.selectedengine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: keyword.url - hxxp://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=WBR&o=13993&locale=en_US&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 1034
FF - prefs.js: network.proxy.type - 1
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - d:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;d:\windows\system32\drivers\ssfs0bbc.sys [2008-12-7 29808]
R1 pwipf6;pwipf6;d:\windows\system32\drivers\pwipf6.sys [2009-3-22 108880]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;d:\program files\webroot\spy sweeper\SpySweeper.exe [2009-11-6 4048240]
R2 WRConsumerService;Webroot Client Service;d:\program files\webroot\spy sweeper\WRConsumerService.exe [2009-2-1 1201640]
S3 bcgame;Nostromo HID Device Minidriver;d:\windows\system32\drivers\bcgame.sys [2003-7-23 22821]
S3 GTIPCI21;GTIPCI21;d:\windows\system32\drivers\gtipci21.sys [2008-12-29 88192]
S3 ISLP2;Intersil 802.11 Wireless LAN Driver;d:\windows\system32\drivers\islp2nds.sys [2002-10-3 611840]
S3 NdisWDM;Dynex Enhanced Wireless G USB Network Adapter Service;d:\windows\system32\drivers\ndiswdm.sys --> d:\windows\system32\drivers\ndiswdm.sys [?]

=============== Created Last 30 ================

2010-06-10 05:54:59 0 d-----w- d:\docume~1\admini~1\applic~1\Malwarebytes
2010-06-10 05:54:34 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2010-06-10 05:54:33 20952 ----a-w- d:\windows\system32\drivers\mbam.sys
2010-06-10 05:54:33 0 d-----w- d:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-10 05:54:32 0 d-----w- d:\program files\Malwarebytes' Anti-Malware
2010-06-10 03:57:17 0 d-----w- d:\windows\pss

==================== Find3M ====================

2010-06-09 23:53:35 36171 ----a-w- d:\windows\system32\nvModes.dat
2005-09-30 11:35:41 2516480 ----a-w- d:\program files\Driver Detective.msi
2005-09-30 11:35:37 6129 ----a-w- d:\program files\0x0409.ini
2005-09-30 11:35:37 283607 ----a-w- d:\program files\setup.isn
2005-09-30 11:35:37 2389 ----a-w- d:\program files\Setup.INI
2005-01-21 00:53:22 45056 ------r- d:\program files\SetAttrib.exe
2009-11-22 23:32:20 245760 --sha-w- d:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 0:31:01.28 ===============

Here is the last log showing 0 infected items from when I ran the anti-malware software:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4185

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

6/10/2010 12:07:29 AM
mbam-log-2010-06-10 (00-07-29).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 153775
Time elapsed: 23 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

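The DDS log in the post above, and the OTL log later in the thread, contain the three things a helper looks for first with this family of rogue: a browser proxy pointed at the loopback address (`127.0.0.1:1034` in both the IE and Firefox settings), a Run entry that launches a randomly named executable from under the user's profile (`wkpqggfphafkl` -> `...\oprsbyd\rchjuvm.exe`), and BHO entries whose DLL no longer exists. The script below is an added example, not part of this thread or of the DDS/OTL tools; it triages the exact line formats those two tools emit. The sample input is copied from the logs on this page, and the severity levels and the vowel-ratio "looks random" heuristic are this example's own choices.

```python
"""Triage DDS / OTL startup-log lines for the indicators shown in the thread:
a loopback HTTP proxy, a random-named autorun under the user's profile, an
autorun launched from Temp, and browser helper objects with no backing DLL.

Added example, not part of the forum post or of the DDS/OTL tools.
Thresholds and the randomness heuristic are this example's own assumptions.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: lines copied from the DDS and OTL logs in the thread.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:1034
uInternet Settings,ProxyOverride = <local>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - d:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
mRun: [NvCplDaemon] "d:\windows\system32\rundll32.exe" d:\windows\system32\NvCpl.dll,NvStartup
mRun: [wkpqggfphafkl] "d:\documents and settings\administrator\local settings\application data\oprsbyd\rchjuvm.exe"
mRun: [UIUCU] "d:\docume~1\admini~1\locals~1\temp\UIUCU.EXE" -CLEAN_UP -S
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 1034
FF - prefs.js: network.proxy.type - 1
O4 - HKLM..\Run: [wkpqggfphafkl] d:\documents and settings\administrator\local settings\application data\oprsbyd\rchjuvm.exe ()
IE - HKU\S-1-5-21-507921405-1123561945-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-507921405-1123561945-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:1034
"""


@dataclass
class Finding:
    severity: str  # "high" | "medium" | "low" (this example's own scale)
    indicator: str
    detail: str
    line: str


# A loopback proxy address, optionally with its port (DDS and OTL print it inline for IE;
# Firefox prefs split host and port across two lines, so the port may be absent).
PROXY_RE = re.compile(r"127\.0\.0\.1(?::(\d{1,5}))?")
# DDS "mRun:/uRun:" and OTL "O4 - HKLM..\Run:" autorun lines, capturing the value name and exe path.
AUTORUN_RE = re.compile(r'^(?:[mu]Run|O4 - .*?\\Run): \[(?P<name>[^\]]+)\] "?(?P<path>[^"]+?\.exe)', re.I)
# DDS "BHO: {clsid} - No File" and OTL "O2 - BHO: (no name) - {clsid} - No CLSID value found."
ORPHAN_BHO_RE = re.compile(r"^(?:BHO: |O2 - BHO: ).*(?:No File|No CLSID value found)", re.I)
CLSID_RE = re.compile(r"\{[0-9A-F-]+\}", re.I)
PROFILE_MARKERS = ("\\documents and settings\\", "\\docume~1\\", "\\users\\")


def looks_random(token: str) -> bool:
    """Heuristic (assumption): a name of 6+ letters with under 25% vowels reads as machine-generated."""
    letters = [c for c in token.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    return sum(c in "aeiou" for c in letters) / len(letters) < 0.25


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()
        # 1. Any proxy setting that points at the local machine.
        if "proxy" in low and (m := PROXY_RE.search(line)):
            detail = "127.0.0.1" + (f":{m.group(1)}" if m.group(1) else "")
            findings.append(Finding("high", "loopback proxy", detail, line))
            continue
        # 2. Autorun entries: launched from Temp, or random-named under the user's profile.
        if m := AUTORUN_RE.match(line):
            name, path = m.group("name"), m.group("path")
            plow = path.lower()
            exe_stem = plow.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if "\\temp\\" in plow:
                findings.append(Finding("medium", "autorun from Temp", path, line))
            elif any(mk in plow for mk in PROFILE_MARKERS) and (looks_random(name) or looks_random(exe_stem)):
                findings.append(Finding("high", "random-named autorun", path, line))
            continue
        # 3. Browser helper objects whose DLL is gone (leftovers after a partial removal).
        if ORPHAN_BHO_RE.match(line):
            clsid = CLSID_RE.search(line)
            findings.append(Finding("low", "orphaned BHO", clsid.group(0) if clsid else line, line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'high': 5, 'medium': 1, 'low': 1} for SAMPLE_LOG."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.indicator}: {f.detail}")
    print(summarize(triage(SAMPLE_LOG)))
```

Two things worth noting when reading the output. The OTL log later in the thread shows `ProxyEnable = 0` for the user hive while `ProxyServer` is still `http=127.0.0.1:1034`, and Firefox still has `network.proxy.type` set to 1; the script deliberately reports the proxy value regardless of the enable flag, because the leftover setting is a cleanup item either way and the Firefox side is still active. The vowel-ratio heuristic is crude by design: it catches `wkpqggfphafkl` and `rchjuvm` but would also pass an odd-looking legitimate item if its name has normal vowel density, so every "high" finding is a candidate for the helper to research, not a verdict.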

#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:08:36 AM

Posted 15 June 2010 - 05:38 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#3 jenissolost

jenissolost
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:10:36 PM

Posted 19 June 2010 - 12:44 PM

OTL logfile created on: 6/19/2010 10:38:42 AM - Run 1
OTL by OldTimer - Version 3.2.6.0 Folder = D:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 86.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 97.00% Paging File free
Paging file location(s): D:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Program Files
Drive C: | 7.78 Mb Total Space | 7.48 Mb Free Space | 96.11% Space Free | Partition Type: FAT
Drive D: | 93.15 Gb Total Space | 81.92 Gb Free Space | 87.94% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DAD-C9D2CC3BCAD
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/06/19 10:38:08 | 000,572,416 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2010/02/02 09:27:06 | 001,201,640 | ---- | M] (Webroot Software, Inc. ) -- D:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
PRC - [2009/11/06 13:00:22 | 004,048,240 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/06/19 10:38:08 | 000,572,416 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [1999/03/29 03:34:06 | 000,106,768 | ---- | M] (Microsoft Corporation) -- D:\Program Files\X-Setup\bin\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/05/14 11:00:26 | 000,249,136 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- D:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2010/02/02 09:27:06 | 001,201,640 | ---- | M] (Webroot Software, Inc. ) [Auto | Running] -- D:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe -- (WRConsumerService)
SRV - [2009/11/06 13:00:22 | 004,048,240 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Auto | Running] -- D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe -- (WebrootSpySweeperService)
SRV - [2007/02/20 13:24:34 | 000,475,136 | ---- | M] (Dell Inc.) [Auto | Stopped] -- D:\Program Files\Dell\QuickSet\NicConfigSvc.exe -- (NICCONFIGSVC)


========== Driver Services (SafeList) ==========

DRV - [2010/02/02 09:24:45 | 000,108,880 | ---- | M] (Privacyware/PWI, Inc.) [Kernel | System | Running] -- D:\WINDOWS\system32\drivers\pwipf6.sys -- (pwipf6)
DRV - [2009/11/06 13:00:36 | 000,176,752 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Kernel | Boot | Running] -- D:\WINDOWS\SYSTEM32\Drivers\SSIDRV.SYS -- (SSIDRV)
DRV - [2009/11/06 13:00:36 | 000,023,152 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Kernel | Boot | Running] -- D:\WINDOWS\SYSTEM32\Drivers\SSHRMD.SYS -- (SSHRMD)
DRV - [2009/11/06 13:00:34 | 000,029,808 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Kernel | Boot | Running] -- D:\WINDOWS\system32\DRIVERS\ssfs0bbc.sys -- (ssfs0bbc)
DRV - [2008/04/13 11:56:49 | 000,012,800 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\usb8023.sys -- (USB_RNDIS)
DRV - [2008/04/13 11:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2007/10/01 16:24:36 | 000,023,864 | ---- | M] (Webroot Software Inc (www.webroot.com)) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\sskbfd.sys -- (SSKBFD)
DRV - [2007/03/16 19:10:56 | 000,604,928 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2006/09/14 17:55:00 | 000,088,192 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\gtipci21.sys -- (GTIPCI21)
DRV - [2006/03/23 00:32:00 | 003,656,352 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2005/08/12 17:50:46 | 000,016,128 | ---- | M] (Dell Inc) [Kernel | System | Stopped] -- D:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV)
DRV - [2005/03/10 17:56:06 | 000,273,168 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\STAC97.sys -- (STAC97)
DRV - [2004/08/23 15:49:30 | 000,121,472 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2003/07/23 12:16:48 | 000,022,821 | ---- | M] (Belkin Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\bcgame.sys -- (bcgame)
DRV - [2002/10/03 19:07:00 | 000,611,840 | ---- | M] (Intersil Americas Inc.) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\islp2nds.sys -- (ISLP2)
DRV - [2002/04/11 20:21:38 | 000,013,335 | ---- | M] (Microsystems Corp) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\usbcm.sys -- (usbcm)
DRV - [2001/08/22 08:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Stopped] -- D:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)
DRV - [2001/08/17 13:10:28 | 000,035,913 | ---- | M] (SMC) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-507921405-1123561945-1801674531-500\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
IE - HKU\S-1-5-21-507921405-1123561945-1801674531-500\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = www.live.com [binary data]
IE - HKU\S-1-5-21-507921405-1123561945-1801674531-500\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
IE - HKU\S-1-5-21-507921405-1123561945-1801674531-500\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-507921405-1123561945-1801674531-500\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = My Web Search
IE - HKU\S-1-5-21-507921405-1123561945-1801674531-500\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultUrl = http://www.mywebsearch.com/jsp/cfg_redir2....r={searchTerms}
IE - HKU\S-1-5-21-507921405-1123561945-1801674531-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-507921405-1123561945-1801674531-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-507921405-1123561945-1801674531-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 94 A7 0E DB D5 0F CB 01 [binary data]
IE - HKU\S-1-5-21-507921405-1123561945-1801674531-500\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-507921405-1123561945-1801674531-500\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - D:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
IE - HKU\S-1-5-21-507921405-1123561945-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-507921405-1123561945-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-507921405-1123561945-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:1034

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedengine: "Ask.com"
FF - prefs.js..browser.search.usedbfororder: true
FF - prefs.js..browser.startup.homepage: "http://www.msn.com/"
FF - prefs.js..keyword.url: "http://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=WBR&o=13993&locale=en_US&q="
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 1034
FF - prefs.js..network.proxy.type: 1

FF - HKLM\software\mozilla\Firefox\extensions\\{27182e60-b5f3-411c-b545-b44205977502}: D:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\ [2010/06/10 16:13:31 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Components: D:\Program Files\Mozilla Firefox\components [2009/04/28 07:24:28 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Plugins: D:\Program Files\Mozilla Firefox\plugins [2009/08/24 17:58:58 | 000,000,000 | ---D | M]

[2009/03/25 10:50:01 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2009/07/23 11:55:55 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2ttlwrgi.default\extensions
[2009/07/23 11:55:55 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2ttlwrgi.default\extensions\ChoiceGuard@Microsoft
[2010/02/12 12:01:12 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2ttlwrgi.default\extensions\toolbar@ask.com
[2010/02/04 17:45:40 | 000,002,254 | ---- | M] () -- D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2ttlwrgi.default\searchplugins\askcom.xml
[2009/06/22 18:56:13 | 000,000,000 | ---D | M] -- D:\Program Files\Mozilla Firefox\extensions
[2009/05/04 17:58:24 | 000,002,236 | ---- | M] () -- D:\Program Files\Mozilla Firefox\searchplugins\askcom.xml

O1 HOSTS File: ([2005/09/30 01:12:48 | 000,000,734 | ---- | M]) - D:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - D:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - D:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - D:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - D:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - D:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKU\S-1-5-21-507921405-1123561945-1801674531-500\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - D:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-507921405-1123561945-1801674531-500\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - D:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O4 - HKLM..\Run: [Dell QuickSet] D:\Program Files\Dell\QuickSet\QuickSet.exe (Dell Inc)
O4 - HKLM..\Run: [ISLP2STA.EXE] File not found
O4 - HKLM..\Run: [MMTray] D:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe (Musicmatch, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] D:\WINDOWS\system32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NVHotkey] D:\WINDOWS\System32\nvhotkey.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] D:\WINDOWS\System32\nvmctray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] D:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [SpySweeper] D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe (Webroot Software, Inc.)
O4 - HKLM..\Run: [UIUCU] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\UIUCU.EXE File not found
O4 - HKLM..\Run: [wkpqggfphafkl] d:\documents and settings\administrator\local settings\application data\oprsbyd\rchjuvm.exe ()
O4 - HKU\S-1-5-21-507921405-1123561945-1801674531-500..\Run: [cdloader] D:\Documents and Settings\Administrator\Application Data\mjusbsp\cdloader2.exe (magicJack L.P.)
O4 - HKU\S-1-5-21-507921405-1123561945-1801674531-500..\Run: [EPSON Stylus NX400 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEGA.EXE (SEIKO EPSON CORPORATION)
O4 - Startup: D:\Documents and Settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk = D:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O4 - Startup: D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Loadout Manager.lnk = D:\Program Files\Belkin\Nostromo\nost_LM.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-507921405-1123561945-1801674531-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O15 - HKU\S-1-5-21-507921405-1123561945-1801674531-500\..Trusted Domains: //@install.mar@ ([]msni in My Computer)
O15 - HKU\S-1-5-21-507921405-1123561945-1801674531-500\..Trusted Domains: //@mail.mar@ ([]msni in Local intranet)
O15 - HKU\S-1-5-21-507921405-1123561945-1801674531-500\..Trusted Domains: magicjack.com ([my] * in Trusted sites)
O15 - HKU\S-1-5-21-507921405-1123561945-1801674531-500\..Trusted Domains: talk4free.com ([reg] * in Trusted sites)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} https://support.dell.com/systemprofiler/SysPro.CAB (SysProWmi Class)
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} http://www.pogo.com/cdl/launcher/PogoWebLa...erInstaller.CAB (PogoWebLauncher Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {9BA9AE56-8DFC-4994-AEA9-68BEAD35A6FA} http://www.mywebtattoo.com/_downloads/cab/v2/MyWebTattoo.cab (Reg Error: Key error.)
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} http://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab (MSN Games Texas Holdem Poker)
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab (ZPA_SHVL Object)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn.com/binFramework/v10/...rk.cab56649.cab (MSN Games - Installer)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://games.pogo.com/online2/pogo/zuma/popcaploader_v5.cab (Reg Error: Key error.)
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} http://zone.msn.com/bingame/zpagames/ZPA_B...on.cab64162.cab (MSN Games Backgammon)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - D:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - D:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: D:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: D:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O30 - LSA: Authentication Packages - (OWS\S) - File not found
O30 - LSA: Security Packages - (Lsa) - File not found
O30 - LSA: Security Packages - (ity Packages settings...) - File not found
O30 - LSA: Security Packages - (or) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/12/20 06:31:44 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT ]
O32 - AutoRun File - [2008/12/31 06:34:28 | 000,000,090 | ---- | M] () - D:\AUTORUN.INF -- [ NTFS ]
O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\autorun.exe -- File not found
O33 - MountPoints2\F\Shell\phone\command - "" = F:\autorun.exe -- File not found
O33 - MountPoints2\I\Shell - "" = AutoRun
O33 - MountPoints2\I\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\I\Shell\AutoRun\command - "" = I:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/06/19 10:38:04 | 000,572,416 | ---- | C] (OldTimer Tools) -- D:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/06/10 16:11:23 | 000,000,000 | ---D | C] -- D:\WINDOWS\LastGood
[2010/06/10 15:49:52 | 000,000,000 | ---D | C] -- D:\Program Files\Alwil Software
[2010/06/10 15:49:52 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/06/10 00:36:47 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Administrator\Desktop\gmer
[2010/06/09 22:54:59 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2010/06/09 22:54:34 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- D:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/06/09 22:54:33 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- D:\WINDOWS\System32\drivers\mbam.sys
[2010/06/09 22:54:33 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/06/09 22:54:32 | 000,000,000 | ---D | C] -- D:\Program Files\Malwarebytes' Anti-Malware
[2010/06/09 22:53:01 | 006,153,376 | ---- | C] (Malwarebytes Corporation ) -- D:\Documents and Settings\Administrator\Desktop\mbam-setup.exe
[2010/06/09 22:42:26 | 000,000,000 | -HSD | C] -- D:\WINDOWS\CSC
[2010/06/09 20:57:17 | 000,000,000 | ---D | C] -- D:\WINDOWS\pss
[2010/06/09 18:21:39 | 000,743,424 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\iedvtool.dll
[2010/06/09 15:55:13 | 000,000,000 | ---D | C] -- D:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/06/09 15:55:11 | 000,000,000 | ---D | C] -- D:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/06/09 14:24:41 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Administrator\Local Settings\Application Data\oprsbyd
[7 D:\WINDOWS\*.tmp files -> D:\WINDOWS\*.tmp -> ]
[6 D:\WINDOWS\Fonts\*.tmp files -> D:\WINDOWS\Fonts\*.tmp -> ]
[257 D:\WINDOWS\System32\*.tmp files -> D:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/19 10:38:08 | 000,572,416 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/06/19 10:32:05 | 000,002,422 | ---- | M] () -- D:\WINDOWS\System32\wpa.dbl
[2010/06/19 10:31:40 | 000,002,048 | --S- | M] () -- D:\WINDOWS\bootstat.dat
[2010/06/19 10:31:36 | 000,118,952 | ---- | M] () -- D:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/10 16:14:10 | 000,000,006 | -H-- | M] () -- D:\WINDOWS\tasks\SA.DAT
[2010/06/10 16:13:46 | 000,001,374 | ---- | M] () -- D:\WINDOWS\imsins.BAK
[2010/06/10 16:10:34 | 000,493,142 | ---- | M] () -- D:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/10 16:10:34 | 000,435,434 | ---- | M] () -- D:\WINDOWS\System32\perfh009.dat
[2010/06/10 16:10:34 | 000,068,984 | ---- | M] () -- D:\WINDOWS\System32\perfc009.dat
[2010/06/10 16:04:03 | 003,407,872 | ---- | M] () -- D:\Documents and Settings\Administrator\NTUSER.DAT
[2010/06/10 16:04:03 | 000,000,178 | -HS- | M] () -- D:\Documents and Settings\Administrator\ntuser.ini
[2010/06/10 16:01:16 | 000,036,171 | ---- | M] () -- D:\WINDOWS\System32\nvModes.001
[2010/06/10 16:01:15 | 000,063,783 | ---- | M] () -- D:\WINDOWS\System32\nvwsapps.xml
[2010/06/10 16:01:00 | 000,000,250 | ---- | M] () -- D:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2010/06/10 15:59:29 | 004,293,476 | -H-- | M] () -- D:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2010/06/10 15:58:24 | 000,002,577 | ---- | M] () -- D:\WINDOWS\System32\CONFIG.NT
[2010/06/10 01:03:00 | 000,000,000 | ---- | M] () -- D:\Documents and Settings\Administrator\defogger_reenable
[2010/06/10 01:02:23 | 000,050,477 | ---- | M] () -- D:\Documents and Settings\Administrator\Desktop\Defogger.exe
[2010/06/10 00:35:37 | 000,284,915 | ---- | M] () -- D:\Documents and Settings\Administrator\Desktop\gmer.zip
[2010/06/10 00:30:12 | 000,525,824 | ---- | M] () -- D:\Documents and Settings\Administrator\Desktop\dds.scr
[2010/06/09 23:41:07 | 000,363,520 | ---- | M] () -- D:\Documents and Settings\Administrator\Desktop\iExplore.exe
[2010/06/09 22:54:37 | 000,000,696 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/06/09 22:53:01 | 006,153,376 | ---- | M] (Malwarebytes Corporation ) -- D:\Documents and Settings\Administrator\Desktop\mbam-setup.exe
[2010/06/09 22:48:33 | 000,363,520 | ---- | M] () -- D:\Documents and Settings\Administrator\Desktop\rkill.com
[2010/06/09 21:10:21 | 000,000,447 | ---- | M] () -- D:\WINDOWS\win.ini
[2010/06/09 21:10:21 | 000,000,227 | ---- | M] () -- D:\WINDOWS\system.ini
[2010/06/09 20:24:20 | 000,052,736 | ---- | M] () -- D:\Documents and Settings\Administrator\Local Settings\Application Data\syssvc.exe
[2010/06/09 16:53:35 | 000,036,171 | ---- | M] () -- D:\WINDOWS\System32\nvModes.dat
[7 D:\WINDOWS\*.tmp files -> D:\WINDOWS\*.tmp -> ]
[257 D:\WINDOWS\System32\*.tmp files -> D:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/10 01:03:00 | 000,000,000 | ---- | C] () -- D:\Documents and Settings\Administrator\defogger_reenable
[2010/06/10 01:02:23 | 000,050,477 | ---- | C] () -- D:\Documents and Settings\Administrator\Desktop\Defogger.exe
[2010/06/10 00:35:35 | 000,284,915 | ---- | C] () -- D:\Documents and Settings\Administrator\Desktop\gmer.zip
[2010/06/10 00:30:11 | 000,525,824 | ---- | C] () -- D:\Documents and Settings\Administrator\Desktop\dds.scr
[2010/06/09 23:41:06 | 000,363,520 | ---- | C] () -- D:\Documents and Settings\Administrator\Desktop\iExplore.exe
[2010/06/09 23:35:08 | 000,363,520 | ---- | C] () -- D:\Documents and Settings\Administrator\Desktop\rkill.com
[2010/06/09 22:54:37 | 000,000,696 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/06/09 21:10:44 | 000,001,732 | ---- | C] () -- D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Loadout Manager.lnk
[2010/06/09 21:10:44 | 000,000,864 | ---- | C] () -- D:\Documents and Settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
[2010/06/09 20:24:18 | 000,052,736 | ---- | C] () -- D:\Documents and Settings\Administrator\Local Settings\Application Data\syssvc.exe
[2009/09/11 17:56:11 | 000,021,840 | ---- | C] () -- D:\WINDOWS\System32\SIntfNT.dll
[2009/09/11 17:56:10 | 000,017,212 | ---- | C] () -- D:\WINDOWS\System32\SIntf32.dll
[2009/09/11 17:56:10 | 000,012,067 | ---- | C] () -- D:\WINDOWS\System32\SIntf16.dll
[2009/08/24 15:55:49 | 000,087,552 | ---- | C] () -- D:\WINDOWS\System32\cpwmon2k.dll
[2009/01/06 17:48:42 | 000,000,097 | ---- | C] () -- D:\WINDOWS\System32\PICSDK.ini
[2009/01/06 17:46:32 | 000,000,044 | ---- | C] () -- D:\WINDOWS\EPSNX400.ini
[2008/12/29 04:31:18 | 001,662,976 | ---- | C] () -- D:\WINDOWS\System32\nvwdmcpl.dll
[2008/12/29 04:31:18 | 001,019,904 | ---- | C] () -- D:\WINDOWS\System32\nvwimg.dll
[2008/12/29 04:31:17 | 000,466,944 | ---- | C] () -- D:\WINDOWS\System32\nvshell.dll
[2008/12/29 04:31:09 | 001,466,368 | ---- | C] () -- D:\WINDOWS\System32\nview.dll
[2008/12/29 04:30:21 | 000,098,304 | ---- | C] () -- D:\WINDOWS\System32\nvapi.dll
[2005/09/30 05:21:43 | 000,000,187 | ---- | C] () -- D:\WINDOWS\wininit.ini
[2004/08/04 05:00:00 | 000,249,270 | ---- | C] () -- D:\WINDOWS\System32\_004551_.tmp.dll
[2004/08/04 05:00:00 | 000,022,040 | ---- | C] () -- D:\WINDOWS\System32\_004519_.tmp.dll
[2004/07/20 11:14:06 | 000,192,512 | ---- | C] () -- D:\WINDOWS\System32\Stac97co.dll
< End of report >
[2010/06/10 01:02:23 | 000,050,477 | ---- | C] () -- D:\Documents and Settings\Administrator\Desktop\Defogger.exe
[2010/06/10 00:35:35 | 000,284,915 | ---- | C] () -- D:\Documents and Settings\Administrator\Desktop\gmer.zip
[2010/06/10 00:30:11 | 000,525,824 | ---- | C] () -- D:\Documents and Settings\Administrator\Desktop\dds.scr
[2010/06/09 23:41:06 | 000,363,520 | ---- | C] () -- D:\Documents and Settings\Administrator\Desktop\iExplore.exe
[2010/06/09 23:35:08 | 000,363,520 | ---- | C] () -- D:\Documents and Settings\Administrator\Desktop\rkill.com
[2010/06/09 22:54:37 | 000,000,696 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/06/09 21:10:44 | 000,001,732 | ---- | C] () -- D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Loadout Manager.lnk
[2010/06/09 21:10:44 | 000,000,864 | ---- | C] () -- D:\Documents and Settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
[2010/06/09 20:24:18 | 000,052,736 | ---- | C] () -- D:\Documents and Settings\Administrator\Local Settings\Application Data\syssvc.exe
[2009/09/11 17:56:11 | 000,021,840 | ---- | C] () -- D:\WINDOWS\System32\SIntfNT.dll
[2009/09/11 17:56:10 | 000,017,212 | ---- | C] () -- D:\WINDOWS\System32\SIntf32.dll
[2009/09/11 17:56:10 | 000,012,067 | ---- | C] () -- D:\WINDOWS\System32\SIntf16.dll
[2009/08/24 15:55:49 | 000,087,552 | ---- | C] () -- D:\WINDOWS\System32\cpwmon2k.dll
[2009/01/06 17:48:42 | 000,000,097 | ---- | C] () -- D:\WINDOWS\System32\PICSDK.ini
[2009/01/06 17:46:32 | 000,000,044 | ---- | C] () -- D:\WINDOWS\EPSNX400.ini
[2008/12/29 04:31:18 | 001,662,976 | ---- | C] () -- D:\WINDOWS\System32\nvwdmcpl.dll
[2008/12/29 04:31:18 | 001,019,904 | ---- | C] () -- D:\WINDOWS\System32\nvwimg.dll
[2008/12/29 04:31:17 | 000,466,944 | ---- | C] () -- D:\WINDOWS\System32\nvshell.dll
[2008/12/29 04:31:09 | 001,466,368 | ---- | C] () -- D:\WINDOWS\System32\nview.dll
[2008/12/29 04:30:21 | 000,098,304 | ---- | C] () -- D:\WINDOWS\System32\nvapi.dll
[2005/09/30 05:21:43 | 000,000,187 | ---- | C] () -- D:\WINDOWS\wininit.ini
[2004/08/04 05:00:00 | 000,249,270 | ---- | C] () -- D:\WINDOWS\System32\_004551_.tmp.dll
[2004/08/04 05:00:00 | 000,022,040 | ---- | C] () -- D:\WINDOWS\System32\_004519_.tmp.dll
[2004/07/20 11:14:06 | 000,192,512 | ---- | C] () -- D:\WINDOWS\System32\Stac97co.dll
< End of report >
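Triage of the indicators in the log above, as an added example that is not part of the posted log and not code from OTL or from any other tool named in this thread. It parses three kinds of lines the log shows (O4 Run values, the IE and Firefox proxy settings, and the O30 LSA package entries) and flags the patterns visible in the posted log: an autorun in a user-writable profile directory with no publisher (the wkpqggfphafkl value pointing at ...\oprsbyd\rchjuvm.exe), a browser proxy forced through 127.0.0.1:1034 in both IE and Firefox, and LSA package values whose file OTL cannot resolve. The regular expressions, the directory heuristic and the category names are this example's own assumptions; the sample lines are copied from the posted log, with one benign vendor entry (Dell QuickSet) added to show what is not flagged.

```python
"""OTL log triage for the indicators seen in this thread (added example, not OTL code).

The line formats, the directory heuristic and the category names are this example's
own assumptions, derived from the lines visible in the posted log."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Per-user locations writable without admin rights; the rogue AV here starts from
# one of them. 8.3 short names (DOCUME~1, LOCALS~1) are deliberately not expanded.
USER_WRITABLE = re.compile(
    r"\\documents and settings\\[^\\]+\\"
    r"(local settings\\(application data|temp)|application data)\\",
    re.IGNORECASE,
)
# A proxy on the loopback interface means a local process sits in front of the browser.
LOOPBACK_PROXY = re.compile(r"\b(127\.0\.0\.1|localhost)\b", re.IGNORECASE)
PUBLISHER = re.compile(r"\((?P<pub>[^()]*)\)\s*$")  # OTL's trailing "(Company)"; "()" = none
O4_RUN = re.compile(r"O4 - \S+\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.*)$")
O30_LSA = re.compile(r"O30 - LSA: (?P<key>.+?) - \((?P<value>[^)]*)\) - File not found$")
IE_PROXY = re.compile(r'"ProxyServer" = (?P<value>.+)$')
FF_PROXY = re.compile(r'prefs\.js\.\.network\.proxy\.http: "(?P<value>[^"]+)"')


@dataclass(frozen=True)
class Finding:
    category: str
    detail: str


def check_autorun(line: str) -> Optional[Finding]:
    """O4 Run values: flag dangling targets and targets inside a user profile."""
    m = O4_RUN.match(line)
    if not m:
        return None
    name, target = m.group("name"), m.group("target")
    if target.endswith("File not found"):
        return Finding("orphan-autorun", f"{name} -> {target}")
    if USER_WRITABLE.search(target):
        pub = PUBLISHER.search(target)
        publisher = (pub.group("pub").strip() if pub else "") or "none"
        return Finding("autorun-from-profile", f"{name} -> {target} [publisher: {publisher}]")
    return None


def check_proxy(line: str) -> Optional[Finding]:
    """IE ProxyServer or Firefox network.proxy.http pointing at loopback."""
    m = IE_PROXY.search(line) or FF_PROXY.search(line)
    if m and LOOPBACK_PROXY.search(m.group("value")):
        return Finding("loopback-proxy", m.group("value"))
    return None


def check_lsa(line: str) -> Optional[Finding]:
    """O30 LSA package values whose DLL cannot be resolved (corrupt or hijacked)."""
    m = O30_LSA.match(line)
    if m:
        return Finding("lsa-package-unresolved", f"{m.group('key')}: {m.group('value')}")
    return None


CHECKS = (check_autorun, check_proxy, check_lsa)


def triage(log_text: str) -> List[Finding]:
    """Run every check over every line; the first matching check wins per line."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for check in CHECKS:
            found = check(line)
            if found:
                findings.append(found)
                break
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category for a quick first look."""
    return dict(Counter(f.category for f in findings))


# Constructed sample: lines copied from the OTL log posted in this thread, plus
# one benign vendor autorun (Dell QuickSet) to show what is not flagged.
SAMPLE_LOG = r"""
IE - HKU\S-1-5-21-507921405-1123561945-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:1034
FF - prefs.js..network.proxy.http: "127.0.0.1"
O4 - HKLM..\Run: [Dell QuickSet] D:\Program Files\Dell\QuickSet\QuickSet.exe (Dell Inc)
O4 - HKLM..\Run: [ISLP2STA.EXE] File not found
O4 - HKLM..\Run: [UIUCU] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\UIUCU.EXE File not found
O4 - HKLM..\Run: [wkpqggfphafkl] d:\documents and settings\administrator\local settings\application data\oprsbyd\rchjuvm.exe ()
O4 - HKU\S-1-5-21-507921405-1123561945-1801674531-500..\Run: [cdloader] D:\Documents and Settings\Administrator\Application Data\mjusbsp\cdloader2.exe (magicJack L.P.)
O30 - LSA: Authentication Packages - (OWS\S) - File not found
O30 - LSA: Security Packages - (Lsa) - File not found
O30 - LSA: Security Packages - (ity Packages settings...) - File not found
O30 - LSA: Security Packages - (or) - File not found
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.category:24} {f.detail}")
    print(summarize(triage(SAMPLE_LOG)))
```

Two design points worth noting. The cdloader entry (magicJack) is reported in the same category as rchjuvm.exe, because legitimate software also starts from Application Data; the publisher field is carried into the detail so a reviewer can separate the two, and the category is a review queue rather than a verdict. The UIUCU entry is caught only because OTL already marked it "File not found": the directory heuristic does not expand 8.3 short paths such as DOCUME~1\LOCALS~1\Temp, so a live file at such a path would need a separate check.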
OTL logfile created on: 6/19/2010 10:38:42 AM - Run 1
OTL by OldTimer - Version 3.2.6.0 Folder = D:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 86.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 97.00% Paging File free
Paging file location(s): D:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Program Files
Drive C: | 7.78 Mb Total Space | 7.48 Mb Free Space | 96.11% Space Free | Partition Type: FAT
Drive D: | 93.15 Gb Total Space | 81.92 Gb Free Space | 87.94% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DAD-C9D2CC3BCAD
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/06/19 10:38:08 | 000,572,416 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2010/02/02 09:27:06 | 001,201,640 | ---- | M] (Webroot Software, Inc. ) -- D:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
PRC - [2009/11/06 13:00:22 | 004,048,240 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/06/19 10:38:08 | 000,572,416 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [1999/03/29 03:34:06 | 000,106,768 | ---- | M] (Microsoft Corporation) -- D:\Program Files\X-Setup\bin\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/05/14 11:00:26 | 000,249,136 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- D:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2010/02/02 09:27:06 | 001,201,640 | ---- | M] (Webroot Software, Inc. ) [Auto | Running] -- D:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe -- (WRConsumerService)
SRV - [2009/11/06 13:00:22 | 004,048,240 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Auto | Running] -- D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe -- (WebrootSpySweeperService)
SRV - [2007/02/20 13:24:34 | 000,475,136 | ---- | M] (Dell Inc.) [Auto | Stopped] -- D:\Program Files\Dell\QuickSet\NicConfigSvc.exe -- (NICCONFIGSVC)


========== Driver Services (SafeList) ==========

DRV - [2010/02/02 09:24:45 | 000,108,880 | ---- | M] (Privacyware/PWI, Inc.) [Kernel | System | Running] -- D:\WINDOWS\system32\drivers\pwipf6.sys -- (pwipf6)
DRV - [2009/11/06 13:00:36 | 000,176,752 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Kernel | Boot | Running] -- D:\WINDOWS\SYSTEM32\Drivers\SSIDRV.SYS -- (SSIDRV)
DRV - [2009/11/06 13:00:36 | 000,023,152 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Kernel | Boot | Running] -- D:\WINDOWS\SYSTEM32\Drivers\SSHRMD.SYS -- (SSHRMD)
DRV - [2009/11/06 13:00:34 | 000,029,808 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Kernel | Boot | Running] -- D:\WINDOWS\system32\DRIVERS\ssfs0bbc.sys -- (ssfs0bbc)
DRV - [2008/04/13 11:56:49 | 000,012,800 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\usb8023.sys -- (USB_RNDIS)
DRV - [2008/04/13 11:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2007/10/01 16:24:36 | 000,023,864 | ---- | M] (Webroot Software Inc (www.webroot.com)) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\sskbfd.sys -- (SSKBFD)
DRV - [2007/03/16 19:10:56 | 000,604,928 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2006/09/14 17:55:00 | 000,088,192 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\gtipci21.sys -- (GTIPCI21)
DRV - [2006/03/23 00:32:00 | 003,656,352 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2005/08/12 17:50:46 | 000,016,128 | ---- | M] (Dell Inc) [Kernel | System | Stopped] -- D:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV)
DRV - [2005/03/10 17:56:06 | 000,273,168 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\STAC97.sys -- (STAC97)
DRV - [2004/08/23 15:49:30 | 000,121,472 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- D:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2003/07/23 12:16:48 | 000,022,821 | ---- | M] (Belkin Corporation) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\bcgame.sys -- (bcgame)
DRV - [2002/10/03 19:07:00 | 000,611,840 | ---- | M] (Intersil Americas Inc.) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\islp2nds.sys -- (ISLP2)
DRV - [2002/04/11 20:21:38 | 000,013,335 | ---- | M] (Microsystems Corp) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\usbcm.sys -- (usbcm)
DRV - [2001/08/22 08:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Stopped] -- D:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)
DRV - [2001/08/17 13:10:28 | 000,035,913 | ---- | M] (SMC) [Kernel | On_Demand | Stopped] -- D:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-507921405-1123561945-1801674531-500\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
IE - HKU\S-1-5-21-507921405-1123561945-1801674531-500\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = www.live.com [binary data]
IE - HKU\S-1-5-21-507921405-1123561945-1801674531-500\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
IE - HKU\S-1-5-21-507921405-1123561945-1801674531-500\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-507921405-1123561945-1801674531-500\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = My Web Search
IE - HKU\S-1-5-21-507921405-1123561945-1801674531-500\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultUrl = http://www.mywebsearch.com/jsp/cfg_redir2....r={searchTerms}
IE - HKU\S-1-5-21-507921405-1123561945-1801674531-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-507921405-1123561945-1801674531-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-507921405-1123561945-1801674531-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 94 A7 0E DB D5 0F CB 01 [binary data]
IE - HKU\S-1-5-21-507921405-1123561945-1801674531-500\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-507921405-1123561945-1801674531-500\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - D:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
IE - HKU\S-1-5-21-507921405-1123561945-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-507921405-1123561945-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-507921405-1123561945-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:1034

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedengine: "Ask.com"
FF - prefs.js..browser.search.usedbfororder: true
FF - prefs.js..browser.startup.homepage: "http://www.msn.com/"
FF - prefs.js..keyword.url: "http://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=WBR&o=13993&locale=en_US&q="
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 1034
FF - prefs.js..network.proxy.type: 1

FF - HKLM\software\mozilla\Firefox\extensions\\{27182e60-b5f3-411c-b545-b44205977502}: D:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\ [2010/06/10 16:13:31 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Components: D:\Program Files\Mozilla Firefox\components [2009/04/28 07:24:28 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Plugins: D:\Program Files\Mozilla Firefox\plugins [2009/08/24 17:58:58 | 000,000,000 | ---D | M]

[2009/03/25 10:50:01 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2009/07/23 11:55:55 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2ttlwrgi.default\extensions
[2009/07/23 11:55:55 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2ttlwrgi.default\extensions\ChoiceGuard@Microsoft
[2010/02/12 12:01:12 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2ttlwrgi.default\extensions\toolbar@ask.com
[2010/02/04 17:45:40 | 000,002,254 | ---- | M] () -- D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2ttlwrgi.default\searchplugins\askcom.xml
[2009/06/22 18:56:13 | 000,000,000 | ---D | M] -- D:\Program Files\Mozilla Firefox\extensions
[2009/05/04 17:58:24 | 000,002,236 | ---- | M] () -- D:\Program Files\Mozilla Firefox\searchplugins\askcom.xml

O1 HOSTS File: ([2005/09/30 01:12:48 | 000,000,734 | ---- | M]) - D:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - D:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - D:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - D:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - D:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - D:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKU\S-1-5-21-507921405-1123561945-1801674531-500\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - D:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-507921405-1123561945-1801674531-500\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - D:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O4 - HKLM..\Run: [Dell QuickSet] D:\Program Files\Dell\QuickSet\QuickSet.exe (Dell Inc)
O4 - HKLM..\Run: [ISLP2STA.EXE] File not found
O4 - HKLM..\Run: [MMTray] D:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe (Musicmatch, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] D:\WINDOWS\system32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NVHotkey] D:\WINDOWS\System32\nvhotkey.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] D:\WINDOWS\System32\nvmctray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] D:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [SpySweeper] D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe (Webroot Software, Inc.)
O4 - HKLM..\Run: [UIUCU] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\UIUCU.EXE File not found
O4 - HKLM..\Run: [wkpqggfphafkl] d:\documents and settings\administrator\local settings\application data\oprsbyd\rchjuvm.exe ()
O4 - HKU\S-1-5-21-507921405-1123561945-1801674531-500..\Run: [cdloader] D:\Documents and Settings\Administrator\Application Data\mjusbsp\cdloader2.exe (magicJack L.P.)
O4 - HKU\S-1-5-21-507921405-1123561945-1801674531-500..\Run: [EPSON Stylus NX400 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEGA.EXE (SEIKO EPSON CORPORATION)
O4 - Startup: D:\Documents and Settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk = D:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O4 - Startup: D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Loadout Manager.lnk = D:\Program Files\Belkin\Nostromo\nost_LM.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-507921405-1123561945-1801674531-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O15 - HKU\S-1-5-21-507921405-1123561945-1801674531-500\..Trusted Domains: //@install.mar@ ([]msni in My Computer)
O15 - HKU\S-1-5-21-507921405-1123561945-1801674531-500\..Trusted Domains: //@mail.mar@ ([]msni in Local intranet)
O15 - HKU\S-1-5-21-507921405-1123561945-1801674531-500\..Trusted Domains: magicjack.com ([my] * in Trusted sites)
O15 - HKU\S-1-5-21-507921405-1123561945-1801674531-500\..Trusted Domains: talk4free.com ([reg] * in Trusted sites)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} https://support.dell.com/systemprofiler/SysPro.CAB (SysProWmi Class)
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} http://www.pogo.com/cdl/launcher/PogoWebLa...erInstaller.CAB (PogoWebLauncher Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {9BA9AE56-8DFC-4994-AEA9-68BEAD35A6FA} http://www.mywebtattoo.com/_downloads/cab/v2/MyWebTattoo.cab (Reg Error: Key error.)
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} http://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab (MSN Games Texas Holdem Poker)
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab (ZPA_SHVL Object)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn.com/binFramework/v10/...rk.cab56649.cab (MSN Games - Installer)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://games.pogo.com/online2/pogo/zuma/popcaploader_v5.cab (Reg Error: Key error.)
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} http://zone.msn.com/bingame/zpagames/ZPA_B...on.cab64162.cab (MSN Games Backgammon)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - D:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - D:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: D:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: D:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O30 - LSA: Authentication Packages - (OWS\S) - File not found
O30 - LSA: Security Packages - (Lsa) - File not found
O30 - LSA: Security Packages - (ity Packages settings...) - File not found
O30 - LSA: Security Packages - (or) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/12/20 06:31:44 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT ]
O32 - AutoRun File - [2008/12/31 06:34:28 | 000,000,090 | ---- | M] () - D:\AUTORUN.INF -- [ NTFS ]
O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\autorun.exe -- File not found
O33 - MountPoints2\F\Shell\phone\command - "" = F:\autorun.exe -- File not found
O33 - MountPoints2\I\Shell - "" = AutoRun
O33 - MountPoints2\I\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\I\Shell\AutoRun\command - "" = I:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/06/19 10:38:04 | 000,572,416 | ---- | C] (OldTimer Tools) -- D:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/06/10 16:11:23 | 000,000,000 | ---D | C] -- D:\WINDOWS\LastGood
[2010/06/10 15:49:52 | 000,000,000 | ---D | C] -- D:\Program Files\Alwil Software
[2010/06/10 15:49:52 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/06/10 00:36:47 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Administrator\Desktop\gmer
[2010/06/09 22:54:59 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2010/06/09 22:54:34 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- D:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/06/09 22:54:33 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- D:\WINDOWS\System32\drivers\mbam.sys
[2010/06/09 22:54:33 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/06/09 22:54:32 | 000,000,000 | ---D | C] -- D:\Program Files\Malwarebytes' Anti-Malware
[2010/06/09 22:53:01 | 006,153,376 | ---- | C] (Malwarebytes Corporation ) -- D:\Documents and Settings\Administrator\Desktop\mbam-setup.exe
[2010/06/09 22:42:26 | 000,000,000 | -HSD | C] -- D:\WINDOWS\CSC
[2010/06/09 20:57:17 | 000,000,000 | ---D | C] -- D:\WINDOWS\pss
[2010/06/09 18:21:39 | 000,743,424 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\iedvtool.dll
[2010/06/09 15:55:13 | 000,000,000 | ---D | C] -- D:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/06/09 15:55:11 | 000,000,000 | ---D | C] -- D:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/06/09 14:24:41 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Administrator\Local Settings\Application Data\oprsbyd
[7 D:\WINDOWS\*.tmp files -> D:\WINDOWS\*.tmp -> ]
[6 D:\WINDOWS\Fonts\*.tmp files -> D:\WINDOWS\Fonts\*.tmp -> ]
[257 D:\WINDOWS\System32\*.tmp files -> D:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/19 10:38:08 | 000,572,416 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/06/19 10:32:05 | 000,002,422 | ---- | M] () -- D:\WINDOWS\System32\wpa.dbl
[2010/06/19 10:31:40 | 000,002,048 | --S- | M] () -- D:\WINDOWS\bootstat.dat
[2010/06/19 10:31:36 | 000,118,952 | ---- | M] () -- D:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/10 16:14:10 | 000,000,006 | -H-- | M] () -- D:\WINDOWS\tasks\SA.DAT
[2010/06/10 16:13:46 | 000,001,374 | ---- | M] () -- D:\WINDOWS\imsins.BAK
[2010/06/10 16:10:34 | 000,493,142 | ---- | M] () -- D:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/10 16:10:34 | 000,435,434 | ---- | M] () -- D:\WINDOWS\System32\perfh009.dat
[2010/06/10 16:10:34 | 000,068,984 | ---- | M] () -- D:\WINDOWS\System32\perfc009.dat
[2010/06/10 16:04:03 | 003,407,872 | ---- | M] () -- D:\Documents and Settings\Administrator\NTUSER.DAT
[2010/06/10 16:04:03 | 000,000,178 | -HS- | M] () -- D:\Documents and Settings\Administrator\ntuser.ini
[2010/06/10 16:01:16 | 000,036,171 | ---- | M] () -- D:\WINDOWS\System32\nvModes.001
[2010/06/10 16:01:15 | 000,063,783 | ---- | M] () -- D:\WINDOWS\System32\nvwsapps.xml
[2010/06/10 16:01:00 | 000,000,250 | ---- | M] () -- D:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2010/06/10 15:59:29 | 004,293,476 | -H-- | M] () -- D:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2010/06/10 15:58:24 | 000,002,577 | ---- | M] () -- D:\WINDOWS\System32\CONFIG.NT
[2010/06/10 01:03:00 | 000,000,000 | ---- | M] () -- D:\Documents and Settings\Administrator\defogger_reenable
[2010/06/10 01:02:23 | 000,050,477 | ---- | M] () -- D:\Documents and Settings\Administrator\Desktop\Defogger.exe
[2010/06/10 00:35:37 | 000,284,915 | ---- | M] () -- D:\Documents and Settings\Administrator\Desktop\gmer.zip
[2010/06/10 00:30:12 | 000,525,824 | ---- | M] () -- D:\Documents and Settings\Administrator\Desktop\dds.scr
[2010/06/09 23:41:07 | 000,363,520 | ---- | M] () -- D:\Documents and Settings\Administrator\Desktop\iExplore.exe
[2010/06/09 22:54:37 | 000,000,696 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/06/09 22:53:01 | 006,153,376 | ---- | M] (Malwarebytes Corporation ) -- D:\Documents and Settings\Administrator\Desktop\mbam-setup.exe
[2010/06/09 22:48:33 | 000,363,520 | ---- | M] () -- D:\Documents and Settings\Administrator\Desktop\rkill.com
[2010/06/09 21:10:21 | 000,000,447 | ---- | M] () -- D:\WINDOWS\win.ini
[2010/06/09 21:10:21 | 000,000,227 | ---- | M] () -- D:\WINDOWS\system.ini
[2010/06/09 20:24:20 | 000,052,736 | ---- | M] () -- D:\Documents and Settings\Administrator\Local Settings\Application Data\syssvc.exe
[2010/06/09 16:53:35 | 000,036,171 | ---- | M] () -- D:\WINDOWS\System32\nvModes.dat
[7 D:\WINDOWS\*.tmp files -> D:\WINDOWS\*.tmp -> ]
[257 D:\WINDOWS\System32\*.tmp files -> D:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/10 01:03:00 | 000,000,000 | ---- | C] () -- D:\Documents and Settings\Administrator\defogger_reenable
[2010/06/10 01:02:23 | 000,050,477 | ---- | C] () -- D:\Documents and Settings\Administrator\Desktop\Defogger.exe
[2010/06/10 00:35:35 | 000,284,915 | ---- | C] () -- D:\Documents and Settings\Administrator\Desktop\gmer.zip
[2010/06/10 00:30:11 | 000,525,824 | ---- | C] () -- D:\Documents and Settings\Administrator\Desktop\dds.scr
[2010/06/09 23:41:06 | 000,363,520 | ---- | C] () -- D:\Documents and Settings\Administrator\Desktop\iExplore.exe
[2010/06/09 23:35:08 | 000,363,520 | ---- | C] () -- D:\Documents and Settings\Administrator\Desktop\rkill.com
[2010/06/09 22:54:37 | 000,000,696 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/06/09 21:10:44 | 000,001,732 | ---- | C] () -- D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Loadout Manager.lnk
[2010/06/09 21:10:44 | 000,000,864 | ---- | C] () -- D:\Documents and Settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
[2010/06/09 20:24:18 | 000,052,736 | ---- | C] () -- D:\Documents and Settings\Administrator\Local Settings\Application Data\syssvc.exe
[2009/09/11 17:56:11 | 000,021,840 | ---- | C] () -- D:\WINDOWS\System32\SIntfNT.dll
[2009/09/11 17:56:10 | 000,017,212 | ---- | C] () -- D:\WINDOWS\System32\SIntf32.dll
[2009/09/11 17:56:10 | 000,012,067 | ---- | C] () -- D:\WINDOWS\System32\SIntf16.dll
[2009/08/24 15:55:49 | 000,087,552 | ---- | C] () -- D:\WINDOWS\System32\cpwmon2k.dll
[2009/01/06 17:48:42 | 000,000,097 | ---- | C] () -- D:\WINDOWS\System32\PICSDK.ini
[2009/01/06 17:46:32 | 000,000,044 | ---- | C] () -- D:\WINDOWS\EPSNX400.ini
[2008/12/29 04:31:18 | 001,662,976 | ---- | C] () -- D:\WINDOWS\System32\nvwdmcpl.dll
[2008/12/29 04:31:18 | 001,019,904 | ---- | C] () -- D:\WINDOWS\System32\nvwimg.dll
[2008/12/29 04:31:17 | 000,466,944 | ---- | C] () -- D:\WINDOWS\System32\nvshell.dll
[2008/12/29 04:31:09 | 001,466,368 | ---- | C] () -- D:\WINDOWS\System32\nview.dll
[2008/12/29 04:30:21 | 000,098,304 | ---- | C] () -- D:\WINDOWS\System32\nvapi.dll
[2005/09/30 05:21:43 | 000,000,187 | ---- | C] () -- D:\WINDOWS\wininit.ini
[2004/08/04 05:00:00 | 000,249,270 | ---- | C] () -- D:\WINDOWS\System32\_004551_.tmp.dll
[2004/08/04 05:00:00 | 000,022,040 | ---- | C] () -- D:\WINDOWS\System32\_004519_.tmp.dll
[2004/07/20 11:14:06 | 000,192,512 | ---- | C] () -- D:\WINDOWS\System32\Stac97co.dll
< End of report >
GMER log is on next attachment


#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • Gender:Female
  • Location:Romania
  • Local time:08:36 AM

Posted 19 June 2010 - 01:31 PM

Hi there, sorry, I don't see GMER.

Or do you mean you will add it in another post?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#5 jenissolost

jenissolost
  • Topic Starter

  • Members
  • 28 posts
  • Local time:10:36 PM

Posted 19 June 2010 - 01:31 PM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-19 11:30:08
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kwayrfod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwAdjustPrivilegesToken [0xBA4266B0]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwConnectPort [0xBA426BB0]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwCreateFile [0xBA425510]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwCreateKey [0xBA426370]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwCreatePort [0xBA426F10]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwCreateProcessEx [0xBA427870]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwCreateSection [0xBA427170]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwCreateThread [0xBA427470]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwDebugActiveProcess [0xBA425E80]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwDeleteKey [0xBA424080]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwDeleteValueKey [0xBA4241E0]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwDeviceIoControlFile [0xBA425F80]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwOpenFile [0xBA4257A0]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwOpenProcess [0xBA4243A0]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwOpenSection [0xBA425A10]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwOpenThread [0xBA426570]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwResumeThread [0xBA424610]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwSecureConnectPort [0xBA426D60]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwSetValueKey [0xBA423EE0]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwTerminateProcess [0xBA423DD0]
SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwTerminateThread [0xBA4244F0]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip pwipf6.sys (pwipf6/Privacyware/PWI, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp pwipf6.sys (pwipf6/Privacyware/PWI, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp pwipf6.sys (pwipf6/Privacyware/PWI, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp pwipf6.sys (pwipf6/Privacyware/PWI, Inc.)

Device \FileSystem\Cdfs \Cdfs B97BF400

---- EOF - GMER 1.0.15 ----


#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • Gender:Female
  • Location:Romania
  • Local time:08:36 AM

Posted 19 June 2010 - 01:52 PM

Hello again,

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise




#7 jenissolost

jenissolost
  • Topic Starter

  • Members
  • 28 posts
  • Local time:10:36 PM

Posted 19 June 2010 - 01:58 PM

Should I run this in safe mode? I've been running everything that way. I'll download it and have it ready to run as soon as I receive a reply.

#8 jenissolost

jenissolost
  • Topic Starter

  • Members
  • 28 posts
  • Local time:10:36 PM

Posted 19 June 2010 - 02:24 PM

I ran ComboFix in normal mode and have the report generated... I can't seem to get onto the internet in normal, though. Should I restart in safe mode to send you the report? Thank you.

#9 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • Gender:Female
  • Location:Romania
  • Local time:08:36 AM

Posted 19 June 2010 - 02:42 PM

Did the internet also not work before running Combofix? If so, and safe mode works with internet, then yes, try safe mode.

regards, Elise




#10 jenissolost

jenissolost
  • Topic Starter

  • Members
  • 28 posts
  • Local time:10:36 PM

Posted 19 June 2010 - 02:53 PM

It works in safe mode. I don't know about normal after AV Security infected it. I was lucky enough to have another computer so I could find out how to fix that one. I checked to make sure it wasn't re-directing me to a proxy server, but that wasn't it. I'll attach the report using safe mode.

#11 jenissolost

jenissolost
  • Topic Starter

  • Members
  • 28 posts
  • Local time:10:36 PM

Posted 19 June 2010 - 02:56 PM

ComboFix 10-06-18.03 - Administrator 06/19/2010 12:08:04.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1639 [GMT -7:00]
Running from: d:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Webroot Internet Security Essentials *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
FW: Webroot Internet Security Essentials *disabled* {63671000-11A2-46DD-BADD-A084CABCDEAE}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\autorun.inf
d:\documents and settings\Administrator\Local Settings\Application Data\syssvc.exe
D:\setup.exe
d:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
d:\windows\Downloaded Program Files\popcaploader.inf
d:\windows\system32\_004508_.tmp.dll
d:\windows\system32\_004509_.tmp.dll
d:\windows\system32\_004510_.tmp.dll
d:\windows\system32\_004511_.tmp.dll
d:\windows\system32\_004518_.tmp.dll
d:\windows\system32\_004519_.tmp.dll
d:\windows\system32\_004520_.tmp.dll
d:\windows\system32\_004521_.tmp.dll
d:\windows\system32\_004523_.tmp.dll
d:\windows\system32\_004524_.tmp.dll
d:\windows\system32\_004525_.tmp.dll
d:\windows\system32\_004527_.tmp.dll
d:\windows\system32\_004528_.tmp.dll
d:\windows\system32\_004530_.tmp.dll
d:\windows\system32\_004531_.tmp.dll
d:\windows\system32\_004532_.tmp.dll
d:\windows\system32\_004534_.tmp.dll
d:\windows\system32\_004535_.tmp.dll
d:\windows\system32\_004537_.tmp.dll
d:\windows\system32\_004538_.tmp.dll
d:\windows\system32\_004542_.tmp.dll
d:\windows\system32\_004543_.tmp.dll
d:\windows\system32\_004545_.tmp.dll
d:\windows\system32\_004548_.tmp.dll
d:\windows\system32\_004550_.tmp.dll
d:\windows\system32\_004551_.tmp.dll
d:\windows\system32\_004552_.tmp.dll
d:\windows\system32\_004553_.tmp.dll
d:\windows\system32\_004554_.tmp.dll
d:\windows\system32\_004557_.tmp.dll
d:\windows\system32\_004558_.tmp.dll
d:\windows\system32\_004559_.tmp.dll
d:\windows\system32\_004560_.tmp.dll
d:\windows\system32\_004561_.tmp.dll
d:\windows\system32\_004566_.tmp.dll
d:\windows\system32\_004568_.tmp.dll
d:\windows\system32\SET499.tmp
d:\windows\system32\SET6F1.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE


((((((((((((((((((((((((( Files Created from 2010-05-19 to 2010-06-19 )))))))))))))))))))))))))))))))
.

2010-06-10 22:49 . 2010-06-10 22:49 -------- d-----w- d:\program files\Alwil Software
2010-06-10 22:49 . 2010-06-10 22:49 -------- d-----w- d:\documents and settings\All Users\Application Data\Alwil Software
2010-06-10 05:54 . 2010-06-10 05:54 -------- d-----w- d:\documents and settings\Administrator\Application Data\Malwarebytes
2010-06-10 05:54 . 2010-04-29 22:39 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2010-06-10 05:54 . 2010-06-10 05:54 -------- d-----w- d:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-10 05:54 . 2010-04-29 22:39 20952 ----a-w- d:\windows\system32\drivers\mbam.sys
2010-06-10 05:54 . 2010-06-10 05:54 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2010-06-10 01:21 . 2010-05-06 10:41 743424 -c----w- d:\windows\system32\dllcache\iedvtool.dll
2010-06-09 22:56 . 2010-06-09 22:56 -------- d-sh--w- d:\documents and settings\NetworkService\IETldCache
2010-06-09 21:24 . 2010-06-09 21:24 -------- d-----w- d:\documents and settings\Administrator\Local Settings\Application Data\oprsbyd
2010-06-06 16:32 . 2010-06-06 16:32 348160 ----a-w- d:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1367deb0-n\msvcr71.dll
2010-06-06 16:32 . 2010-06-06 16:32 503808 ----a-w- d:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1367deb0-n\msvcp71.dll
2010-06-06 16:32 . 2010-06-06 16:32 499712 ----a-w- d:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1367deb0-n\jmc.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-09 23:53 . 2008-12-29 11:33 36171 ----a-w- d:\windows\system32\nvModes.dat
2010-06-09 23:27 . 2009-03-25 16:50 -------- d-----w- d:\program files\Microsoft Silverlight
2010-05-12 07:24 . 2009-09-12 00:24 -------- d-----w- d:\program files\Diablo II
2010-05-10 06:45 . 2009-02-10 19:28 1 ----a-w- d:\documents and settings\Administrator\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-05-08 09:00 . 2010-01-08 02:48 -------- d-----w- d:\documents and settings\Administrator\Application Data\mjusbsp
2010-05-06 10:41 . 2004-08-04 12:00 916480 ----a-w- d:\windows\system32\wininet.dll
2010-05-02 05:22 . 2009-02-01 23:06 1851264 ----a-w- d:\windows\system32\win32k.sys
2010-04-20 05:30 . 2004-08-04 12:00 285696 ----a-w- d:\windows\system32\atmfd.dll
2005-09-30 11:35 . 2005-09-30 11:36 2516480 ----a-w- d:\program files\Driver Detective.msi
2005-09-30 11:35 . 2005-09-30 11:36 6129 ----a-w- d:\program files\0x0409.ini
2005-09-30 11:35 . 2005-09-30 11:36 283607 ----a-w- d:\program files\setup.isn
2005-09-30 11:35 . 2005-09-30 11:36 2389 ----a-w- d:\program files\Setup.INI
2005-01-21 00:53 . 2005-09-30 12:51 45056 ------r- d:\program files\SetAttrib.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "d:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-05 1197448]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-05 00:50 1197448 ----a-w- d:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "d:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-05 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "d:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-05 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-03-06 00:02 238968 ----a-w- d:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="d:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-27 3883856]
"cdloader"="d:\documents and settings\Administrator\Application Data\mjusbsp\cdloader2.exe" [2010-02-26 50520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISLP2STA.EXE"="ISLP2STA.EXE START" [X]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2006-03-23 7561216]
"wkpqggfphafkl"="d:\documents and settings\administrator\local settings\application data\oprsbyd\rchjuvm.exe" [2010-06-09 375552]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2009-06-23 148888]
"nwiz"="d:\windows\system32\nwiz.exe" [2006-03-23 1519616]
"NvMediaCenter"="NvMCTray.dll" [2006-03-23 86016]
"NVHotkey"="nvHotkey.dll" [2006-03-23 73728]
"MMTray"="d:\progra~1\MUSICM~1\MUSICM~1\mm_tray.exe" [2005-03-31 135168]
"Dell QuickSet"="d:\program files\Dell\QuickSet\QuickSet.exe" [2007-02-20 1191936]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"SpySweeper"="d:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2009-11-06 6515784]

d:\documents and settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - d:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
Loadout Manager.lnk - d:\program files\Belkin\Nostromo\nost_LM.exe [2003-6-23 442368]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 ssfs0bbc;ssfs0bbc;d:\windows\system32\drivers\ssfs0bbc.sys [12/7/2008 10:26 PM 29808]
R1 pwipf6;pwipf6;d:\windows\system32\drivers\pwipf6.sys [3/22/2009 2:50 PM 108880]
R2 WRConsumerService;Webroot Client Service;d:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [2/1/2009 6:15 PM 1201640]
R3 GTIPCI21;GTIPCI21;d:\windows\system32\drivers\gtipci21.sys [12/29/2008 4:09 AM 88192]
S3 bcgame;Nostromo HID Device Minidriver;d:\windows\system32\drivers\bcgame.sys [7/23/2003 12:16 PM 22821]
S3 ISLP2;Intersil 802.11 Wireless LAN Driver;d:\windows\system32\drivers\islp2nds.sys [10/3/2002 7:07 PM 611840]
S3 NdisWDM;Dynex Enhanced Wireless G USB Network Adapter Service;d:\windows\system32\DRIVERS\ndiswdm.sys --> d:\windows\system32\DRIVERS\ndiswdm.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-06-10 d:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- d:\program files\Ask.com\UpdateTask.exe [2010-02-05 00:50]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZCxdm869YYUS&fl=0&ptb=3mzWhy5GDQi2bD2N1UqnEA&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}
uInternet Settings,ProxyServer = http=127.0.0.1:1034
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
Trusted Zone: magicjack.com\my
Trusted Zone: talk4free.com\reg
TCP: {79A28DDD-50FE-43AC-8E33-5A525A085128} = 67.90.152.122
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
DPF: {9BA9AE56-8DFC-4994-AEA9-68BEAD35A6FA} - hxxp://www.mywebtattoo.com/_downloads/cab/v2/MyWebTattoo.cab
FF - ProfilePath - d:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2ttlwrgi.default\
FF - prefs.js: browser.search.selectedengine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: keyword.url - hxxp://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=WBR&o=13993&locale=en_US&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 1034
FF - prefs.js: network.proxy.type - 1
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - d:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-19 12:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-507921405-1123561945-1801674531-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,93,dc,9b,0b,7f,ce,88,44,82,7a,07,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c3,46,7f,f1,54,08,7f,41,b5,47,6d,\

[HKEY_USERS\S-1-5-21-507921405-1123561945-1801674531-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3668)
d:\windows\system32\WININET.dll
d:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll
d:\program files\Belkin\Nostromo\nost_FSH.dll
d:\windows\system32\ieframe.dll
d:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
d:\windows\System32\SCardSvr.exe
d:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
d:\program files\Java\jre6\bin\jqs.exe
d:\program files\Dell\QuickSet\NICCONFIGSVC.exe
d:\windows\system32\nvsvc32.exe
d:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
d:\windows\system32\wdfmgr.exe
d:\program files\Webroot\Spy Sweeper\SpySweeper.exe
d:\windows\system32\rundll32.exe
d:\program files\OpenOffice.org 3\program\soffice.exe
d:\program files\OpenOffice.org 3\program\soffice.bin
d:\program files\Webroot\Spy Sweeper\SSU.EXE
.
**************************************************************************
.
Completion time: 2010-06-19 12:21:49 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-19 19:21

Pre-Run: 87,821,766,656 bytes free
Post-Run: 87,821,922,304 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 7EC7226B89C92D3B115912D42FB50E0E


#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • Gender:Female
  • Location:Romania
  • Local time:08:36 AM

Posted 20 June 2010 - 02:21 AM

Hello again

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
CODE
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wkpqggfphafkl"=-

Folder::
d:\documents and settings\administrator\local settings\application data\oprsbyd

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:1034
uInternet Settings,ProxyOverride = <local>

Firefox::
FF - ProfilePath - d:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2ttlwrgi.default\
FF - prefs.js: browser.search.selectedengine
FF - prefs.js: keyword.url
FF - prefs.js: network.proxy.http
FF - prefs.js: network.proxy.http_port
FF - prefs.js: network.proxy.type

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Now please reboot in normal mode and uninstall Ask Toolbar using Add/Remove programs. Let me know how normal mode is running.

regards, Elise

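The log above shows the two things this script targets: a Run value (wkpqggfphafkl) launching an executable out of Local Settings\Application Data, and a loopback HTTP proxy (127.0.0.1:1034) written into both the IE and the Firefox settings, which is also why a browser keeps failing once the process that served that port is gone. As an added example (not ComboFix's code, nor Elise's), this Python script picks those indicators out of ComboFix-style log lines and drafts the matching CFScript sections; the sample lines are copied from the log posted above, and the user-profile path heuristic is an assumption of the example.

```python
"""Added example, not ComboFix's own code: triage ComboFix log lines for the
persistence entry and loopback-proxy hijack seen above, then draft the
CFScript sections (Registry::/Folder::/DDS::/Firefox::) that undo them."""
import re

# Constructed sample: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2006-03-23 7561216]
"wkpqggfphafkl"="d:\documents and settings\administrator\local settings\application data\oprsbyd\rchjuvm.exe" [2010-06-09 375552]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2009-06-23 148888]

uInternet Settings,ProxyServer = http=127.0.0.1:1034
uInternet Settings,ProxyOverride = <local>
FF - ProfilePath - d:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2ttlwrgi.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 1034
FF - prefs.js: network.proxy.type - 1
""".strip().splitlines()

RUN_KEY_RE = re.compile(r"^\[(HKEY_[^\]]+\\Run)\]$", re.IGNORECASE)
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)"')
IE_PROXY_RE = re.compile(r"^uInternet Settings,(\w+) = (.+)$")
FF_PROFILE_RE = re.compile(r"^FF - ProfilePath - (.+)$")
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (\S+) - (.*)$")

# Heuristic (an assumption of this example): autostart binaries under a user's
# profile data folders deserve a look, since installers normally put programs in
# Program Files or System32. It is a triage cue, not a verdict: the same log's
# "cdloader" (magicJack) entry would trip it too and Elise left that one alone,
# so each hit is confirmed by hand before it goes into a script.
USER_DATA_DIRS = ("\\local settings\\application data\\", "\\application data\\")
LOOPBACK_HOSTS = ("127.0.0.1", "localhost")


def parse_log(lines):
    """Collect Run values, IE proxy settings and Firefox prefs from log lines."""
    parsed = {"run": [], "ie": {}, "ff_profile": None, "ff_prefs": {}}
    current_key = None
    for raw in lines:
        line = raw.strip()
        if not line:                      # a blank line ends a registry section
            current_key = None
            continue
        if m := RUN_KEY_RE.match(line):
            current_key = m.group(1)
        elif current_key and (m := RUN_VALUE_RE.match(line)):
            parsed["run"].append((current_key, m.group(1), m.group(2)))
        elif m := IE_PROXY_RE.match(line):
            parsed["ie"][m.group(1)] = m.group(2)
        elif m := FF_PROFILE_RE.match(line):
            parsed["ff_profile"] = m.group(1)
        elif m := FF_PREF_RE.match(line):
            parsed["ff_prefs"][m.group(1)] = m.group(2)
    return parsed


def is_loopback_proxy(value):
    """True when a ProxyServer value such as 'http=127.0.0.1:1034' points at the
    local machine, i.e. a process on this box is relaying the browser's traffic."""
    host = value.split("=")[-1].split(":")[0]
    return host.lower() in LOOPBACK_HOSTS


def find_indicators(parsed):
    """Group the suspicious entries the way a CFScript will need them."""
    found = {"run": [], "folders": [], "dds": [], "ff": []}
    for key, name, path in parsed["run"]:
        if any(d in path.lower() for d in USER_DATA_DIRS):
            found["run"].append((key, name))
            found["folders"].append(path.rsplit("\\", 1)[0])   # drop the exe name
    proxy = parsed["ie"].get("ProxyServer")
    if proxy and is_loopback_proxy(proxy):
        found["dds"].append("uInternet Settings,ProxyServer = " + proxy)
        if "ProxyOverride" in parsed["ie"]:
            found["dds"].append("uInternet Settings,ProxyOverride = " + parsed["ie"]["ProxyOverride"])
    prefs = parsed["ff_prefs"]
    # network.proxy.type 1 is "manual proxy"; with a loopback host it is the same
    # hijack applied to Firefox, so all three prefs get reset together.
    if prefs.get("network.proxy.type") == "1" and prefs.get("network.proxy.http", "").lower() in LOOPBACK_HOSTS:
        found["ff"] = [p for p in ("network.proxy.http", "network.proxy.http_port", "network.proxy.type") if p in prefs]
    return found


def build_cfscript(parsed, found):
    """Render the findings in the CFScript layout used in the thread above:
    "name"=- deletes a value, Folder:: removes a directory, DDS:: and Firefox::
    reset the listed settings."""
    out = []
    if found["run"]:
        out.append("Registry::")
        for key, name in found["run"]:
            out += [f"[{key}]", f'"{name}"=-']
    if found["folders"]:
        out += ["", "Folder::", *found["folders"]]
    if found["dds"]:
        out += ["", "DDS::", *found["dds"]]
    if found["ff"] and parsed["ff_profile"]:
        out += ["", "Firefox::", "FF - ProfilePath - " + parsed["ff_profile"]]
        out += ["FF - prefs.js: " + p for p in found["ff"]]
    return "\n".join(out)


if __name__ == "__main__":
    data = parse_log(SAMPLE_LOG)
    print(build_cfscript(data, find_indicators(data)))
```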


#13 jenissolost

jenissolost
  • Topic Starter

  • Members
  • 28 posts
  • Local time:10:36 PM

Posted 20 June 2010 - 02:57 PM


Here is the ComboFix log. It made me update to a newer version of ComboFix, which I did. I was able to restart in normal mode and I don't have any more popups with AV Security Suite. The programs I checked seemed to work fine. I uninstalled the Ask toolbar as requested. I'm still unable to connect to the internet in normal mode though, so I had to restart in safe mode to send this.

#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • Gender:Female
  • Location:Romania
  • Local time:08:36 AM

Posted 20 June 2010 - 03:09 PM

Sorry, but that is the wrong log :)

Did Combofix not create a new log at c:\combofix.txt? (The one you posted is the one from the first run.)

regards, Elise



#15 jenissolost

jenissolost
  • Topic Starter

  • Members
  • 28 posts
  • Local time:10:36 PM

Posted 20 June 2010 - 03:42 PM

That is what came up. Do you want me to re-run the previous instructions again? Thank you
