Fake Google 404 Error Malware


#1 Leroidumonde

Leroidumonde

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:11:13 PM

Posted 10 July 2010 - 02:26 AM

I wanted to get this out there since I had such a hard time disabling this guy. I'll give the quick problem and solution then I'll tell those interested how I got there.

Problem: When searching for anything using Google.com or the Google toolbar in Firefox the search term would process and show the list of search option links. Clicking on a link would 'refresh' the link page. Only if I clicked on the link four to five times would it allow me to proceed to the link I wanted. In between refreshes a domain would flash, www.inoyesrukfeo.com, somehow tied to yourseekinfo.com, an expired web domain. Other times a Google 404 error said that my "requested URL was not found on this server". It looks like this 404 error. I found out this also happened using Internet Explorer. Interestingly if I searched using Bing, the Google 404 error still popped up. I'm pretty sure that typing 'inoyesrukfeo' in the search toolbar disabled the search button. It was obvious to me I was a victim of malware--I don't know how I got it.

Solution: 'Trojan Remover' was the only tool that found the culprit. The names and locations of the hidden, read-only system files were:
C:\Windows\tasks\Hceerusu.job
C:\Windows\System32\nethh.dll

TR actions were:
Taskname: Hceerusu
File: C:\Windows\system32\nethh.dll
C:\Windows\system32\nethh.dll
-RHS- 61440 bytes
Created: 7/7/2010 2:39 PM
Modified: 7/7/2010 2:39 PM
Company: [no info]
Parameters: "C:\Windows\system32\nethh.dll",vcuxc
Schedule: On system startup
Next Run Time:
Status: Running
Creator: Matthew
Comments:
C:\Windows\system32\nethh.dll - access denied
C:\Windows\system32\nethh.dll - Ownership taken
Hceerusu - this Scheduled Task has been deleted
C:\Windows\system32\nethh.dll - READ-ONLY, HIDDEN and SYSTEM file attributes removed
C:\Windows\system32\nethh.dll - file renamed to: C:\Windows\system32\nethh.dll.vir
----------

Rest of the story: It took a while for me to find this guy. I'm certainly not new to computers but I've never had such a problem removing malware. I've been using Microsoft Security Essentials with Windows 7 Professional, due to its price (free!), and it missed this file. Well, next I tried Ad-Aware, no luck. Then Spybot S&D, nope. After that my bag of tricks was empty so I searched online (very slowly due to the malware). I didn't find anything specific about this problem but I learned a lot in general. The next program I tried was Malwarebytes' Anti-Malware and that gave me a false-positive for 'acrobat_update.job'. Trend Micro HijackThis and GMER did not even find these files, however, OTL did. I compared the list of running .dll files to files that should be running in Windows 7 here and the protection on this file kind of sent up a red flag. Finally, Trojan Remover to the rescue, it renamed the dll file and removed the task file. So far so good.

I hope this helps somebody! If you're interested in the logs I'll post them below.

TR Log:

OTL Log:
OTL logfile created on: 7/9/2010 2:33:25 PM - Run 1
OTL by OldTimer - Version 3.2.8.1     Folder = C:\Users\Matthew\Desktop
An unknown product  (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 59.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 68.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 57.26 Gb Total Space | 29.62 Gb Free Space | 51.72% Space Free | Partition Type: NTFS
Drive D: | 153.38 Gb Total Space | 5.20 Gb Free Space | 3.39% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 1.86 Gb Total Space | 0.34 Gb Free Space | 18.27% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded
Drive J: | 966.99 Mb Total Space | 8.88 Mb Free Space | 0.92% Space Free | Partition Type: FAT32

Computer Name: MATTHEW-PC
Current User Name: Matthew
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Users\Matthew\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
PRC - C:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
PRC - c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac (ArcSoft Inc.)
PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)
PRC - C:\Windows\System32\atieclxx.exe (AMD)
PRC - C:\Windows\System32\atiesrxx.exe (AMD)
PRC - c:\Program Files\Zune\ZuneNss.exe (Microsoft Corporation)
PRC - C:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
PRC - C:\Program Files\HP\Button Manager\BM.exe ()
PRC - C:\Program Files\NETGEAR\WG111v3\WG111v3.exe ()
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Windows\System32\taskhost.exe (Microsoft Corporation)
PRC - C:\Windows\System32\PrintIsolationHost.exe (Microsoft Corporation)
PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\Creative\Shared Files\CTAudSvc.exe (Creative Technology Ltd)

========== Modules (SafeList) ==========

MOD - C:\Users\Matthew\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Windows\System32\sspicli.dll (Microsoft Corporation)
MOD - C:\Windows\System32\sechost.dll (Microsoft Corporation)
MOD - C:\Windows\System32\samcli.dll (Microsoft Corporation)
MOD - C:\Windows\System32\profapi.dll (Microsoft Corporation)
MOD - C:\Windows\System32\netutils.dll (Microsoft Corporation)
MOD - C:\Windows\System32\KernelBase.dll (Microsoft Corporation)
MOD - C:\Windows\System32\dwmapi.dll (Microsoft Corporation)
MOD - C:\Windows\System32\devobj.dll (Microsoft Corporation)
MOD - C:\Windows\System32\cryptbase.dll (Microsoft Corporation)
MOD - C:\Windows\System32\cfgmgr32.dll (Microsoft Corporation)
MOD - C:\Windows\System32\msscript.ocx (Microsoft Corporation)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (Lavasoft Ad-Aware Service) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SRV - (WatAdminSvc) -- C:\Windows\System32\Wat\WatAdminSvc.exe (Microsoft Corporation)
SRV - (Creative Audio Engine Licensing Service) -- C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe (Creative Labs)
SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (ACDaemon) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)
SRV - (AMD External Events Utility) -- C:\Windows\System32\atiesrxx.exe (AMD)
SRV - (ZuneWlanCfgSvc) -- C:\Windows\System32\ZuneWlanCfgSvc.exe (Microsoft Corporation)
SRV - (ZuneNetworkSvc) -- c:\Program Files\Zune\ZuneNss.exe (Microsoft Corporation)
SRV - (WwanSvc) -- C:\Windows\System32\wwansvc.dll (Microsoft Corporation)
SRV - (WbioSrvc) -- C:\Windows\System32\wbiosrvc.dll (Microsoft Corporation)
SRV - (Power) -- C:\Windows\System32\umpo.dll (Microsoft Corporation)
SRV - (Themes) -- C:\Windows\System32\themeservice.dll (Microsoft Corporation)
SRV - (sppuinotify) -- C:\Windows\System32\sppuinotify.dll (Microsoft Corporation)
SRV - (StorSvc) -- C:\Windows\System32\StorSvc.dll (Microsoft Corporation)
SRV - (RpcEptMapper) -- C:\Windows\System32\RpcEpMap.dll (Microsoft Corporation)
SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation)
SRV - (PeerDistSvc) -- C:\Windows\System32\PeerDistSvc.dll (Microsoft Corporation)
SRV - (PNRPsvc) -- C:\Windows\System32\pnrpsvc.dll (Microsoft Corporation)
SRV - (p2pimsvc) -- C:\Windows\System32\pnrpsvc.dll (Microsoft Corporation)
SRV - (HomeGroupProvider) -- C:\Windows\System32\provsvc.dll (Microsoft Corporation)
SRV - (PNRPAutoReg) -- C:\Windows\System32\pnrpauto.dll (Microsoft Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (HomeGroupListener) -- C:\Windows\System32\ListSvc.dll (Microsoft Corporation)
SRV - (FontCache) -- C:\Windows\System32\FntCache.dll (Microsoft Corporation)
SRV - (Dhcp) -- C:\Windows\System32\dhcpcore.dll (Microsoft Corporation)
SRV - (defragsvc) -- C:\Windows\System32\defragsvc.dll (Microsoft Corporation)
SRV - (BDESVC) -- C:\Windows\System32\bdesvc.dll (Microsoft Corporation)
SRV - (AxInstSV) ActiveX Installer (AxInstSV) -- C:\Windows\System32\AxInstSv.dll (Microsoft Corporation)
SRV - (AppIDSvc) -- C:\Windows\System32\appidsvc.dll (Microsoft Corporation)
SRV - (sppsvc) -- C:\Windows\System32\sppsvc.exe (Microsoft Corporation)
SRV - (SBSDWSCService) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
SRV - (CTAudSvcService) -- C:\Program Files\Creative\Shared Files\CTAudSvc.exe (Creative Technology Ltd)

========== Driver Services (SafeList) ==========

DRV - (Lbd) -- C:\Windows\system32\DRIVERS\Lbd.sys (Lavasoft AB)
DRV - (MpFilter) -- C:\Windows\System32\drivers\MpFilter.sys (Microsoft Corporation)
DRV - (MpNWMon) -- C:\Windows\System32\drivers\MpNWMon.sys (Microsoft Corporation)
DRV - (amdkmdag) -- C:\Windows\System32\drivers\atipmdag.sys (ATI Technologies Inc.)
DRV - (amdkmdap) -- C:\Windows\System32\drivers\atikmpag.sys (Advanced Micro Devices, Inc.)
DRV - (UsbDiag) -- C:\Windows\System32\drivers\lgusbdiag.sys (LG Electronics Inc.)
DRV - (USBModem) -- C:\Windows\System32\drivers\lgusbmodem.sys (LG Electronics Inc.)
DRV - (usbbus) -- C:\Windows\System32\drivers\lgusbbus.sys (LG Electronics Inc.)
DRV - (Uim_IM) -- C:\Windows\System32\drivers\Uim_IM.sys (Paragon)
DRV - (UimBus) -- C:\Windows\System32\drivers\UimBus.sys (Windows ® 2000 DDK provider)
DRV - (KSecPkg) -- C:\Windows\System32\Drivers\ksecpkg.sys (Microsoft Corporation)
DRV - (RTL8187B) -- C:\Windows\System32\drivers\wg111v3.sys (NETGEAR Inc.                           )
DRV - (pbfilter) -- C:\Program Files\PeerBlock\pbfilter.sys ()
DRV - (cmdide) -- C:\Windows\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)
DRV - (adpahci) -- C:\Windows\system32\DRIVERS\adpahci.sys (Adaptec, Inc.)
DRV - (adp94xx) -- C:\Windows\system32\DRIVERS\adp94xx.sys (Adaptec, Inc.)
DRV - (amdsbs) -- C:\Windows\system32\DRIVERS\amdsbs.sys (AMD Technologies Inc.)
DRV - (adpu320) -- C:\Windows\system32\DRIVERS\adpu320.sys (Adaptec, Inc.)
DRV - (arcsas) -- C:\Windows\system32\DRIVERS\arcsas.sys (Adaptec, Inc.)
DRV - (amdsata) -- C:\Windows\system32\DRIVERS\amdsata.sys (Advanced Micro Devices)
DRV - (arc) -- C:\Windows\system32\DRIVERS\arc.sys (Adaptec, Inc.)
DRV - (amdxata) -- C:\Windows\system32\DRIVERS\amdxata.sys (Advanced Micro Devices)
DRV - (aliide) -- C:\Windows\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (nvstor) -- C:\Windows\system32\DRIVERS\nvstor.sys (NVIDIA Corporation)
DRV - (nvraid) -- C:\Windows\system32\DRIVERS\nvraid.sys (NVIDIA Corporation)
DRV - (nfrd960) -- C:\Windows\system32\DRIVERS\nfrd960.sys (IBM Corporation)
DRV - (LSI_SAS) -- C:\Windows\system32\DRIVERS\lsi_sas.sys (LSI Corporation)
DRV - (iaStorV) -- C:\Windows\system32\DRIVERS\iaStorV.sys (Intel Corporation)
DRV - (MegaSR) -- C:\Windows\system32\DRIVERS\MegaSR.sys (LSI Corporation, Inc.)
DRV - (LSI_SCSI) -- C:\Windows\system32\DRIVERS\lsi_scsi.sys (LSI Corporation)
DRV - (LSI_FC) -- C:\Windows\system32\DRIVERS\lsi_fc.sys (LSI Corporation)
DRV - (LSI_SAS2) -- C:\Windows\system32\DRIVERS\lsi_sas2.sys (LSI Corporation)
DRV - (iirsp) -- C:\Windows\system32\DRIVERS\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (megasas) -- C:\Windows\system32\DRIVERS\megasas.sys (LSI Corporation)
DRV - (hwpolicy) -- C:\Windows\System32\drivers\hwpolicy.sys (Microsoft Corporation)
DRV - (elxstor) -- C:\Windows\system32\DRIVERS\elxstor.sys (Emulex)
DRV - (aic78xx) -- C:\Windows\system32\DRIVERS\djsvs.sys (Adaptec, Inc.)
DRV - (HpSAMD) -- C:\Windows\system32\DRIVERS\HpSAMD.sys (Hewlett-Packard Company)
DRV - (FsDepends) -- C:\Windows\System32\drivers\fsdepends.sys (Microsoft Corporation)
DRV - (vsmraid) -- C:\Windows\system32\DRIVERS\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (vmbus) -- C:\Windows\system32\DRIVERS\vmbus.sys (Microsoft Corporation)
DRV - (vhdmp) -- C:\Windows\system32\DRIVERS\vhdmp.sys (Microsoft Corporation)
DRV - (storflt) -- C:\Windows\system32\DRIVERS\vmstorfl.sys (Microsoft Corporation)
DRV - (vdrvroot) -- C:\Windows\system32\DRIVERS\vdrvroot.sys (Microsoft Corporation)
DRV - (storvsc) -- C:\Windows\system32\DRIVERS\storvsc.sys (Microsoft Corporation)
DRV - (WIMMount) -- C:\Windows\System32\drivers\wimmount.sys (Microsoft Corporation)
DRV - (viaide) -- C:\Windows\system32\DRIVERS\viaide.sys (VIA Technologies, Inc.)
DRV - (ql2300) -- C:\Windows\system32\DRIVERS\ql2300.sys (QLogic Corporation)
DRV - (rdyboost) -- C:\Windows\System32\drivers\rdyboost.sys (Microsoft Corporation)
DRV - (ql40xx) -- C:\Windows\system32\DRIVERS\ql40xx.sys (QLogic Corporation)
DRV - (SiSRaid4) -- C:\Windows\system32\DRIVERS\sisraid4.sys (Silicon Integrated Systems)
DRV - (pcw) -- C:\Windows\System32\drivers\pcw.sys (Microsoft Corporation)
DRV - (SiSRaid2) -- C:\Windows\system32\DRIVERS\SiSRaid2.sys (Silicon Integrated Systems Corp.)
DRV - (stexstor) -- C:\Windows\system32\DRIVERS\stexstor.sys (Promise Technology)
DRV - (CNG) -- C:\Windows\System32\Drivers\cng.sys (Microsoft Corporation)
DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\System32\Drivers\Brserid.sys (Brother Industries Ltd.)
DRV - (rdpbus) -- C:\Windows\System32\drivers\rdpbus.sys (Microsoft Corporation)
DRV - (RDPREFMP) -- C:\Windows\System32\drivers\RDPREFMP.sys (Microsoft Corporation)
DRV - (RasAgileVpn) WAN Miniport (IKEv2) -- C:\Windows\System32\drivers\agilevpn.sys (Microsoft Corporation)
DRV - (WfpLwf) -- C:\Windows\System32\drivers\wfplwf.sys (Microsoft Corporation)
DRV - (NdisCap) -- C:\Windows\System32\drivers\ndiscap.sys (Microsoft Corporation)
DRV - (vwififlt) -- C:\Windows\System32\drivers\vwififlt.sys (Microsoft Corporation)
DRV - (vwifibus) -- C:\Windows\System32\drivers\vwifibus.sys (Microsoft Corporation)
DRV - (1394ohci) -- C:\Windows\system32\DRIVERS\1394ohci.sys (Microsoft Corporation)
DRV - (UmPass) -- C:\Windows\System32\drivers\umpass.sys (Microsoft Corporation)
DRV - (usbaudio) USB Audio Driver (WDM) -- C:\Windows\System32\drivers\USBAUDIO.sys (Microsoft Corporation)
DRV - (WinUsb) -- C:\Windows\System32\drivers\winusb.sys (Microsoft Corporation)
DRV - (mshidkmdf) -- C:\Windows\System32\drivers\mshidkmdf.sys (Microsoft Corporation)
DRV - (MTConfig) -- C:\Windows\system32\DRIVERS\MTConfig.sys (Microsoft Corporation)
DRV - (CompositeBus) -- C:\Windows\System32\drivers\CompositeBus.sys (Microsoft Corporation)
DRV - (AppID) -- C:\Windows\system32\drivers\appid.sys (Microsoft Corporation)
DRV - (scfilter) -- C:\Windows\System32\drivers\scfilter.sys (Microsoft Corporation)
DRV - (s3cap) -- C:\Windows\system32\DRIVERS\vms3cap.sys (Microsoft Corporation)
DRV - (VMBusHID) -- C:\Windows\system32\DRIVERS\VMBusHID.sys (Microsoft Corporation)
DRV - (discache) -- C:\Windows\System32\drivers\discache.sys (Microsoft Corporation)
DRV - (HidBatt) -- C:\Windows\system32\DRIVERS\HidBatt.sys (Microsoft Corporation)
DRV - (AcpiPmi) -- C:\Windows\system32\DRIVERS\acpipmi.sys (Microsoft Corporation)
DRV - (AmdPPM) -- C:\Windows\system32\DRIVERS\amdppm.sys (Microsoft Corporation)
DRV - (hcw85cir) -- C:\Windows\system32\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV - (BrUsbMdm) -- C:\Windows\System32\Drivers\BrUsbMdm.sys (Brother Industries Ltd.)
DRV - (BrUsbSer) -- C:\Windows\System32\Drivers\BrUsbSer.sys (Brother Industries Ltd.)
DRV - (BrSerWdm) -- C:\Windows\System32\Drivers\BrSerWdm.sys (Brother Industries Ltd.)
DRV - (BrFiltLo) -- C:\Windows\system32\DRIVERS\BrFiltLo.sys (Brother Industries, Ltd.)
DRV - (BrFiltUp) -- C:\Windows\system32\DRIVERS\BrFiltUp.sys (Brother Industries, Ltd.)
DRV - (b57nd60x) -- C:\Windows\System32\drivers\b57nd60x.sys (Broadcom Corporation)
DRV - (ebdrv) -- C:\Windows\system32\DRIVERS\evbdx.sys (Broadcom Corporation)
DRV - (b06bdrv) -- C:\Windows\system32\DRIVERS\bxvbdx.sys (Broadcom Corporation)
DRV - (P17) -- C:\Windows\System32\drivers\P17.sys (Creative Technology Ltd.)
DRV - (atikmdag) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV - (SISNIC) -- C:\Windows\System32\drivers\sisnic.sys (SiS Corporation)
DRV - (CX23880) -- C:\Windows\System32\drivers\cx88vid.sys (Conexant Systems, Inc.)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-3536798840-4057045489-3425926903-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-3536798840-4057045489-3425926903-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-3536798840-4057045489-3425926903-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-3536798840-4057045489-3425926903-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-3536798840-4057045489-3425926903-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = CB 53 18 15 C6 1E CB 01  [binary data]
IE - HKU\S-1-5-21-3536798840-4057045489-3425926903-1000\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-3536798840-4057045489-3425926903-1000\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-3536798840-4057045489-3425926903-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.6.8
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2

FF - HKLM\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/04/24 13:23:50 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/06/27 21:26:10 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/01 10:50:58 | 000,000,000 | ---D | M]

[2010/04/17 09:46:55 | 000,000,000 | ---D | M] -- C:\Users\Matthew\AppData\Roaming\Mozilla\Extensions
[2010/07/08 20:31:41 | 000,000,000 | ---D | M] -- C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\v6lfb8x8.default\extensions
[2010/07/08 10:07:00 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\v6lfb8x8.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/07/08 10:07:01 | 000,000,000 | ---D | M] (Download Statusbar) -- C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\v6lfb8x8.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2010/07/08 11:43:36 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/05/19 15:06:42 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}

O1 HOSTS File: ([2010/07/08 13:17:15 | 000,411,980 | R--- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1	www.007guard.com
O1 - Hosts: 127.0.0.1	007guard.com
O1 - Hosts: 127.0.0.1	008i.com
O1 - Hosts: 127.0.0.1	www.008k.com
O1 - Hosts: 127.0.0.1	008k.com
O1 - Hosts: 127.0.0.1	www.00hq.com
O1 - Hosts: 127.0.0.1	00hq.com
O1 - Hosts: 127.0.0.1	010402.com
O1 - Hosts: 127.0.0.1	www.032439.com
O1 - Hosts: 127.0.0.1	032439.com
O1 - Hosts: 127.0.0.1	www.0scan.com
O1 - Hosts: 127.0.0.1	0scan.com
O1 - Hosts: 127.0.0.1	1000gratisproben.com
O1 - Hosts: 127.0.0.1	www.1000gratisproben.com
O1 - Hosts: 127.0.0.1	1001namen.com
O1 - Hosts: 127.0.0.1	www.1001namen.com
O1 - Hosts: 127.0.0.1	100888290cs.com
O1 - Hosts: 127.0.0.1	www.100888290cs.com
O1 - Hosts: 127.0.0.1	www.100sexlinks.com
O1 - Hosts: 127.0.0.1	100sexlinks.com
O1 - Hosts: 127.0.0.1	10sek.com
O1 - Hosts: 127.0.0.1	www.10sek.com
O1 - Hosts: 127.0.0.1	www.1-2005-search.com
O1 - Hosts: 127.0.0.1	1-2005-search.com
O1 - Hosts: 127.0.0.1	123fporn.info
O1 - Hosts: 14234 more lines...
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (HP Smart BHO Class) - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [P17RunE] C:\Windows\System32\P17RunE.dll (Creative Technology Ltd.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe ()
O4 - HKLM..\Run: [Zune Launcher] c:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-3536798840-4057045489-3425926903-1000..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O13 - gopher Prefix: missing
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15112/CTPID.cab (Creative Software AutoUpdate Support Package)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 71.9.127.107 68.190.192.35 68.116.46.115
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 14:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O34 - HKLM BootExecute: (lsdelete) - C:\Windows\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/07/09 14:13:47 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Users\Matthew\Desktop\OTL.exe
[2010/07/09 14:12:52 | 006,153,352 | ---- | C] (Malwarebytes Corporation                                    ) -- C:\Users\Matthew\Desktop\mbam-setup-1.46.exe
[2010/07/09 14:12:04 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Users\Matthew\Desktop\HijackThis.exe
[2010/07/08 11:57:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2010/07/08 11:57:46 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/07/08 11:03:04 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2010/07/08 10:05:26 | 000,000,000 | ---D | C] -- C:\Program Files\Combined Community Codec Pack
[2010/07/07 16:37:56 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\Windows\System32\drivers\SBREDrv.sys
[2010/07/07 16:09:40 | 000,064,288 | ---- | C] (Lavasoft AB) -- C:\Windows\System32\drivers\Lbd.sys
[2010/07/07 16:08:38 | 000,000,000 | ---D | C] -- C:\Users\Matthew\AppData\Local\Sunbelt Software
[2010/07/07 16:08:07 | 000,000,000 | -H-D | C] -- C:\ProgramData\{65893B95-F47B-4483-B883-86BA181E9B54}
[2010/07/07 16:06:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Lavasoft
[2010/07/07 16:06:49 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2010/07/07 14:45:10 | 000,000,000 | ---D | C] -- C:\Users\Matthew\AppData\Roaming\EndNote
[2010/07/07 14:43:08 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Risxtd
[2010/07/07 14:43:02 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\ResearchSoft
[2010/07/07 14:42:56 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\EndNote
[2010/07/07 14:42:09 | 000,000,000 | ---D | C] -- C:\Program Files\EndNote X4
[2010/07/07 14:41:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Thomson.ResearchSoft.Installers
[2010/07/07 14:39:15 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/07/07 08:57:15 | 000,093,443 | ---- | C] (SteelBytes) -- C:\Users\Matthew\Desktop\HD_Speed.exe
[2010/07/06 19:37:52 | 000,000,000 | ---D | C] -- C:\Users\Matthew\Desktop\My GS Drive
[2010/06/29 18:07:48 | 000,000,000 | ---D | C] -- C:\Users\Matthew\Documents\My Scans
[2010/06/29 18:02:56 | 000,000,000 | ---D | C] -- C:\Users\Matthew\AppData\Roaming\HpUpdate
[2010/06/29 18:02:50 | 000,000,000 | ---D | C] -- C:\Windows\Hewlett-Packard
[2010/06/27 22:29:51 | 000,000,000 | ---D | C] -- C:\Users\Matthew\AppData\Local\JMP7 Data
[2010/06/27 17:21:36 | 000,306,688 | ---- | C] (InstallShield Software Corporation) -- C:\Windows\IsUninst.exe
[2010/06/27 16:58:21 | 000,000,000 | ---D | C] -- C:\Program Files\SAS
[2010/06/27 16:54:54 | 000,000,000 | ---D | C] -- C:\Users\Matthew\AppData\Roaming\GraphPad Software
[2010/06/27 16:54:33 | 000,000,000 | ---D | C] -- C:\ProgramData\GraphPad Software
[2010/06/27 16:54:33 | 000,000,000 | ---D | C] -- C:\Program Files\GraphPad
[2010/06/23 15:23:23 | 000,000,000 | -H-D | C] -- C:\ProgramData\CanonBJ
[2010/06/22 16:59:10 | 000,295,264 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationHost.exe
[2010/06/22 16:59:10 | 000,099,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationHostProxy.dll
[2010/06/22 16:59:09 | 000,049,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\netfxperf.dll
[2010/06/22 16:57:25 | 000,641,536 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\CPFilters.dll
[2010/06/22 16:57:21 | 000,417,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msdri.dll
[2010/06/22 16:57:21 | 000,204,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MSNP.ax
[2010/06/22 16:57:21 | 000,199,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mpg2splt.ax
[2010/06/10 17:11:16 | 000,067,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\asycfilt.dll
[2010/06/10 17:11:15 | 002,326,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2010/06/10 17:11:05 | 000,606,208 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2010/06/10 17:11:03 | 000,381,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2010/06/10 17:11:02 | 000,064,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2010/06/10 17:11:02 | 000,048,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2010/06/10 17:09:35 | 000,293,888 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\atmfd.dll
[2010/06/10 17:09:35 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\Windows\System32\atmlib.dll

========== Files - Modified Within 30 Days ==========

[2010/07/09 14:35:20 | 006,815,744 | -HS- | M] () -- C:\Users\Matthew\ntuser.dat
[2010/07/09 14:14:10 | 000,293,376 | ---- | M] () -- C:\Users\Matthew\Desktop\jqz3dvqz.exe
[2010/07/09 14:14:03 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Matthew\Desktop\OTL.exe
[2010/07/09 14:13:21 | 006,153,352 | ---- | M] (Malwarebytes Corporation                                    ) -- C:\Users\Matthew\Desktop\mbam-setup-1.46.exe
[2010/07/09 14:12:17 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Users\Matthew\Desktop\HijackThis.exe
[2010/07/09 14:00:01 | 000,000,302 | -H-- | M] () -- C:\Windows\tasks\Acrobat Update.job
[2010/07/09 13:34:39 | 000,000,370 | ---- | M] () -- C:\Windows\tasks\Ad-Aware Update (Weekly).job
[2010/07/09 13:34:39 | 000,000,370 | ---- | M] () -- C:\Windows\tasks\Ad-Aware Scan (Weekly Quick Scan).job
[2010/07/09 13:34:39 | 000,000,368 | ---- | M] () -- C:\Windows\tasks\Ad-Aware Scan (Monthly Full Scan).job
[2010/07/09 08:38:41 | 000,013,456 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/07/09 08:38:41 | 000,013,456 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/07/09 08:30:15 | 000,342,688 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/07/09 08:30:09 | 000,086,464 | ---- | M] () -- C:\Users\Matthew\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/07/09 08:30:01 | 000,000,302 | -HS- | M] () -- C:\Windows\tasks\Hceerusu.job
[2010/07/09 08:29:59 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/07/09 08:29:41 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/07/09 08:29:27 | 1610,297,344 | -HS- | M] () -- C:\hiberfil.sys
[2010/07/09 02:55:06 | 001,187,557 | -H-- | M] () -- C:\Users\Matthew\AppData\Local\IconCache.db
[2010/07/08 17:35:59 | 000,000,513 | ---- | M] () -- C:\Windows\win.ini
[2010/07/08 13:17:15 | 000,411,980 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/07/07 16:37:56 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\Windows\System32\drivers\SBREDrv.sys
[2010/07/07 16:08:05 | 000,001,124 | ---- | M] () -- C:\Users\Matthew\Application Data\Microsoft\Internet Explorer\Quick Launch\Ad-Aware.lnk
[2010/07/07 14:39:29 | 000,061,440 | RHS- | M] () -- C:\Windows\System32\nethh.dll
[2010/07/06 22:10:49 | 000,726,316 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/07/06 22:10:49 | 000,623,940 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/07/06 22:10:49 | 000,106,316 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/07/06 10:28:45 | 000,064,288 | ---- | M] (Lavasoft AB) -- C:\Windows\System32\drivers\Lbd.sys
[2010/07/06 10:28:44 | 000,015,880 | ---- | M] () -- C:\Windows\System32\lsdelete.exe
[2010/07/01 12:44:11 | 000,000,362 | RHS- | M] () -- C:\ProgramData\ntuser.pol
[2010/07/01 11:01:48 | 002,861,972 | ---- | M] () -- C:\Users\Matthew\Desktop\ASUS P4S800.pdf
[2010/06/27 16:59:19 | 000,000,969 | ---- | M] () -- C:\Windows\vpd.properties
[2010/06/27 16:54:56 | 000,000,016 | -H-- | M] () -- C:\ProgramData\obtf5
[2010/06/14 18:55:42 | 138,776,610 | ---- | M] () -- C:\Users\Matthew\Desktop\MVI_3513.AVI

========== Files Created - No Company Name ==========

[2010/07/09 14:14:06 | 000,293,376 | ---- | C] () -- C:\Users\Matthew\Desktop\jqz3dvqz.exe
[2010/07/09 08:33:55 | 000,000,370 | ---- | C] () -- C:\Windows\tasks\Ad-Aware Update (Weekly).job
[2010/07/09 08:33:55 | 000,000,370 | ---- | C] () -- C:\Windows\tasks\Ad-Aware Scan (Weekly Quick Scan).job
[2010/07/09 08:33:55 | 000,000,368 | ---- | C] () -- C:\Windows\tasks\Ad-Aware Scan (Monthly Full Scan).job
[2010/07/07 20:42:07 | 000,015,880 | ---- | C] () -- C:\Windows\System32\lsdelete.exe
[2010/07/07 16:08:05 | 000,001,124 | ---- | C] () -- C:\Users\Matthew\Application Data\Microsoft\Internet Explorer\Quick Launch\Ad-Aware.lnk
[2010/07/07 14:39:29 | 000,000,302 | -HS- | C] () -- C:\Windows\tasks\Hceerusu.job
[2010/07/07 14:39:28 | 000,061,440 | RHS- | C] () -- C:\Windows\System32\nethh.dll
[2010/07/07 14:39:12 | 000,000,302 | -H-- | C] () -- C:\Windows\tasks\Acrobat Update.job
[2010/07/01 10:58:47 | 002,861,972 | ---- | C] () -- C:\Users\Matthew\Desktop\ASUS P4S800.pdf
[2010/06/29 13:09:20 | 138,776,610 | ---- | C] () -- C:\Users\Matthew\Desktop\MVI_3513.AVI
[2010/06/27 16:59:19 | 000,000,969 | ---- | C] () -- C:\Windows\vpd.properties
[2010/06/27 16:54:56 | 000,000,016 | -H-- | C] () -- C:\ProgramData\obtf5
[2010/04/18 11:06:08 | 000,000,064 | ---- | C] () -- C:\Windows\minitab.ini
[2010/04/17 10:09:27 | 000,148,480 | ---- | C] () -- C:\Windows\System32\APOMngr.DLL
[2010/04/17 10:09:27 | 000,073,728 | ---- | C] () -- C:\Windows\System32\CmdRtr.DLL
[2009/07/13 16:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 16:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/04/21 11:04:26 | 000,003,930 | ---- | C] () -- C:\Windows\System32\ludap17.ini
[2008/11/13 14:07:24 | 000,002,177 | ---- | C] () -- C:\Windows\P17EP.ini
[2008/01/09 19:59:10 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2005/03/08 14:17:00 | 000,000,054 | ---- | C] () -- C:\Windows\System32\ctzapxx.ini

< End of report >

GMER Log:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-09 15:41:47
Windows 6.1.7600
Running: jqz3dvqz.exe; Driver: C:\Users\Matthew\AppData\Local\Temp\fwddifow.sys


---- System - GMER 1.0.15 ----

INT 0x1F        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                       82C26AF8
INT 0x37        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                       82C26104
INT 0xC1        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                       82C263F4
INT 0xD1        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                       82C0F2D8
INT 0xDF        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                       82C261DC
INT 0xE1        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                       82C26958
INT 0xE3        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                       82C266F8
INT 0xFD        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                       82C26F2C
INT 0xFE        \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                       82C271A8

---- Kernel code sections - GMER 1.0.15 ----

.text           ntoskrnl.exe!ZwSaveKeyEx + 13B1                                                                                82C788E9 1 Byte  [06]
.text           ntoskrnl.exe!KiDispatchInterrupt + 5A2                                                                         82C983D2 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text           C:\Windows\system32\DRIVERS\atikmdag.sys                                                                       section is writeable [0x90808000, 0x1E7294, 0xE8000020]
.text           peauth.sys                                                                                                     97611C9D 28 Bytes  [44, 05, 58, AE, 1C, 3A, 9A, ...]
.text           peauth.sys                                                                                                     97611CC1 28 Bytes  [44, 05, 58, AE, 1C, 3A, 9A, ...]

---- User IAT/EAT - GMER 1.0.15 ----

IAT             C:\Windows\Explorer.EXE[1868] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc]                                [74B02494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[1868] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup]                           [74AE5624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[1868] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown]                          [74AE56E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[1868] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree]                                 [74B0250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[1868] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics]                       [74AF8573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[1868] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage]                         [74AF4D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[1868] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth]                        [74AF50CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[1868] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight]                       [74AF51A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[1868] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP]              [74AF66D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[1868] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC]                        [74AF82CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[1868] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode]                   [74AF8819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[1868] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode]                 [74AF907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[1868] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI]                       [74AFE21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[1868] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage]                           [74AF4C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\system32\rundll32.exe[1972] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress]          [75D95D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT             C:\Windows\system32\rundll32.exe[1972] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress]           [75D95D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT             C:\Windows\system32\rundll32.exe[1972] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress]         [75D95D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT             C:\Windows\system32\rundll32.exe[1972] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress]        [75D95D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT             C:\Windows\system32\rundll32.exe[1972] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress]         [75D95D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT             C:\Windows\system32\rundll32.exe[1972] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress]         [75D95D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT             C:\Windows\System32\rundll32.exe[2100] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress]          [75D95D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT             C:\Windows\System32\rundll32.exe[2100] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress]           [75D95D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT             C:\Windows\System32\rundll32.exe[2100] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress]         [75D95D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT             C:\Windows\System32\rundll32.exe[2100] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress]        [75D95D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT             C:\Program Files\Zune\ZuneLauncher.exe[2124] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress]  [75D95D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT             C:\Program Files\Zune\ZuneLauncher.exe[2124] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress]    [75D95D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT             C:\Program Files\Zune\ZuneLauncher.exe[2124] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress]     [75D95D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT             C:\Program Files\Zune\ZuneLauncher.exe[2124] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress]   [75D95D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\tdx \Device\Tcp                                                                                        Lbd.sys (Boot Driver/Lavasoft AB)
Device          \Driver\ACPI_HAL \Device\00000049                                                                              halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1                                                                         fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2                                                                         fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3                                                                         fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume4                                                                         fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \FileSystem\fastfat \Fat                                                                                       fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:45:05 PM, on 7/9/2010
Platform: Windows 7  (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\HP\Button Manager\BM.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Users\Matthew\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [P17RunE] RunDll32 P17RunE.dll,RunDLLEntry
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Global Startup: HP Button Manager.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NETGEAR WG111v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15112/CTPID.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 7935 bytes

Malwarebytes' Anti-Malware Log:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4298

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

7/9/2010 4:03:18 PM
mbam-log-2010-07-09 (16-03-18).txt

Scan type: Quick scan
Objects scanned: 130207
Time elapsed: 6 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\Tasks\Acrobat Update.job (Malware.Trace) -> Quarantined successfully.

