Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with browser hijacker


  • This topic is locked This topic is locked
16 replies to this topic

#1 absentmind81

absentmind81

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:33 PM

Posted 18 July 2010 - 01:53 PM

Hi, I have a browser hijacker that affects both firefox and internet explorer. My homepage has not changed, but when I use the search engine I get redirected when I click on search results. The redirected links are mostly ad sites or sites containing a word I search for but not the actual site. When I am redirected most of the time a little loop icon appears in the address bar. Also internet windows for different sites sometimes pop up on their own. As well, it says I have no firewall, yet my windows firewall says it is active When I first discovered the virus I ran superantispyware and Avast antivirus, which found avsoft/avsuite and deleted it, but that did not fix the problem and no new viruses have been found using scans, yet I still have a browser hijacker. I have attached the logs requested. I really hope you can help me fix this. Thanks for your time.
Andrea


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 9:19:50.45 on 07/18/10
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1501 [GMT -5:00]

AV: Defense Center *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\SVRemote\USB20Remote.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [SVRemote] c:\program files\svremote\USB20Remote.exe
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mPolicies-system: DisableTaskMgr = 1 (0x1)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\frhcpx6r.default\
FF - plugin: c:\documents and settings\owner\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-2-21 165456]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-11-11 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-11 67656]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2010-1-17 8576]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-2-21 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-21 40384]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-21 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-21 40384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-27 135664]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-11 12872]
S3 TridVid;OEM 5600AD Analog Video;c:\windows\system32\drivers\TridVid.sys [2010-4-28 77184]
S4 MT;MT;c:\docume~1\owner\locals~1\temp\MT.exe [2010-6-13 420736]
S4 RAREI;RAREI;c:\docume~1\owner\locals~1\temp\RAREI.exe [2010-6-6 572288]
S4 SQILTY;SQILTY;c:\docume~1\owner\locals~1\temp\SQILTY.exe [2010-6-14 428928]
S4 VNUKKRU;VNUKKRU;c:\docume~1\owner\locals~1\temp\vnukkru.exe --> c:\docume~1\owner\locals~1\temp\VNUKKRU.exe [?]
S4 YAHD;YAHD;c:\docume~1\owner\locals~1\temp\YAHD.exe [2010-6-11 564096]

=============== Created Last 30 ================

2010-07-18 14:16:01 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-07-17 18:18:38 0 d-----w- c:\program files\ConvertHelper
2010-07-16 15:32:51 0 d-----w- c:\documents and settings\owner\dwhelper
2010-07-15 05:38:45 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2010-07-15 05:38:45 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2010-07-15 05:38:45 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2010-07-15 05:38:45 8192 ----a-w- c:\windows\system32\kbdkor.dll
2010-07-15 05:38:45 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
2010-07-15 05:38:45 6144 ----a-w- c:\windows\system32\kbd101c.dll
2010-07-15 05:38:45 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
2010-07-15 05:38:45 5632 ----a-w- c:\windows\system32\kbd103.dll
2010-07-15 05:38:37 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2010-07-15 05:38:37 6144 ----a-w- c:\windows\system32\kbd101b.dll
2010-07-15 05:38:36 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2010-07-15 05:38:36 6144 ----a-w- c:\windows\system32\kbd106.dll
2010-07-11 20:04:05 90112 ----a-w- c:\windows\unvise32.exe
2010-07-08 19:12:17 0 d-----w- c:\program files\common files\Control Panels
2010-07-08 19:08:58 0 d-----w- c:\docume~1\alluse~1\applic~1\ALM
2010-07-06 21:44:49 0 d-----w- c:\program files\Bonjour
2010-07-06 21:32:51 0 d-----w- c:\program files\common files\Macrovision Shared
2010-06-29 18:11:29 38848 ----a-w- c:\windows\avastSS.scr
2010-06-27 16:15:03 0 d-----w- c:\program files\Artist's Butler 2.8
2010-06-20 01:20:29 0 d-----w- c:\docume~1\owner\applic~1\Facebook

==================== Find3M ====================

2010-06-27 16:13:25 1690 ----a-w- c:\docume~1\owner\applic~1\wklnhst.dat
2010-06-16 01:27:05 578560 ----a-w- c:\windows\system32\user32.DLL

============= FINISH: 9:21:13.62 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:33 PM

Posted 25 July 2010 - 09:56 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report,
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    drivers32 /all
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.sys /90
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32
    ahcix86s.sys
    nvrd32.sys
    user32.dll
    ws2_32.dll
    /md5stop
    %systemroot%\*. /mp /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

In your reply, please post both OTL logs .


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#3 absentmind81

absentmind81
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:33 PM

Posted 26 July 2010 - 12:06 PM

Thanks for responding. I am still having the same problems with my computer. I have included the requested OTL logs in this post. Thanks you for your help. Andrea

OTL logfile created on: 7/25/10 11:36:07 AM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: M/dd/yy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 65.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 20.66 Gb Free Space | 27.73% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 931.51 Gb Total Space | 494.35 Gb Free Space | 53.07% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LAVOY
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/07/25 11:34:21 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2010/07/25 08:30:16 | 000,014,808 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\plugin-container.exe
PRC - [2010/07/25 08:30:15 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/07/06 16:32:51 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
PRC - [2010/06/28 15:57:18 | 002,837,864 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/06/28 15:57:15 | 000,040,384 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/09/11 06:27:06 | 000,028,672 | R--- | M] () -- C:\Program Files\SVRemote\USB20Remote.exe
PRC - [2007/05/10 22:46:20 | 000,624,248 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe


========== Modules (SafeList) ==========

MOD - [2010/07/25 11:34:21 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\DOCUME~1\Owner\LOCALS~1\Temp\VNUKKRU.exe -- (VNUKKRU)
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/07/06 16:32:51 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Running] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2010/06/28 15:57:15 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/06/28 15:57:15 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/06/28 15:57:15 | 000,040,384 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2010/06/14 09:53:46 | 000,428,928 | ---- | M] (Sysinternals - www.sysinternals.com) [Disabled | Stopped] -- C:\Documents and Settings\Owner\Local Settings\Temp\SQILTY.exe -- (SQILTY)
SRV - [2010/06/13 22:29:33 | 000,420,736 | ---- | M] (Sysinternals - www.sysinternals.com) [Disabled | Stopped] -- C:\Documents and Settings\Owner\Local Settings\Temp\MT.exe -- (MT)
SRV - [2010/06/11 22:33:29 | 000,564,096 | ---- | M] (Sysinternals - www.sysinternals.com) [Disabled | Stopped] -- C:\Documents and Settings\Owner\Local Settings\Temp\YAHD.exe -- (YAHD)
SRV - [2010/06/06 22:55:33 | 000,572,288 | ---- | M] (Sysinternals - www.sysinternals.com) [Disabled | Stopped] -- C:\Documents and Settings\Owner\Local Settings\Temp\RAREI.exe -- (RAREI)
SRV - [2007/03/20 16:41:24 | 000,153,792 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe -- (Adobe Version Cue CS3)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | Auto | Stopped] -- C:\WINDOWS\System32\PfModNT.sys -- (PfModNT)
DRV - [2010/06/28 15:37:52 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/06/28 15:37:30 | 000,165,456 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/06/28 15:33:13 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/06/28 15:32:45 | 000,100,176 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2010/06/28 15:32:33 | 000,017,744 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/06/28 15:32:16 | 000,028,880 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2010/05/29 13:06:59 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/05/29 13:06:59 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
DRV - [2010/05/29 13:06:59 | 000,012,872 | ---- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2007/09/11 06:26:58 | 000,077,184 | R--- | M] (Trident Multimedia Technologies Co.,Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TridVid.sys -- (TridVid)
DRV - [2006/03/01 21:30:54 | 000,618,880 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC52.sys -- (IntelC52)
DRV - [2005/05/06 15:42:26 | 001,339,776 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC51.sys -- (IntelC51)
DRV - [2005/05/06 15:40:50 | 000,047,360 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC53.sys -- (IntelC53)
DRV - [2005/05/06 15:40:20 | 000,036,880 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mohfilt.sys -- (mohfilt)
DRV - [2004/09/17 10:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2001/12/19 12:45:00 | 000,008,576 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\VCdRom.sys -- (vcdrom)
DRV - [2001/08/17 14:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-117609710-1078081533-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
IE - HKU\S-1-5-21-117609710-1078081533-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {F8A55C97-3DB6-4961-A81D-0DE0080E53CB}:0.9.2
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.7
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.7.4
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/25 08:30:22 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/25 08:30:22 | 000,000,000 | ---D | M]

[2010/06/17 22:14:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2010/07/24 14:24:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\frhcpx6r.default\extensions
[2010/07/16 10:29:09 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\frhcpx6r.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2010/07/16 10:26:49 | 000,000,000 | ---D | M] (Download Statusbar) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\frhcpx6r.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2010/06/18 12:29:11 | 000,000,000 | ---D | M] (Download Manager Tweak) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\frhcpx6r.default\extensions\{F8A55C97-3DB6-4961-A81D-0DE0080E53CB}
[2010/07/24 14:24:05 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/07/18 19:00:51 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/07/18 19:00:31 | 000,423,656 | ---- | M] (Oracle) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2004/08/04 05:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKU\S-1-5-21-117609710-1078081533-839522115-1003\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKU\S-1-5-21-117609710-1078081533-839522115-1003\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll File not found
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe_ID0EYTHM] C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3Tray.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)
O4 - HKLM..\Run: [SVRemote] c:\Program Files\SVRemote\USB20Remote.exe ()
O4 - HKU\S-1-5-21-117609710-1078081533-839522115-1003..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-117609710-1078081533-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/C/0...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 64.71.255.198
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/01/13 17:15:58 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/12/15 04:52:18 | 000,000,080 | ---- | M] () - F:\Autorun.inf -- [ NTFS ]
O33 - MountPoints2\W\Shell - "" = AutoRun
O33 - MountPoints2\W\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\X\Shell - "" = AutoRun
O33 - MountPoints2\X\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\Z\Shell - "" = AutoRun
O33 - MountPoints2\Z\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\.DEFAULT\...exe [@ = secfile] -- "%1" %*
O37 - HKU\S-1-5-18\...exe [@ = secfile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

MsConfig - StartUpReg: Defense Center - hkey= - key= - Reg Error: Value error. File not found
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 2

Drivers32: midi - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midimapper - C:\WINDOWS\System32\midimap.dll (Microsoft Corporation)
Drivers32: mixer - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: msacm.ac3filter - C:\WINDOWS\System32\ac3filter.acm ()
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.imaadpcm - C:\WINDOWS\System32\imaadp32.acm (Microsoft Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.msadpcm - C:\WINDOWS\System32\msadp32.acm (Microsoft Corporation)
Drivers32: msacm.msaudio1 - C:\WINDOWS\System32\msaud32.acm (Microsoft Corporation)
Drivers32: msacm.msg711 - C:\WINDOWS\System32\msg711.acm (Microsoft Corporation)
Drivers32: msacm.msg723 - C:\WINDOWS\System32\msg723.acm (Microsoft Corporation)
Drivers32: msacm.msgsm610 - C:\WINDOWS\System32\msgsm32.acm (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)
Drivers32: VIDC.I420 - C:\WINDOWS\System32\msh263.drv (Microsoft Corporation)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: VIDC.IYUV - C:\WINDOWS\System32\iyuv_32.dll (Microsoft Corporation)
Drivers32: vidc.M261 - C:\WINDOWS\System32\msh261.drv (Microsoft Corporation)
Drivers32: vidc.M263 - C:\WINDOWS\System32\msh263.drv (Microsoft Corporation)
Drivers32: vidc.mrle - C:\WINDOWS\System32\msrle32.dll (Microsoft Corporation)
Drivers32: vidc.msvc - C:\WINDOWS\System32\msvidc32.dll (Microsoft Corporation)
Drivers32: VIDC.UYVY - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: VIDC.YUY2 - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: vidc.yv12 - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)
Drivers32: VIDC.YVU9 - C:\WINDOWS\System32\tsbyuv.dll (Microsoft Corporation)
Drivers32: VIDC.YVYU - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: wave - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: wave1 - C:\WINDOWS\System32\serwvdrv.dll (Microsoft Corporation)
Drivers32: wavemapper - C:\WINDOWS\System32\msacm32.drv (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (69537929998893056)

========== Files/Folders - Created Within 90 Days ==========

[2010/07/25 11:34:25 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/07/23 17:29:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/07/18 19:07:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2010/07/18 19:01:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/07/18 19:01:01 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/07/18 19:00:49 | 000,423,656 | ---- | C] (Oracle) -- C:\WINDOWS\System32\deployJava1.dll
[2010/07/18 19:00:49 | 000,153,376 | ---- | C] (Oracle) -- C:\WINDOWS\System32\javaws.exe
[2010/07/18 19:00:49 | 000,145,184 | ---- | C] (Oracle) -- C:\WINDOWS\System32\javaw.exe
[2010/07/18 19:00:49 | 000,145,184 | ---- | C] (Oracle) -- C:\WINDOWS\System32\java.exe
[2010/07/18 19:00:49 | 000,073,728 | ---- | C] (Oracle) -- C:\WINDOWS\System32\javacpl.cpl
[2010/07/18 19:00:25 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010/07/18 18:59:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Sun
[2010/07/18 18:59:01 | 000,875,296 | ---- | C] (Oracle) -- C:\Documents and Settings\Owner\Desktop\jre-6u21-windows-i586-iftw-rv.exe
[2010/07/18 09:26:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\gmer
[2010/07/17 13:18:38 | 000,000,000 | ---D | C] -- C:\Program Files\ConvertHelper
[2010/07/16 10:32:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\dwhelper
[2010/07/11 15:04:05 | 000,090,112 | ---- | C] (MindVision Software) -- C:\WINDOWS\unvise32.exe
[2010/07/08 14:12:17 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Control Panels
[2010/07/08 14:08:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ALM
[2010/07/06 16:44:49 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/07/06 16:32:51 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Macrovision Shared
[2010/06/30 11:46:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\rscgdoafn
[2010/06/29 13:11:29 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\WINDOWS\avastSS.scr
[2010/06/27 11:16:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\FileMaker
[2010/06/27 11:15:03 | 000,000,000 | ---D | C] -- C:\Program Files\Artist's Butler 2.8
[2010/06/19 20:20:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Facebook
[2010/06/17 22:14:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla
[2010/06/17 22:14:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Mozilla
[2010/06/17 22:12:43 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010/06/15 20:58:30 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2010/06/15 20:26:19 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/06/14 10:25:06 | 000,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor
[2010/06/12 18:32:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\My Games
[2010/06/12 18:32:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\My Games
[2010/06/12 18:02:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\InstallShield
[2010/06/12 16:21:13 | 000,000,000 | ---D | C] -- C:\Program Files\Firaxis Games
[2010/06/12 13:24:11 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/06/02 00:58:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\PRAGMAdtikbcegnb
[2010/06/02 00:57:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/06/02 00:25:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/06/02 00:25:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/05/31 17:46:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\.mcreference
[2010/05/31 17:46:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\AcceleratorKit
[2010/05/31 17:45:38 | 000,000,000 | ---D | C] -- C:\Program Files\MainConcept
[2010/05/31 16:55:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\MainConcept
[2010/05/31 16:43:50 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\MainConcept
[2010/05/31 10:30:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\WinRAR
[2010/05/31 10:30:06 | 000,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2010/05/31 09:44:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\MPEG Streamclip
[2010/05/29 12:48:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/05/29 12:48:34 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/05/29 12:48:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
[2010/05/29 12:48:12 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/05/26 09:38:27 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2010/05/26 09:16:47 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting
[2010/05/26 09:16:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\l2schemas
[2010/05/26 09:16:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en
[2010/05/26 09:16:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\bits
[2010/05/26 09:11:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\network diagnostic
[2010/05/26 09:06:29 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstall$
[2010/05/26 09:05:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\EHome
[2010/05/19 11:48:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Aiseesoft Studio
[2010/05/19 11:48:16 | 000,000,000 | ---D | C] -- C:\Program Files\Aiseesoft Studio
[2010/05/13 23:31:24 | 000,000,000 | ---D | C] -- C:\Program Files\AC3Filter
[2010/05/12 12:13:16 | 000,000,000 | -HSD | C] -- C:\WINDOWS\ftpcache
[2010/05/12 00:13:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\DivX
[2010/04/28 13:03:03 | 000,000,000 | ---D | C] -- C:\Program Files\DivXCodec
[2010/04/28 13:02:59 | 000,131,072 | ---- | C] (金山软件股份有限公司) -- C:\WINDOWS\System32\VideoRen.ax
[2010/04/28 13:02:59 | 000,077,824 | ---- | C] (honest Technology) -- C:\WINDOWS\System32\DeInterlace.ax
[2010/04/28 13:02:58 | 000,000,000 | ---D | C] -- C:\Program Files\WinPVR
[2010/04/28 13:02:19 | 000,000,000 | ---D | C] -- C:\Program Files\SVRemote
[2010/04/28 13:00:40 | 000,077,184 | R--- | C] (Trident Multimedia Technologies Co.,Ltd) -- C:\WINDOWS\System32\drivers\TridVid.sys
[2010/04/26 17:04:42 | 000,353,592 | ---- | C] (DivX, Inc.) -- C:\WINDOWS\System32\DivXControlPanelApplet.cpl
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[11 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/07/25 11:34:21 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/07/25 11:16:02 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/07/25 11:13:00 | 000,000,282 | -H-- | M] () -- C:\WINDOWS\tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
[2010/07/25 08:09:51 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/07/25 08:09:50 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/07/25 08:09:04 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/07/24 22:54:29 | 006,029,312 | ---- | M] () -- C:\Documents and Settings\Owner\ntuser.dat
[2010/07/24 22:54:29 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2010/07/23 19:32:40 | 000,178,688 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/07/23 13:58:16 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/19 21:42:31 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/07/18 19:00:31 | 000,423,656 | ---- | M] (Oracle) -- C:\WINDOWS\System32\deployJava1.dll
[2010/07/18 19:00:31 | 000,153,376 | ---- | M] (Oracle) -- C:\WINDOWS\System32\javaws.exe
[2010/07/18 19:00:31 | 000,145,184 | ---- | M] (Oracle) -- C:\WINDOWS\System32\javaw.exe
[2010/07/18 19:00:31 | 000,145,184 | ---- | M] (Oracle) -- C:\WINDOWS\System32\java.exe
[2010/07/18 19:00:31 | 000,073,728 | ---- | M] (Oracle) -- C:\WINDOWS\System32\javacpl.cpl
[2010/07/18 18:59:00 | 000,875,296 | ---- | M] (Oracle) -- C:\Documents and Settings\Owner\Desktop\jre-6u21-windows-i586-iftw-rv.exe
[2010/07/18 09:23:55 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\gmer.zip
[2010/07/18 09:18:21 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2010/07/18 09:16:01 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Owner\defogger_reenable
[2010/07/16 08:59:35 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/07/14 01:58:11 | 000,000,312 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\spider.sav
[2010/07/08 18:32:38 | 000,031,568 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/07/08 17:43:24 | 001,444,896 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/07/08 16:11:39 | 006,429,716 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[2010/07/08 12:50:27 | 000,001,736 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Acrobat 8 Professional.lnk
[2010/06/29 13:11:30 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/06/28 15:57:33 | 000,038,848 | ---- | M] (ALWIL Software) -- C:\WINDOWS\avastSS.scr
[2010/06/28 15:57:12 | 000,165,032 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/06/28 15:37:52 | 000,046,672 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/06/28 15:37:30 | 000,165,456 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/06/28 15:33:13 | 000,023,376 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/06/28 15:32:45 | 000,100,176 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/06/28 15:32:42 | 000,094,544 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/06/28 15:32:33 | 000,017,744 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/06/28 15:32:16 | 000,028,880 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/06/27 11:15:36 | 000,000,796 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Artist's Butler 2.8.lnk
[2010/06/27 11:13:25 | 000,001,690 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\wklnhst.dat
[2010/06/21 13:52:11 | 002,792,740 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\carte-map.pdf
[2010/06/21 13:43:35 | 000,037,235 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\10437401.jpg
[2010/06/21 13:41:03 | 000,282,850 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\15650254.jpg
[2010/06/20 12:48:10 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\HiJackThis.lnk
[2010/06/17 23:00:56 | 000,004,566 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/06/17 23:00:27 | 000,355,086 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/17 23:00:27 | 000,311,604 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/17 23:00:27 | 000,039,992 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/06/17 22:20:59 | 000,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat
[2010/06/17 22:13:30 | 000,001,620 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/06/17 22:13:29 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/06/14 09:53:23 | 025,870,336 | ---- | M] () -- C:\WINDOWS\System32\KJCMS
[2010/06/12 18:26:24 | 000,002,130 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Sid Meier's Civilization 4 - Beyond the Sword.lnk
[2010/06/12 18:05:46 | 000,000,947 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Launch Sid Meier's Civilization 4 - Warlords.lnk
[2010/06/12 18:03:24 | 000,000,977 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Launch Sid Meier's Civilization 4.lnk
[2010/06/12 13:28:25 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2010/06/12 13:28:23 | 000,000,507 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/06/12 13:28:23 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/06/11 21:25:32 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/06/10 14:21:19 | 000,000,804 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2010/05/31 17:45:58 | 000,000,756 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\MainConcept Reference.lnk
[2010/05/29 12:48:42 | 000,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/05/26 09:41:01 | 000,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2010/05/26 09:10:55 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/05/16 07:16:16 | 000,001,915 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2010/05/12 00:18:55 | 000,001,469 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\DivX Movies.lnk
[2010/05/12 00:18:27 | 000,000,777 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\DivX Plus Player.lnk
[2010/05/12 00:18:01 | 000,000,817 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\DivX Plus Converter.lnk
[2010/04/28 13:02:58 | 000,000,433 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\WinPVR.lnk
[2010/04/26 17:04:42 | 000,353,592 | ---- | M] (DivX, Inc.) -- C:\WINDOWS\System32\DivXControlPanelApplet.cpl
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[11 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/07/18 09:24:03 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\gmer.zip
[2010/07/18 09:18:28 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2010/07/18 09:16:01 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\defogger_reenable
[2010/07/08 12:50:27 | 000,001,736 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Acrobat 8 Professional.lnk
[2010/06/27 11:15:36 | 000,000,796 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Artist's Butler 2.8.lnk
[2010/06/21 13:52:11 | 002,792,740 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\carte-map.pdf
[2010/06/21 13:43:35 | 000,037,235 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\10437401.jpg
[2010/06/21 13:41:03 | 000,282,850 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\15650254.jpg
[2010/06/17 22:20:59 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/06/17 22:13:30 | 000,001,620 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/06/17 22:13:29 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/06/15 20:26:21 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\HiJackThis.lnk
[2010/06/14 09:52:39 | 025,870,336 | ---- | C] () -- C:\WINDOWS\System32\KJCMS
[2010/06/12 18:26:24 | 000,002,130 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Sid Meier's Civilization 4 - Beyond the Sword.lnk
[2010/06/12 17:53:15 | 000,000,947 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Launch Sid Meier's Civilization 4 - Warlords.lnk
[2010/06/12 16:21:18 | 000,000,977 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Launch Sid Meier's Civilization 4.lnk
[2010/06/11 21:25:32 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/05/31 17:45:58 | 000,000,756 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\MainConcept Reference.lnk
[2010/05/29 12:48:42 | 000,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/05/16 07:16:16 | 000,001,915 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2010/05/13 23:31:25 | 000,497,664 | ---- | C] () -- C:\WINDOWS\System32\ac3filter.acm
[2010/05/12 00:18:27 | 000,000,777 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\DivX Plus Player.lnk
[2010/05/12 00:18:01 | 000,000,817 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\DivX Plus Converter.lnk
[2010/04/28 13:02:59 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\VideoSnapshot.ax
[2010/04/28 13:02:59 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\VideoConverter.ax
[2010/04/28 13:02:59 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\TShiftReader.ax
[2010/04/28 13:02:59 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\TShiftWriter.ax
[2010/04/28 13:02:58 | 000,000,433 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\WinPVR.lnk
[2010/01/25 13:39:24 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\AlbumDSLR.dll
[2010/01/18 13:19:36 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/01/17 18:13:39 | 002,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2010/01/14 14:49:06 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2010/01/13 19:36:42 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll.old

========== LOP Check ==========

[2010/02/21 17:22:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/01/13 19:51:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Rogers Online Protection
[2010/06/14 10:35:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/02/26 18:58:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\ameCache
[2010/07/24 22:54:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\BitTorrent
[2010/06/19 20:20:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Facebook
[2010/05/31 16:55:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\MainConcept
[2010/05/31 09:44:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\MPEG Streamclip
[2010/01/13 19:51:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Rogers Online Protection
[2010/07/25 11:13:00 | 000,000,282 | -H-- | M] () -- C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job

========== Purity Check ==========



========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[4 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\*.sys /90 >
[4 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2010/02/10 15:27:54 | 000,237,568 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2010/02/09 20:27:50 | 000,040,960 | ---- | M] () -- C:\WINDOWS\system32\config\security.sav
[2010/02/10 15:27:54 | 025,690,112 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2010/02/10 15:27:54 | 003,932,160 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %SYSTEMDRIVE%\*.* >
[2010/01/13 17:15:58 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010/06/12 13:28:25 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2010/01/13 17:15:58 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2010/01/13 17:15:58 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/01/13 17:15:58 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/04 05:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2010/05/26 09:10:55 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/07/25 08:08:50 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >
[2009/07/31 15:58:00 | 000,192,512 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\EKIJ5000PPR.dll

< %systemroot%\*. /mp /s >


< MD5 for: AGP440.SYS >
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2010/05/26 09:05:00 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2010/05/26 09:05:00 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/04 05:00:00 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2010/05/26 09:05:00 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2010/05/26 09:05:00 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 05:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 05:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: IASTOR.SYS >
[2006/05/11 11:30:52 | 000,247,808 | ---- | M] (Intel Corporation) MD5=294110966CEDD127629C5BE48367C8CF -- C:\WINDOWS\dell\iastor\iastor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2009/02/06 13:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 13:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2004/08/04 05:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: NVATABUS.SYS >
[2006/03/16 19:51:32 | 000,099,840 | ---- | M] (NVIDIA Corporation) MD5=B7FB72492B753930EC70A0F49D04F12F -- C:\WINDOWS\dell\nvraid\NvAtaBus.sys

< MD5 for: SCECLI.DLL >
[2004/08/04 05:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: USER32.DLL >
[2008/04/13 19:12:08 | 000,578,560 | ---- | M] (Microsoft Corporation) MD5=B26B135FF1B9F60C9388B4A7D16F600B -- C:\WINDOWS\ServicePackFiles\i386\user32.dll
[2010/06/15 20:27:05 | 000,578,560 | ---- | M] (Microsoft Corporation) MD5=B26B135FF1B9F60C9388B4A7D16F600B -- C:\WINDOWS\system32\user32.DLL
[2004/08/04 05:00:00 | 000,577,024 | ---- | M] (Microsoft Corporation) MD5=C72661F8552ACE7C5C85E16A3CF505C4 -- C:\WINDOWS\$NtServicePackUninstall$\user32.dll

< MD5 for: WS2_32.DLL >
[2008/04/13 19:12:10 | 000,082,432 | ---- | M] (Microsoft Corporation) MD5=2CCC474EB85CEAA3E1FA1726580A3E5A -- C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll
[2008/04/13 19:12:10 | 000,082,432 | ---- | M] (Microsoft Corporation) MD5=2CCC474EB85CEAA3E1FA1726580A3E5A -- C:\WINDOWS\system32\ws2_32.dll
[2004/08/04 05:00:00 | 000,082,944 | ---- | M] (Microsoft Corporation) MD5=2ED0B7F12A60F90092081C50FA0EC2B2 -- C:\WINDOWS\$NtServicePackUninstall$\ws2_32.dll

< %systemroot%\*. /mp /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

========== Alternate Data Streams ==========

@Alternate Data Stream - 177 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >













OTL Extras logfile created on: 7/25/10 11:36:07 AM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: M/dd/yy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 65.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 20.66 Gb Free Space | 27.73% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 931.51 Gb Total Space | 494.35 Gb Free Space | 53.07% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LAVOY
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_USERS\.DEFAULT\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-18\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-117609710-1078081533-839522115-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"3703:TCP" = 3703:TCP:*:Enabled:Adobe Version Cue CS3 Server
"3704:TCP" = 3704:TCP:*:Enabled:Adobe Version Cue CS3 Server
"50900:TCP" = 50900:TCP:*:Enabled:Adobe Version Cue CS3 Server
"50901:TCP" = 50901:TCP:*:Enabled:Adobe Version Cue CS3 Server

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\BitTorrent\BitTorrent.exe" = C:\Program Files\BitTorrent\BitTorrent.exe:*:Enabled:BitTorrent -- ()
"C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe" = C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4 -- (Firaxis Games)
"C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords.exe" = C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords.exe:*:Enabled:Sid Meier's Civilization 4 Warlords -- (Firaxis Games)
"C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords_PitBoss.exe" = C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords_PitBoss.exe:*:Enabled:Sid Meier's Civilization 4 Pitboss -- (Firaxis Games)
"C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe" = C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe:*:Enabled:Sid Meier's Civilization 4 Beyond the Sword -- (Firaxis Games)
"C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword_PitBoss.exe" = C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword_PitBoss.exe:*:Enabled:Sid Meier's Civilization 4 Beyond the Sword Pitboss -- (Firaxis Games)
"C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe" = C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:*:Enabled:Adobe Version Cue CS3 Server -- (Adobe Systems Incorporated)
"C:\Program Files\Adobe\Adobe After Effects CS3\Support Files\AfterFX.exe" = C:\Program Files\Adobe\Adobe After Effects CS3\Support Files\AfterFX.exe:*:Enabled:Adobe After Effects CS3 -- (Adobe Systems Incorporated )


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{004685F7-9FB6-4789-812F-59ABB34A55AF}" = Adobe Setup
"{0046FA01-C5B9-4985-BACB-398DC480FC05}" = Adobe Photoshop CS3
"{0224CACC-994D-45F8-B973-D65056EA9C2F}" = Adobe XMP DVA Panels CS3
"{0327FA9D-975C-448C-A086-577D57BB25B8}" = Adobe Soundbooth CS3 Codecs
"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{193EAFD0-1BAF-4FB4-B18F-79D5D6A4B285}" = Adobe After Effects CS3 Presets
"{1D58229F-C505-45CA-8223-F35F3A34B963}" = Adobe Version Cue CS3 Server
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216021FF}" = Java™ 6 Update 21
"{27CC6AB1-E72B-4179-AF1A-EAE507EBAF51}_is1" = ConvertHelper 2.2
"{29C43496-7C6B-4922-9B5A-19BC259342DC}_is1" = Album DS demo 6.2.0
"{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3
"{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2}" = Adobe Flash Video Encoder
"{32E4F0D2-C135-475E-A841-1D59A0D22989}" = Sid Meier's Civilization 4 - Beyond the Sword
"{33BEE6F3-9987-4F98-A069-97A64EC8321A}" = Microsoft Works Suite Add-in for Microsoft Word
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3E4B349F-10B5-4586-9D99-489A90A8B228}" = Sid Meier's Civilization 4 - Warlords
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{4377F918-E6C9-4ECA-A7F5-754B310B7ED8}" = Sid Meier's Civilization 4
"{4458C442-7376-4CF9-AF58-E8CEA6722363}" = Adobe Setup
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{485ACF57-F364-440A-8496-E1E81C8FA1AA}" = Adobe Premiere Pro CS3 Third Party Content
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{50F102CA-4BE2-41A9-9810-5BB05EB91B9A}" = Adobe Premiere Pro CS3 Functional Content
"{51846830-E7B2-4218-8968-B77F0FF475B8}" = Adobe Color EU Extra Settings
"{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3
"{54B2EAD9-A110-43F7-B010-2859A1BD2AFE}" = Adobe Encore CS3
"{58DCEEE5-532E-44F4-B1D7-A146EF9E9FDA}" = Adobe Premiere Pro CS3
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6ABE0BEE-D572-4FE8-B434-9E72A289431B}" = Adobe Fonts All
"{6B52140A-F189-4945-BFFC-DB3F00B8C589}" = Adobe Flash CS3
"{6B708481-748A-4EB4-97C1-CD386244FF77}" = Adobe MotionPicture Color Files
"{6BBAA81D-6A7E-43AD-8889-2F002DCAAFDD}" = AHV content for Acrobat and Flash
"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3
"{7ACFB90E-8FD0-4397-AD3A-5195412623A3}" = Adobe Help Viewer CS3
"{7C10F5C7-F00F-4BD3-A110-C7D240D2DD25}" = Adobe Dreamweaver CS3
"{7DFC1012-D346-46CE-B03E-FF79125AE029}" = Adobe Fireworks CS3
"{7ECEF10B-F1C2-4FD5-861F-A3FCB4653304}" = Adobe After Effects CS3 Third Party Content
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{845A8DB9-8802-4FD3-9FE3-938A6C46A2EC}" = Adobe Video Profiles
"{8704D51E-25B7-4F23-81E7-AA4F54790210}" = Microsoft Streets and Trips 2004
"{8718DC03-D066-4957-94E5-50C3C5042E8E}" = Adobe Creative Suite 3 Master Collection
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver
"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3
"{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support
"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
"{911B0409-6000-11D3-8CFE-0050048383C9}" = Microsoft Word 2002
"{95655ED4-7CA5-46DF-907F-7144877A32E5}" = Adobe Color NA Recommended Settings
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3
"{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps
"{A2D81E70-2A98-4A08-A628-94388B063C5E}" = Adobe Color - Photoshop Specific
"{A6B23EFA-6590-482C-A11F-5ACE1B91F5B9}" = Adobe Soundbooth CS3
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}" = PDF Settings
"{AC76BA86-1033-0000-7760-000000000003}" = Adobe Acrobat 8 Professional
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0
"{B671CBFD-4109-4D35-9252-3062D3CCB7B2}" = Adobe SING CS3
"{B73CFB12-C814-4638-AFFD-7E3AAFAF0B4E}" = Adobe BridgeTalk Plugin CS3
"{B8B7A4D8-80E1-4DAE-BD33-7FD535BA3931}" = Adobe Encore CS3 Codecs
"{B9966F27-9678-4620-9579-925E3084647E}" = Microsoft Works
"{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}" = Adobe Default Language CS3
"{BC4F8E84-5E29-49EC-B4E7-E6F9CB50986C}" = Adobe Flash Player 9 ActiveX
"{BE5F3842-8309-4754-92D5-83E02E6077A3}" = Adobe Extension Manager CS3
"{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}" = Adobe ExtendScript Toolkit 2
"{C5BD220A-EFE8-48A5-B70E-9503D535FACE}" = Adobe WAS CS3
"{CB3F8375-B600-4B9F-83C9-238ED1E583FD}" = Adobe InDesign CS3
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CFBCE791-2D53-4FCE-B3FB-D6E01F4112E8}" = Sid Meier's Civilization 4
"{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client
"{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}" = Adobe PDF Library Files
"{D5A31AB1-345D-47C7-A87B-036A669F6DF1}" = Adobe XMP Panels CS3
"{DA13BA57-3F22-469A-A616-B06FFE8A207F}" = WinPVR
"{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}" = Adobe Color Common Settings
"{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}" = Adobe Color JA Extra Settings
"{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3
"{EA7B3CC4-366D-4CF6-8350-FD7A7034116E}" = Adobe InDesign CS3 Icon Handler
"{EB0202F7-016A-410C-ADE4-40F848CCC661}" = Adobe After Effects CS3
"{F08E8D2E-F132-4742-9C87-D5FF223A016A}" = Adobe Illustrator CS3
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F7B0939E-58DF-11DF-B3A6-005056806466}" = Google Earth
"{FC9E08AA-CD59-4C59-BEF9-87E05B9E37D7}" = Adobe Contribute CS3
"AC3Filter_is1" = AC3Filter 1.62b
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe_3675c95c239b992d5d0ee8fce969b9e" = Adobe After Effects CS3 Third Party Content
"Adobe_4dcfd9b7e901b57f81f667144603236" = Add or Remove Adobe Creative Suite 3 Master Collection
"Artist's Butler 2.8_is1" = Artist's Butler 2.8
"avast5" = avast! Free Antivirus
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"DivX Setup.divx.com" = DivX Setup
"DVD Flick_is1" = DVD Flick 1.3.0.7
"ie8" = Windows Internet Explorer 8
"Intel® 537EP V9x DF PCI Modem" = Intel® 537EP V9x DF PCI Modem
"MainConcept Reference 1.6.1" = MainConcept Reference 1.6.1
"Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)
"Prism" = Prism Video Converter
"PROSet" = Intel® PRO Network Adapters and Drivers
"Trapcode Particular v2" = Trapcode Particular v2
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Works2004Setup" = Microsoft Works 2004 Setup Launcher

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-117609710-1078081533-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent" = BitTorrent
"Facebook Plug-In" = Facebook Plug-In

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 7/25/10 9:32:14 AM | Computer Name = LAVOY | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 7/25/10 9:32:14 AM | Computer Name = LAVOY | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 7/25/10 9:32:14 AM | Computer Name = LAVOY | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 7/25/10 9:32:14 AM | Computer Name = LAVOY | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 7/25/10 9:32:14 AM | Computer Name = LAVOY | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 7/25/10 11:53:09 AM | Computer Name = LAVOY | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 7/25/10 11:53:09 AM | Computer Name = LAVOY | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 7/25/10 11:53:09 AM | Computer Name = LAVOY | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 7/25/10 11:53:09 AM | Computer Name = LAVOY | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 7/25/10 11:53:09 AM | Computer Name = LAVOY | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

[ System Events ]
Error - 7/23/10 2:58:32 PM | Computer Name = LAVOY | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 7/23/10 2:58:32 PM | Computer Name = LAVOY | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 7/23/10 2:59:06 PM | Computer Name = LAVOY | Source = Service Control Manager | ID = 7000
Description = The PfModNT service failed to start due to the following error: %%2

Error - 7/23/10 3:00:09 PM | Computer Name = LAVOY | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 7/24/10 9:57:05 AM | Computer Name = LAVOY | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 7/24/10 9:57:05 AM | Computer Name = LAVOY | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 7/24/10 9:57:47 AM | Computer Name = LAVOY | Source = Service Control Manager | ID = 7000
Description = The PfModNT service failed to start due to the following error: %%2

Error - 7/25/10 9:09:17 AM | Computer Name = LAVOY | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 7/25/10 9:09:17 AM | Computer Name = LAVOY | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 7/25/10 9:10:21 AM | Computer Name = LAVOY | Source = Service Control Manager | ID = 7000
Description = The PfModNT service failed to start due to the following error: %%2


< End of report >


#4 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:33 PM

Posted 26 July 2010 - 06:03 PM

Hello, absentmind81.
Please download MBRCheck by ad_13 and save it to your desktop.

Double-click to run. A window will pop up. If it says 'non-standard' or 'infected' MBR code detected, please type N for Exit for now and press Enter.

It will save a logfile on your desktop that starts with MBR, then has the date, etc. Please copy and paste the contents of that log in your reply.

etavares

Edited by etavares, 26 July 2010 - 06:03 PM.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#5 absentmind81

absentmind81
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:33 PM

Posted 28 July 2010 - 08:14 AM

Here is the MBR logfile. As you can see it said there was an error reading raw MBR. How should I proceed? Thanks




MBRCheck, version 1.1.1

© 2010, AD



\\.\C: --> \\.\PhysicalDrive0

\\.\F: --> \\.\PhysicalDrive1



Size Device Name MBR Status

--------------------------------------------

74 GB \\.\PhysicalDrive0 Windows XP MBR code detected

931 GB \\.\PhysicalDrive1 Error reading raw MBR!





Done! Press ENTER to exit...



#6 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:33 PM

Posted 28 July 2010 - 06:00 PM

Hello, absentmind81.

No worries..it's an external drive. I'm concerned about the active one in C:\. You likely have a rootkit, but I'm trying to find exactly which type it is. Let's run Combofix next.

Next, please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on etavaresCF.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#7 absentmind81

absentmind81
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:33 PM

Posted 31 July 2010 - 06:32 AM

I had to run ComboFix in safe mode, as I could not get it to work otherwise. I hope that doesn't effect the scan results. I have included the combofix.txt as requested. Thank you for your help!

ComboFix 10-07-28.03 - Owner 07/30/10 21:48:22.1.1 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1793 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\etavaresCF.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Favorites\_favdata.dat
c:\windows\PRAGMAdtikbcegnb
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-31 )))))))))))))))))))))))))))))))
.

2010-07-29 14:57 . 2010-07-30 03:47 -------- d-----w- C:\etavaresCF
2010-07-25 22:43 . 2010-07-25 22:43 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\WMTools Downloaded Files
2010-07-19 00:07 . 2010-07-19 00:07 -------- d-----w- c:\windows\Sun
2010-07-19 00:01 . 2010-07-19 00:01 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2c61b0d9-n\msvcp71.dll
2010-07-19 00:01 . 2010-07-19 00:01 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2c61b0d9-n\jmc.dll
2010-07-19 00:01 . 2010-07-19 00:01 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2c61b0d9-n\msvcr71.dll
2010-07-19 00:01 . 2010-07-19 00:01 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6daa8b12-n\decora-sse.dll
2010-07-19 00:01 . 2010-07-19 00:01 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6daa8b12-n\decora-d3d.dll
2010-07-19 00:01 . 2010-07-19 00:01 -------- d-----w- c:\program files\Common Files\Java
2010-07-19 00:00 . 2010-07-19 00:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-19 00:00 . 2010-07-19 00:00 -------- d-----w- c:\program files\Java
2010-07-17 18:18 . 2010-07-17 18:18 -------- d-----w- c:\program files\ConvertHelper
2010-07-16 15:32 . 2010-07-16 15:32 -------- d-----w- c:\documents and settings\Owner\dwhelper
2010-07-15 05:38 . 2001-08-18 03:36 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2010-07-15 05:38 . 2001-08-18 03:36 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2010-07-15 05:38 . 2001-08-18 03:36 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2010-07-15 05:38 . 2001-08-18 03:36 8192 ----a-w- c:\windows\system32\kbdkor.dll
2010-07-15 05:38 . 2001-08-17 19:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
2010-07-15 05:38 . 2001-08-17 19:55 6144 ----a-w- c:\windows\system32\kbd101c.dll
2010-07-15 05:38 . 2001-08-17 19:55 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
2010-07-15 05:38 . 2001-08-17 19:55 5632 ----a-w- c:\windows\system32\kbd103.dll
2010-07-15 05:38 . 2001-08-17 19:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2010-07-15 05:38 . 2001-08-17 19:55 6144 ----a-w- c:\windows\system32\kbd101b.dll
2010-07-15 05:38 . 2008-04-14 00:09 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2010-07-15 05:38 . 2008-04-14 00:09 6144 ----a-w- c:\windows\system32\kbd106.dll
2010-07-11 20:04 . 2004-03-29 21:23 90112 ----a-w- c:\windows\unvise32.exe
2010-07-11 00:59 . 2010-07-11 01:40 2568656 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2010-07-08 19:12 . 2010-07-08 19:12 -------- d-----w- c:\program files\Common Files\Control Panels
2010-07-08 19:08 . 2010-07-08 19:08 -------- d-----w- c:\documents and settings\All Users\Application Data\ALM
2010-07-06 21:44 . 2010-07-06 21:44 -------- d-----w- c:\program files\Bonjour
2010-07-06 21:32 . 2010-07-06 21:32 -------- d-----w- c:\program files\Common Files\Macrovision Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-29 05:53 . 2010-01-14 20:27 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
2010-07-29 04:02 . 2010-04-20 00:00 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2010-07-16 13:59 . 2010-01-14 02:43 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-08 23:32 . 2010-01-13 22:23 31568 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-08 19:12 . 2010-01-14 00:46 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-08 18:04 . 2010-01-17 23:22 -------- d-----w- c:\program files\QuickTime
2010-06-28 20:57 . 2010-06-29 18:11 38848 ----a-w- c:\windows\avastSS.scr
2010-06-28 20:57 . 2010-02-21 22:22 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-28 20:37 . 2010-02-21 22:22 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-28 20:37 . 2010-02-21 22:22 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-28 20:33 . 2010-02-21 22:22 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-28 20:32 . 2010-02-21 22:22 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-28 20:32 . 2010-02-21 22:22 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-28 20:32 . 2010-02-21 22:22 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-28 20:32 . 2010-02-21 22:22 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-06-27 16:15 . 2010-06-27 16:15 -------- d-----w- c:\program files\Artist's Butler 2.8
2010-06-27 16:13 . 2010-01-18 18:30 1690 ----a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat
2010-06-20 01:20 . 2010-06-20 01:20 50354 ----a-w- c:\documents and settings\Owner\Application Data\Facebook\uninstall.exe
2010-06-20 01:20 . 2010-06-20 01:20 -------- d-----w- c:\documents and settings\Owner\Application Data\Facebook
2010-06-18 03:20 . 2010-06-18 03:20 0 ----a-w- c:\windows\nsreg.dat
2010-06-16 02:14 . 2010-06-16 01:58 -------- d-----w- c:\program files\Windows Live Safety Center
2010-06-16 01:27 . 2004-08-04 10:00 578560 ----a-w- c:\windows\system32\user32.DLL
2010-06-16 01:26 . 2010-06-16 01:26 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-16 01:26 . 2010-06-16 01:26 -------- d-----w- c:\program files\Trend Micro
2010-06-16 00:27 . 2010-01-19 18:17 -------- d-----w- c:\documents and settings\Owner\Application Data\DVD Flick
2010-06-14 15:36 . 2010-06-14 15:25 -------- d-----w- c:\program files\Spyware Doctor
2010-06-14 15:35 . 2010-01-14 00:36 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-14 15:25 . 2010-01-14 00:36 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-06-12 23:19 . 2010-01-14 02:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-12 23:02 . 2010-06-12 23:02 -------- d-----w- c:\documents and settings\Owner\Application Data\InstallShield
2010-06-12 22:45 . 2010-06-12 21:21 -------- d-----w- c:\program files\Firaxis Games
2010-06-12 03:38 . 2010-05-29 17:48 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-12 02:25 . 2010-06-12 02:25 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-06-09 10:45 . 2010-06-09 10:45 5591040 ----a-w- c:\documents and settings\Owner\Application Data\Facebook\npfbplugin_1_0_3.dll
2010-06-02 05:15 . 2010-06-02 05:15 63488 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-02 05:15 . 2010-05-29 17:49 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-29 17:49 . 2010-05-29 17:49 52224 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-26 14:19 . 2010-01-13 22:15 77423 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-05-12 05:19 . 2010-05-12 05:19 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-05-12 05:18 . 2010-05-12 05:18 56766 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-05-12 05:18 . 2010-05-12 05:18 56978 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-05-12 05:18 . 2010-05-12 05:18 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-05-12 05:18 . 2010-05-12 05:18 57679 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe
2010-05-12 05:18 . 2010-05-12 05:18 84040 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe
2010-05-12 05:18 . 2010-05-12 05:18 57054 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-06-11 2403568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SVRemote"="c:\program files\SVRemote\USB20Remote.exe" [2007-09-11 28672]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Defense Center

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Adobe\\Adobe After Effects CS3\\Support Files\\AfterFX.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/21/10 5:22 PM 165456]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [11/11/09 10:44 AM 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/11/09 10:44 AM 67656]
S1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [1/17/10 5:30 PM 8576]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/21/10 5:22 PM 17744]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/27/10 1:56 PM 135664]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/11/09 10:44 AM 12872]
S3 TridVid;OEM 5600AD Analog Video;c:\windows\system32\drivers\TridVid.sys [4/28/10 1:00 PM 77184]
S4 MT;MT;c:\docume~1\Owner\LOCALS~1\Temp\MT.exe --> c:\docume~1\Owner\LOCALS~1\Temp\MT.exe [?]
S4 RAREI;RAREI;c:\docume~1\Owner\LOCALS~1\Temp\RAREI.exe --> c:\docume~1\Owner\LOCALS~1\Temp\RAREI.exe [?]
S4 SQILTY;SQILTY;c:\docume~1\Owner\LOCALS~1\Temp\SQILTY.exe --> c:\docume~1\Owner\LOCALS~1\Temp\SQILTY.exe [?]
S4 VNUKKRU;VNUKKRU;c:\docume~1\Owner\LOCALS~1\Temp\VNUKKRU.exe --> c:\docume~1\Owner\LOCALS~1\Temp\VNUKKRU.exe [?]
S4 YAHD;YAHD;c:\docume~1\Owner\LOCALS~1\Temp\YAHD.exe --> c:\docume~1\Owner\LOCALS~1\Temp\YAHD.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2010-07-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-07-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 18:55]

2010-07-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 18:55]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\frhcpx6r.default\
FF - plugin: c:\documents and settings\Owner\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-30 22:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-117609710-1078081533-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2506A6BC-A4AD-6AEB-A080-65D9C54D7376}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"naafgjcenaifpjggkpmjkcoelklj"=hex:6a,61,65,6b,64,64,6c,63,69,6a,61,70,6d,6f,
6e,6a,6e,65,63,63,00,f4
"maknajlddmenfikkkpbgcnbnll"=hex:6a,61,65,6b,64,64,6c,63,69,6a,61,70,6d,6f,6e,
6a,6e,65,63,63,00,f4
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(204)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2010-07-30 22:06:00
ComboFix-quarantined-files.txt 2010-07-31 03:05

Pre-Run: 26,219,479,040 bytes free
Post-Run: 27,104,362,496 bytes free

- - End Of File - - C74E172B07531E195E3253917866CA59


#8 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:33 PM

Posted 31 July 2010 - 07:18 AM

Hello, absentmind81.

How is your computer running now?

Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.



Step 1

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
Driver::
MT
RAREI
SQILTY
VNUKKRU
YAHD
RegNull::
[HKEY_USERS\S-1-5-21-117609710-1078081533-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2506A6BC-A4AD-6AEB-A080-65D9C54D7376}*]


Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#9 absentmind81

absentmind81
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:33 PM

Posted 31 July 2010 - 01:34 PM

I haven't experienced any redirects since I first ran combofix. Mind you I haven't been on the internet much so it's hard to tell.
I lost my windowsxp reformat/reinstall disc (so unfortunately I can't do that), so I followed your above instructions for Combofix and here is the requested log (Thanks again):


ComboFix 10-07-28.03 - Owner 07/31/10 13:07:13.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1549 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\etavaresCF.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MT
-------\Legacy_RAREI
-------\Legacy_SQILTY
-------\Legacy_VNUKKRU
-------\Legacy_YAHD
-------\Service_MT
-------\Service_RAREI
-------\Service_SQILTY
-------\Service_VNUKKRU
-------\Service_YAHD


((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-31 )))))))))))))))))))))))))))))))
.

2010-07-31 12:00 . 2010-07-31 12:00 -------- d-----w- c:\windows\LastGood.Tmp
2010-07-31 02:47 . 2010-07-31 03:06 -------- d-----w- C:\etavaresCF4752e
2010-07-29 14:57 . 2010-07-30 03:47 -------- d-----w- C:\etavaresCF
2010-07-25 22:43 . 2010-07-25 22:43 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\WMTools Downloaded Files
2010-07-19 00:07 . 2010-07-19 00:07 -------- d-----w- c:\windows\Sun
2010-07-19 00:01 . 2010-07-19 00:01 -------- d-----w- c:\program files\Common Files\Java
2010-07-19 00:00 . 2010-07-19 00:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-19 00:00 . 2010-07-19 00:00 -------- d-----w- c:\program files\Java
2010-07-17 18:18 . 2010-07-17 18:18 -------- d-----w- c:\program files\ConvertHelper
2010-07-16 15:32 . 2010-07-16 15:32 -------- d-----w- c:\documents and settings\Owner\dwhelper
2010-07-15 05:38 . 2001-08-18 03:36 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2010-07-15 05:38 . 2001-08-18 03:36 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2010-07-15 05:38 . 2001-08-18 03:36 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2010-07-15 05:38 . 2001-08-18 03:36 8192 ----a-w- c:\windows\system32\kbdkor.dll
2010-07-15 05:38 . 2001-08-17 19:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
2010-07-15 05:38 . 2001-08-17 19:55 6144 ----a-w- c:\windows\system32\kbd101c.dll
2010-07-15 05:38 . 2001-08-17 19:55 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
2010-07-15 05:38 . 2001-08-17 19:55 5632 ----a-w- c:\windows\system32\kbd103.dll
2010-07-15 05:38 . 2001-08-17 19:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2010-07-15 05:38 . 2001-08-17 19:55 6144 ----a-w- c:\windows\system32\kbd101b.dll
2010-07-15 05:38 . 2008-04-14 00:09 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2010-07-15 05:38 . 2008-04-14 00:09 6144 ----a-w- c:\windows\system32\kbd106.dll
2010-07-11 20:04 . 2004-03-29 21:23 90112 ----a-w- c:\windows\unvise32.exe
2010-07-08 19:12 . 2010-07-08 19:12 -------- d-----w- c:\program files\Common Files\Control Panels
2010-07-08 19:08 . 2010-07-08 19:08 -------- d-----w- c:\documents and settings\All Users\Application Data\ALM
2010-07-06 21:44 . 2010-07-06 21:44 -------- d-----w- c:\program files\Bonjour
2010-07-06 21:32 . 2010-07-06 21:32 -------- d-----w- c:\program files\Common Files\Macrovision Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-29 05:53 . 2010-01-14 20:27 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
2010-07-29 04:02 . 2010-04-20 00:00 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2010-07-19 00:01 . 2010-07-19 00:01 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2c61b0d9-n\msvcp71.dll
2010-07-19 00:01 . 2010-07-19 00:01 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2c61b0d9-n\jmc.dll
2010-07-19 00:01 . 2010-07-19 00:01 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2c61b0d9-n\msvcr71.dll
2010-07-19 00:01 . 2010-07-19 00:01 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6daa8b12-n\decora-sse.dll
2010-07-19 00:01 . 2010-07-19 00:01 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6daa8b12-n\decora-d3d.dll
2010-07-16 13:59 . 2010-01-14 02:43 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-11 01:40 . 2010-07-11 00:59 2568656 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2010-07-08 23:32 . 2010-01-13 22:23 31568 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-08 19:12 . 2010-01-14 00:46 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-08 18:04 . 2010-01-17 23:22 -------- d-----w- c:\program files\QuickTime
2010-06-28 20:57 . 2010-06-29 18:11 38848 ----a-w- c:\windows\avastSS.scr
2010-06-28 20:57 . 2010-02-21 22:22 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-28 20:37 . 2010-02-21 22:22 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-28 20:37 . 2010-02-21 22:22 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-28 20:33 . 2010-02-21 22:22 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-28 20:32 . 2010-02-21 22:22 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-28 20:32 . 2010-02-21 22:22 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-28 20:32 . 2010-02-21 22:22 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-28 20:32 . 2010-02-21 22:22 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-06-27 16:15 . 2010-06-27 16:15 -------- d-----w- c:\program files\Artist's Butler 2.8
2010-06-27 16:13 . 2010-01-18 18:30 1690 ----a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat
2010-06-20 01:20 . 2010-06-20 01:20 50354 ----a-w- c:\documents and settings\Owner\Application Data\Facebook\uninstall.exe
2010-06-20 01:20 . 2010-06-20 01:20 -------- d-----w- c:\documents and settings\Owner\Application Data\Facebook
2010-06-18 03:20 . 2010-06-18 03:20 0 ----a-w- c:\windows\nsreg.dat
2010-06-16 02:14 . 2010-06-16 01:58 -------- d-----w- c:\program files\Windows Live Safety Center
2010-06-16 01:27 . 2004-08-04 10:00 578560 ----a-w- c:\windows\system32\user32.DLL
2010-06-16 01:26 . 2010-06-16 01:26 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-16 01:26 . 2010-06-16 01:26 -------- d-----w- c:\program files\Trend Micro
2010-06-16 00:27 . 2010-01-19 18:17 -------- d-----w- c:\documents and settings\Owner\Application Data\DVD Flick
2010-06-14 15:36 . 2010-06-14 15:25 -------- d-----w- c:\program files\Spyware Doctor
2010-06-14 15:35 . 2010-01-14 00:36 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-14 15:25 . 2010-01-14 00:36 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-06-12 23:19 . 2010-01-14 02:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-12 23:02 . 2010-06-12 23:02 -------- d-----w- c:\documents and settings\Owner\Application Data\InstallShield
2010-06-12 22:45 . 2010-06-12 21:21 -------- d-----w- c:\program files\Firaxis Games
2010-06-12 03:38 . 2010-05-29 17:48 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-12 02:25 . 2010-06-12 02:25 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-06-09 10:45 . 2010-06-09 10:45 5591040 ----a-w- c:\documents and settings\Owner\Application Data\Facebook\npfbplugin_1_0_3.dll
2010-06-02 05:15 . 2010-06-02 05:15 63488 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-02 05:15 . 2010-05-29 17:49 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-29 17:49 . 2010-05-29 17:49 52224 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-26 14:19 . 2010-01-13 22:15 77423 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-05-12 05:19 . 2010-05-12 05:19 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-05-12 05:18 . 2010-05-12 05:18 56766 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-05-12 05:18 . 2010-05-12 05:18 56978 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-05-12 05:18 . 2010-05-12 05:18 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-05-12 05:18 . 2010-05-12 05:18 57679 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe
2010-05-12 05:18 . 2010-05-12 05:18 84040 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe
2010-05-12 05:18 . 2010-05-12 05:18 57054 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-06-11 2403568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SVRemote"="c:\program files\SVRemote\USB20Remote.exe" [2007-09-11 28672]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Adobe\\Adobe After Effects CS3\\Support Files\\AfterFX.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/21/10 5:22 PM 165456]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [11/11/09 10:44 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/11/09 10:44 AM 67656]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [1/17/10 5:30 PM 8576]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/21/10 5:22 PM 17744]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/27/10 1:56 PM 135664]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/11/09 10:44 AM 12872]
S3 TridVid;OEM 5600AD Analog Video;c:\windows\system32\drivers\TridVid.sys [4/28/10 1:00 PM 77184]
.
Contents of the 'Scheduled Tasks' folder

2010-07-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-07-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 18:55]

2010-07-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 18:55]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\frhcpx6r.default\
FF - plugin: c:\documents and settings\Owner\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-31 13:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(660)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(816)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Alwil Software\Avast5\AvastUI.exe
.
**************************************************************************
.
Completion time: 2010-07-31 13:30:53 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-31 18:30
ComboFix2.txt 2010-07-31 03:06

Pre-Run: 26,958,266,368 bytes free
Post-Run: 26,899,468,288 bytes free

- - End Of File - - 3D1FF21E5E58A944A9A1AD43BD2F7BEE


#10 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:33 PM

Posted 31 July 2010 - 02:47 PM

Hello, absentmind81.
Ok, making progress. Please post a fresh OTL quick scan.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#11 absentmind81

absentmind81
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:33 PM

Posted 01 August 2010 - 11:13 AM

Hope I did this right. I wasn't sure, so I just followed the instructions for the OTL scan from post#2. Here are the results:


OTL logfile created on: 8/01/10 11:55:45 AM - Run 2
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: M/dd/yy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 79.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 94.00% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 24.74 Gb Free Space | 33.21% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 931.51 Gb Total Space | 488.78 Gb Free Space | 52.47% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LAVOY
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/07/25 11:34:21 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2010/07/25 08:30:16 | 000,014,808 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\plugin-container.exe
PRC - [2010/07/25 08:30:15 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/07/06 16:32:51 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
PRC - [2010/06/28 15:57:15 | 000,040,384 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/09/11 06:27:06 | 000,028,672 | R--- | M] () -- C:\Program Files\SVRemote\USB20Remote.exe
PRC - [2007/05/10 22:46:20 | 000,624,248 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe


========== Modules (SafeList) ==========

MOD - [2010/07/25 11:34:21 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/07/06 16:32:51 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Running] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2010/06/28 15:57:15 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/06/28 15:57:15 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/06/28 15:57:15 | 000,040,384 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2007/03/20 16:41:24 | 000,153,792 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe -- (Adobe Version Cue CS3)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | Auto | Stopped] -- C:\WINDOWS\System32\PfModNT.sys -- (PfModNT)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\etavaresCF23411e\catchme.sys -- (catchme)
DRV - [2010/06/28 15:37:52 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/06/28 15:37:30 | 000,165,456 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/06/28 15:33:13 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/06/28 15:32:45 | 000,100,176 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2010/06/28 15:32:33 | 000,017,744 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/06/28 15:32:16 | 000,028,880 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2010/05/29 13:06:59 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/05/29 13:06:59 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
DRV - [2010/05/29 13:06:59 | 000,012,872 | ---- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2007/09/11 06:26:58 | 000,077,184 | R--- | M] (Trident Multimedia Technologies Co.,Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TridVid.sys -- (TridVid)
DRV - [2006/03/01 21:30:54 | 000,618,880 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC52.sys -- (IntelC52)
DRV - [2005/05/06 15:42:26 | 001,339,776 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC51.sys -- (IntelC51)
DRV - [2005/05/06 15:40:50 | 000,047,360 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC53.sys -- (IntelC53)
DRV - [2005/05/06 15:40:20 | 000,036,880 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mohfilt.sys -- (mohfilt)
DRV - [2004/09/17 10:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2001/12/19 12:45:00 | 000,008,576 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\VCdRom.sys -- (vcdrom)
DRV - [2001/08/17 14:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-117609710-1078081533-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
IE - HKU\S-1-5-21-117609710-1078081533-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {F8A55C97-3DB6-4961-A81D-0DE0080E53CB}:0.9.2
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.7
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.7.4
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/25 08:30:22 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/25 08:30:22 | 000,000,000 | ---D | M]

[2010/06/17 22:14:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2010/07/31 07:36:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\frhcpx6r.default\extensions
[2010/07/16 10:29:09 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\frhcpx6r.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2010/07/16 10:26:49 | 000,000,000 | ---D | M] (Download Statusbar) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\frhcpx6r.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2010/06/18 12:29:11 | 000,000,000 | ---D | M] (Download Manager Tweak) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\frhcpx6r.default\extensions\{F8A55C97-3DB6-4961-A81D-0DE0080E53CB}
[2010/07/31 07:36:01 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/07/18 19:00:51 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/07/18 19:00:31 | 000,423,656 | ---- | M] (Oracle) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/07/31 13:20:15 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKU\S-1-5-21-117609710-1078081533-839522115-1003\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKU\S-1-5-21-117609710-1078081533-839522115-1003\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe_ID0EYTHM] C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3Tray.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [SVRemote] c:\Program Files\SVRemote\USB20Remote.exe ()
O4 - HKU\S-1-5-21-117609710-1078081533-839522115-1003..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-117609710-1078081533-839522115-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-117609710-1078081533-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-117609710-1078081533-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-117609710-1078081533-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/C/0...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 64.71.255.198
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/01/13 17:15:58 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\.DEFAULT\...exe [@ = secfile] -- "%1" %*
O37 - HKU\S-1-5-18\...exe [@ = secfile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 2

Drivers32: midi - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midimapper - C:\WINDOWS\System32\midimap.dll (Microsoft Corporation)
Drivers32: mixer - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: msacm.ac3filter - C:\WINDOWS\System32\ac3filter.acm ()
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.imaadpcm - C:\WINDOWS\System32\imaadp32.acm (Microsoft Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.msadpcm - C:\WINDOWS\System32\msadp32.acm (Microsoft Corporation)
Drivers32: msacm.msaudio1 - C:\WINDOWS\System32\msaud32.acm (Microsoft Corporation)
Drivers32: msacm.msg711 - C:\WINDOWS\System32\msg711.acm (Microsoft Corporation)
Drivers32: msacm.msg723 - C:\WINDOWS\System32\msg723.acm (Microsoft Corporation)
Drivers32: msacm.msgsm610 - C:\WINDOWS\System32\msgsm32.acm (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)
Drivers32: VIDC.I420 - C:\WINDOWS\System32\msh263.drv (Microsoft Corporation)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: VIDC.IYUV - C:\WINDOWS\System32\iyuv_32.dll (Microsoft Corporation)
Drivers32: vidc.M261 - C:\WINDOWS\System32\msh261.drv (Microsoft Corporation)
Drivers32: vidc.M263 - C:\WINDOWS\System32\msh263.drv (Microsoft Corporation)
Drivers32: vidc.mrle - C:\WINDOWS\System32\msrle32.dll (Microsoft Corporation)
Drivers32: vidc.msvc - C:\WINDOWS\System32\msvidc32.dll (Microsoft Corporation)
Drivers32: VIDC.UYVY - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: VIDC.YUY2 - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: vidc.yv12 - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)
Drivers32: VIDC.YVU9 - C:\WINDOWS\System32\tsbyuv.dll (Microsoft Corporation)
Drivers32: VIDC.YVYU - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: wave - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: wave1 - C:\WINDOWS\System32\serwvdrv.dll (Microsoft Corporation)
Drivers32: wavemapper - C:\WINDOWS\System32\msacm32.drv (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 90 Days ==========

[2010/07/30 22:06:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/07/30 21:47:01 | 000,000,000 | ---D | C] -- C:\etavaresCF4752e
[2010/07/29 10:02:02 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/07/29 09:58:13 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/07/29 09:58:13 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/07/29 09:58:13 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/07/29 09:58:13 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/07/29 09:57:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/07/29 09:57:48 | 000,000,000 | ---D | C] -- C:\etavaresCF
[2010/07/29 09:57:15 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/07/25 17:43:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\WMTools Downloaded Files
[2010/07/25 11:34:25 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/07/23 17:29:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/07/18 19:07:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2010/07/18 19:01:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/07/18 19:01:01 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/07/18 19:00:49 | 000,423,656 | ---- | C] (Oracle) -- C:\WINDOWS\System32\deployJava1.dll
[2010/07/18 19:00:49 | 000,153,376 | ---- | C] (Oracle) -- C:\WINDOWS\System32\javaws.exe
[2010/07/18 19:00:49 | 000,145,184 | ---- | C] (Oracle) -- C:\WINDOWS\System32\javaw.exe
[2010/07/18 19:00:49 | 000,145,184 | ---- | C] (Oracle) -- C:\WINDOWS\System32\java.exe
[2010/07/18 19:00:49 | 000,073,728 | ---- | C] (Oracle) -- C:\WINDOWS\System32\javacpl.cpl
[2010/07/18 19:00:25 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010/07/18 18:59:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Sun
[2010/07/18 18:59:01 | 000,875,296 | ---- | C] (Oracle) -- C:\Documents and Settings\Owner\Desktop\jre-6u21-windows-i586-iftw-rv.exe
[2010/07/18 09:26:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\gmer
[2010/07/17 13:18:38 | 000,000,000 | ---D | C] -- C:\Program Files\ConvertHelper
[2010/07/16 10:32:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\dwhelper
[2010/07/11 15:04:05 | 000,090,112 | ---- | C] (MindVision Software) -- C:\WINDOWS\unvise32.exe
[2010/07/08 14:12:17 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Control Panels
[2010/07/08 14:08:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ALM
[2010/07/06 16:44:49 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/07/06 16:32:51 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Macrovision Shared
[2010/06/30 11:46:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\rscgdoafn
[2010/06/29 13:11:29 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\WINDOWS\avastSS.scr
[2010/06/27 11:16:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\FileMaker
[2010/06/27 11:15:03 | 000,000,000 | ---D | C] -- C:\Program Files\Artist's Butler 2.8
[2010/06/19 20:20:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Facebook
[2010/06/17 22:14:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla
[2010/06/17 22:14:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Mozilla
[2010/06/17 22:12:43 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010/06/15 20:58:30 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2010/06/15 20:26:19 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/06/14 10:25:06 | 000,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor
[2010/06/12 18:32:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\My Games
[2010/06/12 18:32:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\My Games
[2010/06/12 18:02:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\InstallShield
[2010/06/12 16:21:13 | 000,000,000 | ---D | C] -- C:\Program Files\Firaxis Games
[2010/06/12 13:24:11 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/06/02 00:57:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/06/02 00:25:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/06/02 00:25:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/05/31 17:46:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\.mcreference
[2010/05/31 17:46:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\AcceleratorKit
[2010/05/31 17:45:38 | 000,000,000 | ---D | C] -- C:\Program Files\MainConcept
[2010/05/31 16:55:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\MainConcept
[2010/05/31 16:43:50 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\MainConcept
[2010/05/31 10:30:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\WinRAR
[2010/05/31 10:30:06 | 000,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2010/05/31 09:44:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\MPEG Streamclip
[2010/05/29 12:48:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/05/29 12:48:34 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/05/29 12:48:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
[2010/05/29 12:48:12 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/05/26 09:38:27 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2010/05/26 09:16:47 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting
[2010/05/26 09:16:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\l2schemas
[2010/05/26 09:16:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en
[2010/05/26 09:16:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\bits
[2010/05/26 09:11:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\network diagnostic
[2010/05/26 09:06:29 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstall$
[2010/05/26 09:05:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\EHome
[2010/05/19 11:48:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Aiseesoft Studio
[2010/05/19 11:48:16 | 000,000,000 | ---D | C] -- C:\Program Files\Aiseesoft Studio
[2010/05/13 23:31:24 | 000,000,000 | ---D | C] -- C:\Program Files\AC3Filter
[2010/05/12 12:13:16 | 000,000,000 | -HSD | C] -- C:\WINDOWS\ftpcache
[2010/05/12 00:13:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\DivX
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[11 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/08/01 11:46:43 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/08/01 11:46:40 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/01 11:46:11 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/01 01:18:38 | 006,291,456 | ---- | M] () -- C:\Documents and Settings\Owner\ntuser.dat
[2010/08/01 01:18:38 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2010/08/01 01:18:30 | 003,783,934 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[2010/08/01 01:16:05 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/07/31 18:42:52 | 001,444,896 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/07/31 18:04:12 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/07/31 13:20:37 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/07/31 13:20:15 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/07/31 08:48:46 | 000,154,937 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Internet-legendesA.pdf
[2010/07/29 10:02:10 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/07/29 09:50:52 | 003,746,693 | R--- | M] () -- C:\Documents and Settings\Owner\Desktop\etavaresCF.exe
[2010/07/28 22:54:33 | 000,185,344 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/07/28 16:16:45 | 006,069,448 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\DK_Quebec%20guide.pdf
[2010/07/28 10:00:56 | 000,296,400 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\aug tide tables hopewell rocks.pdf
[2010/07/28 09:10:24 | 000,055,296 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\MBRCheck.exe
[2010/07/27 15:59:34 | 003,277,800 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\map of plains of abraham.pdf
[2010/07/26 21:42:10 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/07/25 11:34:21 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/07/23 13:58:16 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/18 19:00:31 | 000,423,656 | ---- | M] (Oracle) -- C:\WINDOWS\System32\deployJava1.dll
[2010/07/18 19:00:31 | 000,153,376 | ---- | M] (Oracle) -- C:\WINDOWS\System32\javaws.exe
[2010/07/18 19:00:31 | 000,145,184 | ---- | M] (Oracle) -- C:\WINDOWS\System32\javaw.exe
[2010/07/18 19:00:31 | 000,145,184 | ---- | M] (Oracle) -- C:\WINDOWS\System32\java.exe
[2010/07/18 19:00:31 | 000,073,728 | ---- | M] (Oracle) -- C:\WINDOWS\System32\javacpl.cpl
[2010/07/18 18:59:00 | 000,875,296 | ---- | M] (Oracle) -- C:\Documents and Settings\Owner\Desktop\jre-6u21-windows-i586-iftw-rv.exe
[2010/07/18 09:23:55 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\gmer.zip
[2010/07/18 09:18:21 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2010/07/18 09:16:01 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Owner\defogger_reenable
[2010/07/16 08:59:35 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/07/14 01:58:11 | 000,000,312 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\spider.sav
[2010/07/08 18:32:38 | 000,031,568 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/07/08 12:50:27 | 000,001,736 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Acrobat 8 Professional.lnk
[2010/06/29 13:11:30 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/06/28 15:57:33 | 000,038,848 | ---- | M] (ALWIL Software) -- C:\WINDOWS\avastSS.scr
[2010/06/28 15:57:12 | 000,165,032 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/06/28 15:37:52 | 000,046,672 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/06/28 15:37:30 | 000,165,456 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/06/28 15:33:13 | 000,023,376 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/06/28 15:32:45 | 000,100,176 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/06/28 15:32:42 | 000,094,544 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/06/28 15:32:33 | 000,017,744 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/06/28 15:32:16 | 000,028,880 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/06/27 11:15:36 | 000,000,796 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Artist's Butler 2.8.lnk
[2010/06/27 11:13:25 | 000,001,690 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\wklnhst.dat
[2010/06/21 13:52:11 | 002,792,740 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\carte-map.pdf
[2010/06/21 13:43:35 | 000,037,235 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\10437401.jpg
[2010/06/21 13:41:03 | 000,282,850 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\15650254.jpg
[2010/06/20 12:48:10 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\HiJackThis.lnk
[2010/06/17 23:00:27 | 000,355,086 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/17 23:00:27 | 000,311,604 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/17 23:00:27 | 000,039,992 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/06/17 22:20:59 | 000,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat
[2010/06/17 22:13:30 | 000,001,620 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/06/17 22:13:29 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\celestial.lnk
[2010/06/14 09:53:23 | 025,870,336 | ---- | M] () -- C:\WINDOWS\System32\KJCMS
[2010/06/12 18:26:24 | 000,002,130 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Sid Meier's Civilization 4 - Beyond the Sword.lnk
[2010/06/12 18:05:46 | 000,000,947 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Launch Sid Meier's Civilization 4 - Warlords.lnk
[2010/06/12 18:03:24 | 000,000,977 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Launch Sid Meier's Civilization 4.lnk
[2010/06/12 13:28:25 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/06/12 13:28:23 | 000,000,507 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/06/11 21:25:32 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/06/10 14:21:19 | 000,000,804 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2010/05/31 17:45:58 | 000,000,756 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\MainConcept Reference.lnk
[2010/05/29 12:48:42 | 000,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/05/26 09:41:01 | 000,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2010/05/26 09:10:55 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/05/16 07:16:16 | 000,001,915 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2010/05/12 00:18:55 | 000,001,469 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\DivX Movies.lnk
[2010/05/12 00:18:27 | 000,000,777 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\DivX Plus Player.lnk
[2010/05/12 00:18:01 | 000,000,817 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\DivX Plus Converter.lnk
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[11 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/07/31 08:48:46 | 000,154,937 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Internet-legendesA.pdf
[2010/07/29 10:02:09 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/07/29 10:02:04 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/07/29 09:58:13 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/07/29 09:58:13 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/07/29 09:58:13 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/07/29 09:58:13 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/07/29 09:58:13 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/07/29 09:51:10 | 003,746,693 | R--- | C] () -- C:\Documents and Settings\Owner\Desktop\etavaresCF.exe
[2010/07/28 16:16:44 | 006,069,448 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\DK_Quebec%20guide.pdf
[2010/07/28 10:00:56 | 000,296,400 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\aug tide tables hopewell rocks.pdf
[2010/07/28 09:10:30 | 000,055,296 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\MBRCheck.exe
[2010/07/27 15:59:34 | 003,277,800 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\map of plains of abraham.pdf
[2010/07/18 09:24:03 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\gmer.zip
[2010/07/18 09:18:28 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2010/07/18 09:16:01 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\defogger_reenable
[2010/07/08 12:50:27 | 000,001,736 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Acrobat 8 Professional.lnk
[2010/06/27 11:15:36 | 000,000,796 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Artist's Butler 2.8.lnk
[2010/06/21 13:52:11 | 002,792,740 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\carte-map.pdf
[2010/06/21 13:43:35 | 000,037,235 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\10437401.jpg
[2010/06/21 13:41:03 | 000,282,850 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\15650254.jpg
[2010/06/17 22:20:59 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/06/17 22:13:30 | 000,001,620 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/06/17 22:13:29 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\celestial.lnk
[2010/06/15 20:26:21 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\HiJackThis.lnk
[2010/06/14 09:52:39 | 025,870,336 | ---- | C] () -- C:\WINDOWS\System32\KJCMS
[2010/06/12 18:26:24 | 000,002,130 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Sid Meier's Civilization 4 - Beyond the Sword.lnk
[2010/06/12 17:53:15 | 000,000,947 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Launch Sid Meier's Civilization 4 - Warlords.lnk
[2010/06/12 16:21:18 | 000,000,977 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Launch Sid Meier's Civilization 4.lnk
[2010/06/11 21:25:32 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/05/31 17:45:58 | 000,000,756 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\MainConcept Reference.lnk
[2010/05/29 12:48:42 | 000,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/05/16 07:16:16 | 000,001,915 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2010/05/13 23:31:25 | 000,497,664 | ---- | C] () -- C:\WINDOWS\System32\ac3filter.acm
[2010/05/12 00:18:27 | 000,000,777 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\DivX Plus Player.lnk
[2010/05/12 00:18:01 | 000,000,817 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\DivX Plus Converter.lnk
[2010/01/25 13:39:24 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\AlbumDSLR.dll
[2010/01/18 13:19:36 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/01/17 18:13:39 | 002,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2010/01/14 14:49:06 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2010/01/13 19:36:42 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll.old

========== LOP Check ==========

[2010/02/21 17:22:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/01/13 19:51:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Rogers Online Protection
[2010/06/14 10:35:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/02/26 18:58:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\ameCache
[2010/07/29 00:53:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\BitTorrent
[2010/06/19 20:20:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Facebook
[2010/05/31 16:55:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\MainConcept
[2010/05/31 09:44:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\MPEG Streamclip
[2010/01/13 19:51:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Rogers Online Protection

========== Purity Check ==========



========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[4 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\*.sys /90 >
[4 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2010/02/10 15:27:54 | 000,237,568 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2010/02/09 20:27:50 | 000,040,960 | ---- | M] () -- C:\WINDOWS\system32\config\security.sav
[2010/02/10 15:27:54 | 025,690,112 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2010/02/10 15:27:54 | 003,932,160 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %SYSTEMDRIVE%\*.* >
[2010/01/13 17:15:58 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010/06/12 13:28:25 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/07/29 10:02:10 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2004/08/03 23:00:00 | 000,260,272 | ---- | M] () -- C:\cmldr
[2010/07/31 13:30:53 | 000,019,588 | ---- | M] () -- C:\ComboFix.txt
[2010/01/13 17:15:58 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2010/01/13 17:15:58 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/01/13 17:15:58 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/04 05:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2010/05/26 09:10:55 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/08/01 11:45:58 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >
[2009/07/31 15:58:00 | 000,192,512 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\EKIJ5000PPR.dll

< %systemroot%\*. /mp /s >


< MD5 for: AGP440.SYS >
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2010/05/26 09:05:00 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2010/05/26 09:05:00 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/04 05:00:00 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2010/05/26 09:05:00 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2010/05/26 09:05:00 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\Qoobox\32788R22FWJFW\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 05:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 05:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: IASTOR.SYS >
[2006/05/11 11:30:52 | 000,247,808 | ---- | M] (Intel Corporation) MD5=294110966CEDD127629C5BE48367C8CF -- C:\WINDOWS\dell\iastor\iastor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2009/02/06 13:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 13:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2004/08/04 05:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: NVATABUS.SYS >
[2006/03/16 19:51:32 | 000,099,840 | ---- | M] (NVIDIA Corporation) MD5=B7FB72492B753930EC70A0F49D04F12F -- C:\WINDOWS\dell\nvraid\NvAtaBus.sys

< MD5 for: SCECLI.DLL >
[2004/08/04 05:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: USER32.DLL >
[2010/06/15 20:27:05 | 000,578,560 | ---- | M] (Microsoft Corporation) MD5=B26B135FF1B9F60C9388B4A7D16F600B -- C:\WINDOWS\ERDNT\cache\user32.DLL
[2008/04/13 19:12:08 | 000,578,560 | ---- | M] (Microsoft Corporation) MD5=B26B135FF1B9F60C9388B4A7D16F600B -- C:\WINDOWS\ServicePackFiles\i386\user32.dll
[2010/06/15 20:27:05 | 000,578,560 | ---- | M] (Microsoft Corporation) MD5=B26B135FF1B9F60C9388B4A7D16F600B -- C:\WINDOWS\system32\user32.DLL
[2004/08/04 05:00:00 | 000,577,024 | ---- | M] (Microsoft Corporation) MD5=C72661F8552ACE7C5C85E16A3CF505C4 -- C:\WINDOWS\$NtServicePackUninstall$\user32.dll

< MD5 for: WS2_32.DLL >
[2008/04/13 19:12:10 | 000,082,432 | ---- | M] (Microsoft Corporation) MD5=2CCC474EB85CEAA3E1FA1726580A3E5A -- C:\WINDOWS\ERDNT\cache\ws2_32.dll
[2008/04/13 19:12:10 | 000,082,432 | ---- | M] (Microsoft Corporation) MD5=2CCC474EB85CEAA3E1FA1726580A3E5A -- C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll
[2008/04/13 19:12:10 | 000,082,432 | ---- | M] (Microsoft Corporation) MD5=2CCC474EB85CEAA3E1FA1726580A3E5A -- C:\WINDOWS\system32\ws2_32.dll
[2004/08/04 05:00:00 | 000,082,944 | ---- | M] (Microsoft Corporation) MD5=2ED0B7F12A60F90092081C50FA0EC2B2 -- C:\WINDOWS\$NtServicePackUninstall$\ws2_32.dll

< %systemroot%\*. /mp /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

========== Alternate Data Streams ==========

@Alternate Data Stream - 177 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >



Thanks again for all your help! - Andrea

#12 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:33 PM

Posted 01 August 2010 - 03:24 PM

Hello, absentmind81.

We're getting there. How is it running? Let's get a second opinion with an online scan.



Step 1

Please pull anything out of the recycle bin that you want to save. Part of this fix will empty temp files, and that does include the recycle bin.

We need run an OTL Script
  1. Please download OTL from one of the following mirrors if you do not still have it.
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Paste the following code under the Custom Scans/Fixes box at the bottom. Do not include the word "Code".
    CODE
    :OTL
    SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
    SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
    DRV - File not found [Kernel | Auto | Stopped] -- C:\WINDOWS\System32\PfModNT.sys -- (PfModNT)
    O3 - HKU\S-1-5-21-117609710-1078081533-839522115-1003\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
    O3 - HKU\S-1-5-21-117609710-1078081533-839522115-1003\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll File not found
    :Commands
    [EmptyTemp]
  5. Click the Run Fix button at the top.
  6. let the program run unhindered and reboot when it is done.
  7. You will get a log when it is done, please post that in your reply.
  8. Please then create a new OTL report....
  9. Click the "Scan All Users" checkbox.
  10. Push the button.
  11. A report will open, copy and paste it in a reply here.



Step 2

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#13 absentmind81

absentmind81
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:33 PM

Posted 03 August 2010 - 08:15 AM

My computer seems to be running better. I have not had any browser redirects. When I ran the ESET scan, it said there were no threats, and it gave me no option other than to finish, so I do not have a log file for that.
Here are the other log files as requested. Does this mean my computer is safe now??
Thanks, Andrea


All processes killed
========== OTL ==========
Service HidServ stopped successfully!
Service HidServ deleted successfully!
File C:\WINDOWS\System32\hidserv.dll not found.
Service AppMgmt stopped successfully!
Service AppMgmt deleted successfully!
File C:\WINDOWS\System32\appmgmts.dll not found.
Service PfModNT stopped successfully!
Service PfModNT deleted successfully!
File C:\WINDOWS\System32\PfModNT.sys not found.
Registry value HKEY_USERS\S-1-5-21-117609710-1078081533-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{472734EA-242A-422B-ADF8-83D1E48CC825} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{472734EA-242A-422B-ADF8-83D1E48CC825}\ not found.
Registry value HKEY_USERS\S-1-5-21-117609710-1078081533-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93}\ deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 65748 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 13 bytes
->Flash cache emptied: 17610 bytes

User: Owner
->Temp folder emptied: 18807920 bytes
->Temporary Internet Files folder emptied: 37414546 bytes
->Java cache emptied: 1330606 bytes
->FireFox cache emptied: 92302199 bytes
->Google Chrome cache emptied: 7551129 bytes
->Flash cache emptied: 2682752 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 4370793 bytes
%systemroot%\System32 .tmp files removed: 2832913 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 6466 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 2413367 bytes
RecycleBin emptied: 3536927058 bytes

Total Files Cleaned = 3,535.00 mb


OTL by OldTimer - Version 3.2.9.1 log created on 08022010_170318

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...









OTL logfile created on: 8/02/10 5:11:43 PM - Run 3
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: M/dd/yy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 79.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 94.00% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 26.97 Gb Free Space | 36.20% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 931.51 Gb Total Space | 485.35 Gb Free Space | 52.10% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LAVOY
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/07/25 11:34:21 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2010/07/06 16:32:51 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
PRC - [2010/06/28 15:57:15 | 000,040,384 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/09/11 06:27:06 | 000,028,672 | R--- | M] () -- C:\Program Files\SVRemote\USB20Remote.exe
PRC - [2007/05/10 22:46:20 | 000,624,248 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe


========== Modules (SafeList) ==========

MOD - [2010/07/25 11:34:21 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/07/06 16:32:51 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Running] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2010/06/28 15:57:15 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/06/28 15:57:15 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/06/28 15:57:15 | 000,040,384 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2007/03/20 16:41:24 | 000,153,792 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe -- (Adobe Version Cue CS3)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\etavaresCF23411e\catchme.sys -- (catchme)
DRV - [2010/06/28 15:37:52 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/06/28 15:37:30 | 000,165,456 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/06/28 15:33:13 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/06/28 15:32:45 | 000,100,176 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2010/06/28 15:32:33 | 000,017,744 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/06/28 15:32:16 | 000,028,880 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2010/05/29 13:06:59 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/05/29 13:06:59 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
DRV - [2010/05/29 13:06:59 | 000,012,872 | ---- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2007/09/11 06:26:58 | 000,077,184 | R--- | M] (Trident Multimedia Technologies Co.,Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TridVid.sys -- (TridVid)
DRV - [2006/03/01 21:30:54 | 000,618,880 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC52.sys -- (IntelC52)
DRV - [2005/05/06 15:42:26 | 001,339,776 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC51.sys -- (IntelC51)
DRV - [2005/05/06 15:40:50 | 000,047,360 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC53.sys -- (IntelC53)
DRV - [2005/05/06 15:40:20 | 000,036,880 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mohfilt.sys -- (mohfilt)
DRV - [2004/09/17 10:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2001/12/19 12:45:00 | 000,008,576 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\VCdRom.sys -- (vcdrom)
DRV - [2001/08/17 14:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-117609710-1078081533-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
IE - HKU\S-1-5-21-117609710-1078081533-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {F8A55C97-3DB6-4961-A81D-0DE0080E53CB}:0.9.2
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.7
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.7.4
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/25 08:30:22 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/25 08:30:22 | 000,000,000 | ---D | M]

[2010/06/17 22:14:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2010/08/02 16:44:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\frhcpx6r.default\extensions
[2010/07/16 10:29:09 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\frhcpx6r.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2010/07/16 10:26:49 | 000,000,000 | ---D | M] (Download Statusbar) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\frhcpx6r.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2010/06/18 12:29:11 | 000,000,000 | ---D | M] (Download Manager Tweak) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\frhcpx6r.default\extensions\{F8A55C97-3DB6-4961-A81D-0DE0080E53CB}
[2010/08/02 16:44:20 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/07/18 19:00:51 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/07/18 19:00:31 | 000,423,656 | ---- | M] (Oracle) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/07/31 13:20:15 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe_ID0EYTHM] C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3Tray.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [SVRemote] c:\Program Files\SVRemote\USB20Remote.exe ()
O4 - HKU\S-1-5-21-117609710-1078081533-839522115-1003..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-117609710-1078081533-839522115-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-117609710-1078081533-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-117609710-1078081533-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-117609710-1078081533-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/C/0...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 64.71.255.198
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/01/13 17:15:58 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\.DEFAULT\...exe [@ = secfile] -- "%1" %*
O37 - HKU\S-1-5-18\...exe [@ = secfile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/08/02 17:03:18 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/08/01 13:17:24 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/07/31 07:02:31 | 000,744,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\helpsvc.exe
[2010/07/31 07:01:48 | 000,743,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedvtool.dll
[2010/07/30 22:06:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/07/30 21:47:01 | 000,000,000 | ---D | C] -- C:\etavaresCF4752e
[2010/07/29 10:02:02 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/07/29 09:58:13 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/07/29 09:58:13 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/07/29 09:58:13 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/07/29 09:58:13 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/07/29 09:57:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/07/29 09:57:48 | 000,000,000 | ---D | C] -- C:\etavaresCF
[2010/07/29 09:57:15 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/07/25 17:43:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\WMTools Downloaded Files
[2010/07/25 11:34:25 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/07/23 17:29:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/07/18 19:07:01 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2010/07/18 19:01:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/07/18 19:01:01 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/07/18 19:00:49 | 000,423,656 | ---- | C] (Oracle) -- C:\WINDOWS\System32\deployJava1.dll
[2010/07/18 19:00:49 | 000,153,376 | ---- | C] (Oracle) -- C:\WINDOWS\System32\javaws.exe
[2010/07/18 19:00:49 | 000,145,184 | ---- | C] (Oracle) -- C:\WINDOWS\System32\javaw.exe
[2010/07/18 19:00:49 | 000,145,184 | ---- | C] (Oracle) -- C:\WINDOWS\System32\java.exe
[2010/07/18 19:00:49 | 000,073,728 | ---- | C] (Oracle) -- C:\WINDOWS\System32\javacpl.cpl
[2010/07/18 19:00:25 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010/07/18 18:59:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Sun
[2010/07/18 18:59:01 | 000,875,296 | ---- | C] (Oracle) -- C:\Documents and Settings\Owner\Desktop\jre-6u21-windows-i586-iftw-rv.exe
[2010/07/18 09:26:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\gmer
[2010/07/17 13:18:38 | 000,000,000 | ---D | C] -- C:\Program Files\ConvertHelper
[2010/07/16 10:32:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\dwhelper
[2010/07/15 00:38:45 | 000,008,704 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdjpn.dll
[2010/07/15 00:38:45 | 000,008,704 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdjpn.dll
[2010/07/15 00:38:45 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdkor.dll
[2010/07/15 00:38:45 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdkor.dll
[2010/07/15 00:38:45 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbd101c.dll
[2010/07/15 00:38:45 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbd101c.dll
[2010/07/15 00:38:45 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbd103.dll
[2010/07/15 00:38:45 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbd103.dll
[2010/07/15 00:38:37 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbd101b.dll
[2010/07/15 00:38:37 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbd101b.dll
[2010/07/15 00:38:36 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbd106.dll
[2010/07/15 00:38:36 | 000,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbd106.dll
[2010/07/11 15:04:05 | 000,090,112 | ---- | C] (MindVision Software) -- C:\WINDOWS\unvise32.exe
[2010/07/08 14:12:17 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Control Panels
[2010/07/08 14:08:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ALM
[2010/07/06 16:44:49 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/07/06 16:32:51 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Macrovision Shared

========== Files - Modified Within 30 Days ==========

[2010/08/02 17:06:58 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/08/02 17:06:57 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/02 17:06:34 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/02 17:05:48 | 006,291,456 | ---- | M] () -- C:\Documents and Settings\Owner\ntuser.dat
[2010/08/02 17:05:48 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2010/08/02 16:59:46 | 000,185,344 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/08/02 16:16:05 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/08/01 20:14:40 | 001,856,075 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\MainEntranceSign.JPG
[2010/08/01 01:18:30 | 003,783,934 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[2010/07/31 18:42:52 | 001,444,896 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/07/31 18:04:12 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/07/31 13:20:37 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/07/31 13:20:15 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/07/31 08:48:46 | 000,154,937 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Internet-legendesA.pdf
[2010/07/29 10:02:10 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/07/29 09:50:52 | 003,746,693 | R--- | M] () -- C:\Documents and Settings\Owner\Desktop\etavaresCF.exe
[2010/07/28 16:16:45 | 006,069,448 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\DK_Quebec%20guide.pdf
[2010/07/28 10:00:56 | 000,296,400 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\aug tide tables hopewell rocks.pdf
[2010/07/28 09:10:24 | 000,055,296 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\MBRCheck.exe
[2010/07/27 15:59:34 | 003,277,800 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\map of plains of abraham.pdf
[2010/07/26 21:42:10 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/07/25 11:34:21 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/07/23 13:58:16 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/18 19:00:31 | 000,423,656 | ---- | M] (Oracle) -- C:\WINDOWS\System32\deployJava1.dll
[2010/07/18 19:00:31 | 000,153,376 | ---- | M] (Oracle) -- C:\WINDOWS\System32\javaws.exe
[2010/07/18 19:00:31 | 000,145,184 | ---- | M] (Oracle) -- C:\WINDOWS\System32\javaw.exe
[2010/07/18 19:00:31 | 000,145,184 | ---- | M] (Oracle) -- C:\WINDOWS\System32\java.exe
[2010/07/18 19:00:31 | 000,073,728 | ---- | M] (Oracle) -- C:\WINDOWS\System32\javacpl.cpl
[2010/07/18 18:59:00 | 000,875,296 | ---- | M] (Oracle) -- C:\Documents and Settings\Owner\Desktop\jre-6u21-windows-i586-iftw-rv.exe
[2010/07/18 09:23:55 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\gmer.zip
[2010/07/18 09:18:21 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2010/07/18 09:16:01 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Owner\defogger_reenable
[2010/07/16 08:59:35 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/07/14 01:58:11 | 000,000,312 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\spider.sav
[2010/07/08 18:32:38 | 000,031,568 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/07/08 12:50:27 | 000,001,736 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Acrobat 8 Professional.lnk

========== Files Created - No Company Name ==========

[2010/08/01 20:14:38 | 001,856,075 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\MainEntranceSign.JPG
[2010/07/31 08:48:46 | 000,154,937 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Internet-legendesA.pdf
[2010/07/29 10:02:09 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/07/29 10:02:04 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/07/29 09:58:13 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/07/29 09:58:13 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/07/29 09:58:13 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/07/29 09:58:13 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/07/29 09:58:13 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/07/29 09:51:10 | 003,746,693 | R--- | C] () -- C:\Documents and Settings\Owner\Desktop\etavaresCF.exe
[2010/07/28 16:16:44 | 006,069,448 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\DK_Quebec%20guide.pdf
[2010/07/28 10:00:56 | 000,296,400 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\aug tide tables hopewell rocks.pdf
[2010/07/28 09:10:30 | 000,055,296 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\MBRCheck.exe
[2010/07/27 15:59:34 | 003,277,800 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\map of plains of abraham.pdf
[2010/07/18 09:24:03 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\gmer.zip
[2010/07/18 09:18:28 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2010/07/18 09:16:01 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\defogger_reenable
[2010/07/08 12:50:27 | 000,001,736 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Acrobat 8 Professional.lnk
[2010/01/25 13:39:24 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\AlbumDSLR.dll
[2010/01/18 13:19:36 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/01/17 18:13:39 | 002,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2010/01/14 14:49:06 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2010/01/13 19:36:42 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll.old

========== Alternate Data Streams ==========

@Alternate Data Stream - 177 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >


#14 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:33 PM

Posted 04 August 2010 - 06:22 PM

Hello, absentmind81.

Ok, good news. Your log appears clean. Let's clean up our mess. If your computer is running well; please do the steps listed below. At the end, I've also listed a few completely optional things you can do to further secure your computer. Safe surfing!



Step 1

Uninstall ComboFix and Clean Up
Click Start > Run and type combofix /Uninstall click OK (Note the space between combofix and /Uninstall) See below:

Please advise if this step is missed for any reason as it performs some important actions.

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • If that link doesn't work, try this one.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

Optional Items

Please take the time to read below to secure your machine and take the necessary steps to keep it that way.


System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve preformance. If you are running Windows Vista or Windows 7, please right-click on the icon, and select "Run As Administrator"; otherwise it won't work.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware

Protect yourself from malicious sites

The HOSTS file can protect you from connecting to bad sites. See The Hosts File and what it can do for you for more background.

Please download HostMan. It safeguards you with a regularly updated Hosts-file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installlation and setting up, follow these steps:
  1. Double-click the Downloaded installer and install the tool to a location of your choice
  2. Via the Startmenu, navigate to HostsMan and run the program.
    1. Click "Hosts" in the menu
    2. Click "Manage Updates" in the submenu
    3. Out of the three, select atleast one of the three (I have MVPS Host as my main one)
    4. Click "Add Update." After that you will only need to click on the following button to retrieve updates:
  3. Click the X to exit the program.
  4. Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.


Keep Windows Up to Date
It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the programs virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Use a Firewall

I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls

Install an AntiSpyware Program

A highly recommended AntiSpyware program isMalwarebytes Anti-Malware. You can download the free version..

Installing this program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.

Update all these programs regularly
Make sure you update all your programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Good luck!

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#15 absentmind81

absentmind81
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:33 PM

Posted 05 August 2010 - 12:13 AM

THANK YOU!!!!! thank you so much for all your help. much appreciated!!!!!!
Sincerely, Andrea




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users