
Virus? Rootkit? Help, Please


  • This topic is locked
17 replies to this topic

#1 runtotorun121

runtotorun121

  • Members
  • 90 posts

Posted 19 October 2010 - 01:06 PM

Hi,
A couple of weeks ago I began having some problems with my computer, and after doing some research and reading a post from another user who described the exact same problems detail by detail, I believe I have an infection with Alureon H. and/or other rootkit infections. My mother was visiting, and I have 13 month old triplets and two doggies, so I have only been sporadically trying to clear up the problem, and after several attempts that seemed somewhat successful I believe I still have either a full-blown infection or remnants of a nasty one.

It is terribly frustrating to me because with the babies and the doggies I have neither enough time nor skill to figure out what in the world is going wrong! I am hopeful someone here will be able to walk me through what I need to do. I will try to describe the symptoms and what I have done already:

The symptoms include(d)
(Some of them have seemed to be resolved at various steps along the way, but I don't know if they are permanently resolved or may still be active but just lying dormant...):

Initially I had the icons show up in my System Tray for 'Antivirus Live'. I would get all the annoying pop-up windows claiming my computer was infected and trying to direct me to websites. As is typical, I initially couldn't access my Task Manager (was denied supposedly by administrator), couldn't uninstall the Antivirus Live program, and found my web browser would randomly pop up sites without any action from me. Eventually I was able to access my Task Manager again, and the 'Antivirus Live' icons were gone from my System Tray. As I remember, at first only one or two of the three icons were gone, but later they all disappeared.

While these things were changed, I found my web browser was still popping up browser tabs, and I found I could not download or later update ‘Microsoft Security Essentials’ to allow it to run so I knew something else was still going on. After I finally accessed Microsoft Security Essentials in Safe Mode and was able to directly save the updates I ran it and found it was identifying ‘Alureon H’. I followed the prompts to remove it, but as I found reference to from others with this infection, the infection was found at least twice before I realized Microsoft Security Essentials was apparently unable to remove it successfully. I continued looking for answers while regularly running my MalwareBytes and SUPERAntispyware scans and then saw someone had used the old Microsoft Live OneCare and also was unable to remove the virus after it was found; however they were able to access customer support services to assist with remotely taking over their computer and clearing things up. Live OneCare initially would freeze, and I suspected the virus was shutting things down, but after I successfully completed the run at one point it did not identify the ‘Alureon H.’ as being present.

Now I thought things might be finished, but once again when I opened my web browser I had random tabs opening up that I assume are redirections by a virus. Upon further searching I then found Kaspersky and GMER as recommendations for identifying and fixing rootkit problems. I have run Kaspersky for the Rootkit.Win32.TDSS, and it immediately 'found' and 'cured' the Rootkit.Win32.TDSS and did not recognize any problems on subsequent scans, so I was hopeful, but the same web-browser-random-tabs-opening thing continued. I have been trying to run GMER, and several times my computer has seemed to freeze up. I tried following suggestions I had found here of unchecking 'Devices' to see if it would run without freezing, but it still froze. Then I followed the suggestion of trying to run it with only 'Sections' checked. That scan finished but did not find any problem. Of course I am wondering if some problematic virus is detecting GMER once it gets to some point and then causes a problem. A couple of other times I was trying to run GMER I encountered the blue screen and an immediate shutdown of my computer.


Recap of things I have done so far:

1. I initially ran Malwarebytes and SuperAntispyware in both Safe Mode with Networking and in regular start-up mode. I also made sure to run the programs under both my user name and the Administrator log-in in Safe Mode, and I checked to make sure that there was no fake proxy server keeping me from getting updates for these programs. I also used ‘rkill’ during these processes and looked in my files and registry for the ‘Antivirus Live’ associated things I had found listed here and other places. I completed the processes to clean up whatever they found, but more continued to show up; however, at some point I was then able to finally access my Task Manager again, and the System Tray Icons for ‘Antivirus Live’ disappeared.

2. I also have SpywareBlaster on my computer.

3. I have run Microsoft Security Essentials several times, and it has found Alureon H more than once and supposedly removed it, but it keeps finding it.

4. I have run Live OneCare that froze several times and then found nothing.

5. I have run Kaspersky for the Rootkit.Win32.TDSS, and it immediately 'found' and 'cured' the Rootkit.Win32.TDSS and has not recognized anything again, so I was hopeful, but the same web-browser-random-tabs-opening thing continued.

6. I have been trying to run GMER, and several times my computer has seemed to freeze up.


At this point, of course, I am doing NOTHING else until I hear from you and look forward to hearing from someone who knows how to help me.

(edited at 10:17pm CST to add:) I am copying and pasting the DDS.txt log and attaching the DDS attachment and the GMER log I finally was able to complete tonight:


DDS (Ver_10-10-10.03) - NTFSx86
Run by Kristie at 14:38:34.45 on Tue 10/19/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.451 [GMT -5:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ico.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Lexmark 5400 Series\lxctmon.exe
C:\Program Files\Lexmark 5400 Series\ezprint.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\RFA\rfagent.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Palm\Hotsync.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\PROGRA~1\Magentic\bin\MgApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\DOCUME~1\Kristie\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\Documents and Settings\Kristie\Desktop\Virus Stuff\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.qvc.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0109&m=aoa150
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 8\SnagItBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [IncrediMail] c:\program files\incredimail\bin\IncMail.exe /c
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Magentic] c:\progra~1\magentic\bin\Magentic.exe /c
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\audio\installshield\AzMixerSel.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [M3000Mnt] Rundll32.exe M3000Rmv.dll ,WinMainRmv /StartStillMnt
mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Mouse Suite 98 Daemon] ico.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [HotSync] "c:\program files\palmsource\desktop\HotSync.exe" -AllUsers
mRun: [zzzHPSETUP] D:\Setup.exe
mRun: [lxctmon.exe] "c:\program files\lexmark 5400 series\lxctmon.exe"
mRun: [Lexmark 5400 Series Fax Server] "c:\program files\lexmark 5400 series\fm3032.exe" /s
mRun: [EzPrint] "c:\program files\lexmark 5400 series\ezprint.exe"
mRun: [LXCTCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCTtime.dll,_RunDLLEntry@16
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [rfagent] "c:\program files\rfa\rfagent.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\audibl~1.lnk - c:\program files\audible\bin\AudibleDownloadHelper.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\snagit~1.lnk - c:\program files\techsmith\snagit 8\SnagIt32.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {707ABFC2-1D27-4A10-A6E4-6BE6BDF9FB11} - hxxp://192.168.1.104/UltraMJCamX.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kristie\applic~1\mozilla\firefox\profiles\vkbsu0rz.default\
FF - prefs.js: browser.startup.homepage - www.qvc.com
FF - component: c:\documents and settings\kristie\application data\mozilla\firefox\profiles\vkbsu0rz.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\kristie\application data\mozilla\firefox\profiles\vkbsu0rz.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\RadioWMPCore.dll
FF - plugin: c:\progra~1\palm\packag~1\NPInstal.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R3 M3000Srv;Acer Crystal Eye webcam Driver;c:\windows\system32\drivers\M3000KNT.sys [2008-5-5 151936]
S0 mtrmmm;mtrmmm;c:\windows\system32\drivers\midx.sys --> c:\windows\system32\drivers\midx.sys [?]
S1 MpKsldb70e1cd;MpKsldb70e1cd;\??\c:\windows\system32\mpenginestore\mpksldb70e1cd.sys --> c:\windows\system32\mpenginestore\MpKsldb70e1cd.sys [?]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe --> c:\progra~1\mcafee\viruss~1\mcshield.exe [?]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-1-22 30192]
S3 iComp;Hauppauge WinTV PVR2 USB2 Encoder;c:\windows\system32\drivers\HCWUSB2.sys [2010-6-24 1464672]
S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2009-1-22 96856]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-1-22 38224]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe --> c:\progra~1\mcafee\viruss~1\mcsysmon.exe [?]
S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2010-10-4 50704]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]

=============== Created Last 30 ================

2010-10-19 14:58:02 6084944 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{7ebd1164-676a-42cb-89e9-73ad8d5a7380}\mpengine.dll
2010-10-19 01:50:20 590848 ----a-w- c:\windows\system32\SETA.tmp
2010-10-18 21:11:38 6084944 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2010-10-11 06:37:31 18560 ----a-w- c:\windows\system32\drivers\rxcesvxy.sys
2010-10-11 06:27:13 -------- d-sh--w- c:\documents and settings\kristie\IECompatCache
2010-10-10 18:20:23 18560 ----a-w- c:\windows\system32\drivers\fttegsbi.sys
2010-10-09 06:50:35 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-10-09 06:13:13 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-10-09 05:36:27 -------- d-----w- c:\docume~1\alluse~1\applic~1\RFA_Backups
2010-10-09 05:36:02 -------- d-----w- c:\program files\RFA
2010-10-06 07:58:54 161 ----a-w- c:\docume~1\kristie\applic~1\asdsada.bat
2010-10-04 22:50:20 -------- d-s---w- C:\ComboFix
2010-10-04 14:08:35 0 ----a-w- c:\windows\Wwowuvebuqa.bin
2010-10-04 14:08:29 -------- d-----w- c:\docume~1\kristie\locals~1\applic~1\{A6027EF4-43C6-43D9-A10A-A1141B1BEA67}
2010-10-04 14:05:38 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2010-10-04 14:05:38 281104 ----a-w- c:\windows\system32\wpcap.dll
2010-10-04 14:05:38 100880 ----a-w- c:\windows\system32\Packet.dll

==================== Find3M ====================

2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

============= FINISH: 14:39:50.95 ===============



Kristie

Edited by runtotorun121, 19 October 2010 - 10:27 PM.
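A triage pass over the DDS log above, added here as an example and not part of the thread or of the DDS tool: it parses the SERVICES / DRIVERS and Created Last 30 sections (using lines excerpted from that log) and flags what a responder would check first, namely services whose image file is missing, scripts created under a user profile, empty files dropped in the Windows root, and newly created drivers that share an identical size. The section titles are taken from the log; the heuristics and field names are my own assumptions.

```python
import re
from collections import defaultdict

# Excerpt of the DDS log posted in this thread (constructed subset of its lines).
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
S0 mtrmmm;mtrmmm;c:\windows\system32\drivers\midx.sys --> c:\windows\system32\drivers\midx.sys [?]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe --> c:\progra~1\mcafee\viruss~1\mcshield.exe [?]
S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2010-10-4 50704]

=============== Created Last 30 ================

2010-10-19 01:50:20 590848 ----a-w- c:\windows\system32\SETA.tmp
2010-10-11 06:37:31 18560 ----a-w- c:\windows\system32\drivers\rxcesvxy.sys
2010-10-10 18:20:23 18560 ----a-w- c:\windows\system32\drivers\fttegsbi.sys
2010-10-09 06:50:35 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-10-06 07:58:54 161 ----a-w- c:\docume~1\kristie\applic~1\asdsada.bat
2010-10-04 14:08:35 0 ----a-w- c:\windows\Wwowuvebuqa.bin
2010-10-04 14:05:38 50704 ----a-w- c:\windows\system32\drivers\npf.sys

==================== Find3M ====================
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<rest>.*)$")
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<time>[\d:]+)\s+(?P<size>\d+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$"
)
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js")


def parse_sections(text):
    """Split a DDS log into {section title: [non-empty lines]} using its '==== title ====' headers."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def triage_services(lines):
    """Flag services/drivers whose image file DDS could not find (the 'path --> path [?]' form)."""
    findings = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        if "-->" in rest and rest.endswith("[?]"):
            path = rest.split("-->", 1)[0].strip()
            findings.append({
                "kind": "missing_service_file",
                "name": m.group("name"),
                "path": path.lower(),
                # Start type 0 = boot start; a missing boot-start driver deserves the closest look.
                "boot_start": m.group("start")[1] == "0",
            })
    return findings


def triage_created(lines):
    """Flag recently created files that match patterns worth a second look (assumed heuristics)."""
    findings = []
    drivers_by_size = defaultdict(list)
    for line in lines:
        m = CREATED_RE.match(line)
        if not m:
            continue
        path, size = m.group("path").lower(), int(m.group("size"))
        name = path.rsplit("\\", 1)[-1]
        if "\\drivers\\" in path and name.endswith(".sys"):
            drivers_by_size[size].append(path)
        if name.endswith(SCRIPT_EXT) and ("\\docume~1\\" in path or "\\documents and settings\\" in path):
            findings.append({"kind": "user_profile_script", "path": path, "size": size})
        # Zero-byte file directly in c:\windows (exactly two separators in the path).
        if size == 0 and path.startswith("c:\\windows\\") and path.count("\\") == 2:
            findings.append({"kind": "empty_file_in_windows", "path": path, "size": size})
    # Two or more newly created drivers with different names but identical size.
    for size, paths in sorted(drivers_by_size.items()):
        if len(set(paths)) >= 2:
            findings.append({"kind": "same_size_drivers", "size": size, "paths": sorted(paths)})
    return findings


def triage(text):
    """Run both passes over a DDS log and return the combined list of findings."""
    sections = parse_sections(text)
    return (triage_services(sections.get("SERVICES / DRIVERS", []))
            + triage_created(sections.get("Created Last 30", [])))


if __name__ == "__main__":
    for finding in triage(SAMPLE_DDS):
        print(finding)
```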



#2 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts

Posted 25 October 2010 - 12:57 PM

Hi runtotorun121,

Welcome to the BleepingComputer Virus, Trojan, Spyware, and Malware Removal Logs Forum.
My name is sundavis, and I will be helping you to deal with your Malware problems today.


Step 1

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then click on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\TDSSKiller folder). Please copy and paste the contents of that file here.


Step 2

  • Please download OTL and save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste the following bolded text:

    %SYSTEMDRIVE%\*.exe
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90

  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • OTListIt.txt will be opened and Extra.txt will be minimized.
  • Copy and paste both logs back here in your next reply.


In your next reply, please post back:

1. TDSSKiller.txt
2. OTListIt.txt and Extra.txt

Thanks

#3 runtotorun121

runtotorun121
  • Topic Starter

  • Members
  • 90 posts

Posted 25 October 2010 - 02:35 PM

Hi sundavis :)

Thank you for helping me out.

Here is a current TDSSKiller report:

2010/10/25 14:05:40.0796 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59
2010/10/25 14:05:40.0796 ================================================================================
2010/10/25 14:05:40.0796 SystemInfo:
2010/10/25 14:05:40.0796
2010/10/25 14:05:40.0796 OS Version: 5.1.2600 ServicePack: 3.0
2010/10/25 14:05:40.0796 Product type: Workstation
2010/10/25 14:05:40.0796 ComputerName: MYBDAYGIFT
2010/10/25 14:05:40.0796 UserName: Kristie
2010/10/25 14:05:40.0796 Windows directory: C:\WINDOWS
2010/10/25 14:05:40.0796 System windows directory: C:\WINDOWS
2010/10/25 14:05:40.0796 Processor architecture: Intel x86
2010/10/25 14:05:40.0796 Number of processors: 2
2010/10/25 14:05:40.0796 Page size: 0x1000
2010/10/25 14:05:40.0796 Boot type: Normal boot
2010/10/25 14:05:40.0796 ================================================================================
2010/10/25 14:05:42.0625 Initialize success
2010/10/25 14:05:46.0343 ================================================================================
2010/10/25 14:05:46.0343 Scan started
2010/10/25 14:05:46.0343 Mode: Manual;
2010/10/25 14:05:46.0343 ================================================================================
2010/10/25 14:06:06.0703 M3000Srv (29ed05c1dafd2e830dfe48de212dd34f) C:\WINDOWS\system32\Drivers\M3000KNT.sys
2010/10/25 14:06:06.0984 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/10/25 14:06:07.0078 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/10/25 14:06:07.0171 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/10/25 14:06:07.0265 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/10/25 14:06:07.0343 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/10/25 14:06:07.0703 MpFilter (c98301ad8173a2235a9ab828955c32bb) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
2010/10/25 14:06:07.0953 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2010/10/25 14:06:08.0062 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/10/25 14:06:08.0156 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/10/25 14:06:08.0421 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/10/25 14:06:08.0484 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/10/25 14:06:08.0562 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/10/25 14:06:08.0640 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/10/25 14:06:08.0703 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/10/25 14:06:08.0875 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2010/10/25 14:06:08.0984 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/10/25 14:06:09.0046 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2010/10/25 14:06:09.0171 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/10/25 14:06:09.0484 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2010/10/25 14:06:09.0625 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/10/25 14:06:09.0843 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/10/25 14:06:09.0906 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/10/25 14:06:10.0093 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/10/25 14:06:10.0265 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/10/25 14:06:10.0343 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/10/25 14:06:10.0656 NPF (b9730495e0cf674680121e34bd95a73b) C:\WINDOWS\system32\drivers\NPF.sys
2010/10/25 14:06:10.0921 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/10/25 14:06:11.0031 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/10/25 14:06:11.0406 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/10/25 14:06:11.0609 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/10/25 14:06:11.0875 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/10/25 14:06:12.0031 PalmUSBD (dc450992eba6f914080c1f7fbeeed72c) C:\WINDOWS\system32\drivers\PalmUSBD.sys
2010/10/25 14:06:12.0093 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2010/10/25 14:06:12.0515 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/10/25 14:06:12.0578 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/10/25 14:06:12.0625 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/10/25 14:06:12.0734 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/10/25 14:06:13.0078 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/10/25 14:06:13.0359 pelmouse (95b64e97c0b618b90d87a8ff4ac0b53d) C:\WINDOWS\system32\DRIVERS\pelmouse.sys
2010/10/25 14:06:13.0421 pelusblf (6109a990d5832e0a93d1e4948cfa2ae2) C:\WINDOWS\system32\DRIVERS\pelusblf.sys
2010/10/25 14:06:13.0593 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2010/10/25 14:06:13.0656 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2010/10/25 14:06:13.0890 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/10/25 14:06:13.0953 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/10/25 14:06:13.0984 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/10/25 14:06:14.0015 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2010/10/25 14:06:14.0046 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2010/10/25 14:06:14.0078 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2010/10/25 14:06:14.0125 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2010/10/25 14:06:14.0171 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2010/10/25 14:06:14.0359 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/10/25 14:06:14.0437 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/10/25 14:06:14.0593 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/10/25 14:06:14.0656 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/10/25 14:06:14.0718 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/10/25 14:06:14.0765 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/10/25 14:06:14.0875 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/10/25 14:06:15.0109 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/10/25 14:06:15.0218 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/10/25 14:06:15.0375 RTLE8023xp (f0a21c62b9b835e1c96268eaae31d239) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
2010/10/25 14:06:15.0546 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2010/10/25 14:06:15.0609 SASENUM (7ce61c25c159f50f9eaf6d77fc83fa35) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
2010/10/25 14:06:15.0671 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2010/10/25 14:06:16.0046 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/10/25 14:06:16.0296 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2010/10/25 14:06:16.0437 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/10/25 14:06:16.0578 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2010/10/25 14:06:16.0687 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2010/10/25 14:06:16.0921 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2010/10/25 14:06:16.0984 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/10/25 14:06:17.0046 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/10/25 14:06:17.0156 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/10/25 14:06:17.0281 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2010/10/25 14:06:17.0484 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/10/25 14:06:17.0546 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/10/25 14:06:17.0625 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2010/10/25 14:06:17.0671 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2010/10/25 14:06:17.0734 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2010/10/25 14:06:17.0843 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2010/10/25 14:06:17.0921 SynTP (409f7eeb079d6154ccb26a02e6e27844) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2010/10/25 14:06:17.0984 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/10/25 14:06:18.0203 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/10/25 14:06:18.0343 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/10/25 14:06:18.0406 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/10/25 14:06:18.0484 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/10/25 14:06:18.0546 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2010/10/25 14:06:18.0750 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/10/25 14:06:18.0812 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2010/10/25 14:06:18.0921 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/10/25 14:06:19.0171 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/10/25 14:06:19.0296 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/10/25 14:06:19.0375 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/10/25 14:06:19.0531 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/10/25 14:06:19.0578 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/10/25 14:06:19.0703 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/10/25 14:06:19.0906 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/10/25 14:06:20.0000 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/10/25 14:06:20.0062 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2010/10/25 14:06:20.0109 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2010/10/25 14:06:20.0281 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/10/25 14:06:20.0421 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/10/25 14:06:20.0500 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/10/25 14:06:20.0609 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2010/10/25 14:06:20.0750 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2010/10/25 14:06:21.0125 ================================================================================
2010/10/25 14:06:21.0125 Scan finished
2010/10/25 14:06:21.0125 ================================================================================
And here is the OTListIt report:

OTL logfile created on: 10/25/2010 2:24:43 PM - Run 1
OTL by OldTimer - Version 3.2.17.1 Folder = C:\Documents and Settings\Kristie\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,012.00 Mb Total Physical Memory | 172.00 Mb Available Physical Memory | 17.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 50.00% Paging File free
Paging file location(s): C:\pagefile.sys 1512 3024 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 144.17 Gb Total Space | 108.72 Gb Free Space | 75.41% Space Free | Partition Type: NTFS

Computer Name: MYBDAYGIFT | User Name: Kristie | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/10/25 14:04:32 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Kristie\Desktop\OTL.exe
PRC - [2010/10/19 22:52:16 | 002,424,560 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\31fd459c-937e-4a1c-a47c-e804f24ee32f.com
PRC - [2010/09/22 11:52:16 | 000,014,808 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\plugin-container.exe
PRC - [2010/09/22 11:52:09 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/09/15 04:34:02 | 001,094,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Essentials\msseces.exe
PRC - [2010/03/25 21:40:44 | 000,017,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
PRC - [2009/11/13 14:40:39 | 000,323,392 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\DNA\btdna.exe
PRC - [2009/07/29 12:19:00 | 000,935,208 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
PRC - [2009/01/22 14:24:14 | 000,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2009/01/15 15:50:46 | 000,251,264 | ---- | M] (IncrediMail, Ltd.) -- C:\Program Files\IncrediMail\bin\IncMail.exe
PRC - [2009/01/15 15:50:42 | 000,189,824 | ---- | M] (IncrediMail, Ltd.) -- C:\Program Files\IncrediMail\bin\ImApp.exe
PRC - [2008/11/24 16:48:58 | 000,916,800 | ---- | M] (KsL Software) -- C:\Program Files\RFA\rfagent.exe
PRC - [2008/08/15 12:58:44 | 000,212,992 | ---- | M] (Realtek Semiconductor Corp.) -- C:\Documents and Settings\Kristie\Local Settings\Temp\RtkBtMnt.exe
PRC - [2008/08/04 10:51:46 | 000,124,264 | ---- | M] () -- C:\Program Files\Magentic\bin\MgApp.exe
PRC - [2008/06/04 20:10:02 | 000,114,688 | ---- | M] (InterVideo Inc.) -- C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
PRC - [2008/05/22 16:30:16 | 000,425,984 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
PRC - [2008/05/13 22:14:34 | 000,821,768 | ---- | M] (Dritek System Inc.) -- C:\Program Files\Launch Manager\QtZgAcer.EXE
PRC - [2008/04/14 22:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/02/28 02:00:10 | 000,170,520 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxext.exe
PRC - [2008/02/21 16:11:34 | 000,147,456 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\PELMICED.EXE
PRC - [2008/01/03 19:28:08 | 001,392,640 | R--- | M] (PalmSource, Inc) -- C:\Program Files\Palm\Hotsync.exe
PRC - [2007/08/23 17:47:40 | 000,077,824 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\ico.exe
PRC - [2007/04/01 10:02:38 | 000,568,176 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
PRC - [2007/01/11 13:57:22 | 000,291,760 | ---- | M] () -- C:\Program Files\Lexmark 5400 Series\lxctmon.exe
PRC - [2007/01/04 21:48:52 | 000,112,152 | R--- | M] (InterVideo) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
PRC - [2006/07/13 16:27:16 | 000,528,384 | ---- | M] ( ) -- C:\WINDOWS\system32\lxctcoms.exe
PRC - [2006/06/07 02:05:20 | 000,098,304 | ---- | M] (Lexmark International Inc.) -- C:\Program Files\Lexmark 5400 Series\ezprint.exe
PRC - [2003/11/06 16:51:32 | 000,020,480 | ---- | M] () -- C:\WINDOWS\system32\FSRremoS.EXE


========== Modules (SafeList) ==========

MOD - [2010/10/25 14:04:32 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Kristie\Desktop\OTL.exe
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2008/12/10 09:38:14 | 000,138,216 | ---- | M] (Babylon Ltd.) -- C:\Program Files\IncrediMail\bin\B4ImApp.dll
MOD - [2007/08/22 17:01:26 | 000,151,552 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\PELSCRLL.DLL
MOD - [2007/07/30 12:16:08 | 000,081,920 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\PELHOOKS.DLL
MOD - [2007/07/30 12:15:08 | 000,049,152 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\PELCOMM.DLL
MOD - [2007/04/02 00:00:48 | 000,086,016 | ---- | M] (Broadcom Corporation.) -- C:\WINDOWS\system32\BtMmHook.dll
MOD - [2007/04/01 09:57:16 | 000,053,248 | ---- | M] () -- C:\Program Files\WIDCOMM\Bluetooth Software\BTKeyInd.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe -- (McSysmon)
SRV - File not found [Unknown | Stopped] -- C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe -- (McShield)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/03/25 21:40:44 | 000,017,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)
SRV - [2009/07/29 12:19:00 | 000,935,208 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe -- (Nero BackItUp Scheduler 4.0)
SRV - [2009/01/23 16:37:19 | 000,030,192 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager-092308-165331)
SRV - [2007/01/04 21:48:52 | 000,112,152 | R--- | M] (InterVideo) [Auto | Running] -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)
SRV - [2006/07/13 16:27:16 | 000,528,384 | ---- | M] ( ) [Auto | Running] -- C:\WINDOWS\System32\lxctcoms.exe -- (lxct_device)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\drivers\midx.sys -- (mtrmmm)
DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\MpEngineStore\MpKsldb70e1cd.sys -- (MpKsldb70e1cd)
DRV - [2010/10/04 09:05:38 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF) WinPcap Packet Driver (NPF)
DRV - [2010/05/10 13:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 13:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2010/02/17 13:15:58 | 000,012,872 | ---- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2008/08/07 05:14:56 | 000,111,360 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2008/08/06 17:54:14 | 000,151,936 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\M3000KNT.sys -- (M3000Srv)
DRV - [2008/07/07 20:16:26 | 000,096,856 | ---- | M] (JMicron Technology Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\jmcr.sys -- (JMCR)
DRV - [2008/05/20 19:31:26 | 001,312,576 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\athw.sys -- (AR5416)
DRV - [2008/05/20 04:53:00 | 004,800,000 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/04/24 20:17:10 | 000,225,024 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2008/04/14 22:00:00 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2008/04/14 22:00:00 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/04/14 22:00:00 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2008/04/14 22:00:00 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2008/04/14 22:00:00 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2008/04/14 22:00:00 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2008/04/14 22:00:00 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2008/04/14 22:00:00 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2008/04/14 22:00:00 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2008/04/14 22:00:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2008/04/14 22:00:00 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2008/04/14 22:00:00 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2008/04/14 22:00:00 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2008/04/14 22:00:00 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2008/04/14 22:00:00 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2008/04/14 22:00:00 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2008/04/14 02:06:40 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/14 02:06:40 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/02/15 00:12:06 | 005,854,752 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2008/01/25 15:12:12 | 000,009,728 | ---- | M] (Primax Electronics Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PELUSBLF.SYS -- (pelusblf)
DRV - [2007/12/04 18:10:30 | 000,016,640 | R--- | M] (PalmSource, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PalmUSBD.sys -- (PalmUSBD)
DRV - [2007/06/07 17:38:32 | 000,017,408 | ---- | M] (Primax Electronics Ltd.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\PELMouse.SYS -- (pelmouse)
DRV - [2007/03/31 15:02:42 | 000,876,384 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2007/03/31 15:02:40 | 000,055,352 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwhid.sys -- (btwhid)
DRV - [2007/03/23 12:50:42 | 000,067,960 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2007/03/23 12:50:24 | 000,149,123 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwdndis.sys -- (BTWDNDIS)
DRV - [2007/03/23 12:50:08 | 000,037,424 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)
DRV - [2007/03/23 12:49:54 | 000,539,072 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)
DRV - [2007/01/22 17:11:02 | 001,464,672 | R--- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HCWUSB2.sys -- (iComp)
DRV - [2005/01/13 15:46:16 | 000,069,632 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Acer\Empowering Technology\eRecovery\int15.sys -- (int15.sys)
DRV - [2004/12/08 01:10:00 | 000,016,896 | ---- | M] (Dritek System Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\DKbFltr.SYS -- (DKbFltr)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2508212050-588791912-289167517-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0109&m=aoa150
IE - HKU\S-1-5-21-2508212050-588791912-289167517-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-2508212050-588791912-289167517-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-2508212050-588791912-289167517-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.qvc.com/
IE - HKU\S-1-5-21-2508212050-588791912-289167517-1006\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-2508212050-588791912-289167517-1006\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-2508212050-588791912-289167517-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2508212050-588791912-289167517-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.qvc.com"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}:2.7.1.3
FF - prefs.js..extensions.enabledItems: {F587B2D4-7C09-4a23-AC4A-8D6E3CE8C7DA}:3.6
FF - prefs.js..extensions.enabledItems: {33A8946C-B859-4f7d-8382-ADAB29623DEE}:3.6
FF - prefs.js..extensions.enabledItems: {558D3F58-1E89-4fe2-A1F1-5EADC7BC77CB}:3.6
FF - prefs.js..extensions.enabledItems: {285da7e0-729d-11db-9fe1-0800200c9a66}:2.20091201

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/10/04 09:47:11 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/09/27 20:35:37 | 000,000,000 | ---D | M]

[2009/01/23 18:21:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kristie\Application Data\Mozilla\Extensions
[2010/10/23 15:37:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kristie\Application Data\Mozilla\Firefox\Profiles\vkbsu0rz.default\extensions
[2009/12/08 08:27:44 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Kristie\Application Data\Mozilla\Firefox\Profiles\vkbsu0rz.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/06/01 17:19:21 | 000,000,000 | ---D | M] (Tinseltown) -- C:\Documents and Settings\Kristie\Application Data\Mozilla\Firefox\Profiles\vkbsu0rz.default\extensions\{285da7e0-729d-11db-9fe1-0800200c9a66}
[2010/06/01 17:19:37 | 000,000,000 | ---D | M] (Scribblies Kids) -- C:\Documents and Settings\Kristie\Application Data\Mozilla\Firefox\Profiles\vkbsu0rz.default\extensions\{33A8946C-B859-4f7d-8382-ADAB29623DEE}
[2010/06/01 17:19:11 | 000,000,000 | ---D | M] (Scribblies Plain) -- C:\Documents and Settings\Kristie\Application Data\Mozilla\Firefox\Profiles\vkbsu0rz.default\extensions\{558D3F58-1E89-4fe2-A1F1-5EADC7BC77CB}
[2010/07/29 02:47:59 | 000,000,000 | ---D | M] (Swag Bucks Toolbar) -- C:\Documents and Settings\Kristie\Application Data\Mozilla\Firefox\Profiles\vkbsu0rz.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}
[2010/06/01 17:18:52 | 000,000,000 | ---D | M] (Scribblies Brite) -- C:\Documents and Settings\Kristie\Application Data\Mozilla\Firefox\Profiles\vkbsu0rz.default\extensions\{F587B2D4-7C09-4a23-AC4A-8D6E3CE8C7DA}
[2010/06/01 17:19:20 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Kristie\Application Data\Mozilla\Firefox\Profiles\vkbsu0rz.default\extensions\{285da7e0-729d-11db-9fe1-0800200c9a66}\chrome\mozapps\extensions
[2010/06/01 17:19:20 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Kristie\Application Data\Mozilla\Firefox\Profiles\vkbsu0rz.default\extensions\{285da7e0-729d-11db-9fe1-0800200c9a66}\chrome\mozapps\extensions\CVS
[2010/10/25 10:47:48 | 000,001,540 | ---- | M] () -- C:\Documents and Settings\Kristie\Application Data\Mozilla\Firefox\Profiles\vkbsu0rz.default\searchplugins\swagbuckscom.xml
[2010/10/23 15:37:38 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/07/23 15:55:10 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2008/09/03 19:11:24 | 000,054,600 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll
[2010/04/12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/10/09 00:37:46 | 000,001,486 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 awareremover2010.com
O1 - Hosts: 127.0.0.1 winsecurepro2010.com
O1 - Hosts: 127.0.0.1 os-guard2010.com
O1 - Hosts: 127.0.0.1 platinumantivir.com
O1 - Hosts: 127.0.0.1 ms-antivirus.com
O1 - Hosts: 127.0.0.1 desktop-antivirus.com
O1 - Hosts: 127.0.0.1 shopica.com
O1 - Hosts: 127.0.0.1 desktop-antivirus.microsoft.com
O1 - Hosts: 127.0.0.1 windows-antivirus.net
O1 - Hosts: 127.0.0.1 laptopantivirus.net
O1 - Hosts: 127.0.0.1 new-soft.net
O1 - Hosts: 127.0.0.1 winguard2010.com
O1 - Hosts: 127.0.0.1 spydetector2009.com
O1 - Hosts: 127.0.0.1 protectguru.com
O1 - Hosts: 127.0.0.1 dailyconsumerguide.com
O1 - Hosts: 127.0.0.1 registrydefender.com
O1 - Hosts: 127.0.0.1 dailyconsumerguide.com
O1 - Hosts: 127.0.0.1 registrydefender.com/l/indexsg.asp?utm_medium=ctx&utm_campaign=mg1&utm_source=ron3594&utm_term=ron_113594
O2 - BHO: (HelperObject Class) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll (TechSmith Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (&Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O3 - HKLM\..\Toolbar: (SnagIt) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll (TechSmith Corporation)
O3 - HKU\S-1-5-21-2508212050-588791912-289167517-1006\..\Toolbar\WebBrowser: (&Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\InstallShield\AzMixerSel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe (Acer Inc.)
O4 - HKLM..\Run: [EzPrint] C:\Program Files\Lexmark 5400 Series\ezprint.exe (Lexmark International Inc.)
O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
O4 - HKLM..\Run: [HotSync] C:\Program Files\PalmSource\Desktop\HotSync.exe File not found
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [Lexmark 5400 Series Fax Server] C:\Program Files\Lexmark 5400 Series\fm3032.exe ()
O4 - HKLM..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE (Dritek System Inc.)
O4 - HKLM..\Run: [LXCTCATS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.DLL (Lexmark International Inc.)
O4 - HKLM..\Run: [lxctmon.exe] C:\Program Files\Lexmark 5400 Series\lxctmon.exe ()
O4 - HKLM..\Run: [M3000Mnt] File not found
O4 - HKLM..\Run: [Mouse Suite 98 Daemon] C:\WINDOWS\System32\ico.exe (Primax Electronics Ltd.)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [rfagent] C:\Program Files\RFA\rfagent.exe (KsL Software)
O4 - HKLM..\Run: [zzzHPSETUP] D:\Setup.exe File not found
O4 - HKU\S-1-5-21-2508212050-588791912-289167517-1006..\Run: [BitTorrent DNA] C:\Program Files\DNA\btdna.exe (BitTorrent, Inc.)
O4 - HKU\S-1-5-21-2508212050-588791912-289167517-1006..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe (IncrediMail, Ltd.)
O4 - HKU\S-1-5-21-2508212050-588791912-289167517-1006..\Run: [Magentic] C:\Program Files\Magentic\bin\Magentic.exe ()
O4 - HKU\S-1-5-21-2508212050-588791912-289167517-1006..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKU\S-1-5-21-2508212050-588791912-289167517-1006..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKU\S-1-5-21-2508212050-588791912-289167517-1006..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKU\S-1-5-21-2508212050-588791912-289167517-1006..\RunOnce: [ypagerps] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Audible Download Manager.lnk = C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe (Audible, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe (PalmSource, Inc)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe (InterVideo Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe (TechSmith Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2508212050-588791912-289167517-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab (Windows Live Safety Center Base Module)
O16 - DPF: {707ABFC2-1D27-4A10-A6E4-6BE6BDF9FB11} http://192.168.1.104/UltraMJCamX.cab (UltraMJCamX Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 76.85.229.110 76.85.229.111
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Kristie\Local Settings\Application Data\Magentic\Runtime\Magentic Wallpaper.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Kristie\Local Settings\Application Data\Magentic\Runtime\Magentic Wallpaper.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/08/15 12:37:44 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{2ab810cb-2a71-11df-9541-001a0e95fffb}\Shell\AutoRun\command - "" = D:\install.bat -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/10/25 14:04:19 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Kristie\Desktop\OTL.exe
[2010/10/23 15:21:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kristie\Application Data\Yahoo!
[2010/10/19 08:46:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010/10/18 19:06:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kristie\Desktop\Virus Stuff
[2010/10/11 01:29:28 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2010/10/11 01:27:13 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Kristie\IECompatCache
[2010/10/09 22:31:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2010/10/09 01:13:13 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Essentials
[2010/10/09 01:12:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2010/10/09 00:36:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\RFA_Backups
[2010/10/09 00:36:02 | 000,000,000 | ---D | C] -- C:\Program Files\RFA
[2010/10/04 21:27:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/10/04 21:27:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/10/04 17:59:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2010/10/04 17:50:26 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/10/04 17:50:20 | 000,000,000 | --SD | C] -- C:\ComboFix
[2010/10/04 17:40:32 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/10/04 12:45:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/10/04 12:45:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/10/04 09:26:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/10/04 09:25:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/10/04 09:08:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Kristie\Local Settings\Application Data\{A6027EF4-43C6-43D9-A10A-A1141B1BEA67}
[2010/10/04 09:05:38 | 000,281,104 | ---- | C] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\wpcap.dll
[2010/10/04 09:05:38 | 000,100,880 | ---- | C] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\Packet.dll
[2010/10/04 09:05:38 | 000,050,704 | ---- | C] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\drivers\npf.sys
[2006/07/13 16:38:18 | 000,643,072 | ---- | C] ( ) -- C:\WINDOWS\System32\lxctpmui.dll
[2006/07/13 16:37:04 | 001,187,840 | ---- | C] ( ) -- C:\WINDOWS\System32\lxctserv.dll
[2006/07/13 16:32:18 | 000,421,888 | ---- | C] ( ) -- C:\WINDOWS\System32\lxctcomm.dll
[2006/07/13 16:30:18 | 000,393,216 | ---- | C] ( ) -- C:\WINDOWS\System32\lxctiesc.dll
[2006/07/13 16:28:08 | 000,409,600 | ---- | C] ( ) -- C:\WINDOWS\System32\lxctinpa.dll
[2006/07/13 16:27:24 | 000,094,208 | ---- | C] ( ) -- C:\WINDOWS\System32\lxctpplc.dll
[2006/07/13 16:26:42 | 000,667,648 | ---- | C] ( ) -- C:\WINDOWS\System32\lxctcomc.dll
[2006/07/13 16:26:12 | 000,163,840 | ---- | C] ( ) -- C:\WINDOWS\System32\lxctprox.dll
[2006/07/13 16:19:32 | 000,983,040 | ---- | C] ( ) -- C:\WINDOWS\System32\lxctusb1.dll
[2006/07/13 16:16:42 | 000,528,384 | ---- | C] ( ) -- C:\WINDOWS\System32\lxctlmpm.dll
[2006/07/13 16:15:54 | 000,696,320 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcthbn3.dll
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\Kristie\Desktop\*.tmp files -> C:\Documents and Settings\Kristie\Desktop\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/10/25 14:04:32 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Kristie\Desktop\OTL.exe
[2010/10/25 02:17:07 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/10/22 23:41:06 | 000,045,056 | ---- | M] () -- C:\Documents and Settings\Kristie\Desktop\UsernamesPasswords.doc
[2010/10/22 23:38:45 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\Kristie\Desktop\~$ernamesPasswords.doc
[2010/10/22 16:58:04 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/10/19 18:53:53 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/10/19 18:53:51 | 1061,105,664 | -HS- | M] () -- C:\hiberfil.sys
[2010/10/19 14:36:33 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Kristie\defogger_reenable
[2010/10/19 09:55:33 | 000,341,832 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/10/19 09:09:10 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/10/19 09:01:39 | 000,443,034 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/10/19 09:01:39 | 000,072,134 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/10/12 00:28:55 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/10/11 01:41:26 | 000,039,936 | ---- | M] () -- C:\Documents and Settings\Kristie\My Documents\Virus Removal.doc
[2010/10/09 01:13:17 | 000,000,824 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2010/10/09 01:12:24 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/10/06 02:58:54 | 000,000,161 | ---- | M] () -- C:\Documents and Settings\Kristie\Application Data\asdsada.bat
[2010/10/05 10:08:26 | 000,027,136 | ---- | M] () -- C:\Documents and Settings\Kristie\Desktop\Ideas of Places to Go and Things to Do - KC.doc
[2010/10/05 08:14:26 | 000,024,576 | ---- | M] () -- C:\Documents and Settings\Kristie\Desktop\Renaissance Lists.doc
[2010/10/05 08:01:43 | 000,000,700 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/10/04 21:28:05 | 000,001,100 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/10/04 17:39:18 | 003,860,477 | R--- | M] () -- C:\Documents and Settings\Kristie\Desktop\ComboFix.exe
[2010/10/04 14:45:48 | 000,001,682 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/10/04 09:08:35 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Kbire.dat
[2010/10/04 09:08:35 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Wwowuvebuqa.bin
[2010/10/04 09:05:38 | 000,281,104 | ---- | M] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\wpcap.dll
[2010/10/04 09:05:38 | 000,100,880 | ---- | M] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\Packet.dll
[2010/10/04 09:05:38 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) -- C:\WINDOWS\System32\drivers\npf.sys
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\Kristie\Desktop\*.tmp files -> C:\Documents and Settings\Kristie\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/10/22 23:38:45 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\Kristie\Desktop\~$ernamesPasswords.doc
[2010/10/19 14:36:33 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Kristie\defogger_reenable
[2010/10/19 14:18:22 | 1061,105,664 | -HS- | C] () -- C:\hiberfil.sys
[2010/10/11 01:41:25 | 000,039,936 | ---- | C] () -- C:\Documents and Settings\Kristie\My Documents\Virus Removal.doc
[2010/10/09 01:18:55 | 000,000,408 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/10/09 01:13:17 | 000,000,824 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2010/10/06 02:58:54 | 000,000,161 | ---- | C] () -- C:\Documents and Settings\Kristie\Application Data\asdsada.bat
[2010/10/05 08:14:26 | 000,024,576 | ---- | C] () -- C:\Documents and Settings\Kristie\Desktop\Renaissance Lists.doc
[2010/10/05 08:11:13 | 000,027,136 | ---- | C] () -- C:\Documents and Settings\Kristie\Desktop\Ideas of Places to Go and Things to Do - KC.doc
[2010/10/05 08:01:43 | 000,000,700 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/10/04 21:28:05 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/10/04 17:39:05 | 003,860,477 | R--- | C] () -- C:\Documents and Settings\Kristie\Desktop\ComboFix.exe
[2010/10/04 14:00:23 | 000,001,100 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/10/04 09:08:35 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Kbire.dat
[2010/10/04 09:08:35 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Wwowuvebuqa.bin
[2010/06/24 16:50:01 | 000,040,960 | R--- | C] () -- C:\WINDOWS\System32\hcwXDS.dll
[2010/06/20 22:29:30 | 000,000,219 | ---- | C] () -- C:\Documents and Settings\Kristie\Application Data\default.rss
[2010/06/03 01:18:54 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2010/05/24 17:02:51 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxctpmon.dll
[2010/05/24 17:02:51 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\LXCTFXPU.DLL
[2010/05/24 17:00:55 | 000,274,432 | ---- | C] () -- C:\WINDOWS\System32\LXCTinst.dll
[2010/05/23 21:34:35 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\VegaShEx.dll
[2010/05/23 21:34:25 | 000,091,136 | ---- | C] () -- C:\WINDOWS\System32\Lfkodak.dll
[2010/05/23 21:34:24 | 000,308,224 | ---- | C] () -- C:\WINDOWS\System32\Lffpx7.dll
[2010/02/06 06:17:32 | 000,054,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\ybtgpmw.sys
[2009/03/16 23:10:17 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/02/18 19:17:40 | 000,000,224 | ---- | C] () -- C:\Documents and Settings\Kristie\Application Data\wklnhst.dat
[2009/01/24 20:47:11 | 000,008,062 | ---- | C] () -- C:\WINDOWS\System32\Setup2k.ini
[2009/01/24 20:47:11 | 000,000,313 | ---- | C] () -- C:\WINDOWS\System32\presetup.ini
[2009/01/24 20:46:49 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\PELCPEXT.DLL
[2009/01/24 20:46:49 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\FSRremoC.DLL
[2009/01/22 21:14:36 | 000,005,632 | ---- | C] () -- C:\Documents and Settings\Kristie\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/08/15 15:37:42 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/08/15 12:37:26 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/07/30 21:37:26 | 000,006,782 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2008/05/05 11:01:02 | 000,151,936 | ---- | C] () -- C:\WINDOWS\System32\drivers\M3000KNT.sys
[2008/04/14 22:00:00 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2008/02/15 00:21:56 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2007/07/13 10:49:00 | 000,233,472 | ---- | C] () -- C:\WINDOWS\System32\M3000DIF.dll
[2007/04/01 10:00:28 | 002,842,624 | ---- | C] () -- C:\WINDOWS\System32\btwicons.dll
[2007/04/01 09:41:52 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll
[2006/07/23 21:11:38 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\lxctgrd.dll
[2006/07/11 17:54:16 | 000,335,872 | ---- | C] () -- C:\WINDOWS\System32\lxctcoin.dll
[2006/06/20 12:40:14 | 000,692,224 | ---- | C] () -- C:\WINDOWS\System32\lxctdrs.dll
[2006/05/18 10:01:34 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\lxctcaps.dll
[2006/05/03 13:31:04 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\lxctcnv4.dll
[2005/06/24 01:37:50 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxctvs.dll
[2005/03/28 17:45:26 | 000,000,153 | ---- | C] () -- C:\WINDOWS\ALaunch.ini
[2003/09/22 09:49:36 | 000,015,190 | ---- | C] () -- C:\WINDOWS\M3000Twn.ini
[2002/11/22 04:57:26 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2002/11/22 04:57:26 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2002/11/22 04:57:26 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2002/11/22 04:57:26 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2002/11/22 04:57:26 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2002/11/22 04:57:24 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2001/11/14 14:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

========== LOP Check ==========

[2010/05/24 17:02:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\5400 Series
[2010/03/01 23:29:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HotSync
[2009/01/21 23:51:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IM
[2009/01/21 23:49:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IncrediMail
[2009/01/23 15:52:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Partner
[2010/10/09 00:56:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RFA_Backups
[2009/01/25 09:58:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TechSmith
[2010/10/19 14:28:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/01/18 14:56:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2010/05/24 17:05:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kristie\Application Data\5400 Series
[2010/06/20 22:00:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kristie\Application Data\Amazon
[2009/04/17 21:14:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kristie\Application Data\Bidgood Svcs
[2009/01/25 10:28:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kristie\Application Data\BitTorrent
[2010/10/25 14:26:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kristie\Application Data\DNA
[2010/03/01 23:29:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kristie\Application Data\HotSync
[2009/01/22 14:08:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kristie\Application Data\InterVideo
[2009/02/18 19:17:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kristie\Application Data\Template
[2009/01/25 18:33:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2010/10/25 02:17:07 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2008/08/15 05:29:32 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2008/08/15 05:29:32 | 001,064,960 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2008/08/15 05:29:32 | 000,897,024 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2010/10/10 13:20:23 | 000,018,560 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\fttegsbi.sys
[2010/10/18 16:33:45 | 000,018,560 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\i2omp.sys
[2010/10/04 09:05:38 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) -- C:\WINDOWS\system32\drivers\npf.sys
[2010/10/11 01:37:31 | 000,018,560 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\rxcesvxy.sys
[2010/08/26 08:39:50 | 000,357,248 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\srv.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34

< End of report >
And the Extras report:

OTL Extras logfile created on: 10/25/2010 2:24:43 PM - Run 1
OTL by OldTimer - Version 3.2.17.1 Folder = C:\Documents and Settings\Kristie\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,012.00 Mb Total Physical Memory | 172.00 Mb Available Physical Memory | 17.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 50.00% Paging File free
Paging file location(s): C:\pagefile.sys 1512 3024 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 144.17 Gb Total Space | 108.72 Gb Free Space | 75.41% Space Free | Partition Type: NTFS

Computer Name: MYBDAYGIFT | User Name: Kristie | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-2508212050-588791912-289167517-1006\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\IncrediMail\bin\ImApp.exe" = C:\Program Files\IncrediMail\bin\ImApp.exe:*:Enabled:IncrediMail -- (IncrediMail, Ltd.)
"C:\Program Files\IncrediMail\bin\IncMail.exe" = C:\Program Files\IncrediMail\bin\IncMail.exe:*:Enabled:IncrediMail -- (IncrediMail, Ltd.)
"C:\Program Files\IncrediMail\bin\ImpCnt.exe" = C:\Program Files\IncrediMail\bin\ImpCnt.exe:*:Enabled:IncrediMail -- (IncrediMail, Ltd.)
"C:\Program Files\Magentic\bin\MgImp.exe" = C:\Program Files\Magentic\bin\MgImp.exe:*:Enabled:Magentic -- (IncrediMail, Ltd.)
"C:\Program Files\Magentic\bin\Magentic.exe" = C:\Program Files\Magentic\bin\Magentic.exe:*:Enabled:Magentic -- ()
"C:\Program Files\Magentic\bin\MgApp.exe" = C:\Program Files\Magentic\bin\MgApp.exe:*:Enabled:Magentic -- ()
"C:\Program Files\DNA\btdna.exe" = C:\Program Files\DNA\btdna.exe:*:Enabled:DNA -- (BitTorrent, Inc.)
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- (BitTorrent, Inc.)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\WINDOWS\system32\lxctcoms.exe" = C:\WINDOWS\system32\lxctcoms.exe:*:Enabled:5400 Series Server -- ( )


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{02627ee5-eaca-4742-a9cc-e687631773e4}" = Nero ShowTime
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0E0DF90C-D0BA-4C89-9262-AD78D1A3DE51}" = HP USB Disk Storage Format Tool
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{1c00c7c5-e615-4139-b817-7f4003de68c0}" = Nero PhotoSnap Help
"{20400dbd-e6db-45b8-9b6b-1dd7033818ec}" = Nero InfoTool Help
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{2348b586-c9ae-46ce-936c-a68e9426e214}" = Nero StartSmart Help
"{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}" = Skype™ 4.0
"{26604C7E-A313-4D12-867F-7C6E7820BE4C}" = JMicron JMB38X Flash Media Controller
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java™ 6 Update 20
"{28006915-2739-4EBE-B5E8-49B25D32EB33}" = Atheros for Acer Driver v7.6.0.224_Foxconn Installation Program
"{33cf58f5-48d8-4575-83d6-96f574e4d83a}" = Nero DriveSpeed
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{359cfc0a-beb1-440d-95ba-cf63a86da34f}" = Nero Recode
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{43e39830-1826-415d-8bae-86845787b54b}" = Nero Vision
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4D43D635-6FDA-4fa5-AA9B-23CF73D058EA}" = Nero StartSmart OEM
"{524228C9-826F-4B58-9E47-4F2E5C7E9F45}" = SnagIt 8
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{595a3116-40bb-4e0f-a2e8-d7951da56270}" = NeroExpress
"{5d9be3c1-8ba4-4e7e-82fd-9f74fa6815d1}" = Nero Vision Help
"{62ac81f6-bdd3-4110-9d36-3e9eaab40999}" = Nero CoverDesigner
"{69333A04-5134-40A5-A055-9166A7AA1EC8}" =
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{72b6307a-b3af-46ad-8ace-06c14e007a39}" = Nero 9 Essentials
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7748ac8c-18e3-43bb-959b-088faea16fb2}" = Nero StartSmart
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7829db6f-a066-4e40-8912-cb07887c20bb}" = Nero BurnRights
"{79DD56FC-DB8B-47F5-9C80-78B62E05F9BC}" = Acer ScreenSaver
"{83202942-84b3-4c50-8622-b8c0aa2d2885}" = Nero Express Help
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{84814E6B-2581-46EC-926A-823BD1C670F6}" = Bluetooth by hp
"{869200db-287a-4dc0-b02b-2b6787fbcd4c}" = Nero DiscSpeed
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{91130409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Small Business
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9e82b934-9a25-445b-b8df-8012808074ac}" = Nero PhotoSnap
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A8F2089B-1F79-4BF6-B385-A2C2B0B9A74D}" = ImagXpress
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.4
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{ad6bc5cc-2ef0-49c4-b33d-cdc8b2c4dc80}" = Nero Recode Help
"{b1adf008-e898-4fe2-8a1f-690d9a06acaf}" = DolbyFiles
"{b2ec4a38-b545-4a00-8214-13fe0e915e6d}" = Advertising Center
"{b86754dd-2ddb-4ac0-9015-cb487277254e}" = InCD Help
"{bd5ca0da-71ad-43da-b19e-6eee0c9adc9a}" = Nero ControlCenter
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{cc019e3f-59d2-4486-8d4b-878105b62a71}" = Nero DiscSpeed Help
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{ce96f5a5-584d-4f8f-aa3e-9baed413db72}" = Nero CoverDesigner Help
"{d9dcf92e-72eb-412d-ac71-3b01276e5f8b}" = Nero ShowTime
"{dba84796-8503-4ff0-af57-1747dd9a166d}" = Nero Online Upgrade
"{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}" = Microsoft Office Suite Activation Assistant
"{e5c7d048-f9b4-4219-b323-8bdb01a2563d}" = Nero DriveSpeed Help
"{E62A1F01-07B7-4541-A835-EE5B0BF064C2}" = Microsoft Antimalware
"{e8a80433-302b-4ff1-815d-fcc8eac482ff}" = Nero Installer
"{EF98A02A-1748-4762-9B7D-5ED1600520D5}" = Microsoft Security Essentials
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F18DB86D-BC16-4E01-BCCE-63F62B931D82}" = InterVideo Register Manager
"{f4041dce-3fe1-4e18-8a9e-9de65231ee36}" = Nero ControlCenter
"{F5C63795-2708-4D15-BF18-5ABBFF7DFFC8}" = iTunes
"{F6BA8EF2-A9F8-45B7-BD59-0A15DA9F7D68}" = Omron Health Management Software
"{f6bdd7c5-89ed-4569-9318-469aa9732572}" = Nero BurnRights Help
"{F7952CA2-A925-4CA1-A934-A46E8EC9CA18}" = Acer Crystal Eye Webcam
"{fbcdfd61-7dcf-4e71-9226-873ba0053139}" = Nero InfoTool
"{FD6034A3-655C-49F0-B496-D4CBFD74D7A7}" = Palm Desktop by ACCESS
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.5
"Audacity_is1" = Audacity 1.2.6
"AudibleDownloadManager" = Audible Download Manager
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Google Desktop" = Google Desktop
"Greeting Card Creator 32" = Greeting Card Creator 32
"HDMI" = Intel® Graphics Media Accelerator Driver
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"IncrediMail" = IncrediMail
"Lexmark 5400 Series" = Lexmark 5400 Series
"LManager" = Launch Manager
"Magentic" = Magentic
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Essentials" = Microsoft Security Essentials
"MouseSuite98" = Rocketfish Apple Bluetooth Driver
"Mozilla Firefox (3.6.10)" = Mozilla Firefox (3.6.10)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Picasa 3" = Picasa 3
"Picture Resize_is1" = Free Picture Resize Starter 4.5
"Registry First Aid_is1" = Registry First Aid
"SpywareBlaster_is1" = SpywareBlaster 4.2
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"WinRAR archiver" = WinRAR archiver
"Yahoo! Messenger" = Yahoo! Messenger

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2508212050-588791912-289167517-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent" = BitTorrent
"BitTorrent DNA" = DNA

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/18/2010 6:38:50 PM | Computer Name = MYBDAYGIFT | Source = Application Hang | ID = 1002
Description = Hanging application explorer.exe, version 6.0.2900.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/19/2010 4:22:13 PM | Computer Name = MYBDAYGIFT | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.1.3593, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 1/25/2010 12:40:16 PM | Computer Name = MYBDAYGIFT | Source = Application Hang | ID = 1002
Description = Hanging application SUPERAntiSpyware.exe, version 4.26.0.1000, hang
module hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/25/2010 12:42:15 PM | Computer Name = MYBDAYGIFT | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.1.3593, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 1/25/2010 1:09:25 PM | Computer Name = MYBDAYGIFT | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: An internal certificate chaining error has occurred.

Error - 1/25/2010 1:20:05 PM | Computer Name = MYBDAYGIFT | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.1.3593, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 1/25/2010 1:25:03 PM | Computer Name = MYBDAYGIFT | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.1.3593, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 1/25/2010 1:31:41 PM | Computer Name = MYBDAYGIFT | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.1.3593, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 1/25/2010 3:49:21 PM | Computer Name = MYBDAYGIFT | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/25/2010 3:49:23 PM | Computer Name = MYBDAYGIFT | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 10/19/2010 6:43:24 PM | Computer Name = MYBDAYGIFT | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
period.

Error - 10/19/2010 7:17:49 PM | Computer Name = MYBDAYGIFT | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
period.

Error - 10/19/2010 7:18:10 PM | Computer Name = MYBDAYGIFT | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
period.

Error - 10/19/2010 7:18:11 PM | Computer Name = MYBDAYGIFT | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
period.

Error - 10/19/2010 7:18:11 PM | Computer Name = MYBDAYGIFT | Source = atapi | ID = 262155
Description = The driver detected a controller error on \Device\Ide\IdePort0.

Error - 10/19/2010 7:55:36 PM | Computer Name = MYBDAYGIFT | Source = Service Control Manager | ID = 7000
Description = The McAfee Real-time Scanner service failed to start due to the following
error: %%3

Error - 10/19/2010 9:10:18 PM | Computer Name = MYBDAYGIFT | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
period.

Error - 10/19/2010 9:11:46 PM | Computer Name = MYBDAYGIFT | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
period.

Error - 10/20/2010 9:46:41 AM | Computer Name = MYBDAYGIFT | Source = Microsoft Antimalware | ID = 2001
Description = %%861 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 1.93.63.0 Update Source: %%859 Update Stage:
%%852 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803

User:
NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6301.0 Error
code: 0x8024402c Error description: An unexpected problem occurred while checking
for updates. For information on installing or troubleshooting updates, see Help
and Support.

Error - 10/23/2010 3:21:19 PM | Computer Name = MYBDAYGIFT | Source = ACPIEC | ID = 327681
Description = \Device\ACPIEC: The embedded controller (EC) hardware didn't respond
within the timeout period. This may indicate an error in the EC hardware or firmware,
or possibly a poorly designed BIOS which accesses the EC in an unsafe manner.
The EC driver will retry the failed transaction if possible.


< End of report >
Thanks again for your time, sundavis!

Kristie

#4 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling
  • Local time:10:05 PM

Posted 25 October 2010 - 04:39 PM

Hi runtotorun121,
Step 1

  • Please go to Virus Total.
  • Copy/paste the below bold file paths one at a time into the text box next to the Browse button at the top of the page.

    c:\windows\system32\drivers\rxcesvxy.sys
  • If the file was analyzed before click Reanalyse file now button.
  • Click Send File button and copy "Scanner results", and paste the contents into your next reply.
  • Repeat the process with the following file:

    c:\windows\system32\drivers\fttegsbi.sys
Step 2

  • Please start OTL on your desktop.
  • Under the Custom Scans/Fixes box at the bottom, copy/paste the following contents of code box.

    :OTL
    DRV - File not found [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\drivers\midx.sys -- (mtrmmm)
    DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\MpEngineStore\MpKsldb70e1cd.sys -- (MpKsldb70e1cd)
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: 127.0.0.1 awareremover2010.com
    O1 - Hosts: 127.0.0.1 winsecurepro2010.com
    O1 - Hosts: 127.0.0.1 os-guard2010.com
    O1 - Hosts: 127.0.0.1 platinumantivir.com
    O1 - Hosts: 127.0.0.1 ms-antivirus.com
    O1 - Hosts: 127.0.0.1 desktop-antivirus.com
    O1 - Hosts: 127.0.0.1 shopica.com
    O1 - Hosts: 127.0.0.1 desktop-antivirus.microsoft.com
    O1 - Hosts: 127.0.0.1 windows-antivirus.net
    O1 - Hosts: 127.0.0.1 laptopantivirus.net
    O1 - Hosts: 127.0.0.1 new-soft.net
    O1 - Hosts: 127.0.0.1 winguard2010.com
    O1 - Hosts: 127.0.0.1 spydetector2009.com
    O1 - Hosts: 127.0.0.1 protectguru.com
    O1 - Hosts: 127.0.0.1 dailyconsumerguide.com
    O1 - Hosts: 127.0.0.1 registrydefender.com
    O1 - Hosts: 127.0.0.1 dailyconsumerguide.com
    O1 - Hosts: 127.0.0.1 registrydefender.com/l/indexsg.asp?utm_medium=ctx&utm_campaign=mg1&utm_source=ron3594&utm_term=ron_113594
    O4 - HKLM..\Run: [M3000Mnt] File not found
    O4 - HKLM..\Run: [zzzHPSETUP] D:\Setup.exe File not found
    O33 - MountPoints2\{2ab810cb-2a71-11df-9541-001a0e95fffb}\Shell\AutoRun\command - "" = D:\install.bat -- File not found
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    [2010/10/19 09:01:39 | 000,443,034 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2010/10/19 09:01:39 | 000,072,134 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2010/10/06 02:58:54 | 000,000,161 | ---- | M] () -- C:\Documents and Settings\Kristie\Application Data\asdsada.bat
    [2010/10/04 21:28:05 | 000,001,100 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
    [2010/10/04 09:08:35 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Kbire.dat
    [2010/10/04 09:08:35 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Wwowuvebuqa.bin
    [2010/02/06 06:17:32 | 000,054,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\ybtgpmw.sys
    
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [resethosts]
    [start explorer]
    [Reboot]
    
  • Click Run Fix button on the top.
  • Click OK and let it run unhindered.
  • OTL will ask to reboot the machine. Please OK the prompt.
  • A report will open. Copy and Paste that report in your next reply.

Step 3

  • If you already have Combofix, please delete that copy and download it again as it's being updated regularly.
  • Please visit this webpage for download links, and instructions for running the tool:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  • Note: ComboFix has recently been updated to include the option for installing the Recovery Console automatically. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow Combofix to continue scanning for malware.
  • When done, a log will be produced (or locate it in C:\ComboFix.txt). Please post that log in your next reply.
  • Do not mouse click on Combofix while it is running. That may cause it to stall.
In your next reply, please post back:

1. Virus Total scan results
2. OTL delete log
3. ComboFix log

Let me know if you still have any remaining issues on your pc.

#5 runtotorun121

runtotorun121
  • Topic Starter

  • Members
  • 90 posts
  • Local time:09:05 PM

Posted 25 October 2010 - 07:55 PM

I don't know if this is significant, but I wanted to let you know that I was not able to run VirusTotal from my Firefox browser. Each time I would try to paste the text you provided I could neither paste nor type in the field. I then opened the VirusTotal link in IE and was able to run the process that way.

Also, when I ran ComboFix my computer shut down and restarted. I was initially concerned that perhaps a virus intervened and shut down the ComboFix process, but even though I have no idea how to read any of these logs it looks like maybe ComboFix shut itself down after fixing something. I was just worried since I didn't see that as a possibility listed in the directions on how to run ComboFix. Additionally, when my computer restarted SUPERAntiSpyware and some other programs (not antivirus, malware protection, or firewall though) started up automatically. I had shut down SUPERAntiSpyware before I began ComboFix, but I don't know if any problems might have happened after the reboot since the ComboFix directions also specify to NOT run any programs while the report was being generated. . .?

Okay, here are the reports from VirusTotal:

Antivirus Version Last Update Result
AhnLab-V3 2010.10.26.00 2010.10.25 -
AntiVir 7.10.13.37 2010.10.25 -
Antiy-AVL 2.0.3.7 2010.10.25 -
Authentium 5.2.0.5 2010.10.25 -
Avast 4.8.1351.0 2010.10.25 -
Avast5 5.0.594.0 2010.10.25 -
AVG 9.0.0.851 2010.10.25 -
BitDefender 7.2 2010.10.25 -
CAT-QuickHeal 11.00 2010.10.25 -
ClamAV 0.96.2.0-git 2010.10.25 -
Comodo 6507 2010.10.25 -
DrWeb 5.0.2.03300 2010.10.25 -
eSafe 7.0.17.0 2010.10.25 -
eTrust-Vet 36.1.7933 2010.10.25 -
F-Prot 4.6.2.117 2010.10.25 -
F-Secure 9.0.16160.0 2010.10.25 -
Fortinet 4.2.249.0 2010.10.25 -
GData 21 2010.10.25 -
Ikarus T3.1.1.90.0 2010.10.25 -
Jiangmin 13.0.900 2010.10.25 -
K7AntiVirus 9.66.2830 2010.10.25 -
Kaspersky 7.0.0.125 2010.10.25 -
McAfee 5.400.0.1158 2010.10.25 -
McAfee-GW-Edition 2010.1C 2010.10.25 -
Microsoft 1.6301 2010.10.25 -
NOD32 5562 2010.10.25 -
Norman 6.06.10 2010.10.25 -
nProtect 2010-10-25.01 2010.10.25 -
Panda 10.0.2.7 2010.10.25 -
PCTools 7.0.3.5 2010.10.25 -
Prevx 3.0 2010.10.25 -
Rising 22.70.06.04 2010.10.25 -
Sophos 4.58.0 2010.10.25 -
Sunbelt 7139 2010.10.25 -
SUPERAntiSpyware 4.40.0.1006 2010.10.25 -
Symantec 20101.2.0.161 2010.10.25 -
TheHacker 6.7.0.1.066 2010.10.25 -
TrendMicro 9.120.0.1004 2010.10.25 -
TrendMicro-HouseCall 9.120.0.1004 2010.10.25 -
VBA32 3.12.14.1 2010.10.25 -
ViRobot 2010.10.25.4110 2010.10.25 -
VirusBuster 12.70.4.0 2010.10.25 -
Additional information:
MD5 : f10863bf1ccc290babd1a09188ae49e0
SHA1 : f25501d8753613ae1c0e7d75cbd72991458ede70
SHA256: bc038eae6c8a76d56a5ad27035dc0369d6e766711e9faa7467144370851f1615
and:

Antivirus Version Last Update Result
AhnLab-V3 2010.10.26.00 2010.10.25 -
AntiVir 7.10.13.37 2010.10.25 -
Antiy-AVL 2.0.3.7 2010.10.25 -
Authentium 5.2.0.5 2010.10.25 -
Avast 4.8.1351.0 2010.10.25 -
Avast5 5.0.594.0 2010.10.25 -
AVG 9.0.0.851 2010.10.25 -
BitDefender 7.2 2010.10.25 -
CAT-QuickHeal 11.00 2010.10.25 -
ClamAV 0.96.2.0-git 2010.10.25 -
Comodo 6507 2010.10.25 -
DrWeb 5.0.2.03300 2010.10.25 -
Emsisoft 5.0.0.50 2010.10.25 -
eSafe 7.0.17.0 2010.10.25 -
eTrust-Vet 36.1.7933 2010.10.25 -
F-Prot 4.6.2.117 2010.10.25 -
F-Secure 9.0.16160.0 2010.10.25 -
Fortinet 4.2.249.0 2010.10.25 -
GData 21 2010.10.25 -
Ikarus T3.1.1.90.0 2010.10.25 -
Jiangmin 13.0.900 2010.10.25 -
K7AntiVirus 9.66.2830 2010.10.25 -
Kaspersky 7.0.0.125 2010.10.25 -
McAfee 5.400.0.1158 2010.10.25 -
McAfee-GW-Edition 2010.1C 2010.10.25 -
Microsoft 1.6301 2010.10.25 -
NOD32 5562 2010.10.25 -
Norman 6.06.10 2010.10.25 -
nProtect 2010-10-25.01 2010.10.25 -
Panda 10.0.2.7 2010.10.25 -
PCTools 7.0.3.5 2010.10.25 -
Prevx 3.0 2010.10.26 -
Rising 22.70.06.04 2010.10.25 -
Sophos 4.58.0 2010.10.25 -
Sunbelt 7139 2010.10.25 -
SUPERAntiSpyware 4.40.0.1006 2010.10.25 -
Symantec 20101.2.0.161 2010.10.25 -
TheHacker 6.7.0.1.066 2010.10.25 -
TrendMicro 9.120.0.1004 2010.10.25 -
TrendMicro-HouseCall 9.120.0.1004 2010.10.25 -
VBA32 3.12.14.1 2010.10.25 -
ViRobot 2010.10.25.4110 2010.10.25 -
VirusBuster 12.70.4.0 2010.10.25 -
Additional information:
MD5 : f10863bf1ccc290babd1a09188ae49e0
SHA1 : f25501d8753613ae1c0e7d75cbd72991458ede70
SHA256: bc038eae6c8a76d56a5ad27035dc0369d6e766711e9faa7467144370851f1615

OTL report:

All processes killed
========== OTL ==========
Service mtrmmm stopped successfully!
Service mtrmmm deleted successfully!
File C:\WINDOWS\System32\drivers\midx.sys not found.
Service MpKsldb70e1cd stopped successfully!
Service MpKsldb70e1cd deleted successfully!
File C:\WINDOWS\System32\MpEngineStore\MpKsldb70e1cd.sys not found.
127.0.0.1 localhost removed from HOSTS file successfully
127.0.0.1 awareremover2010.com removed from HOSTS file successfully
127.0.0.1 winsecurepro2010.com removed from HOSTS file successfully
127.0.0.1 os-guard2010.com removed from HOSTS file successfully
127.0.0.1 platinumantivir.com removed from HOSTS file successfully
127.0.0.1 ms-antivirus.com removed from HOSTS file successfully
127.0.0.1 desktop-antivirus.com removed from HOSTS file successfully
127.0.0.1 shopica.com removed from HOSTS file successfully
127.0.0.1 desktop-antivirus.microsoft.com removed from HOSTS file successfully
127.0.0.1 windows-antivirus.net removed from HOSTS file successfully
127.0.0.1 laptopantivirus.net removed from HOSTS file successfully
127.0.0.1 new-soft.net removed from HOSTS file successfully
127.0.0.1 winguard2010.com removed from HOSTS file successfully
127.0.0.1 spydetector2009.com removed from HOSTS file successfully
127.0.0.1 protectguru.com removed from HOSTS file successfully
127.0.0.1 dailyconsumerguide.com removed from HOSTS file successfully
127.0.0.1 registrydefender.com removed from HOSTS file successfully
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\M3000Mnt deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\zzzHPSETUP deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2ab810cb-2a71-11df-9541-001a0e95fffb}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2ab810cb-2a71-11df-9541-001a0e95fffb}\ not found.
File D:\install.bat not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session manager\\BootExecute:autocheck autochk * deleted successfully.
C:\WINDOWS\system32\perfh009.dat moved successfully.
C:\WINDOWS\system32\perfc009.dat moved successfully.
C:\Documents and Settings\Kristie\Application Data\asdsada.bat moved successfully.
C:\WINDOWS\system32\d3d8caps.dat moved successfully.
C:\WINDOWS\Kbire.dat moved successfully.
C:\WINDOWS\Wwowuvebuqa.bin moved successfully.
C:\WINDOWS\system32\drivers\ybtgpmw.sys moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 983061 bytes
->Temporary Internet Files folder emptied: 9677182 bytes
->FireFox cache emptied: 30297629 bytes
->Flash cache emptied: 405 bytes

User: All Users

User: Default User
->Temp folder emptied: 212992 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 321 bytes

User: Kristie
->Temp folder emptied: 3584213970 bytes
->Temporary Internet Files folder emptied: 168438534 bytes
->Java cache emptied: 109713348 bytes
->FireFox cache emptied: 58096289 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 2910258 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 14981207 bytes
->Java cache emptied: 3281492 bytes
->Flash cache emptied: 69489 bytes

User: NetworkService
->Temp folder emptied: 198602 bytes
->Temporary Internet Files folder emptied: 97904829 bytes
->Java cache emptied: 6575422 bytes
->Flash cache emptied: 65331 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 593425 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 108021069 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 101207678 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 771648058 bytes

Total Files Cleaned = 4,834.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: Kristie
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.17.1 log created on 10252010_170843

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

and ComboFix report:

ComboFix 10-10-24.06 - Kristie 10/25/2010 18:52:15.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.425 [GMT -5:00]
Running from: c:\documents and settings\Kristie\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Kristie\Local Settings\Application Data\{A6027EF4-43C6-43D9-A10A-A1141B1BEA67}
c:\documents and settings\Kristie\Local Settings\Application Data\{A6027EF4-43C6-43D9-A10A-A1141B1BEA67}\chrome.manifest
c:\documents and settings\Kristie\Local Settings\Application Data\{A6027EF4-43C6-43D9-A10A-A1141B1BEA67}\chrome\content\_cfg.js
c:\documents and settings\Kristie\Local Settings\Application Data\{A6027EF4-43C6-43D9-A10A-A1141B1BEA67}\chrome\content\overlay.xul
c:\documents and settings\Kristie\Local Settings\Application Data\{A6027EF4-43C6-43D9-A10A-A1141B1BEA67}\install.rdf
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2010-09-26 to 2010-10-26 )))))))))))))))))))))))))))))))
.

2010-10-25 22:08 . 2010-10-25 22:08 -------- d-----w- C:\_OTL
2010-10-25 07:19 . 2010-10-07 23:21 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EE66F801-5D3D-48FA-AC43-51BC7C18F900}\mpengine.dll
2010-10-23 20:21 . 2010-10-23 20:21 -------- d-----w- c:\documents and settings\Kristie\Application Data\Yahoo!
2010-10-18 21:11 . 2010-10-07 23:21 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-10-11 06:37 . 2010-10-11 06:37 18560 ----a-w- c:\windows\system32\drivers\rxcesvxy.sys
2010-10-11 06:29 . 2010-10-18 21:45 -------- d-----w- c:\program files\Windows Live Safety Center
2010-10-11 06:27 . 2010-10-11 06:27 -------- d-sh--w- c:\documents and settings\Kristie\IECompatCache
2010-10-10 18:20 . 2010-10-10 18:20 18560 ----a-w- c:\windows\system32\drivers\fttegsbi.sys
2010-10-10 03:31 . 2010-10-10 03:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-10-09 06:50 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-09 06:13 . 2010-10-09 06:13 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-10-09 05:36 . 2010-10-09 05:56 -------- d-----w- c:\documents and settings\All Users\Application Data\RFA_Backups
2010-10-09 05:36 . 2010-10-09 05:36 -------- d-----w- c:\program files\RFA
2010-10-05 02:27 . 2010-10-05 02:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-10-04 14:34 . 2010-10-04 14:44 -------- d-----w- c:\documents and settings\Administrator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-18 21:33 . 2008-04-15 03:00 18560 ----a-w- c:\windows\system32\drivers\i2omp.sys
2010-09-18 17:23 . 2008-04-15 03:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2008-04-15 03:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-04-15 03:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2008-04-15 03:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2007-08-14 01:54 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2007-08-14 01:45 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-10 05:58 . 2007-08-14 01:44 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-01 11:51 . 2008-04-15 03:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2008-04-15 03:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2008-04-15 03:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2008-04-15 03:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2008-04-15 03:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-12-02 21:50 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2008-04-15 03:00 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2008-04-15 03:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2008-04-15 03:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2009-01-23 21:37 . 2009-01-23 21:37 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="c:\program files\IncrediMail\bin\IncMail.exe" [2009-01-15 251264]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-28 2424560]
"Magentic"="c:\progra~1\Magentic\bin\Magentic.exe" [2008-08-04 488808]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-13 323392]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-22 68856]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-15 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]
"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1044480]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-15 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-15 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-05-14 821768]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-01-23 30192]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2008-05-22 425984]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"Mouse Suite 98 Daemon"="ico.EXE" [2007-08-23 77824]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"lxctmon.exe"="c:\program files\Lexmark 5400 Series\lxctmon.exe" [2007-01-11 291760]
"Lexmark 5400 Series Fax Server"="c:\program files\Lexmark 5400 Series\fm3032.exe" [2006-07-11 294912]
"EzPrint"="c:\program files\Lexmark 5400 Series\ezprint.exe" [2006-06-07 98304]
"LXCTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll" [2006-06-07 106496]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"rfagent"="c:\program files\RFA\rfagent.exe" [2008-11-24 916800]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Audible Download Manager.lnk - c:\program files\Audible\Bin\AudibleDownloadHelper.exe [2009-12-17 1795488]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-4-1 568176]
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2008-1-3 1392640]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-6-4 114688]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
SnagIt 8.lnk - c:\program files\TechSmith\SnagIt 8\SnagIt32.exe [2006-6-20 5976064]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\Magentic\\bin\\MgImp.exe"=
"c:\\Program Files\\Magentic\\bin\\Magentic.exe"=
"c:\\Program Files\\Magentic\\bin\\MgApp.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\lxctcoms.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R3 M3000Srv;Acer Crystal Eye webcam Driver;c:\windows\system32\drivers\M3000KNT.sys [5/5/2008 11:01 AM 151936]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [1/22/2009 2:23 PM 30192]
S3 iComp;Hauppauge WinTV PVR2 USB2 Encoder;c:\windows\system32\drivers\HCWUSB2.sys [6/24/2010 4:49 PM 1464672]
S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [1/22/2009 2:26 PM 96856]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 1:15 PM 12872]
.
Contents of the 'Scheduled Tasks' folder

2010-10-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-10-25 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 02:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.qvc.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
DPF: {707ABFC2-1D27-4A10-A6E4-6BE6BDF9FB11} - hxxp://192.168.1.104/UltraMJCamX.cab
FF - ProfilePath - c:\documents and settings\Kristie\Application Data\Mozilla\Firefox\Profiles\vkbsu0rz.default\
FF - prefs.js: browser.startup.homepage - www.qvc.com
FF - component: c:\documents and settings\Kristie\Application Data\Mozilla\Firefox\Profiles\vkbsu0rz.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Kristie\Application Data\Mozilla\Firefox\Profiles\vkbsu0rz.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\RadioWMPCore.dll
FF - plugin: c:\progra~1\Palm\PACKAG~1\NPInstal.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKLM-Run-HotSync - c:\program files\PalmSource\Desktop\HotSync.exe
SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-25 19:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
@=""
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
@=""
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
@=""
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2128)
c:\windows\system32\WININET.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\pelscrll.dll
c:\windows\system32\PELCOMM.dll
c:\windows\system32\PELHOOKS.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxctcoms.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\ico.EXE
c:\windows\system32\Pelmiced.exe
c:\progra~1\Magentic\bin\MgApp.exe
c:\windows\system32\igfxext.exe
c:\docume~1\Kristie\LOCALS~1\Temp\RtkBtMnt.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\IncrediMail\bin\IMApp.exe
c:\program files\TechSmith\SnagIt 8\TSCHelp.exe
.
**************************************************************************
.
Completion time: 2010-10-25 19:06:24 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-26 00:06

Pre-Run: 121,865,060,352 bytes free
Post-Run: 121,737,728,000 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 7D4F92D57CF7751E15188D546CA30E2F
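A ComboFix report like the one above is normally read by hand, but two of its sections have a regular enough shape to parse. The Python below is an added example (it is not ComboFix's code and was not posted in this thread): it pulls the values listed under each CurrentVersion Run key and the paths under "Other Running Processes" into structured records, then applies three triage heuristics a responder would apply anyway: a Run value that is a bare filename rather than a path is resolved through the PATH search order, so its origin needs confirming; a process or autostart living in a Temp directory deserves a second look; and "EnableFirewall"=0 in the standard profile means the Windows Firewall is off. The sample text is copied from the report above. The flags are hints for a reviewer, not verdicts; the helper in this thread reviewed the full log and did not treat any of these entries as malicious.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the ComboFix report in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="c:\program files\IncrediMail\bin\IncMail.exe" [2009-01-15 251264]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-15 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]
"Mouse Suite 98 Daemon"="ico.EXE" [2007-08-23 77824]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\windows\system32\wscntfy.exe
c:\docume~1\Kristie\LOCALS~1\Temp\RtkBtMnt.exe
.
**************************************************************************
"""

RUN_KEY_RE = re.compile(r'^\[(HKEY_[^\]]+\\Run)\]$', re.IGNORECASE)
RUN_ENTRY_RE = re.compile(r'^"([^"]+)"="([^"]*)" \[(\d{4}-\d{2}-\d{2}) (\d+)\]$')
PROC_PATH_RE = re.compile(r'^[a-z]:\\', re.IGNORECASE)
TEMP_DIR_RE = re.compile(r'\\(temp|tmp)\\', re.IGNORECASE)
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')


@dataclass
class RunEntry:
    key: str        # registry key the value lives under
    name: str       # value name
    command: str    # value data: an absolute path or a bare filename
    file_date: str  # file date as ComboFix recorded it
    size: int       # file size in bytes


def parse_run_entries(text):
    """Collect the values ComboFix lists under each CurrentVersion Run key."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('['):
            m = RUN_KEY_RE.match(line)
            key = m.group(1) if m else None   # a non-Run key ends the block
            continue
        m = RUN_ENTRY_RE.match(line) if key else None
        if m:
            entries.append(RunEntry(key, m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return entries


def parse_running_processes(text):
    """Collect the paths under the 'Other Running Processes' header."""
    procs, active = [], False
    for line in text.splitlines():
        line = line.strip()
        if 'Other Running Processes' in line:
            active = True
        elif active and line.startswith('*'):
            break                             # row of asterisks closes the section
        elif active and PROC_PATH_RE.match(line):
            procs.append(line)
    return procs


def firewall_disabled(text):
    """True when the standard-profile firewall policy value is 0."""
    return any(FIREWALL_OFF_RE.match(ln.strip()) for ln in text.splitlines())


def triage(text):
    """Return (subject, detail, reason) tuples: hints for a reviewer, not verdicts."""
    findings = []
    for e in parse_run_entries(text):
        if '\\' not in e.command:
            findings.append((e.name, e.command, 'bare filename, resolved via the PATH search order'))
        elif TEMP_DIR_RE.search(e.command):
            findings.append((e.name, e.command, 'autostart from a temporary directory'))
    for p in parse_running_processes(text):
        if TEMP_DIR_RE.search(p):
            findings.append(('process', p, 'running from a temporary directory'))
    if firewall_disabled(text):
        findings.append(('firewall', 'EnableFirewall=0', 'Windows Firewall off in the standard profile'))
    return findings


if __name__ == '__main__':
    for subject, detail, reason in triage(SAMPLE_LOG):
        print(f'{subject:22} {detail:55} {reason}')
```

The same record types extend naturally to the other line shapes in the report (the Startup folder `.lnk` lines and the `R1`/`S3` service lines); only the regular expressions change.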

#6 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling

Posted 25 October 2010 - 09:40 PM

Hi runtotorun121,



I could neither paste nor type in the field...

If you're using FF, you can click on Browser button to select the target file to upload for scanning.

I was just worried since I didn't see that as a possibility listed in the directions on how to run ComboFix...

That's normal. If CF needs to remove obstinate files or persistent services, it will reboot the system, and the desktop icons will be empty for a while during the process.

other programs (not antivirus, malware protection, or firewall though) started up automatically...

That's abnormal. I have no idea how that happened. Need to ... Anyway, it seems not to have done any damage, does it? Hopefully. What you have done is perfect, and you reported everything in detail. :thumbup2: OK! Let's move on...


Go into the Control Panel (Classic View) and double-click the Java Icon. (looks like a coffee cup)

On the Update tab, click the Update Now button. When done, press Apply and the OK button. Then clear your Java cache as instructed in this thread.


Step1

Let's clean some temp files. Please do the following:

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.


If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Step2

  • Go here to run an online scanner from ESET and Save the file to your Desktop.
  • If you are not using Internet Explorer, double-click esetsmartinstaller_enu.exe to install it.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install.
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings and ensure these options are ticked:

    Scan for potentially unwanted applications
    Scan for potentially unsafe applications
    Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish.
  • Use Notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Copy/paste that log as a reply to this topic and also let me know how things are now.


In your next reply, please post back:

1.Eset Online Scanner Report.

Let me know if you have any remaining concerns on your pc.

#7 runtotorun121

runtotorun121
  • Topic Starter

  • Members
  • 90 posts

Posted 25 October 2010 - 09:47 PM

Just an aside if you are still around as I begin to follow your next steps. . .

I just noticed that since ComboFix ran, when I click on links in my emails from you my windows are automatically opening in the IE browser rather than Firefox, in which links previously opened (and which I prefer).

This is just annoying and not a crisis, but if you are able to direct me how to get back to Firefox while I am working on these next steps that would be super nice! :wink:

#8 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling

Posted 25 October 2010 - 09:59 PM

Hi runtotorun121,



Disable IE as default browser: From Here

Set firefox as default browser: From Here

Let me know if it's working for you. :thumbup2:

#9 runtotorun121

runtotorun121
  • Topic Starter

  • Members
  • 90 posts

Posted 26 October 2010 - 01:07 AM

Quote
I could neither paste nor type in the field...

If you're using FF, you can click on Browser button to select the target file to upload for scanning.


Tried that, but I suppose it is neither here nor there since I was able to get it done with IE. :huh: :)


1. Okay, when I went to update Java it had me install it and led me through several pop-up windows to do that. Was that okay???

Then the windows I got from my attempts to clear the Java cache looked different, perhaps because I have an updated version; however, in the "Temporary Files Settings" window I did click "Delete Files".

A question, though: At the top of that "Temporary Files Settings" window there was a box checked by "Keep temporary files on my computer." Was I supposed to leave that checked, or uncheck it? I left it checked since the directions on the link you provided to clear the cache didn't specify to uncheck it, but since the windows look different from that tutorial to my Java program I thought I should check with you! :unsure:



2. Completed ATF Cleaner.




3. Just FYI, the ESET Online Scanner 'Advanced Settings' showed my Microsoft Security Essentials was detected, but I had already deactivated the real time, and I was never asked about the 'ActiveX control'. . . :huh:

So I unticked 'Remove found threats', ticked 'Scan archives' (they were backwards when the scanner opened) and ticked the three boxes you indicated in the 'Advanced Settings' area.

Here is the log file: (I hope I copied and pasted the correct document. This is all I found, but it doesn't seem like a very long log.)

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=e0ee927da8ba4a4995320247f477af79
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-10-26 06:00:27
# local_time=2010-10-26 01:00:27 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5891 16776869 100 100 0 17573782 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=75297
# found=0
# cleaned=0
# scan_time=6825





Before you picked up my topic post things seemed to have died down with random tabs on my browser opening up, but it was strange because it didn't seem to have occurred as a result of anything I had recently done. It was as though the tabs opening were regular and then began to be more intermittent and then stopped, but there was nothing I was doing that would have correlated with the timing of these changes. This is why I have been wondering if something was laying around dormant and going to jump out later. I don't know how viruses work, but I thought maybe it could be programmed to hide for a while so it would be less suspicious and then start wreaking havoc again. Or maybe continue wreaking havoc but less obviously.

As far as any current noticeable symptoms, I am not seeing anything happening right now, but I don't know whether that indicates that everything is fixed or that there still might be something dormant lurking around in there. What do you think? Are you seeing anything in any of the logs you have requested that would suggest I still have a problem?

#10 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling

Posted 26 October 2010 - 01:45 AM

Hi runtotorun121,




Was I supposed to leave that checked, or uncheck it?


  • Go into the Control Panel (Classic View) and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave both Checked

    Applications and Applets
    Trace and Log Files
  • Click OK on Delete Temporary Files Window
  • Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


then began to be more intermittent and then stopped...


  • It is likely your browser was modified by the malware or rogue programs. Let's do some maintenance and hope to get it back to working order.
  • Click Start>Run>Type CMD>A command prompt DOS window will open. Type/Paste ipconfig /flushdns and then press Enter to purge the DNS resolver cache.
  • Please proceed to do some disk cleanup, disk defragmenter, and check disk as instructed in this thread .
  • Please go to Start -> Control Panel, and choose Network Connections. Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer.
  • Start your FF > Tools menu > Clear Private Data, check all boxes and press the Clear Private Data Now button.
  • If your Firefox isn't working properly, you're well advised to uninstall FF completely and do a clean reinstall. You may back up your Bookmarks before proceeding. Please go to Here and Here for your reference.

Are you seeing anything in any of the logs you have requested that would suggest I still have a problem...

No, I don't see any problems from your logs or the symptoms you described that suggest any malicious items lurking or "dormant" out there.

Other than that, your system appears to be clean now. :thumbsup: If you have no remaining concerns on your pc, let's do some tidying up and we can send you on your way.



Step1

Click START then RUN
Now copy/paste ComboFix /Uninstall in the runbox and click OK.
Note the space between the X and the /Uninstall, it needs to be there.

Posted Image

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.


Step2

Start OTL from your desktop.
  • Double click OTL and let it run
  • Then Click the Cleanup button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.


Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:


  • Update your antivirus programs

    Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system. You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check

  • Update all programs regularly - Make sure you update all the programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

  • Back up your valid registry - ERUNT (Emergency Recovery Utility NT) allows you to store a complete backup of your registry and restore it if needed. Due to malware effects, a corrupt registry can prevent a system from booting. You're well advised to back up your valid registry while the system is clean now. For more info: Here and Here.


Please check out Tony Klein's article "How did I get infected in the first place?"
Read some information Here how to prevent Malware.


Glad to be of help. Safe surfing!!

#11 runtotorun121

runtotorun121
  • Topic Starter

  • Members
  • 90 posts

Posted 26 October 2010 - 01:48 AM

Well crud.

It is either late, and I am tired so my brain is not working, or I have three babies, and I am tired so my brain is not working. . .

After I ran Eset and finished my post to you here I Googled something and went to two websites to read an article WITHOUT restarting my SpywareBlaster or my Microsoft Security Essentials OR enabling my firewall. Should I be frightened???

When I realized it I jumped out of bed and came in to set things straight and post this stupidity in case there is something I need to do to make sure I didn't reinfect or do something worse after all our work!!!

Grrrrr.

(and by the way, the emoticons are not showing up on this page for my post. That is not a scan-related thing, is it?)

#12 runtotorun121

runtotorun121
  • Topic Starter

  • Members
  • 90 posts

Posted 26 October 2010 - 02:05 AM

Okay, I am going to have to follow your steps in your last post to me tomorrow because I have to get a little sleep before the babies get up for the day, but I wanted to clarify something regarding the Java cache.

I did have both the boxes checked that you described:
Applications and Applets
Trace and Log Files

The box about which I was inquiring was actually at the top of the screen prior to that. It said "Keep temporary files on my computer."

So, to try not to be confusing: after I went to the General tab, under Temporary Internet Files, and clicked the Settings button, the "Temporary Files Settings" window opened and at the top it had that "Keep temporary files on my computer" box checked. It was down at the bottom where I clicked Delete Files, which brings up the next window with the Applications and Applets and Trace and Log Files boxes. So is the "Keep temporary files on my computer" box supposed to be checked for ongoing?

Have I confused you?

Okay, I just wanted to clarify that because from your redirection to me on clearing the cache again it looked as though I hadn't explained which check box I was actually wondering about.


There is a bit to do on your next list for me, and I have some things I have to do tomorrow, but I will get back to it ASAP. :)

Thank you tremendously for all your help today!!!

#13 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling

Posted 26 October 2010 - 02:20 AM

Hi runtotorun121,



Should I be frightened???

Easy!! If that bad luck happened, we know how to amend it asap.

the emoticons are not showing up on this page for my post. That is not a scan-related thing, is it?

Press the F5 button, and it will refresh the page. The icons should be present as usual.

So is the "Keep temporary files on my computer" box supposed to be checked for ongoing?

Yes, the "Keep temporary files on my computer" box should be checked. Take it easy and have a sweet dream. :thumbup2:

#14 runtotorun121

runtotorun121
  • Topic Starter

  • Members
  • 90 posts

Posted 26 October 2010 - 10:43 PM

Hi sundavis! :)

First, my browser is back to Firefox, the emoticons are showing up here, and I left alone the temporary files box you said to keep checked. THANK YOU!!! :thumbsup:

Second, just so I don't sit around and worry about the two websites I went to before I realized I hadn't turned on my real-time virus protection, firewall, and antispyware, is there anything I can/should do to try to check on those two sites or otherwise check my computer? The links were these:

1. http://wiki.answers.com/Q/What_is_Gracie_Thompson_from_the_movie_Gracie%27s_Choice_doing_now

2. http://www.rd.com/your-america-inspiring-people-and-stories/rd-on-tv-gracies-choice/article18017.html

I have done all the steps you recommended in your last post, and after I completed each of those tasks I then updated and ran my SUPERAntiSpyware, upgraded it to the real-time version, updated and ran my Malwarebytes, and updated and enabled all the definitions for my SpywareBlaster. I have not yet run a new Microsoft Security Essentials scan, but I will be doing that after Malwarebytes finishes.

One of the things I found from F-Secure Health Check was I needed to update my Adobe Reader. When I tried that I received an error at the end of the process. I did go to the website to troubleshoot, but even though I found the error code I have absolutely no idea what they are suggesting I do to fix this error. They give some directions, but I don't understand what they are saying to do. Is that in your section here, or do I need to get help elsewhere for that?

Here is the error message I received: Error 1402. Could not open key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL. Verify that you have sufficient access to that key, or contact your support personnel.




Finally, two last things. . .I think. ;)

1. Have you heard about the Swagbucks toolbar,and what is the general consensus about it?

2. While I understand it may be a personal choice from individual to individual, are there specific programs you would recommend to help keep my computer(s) secure?

As a reminder, I am running Microsoft Security Essentials. I had read reviews that it was doing pretty good, and, importantly, doesn't have a lot of the drag some other programs have on your computer while they are running. I have it running with the real time protection.

I also have SUPERAntiSpyware and SpywareBlaster running on my computer. Additionally, I have Malwarebytes that I run.

I am using only the free editions of all of these because. . .well, I have 13 month old triplets and am now a stay at home mom making things work with one income since the babies came! I am wondering whether or not these things are adequate, or am I missing something critical?

#15 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling

Posted 27 October 2010 - 12:07 AM

Hi runtotorun121,




Have you heard about the Swagbucks toolbar..

Swagbucks seems to be fine if one desires to collect special offers, code hunts, or free Swag Bucks for net shopping, etc. Frankly speaking, I don't use any commercial toolbars, but you should be extremely careful when it comes to coupon-related ones. There are lots of security leaks in that kind of stuff.

specific programs you would recommend ...or not these things are adequate, or am I missing something critical

One should not have more than one antivirus product installed and running on his computer at a time. It will cause false alarms and system performance problems. As to those free antimalware programs, it's just fine since they have no real-time protection, but too many security programs can't ensure your security at all. Sometimes it's just a resource hog. The security programs on your system seem to be good enough. Update those programs' virus definitions regularly and scan your computer on a regular basis. Everything should go smoothly. If not, you know where to turn to... :wink:

Those two sites seem normal, BTW. After running the following script with ComboFix, you should be able to update your Adobe Reader. The easy way is to uninstall Adobe Reader and get a new one.

Anyway, please download a new copy of ComboFix to your desktop and do the following:


Step1

  • Close any open browsers
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Go to Here for your reference.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:
Reglock::
[HKEY_LOCAL_MACHINE\software\Classes\.lst\PersistentHandler]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]



Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop

Posted Image

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Let me know If you still need assistance. :thumbup2:

Edited by sundavis, 27 October 2010 - 12:24 AM.
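Three things in this thread line up: the report's LOCKED REGISTRY KEYS section lists keys whose permissions deny access, the Adobe Reader installer later fails with Error 1402 on one of those keys (OptionalComponents\IMAIL), and the helper's CFScript resets permissions on those keys with ComboFix's Reglock:: directive. As an added example (not ComboFix's code, and not posted in this thread), the Python below parses the locked-keys section and the script, checks that every key the script would unlock is one the report actually listed as locked, and confirms that the key named in the Error 1402 message is among them. The sample text is copied from the posts above. How ComboFix derives the "(A 2)" annotation is not documented on the page; keeping only the principal in the final parentheses is my assumption about the notation.

```python
import re

# Constructed sample: the LOCKED REGISTRY KEYS section of the ComboFix report above, trimmed.
LOG_EXCERPT = r"""
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
"""

# Constructed samples: the CFScript posted above, and the installer error quoted earlier in the thread.
CFSCRIPT = r"""
Reglock::
[HKEY_LOCAL_MACHINE\software\Classes\.lst\PersistentHandler]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
"""
ERROR_1402 = (r"Error 1402. Could not open key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
              r"\CurrentVersion\Run\OptionalComponents\IMAIL. Verify that you have sufficient "
              "access to that key, or contact your support personnel.")

SECTION_RE = re.compile(r'^-+ LOCKED REGISTRY KEYS -+$')
HEADER_RE = re.compile(r'^-{3,} .+ -{3,}$')           # any other dashed section header
KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$', re.IGNORECASE)
DENIED_RE = re.compile(r'^@Denied:.*\(([^()]+)\)\s*$')  # assumption: last parens = principal
DACL_RE = re.compile(r'^@DACL=')
ERROR_KEY_RE = re.compile(r'Could not open key:\s*(\S+?)\.\s')


def parse_locked_keys(log_text):
    """Map each key ComboFix marks as locked to its marker ('denied:<who>' or 'dacl').
    Sub-keys printed without a marker are context only and are not returned."""
    locked, in_section, current = {}, False, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if SECTION_RE.match(line):
            in_section = True
            continue
        if not in_section:
            continue
        if HEADER_RE.match(line):
            break                                   # next section begins
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()            # registry paths are case-insensitive
            continue
        if current is None:
            continue
        m = DENIED_RE.match(line)
        if m:
            locked[current] = 'denied:' + m.group(1)
        elif DACL_RE.match(line):
            locked[current] = 'dacl'
    return locked


def parse_reglock_directive(script_text):
    """Keys listed under the Reglock:: directive of a CFScript, lower-cased."""
    keys, active = [], False
    for raw in script_text.splitlines():
        line = raw.strip()
        if line.endswith('::'):                     # a new directive starts
            active = (line.lower() == 'reglock::')
            continue
        m = KEY_RE.match(line) if active else None
        if m:
            keys.append(m.group(1).lower())
    return keys


def error_1402_key(message):
    """Registry key named in a Windows Installer 'Error 1402' message, or None."""
    m = ERROR_KEY_RE.search(message)
    return m.group(1) if m else None


def cross_check(log_text, script_text):
    """Compare what the script would unlock against what the report says is locked."""
    locked = parse_locked_keys(log_text)
    wanted = parse_reglock_directive(script_text)
    return {
        'confirmed': [k for k in wanted if k in locked],
        'not_in_log': [k for k in wanted if k not in locked],
        'not_in_script': [k for k in locked if k not in wanted],
    }


if __name__ == '__main__':
    result = cross_check(LOG_EXCERPT, CFSCRIPT)
    for bucket, keys in result.items():
        print(bucket, *keys, sep='\n  ')
    key = error_1402_key(ERROR_1402)
    print('Error 1402 key is locked:', key.lower() in parse_locked_keys(LOG_EXCERPT))
```

Run against this excerpt, the check reports one script key, `Classes\.lst\PersistentHandler`, that the quoted part of the report does not list; on a real case that is the key to go back and justify before running the script, because Reglock:: changes permissions rather than merely reporting them. A locked key is not evidence of malware on its own (legitimate installers set restrictive ACLs too); the point of the check is that the remediation script touches only what the evidence supports.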




