Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

help with rootkit (i think)


  • This topic is locked This topic is locked
20 replies to this topic

#1 hallsey666

hallsey666

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:08:03 PM

Posted 01 November 2010 - 09:11 PM

Referred from here: http://www.bleepingcomputer.com/forums/topic357501.html ~ OB

good evening. im very much new to this kind of thing and have alot to learn so i apologize in advance for any frustration on the part of anyone willing to help me. up to this point ive received a wealth of knowledge and assistance from mr. boopme who has been awesome and i appreciate it alot. he believes we are dealing with a rootkit i acquired through foolish p2p usage. im not sure what information would be most helpful so ill start with what the prep guide told me to do. here is the first dds log



DDS (Ver_10-11-01.01) - NTFSx86
Run by Ann at 22:04:18.34 on Mon 11/01/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.156 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\WINDOWS\vVX3000.exe
C:\PROGRA~1\iWonIE\bar\1.bin\idbrmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\mshta.exe
C:\Documents and Settings\Ann\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uDefault_Page_URL = hxxp://www.msn.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: N/A: {70bd8aab-ad49-42f5-b1bd-240f078c1a11} - c:\program files\iwonie\bar\1.bin\idSrcAs.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar1.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5825.1100\swg.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Toolbar BHO: {fc130ee2-5a2a-45a7-8e09-d2ca06c795a8} - c:\progra~1\iwonie\bar\1.bin\idbar.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn3\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: iWon Toolbar: {44843b6e-d44a-4b4f-bca4-559c86633dc6} - c:\program files\iwonie\bar\1.bin\idbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar1.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Dell AIO Printer A940] "c:\program files\dell aio printer a940\dlbabmgr.exe"
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [iWonIE Browser Plugin Loader] c:\progra~1\iwonie\bar\1.bin\idbrmon.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
IE: &Search - http://tbedits.iwon.com/one-toolbaredits/menusearch.jhtml?s=100000393&p=ZLxdm246YYUS&si=&a=B82819CF-2ABB-427E-A249-19F9DF274733&n=2010070400
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1253135388968
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} - hxxp://archives.gametap.com/static/cab_headless/GameTapWebUpdater.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: credstream.dll mapidev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ann\applic~1\mozilla\firefox\profiles\7d0uxucz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.dymasearch.com/search.php?src=tops&q=
FF - prefs.js: browser.search.selectedEngine - Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/?ilc=1
FF - prefs.js: keyword.URL - hxxp://www.dymasearch.com/search.php?src=tops&q=
FF - component: c:\program files\mozilla firefox\extensions\{98fbc2a4-6491-46b3-16fe-ab210b239b7b}\components\de4cf5f0-0db6-c43f-b5f5-940e75194027.dll
FF - plugin: c:\program files\gametap web player\bin\release\npGameTapWebPlayer.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: z: No Registry Reference - c:\program files\mozilla firefox\extensions\{98fbc2a4-6491-46b3-16fe-ab210b239b7b}

---- FIREFOX POLICIES ----
FF - user.js: google.toolbar.linkdoctor.enabled - false
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-15 165584]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-11-1 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-11-1 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-11-1 267432]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-6-15 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-15 40384]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-11-1 60936]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-15 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-15 40384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-2 135664]
S2 iWonIEService;iWon Toolbar Service;c:\progra~1\iwonie\bar\1.bin\idbarsvc.exe --> c:\progra~1\iwonie\bar\1.bin\idbarsvc.exe [?]

=============== Created Last 30 ================

2010-11-02 01:35:34 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-11-02 01:35:29 -------- d-----w- c:\program files\Avira
2010-11-02 01:35:29 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Avira
2010-11-01 14:22:25 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\SUPERAntiSpyware.com
2010-11-01 14:22:24 -------- d-----w- c:\docume~1\ann\applic~1\SUPERAntiSpyware.com
2010-11-01 14:21:59 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-10-31 01:04:51 -------- d-----w- C:\TDSSKiller_Quarantine
2010-10-27 02:17:09 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\STOPzilla!
2010-10-26 15:15:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-10-26 15:15:55 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Spybot - Search & Destroy
2010-10-20 02:07:35 -------- d-----w- c:\program files\Xenocode
2010-10-20 02:07:34 -------- d-----w- c:\windows\XSxS
2010-10-20 02:07:34 -------- d-----w- c:\docume~1\ann\locals~1\applic~1\Xenocode
2010-10-20 00:20:07 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-10-20 00:20:05 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-10-18 13:49:01 -------- d-----w- c:\docume~1\ann\locals~1\applic~1\Temp
2010-10-06 05:02:56 2401280 ----a-w- c:\program files\mozilla firefox\extensions\{98fbc2a4-6491-46b3-16fe-ab210b239b7b}\components\de4cf5f0-0db6-c43f-b5f5-940e75194027.dll
2010-10-03 13:10:14 -------- d-----w- c:\windows\system32\F012D0521DB

==================== Find3M ====================

2010-09-07 15:12:17 38848 ----a-w- c:\windows\avastSS.scr

============= FINISH: 22:06:23.60 ===============

here is the second

Merged posts. ~ OB

Attached Files


Edited by Orange Blossom, 01 November 2010 - 10:06 PM.


BC AdBot (Login to Remove)

 


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:04:03 AM

Posted 09 November 2010 - 04:45 AM

Hello ,
And :welcome: to the Bleeping Computer Malware Removal Forum
. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download Rootkit Unhooker and save it to your Desktop
  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop
Copy the entire contents of the report and paste it in a reply here.

Note - you may get this warning it is ok, just ignore: "Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


-------------------------------------------------------------
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • RKU log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 hallsey666

hallsey666
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:08:03 PM

Posted 09 November 2010 - 05:11 PM

hi elise, thank you very very much for devoting your time to helping people. you have no idea how much i appreciate it. damn computer is still running slower than it should be. when i check on the processes through task manager i notice an inordinate amount of memory being used by either mshta or svchost processes. mr boopme graciously informed me that these arent necessarily malware. also page file usuage is way higher than it used to be. often while browsing the internet i notice a tab(usually the one im currently using) acts like its trying to load a page when i didnt direct it to. avast always pops up with a little red window informing me a malicious url or a trojan has been blocked. this happens constantly. im assuming this is whats meant by redirect? occasionally the browser wont work at all or even load up and only after several shut-downs and reboots do i regain access. im trying to think of any other info that might be useful. in the meantime here is both otl logs and ill be right back with the unhooker report. thank you again...

-m

OTL logfile created on: 11/9/2010 4:24:02 PM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Ann\My Documents\Downloads
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.00 Mb Total Physical Memory | 92.00 Mb Available Physical Memory | 18.00% Memory free
1.00 Gb Paging File | 0.00 Gb Available in Paging File | 22.00% Paging File free
Paging file location(s): c:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 4.96 Gb Free Space | 13.32% Space Free | Partition Type: NTFS
Unable to calculate disk information.

Computer Name: MANTIA | User Name: Ann | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/11/09 16:23:05 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ann\My Documents\Downloads\OTL.exe
PRC - [2010/11/03 17:56:02 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2010/11/03 17:56:00 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/11/03 17:56:00 | 000,267,944 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2010/10/29 19:13:09 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/10/25 13:46:59 | 002,424,560 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2010/09/07 10:12:02 | 002,838,912 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/09/07 10:11:59 | 000,040,384 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2010/07/03 23:31:24 | 000,020,480 | ---- | M] (iWon) -- C:\Program Files\iWonIE\bar\1.bin\idbrmon.exe
PRC - [2010/05/20 14:27:26 | 000,762,736 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\vVX3000.exe
PRC - [2010/05/20 14:27:24 | 000,139,632 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe
PRC - [2010/01/14 21:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2009/03/05 15:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2009/02/23 08:05:34 | 000,111,856 | ---- | M] (Yahoo! Inc) -- C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
PRC - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2004/08/04 02:56:49 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/11/09 16:23:05 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ann\My Documents\Downloads\OTL.exe
MOD - [2010/07/03 23:31:24 | 000,024,576 | ---- | M] (iWon) -- C:\Program Files\iWonIE\bar\1.bin\idbrstub.dll
MOD - [2006/08/25 10:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\PROGRA~1\iWonIE\bar\1.bin\idbarsvc.exe -- (iWonIEService)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/11/03 17:56:02 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2010/11/03 17:56:00 | 000,267,944 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010/09/07 10:11:59 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/09/07 10:11:59 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/09/07 10:11:59 | 000,040,384 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2010/05/20 14:27:24 | 000,139,632 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe -- (MSCamSvc)
SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)


========== Driver Services (SafeList) ==========

DRV - [2010/11/03 17:56:03 | 000,126,856 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2010/11/03 17:56:02 | 000,060,936 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010/09/07 09:52:25 | 000,046,672 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/09/07 09:52:03 | 000,165,584 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/09/07 09:47:46 | 000,023,376 | ---- | M] (AVAST Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/09/07 09:47:19 | 000,100,176 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2010/09/07 09:47:07 | 000,017,744 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/09/07 09:46:51 | 000,028,880 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2010/05/20 14:27:26 | 001,961,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\VX3000.sys -- (VX3000)
DRV - [2010/05/10 13:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 13:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/09/03 17:04:06 | 000,024,576 | ---- | M] (Exent Technologies Ltd.) [Kernel | Auto | Running] -- C:\Program Files\GameTap Web Player\bin\release\X4HSX32.sys -- (X4HSX32)
DRV - [2009/05/11 11:49:19 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2009/05/11 09:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2004/08/04 01:07:55 | 000,059,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2003/08/29 03:59:24 | 001,101,696 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMSM.sys -- (BCMModem)
DRV - [2003/05/15 17:09:32 | 000,043,136 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2002/04/15 13:31:50 | 000,107,776 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ac97ich4.sys -- (ac97intc) Intel® 82801DB/DBM Audio Driver Service (WDM)
DRV - [2001/08/22 07:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)
DRV - [2001/08/17 11:11:44 | 000,026,698 | ---- | M] (D-Link Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\DLH5XND5.sys -- (DLH5X)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaults/cs/msgr9/*http://www.yahoo.com/ext/search/search.html
IE - HKLM\..\URLSearchHook: {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)


IE - HKU\.DEFAULT\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll (Yahoo! Inc.)
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1417001333-651377827-725345543-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
IE - HKU\S-1-5-21-1417001333-651377827-725345543-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = www.bing.com [binary data]
IE - HKU\S-1-5-21-1417001333-651377827-725345543-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
IE - HKU\S-1-5-21-1417001333-651377827-725345543-1005\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-1417001333-651377827-725345543-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1417001333-651377827-725345543-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-1417001333-651377827-725345543-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-1417001333-651377827-725345543-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 18 25 A2 F3 23 5F CB 01 [binary data]
IE - HKU\S-1-5-21-1417001333-651377827-725345543-1005\..\URLSearchHook: *{03402f96-3dc7-4285-bc50-9e81fefafe43} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-1417001333-651377827-725345543-1005\..\URLSearchHook: *{54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-1417001333-651377827-725345543-1005\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-1417001333-651377827-725345543-1005\..\URLSearchHook: *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-1417001333-651377827-725345543-1005\..\URLSearchHook: {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll (America Online, Inc.)
IE - HKU\S-1-5-21-1417001333-651377827-725345543-1005\..\URLSearchHook: {70bd8aab-ad49-42f5-b1bd-240f078c1a11} - C:\Program Files\iWonIE\bar\1.bin\idSrcAs.dll (iWon)
IE - HKU\S-1-5-21-1417001333-651377827-725345543-1005\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-1417001333-651377827-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1417001333-651377827-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Search"
FF - prefs.js..browser.search.defaulturl: "http://www.dymasearch.com/search.php?src=tops&q="
FF - prefs.js..browser.search.selectedEngine: "Search"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/?ilc=1"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {98fbc2a4-6491-46b3-16fe-ab210b239b7b}:4.6.7.1
FF - prefs.js..keyword.URL: "http://www.dymasearch.com/search.php?src=tops&q="


FF - HKLM\software\mozilla\Mozilla Firefox 3.5.15\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/10/29 19:13:20 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.15\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/10/29 19:13:20 | 000,000,000 | ---D | M]

[2010/08/02 21:10:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ann\Application Data\Mozilla\Extensions
[2010/08/02 21:10:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ann\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2010/11/08 08:22:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ann\Application Data\Mozilla\Firefox\Profiles\7d0uxucz.default\extensions
[2010/07/19 06:49:45 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Ann\Application Data\Mozilla\Firefox\Profiles\7d0uxucz.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/06/21 07:13:23 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\Ann\Application Data\Mozilla\Firefox\Profiles\7d0uxucz.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2010/10/26 09:36:33 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Ann\Application Data\Mozilla\Firefox\Profiles\7d0uxucz.default\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D}
[2010/10/06 00:03:02 | 000,000,254 | ---- | M] () -- C:\Documents and Settings\Ann\Application Data\Mozilla\Firefox\Profiles\7d0uxucz.default\searchplugins\Search.xml
[2010/08/06 11:56:26 | 000,001,201 | ---- | M] () -- C:\Documents and Settings\Ann\Application Data\Mozilla\Firefox\Profiles\7d0uxucz.default\searchplugins\winamp-search.xml
[2010/11/08 08:22:34 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/05/23 16:02:22 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2010/10/06 00:02:56 | 000,000,000 | ---D | M] (z) -- C:\Program Files\Mozilla Firefox\extensions\{98fbc2a4-6491-46b3-16fe-ab210b239b7b}
[2008/05/23 16:01:58 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\real-networks@partners.mozilla.com
[2007/12/19 07:57:38 | 000,310,272 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
[2007/04/16 12:07:12 | 000,180,293 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll

O1 HOSTS File: ([2010/10/26 21:23:19 | 000,422,707 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 14575 more lines...
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll (Yahoo! Inc.)
O2 - BHO: (AskBar BHO) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar1.dll (Ask.com)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (AOLSearchHook Class) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll (America Online, Inc.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found.
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5825.1100\swg.dll (Google Inc.)
O2 - BHO: (AIM Toolbar Loader) - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
O2 - BHO: (MSN Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll (Microsoft Corp.)
O2 - BHO: (Toolbar BHO) - {fc130ee2-5a2a-45a7-8e09-d2ca06c795a8} - C:\Program Files\iWonIE\bar\1.bin\idbar.dll (iWon)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (MSN Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar1.dll (Ask.com)
O3 - HKLM\..\Toolbar: (iWon Toolbar) - {44843b6e-d44a-4b4f-bca4-559c86633dc6} - C:\Program Files\iWonIE\bar\1.bin\idbar.dll (iWon)
O3 - HKLM\..\Toolbar: (AIM Toolbar) - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-1417001333-651377827-725345543-1005\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-1417001333-651377827-725345543-1005\..\Toolbar\WebBrowser: (Ask Toolbar) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - C:\Program Files\AskBarDis\bar\bin\askBar1.dll (Ask.com)
O3 - HKU\S-1-5-21-1417001333-651377827-725345543-1005\..\Toolbar\WebBrowser: (iWon Toolbar) - {44843B6E-D44A-4B4F-BCA4-559C86633DC6} - C:\Program Files\iWonIE\bar\1.bin\idbar.dll (iWon)
O3 - HKU\S-1-5-21-1417001333-651377827-725345543-1005\..\Toolbar\WebBrowser: (AIM Toolbar) - {61539ECD-CC67-4437-A03C-9AACCBD14326} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
O3 - HKU\S-1-5-21-1417001333-651377827-725345543-1005\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [iWonIE Browser Plugin Loader] C:\Program Files\iWonIE\bar\1.bin\idbrmon.exe (iWon)
O4 - HKLM..\Run: [LifeCam] C:\Program Files\Microsoft LifeCam\LifeExp.exe (Microsoft Corporation)
O4 - HKLM..\Run: [VX3000] C:\WINDOWS\vVX3000.exe (Microsoft Corporation)
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe (Nullsoft, Inc.)
O4 - HKLM..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O4 - HKU\S-1-5-21-1417001333-651377827-725345543-1005..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe ()
O4 - HKU\S-1-5-21-1417001333-651377827-725345543-1005..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKU\S-1-5-21-1417001333-651377827-725345543-1005..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKU\S-1-5-21-1417001333-651377827-725345543-1005..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKU\S-1-5-21-1417001333-651377827-725345543-1005..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil10h_Plugin.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\Anne Mantia\Start Menu\Programs\Startup\TurnTo10.com Live Online.lnk = C:\Program Files\TurnTo10.com Live Online\liveonline_2441681.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1417001333-651377827-725345543-1005\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-1417001333-651377827-725345543-1005\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-21-1417001333-651377827-725345543-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-1417001333-651377827-725345543-1005\..Trusted Domains: ([]msn in My Computer)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1253135388968 (WUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} http://archives.gametap.com/static/cab_headless/GameTapWebUpdater.cab (GameTap Web Updater)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - AppInit_DLLs: (credstream.dll) - File not found
O20 - AppInit_DLLs: (mapidev.dll) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Ann\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Ann\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/09/09 15:03:05 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{31cf07da-78a0-11df-9087-000bdbb6efe4}\Shell\AutoRun\command - "" = p6xebrnt.exe
O33 - MountPoints2\{31cf07da-78a0-11df-9087-000bdbb6efe4}\Shell\open\Command - "" = p6xebrnt.exe
O33 - MountPoints2\{509791e5-da3d-11df-90a8-000bdbb6efe4}\Shell - "" = AutoRun
O33 - MountPoints2\{509791e5-da3d-11df-90a8-000bdbb6efe4}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-1417001333-651377827-725345543-1005\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/11/07 11:44:24 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Ann\Recent
[2010/11/01 22:55:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ann\Local Settings\Application Data\Yahoo!
[2010/11/01 20:35:38 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2010/11/01 20:35:34 | 000,126,856 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2010/11/01 20:35:34 | 000,060,936 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2010/11/01 20:35:34 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2010/11/01 20:35:34 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2010/11/01 20:35:29 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2010/11/01 20:35:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Avira
[2010/11/01 09:22:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
[2010/11/01 09:22:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ann\Application Data\SUPERAntiSpyware.com
[2010/11/01 09:21:59 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/10/30 20:04:51 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2010/10/26 21:17:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\STOPzilla!
[2010/10/26 10:30:08 | 001,317,464 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Ann\Desktop\TDSSKiller.exe
[2010/10/26 10:15:55 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/10/26 10:15:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
[2010/10/19 21:07:35 | 000,000,000 | ---D | C] -- C:\Program Files\Xenocode
[2010/10/19 21:07:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\XSxS
[2010/10/19 21:07:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ann\Local Settings\Application Data\Xenocode
[2010/10/18 08:49:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ann\Local Settings\Application Data\Temp
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\Ann\Desktop\*.tmp files -> C:\Documents and Settings\Ann\Desktop\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/11/09 15:54:02 | 000,000,888 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/11/09 15:47:12 | 000,000,402 | ---- | M] () -- C:\WINDOWS\tasks\At17.job
[2010/11/09 15:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\tasks\At11.job
[2010/11/09 14:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\tasks\At12.job
[2010/11/09 13:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\tasks\At13.job
[2010/11/09 12:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\tasks\At16.job
[2010/11/09 11:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\tasks\At15.job
[2010/11/09 10:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\tasks\At14.job
[2010/11/09 09:54:02 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/11/09 09:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\tasks\At10.job
[2010/11/07 08:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\tasks\At9.job
[2010/11/07 07:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\tasks\At8.job
[2010/11/07 06:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\tasks\At7.job
[2010/11/07 05:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\tasks\At5.job
[2010/11/07 04:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\tasks\At6.job
[2010/11/07 03:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2010/11/07 02:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2010/11/07 00:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2010/11/06 23:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2010/11/06 22:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\tasks\At22.job
[2010/11/06 21:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\tasks\At24.job
[2010/11/06 20:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\tasks\At23.job
[2010/11/06 19:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\tasks\At18.job
[2010/11/06 18:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\tasks\At19.job
[2010/11/06 17:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\tasks\At20.job
[2010/11/06 16:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\tasks\At21.job
[2010/11/06 07:47:07 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/11/05 12:39:54 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/11/05 09:24:30 | 000,000,504 | ---- | M] () -- C:\WINDOWS\DELLSTAT.INI
[2010/11/05 09:13:03 | 000,002,483 | ---- | M] () -- C:\Documents and Settings\Ann\Desktop\Microsoft Word.lnk
[2010/11/05 08:46:03 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/11/03 17:56:03 | 000,126,856 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2010/11/03 17:56:02 | 000,060,936 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2010/11/02 13:43:39 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\CCleaner.lnk
[2010/11/01 22:47:52 | 414,475,412 | ---- | M] () -- C:\Documents and Settings\Ann\My Documents\magic-_the_gathering.zip
[2010/11/01 21:44:07 | 000,004,195 | ---- | M] () -- C:\Documents and Settings\Ann\Desktop\Attach.zip
[2010/11/01 20:36:17 | 000,001,707 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Avira AntiVir Control Center.lnk
[2010/11/01 09:22:14 | 000,001,678 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/10/30 20:02:11 | 001,317,464 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Ann\Desktop\TDSSKiller.exe
[2010/10/29 21:13:15 | 000,001,520 | ---- | M] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2010/10/26 21:23:19 | 000,422,707 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/10/26 10:16:03 | 000,000,951 | ---- | M] () -- C:\Documents and Settings\Ann\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2010/10/26 10:16:03 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\Ann\Desktop\Spybot - Search & Destroy.lnk
[2010/10/26 09:43:32 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes' Anti-Malware.lnk
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\Ann\Desktop\*.tmp files -> C:\Documents and Settings\Ann\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/11/02 13:43:39 | 000,000,682 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\CCleaner.lnk
[2010/11/01 21:44:07 | 000,004,195 | ---- | C] () -- C:\Documents and Settings\Ann\Desktop\Attach.zip
[2010/11/01 20:36:17 | 000,001,707 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Avira AntiVir Control Center.lnk
[2010/11/01 09:22:14 | 000,001,678 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/10/29 21:11:49 | 000,001,520 | ---- | C] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2010/10/26 10:16:03 | 000,000,951 | ---- | C] () -- C:\Documents and Settings\Ann\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2010/10/26 10:16:03 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\Ann\Desktop\Spybot - Search & Destroy.lnk
[2010/10/20 21:26:54 | 000,000,402 | ---- | C] () -- C:\WINDOWS\tasks\At24.job
[2010/10/20 21:26:54 | 000,000,402 | ---- | C] () -- C:\WINDOWS\tasks\At23.job
[2010/10/20 21:26:54 | 000,000,402 | ---- | C] () -- C:\WINDOWS\tasks\At22.job
[2010/10/20 21:26:50 | 000,000,402 | ---- | C] () -- C:\WINDOWS\tasks\At21.job
[2010/10/20 21:26:50 | 000,000,402 | ---- | C] () -- C:\WINDOWS\tasks\At20.job
[2010/10/20 21:26:50 | 000,000,402 | ---- | C] () -- C:\WINDOWS\tasks\At19.job
[2010/10/20 21:26:50 | 000,000,402 | ---- | C] () -- C:\WINDOWS\tasks\At18.job
[2010/10/20 21:26:50 | 000,000,402 | ---- | C] () -- C:\WINDOWS\tasks\At17.job
[2010/10/20 21:26:50 | 000,000,402 | ---- | C] () -- C:\WINDOWS\tasks\At16.job
[2010/10/20 21:26:50 | 000,000,402 | ---- | C] () -- C:\WINDOWS\tasks\At15.job
[2010/10/20 21:26:50 | 000,000,402 | ---- | C] () -- C:\WINDOWS\tasks\At14.job
[2010/10/20 21:26:50 | 000,000,402 | ---- | C] () -- C:\WINDOWS\tasks\At13.job
[2010/10/20 21:26:49 | 000,000,402 | ---- | C] () -- C:\WINDOWS\tasks\At12.job
[2010/10/20 21:26:49 | 000,000,402 | ---- | C] () -- C:\WINDOWS\tasks\At11.job
[2010/10/20 21:26:48 | 000,000,402 | ---- | C] () -- C:\WINDOWS\tasks\At10.job
[2010/10/20 21:26:47 | 000,000,402 | ---- | C] () -- C:\WINDOWS\tasks\At9.job
[2010/10/20 21:26:47 | 000,000,402 | ---- | C] () -- C:\WINDOWS\tasks\At8.job
[2010/10/20 21:26:47 | 000,000,402 | ---- | C] () -- C:\WINDOWS\tasks\At7.job
[2010/10/20 21:26:47 | 000,000,402 | ---- | C] () -- C:\WINDOWS\tasks\At6.job
[2010/10/20 21:26:47 | 000,000,402 | ---- | C] () -- C:\WINDOWS\tasks\At5.job
[2010/10/20 21:26:47 | 000,000,402 | ---- | C] () -- C:\WINDOWS\tasks\At4.job
[2010/10/20 21:26:47 | 000,000,402 | ---- | C] () -- C:\WINDOWS\tasks\At3.job
[2010/10/20 21:26:47 | 000,000,402 | ---- | C] () -- C:\WINDOWS\tasks\At2.job
[2010/10/20 21:26:46 | 000,000,402 | ---- | C] () -- C:\WINDOWS\tasks\At1.job
[2010/07/20 08:49:15 | 000,000,833 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2010/04/28 20:32:09 | 000,015,498 | ---- | C] () -- C:\WINDOWS\VX3000.ini
[2009/12/28 12:46:03 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\Ann\Application Data\B239F0
[2009/12/28 12:46:02 | 000,870,128 | ---- | C] () -- C:\Documents and Settings\Ann\Application Data\mcs.rma
[2009/09/23 14:01:08 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/09/10 19:41:18 | 000,015,360 | ---- | C] () -- C:\Documents and Settings\Ann\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/09/10 16:44:20 | 000,000,504 | ---- | C] () -- C:\WINDOWS\DELLSTAT.INI
[2009/09/09 10:13:44 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/08/15 22:06:55 | 000,196,470 | ---- | C] () -- C:\Program Files\ePSXeCutor1060.zip
[2009/08/15 21:58:29 | 000,529,265 | ---- | C] () -- C:\Program Files\epsxe170.zip
[2009/08/14 00:47:35 | 000,011,982 | ---- | C] () -- C:\Program Files\Final_Fantasy_VII_PC_(Not_Ultimate_Edition).4090171.TPB.torrent
[2004/12/13 15:05:02 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlbavs.dll
[2004/12/13 15:04:05 | 000,000,177 | ---- | C] () -- C:\WINDOWS\System32\dlbacoin.ini
[2002/09/03 11:58:49 | 000,028,400 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys

========== LOP Check ==========

[2009/08/18 23:34:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\acccore
[2009/08/18 23:35:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AIM Toolbar
[2006/08/26 10:59:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Authentium
[2004/09/22 22:32:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
[2009/08/31 19:00:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DriverCure
[2009/07/25 17:08:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Flip Video
[2009/08/05 23:22:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GameTap Web Player
[2008/07/23 12:50:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Individual Software
[2009/08/14 00:50:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
[2009/08/18 23:35:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/10/28 23:45:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\AIM
[2009/10/28 23:45:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\AIM Toolbar
[2010/06/15 12:08:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Alwil Software
[2010/04/11 13:51:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\AVG Security Toolbar
[2010/06/16 12:13:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg9
[2009/09/10 16:44:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\BVRP Software
[2009/09/24 00:01:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\GameTap Web Player
[2010/09/17 17:54:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\PMB Files
[2010/10/29 22:19:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\STOPzilla!
[2010/08/03 00:01:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/10/28 23:46:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ann\Application Data\acccore
[2010/11/03 11:17:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ann\Application Data\LimeWire
[2009/09/16 18:57:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ann\Application Data\OpenOffice.org
[2010/09/15 07:36:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ann\Application Data\PriceGong
[2009/08/18 23:40:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Anne Mantia\Application Data\acccore
[2009/08/14 09:29:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Anne Mantia\Application Data\DriverCure
[2008/07/23 12:52:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Anne Mantia\Application Data\Individual Software
[2009/02/19 19:10:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Anne Mantia\Application Data\Leadertech
[2007/11/01 17:53:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Anne Mantia\Application Data\Viewpoint
[2006/08/21 18:40:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Anne Mantia\Application Data\Walgreens
[2008/12/19 23:53:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kimberly Mantia\Application Data\Leadertech
[2010/09/13 08:31:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard\Application Data\PriceGong
[2009/08/14 20:59:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Richard Mantia\Application Data\DriverCure
[2010/11/06 23:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\Tasks\At1.job
[2010/11/09 09:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\Tasks\At10.job
[2010/11/09 15:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\Tasks\At11.job
[2010/11/09 14:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\Tasks\At12.job
[2010/11/09 13:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\Tasks\At13.job
[2010/11/09 10:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\Tasks\At14.job
[2010/11/09 11:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\Tasks\At15.job
[2010/11/09 12:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\Tasks\At16.job
[2010/11/09 15:47:12 | 000,000,402 | ---- | M] () -- C:\WINDOWS\Tasks\At17.job
[2010/11/06 19:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\Tasks\At18.job
[2010/11/06 18:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\Tasks\At19.job
[2010/11/07 02:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\Tasks\At2.job
[2010/11/06 17:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\Tasks\At20.job
[2010/11/06 16:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\Tasks\At21.job
[2010/11/06 22:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\Tasks\At22.job
[2010/11/06 20:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\Tasks\At23.job
[2010/11/06 21:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\Tasks\At24.job
[2010/11/07 00:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\Tasks\At3.job
[2010/11/07 03:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\Tasks\At4.job
[2010/11/07 05:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\Tasks\At5.job
[2010/11/07 04:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\Tasks\At6.job
[2010/11/07 06:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\Tasks\At7.job
[2010/11/07 07:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\Tasks\At8.job
[2010/11/07 08:47:00 | 000,000,402 | ---- | M] () -- C:\WINDOWS\Tasks\At9.job

========== Purity Check ==========



< End of report >

#4 hallsey666

hallsey666
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:08:03 PM

Posted 09 November 2010 - 05:13 PM

OTL Extras logfile created on: 11/9/2010 4:24:02 PM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Ann\My Documents\Downloads
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.00 Mb Total Physical Memory | 92.00 Mb Available Physical Memory | 18.00% Memory free
1.00 Gb Paging File | 0.00 Gb Available in Paging File | 22.00% Paging File free
Paging file location(s): c:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 4.96 Gb Free Space | 13.32% Space Free | Partition Type: NTFS
Unable to calculate disk information.

Computer Name: MANTIA | User Name: Ann | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-1417001333-651377827-725345543-1005\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- Reg Error: Key error. File not found
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"58431:TCP" = 58431:TCP:*:Enabled:Pando Media Booster
"58431:UDP" = 58431:UDP:*:Enabled:Pando Media Booster

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"58431:TCP" = 58431:TCP:*:Enabled:Pando Media Booster
"58431:UDP" = 58431:UDP:*:Enabled:Pando Media Booster

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\GameTap Web Player\bin\release\GameTapPlayer.exe" = C:\Program Files\GameTap Web Player\bin\release\GameTapPlayer.exe:*:Enabled:GameTap Web Player -- (Metaboli)
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AIM -- (AOL LLC)
"E:\RECYCLER\S-51-9-25-3434476501-1644491933-601013366-1214\Cafgm.exe" = E:\RECYCLER\S-51-9-25-3434476501-1644491933-601013366-1214\Cafgm.exe:*:C:\WINDOWS\system32\drivers\Cafgm.exe -- File not found
"C:\DOCUME~1\Richard\LOCALS~1\Temp\eraseme_03464.exe" = C:\DOCUME~1\Richard\LOCALS~1\Temp\eraseme_03464.exe:*:C:\WINDOWS\system32\drivers\Cbccm.exe -- File not found
"C:\Program Files\Microsoft LifeCam\LifeExp.exe" = C:\Program Files\Microsoft LifeCam\LifeExp.exe:*:Enabled:LifeExp.exe -- (Microsoft Corporation)
"C:\Program Files\Microsoft LifeCam\LifeCam.exe" = C:\Program Files\Microsoft LifeCam\LifeCam.exe:*:Enabled:LifeCam.exe -- (Microsoft Corporation)
"C:\Program Files\Microsoft LifeCam\LifeEnC2.exe" = C:\Program Files\Microsoft LifeCam\LifeEnC2.exe:*:Enabled:LifeEnC2.exe -- (Microsoft Corporation)
"C:\Program Files\Microsoft LifeCam\LifeTray.exe" = C:\Program Files\Microsoft LifeCam\LifeTray.exe:*:Enabled:LifeTray.exe -- (Microsoft Corporation)
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- (Lime Wire, LLC)
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()
"C:\Documents and Settings\Ann\My Documents\magic-_the_gathering\Magic\Manalink.exe" = C:\Documents and Settings\Ann\My Documents\magic-_the_gathering\Magic\Manalink.exe:*:Enabled:manalink -- (MicroProse Software, Inc.)
"C:\DOCUME~1\Ann\LOCALS~1\Temp\ijuB4.tmp" = C:\DOCUME~1\Ann\LOCALS~1\Temp\ijuB4.tmp:*:enabled:@xpsp2res.dll,-22019 -- File not found
"C:\DOCUME~1\Ann\LOCALS~1\Temp\xxxwrp010yyzz\bin\javaw.exe" = C:\DOCUME~1\Ann\LOCALS~1\Temp\xxxwrp010yyzz\bin\javaw.exe:*:enabled:@xpsp2res.dll,-22019 -- File not found
"C:\Program Files\Anarchy\AgeOfCastles\Age-of-Castles.exe" = C:\Program Files\Anarchy\AgeOfCastles\Age-of-Castles.exe:*:Disabled:Age of Castles -- File not found


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0CB9668D-F979-4F31-B8B8-67FE90F929F8}" = Bonjour
"{0DEA94ED-915A-4834-A87E-388D012C8E02}" = Medal of Honor Allied Assault
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 17
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3560CE5A-C4EF-4DB0-9ECC-BA035FE309C5}" = MSN Toolbar
"{4468EF97-A253-4699-9E1C-88CAE2C6832D}" = ABBYY FineReader 5.0 Sprint
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{52504CE6-E909-4113-B232-4AFEC6543A61}" = Broadcom 440x 10/100 Integrated Controller
"{5FC7AB5C-61FC-42DF-A923-5139BCF10D42}" = Microsoft LifeCam
"{66D6F3BD-CA23-41A4-9FA3-96B26B32528C}" = Command & Conquer The First Decade
"{6D8D64BE-F500-55B6-705D-DFD08AFE0624}" = Acrobat.com
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{86C0E2A3-1EDA-4F01-A43D-80DA8642813C}_is1" = GameTap Web Player
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics Driver
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90300409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Media Content
"{91130409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Small Business
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{B2D328BE-45AD-4D92-96F9-2151490A203E}" = Apple Application Support
"{B3BC9DB1-0B0A-48B0-B86B-EA77CAA7F800}" = Microsoft Corporation
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C4124E95-5061-4776-8D5D-E3D931C778E1}" = Microsoft VC9 runtime libraries
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F45298E5-0083-426F-A668-1A2C5F04B8A0}" = FaxTools
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AIM Search" = AIM Search
"AIM Toolbar" = AIM Toolbar
"AIM_7" = AIM 7
"Ask Toolbar_is1" = Ask Toolbar
"avast5" = avast! Free Antivirus
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"BCM V.92 56K Modem" = BCM V.92 56K Modem
"CCleaner" = CCleaner
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Defraggler" = Defraggler
"Dell AIO Printer A940" = Dell AIO Printer A940
"ESET Online Scanner" = ESET Online Scanner v3
"ie8" = Windows Internet Explorer 8
"InstallShield_{52504CE6-E909-4113-B232-4AFEC6543A61}" = Broadcom 440x 10/100 Integrated Controller
"iWonIEbar Uninstall" = iWon Toolbar
"LimeWire" = LimeWire 5.5.16
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.15)" = Mozilla Firefox (3.5.15)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"SoftwareUpdUtility" = Download Updater (AOL LLC)
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 2
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Search Defender" = Yahoo! Search Protection
"Yahoo! Software Update" = Yahoo! Software Update

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1417001333-651377827-725345543-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Yahoo! BrowserPlus" = Yahoo! BrowserPlus 2.9.8

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/30/2010 9:39:33 PM | Computer Name = MANTIA | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.1.3909, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 9/30/2010 9:40:44 PM | Computer Name = MANTIA | Source = Application Hang | ID = 1001
Description = Fault bucket 2030410484.

Error - 10/3/2010 9:50:41 PM | Computer Name = MANTIA | Source = Application Error | ID = 1000
Description = Faulting application shandalar.exe, version 6.1.0.0, faulting module
shandalar.exe, version 6.1.0.0, fault address 0x0017bd4c.

Error - 10/6/2010 1:06:44 AM | Computer Name = MANTIA | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 10/10/2010 3:13:36 AM | Computer Name = MANTIA | Source = Application Error | ID = 1000
Description = Faulting application shandalar.exe, version 6.1.0.0, faulting module
shandalar.exe, version 6.1.0.0, fault address 0x0017bc1a.

Error - 10/10/2010 1:52:00 PM | Computer Name = MANTIA | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 10/10/2010 1:52:00 PM | Computer Name = MANTIA | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 10/10/2010 10:06:28 PM | Computer Name = MANTIA | Source = Application Error | ID = 1000
Description = Faulting application shandalar.exe, version 6.1.0.0, faulting module
shandalar.exe, version 6.1.0.0, fault address 0x0017bd4c.

Error - 10/11/2010 4:54:45 PM | Computer Name = MANTIA | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module 997fa2d5-9fe2-6ccc-9020-d740aea3f884.dll, version 0.0.0.0, fault address
0x00043e74.

Error - 10/11/2010 4:54:53 PM | Computer Name = MANTIA | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 11/2/2010 6:55:18 PM | Computer Name = MANTIA | Source = Service Control Manager | ID = 7000
Description = The iWon Toolbar Service service failed to start due to the following
error: %%2

Error - 11/2/2010 6:55:18 PM | Computer Name = MANTIA | Source = Service Control Manager | ID = 7000
Description = The MCSTRM service failed to start due to the following error: %%2

Error - 11/5/2010 1:38:02 PM | Computer Name = MANTIA | Source = DCOM | ID = 10010
Description = The server {B2B3C70A-B20F-40B7-90C5-EA7E946C16E0} did not register
with DCOM within the required timeout.

Error - 11/5/2010 1:38:32 PM | Computer Name = MANTIA | Source = DCOM | ID = 10010
Description = The server {B2B3C70A-B20F-40B7-90C5-EA7E946C16E0} did not register
with DCOM within the required timeout.

Error - 11/5/2010 1:40:43 PM | Computer Name = MANTIA | Source = Service Control Manager | ID = 7000
Description = The iWon Toolbar Service service failed to start due to the following
error: %%2

Error - 11/5/2010 1:40:43 PM | Computer Name = MANTIA | Source = Service Control Manager | ID = 7000
Description = The MCSTRM service failed to start due to the following error: %%2

Error - 11/5/2010 1:41:41 PM | Computer Name = MANTIA | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Application Layer Gateway
Service service to connect.

Error - 11/5/2010 1:41:41 PM | Computer Name = MANTIA | Source = Service Control Manager | ID = 7000
Description = The Application Layer Gateway Service service failed to start due
to the following error: %%1053

Error - 11/6/2010 8:48:14 AM | Computer Name = MANTIA | Source = Service Control Manager | ID = 7000
Description = The iWon Toolbar Service service failed to start due to the following
error: %%2

Error - 11/6/2010 8:48:14 AM | Computer Name = MANTIA | Source = Service Control Manager | ID = 7000
Description = The MCSTRM service failed to start due to the following error: %%2


< End of report >

#5 hallsey666

hallsey666
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:08:03 PM

Posted 09 November 2010 - 05:32 PM

i cant get the rootkit unhooker link to load up the page. is there another place i can acquire this?

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:04:03 AM

Posted 10 November 2010 - 05:10 AM

Unfortunately RKU is down, so lets skip it.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 hallsey666

hallsey666
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:08:03 PM

Posted 10 November 2010 - 11:01 AM

ComboFix 10-11-09.02 - Ann 11/10/2010 10:31:29.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.198 [GMT -5:00]
Running from: c:\documents and settings\Ann\My Documents\Downloads\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Ann\Application Data\PriceGong
c:\documents and settings\Ann\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Ann\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Ann\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Ann\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Ann\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Ann\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Ann\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Ann\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Ann\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Ann\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Ann\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Ann\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Ann\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Ann\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Ann\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Ann\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Ann\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Ann\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Ann\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Ann\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Ann\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Ann\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Ann\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Ann\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Ann\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Ann\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Ann\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Ann\Application Data\PriceGong\Data\z.xml
c:\documents and settings\Ann\Desktop\Internet Explorer.lnk
c:\documents and settings\Ann\Local Settings\Temporary Internet Files\3128f984-e4dd-d640-d2d6-c9121bf475f3
c:\documents and settings\Ann\Local Settings\Temporary Internet Files\49bacf8e-0f9d-369d-9c2c-607439189875
c:\documents and settings\Ann\Local Settings\Temporary Internet Files\4ff59faf-3081-556c-b2df-9664c6431f40
c:\documents and settings\Ann\Local Settings\Temporary Internet Files\59876de9-82b5-5b10-dea8-25ad53d12777
c:\documents and settings\Ann\Local Settings\Temporary Internet Files\63e68068-be81-e462-01ea-15d6d74a7cd6
c:\documents and settings\Ann\Local Settings\Temporary Internet Files\678d0766-b3d5-cf3f-a251-b280c1d07161
c:\documents and settings\Ann\Local Settings\Temporary Internet Files\6f88ae87-ba4a-4801-5da6-08564c586190
c:\documents and settings\Ann\Local Settings\Temporary Internet Files\e6cd19ff-29af-0841-2a24-d565545906f6
c:\documents and settings\Richard\Application Data\install
c:\documents and settings\Richard\Application Data\PriceGong
c:\documents and settings\Richard\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Richard\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Richard\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Richard\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Richard\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Richard\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Richard\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Richard\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Richard\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Richard\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Richard\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Richard\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Richard\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Richard\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Richard\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Richard\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Richard\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Richard\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Richard\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Richard\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Richard\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Richard\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Richard\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Richard\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Richard\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Richard\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Richard\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Richard\Application Data\PriceGong\Data\z.xml
c:\documents and settings\Richard\Local Settings\Temporary Internet Files\3128f984-e4dd-d640-d2d6-c9121bf475f3
c:\documents and settings\Richard\Local Settings\Temporary Internet Files\49bacf8e-0f9d-369d-9c2c-607439189875
c:\documents and settings\Richard\Local Settings\Temporary Internet Files\59876de9-82b5-5b10-dea8-25ad53d12777
c:\documents and settings\Richard\Local Settings\Temporary Internet Files\63e68068-be81-e462-01ea-15d6d74a7cd6
c:\documents and settings\Richard\Local Settings\Temporary Internet Files\678d0766-b3d5-cf3f-a251-b280c1d07161
c:\documents and settings\Richard\Local Settings\Temporary Internet Files\6f88ae87-ba4a-4801-5da6-08564c586190
c:\documents and settings\Richard\Local Settings\Temporary Internet Files\e6cd19ff-29af-0841-2a24-d565545906f6
C:\p2hhr.bat
c:\progra~1\iWonIE\bar\1.bin\idBAr.dll
c:\program files\iWonIE\bar\1.bin\idBAr.dll
c:\program files\iWonIE\bar\1.bin\idSRcas.dll
c:\program files\Shared
c:\windows\system32\_003526_.tmp.dll
c:\windows\system32\images
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

----- File Replicators -----

c:\program files\Google\Google Desktop Search\gcdtmp10\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp100\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp101\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp102\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp11\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp12\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp13\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp14\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp15\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp16\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp17\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp18\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp19\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp20\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp21\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp22\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp23\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp24\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp25\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp26\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp27\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp28\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp29\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp30\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp31\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp32\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp33\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp34\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp35\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp36\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp37\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp38\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp39\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp4\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp40\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp41\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp42\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp43\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp44\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp45\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp46\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp47\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp48\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp49\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp5\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp50\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp51\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp52\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp53\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp54\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp55\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp56\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp57\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp58\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp59\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp6\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp60\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp61\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp62\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp63\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp64\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp65\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp66\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp67\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp68\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp69\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp70\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp71\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp72\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp73\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp74\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp75\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp76\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp77\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp78\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp79\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp8\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp80\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp81\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp82\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp83\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp84\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp85\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp86\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp87\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp88\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp89\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp9\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp90\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp91\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp92\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp93\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp94\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp95\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp96\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp97\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp98\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\gcdtmp99\GoogleDesktopSetupHelper.exe
c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PASSWORD


((((((((((((((((((((((((( Files Created from 2010-10-10 to 2010-11-10 )))))))))))))))))))))))))))))))
.

2010-11-10 15:17 . 2010-11-10 15:17 -------- d-----w- c:\documents and settings\Ann\Application Data\Avira
2010-11-02 03:55 . 2010-11-02 03:55 -------- d-----w- c:\documents and settings\Ann\Local Settings\Application Data\Yahoo!
2010-11-02 01:35 . 2010-11-03 22:56 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-11-02 01:35 . 2010-11-03 22:56 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-11-02 01:35 . 2009-05-11 16:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-11-02 01:35 . 2009-05-11 16:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-11-02 01:35 . 2010-11-02 01:35 -------- d-----w- c:\program files\Avira
2010-11-02 01:35 . 2010-11-02 01:35 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Avira
2010-11-01 14:22 . 2010-11-01 14:22 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2010-11-01 14:22 . 2010-11-01 14:22 -------- d-----w- c:\documents and settings\Ann\Application Data\SUPERAntiSpyware.com
2010-11-01 14:21 . 2010-11-01 14:22 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-10-31 01:04 . 2010-10-31 01:04 -------- d-----w- C:\TDSSKiller_Quarantine
2010-10-27 02:17 . 2010-10-30 03:19 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\STOPzilla!
2010-10-26 15:15 . 2010-10-28 17:06 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2010-10-26 15:15 . 2010-10-26 15:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-10-23 22:54 . 2010-10-23 22:55 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Temp
2010-10-23 08:57 . 2010-10-26 01:41 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Adobe
2010-10-20 21:25 . 2010-10-20 21:25 -------- d-----w- c:\documents and settings\Richard\Application Data\MSN6
2010-10-20 02:07 . 2010-10-20 02:07 -------- d-----w- c:\program files\Xenocode
2010-10-20 02:07 . 2010-10-20 02:07 -------- d-----w- c:\windows\XSxS
2010-10-20 02:07 . 2010-10-20 02:07 -------- d-----w- c:\documents and settings\Ann\Local Settings\Application Data\Xenocode
2010-10-20 00:20 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-10-20 00:20 . 2004-08-04 07:56 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-10-18 13:49 . 2010-10-18 13:49 -------- d-----w- c:\documents and settings\Ann\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-07 15:12 . 2010-10-01 16:08 38848 ----a-w- c:\windows\avastSS.scr
2010-09-07 15:11 . 2010-06-15 17:08 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-07 14:52 . 2010-06-15 17:09 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-07 14:52 . 2010-06-15 17:09 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-07 14:47 . 2010-06-15 17:09 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-07 14:47 . 2010-06-15 17:09 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-09-07 14:47 . 2010-06-15 17:09 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-09-07 14:47 . 2010-06-15 17:09 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-07 14:46 . 2010-06-15 17:09 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2008-08-30 02:33 . 2008-08-30 02:33 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-08-06 19:20 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar1.dll" [2008-08-06 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar1.dll" [2008-08-06 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-28 68856]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-09-17 2969496]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-10-25 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-02-08 86102]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2010-05-20 119152]
"VX3000"="c:\windows\vVX3000.exe" [2010-05-20 762736]
"iWonIE Browser Plugin Loader"="c:\progra~1\iWonIE\bar\1.bin\idbrmon.exe" [2010-07-04 20480]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-07-12 74752]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-03 281768]

c:\documents and settings\Anne Mantia\Start Menu\Programs\Startup\
TurnTo10.com Live Online.lnk - c:\program files\TurnTo10.com Live Online\liveonline_2441681.exe [2006-9-26 389120]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 08:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
2009-10-01 20:20 3634024 ----a-w- c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
2010-05-20 19:27 119152 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-05-27 01:06 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 20:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-06-28 22:55 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
2010-05-20 19:27 762736 ----a-w- c:\windows\vVX3000.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\GameTap Web Player\\bin\\release\\GameTapPlayer.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\Ann\\My Documents\\magic-_the_gathering\\Magic\\Manalink.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58431:TCP"= 58431:TCP:Pando Media Booster
"58431:UDP"= 58431:UDP:Pando Media Booster

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/15/2010 12:09 PM 165584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/1/2010 8:35 PM 135336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/15/2010 12:09 PM 17744]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/2/2010 2:38 PM 135664]
S2 iWonIEService;iWon Toolbar Service;c:\progra~1\iWonIE\bar\1.bin\idbarsvc.exe --> c:\progra~1\iWonIE\bar\1.bin\idbarsvc.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2010-11-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

2010-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-02 19:37]

2010-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-02 19:37]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &Search
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} - hxxp://archives.gametap.com/static/cab_headless/GameTapWebUpdater.cab
FF - ProfilePath - c:\documents and settings\Ann\Application Data\Mozilla\Firefox\Profiles\7d0uxucz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.dymasearch.com/search.php?src=tops&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/?ilc=1
FF - prefs.js: keyword.URL - hxxp://www.dymasearch.com/search.php?src=tops&q=
FF - component: c:\program files\Mozilla Firefox\extensions\{98fbc2a4-6491-46b3-16fe-ab210b239b7b}\components\de4cf5f0-0db6-c43f-b5f5-940e75194027.dll
FF - plugin: c:\documents and settings\Ann\Local Settings\Application Data\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\program files\GameTap Web Player\bin\release\npGameTapWebPlayer.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)
BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
BHO-{fc130ee2-5a2a-45a7-8e09-d2ca06c795a8} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-10 10:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3560)
c:\windows\system32\WININET.dll
c:\progra~1\iWonIE\bar\1.bin\idbrstub.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\BCMSMMSG.exe
c:\program files\Dell AIO Printer A940\dlbabmon.exe
.
**************************************************************************
.
Completion time: 2010-11-10 10:56:02 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-10 15:55

Pre-Run: 5,552,189,440 bytes free
Post-Run: 6,645,583,872 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - B5A054128C37F10FFDC75FF0B7046468

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:04:03 AM

Posted 10 November 2010 - 11:19 AM

Hi, please let me know how things are running now.

Please upload the following file to http://www.virustotal.com and post me the results.

c:\qoobox\quarantine\c\program files\Google\Google Desktop Search\GoogleDesktop.vir

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#9 hallsey666

hallsey666
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:08:03 PM

Posted 10 November 2010 - 11:26 AM

page file usage is down and cpu usage seems stable. still getting pop-ups by netbits and attempted re-direct alerts from avast. as far as i can tell the computer seems to be running like before save for the afforementioned items. thank you so much elise. ill be right back with the virustotal log...

#10 hallsey666

hallsey666
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:08:03 PM

Posted 10 November 2010 - 11:32 AM

i cant seem to find c:\qoobox\quarantine\c\program files\Google\Google Desktop Search\GoogleDesktop.vir

and now im getting "redeem your prize" pop-ups

#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:04:03 AM

Posted 10 November 2010 - 11:39 AM

Do the following and try it again.


SHOW HIDDEN FILES AND FOLDERS
-------------------------------------------------
Go to Start > My Computer
Go to Tools > Folder Options
Click on the View tab
Untick the following:
  • Hide extensions for known file types
  • Hide protected operating system files (Recommended)
You will get a message warning you about showing protected operating system files, click Yes
Make sure this option is selected:
  • Show hidden files and folders
Click Apply and then click OK

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#12 hallsey666

hallsey666
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:08:03 PM

Posted 10 November 2010 - 02:34 PM

i still dont see it anywhere? the only thing in program files is the iwon toolbar

#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:04:03 AM

Posted 10 November 2010 - 02:39 PM

Try this file:

c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#14 hallsey666

hallsey666
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:08:03 PM

Posted 10 November 2010 - 02:43 PM

i got this, wasnt sure exactly what you wanted so i clicked on view last report and copied it too...


File already submitted: The file sent has already been analysed by VirusTotal in the past. This is same basic info regarding the sample itself and its last analysis:
MD5: 969aa477b2b854fc4305e0f45740b828
Date first seen: 2009-05-03 01:51:03 (UTC)
Date last seen: 2010-11-08 14:31:23 (UTC)
Detection ratio: 0/43

What do you wish to do?


and here it is

VT Community Sign in ▼ My account ▼ Sign out Signing out... Languages ▼
VirusTotal's website has changed, we need new translations, do you feel like helping the community?
info@virustotal.com
Sign in to VT Community

Safety ratings and user comments (disinfection, in-the-wild locations, reverse engineering reports, etc.) on malware and URLs, free and easy.
email
password
Keep me logged in

Sign in
Signing in, please wait...
Login failed, please try again
Forgot your password? Create an account
Edit my profile
View my profile
Inbox
Virus Total
Virustotal is a service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines. More information...
0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name:
aa ### WARNING - Do not
Submission date:
2010-11-08 14:31:23 (UTC)
Current status:
finished
Result:
0 /43 (0.0%)

VT Community

not reviewed
Safety score: -
Compact
Print results
Antivirus Version Last Update Result
AhnLab-V3 2010.11.08.00 2010.11.08 -
AntiVir 7.10.13.168 2010.11.08 -
Antiy-AVL 2.0.3.7 2010.11.08 -
Authentium 5.2.0.5 2010.11.08 -
Avast 4.8.1351.0 2010.11.08 -
Avast5 5.0.594.0 2010.11.08 -
AVG 9.0.0.851 2010.11.08 -
BitDefender 7.2 2010.11.08 -
CAT-QuickHeal 11.00 2010.11.04 -
ClamAV 0.96.4.0-git 2010.11.08 -
Comodo 6654 2010.11.08 -
DrWeb 5.0.2.03300 2010.11.08 -
Emsisoft 5.0.0.50 2010.11.08 -
eSafe 7.0.17.0 2010.11.08 -
eTrust-Vet 36.1.7961 2010.11.08 -
F-Prot 4.6.2.117 2010.11.08 -
F-Secure 9.0.16160.0 2010.11.08 -
Fortinet 4.2.249.0 2010.11.08 -
GData 21 2010.11.08 -
Ikarus T3.1.1.90.0 2010.11.08 -
Jiangmin 13.0.900 2010.11.08 -
K7AntiVirus 9.67.2903 2010.11.03 -
Kaspersky 7.0.0.125 2010.11.08 -
McAfee 5.400.0.1158 2010.11.08 -
McAfee-GW-Edition 2010.1C 2010.11.08 -
Microsoft 1.6301 2010.11.08 -
NOD32 5601 2010.11.08 -
Norman 6.06.10 2010.11.08 -
nProtect 2010-11-08.02 2010.11.08 -
Panda 10.0.2.7 2010.11.08 -
PCTools 7.0.3.5 2010.11.08 -
Prevx 3.0 2010.11.08 -
Rising 22.72.06.04 2010.11.08 -
Sophos 4.59.0 2010.11.08 -
Sunbelt 7250 2010.11.08 -
SUPERAntiSpyware 4.40.0.1006 2010.11.08 -
Symantec 20101.2.0.161 2010.11.08 -
TheHacker 6.7.0.1.080 2010.11.08 -
TrendMicro 9.120.0.1004 2010.11.08 -
TrendMicro-HouseCall 9.120.0.1004 2010.11.08 -
VBA32 3.12.14.1 2010.11.08 -
ViRobot 2010.10.4.4074 2010.11.08 -
VirusBuster 12.72.2.0 2010.11.08 -
Additional information
Show all
MD5 : 969aa477b2b854fc4305e0f45740b828
SHA1 : 6253cab5930f938e4487d20248b1b5f93e810248
SHA256: 6de03aefe35e6deffd1e91f696197ad5a3b4cde430b2a8992120e02ec9e62d4d
ssdeep: 12:NEnsTIilISvKg3CiGojJVIXsBniHQ80181XG3n:NHcij351IAniHQ80eX+n
File size : 386 bytes
First seen: 2009-05-03 01:51:03
Last seen : 2010-11-08 14:31:23
Magic: data
TrID:
Lumena CEL bitmap (60.5%)
Corel Photo Paint (39.4%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEiD: -
packers (F-Prot): Unicode
ExifTool:
-

VT Community

0

This file has never been reviewed by any VT Community member. Be the first one to comment on it!

VirusTotal Team
Add your comment... Remember that when you write comments as an anonymous user they receive the lowest possible reputation. So if you have not signed in yet don't forget to do so. How to markup your comments?
You can add basic styles to your comments using the following accepted bbcode tags:

text -- bold
text -- italics
text -- underline
text -- strikethrough
text
- preformatted text

You can also address comments to particular users using the "@" twitter-like mode. By prepending a "#" symbol to a word you can add custom tags to your comment, tags that can then be searched for.

Goodware
Malware
Spam attachment/link

P2P download
Propagating via IM
Network worm

Drive-by-download


Anonymous limit exceeded: anonymous users can only make one comment per file or URL, either sign in or register in order to continue making reviews on this item. Note that anonymous user discrimination is based on IP addresses, hence, it may be possible that another user behind your same proxy or NAT connection already made a review.
Preview comment Edit comment
Post comment
Posting comment...
Comment successfully posted




ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.
VirusTotal © Hispasec Sistemas - Blog - Twitter - Contact: info@virustotal.com - Terms of Service & Privacy Policy

#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:04:03 AM

Posted 10 November 2010 - 02:46 PM

Please upload this one as well: c:\program files\Google\Google Desktop Search\gcdtmp84\GoogleDesktopSetupHelper.exe

Reanalyze if you are asked.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users