Browser redirect /Outlook Express Blocker


This topic is locked.
20 replies to this topic

#1 SGCrum (Members, 10 posts)

Posted 03 November 2010 - 01:44 PM

I have a computer that is infected with a virus of some kind, possibly Google Analytics. I am not able to run HouseCall or update the Malwarebytes software because they are blocked. I can access the internet via a browser, but if I use search I am redirected or told the internet is not accessible. I have attempted to perform all the steps for entering a post, but when I ran dds.scr it hung and I had to unplug the system in order to restart it. I tried it a couple of times with no luck. I have attached the results of gmer.exe. I am able to run HijackThis, so if that would be helpful I could send the results of that. Please advise me what to try next.
Thanks.

Attached File: ark.txt (20.68KB)


#2 Shannon2012 (Security Colleague, 3,657 posts, North Carolina, USA)

Posted 10 November 2010 - 01:56 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review them and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#3 SGCrum (Topic Starter, Members, 10 posts)

Posted 11 November 2010 - 07:17 PM

I think/thought I have/had cleaned the desktop, but am not sure. Since my last post, I was able to download Microsoft Security Essentials and change some network settings that allowed me to update it and run it. It found and cleaned Win32/Alureon.h. Since then the system seems to be running fine. When I received this reply, I decided to take the requested steps and post results so I could be sure the system was clean. I have run the DDS script and the results are listed below and attached, but when I tried to run gmer.exe, first it would just abruptly stop. If I run it again, it appears to finish, but if I try to save it the system hangs and I have to unplug and restart. (I've tried it twice.) The original symptoms were that Outlook Express was unable to connect and send or receive email; I was able to use various browsers, but if I used search I was redirected. I was able to download malware scanning programs, but when they tried to run, they would report that they could not connect to the internet, and the Network Connections folder would not display. Everything appears to be back to normal since my successful running of MS Security Essentials, with the exception of gmer.exe. I am accessing this computer via the internet using LogMeIn, as it is physically located in another state. If there is something besides the Defogger that I need to run or turn off to successfully run gmer.exe, please advise. My previous post had the results of the first running of gmer.exe...before I was able to clean it with MS Security Essentials.
Thanks for any help you can offer!

Attached File: Attach.zip (4.88KB)

DDS (Ver_10-11-10.01) - NTFSx86
Run by Billy Crum at 14:49:51.03 on Wed 11/10/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1526.824 [GMT -5:00]

AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Lexmark 6200 Series\lxbumon.exe
C:\Program Files\Lexmark 6200 Series\ezprint.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Billy Crum\Application Data\Smilebox\SmileboxTray.exe
C:\Program Files\Creative Home\Hallmark Card Studio 2010\Planner\PLNRnote.exe
C:\Program Files\Hallmark\Hallmark Card Studio 2007 Deluxe\Planner\PLNRnote.exe
C:\Sierra\CardStudio\PLNRnote.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\lxbucoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Billy Crum\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Page = hxxp://www.live.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {4E7BD74F-2B8D-469E-85B2-BC27FE9AAE2E} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [Microsoft Works Update Detection] ?\WkDetect.exe
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [Exetender] "c:\program files\free ride games\GPlayer.exe /runonstartup"
uRun: [SmileboxTray] "c:\documents and settings\billy crum\application data\smilebox\SmileboxTray.exe"
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10i_ActiveX.exe -update activex
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [lxbumon.exe] "c:\program files\lexmark 6200 series\lxbumon.exe"
mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s
mRun: [EzPrint] "c:\program files\lexmark 6200 series\ezprint.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [ReminderApp] c:\program files\nova development\greeting card factory deluxe 7.0\ReminderApp.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [LXBUCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXBUtime.dll,_RunDLLEntry@16
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
dRun: [Exetender] "c:\program files\free ride games\GPlayer.exe /runonstartup"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\eventp~3.lnk - c:\windows\installer\{601be80d-247b-4084-94c7-7a54369db7a2}\Shortcut_EventPlan_E2FBA8F7F7FD4C5EAA7D652BB0CAAA9D.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\eventp~2.lnk - c:\windows\installer\{5d0df1bb-d82e-4fb2-b98e-4fde42ef7ebb}\Shortcut_EventPlan_5D0DF1BBD82E4FB2B98E4FDE42EF7EBB.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\eventp~1.lnk - c:\sierra\cardstudio\PLNRnote.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\eventr~1.lnk - c:\program files\printmaster 16\pmremind.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\forget~1.lnk - c:\program files\broderbund\ag creatacard\agremind.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/33.06/uploader2.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,96/mcinsctl.cab
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxps://virtualoffice.allkindsofminds.org/msrdp.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - hxxp://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Coke/Coupons.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\billyc~1\applic~1\mozilla\firefox\profiles\17l56r7l.default\
FF - plugin: c:\program files\free ride games\npExentCtl.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-9-23 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-5-31 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-9-29 47640]
R2 X4HSX32Ex;X4HSX32Ex;c:\program files\free ride games\X4HSX32Ex.sys [2008-12-29 29856]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\billyc~1\locals~1\temp\sas_selfextract\sasdifsv.sys --> c:\docume~1\billyc~1\locals~1\temp\sas_selfextract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\billyc~1\locals~1\temp\sas_selfextract\saskutil.sys --> c:\docume~1\billyc~1\locals~1\temp\sas_selfextract\SASKUTIL.SYS [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-1 135664]
S2 iWinGamesInstaller;iWinGamesInstaller;c:\program files\iwin games\iwingamesinstaller.exe --> c:\program files\iwin games\iWinGamesInstaller.exe [?]
S3 Normandy;Normandy SR2; [x]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2010-11-09 20:38:22 6146896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2010-11-09 20:38:10 6146896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{762e7a12-4d06-4bd7-9085-0394e97e1545}\mpengine.dll
2010-11-07 22:39:59 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2010-11-07 22:26:40 26496 ----a-w- c:\windows\system32\drivers\ASC.SYS
2010-11-07 18:45:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-11-07 18:26:48 2560 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\usmt\iconlib.dll
2010-11-07 05:32:26 18944 -c--a-w- c:\windows\system32\dllcache\simptcp.dll
2010-11-07 05:32:26 18944 ----a-w- c:\windows\system32\simptcp.dll
2010-11-07 04:54:27 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-11-07 03:42:02 -------- d-----w- c:\docume~1\alluse~1\applic~1\SecTaskMan
2010-11-04 00:21:29 -------- d-----w- c:\docume~1\alluse~1\applic~1\IObit
2010-11-04 00:21:24 -------- d-----w- c:\program files\IObit
2010-11-03 22:01:27 -------- d-----w- c:\docume~1\billyc~1\applic~1\SUPERAntiSpyware.com
2010-11-03 22:01:27 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-11-02 21:41:39 -------- d-----w- c:\docume~1\billyc~1\locals~1\applic~1\Safe mirror
2010-11-02 21:41:12 -------- d-----w- c:\program files\Cobian Backup 10
2010-11-01 19:22:11 6656 ------w- c:\windows\system32\0DE9B0D9.exe
2010-10-31 18:34:05 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2010-10-25 16:11:38 -------- d-----w- c:\docume~1\billyc~1\applic~1\Tific
2010-10-14 00:20:43 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-14 00:20:43 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-14 00:20:21 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll

==================== Find3M ====================

2010-09-23 20:45:06 83360 ------w- c:\windows\system32\LMIRfsClientNP.dll
2010-09-23 20:44:58 53632 ------w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2010-09-23 20:44:52 29568 ------w- c:\windows\system32\LMIport.dll
2010-09-23 20:44:46 87424 ------w- c:\windows\system32\LMIinit.dll
2010-09-18 16:23:26 974848 ------w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ------w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ------w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ------w- c:\windows\system32\mfc40u.dll
2010-09-15 09:50:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 07:29:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-10 05:58:08 916480 ------w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ------w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-08 15:17:46 94208 ------w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17:46 69632 ------w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51:14 285824 ------w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ------w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ------w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ------w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ------w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ------w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ------w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ------w- c:\windows\system32\rpcrt4.dll
2008-12-09 15:23:13 47616 --sh--r- c:\windows\system32\appconf32.exe

============= FINISH: 14:50:44.60 ===============


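A first triage pass over a DDS log of the shape posted above, as an added example that is not part of the original thread or of the DDS tool. The heuristics are the editor's own (orphaned toolbar/BHO entries marked "No File", services whose binary is missing "[x]" or could not be verified "[?]", drivers loading from a temp directory, and executables in system32 with a random eight-hex-digit name or hidden+system attributes). The sample lines are copied from the log above, and the reading of the DDS attribute column (third and fourth characters as the system and hidden flags) is an assumption.

```python
"""Triage helper for a DDS log: flag the entries a malware responder would
inspect first.  Added example for this thread; it is not part of DDS or of
the original posts, and the heuristics below are the editor's own."""
import re

# Constructed sample: lines copied from the DDS log posted above.
SAMPLE_LOG = r"""
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {4E7BD74F-2B8D-469E-85B2-BC27FE9AAE2E} - No File
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
S3 Normandy;Normandy SR2; [x]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\billyc~1\locals~1\temp\sas_selfextract\sasdifsv.sys --> c:\docume~1\billyc~1\locals~1\temp\sas_selfextract\SASDIFSV.SYS [?]
2010-11-01 19:22:11 6656 ------w- c:\windows\system32\0DE9B0D9.exe
2010-11-07 18:45:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2008-12-09 15:23:13 47616 --sh--r- c:\windows\system32\appconf32.exe
"""

# Service/driver line: "R1 name;display;path [date size]" or "S3 name;display; [x]"
SERVICE_RE = re.compile(r"^[RS]\d+\s+([^;]+);([^;]*);(.*)$")
# File listing line: "YYYY-MM-DD HH:MM:SS size attrs path" (size is "--------" for dirs)
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\S+\s+([a-z-]{8})\s+(.*)$")
# Eight hex digits plus .exe, the naming pattern of the dropper in this log
RANDOM_NAME_RE = re.compile(r"^[0-9a-f]{8}\.exe$", re.IGNORECASE)


def triage_line(line: str) -> list[str]:
    """Return the reason codes that apply to one DDS log line (possibly none)."""
    reasons = []

    # Toolbar / BHO / URLSearchHook entries whose DLL no longer exists:
    # leftovers of an uninstalled or removed component.
    if line.startswith(("TB:", "BHO:", "uURLSearchHooks:")) and line.endswith("- No File"):
        reasons.append("no-file")

    m = SERVICE_RE.match(line)
    if m:
        rest = m.group(3).strip()
        if rest.endswith("[x]"):          # registered service, binary gone
            reasons.append("missing-binary")
        elif rest.endswith("[?]"):        # DDS could not verify the binary
            reasons.append("unverified-binary")
        if "\\temp\\" in rest.lower():    # driver loading from a temp folder
            reasons.append("temp-path")

    m = FILE_RE.match(line)
    if m:
        attrs, path = m.group(1), m.group(2)
        base = path.rsplit("\\", 1)[-1]
        if "\\system32\\" in path.lower() and RANDOM_NAME_RE.match(base):
            reasons.append("random-name")
        # Assumption about the DDS attribute column: characters 3 and 4 are
        # the system and hidden flags, as in "--sh--r-".
        if attrs[2:4] == "sh":
            reasons.append("hidden-system")

    return reasons


def triage(log: str) -> list[tuple[str, str]]:
    """Run triage_line over a whole log; returns (reason, line) pairs in log order."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        for reason in triage_line(line):
            findings.append((reason, line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason:18} {line}")
```

On the sample it surfaces 0DE9B0D9.exe and the Normandy driver, the same two items the helper's CFScript later in the thread targets, alongside the orphaned toolbars, the SUPERAntiSpyware drivers registered from a temp folder, and appconf32.exe with hidden+system attributes. Each hit is a prompt to look the file up, not a verdict; the SAS drivers, for instance, are a known remnant of a self-extracting scanner rather than malware.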


#4 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 13 November 2010 - 07:34 AM

Hello, SGCrum.

Good job on removing it. I do need to warn you that Alureon is a backdoor rootkit. Your logs show that MSE can't update its definitions...any idea why? It could be leftover malware if you don't have an explanation. Try to update the definitions manually.

Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.

Viewpoint (foistware) Warning

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/clickz/news/1714488/viewpoint-plunge-into-adware

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Step 1

Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on etavaresCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#5 SGCrum (Topic Starter, Members, 10 posts)

Posted 14 November 2010 - 07:02 PM

After reading the specifics about the Win32/Alureon.H virus and considering the use of the computer in question, I decided to continue with the cleaning and see what happens. I was successful in removing the Viewpoint program. I downloaded ComboFix and named it etavaresCF.exe. The first time I attempted to run it, it installed the recovery console and indicated it was beginning to scan. I was then knocked off the remote connection. The message I received was that the connection timed out. I assume combofix.exe is system intensive? When it finished and I was able to connect to the system remotely again, I did not find a log file, so I tried it again. Same results. Does the computer need to be disconnected from the internet in order to successfully complete? Or does it need to be in safe mode? I am trying to resolve this problem for my father-in-law, who lives in a different state, so I am trying to do it remotely. If that won't work, I should be able to talk him through booting into safe mode and running the process, if that is necessary, but I wanted to check before I go through all that. Please advise.

#6 etavares (Malware Response Team)

Posted 15 November 2010 - 06:40 PM

It often reboots, so you'd lose the remote desktop at that point, but it would still run to completion. Try looking in C:\qoobox or c:\etavaresCF for a logfile. It would be a txt file created when you ran it.



#7 SGCrum (Topic Starter, Members, 10 posts)

Posted 16 November 2010 - 05:11 PM

Attached is the log file from ComboFix. Please advise if further cleaning is necessary. Thank you.

Attached File: ComboFix.txt (17.11KB)

#8 etavares (Malware Response Team)

Posted 17 November 2010 - 07:41 PM

Hello, SGCrum.

How is the computer running at this point?

Step 1

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the codebox below into Notepad:

File::
c:\windows\system32\0DE9B0D9.exe
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
Driver::
Normandy
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

Save this as CFScript.txt, in the same location as ComboFix.exe


(image: CFScript.txt being dragged onto the ComboFix.exe icon)

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

etavares


 

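The CFScript above tells ComboFix to delete a dropped executable, reset the Security Center AntiVirusOverride flag that the infection flipped so Windows would stop warning about a missing antivirus, remove the "Normandy" driver service, and lock the listed CLSID/Interface keys so the component cannot re-register itself. The following read-only PowerShell check, added here as an example and not part of the original post or of ComboFix, verifies each of those targets after the fix has run. It assumes PowerShell 2.0 or later is installed (an optional download on Windows XP) and is run from an elevated prompt; the file path, value name, driver name and GUIDs are exactly those in the script, and the Services and Security Center registry paths are the standard Windows locations.

```powershell
# Added example: audit the items targeted by the CFScript after ComboFix ran.
# Read-only: it reports, it does not delete or change anything.

$findings = @()

# File:: section - the dropped executable should be gone.
$file = 'C:\WINDOWS\system32\0DE9B0D9.exe'
if (Test-Path -LiteralPath $file) {
    $findings += "STILL PRESENT: $file"
}

# Registry:: section - AntiVirusOverride should be back to 0. Malware sets it
# to 1 so Security Center stays quiet while the real AV is disabled.
$sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$override = (Get-ItemProperty -Path $sc -ErrorAction SilentlyContinue).AntiVirusOverride
if ($null -ne $override -and $override -ne 0) {
    $findings += "AntiVirusOverride is $override (expected 0) under $sc"
}

# Driver:: section - the 'Normandy' service should no longer exist, either as a
# Services key or as something the Service Control Manager still knows about.
$drvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Normandy'
if (Test-Path -LiteralPath $drvKey) {
    $findings += "Driver service key still present: $drvKey"
}
if (Get-Service -Name Normandy -ErrorAction SilentlyContinue) {
    $findings += "Driver service 'Normandy' is still registered with the SCM"
}

# RegLock:: section - ComboFix leaves these keys in place but with a restrictive
# ACL so the infection cannot recreate the COM registration. Presence alone is
# therefore not a failure; list the ACL so it can be reviewed.
$lockedKeys = @(
    'HKLM:\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}',
    'HKLM:\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}'
)
foreach ($key in $lockedKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    try {
        $acl = Get-Acl -Path $key -ErrorAction Stop
        $rights = ($acl.Access | ForEach-Object { "$($_.IdentityReference): $($_.RegistryRights)" }) -join '; '
        $findings += "Locked key still exists (review ACL): $key [$rights]"
    } catch {
        # Access denied is the expected outcome of a RegLock:: entry.
        $findings += "Key exists and access is denied (locked as intended): $key"
    }
}

if ($findings.Count -eq 0) {
    'All CFScript targets are absent or reset.'
} else {
    $findings
}
```

A key that still exists but denies access, and an AntiVirusOverride of 0, is the expected end state; a present 0DE9B0D9.exe or a live Normandy service means the script did not take and the ComboFix log should be re-read before any further fix.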

#9 SGCrum (Topic Starter, Members, 10 posts)
Posted 17 November 2010 - 10:17 PM

The computer seems to be running fine. Attached is the log file.
Attached File: ComboFix.txt (16.03KB, 1 downloads)

#10 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)
Posted 18 November 2010 - 06:43 PM

Hello, SGCrum.

How is the computer running at this point?



Step 1

Next, we need to remove old Java versions.
Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) or Java™ in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each of the Java versions shown below:
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 4
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Java 2 Runtime Environment, SE v1.4.2_03
    Java™ 6 Update 2
    Java™ 6 Update 3
    Java™ 6 Update 5
    Java™ 6 Update 7
    Java™ SE Runtime Environment 6 Update 1
  • Reboot your computer once all Java components are removed.




Step 2

Please pull anything out of the recycle bin that you want to save. Part of this fix will empty temp files, and that does include the recycle bin.

We need to run an OTL script.
  • Please download OTL from one of the following mirrors if you no longer have it.
  • Save it to your desktop.
  • Double-click the OTL icon on your desktop.
  • Paste the following code under the Custom Scans/Fixes box at the bottom. Do not include the word "Code".
    :OTL
    DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - hxxp://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Coke/Coupons.cab
    :Commands
    [EmptyTemp]
    
  • Click the Run Fix button at the top.
  • Let the program run unhindered and reboot when it is done.
  • You will get a log when it is done; please post that in your reply.
  • Then create a new OTL report:
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • A report will open; copy and paste it in a reply here.



Step 3

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.



Step 4

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the (button image) button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on (button image) to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the (button image) icon on your desktop.
  • Check (button image)
  • Click the (button image) button.
  • Accept any security warnings from your browser.
  • Check (button image)
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push (button image)
  • Push (button image), and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the (button image) button.
  • Push (button image)

etavares


 

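Step 1 above relies on the user reading the Add/Remove Programs list by eye, and Step 2's OTL line deletes one DPF entry, the Code Store Database record Internet Explorer keeps for a downloaded ActiveX control (here the Coupons.cab installer). The PowerShell below is an added example, not part of the original post or of OTL, that does both checks from the registry so nothing is missed: it lists every Java runtime still registered as an installed program and reports whether the DPF entry is gone. It assumes PowerShell 2.0 or later (an optional download on Windows XP); the Coupons.cab CLSID is the one in the OTL script, and the Uninstall and Code Store Database paths are the standard Windows locations. Read-only.

```powershell
# Added example: enumerate leftover Java runtimes and confirm the DPF entry
# removed by the OTL fix is no longer present. Reports only; changes nothing.

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'   # only exists on 64-bit hosts
)

# Every Add/Remove Programs entry whose display name identifies a JRE / J2SE /
# Java install (the names listed in Step 1 all start with "J2SE" or "Java").
$javaInstalls = foreach ($root in $uninstallRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem $root | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if ($p.DisplayName -match '^(J2SE|Java)') {
            New-Object PSObject -Property @{
                Name      = $p.DisplayName
                Version   = $p.DisplayVersion
                Uninstall = $p.UninstallString
                Key       = $_.PSChildName
            }
        }
    }
}

if ($javaInstalls) {
    'Java entries still registered (remove every one except the newest):'
    $javaInstalls | Sort-Object Version | Format-Table Name, Version, Key -AutoSize
} else {
    'No Java runtime is registered in Add/Remove Programs.'
}

# The DPF entry. IE records each downloaded ActiveX control under
# Code Store Database\Distribution Units\{CLSID}; the OTL ':OTL DPF:' line
# deletes that key. If it is still there, the control can be re-instantiated.
$dpfClsid = '{9522B3FB-7A2B-4646-8AF6-36E7F593073C}'
$dpfKey   = "HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units\$dpfClsid"
if (Test-Path -LiteralPath $dpfKey) {
    "DPF entry still present: $dpfKey"
    Get-ItemProperty -LiteralPath $dpfKey | Format-List
} else {
    "DPF entry $dpfClsid is gone."
}
```

An empty Java list and a "gone" DPF result is the expected state after Steps 1 and 2; any Java entry that remains should be uninstalled by name from Add/Remove Programs rather than by deleting its registry key, since the files and browser plugin would otherwise stay behind.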

#11 SGCrum (Topic Starter, Members, 10 posts)
Posted 18 November 2010 - 09:08 PM

Computer still seems to be running fine. I have completed Step 1, removing all Java and rebooting, and the 1st run of OTL followed by reboot. Attached is the log file from that.
Attached File: 11182010_203927.log (4.88KB, 1 downloads)

Country: United States | Language: ENU | Date Format: M/d/yyyy
1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 61.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.59 Gb Total Space | 27.34 Gb Free Space | 38.18% Space Free | Partition Type: NTFS
Drive D: | 493.42 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Computer Name: D1NTVR61 | User Name: Billy Crum | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========
PRC - C:\Documents and Settings\Billy Crum\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Documents and Settings\Billy Crum\Application Data\Smilebox\SmileboxTray.exe (Smilebox, Inc.)
PRC - C:\Program Files\LogMeIn\x86\ramaint.exe (LogMeIn, Inc.)
PRC - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe (LogMeIn, Inc.)
PRC - C:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
PRC - C:\Program Files\LogMeIn\x86\LogMeIn.exe (LogMeIn, Inc.)
PRC - c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\Creative Home\Hallmark Card Studio 2010\Planner\PLNRnote.exe (Creative Home)
PRC - C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
PRC - C:\Program Files\Dell Support Center\bin\sprtsvc.exe (SupportSoft, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\DellSupport\DSAgnt.exe (Gteko Ltd.)
PRC - C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe (Adobe Systems Incorporated)
PRC - C:\Program Files\Hallmark\Hallmark Card Studio 2007 Deluxe\Planner\PLNRnote.exe (TODO: )
PRC - C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe (Linksys, a Division of Cisco Systems, Inc.)
PRC - C:\WINDOWS\SYSTEM32\lxbucoms.exe (Lexmark International, Inc.)
PRC - C:\Program Files\Lexmark 6200 Series\lxbumon.exE (Lexmark International, Inc.)
PRC - C:\Program Files\Lexmark 6200 Series\ezprint.exe ()
PRC - C:\Program Files\FinePixViewer\QuickDCF.exe (FUJI PHOTO FILM CO., LTD.)
PRC - C:\Sierra\CardStudio\PLNRnote.exe (Sierra Online, Inc.)

========== Modules (SafeList) ==========
MOD - C:\Documents and Settings\Billy Crum\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)

========== Win32 Services (SafeList) ==========
SRV - (stllssvr) -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe File not found
SRV - (AppMgmt) -- C:\WINDOWS\System32\appmgmts.dll File not found
SRV - (LMIMaint) -- C:\Program Files\LogMeIn\x86\RaMaint.exe (LogMeIn, Inc.)
SRV - (LMIGuardianSvc) -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe (LogMeIn, Inc.)
SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (LogMeIn) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe (LogMeIn, Inc.)
SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)
SRV - (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe (SupportSoft, Inc.)
SRV - (DSBrokerService) -- C:\Program Files\DellSupport\brkrsvc.exe ()
SRV - (MSCSPTISRV) -- C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe (Sony Corporation)
SRV - (SPTISRV) -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe (Sony Corporation)
SRV - (PACSPTISVR) -- C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe ()
SRV - (lxbu_device) -- C:\WINDOWS\System32\lxbucoms.exe (Lexmark International, Inc.)
SRV - (Pml Driver HPZ12) -- C:\WINDOWS\SYSTEM32\HPZipm12.exe (HP)

========== Driver Services (SafeList) ==========
DRV - (wanatw) WAN Miniport (ATW) -- C:\WINDOWS\System32\DRIVERS\wanatw4.sys File not found
DRV - (SASKUTIL) -- C:\DOCUME~1\BILLYC~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS File not found
DRV - (SASDIFSV) -- C:\DOCUME~1\BILLYC~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS File not found
DRV - (catchme) -- C:\etavaresCF\catchme.sys File not found
DRV - (asc) -- C:\WINDOWS\SYSTEM32\DRIVERS\ASC.SYS (Advanced System Products, Inc.)
DRV - (LMIRfsClientNP) -- C:\WINDOWS\System32\LMIRfsClientNP.dll (LogMeIn, Inc.)
DRV - (LMIInfo) -- C:\Program Files\LogMeIn\x86\rainfo.sys (LogMeIn, Inc.)
DRV - (LMIRfsDriver) -- C:\WINDOWS\SYSTEM32\DRIVERS\LMIRfsDriver.sys (LogMeIn, Inc.)
DRV - (amdagp) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)
DRV - (sisagp) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)
DRV - (X4HSX32Ex) -- C:\Program Files\Free Ride Games\X4HSX32Ex.sys (Exent Technologies Ltd.)
DRV - (dsunidrv) -- C:\WINDOWS\SYSTEM32\DRIVERS\dsunidrv.sys (Gteko Ltd.)
DRV - (GoProto) -- C:\WINDOWS\SYSTEM32\DRIVERS\goprot51.sys (Gteko Ltd.)
DRV - (DSproct) -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys (Gteko Ltd.)
DRV - (pfc) -- C:\WINDOWS\SYSTEM32\DRIVERS\pfc.sys (Padus, Inc.)
DRV - (ultra) -- C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Technology, Inc.)
DRV - (symc8xx) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys (LSI Logic)
DRV - (sym_u3) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys (LSI Logic)
DRV - (sym_hi) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys (LSI Logic)
DRV - (symc810) -- C:\WINDOWS\SYSTEM32\DRIVERS\symc810.sys (Symbios Logic Inc.)
DRV - (Sparrow) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys (Adaptec, Inc.)
DRV - (ql1280) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys (QLogic Corporation)
DRV - (ql12160) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys (QLogic Corporation)
DRV - (ql1080) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys (QLogic Corporation)
DRV - (mraid35x) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys (American Megatrends Inc.)
DRV - (dac2w2k) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys (Mylex Corporation)
DRV - (CmdIde) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)
DRV - (asc3550) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys (Advanced System Products, Inc.)
DRV - (AliIde) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (nv) -- C:\WINDOWS\SYSTEM32\DRIVERS\NV4_MINI.SYS (NVIDIA Corporation)
DRV - (IntelC53) -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC53.sys (Intel Corporation)
DRV - (IntelC52) -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC52.sys (Intel Corporation)
DRV - (IntelC51) -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC51.sys (Intel Corporation)
DRV - (mohfilt) -- C:\WINDOWS\SYSTEM32\DRIVERS\mohfilt.sys (Intel Corporation)
DRV - (omci) -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys (Dell Computer Corporation)
DRV - (MASPINT) -- C:\WINDOWS\System32\drivers\MASPINT.SYS (MicroStaff Co.,Ltd.)
DRV - (HPFECP20) -- C:\WINDOWS\System32\drivers\HPFECP20.SYS ()

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKU\S-1-5-21-1893157748-162867314-4250899267-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-1893157748-162867314-4250899267-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S-1-5-21-1893157748-162867314-4250899267-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-1893157748-162867314-4250899267-1006\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.msn.com/sphome.aspx
IE - HKU\S-1-5-21-1893157748-162867314-4250899267-1006\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-1893157748-162867314-4250899267-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1893157748-162867314-4250899267-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKU\S-1-5-21-1893157748-162867314-4250899267-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKU\S-1-5-21-1893157748-162867314-4250899267-1009\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
IE - HKU\S-1-5-21-1893157748-162867314-4250899267-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
IE - HKU\S-1-5-21-1893157748-162867314-4250899267-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1893157748-162867314-4250899267-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/10/31 22:48:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/11/07 17:39:59 | 000,000,000 | ---D | M]

[2010/10/31 22:48:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Billy Crum\Application Data\Mozilla\Extensions
[2010/11/02 18:55:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Billy Crum\Application Data\Mozilla\Firefox\Profiles\17l56r7l.default\extensions
[2010/11/02 18:55:25 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Billy Crum\Application Data\Mozilla\Firefox\Profiles\17l56r7l.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/11/18 19:11:17 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/09/15 04:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/11/17 22:00:53 | 000,000,027 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll (Google Inc.)
O2 - BHO: (MSN Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (MSN Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-1893157748-162867314-4250899267-1006\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-1893157748-162867314-4250899267-1006\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
O4 - HKLM..\Run: [EzPrint] C:\Program Files\Lexmark 6200 Series\ezprint.exe ()
O4 - HKLM..\Run: [FaxCenterServer] C:\Program Files\Lexmark Fax Solutions\fm3032.exe ()
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [LXBUCATS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBUtime.DLL ()
O4 - HKLM..\Run: [lxbumon.exe] C:\Program Files\Lexmark 6200 Series\lxbumon.exe (Lexmark International, Inc.)
O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE (FUJI PHOTO FILM CO., LTD.)
O4 - HKLM..\Run: [ReminderApp] C:\Program Files\Nova Development\Greeting Card Factory Deluxe 7.0\ReminderApp.exe ()
O4 - HKLM..\Run: [UpdateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions)
O4 - HKU\.DEFAULT..\Run: [Exetender] C:\Program Files\Free Ride Games\GPlayer.exe (Exent Technologies Ltd.)
O4 - HKU\S-1-5-18..\Run: [Exetender] C:\Program Files\Free Ride Games\GPlayer.exe (Exent Technologies Ltd.)
O4 - HKU\S-1-5-21-1893157748-162867314-4250899267-1006..\Run: [DellSupport] C:\Program Files\DellSupport\DSAgnt.exe (Gteko Ltd.)
O4 - HKU\S-1-5-21-1893157748-162867314-4250899267-1006..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKU\S-1-5-21-1893157748-162867314-4250899267-1006..\Run: [EasyLinkAdvisor] C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe (Linksys, a Division of Cisco Systems, Inc.)
O4 - HKU\S-1-5-21-1893157748-162867314-4250899267-1006..\Run: [Exetender] C:\Program Files\Free Ride Games\GPlayer.exe (Exent Technologies Ltd.)
O4 - HKU\S-1-5-21-1893157748-162867314-4250899267-1006..\Run: [Microsoft Works Update Detection] File not found
O4 - HKU\S-1-5-21-1893157748-162867314-4250899267-1006..\Run: [SmileboxTray] C:\Documents and Settings\Billy Crum\Application Data\Smilebox\SmileboxTray.exe (Smilebox, Inc.)
O4 - HKU\S-1-5-21-1893157748-162867314-4250899267-1006..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKU\S-1-5-21-1893157748-162867314-4250899267-1009..\Run: [Exetender] C:\Program Files\Free Ride Games\GPlayer.exe (Exent Technologies Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Planner Reminder 2010.lnk = C:\WINDOWS\Installer\{601BE80D-247B-4084-94C7-7A54369DB7A2}\Shortcut_EventPlan_E2FBA8F7F7FD4C5EAA7D652BB0CAAA9D.exe (Acresso Software Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Planner Reminder.lnk = C:\WINDOWS\Installer\{5D0DF1BB-D82E-4FB2-B98E-4FDE42EF7EBB}\Shortcut_EventPlan_5D0DF1BBD82E4FB2B98E4FDE42EF7EBB.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Planner Reminders Tray Icon.lnk = C:\Sierra\CardStudio\PLNRnote.exe (Sierra Online, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk = C:\Program Files\PrintMaster 16\pmremind.exe (Broderbund Properties LLC)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe (FUJI PHOTO FILM CO., LTD.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGremind.exe (Broderbund Properties LLC)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1893157748-162867314-4250899267-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1893157748-162867314-4250899267-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1893157748-162867314-4250899267-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1893157748-162867314-4250899267-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-1893157748-162867314-4250899267-1009\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1893157748-162867314-4250899267-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll (Google Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab (Reg Error: Key error.)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://photos.walmart.com/WalmartActivia.cab (Snapfish Activia)
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} http://picasaweb.google.com/s/v/33.06/uploader2.cab (UploadListView Class)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,96/mcinsctl.cab (Reg Error: Key error.)
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class)
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} https://virtualoffice.allkindsofminds.org/msrdp.cab (Microsoft RDP Client Control (redist))
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.73.246 68.87.71.230
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Billy Crum\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Billy Crum\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 14:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/02/06 10:04:14 | 000,576,512 | R--- | M] () - D:\autoplay.exe -- [ CDFS ]
O32 - AutoRun File - [2000/06/06 09:07:06 | 000,000,051 | R--- | M] () - D:\autorun.inf -- [ CDFS ]
O32 - AutoRun File - [2000/12/21 07:13:48 | 000,000,051 | R--- | M] () - D:\autorun.inf.bak -- [ CDFS ]
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========
[2010/11/18 20:39:27 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/11/18 20:38:07 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Billy Crum\Desktop\OTL.exe
[2010/11/18 20:37:45 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/11/16 16:52:51 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/11/13 19:57:19 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/11/13 19:54:57 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/11/13 19:54:57 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/11/13 19:54:57 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/11/13 19:54:57 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/11/13 19:54:51 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/11/10 14:57:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Billy Crum\Desktop\gmer
[2010/11/08 15:05:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2010/11/07 17:26:40 | 000,026,496 | ---- | C] (Advanced System Products, Inc.) -- C:\WINDOWS\System32\drivers\ASC.SYS
[2010/11/07 13:45:51 | 000,222,080 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010/11/07 00:32:26 | 000,018,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\simptcp.dll
[2010/11/07 00:32:26 | 000,018,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\simptcp.dll
[2010/11/06 23:54:27 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Essentials
[2010/11/06 22:42:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SecTaskMan
[2010/11/03 19:21:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\IObit
[2010/11/03 19:21:24 | 000,000,000 | ---D | C] -- C:\Program Files\IObit
[2010/11/03 17:01:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Billy Crum\Application Data\SUPERAntiSpyware.com
[2010/11/03 17:01:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/11/02 16:51:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Billy Crum\Desktop\backup
[2010/11/02 16:41:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Billy Crum\Local Settings\Application Data\Safe mirror
[2010/11/02 16:41:12 | 000,000,000 | ---D | C] -- C:\Program Files\Cobian Backup 10
[2010/11/01 16:44:21 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/10/31 22:50:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Billy Crum\My Documents\Downloads
[2010/10/31 22:48:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Billy Crum\Local Settings\Application Data\Mozilla
[2010/10/31 22:48:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Billy Crum\Application Data\Mozilla
[2010/10/31 22:48:23 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010/10/31 13:34:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2010/10/31 11:28:22 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Billy Crum\Desktop\mbam-setup-1.46.exe
[2010/10/25 11:11:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Billy Crum\Application Data\Tific
[2010/10/25 10:49:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\Norton

========== Files - Modified Within 30 Days ==========
[2252/01/25 13:28:41 | 000,003,120 | ---- | M] () -- C:\WINDOWS\MF_C420.lfa
[2010/11/18 21:08:00 | 000,000,434 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{CC997D9F-F93A-4071-BA01-69B90B8EC344}.job
[2010/11/18 21:05:37 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/11/18 21:01:56 | 000,002,507 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Planner Reminder.lnk
[2010/11/18 21:01:54 | 000,002,499 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Planner Reminder 2010.lnk
[2010/11/18 21:00:57 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2010/11/18 21:00:27 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/11/18 21:00:24 | 000,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2010/11/18 20:38:17 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Billy Crum\Desktop\OTL.exe
[2010/11/18 20:34:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/11/17 22:00:53 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts
[2010/11/16 22:19:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/11/16 16:48:08 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/11/13 19:57:24 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2010/11/13 19:52:20 | 003,909,080 | R--- | M] () -- C:\Documents and Settings\Billy Crum\Desktop\etavaresCF.exe
[2010/11/10 18:40:04 | 000,004,997 | ---- | M] () -- C:\Documents and Settings\Billy Crum\Desktop\Attach.zip
[2010/11/10 14:57:02 | 000,288,107 | ---- | M] () -- C:\Documents and Settings\Billy Crum\Desktop\gmer.zip
[2010/11/10 14:56:18 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Billy Crum\defogger_reenable
[2010/11/10 14:55:42 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Billy Crum\Desktop\Defogger.exe
[2010/11/08 21:52:58 | 000,001,479 | ---- | M] () -- C:\Documents and Settings\Billy Crum\Desktop\Solitaire.lnk
[2010/11/08 01:20:24 | 000,089,088 | ---- | M] () -- C:\WINDOWS\MBR.exe
[2010/11/07 17:26:40 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\System32\drivers\ASC.SYS
[2010/11/07 13:44:55 | 000,443,900 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT
[2010/11/07 13:44:55 | 000,072,572 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT
[2010/11/07 13:25:39 | 000,004,566 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/11/06 23:54:29 | 000,000,820 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2010/11/06 23:31:56 | 000,002,187 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Safari.lnk
[2010/11/03 19:21:32 | 000,000,157 | ---- | M] () -- C:\Documents and Settings\Billy Crum\Desktop\IObit Freeware.url
[2010/11/01 11:41:09 | 000,000,882 | ---- | M] () -- C:\WINDOWS\ORUN32.INI
[2010/10/31 22:48:28 | 000,001,620 | ---- | M] () -- C:\Documents and Settings\Billy Crum\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/10/31 22:48:28 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/10/31 22:26:48 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/10/31 11:28:29 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Billy Crum\Desktop\mbam-setup-1.46.exe
[2010/10/30 18:13:23 | 000,041,984 | ---- | M] () -- C:\Documents and Settings\Billy Crum\My Documents\traceroute_malwarebytes_cdn.exe
[2010/10/28 10:28:47 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Billy Crum\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/10/26 14:43:10 | 000,000,825 | ---- | M] () -- C:\Documents and Settings\Billy Crum\Desktop\Norton Installation Files.lnk

========== Files Created - No Company Name ==========
[2252/01/25 13:28:41 | 000,003,120 | ---- | C] () -- C:\WINDOWS\MF_C420.lfa
[2010/11/16 16:48:08 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/11/13 19:57:24 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/11/13 19:57:21 | 000,260,272 |
RHS- | C] () -- C:\cmldr [2010/11/13 19:54:57 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe [2010/11/13 19:54:57 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe [2010/11/13 19:54:57 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe [2010/11/13 19:54:57 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe [2010/11/13 19:54:57 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe [2010/11/13 19:52:05 | 003,909,080 | R--- | C] () -- C:\Documents and Settings\Billy Crum\Desktop\etavaresCF.exe [2010/11/10 18:40:04 | 000,004,997 | ---- | C] () -- C:\Documents and Settings\Billy Crum\Desktop\Attach.zip [2010/11/10 14:56:58 | 000,288,107 | ---- | C] () -- C:\Documents and Settings\Billy Crum\Desktop\gmer.zip [2010/11/10 14:56:18 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Billy Crum\defogger_reenable [2010/11/10 14:55:42 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Billy Crum\Desktop\Defogger.exe [2010/11/07 13:15:04 | 000,049,275 | ---- | C] () -- C:\WINDOWS\System32\wfospf.mib [2010/11/07 13:15:04 | 000,038,608 | ---- | C] () -- C:\WINDOWS\System32\nipx.mib [2010/11/07 13:15:04 | 000,034,317 | ---- | C] () -- C:\WINDOWS\System32\msiprip2.mib [2010/11/07 13:15:04 | 000,026,236 | ---- | C] () -- C:\WINDOWS\System32\wins.mib [2010/11/07 13:15:04 | 000,013,767 | ---- | C] () -- C:\WINDOWS\System32\msipbtp.mib [2010/11/07 13:15:04 | 000,004,332 | ---- | C] () -- C:\WINDOWS\System32\smi.mib [2010/11/07 13:15:04 | 000,000,581 | ---- | C] () -- C:\WINDOWS\System32\msft.mib [2010/11/07 13:15:03 | 000,107,882 | ---- | C] () -- C:\WINDOWS\System32\mib_ii.mib [2010/11/07 13:15:03 | 000,048,593 | ---- | C] () -- C:\WINDOWS\System32\hostmib.mib [2010/11/07 13:15:03 | 000,030,448 | ---- | C] () -- C:\WINDOWS\System32\mcastmib.mib [2010/11/07 13:15:03 | 000,026,100 | ---- | C] () -- C:\WINDOWS\System32\lmmib2.mib [2010/11/07 13:15:03 | 000,021,386 | ---- | C] () -- C:\WINDOWS\System32\mipx.mib [2010/11/07 13:15:03 | 000,016,617 | ---- | C] () -- 
C:\WINDOWS\System32\authserv.mib [2010/11/07 13:15:03 | 000,015,799 | ---- | C] () -- C:\WINDOWS\System32\ipforwd.mib [2010/11/07 13:15:03 | 000,010,313 | ---- | C] () -- C:\WINDOWS\System32\mripsap.mib [2010/11/07 13:15:03 | 000,004,597 | ---- | C] () -- C:\WINDOWS\System32\dhcp.mib [2010/11/07 13:15:02 | 000,015,597 | ---- | C] () -- C:\WINDOWS\System32\accserv.mib [2010/11/06 23:59:43 | 000,000,408 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job [2010/11/06 23:54:29 | 000,000,820 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk [2010/11/03 19:21:32 | 000,000,157 | ---- | C] () -- C:\Documents and Settings\Billy Crum\Desktop\IObit Freeware.url [2010/10/31 22:48:28 | 000,001,620 | ---- | C] () -- C:\Documents and Settings\Billy Crum\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk [2010/10/31 22:48:28 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk [2010/10/31 22:26:48 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat [2010/10/30 18:13:18 | 000,041,984 | ---- | C] () -- C:\Documents and Settings\Billy Crum\My Documents\traceroute_malwarebytes_cdn.exe [2010/10/30 09:51:39 | 002,438,765 | ---- | C] () -- C:\Documents and Settings\Billy Crum\My Documents\DSC_0905.JPG [2010/10/25 10:49:42 | 000,000,825 | ---- | C] () -- C:\Documents and Settings\Billy Crum\Desktop\Norton Installation Files.lnk [2010/09/29 17:10:32 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Billy Crum\Local Settings\Application Data\housecall.guid.cache [2010/06/16 04:33:09 | 000,674,536 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat [2009/06/13 14:54:48 | 000,000,011 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\DragToDiscUserNameE.txt [2009/02/11 03:05:12 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI [2008/09/08 13:52:14 | 000,000,161 | 
---- | C] () -- C:\WINDOWS\System32\vclwiz8.dll [2007/07/23 14:07:55 | 000,000,004 | -H-- | C] () -- C:\WINDOWS\uccspecb.sys [2007/01/17 12:57:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini [2005/07/07 17:11:34 | 000,011,776 | ---- | C] () -- C:\Documents and Settings\Billy Crum\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2005/07/07 16:09:18 | 000,000,170 | ---- | C] () -- C:\WINDOWS\GetServer.ini [2005/07/01 15:41:31 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\LXPRMON.DLL [2005/07/01 15:41:31 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\LXPMONUI.DLL [2005/07/01 15:34:21 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxbuvs.dll [2005/06/30 19:06:39 | 000,000,411 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log [2005/04/20 15:23:36 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PhotoPro.INI [2005/04/19 17:14:32 | 000,000,002 | ---- | C] () -- C:\WINDOWS\PhotoSuite.ini [2005/04/19 17:14:28 | 001,052,672 | ---- | C] () -- C:\WINDOWS\System32\MGIIpl2P5.dll [2005/04/19 17:14:27 | 001,261,568 | ---- | C] () -- C:\WINDOWS\System32\MGIIpl2M6.dll [2005/04/19 17:14:26 | 001,228,800 | ---- | C] () -- C:\WINDOWS\System32\MGIIpl2M5.dll [2005/04/19 17:14:25 | 001,294,336 | ---- | C] () -- C:\WINDOWS\System32\MGIIpl2A6.dll [2005/04/19 17:14:25 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\MGIIpl2.dll [2005/04/19 17:14:24 | 001,105,920 | ---- | C] () -- C:\WINDOWS\System32\MGIIpl2P6.dll [2005/04/19 17:14:24 | 001,093,632 | ---- | C] () -- C:\WINDOWS\System32\MGIIpl2PX.dll [2005/04/19 17:14:21 | 000,332,800 | ---- | C] () -- C:\WINDOWS\System32\FPXLIB.DLL [2005/04/19 17:14:21 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\JPEGLIB.DLL [2005/04/19 17:14:20 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\EnrouteStitch.dll [2005/04/19 17:14:20 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\CPUINF32.DLL [2005/03/28 17:13:06 | 000,000,036 | ---- | C] () -- 
C:\WINDOWS\cosdtp.ini [2005/03/21 21:31:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS\hpqEmlSz.INI [2005/02/19 17:58:47 | 000,030,208 | ---- | C] () -- C:\WINDOWS\System32\WNASPI32.DLL [2005/02/19 17:58:47 | 000,000,291 | ---- | C] () -- C:\WINDOWS\msfsetup.ini [2005/02/19 15:42:08 | 000,001,102 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini [2005/02/19 15:23:14 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini [2005/02/19 15:20:37 | 000,002,230 | ---- | C] () -- C:\WINDOWS\BJWIN.INI [2005/02/19 15:19:23 | 000,000,027 | ---- | C] () -- C:\WINDOWS\VPWIN.INI [2005/02/19 15:12:21 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI [2005/02/19 14:14:25 | 000,095,232 | ---- | C] () -- C:\WINDOWS\System32\LFKODAK.DLL [2005/02/19 14:14:24 | 000,306,688 | ---- | C] () -- C:\WINDOWS\System32\LFFPX7.DLL [2005/02/19 14:14:04 | 000,044,544 | ---- | C] () -- C:\WINDOWS\System32\gif89.dll [2005/02/19 14:13:38 | 000,000,735 | ---- | C] () -- C:\WINDOWS\SIERRA.INI [2005/02/19 13:43:09 | 000,000,158 | ---- | C] () -- C:\WINDOWS\pagesuit.ini [2005/02/19 13:43:07 | 000,023,040 | ---- | C] () -- C:\WINDOWS\System32\irisco32.dll [2005/02/19 11:39:12 | 000,000,047 | ---- | C] () -- C:\WINDOWS\splash.ini [2005/02/19 11:28:34 | 000,000,134 | ---- | C] () -- C:\Documents and Settings\Billy Crum\Local Settings\Application Data\fusioncache.dat [2005/02/03 19:08:16 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini [2005/02/03 19:02:31 | 000,000,498 | ---- | C] () -- C:\WINDOWS\wininit.ini [2005/02/03 18:31:20 | 000,000,519 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI [2004/08/10 14:13:12 | 000,000,882 | ---- | C] () -- C:\WINDOWS\ORUN32.INI [2004/08/10 14:03:52 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI [2004/08/04 06:00:00 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\FXSPERF.INI [2002/05/29 08:50:02 | 000,561,152 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll [1999/07/23 12:46:48 | 000,000,116 | ---- | C] () -- C:\WINDOWS\AuHCcup1.ini [1999/07/23 09:53:20 | 
000,129,536 | ---- | C] () -- C:\WINDOWS\AuHCcup1.dll [1999/03/05 03:27:32 | 000,004,715 | ---- | C] () -- C:\WINDOWS\System32\HPFlnk20.ini [1999/03/05 03:05:28 | 000,194,048 | ---- | C] () -- C:\WINDOWS\System32\HPFcps20.dll [1999/03/05 03:04:56 | 000,076,800 | ---- | C] () -- C:\WINDOWS\System32\HPF24r20.dll [1999/03/05 02:42:56 | 000,048,292 | ---- | C] () -- C:\WINDOWS\System32\HPFlpm20.dll [1999/03/05 02:42:44 | 000,072,368 | ---- | C] () -- C:\WINDOWS\System32\HPFcom20.dll [1999/03/05 02:41:52 | 000,052,800 | ---- | C] () -- C:\WINDOWS\System32\drivers\HPFecp20.sys [1999/03/05 02:32:40 | 000,124,928 | ---- | C] () -- C:\WINDOWS\System32\HPFcnt20.dll [1980/01/01 01:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll ========== Alternate Data Streams ========== @Alternate Data Stream - 146 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A2A20EF9 @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FC420CE6 @Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:225C4FFC @Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CE5AAA59 @Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:399441CC @Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9E22BBE8 @Alternate Data Stream - 101 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:590B1A90 < End of report > Results of Malwarebytes Scan... 
Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org Database version: 5148 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 11/18/2010 9:26:48 PM mbam-log-2010-11-18 (21-26-48).txt Scan type: Quick scan Objects scanned: 155523 Time elapsed: 7 minute(s), 36 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 1 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\tst (Trojan.Banker) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected)
Attached are the results from ESETScan.
Attached File: ESETScan.txt (304 bytes, 1 download)

Edited by SGCrum, 18 November 2010 - 11:48 PM.
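The OTL and MBAM output in the post above is raw scanner data, and the things a helper looks for in it (a file stamped with the year 2252, executables with no version information sitting in a user profile, driver registrations whose binary is gone, the alternate data streams) are easy to miss by eye across a few hundred lines. The following triage pass is an added example written for this page; it is not OTL's, Malwarebytes' or anything posted in the thread. It assumes the three line shapes visible above (the `[date | size | attributes | C/M] (Company) -- path` file entries, the `DRV -`/`SRV -` service entries, and the `@Alternate Data Stream` lines) and uses thresholds of my own choosing: anything dated after the scan or before 1990 is flagged, as is any executable without a company name under `Documents and Settings` or a `Temp` directory. The sample input is a handful of lines copied from the log above; the scan time is taken from the MBAM header in the same post. A finding is a prompt for review, not a verdict.

```python
"""Triage pass over OTL-style scan log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List

# File entries, e.g.
# [2010/11/13 19:54:57 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
# Directory entries have no "(Company)" group at all; "()" means no version info.
FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attr>[-A-Z]{4}) \| (?P<kind>[CM])\] (?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)
# Service / driver entries, e.g.
# DRV - (catchme) -- C:\etavaresCF\catchme.sys File not found
# SRV - (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter) -- C:\...\sprtsvc.exe (SupportSoft, Inc.)
SVC_RE = re.compile(r"^(?P<type>SRV|DRV) - \((?P<name>[^)]*)\).*? -- (?P<rest>.+)$")
# @Alternate Data Stream - 146 bytes -> C:\...\Application Data\TEMP:A2A20EF9
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$")

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx")
# Assumed markers for "user-writable area"; tune for the system under review.
USER_DIRS = ("\\documents and settings\\", "\\temp\\", "\\temporary internet files\\")
# Assumed: scan time of the post above, from the MBAM header "11/18/2010 9:26:48 PM".
SCAN_TIME = datetime(2010, 11, 18, 21, 26, 48)


@dataclass
class Finding:
    reason: str
    path: str
    detail: str = ""


def _in_user_or_temp(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_DIRS)


def triage_line(line: str, scan_time: datetime) -> List[Finding]:
    """Return zero or more findings for one OTL log line; unknown shapes yield none."""
    line = line.strip()
    out: List[Finding] = []

    m = FILE_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        path, company = m["path"], (m["company"] or "").strip()
        # A timestamp after the scan, or an epoch-like one, is how timestomping
        # or corrupt metadata shows up in this kind of listing.
        if ts > scan_time:
            out.append(Finding("future timestamp", path, m["ts"]))
        elif ts.year < 1990:
            out.append(Finding("epoch-like timestamp", path, m["ts"]))
        if path.lower().endswith(EXEC_EXT) and not company and _in_user_or_temp(path):
            out.append(Finding("unattributed executable in user/temp area", path))
        return out

    m = SVC_RE.match(line)
    if m:
        rest = m["rest"]
        if rest.endswith(" File not found"):
            # Registration survives but the binary is gone: leftover of a removed
            # tool or a self-deleting dropper; either way it should be cleaned up.
            path = rest[: -len(" File not found")]
            out.append(Finding(f"orphaned {m['type']} registration", path, m["name"]))
        else:
            path = re.match(r"^(?P<path>.+?)(?: \((?P<company>[^)]*)\))?$", rest)["path"]
        if "\\temp\\" in path.lower():
            out.append(Finding(f"{m['type']} loaded from a temp directory", path, m["name"]))
        return out

    m = ADS_RE.match(line)
    if m:
        out.append(Finding("alternate data stream", m["path"], f"{m['size']} bytes"))
    return out


def triage(log_text: str, scan_time: datetime) -> List[Finding]:
    return [f for line in log_text.splitlines() for f in triage_line(line, scan_time)]


# Sample input: lines copied from the OTL output posted above.
SAMPLE_LOG = r"""
[2252/01/25 13:28:41 | 000,003,120 | ---- | M] () -- C:\WINDOWS\MF_C420.lfa
[2010/11/18 20:38:17 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Billy Crum\Desktop\OTL.exe
[2010/10/30 18:13:23 | 000,041,984 | ---- | M] () -- C:\Documents and Settings\Billy Crum\My Documents\traceroute_malwarebytes_cdn.exe
[1980/01/01 01:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
DRV - (SASKUTIL) -- C:\DOCUME~1\BILLYC~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS File not found
DRV - (catchme) -- C:\etavaresCF\catchme.sys File not found
DRV - (LMIRfsDriver) -- C:\WINDOWS\SYSTEM32\DRIVERS\LMIRfsDriver.sys (LogMeIn, Inc.)
SRV - (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe (SupportSoft, Inc.)
@Alternate Data Stream - 146 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A2A20EF9
"""


def triage_sample() -> List[Finding]:
    return triage(SAMPLE_LOG, SCAN_TIME)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f.reason:45} {f.path}  {f.detail}")
```

On the sample above the pass reports seven findings: the 2252-dated `MF_C420.lfa`, the 1980-dated `e100bmsg.dll`, the company-less `traceroute_malwarebytes_cdn.exe` in My Documents, the two orphaned driver registrations (one of which also lived under Temp), and the ADS. The OTL.exe, LogMeIn and Dell entries produce nothing, which is the point: the parser is meant to shrink a few hundred lines to the handful worth a second look, not to decide what is malicious.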


#12 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:07:29 AM

Posted 19 November 2010 - 07:19 PM

OK, please run MBAM again to confirm it's clean, as it did find something in that scan. Please also run an OTL quick scan and attach the file. For some reason, it didn't paste properly.

I think we're ready to clean up after this post.

Thanks!


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#13 SGCrum

SGCrum
  • Topic Starter

  • Members
  • 10 posts
  • Local time:06:29 AM

Posted 19 November 2010 - 09:16 PM

Results from MBAM:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5148

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/19/2010 9:09:41 PM
mbam-log-2010-11-19 (21-09-41).txt

Scan type: Quick scan
Objects scanned: 155709
Time elapsed: 8 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Results from OTL scan:
OTL logfile created on: 11/19/2010 9:17:00 PM - Run 3
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Billy Crum\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 49.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.59 Gb Total Space | 27.04 Gb Free Space | 37.77% Space Free | Partition Type: NTFS
Drive D: | 493.42 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: D1NTVR61 | User Name: Billy Crum | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Billy Crum\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Documents and Settings\Billy Crum\Application Data\Smilebox\SmileboxTray.exe (Smilebox, Inc.)
PRC - C:\Program Files\LogMeIn\x86\ramaint.exe (LogMeIn, Inc.)
PRC - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe (LogMeIn, Inc.)
PRC - C:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
PRC - C:\Program Files\LogMeIn\x86\LogMeIn.exe (LogMeIn, Inc.)
PRC - c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\Creative Home\Hallmark Card Studio 2010\Planner\PLNRnote.exe (Creative Home)
PRC - C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
PRC - C:\Program Files\Dell Support Center\bin\sprtsvc.exe (SupportSoft, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\DellSupport\DSAgnt.exe (Gteko Ltd.)
PRC - C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe (Adobe Systems Incorporated)
PRC - C:\Program Files\Hallmark\Hallmark Card Studio 2007 Deluxe\Planner\PLNRnote.exe (TODO: <Company name>)
PRC - C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe (Linksys, a Division of Cisco Systems, Inc.)
PRC - C:\WINDOWS\SYSTEM32\lxbucoms.exe (Lexmark International, Inc.)
PRC - C:\Program Files\Lexmark 6200 Series\lxbumon.exE (Lexmark International, Inc.)
PRC - C:\Program Files\Lexmark 6200 Series\ezprint.exe ()
PRC - C:\Program Files\FinePixViewer\QuickDCF.exe (FUJI PHOTO FILM CO., LTD.)
PRC - C:\Sierra\CardStudio\PLNRnote.exe (Sierra Online, Inc.)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Billy Crum\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (stllssvr) -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe File not found
SRV - (AppMgmt) -- C:\WINDOWS\System32\appmgmts.dll File not found
SRV - (LMIMaint) -- C:\Program Files\LogMeIn\x86\RaMaint.exe (LogMeIn, Inc.)
SRV - (LMIGuardianSvc) -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe (LogMeIn, Inc.)
SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (LogMeIn) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe (LogMeIn, Inc.)
SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)
SRV - (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe (SupportSoft, Inc.)
SRV - (DSBrokerService) -- C:\Program Files\DellSupport\brkrsvc.exe ()
SRV - (MSCSPTISRV) -- C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe (Sony Corporation)
SRV - (SPTISRV) -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe (Sony Corporation)
SRV - (PACSPTISVR) -- C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe ()
SRV - (lxbu_device) -- C:\WINDOWS\System32\lxbucoms.exe (Lexmark International, Inc.)
SRV - (Pml Driver HPZ12) -- C:\WINDOWS\SYSTEM32\HPZipm12.exe (HP)


========== Driver Services (SafeList) ==========

DRV - (wanatw) WAN Miniport (ATW) -- C:\WINDOWS\System32\DRIVERS\wanatw4.sys File not found
DRV - (SASKUTIL) -- C:\DOCUME~1\BILLYC~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS File not found
DRV - (SASDIFSV) -- C:\DOCUME~1\BILLYC~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS File not found
DRV - (catchme) -- C:\etavaresCF\catchme.sys File not found
DRV - (asc) -- C:\WINDOWS\SYSTEM32\DRIVERS\ASC.SYS (Advanced System Products, Inc.)
DRV - (LMIRfsClientNP) -- C:\WINDOWS\System32\LMIRfsClientNP.dll (LogMeIn, Inc.)
DRV - (LMIInfo) -- C:\Program Files\LogMeIn\x86\rainfo.sys (LogMeIn, Inc.)
DRV - (LMIRfsDriver) -- C:\WINDOWS\SYSTEM32\DRIVERS\LMIRfsDriver.sys (LogMeIn, Inc.)
DRV - (amdagp) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)
DRV - (sisagp) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)
DRV - (X4HSX32Ex) -- C:\Program Files\Free Ride Games\X4HSX32Ex.sys (Exent Technologies Ltd.)
DRV - (dsunidrv) -- C:\WINDOWS\SYSTEM32\DRIVERS\dsunidrv.sys (Gteko Ltd.)
DRV - (GoProto) -- C:\WINDOWS\SYSTEM32\DRIVERS\goprot51.sys (Gteko Ltd.)
DRV - (DSproct) -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys (Gteko Ltd.)
DRV - (pfc) -- C:\WINDOWS\SYSTEM32\DRIVERS\pfc.sys (Padus, Inc.)
DRV - (ultra) -- C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Technology, Inc.)
DRV - (symc8xx) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys (LSI Logic)
DRV - (sym_u3) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys (LSI Logic)
DRV - (sym_hi) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys (LSI Logic)
DRV - (symc810) -- C:\WINDOWS\SYSTEM32\DRIVERS\symc810.sys (Symbios Logic Inc.)
DRV - (Sparrow) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys (Adaptec, Inc.)
DRV - (ql1280) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys (QLogic Corporation)
DRV - (ql12160) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys (QLogic Corporation)
DRV - (ql1080) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys (QLogic Corporation)
DRV - (mraid35x) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys (American Megatrends Inc.)
DRV - (dac2w2k) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys (Mylex Corporation)
DRV - (CmdIde) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)
DRV - (asc3550) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys (Advanced System Products, Inc.)
DRV - (AliIde) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (nv) -- C:\WINDOWS\SYSTEM32\DRIVERS\NV4_MINI.SYS (NVIDIA Corporation)
DRV - (IntelC53) -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC53.sys (Intel Corporation)
DRV - (IntelC52) -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC52.sys (Intel Corporation)
DRV - (IntelC51) -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC51.sys (Intel Corporation)
DRV - (mohfilt) -- C:\WINDOWS\SYSTEM32\DRIVERS\mohfilt.sys (Intel Corporation)
DRV - (omci) -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys (Dell Computer Corporation)
DRV - (MASPINT) -- C:\WINDOWS\System32\drivers\MASPINT.SYS (MicroStaff Co.,Ltd.)
DRV - (HPFECP20) -- C:\WINDOWS\System32\drivers\HPFECP20.SYS ()


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



IE - HKU\S-1-5-21-1893157748-162867314-4250899267-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-1893157748-162867314-4250899267-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S-1-5-21-1893157748-162867314-4250899267-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-1893157748-162867314-4250899267-1006\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.msn.com/sphome.aspx
IE - HKU\S-1-5-21-1893157748-162867314-4250899267-1006\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-1893157748-162867314-4250899267-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1893157748-162867314-4250899267-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-21-1893157748-162867314-4250899267-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKU\S-1-5-21-1893157748-162867314-4250899267-1009\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
IE - HKU\S-1-5-21-1893157748-162867314-4250899267-1009\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
IE - HKU\S-1-5-21-1893157748-162867314-4250899267-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1893157748-162867314-4250899267-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/10/31 22:48:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/11/07 17:39:59 | 000,000,000 | ---D | M]

[2010/10/31 22:48:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Billy Crum\Application Data\Mozilla\Extensions
[2010/11/02 18:55:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Billy Crum\Application Data\Mozilla\Firefox\Profiles\17l56r7l.default\extensions
[2010/11/02 18:55:25 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Billy Crum\Application Data\Mozilla\Firefox\Profiles\17l56r7l.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/11/18 19:11:17 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/09/15 04:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/11/17 22:00:53 | 000,000,027 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll (Google Inc.)
O2 - BHO: (MSN Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (MSN Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-1893157748-162867314-4250899267-1006\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-1893157748-162867314-4250899267-1006\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
O4 - HKLM..\Run: [EzPrint] C:\Program Files\Lexmark 6200 Series\ezprint.exe ()
O4 - HKLM..\Run: [FaxCenterServer] C:\Program Files\Lexmark Fax Solutions\fm3032.exe ()
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [LXBUCATS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBUtime.DLL ()
O4 - HKLM..\Run: [lxbumon.exe] C:\Program Files\Lexmark 6200 Series\lxbumon.exe (Lexmark International, Inc.)
O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE (FUJI PHOTO FILM CO., LTD.)
O4 - HKLM..\Run: [ReminderApp] C:\Program Files\Nova Development\Greeting Card Factory Deluxe 7.0\ReminderApp.exe ()
O4 - HKLM..\Run: [UpdateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions)
O4 - HKU\.DEFAULT..\Run: [Exetender] C:\Program Files\Free Ride Games\GPlayer.exe (Exent Technologies Ltd.)
O4 - HKU\S-1-5-18..\Run: [Exetender] C:\Program Files\Free Ride Games\GPlayer.exe (Exent Technologies Ltd.)
O4 - HKU\S-1-5-21-1893157748-162867314-4250899267-1006..\Run: [DellSupport] C:\Program Files\DellSupport\DSAgnt.exe (Gteko Ltd.)
O4 - HKU\S-1-5-21-1893157748-162867314-4250899267-1006..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKU\S-1-5-21-1893157748-162867314-4250899267-1006..\Run: [EasyLinkAdvisor] C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe (Linksys, a Division of Cisco Systems, Inc.)
O4 - HKU\S-1-5-21-1893157748-162867314-4250899267-1006..\Run: [Exetender] C:\Program Files\Free Ride Games\GPlayer.exe (Exent Technologies Ltd.)
O4 - HKU\S-1-5-21-1893157748-162867314-4250899267-1006..\Run: [Microsoft Works Update Detection] File not found
O4 - HKU\S-1-5-21-1893157748-162867314-4250899267-1006..\Run: [SmileboxTray] C:\Documents and Settings\Billy Crum\Application Data\Smilebox\SmileboxTray.exe (Smilebox, Inc.)
O4 - HKU\S-1-5-21-1893157748-162867314-4250899267-1006..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKU\S-1-5-21-1893157748-162867314-4250899267-1009..\Run: [Exetender] C:\Program Files\Free Ride Games\GPlayer.exe (Exent Technologies Ltd.)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Planner Reminder 2010.lnk = C:\WINDOWS\Installer\{601BE80D-247B-4084-94C7-7A54369DB7A2}\Shortcut_EventPlan_E2FBA8F7F7FD4C5EAA7D652BB0CAAA9D.exe (Acresso Software Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Planner Reminder.lnk = C:\WINDOWS\Installer\{5D0DF1BB-D82E-4FB2-B98E-4FDE42EF7EBB}\Shortcut_EventPlan_5D0DF1BBD82E4FB2B98E4FDE42EF7EBB.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Planner Reminders Tray Icon.lnk = C:\Sierra\CardStudio\PLNRnote.exe (Sierra Online, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk = C:\Program Files\PrintMaster 16\pmremind.exe (Broderbund Properties LLC)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe (FUJI PHOTO FILM CO., LTD.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGremind.exe (Broderbund Properties LLC)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1893157748-162867314-4250899267-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1893157748-162867314-4250899267-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1893157748-162867314-4250899267-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1893157748-162867314-4250899267-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-1893157748-162867314-4250899267-1009\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1893157748-162867314-4250899267-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll (Google Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab (Reg Error: Key error.)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://photos.walmart.com/WalmartActivia.cab (Snapfish Activia)
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} http://picasaweb.google.com/s/v/33.06/uploader2.cab (UploadListView Class)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,96/mcinsctl.cab (Reg Error: Key error.)
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} https://virtualoffice.allkindsofminds.org/msrdp.cab (Microsoft RDP Client Control (redist))
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.73.246 68.87.71.230
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Billy Crum\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Billy Crum\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 14:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/02/06 10:04:14 | 000,576,512 | R--- | M] () - D:\autoplay.exe -- [ CDFS ]
O32 - AutoRun File - [2000/06/06 09:07:06 | 000,000,051 | R--- | M] () - D:\autorun.inf -- [ CDFS ]
O32 - AutoRun File - [2000/12/21 07:13:48 | 000,000,051 | R--- | M] () - D:\autorun.inf.bak -- [ CDFS ]
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/11/18 21:37:09 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/11/18 21:17:47 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/11/18 21:17:45 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/11/18 20:39:27 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/11/18 20:38:07 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Billy Crum\Desktop\OTL.exe
[2010/11/18 20:37:45 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/11/16 16:52:51 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/11/13 19:57:19 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/11/13 19:54:57 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/11/13 19:54:57 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/11/13 19:54:57 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/11/13 19:54:57 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/11/13 19:54:51 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/11/10 14:57:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Billy Crum\Desktop\gmer
[2010/11/08 15:05:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2010/11/07 17:26:40 | 000,026,496 | ---- | C] (Advanced System Products, Inc.) -- C:\WINDOWS\System32\drivers\ASC.SYS
[2010/11/07 13:45:51 | 000,222,080 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010/11/07 00:32:26 | 000,018,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\simptcp.dll
[2010/11/07 00:32:26 | 000,018,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\simptcp.dll
[2010/11/06 23:54:27 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Essentials
[2010/11/06 22:42:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SecTaskMan
[2010/11/03 19:21:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\IObit
[2010/11/03 19:21:24 | 000,000,000 | ---D | C] -- C:\Program Files\IObit
[2010/11/03 17:01:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Billy Crum\Application Data\SUPERAntiSpyware.com
[2010/11/03 17:01:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/11/02 16:51:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Billy Crum\Desktop\backup
[2010/11/02 16:41:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Billy Crum\Local Settings\Application Data\Safe mirror
[2010/11/02 16:41:12 | 000,000,000 | ---D | C] -- C:\Program Files\Cobian Backup 10
[2010/11/01 16:44:21 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/10/31 22:50:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Billy Crum\My Documents\Downloads
[2010/10/31 22:48:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Billy Crum\Local Settings\Application Data\Mozilla
[2010/10/31 22:48:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Billy Crum\Application Data\Mozilla
[2010/10/31 22:48:23 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010/10/31 13:34:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2010/10/31 11:28:22 | 006,153,376 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Billy Crum\Desktop\mbam-setup-1.46.exe
[2010/10/25 11:11:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Billy Crum\Application Data\Tific
[2010/10/25 10:49:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\Norton

========== Files - Modified Within 30 Days ==========

[2252/01/25 13:28:41 | 000,003,120 | ---- | M] () -- C:\WINDOWS\MF_C420.lfa
[2010/11/19 21:18:00 | 000,000,434 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{CC997D9F-F93A-4071-BA01-69B90B8EC344}.job
[2010/11/19 20:34:14 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/11/19 19:34:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/11/18 21:17:50 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/11/18 21:16:04 | 006,153,376 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Billy Crum\Desktop\mbam-setup-1.46.exe
[2010/11/18 21:05:37 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/11/18 21:01:56 | 000,002,507 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Planner Reminder.lnk
[2010/11/18 21:01:54 | 000,002,499 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Planner Reminder 2010.lnk
[2010/11/18 21:00:57 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2010/11/18 21:00:24 | 000,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2010/11/18 20:38:17 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Billy Crum\Desktop\OTL.exe
[2010/11/17 22:00:53 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts
[2010/11/16 22:19:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/11/16 16:48:08 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/11/13 19:57:24 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2010/11/13 19:52:20 | 003,909,080 | R--- | M] () -- C:\Documents and Settings\Billy Crum\Desktop\etavaresCF.exe
[2010/11/10 18:40:04 | 000,004,997 | ---- | M] () -- C:\Documents and Settings\Billy Crum\Desktop\Attach.zip
[2010/11/10 14:57:02 | 000,288,107 | ---- | M] () -- C:\Documents and Settings\Billy Crum\Desktop\gmer.zip
[2010/11/10 14:56:18 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Billy Crum\defogger_reenable
[2010/11/10 14:55:42 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Billy Crum\Desktop\Defogger.exe
[2010/11/08 21:52:58 | 000,001,479 | ---- | M] () -- C:\Documents and Settings\Billy Crum\Desktop\Solitaire.lnk
[2010/11/08 01:20:24 | 000,089,088 | ---- | M] () -- C:\WINDOWS\MBR.exe
[2010/11/07 17:26:40 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\System32\drivers\ASC.SYS
[2010/11/07 13:44:55 | 000,443,900 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT
[2010/11/07 13:44:55 | 000,072,572 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT
[2010/11/07 13:25:39 | 000,004,566 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/11/06 23:54:29 | 000,000,820 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2010/11/06 23:31:56 | 000,002,187 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Safari.lnk
[2010/11/03 19:21:32 | 000,000,157 | ---- | M] () -- C:\Documents and Settings\Billy Crum\Desktop\IObit Freeware.url
[2010/11/01 11:41:09 | 000,000,882 | ---- | M] () -- C:\WINDOWS\ORUN32.INI
[2010/10/31 22:48:28 | 000,001,620 | ---- | M] () -- C:\Documents and Settings\Billy Crum\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/10/31 22:48:28 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/10/31 22:26:48 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/10/30 18:13:23 | 000,041,984 | ---- | M] () -- C:\Documents and Settings\Billy Crum\My Documents\traceroute_malwarebytes_cdn.exe
[2010/10/28 10:28:47 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Billy Crum\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/10/26 14:43:10 | 000,000,825 | ---- | M] () -- C:\Documents and Settings\Billy Crum\Desktop\Norton Installation Files.lnk

========== Files Created - No Company Name ==========

[2252/01/25 13:28:41 | 000,003,120 | ---- | C] () -- C:\WINDOWS\MF_C420.lfa
[2010/11/18 21:17:50 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/11/16 16:48:08 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/11/13 19:57:24 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/11/13 19:57:21 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2010/11/13 19:54:57 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/11/13 19:54:57 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/11/13 19:54:57 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/11/13 19:54:57 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/11/13 19:54:57 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/11/13 19:52:05 | 003,909,080 | R--- | C] () -- C:\Documents and Settings\Billy Crum\Desktop\etavaresCF.exe
[2010/11/10 18:40:04 | 000,004,997 | ---- | C] () -- C:\Documents and Settings\Billy Crum\Desktop\Attach.zip
[2010/11/10 14:56:58 | 000,288,107 | ---- | C] () -- C:\Documents and Settings\Billy Crum\Desktop\gmer.zip
[2010/11/10 14:56:18 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Billy Crum\defogger_reenable
[2010/11/10 14:55:42 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Billy Crum\Desktop\Defogger.exe
[2010/11/07 13:15:04 | 000,049,275 | ---- | C] () -- C:\WINDOWS\System32\wfospf.mib
[2010/11/07 13:15:04 | 000,038,608 | ---- | C] () -- C:\WINDOWS\System32\nipx.mib
[2010/11/07 13:15:04 | 000,034,317 | ---- | C] () -- C:\WINDOWS\System32\msiprip2.mib
[2010/11/07 13:15:04 | 000,026,236 | ---- | C] () -- C:\WINDOWS\System32\wins.mib
[2010/11/07 13:15:04 | 000,013,767 | ---- | C] () -- C:\WINDOWS\System32\msipbtp.mib
[2010/11/07 13:15:04 | 000,004,332 | ---- | C] () -- C:\WINDOWS\System32\smi.mib
[2010/11/07 13:15:04 | 000,000,581 | ---- | C] () -- C:\WINDOWS\System32\msft.mib
[2010/11/07 13:15:03 | 000,107,882 | ---- | C] () -- C:\WINDOWS\System32\mib_ii.mib
[2010/11/07 13:15:03 | 000,048,593 | ---- | C] () -- C:\WINDOWS\System32\hostmib.mib
[2010/11/07 13:15:03 | 000,030,448 | ---- | C] () -- C:\WINDOWS\System32\mcastmib.mib
[2010/11/07 13:15:03 | 000,026,100 | ---- | C] () -- C:\WINDOWS\System32\lmmib2.mib
[2010/11/07 13:15:03 | 000,021,386 | ---- | C] () -- C:\WINDOWS\System32\mipx.mib
[2010/11/07 13:15:03 | 000,016,617 | ---- | C] () -- C:\WINDOWS\System32\authserv.mib
[2010/11/07 13:15:03 | 000,015,799 | ---- | C] () -- C:\WINDOWS\System32\ipforwd.mib
[2010/11/07 13:15:03 | 000,010,313 | ---- | C] () -- C:\WINDOWS\System32\mripsap.mib
[2010/11/07 13:15:03 | 000,004,597 | ---- | C] () -- C:\WINDOWS\System32\dhcp.mib
[2010/11/07 13:15:02 | 000,015,597 | ---- | C] () -- C:\WINDOWS\System32\accserv.mib
[2010/11/06 23:59:43 | 000,000,408 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/11/06 23:54:29 | 000,000,820 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2010/11/03 19:21:32 | 000,000,157 | ---- | C] () -- C:\Documents and Settings\Billy Crum\Desktop\IObit Freeware.url
[2010/10/31 22:48:28 | 000,001,620 | ---- | C] () -- C:\Documents and Settings\Billy Crum\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/10/31 22:48:28 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/10/31 22:26:48 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/10/30 18:13:18 | 000,041,984 | ---- | C] () -- C:\Documents and Settings\Billy Crum\My Documents\traceroute_malwarebytes_cdn.exe
[2010/10/30 09:51:39 | 002,438,765 | ---- | C] () -- C:\Documents and Settings\Billy Crum\My Documents\DSC_0905.JPG
[2010/10/25 10:49:42 | 000,000,825 | ---- | C] () -- C:\Documents and Settings\Billy Crum\Desktop\Norton Installation Files.lnk
[2010/09/29 17:10:32 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Billy Crum\Local Settings\Application Data\housecall.guid.cache
[2010/06/16 04:33:09 | 000,674,536 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/06/13 14:54:48 | 000,000,011 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\DragToDiscUserNameE.txt
[2009/02/11 03:05:12 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2008/09/08 13:52:14 | 000,000,161 | ---- | C] () -- C:\WINDOWS\System32\vclwiz8.dll
[2007/07/23 14:07:55 | 000,000,004 | -H-- | C] () -- C:\WINDOWS\uccspecb.sys
[2007/01/17 12:57:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/07/07 17:11:34 | 000,011,776 | ---- | C] () -- C:\Documents and Settings\Billy Crum\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005/07/07 16:09:18 | 000,000,170 | ---- | C] () -- C:\WINDOWS\GetServer.ini
[2005/07/01 15:41:31 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\LXPRMON.DLL
[2005/07/01 15:41:31 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\LXPMONUI.DLL
[2005/07/01 15:34:21 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxbuvs.dll
[2005/06/30 19:06:39 | 000,000,411 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2005/04/20 15:23:36 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PhotoPro.INI
[2005/04/19 17:14:32 | 000,000,002 | ---- | C] () -- C:\WINDOWS\PhotoSuite.ini
[2005/04/19 17:14:28 | 001,052,672 | ---- | C] () -- C:\WINDOWS\System32\MGIIpl2P5.dll
[2005/04/19 17:14:27 | 001,261,568 | ---- | C] () -- C:\WINDOWS\System32\MGIIpl2M6.dll
[2005/04/19 17:14:26 | 001,228,800 | ---- | C] () -- C:\WINDOWS\System32\MGIIpl2M5.dll
[2005/04/19 17:14:25 | 001,294,336 | ---- | C] () -- C:\WINDOWS\System32\MGIIpl2A6.dll
[2005/04/19 17:14:25 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\MGIIpl2.dll
[2005/04/19 17:14:24 | 001,105,920 | ---- | C] () -- C:\WINDOWS\System32\MGIIpl2P6.dll
[2005/04/19 17:14:24 | 001,093,632 | ---- | C] () -- C:\WINDOWS\System32\MGIIpl2PX.dll
[2005/04/19 17:14:21 | 000,332,800 | ---- | C] () -- C:\WINDOWS\System32\FPXLIB.DLL
[2005/04/19 17:14:21 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\JPEGLIB.DLL
[2005/04/19 17:14:20 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\EnrouteStitch.dll
[2005/04/19 17:14:20 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\CPUINF32.DLL
[2005/03/28 17:13:06 | 000,000,036 | ---- | C] () -- C:\WINDOWS\cosdtp.ini
[2005/03/21 21:31:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS\hpqEmlSz.INI
[2005/02/19 17:58:47 | 000,030,208 | ---- | C] () -- C:\WINDOWS\System32\WNASPI32.DLL
[2005/02/19 17:58:47 | 000,000,291 | ---- | C] () -- C:\WINDOWS\msfsetup.ini
[2005/02/19 15:42:08 | 000,001,102 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
[2005/02/19 15:23:14 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2005/02/19 15:20:37 | 000,002,230 | ---- | C] () -- C:\WINDOWS\BJWIN.INI
[2005/02/19 15:19:23 | 000,000,027 | ---- | C] () -- C:\WINDOWS\VPWIN.INI
[2005/02/19 15:12:21 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/02/19 14:14:25 | 000,095,232 | ---- | C] () -- C:\WINDOWS\System32\LFKODAK.DLL
[2005/02/19 14:14:24 | 000,306,688 | ---- | C] () -- C:\WINDOWS\System32\LFFPX7.DLL
[2005/02/19 14:14:04 | 000,044,544 | ---- | C] () -- C:\WINDOWS\System32\gif89.dll
[2005/02/19 14:13:38 | 000,000,735 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2005/02/19 13:43:09 | 000,000,158 | ---- | C] () -- C:\WINDOWS\pagesuit.ini
[2005/02/19 13:43:07 | 000,023,040 | ---- | C] () -- C:\WINDOWS\System32\irisco32.dll
[2005/02/19 11:39:12 | 000,000,047 | ---- | C] () -- C:\WINDOWS\splash.ini
[2005/02/19 11:28:34 | 000,000,134 | ---- | C] () -- C:\Documents and Settings\Billy Crum\Local Settings\Application Data\fusioncache.dat
[2005/02/03 19:08:16 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/02/03 19:02:31 | 000,000,498 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/02/03 18:31:20 | 000,000,519 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/08/10 14:13:12 | 000,000,882 | ---- | C] () -- C:\WINDOWS\ORUN32.INI
[2004/08/10 14:03:52 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/04 06:00:00 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\FXSPERF.INI
[2002/05/29 08:50:02 | 000,561,152 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll
[1999/07/23 12:46:48 | 000,000,116 | ---- | C] () -- C:\WINDOWS\AuHCcup1.ini
[1999/07/23 09:53:20 | 000,129,536 | ---- | C] () -- C:\WINDOWS\AuHCcup1.dll
[1999/03/05 03:27:32 | 000,004,715 | ---- | C] () -- C:\WINDOWS\System32\HPFlnk20.ini
[1999/03/05 03:05:28 | 000,194,048 | ---- | C] () -- C:\WINDOWS\System32\HPFcps20.dll
[1999/03/05 03:04:56 | 000,076,800 | ---- | C] () -- C:\WINDOWS\System32\HPF24r20.dll
[1999/03/05 02:42:56 | 000,048,292 | ---- | C] () -- C:\WINDOWS\System32\HPFlpm20.dll
[1999/03/05 02:42:44 | 000,072,368 | ---- | C] () -- C:\WINDOWS\System32\HPFcom20.dll
[1999/03/05 02:41:52 | 000,052,800 | ---- | C] () -- C:\WINDOWS\System32\drivers\HPFecp20.sys
[1999/03/05 02:32:40 | 000,124,928 | ---- | C] () -- C:\WINDOWS\System32\HPFcnt20.dll
[1980/01/01 01:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 146 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A2A20EF9
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FC420CE6
@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:225C4FFC
@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CE5AAA59
@Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:399441CC
@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9E22BBE8
@Alternate Data Stream - 101 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:590B1A90


< End of report >





Edited by SGCrum, 19 November 2010 - 09:23 PM.


#14 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts

Posted 20 November 2010 - 08:19 AM

Hello, SGCrum.
Ok, one more thing.



Step 1

We need to run an OTL script.
  • Please download OTL from one of the following mirrors if you do not still have it.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Paste the following code under the Custom Scans/Fixes box at the bottom. Do not include the word "Code".
    :OTL
    DRV - (wanatw) WAN Miniport (ATW) -- C:\WINDOWS\System32\DRIVERS\wanatw4.sys File not found
    DRV - (SASKUTIL) -- C:\DOCUME~1\BILLYC~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS File not found
    DRV - (SASDIFSV) -- C:\DOCUME~1\BILLYC~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS File not found
    DRV - (catchme) -- C:\etavaresCF\catchme.sys File not found
    SRV - (stllssvr) -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe File not found
    O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab (Reg Error: Key error.)
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,96/mcinsctl.cab (Reg Error: Key error.)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
    @Alternate Data Stream - 146 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A2A20EF9
    @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FC420CE6
    @Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:225C4FFC
    @Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CE5AAA59
    @Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:399441CC
    @Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9E22BBE8
    @Alternate Data Stream - 101 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:590B1A90
    
  • Click the Run Fix button at the top.
  • Let the program run unhindered and reboot when it is done.
  • You will get a log when it is done, please post that in your reply.
  • Please then create a new OTL report....
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • A report will open, copy and paste it in a reply here.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators

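As an added illustration of how a fix like the one above is put together (example code, not from the thread, from etavares, or from OTL itself), the helper below applies the same three triage rules visible in that script to OTL log lines: DRV/SRV entries whose binary is "File not found", O16 DPF entries carrying a "Reg Error", and alternate data streams attached to the shared TEMP folder. The sample log lines are constructed from the logs posted in this thread, and every function and class name is this example's own.

```python
"""Triage helper for OTL (OldTimer's List-It) logs.

Added example, not part of this thread or of OTL. It flags the three kinds of
entries the fix above removed and assembles them into the ':OTL' block that
OTL expects in its Custom Scans/Fixes box. Function names are hypothetical.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample built from lines posted in this thread, plus three
# healthy entries (LogMeIn service, Flash control, an O4 Run key) that must
# not be flagged.
SAMPLE_LOG = """\
DRV - (wanatw) WAN Miniport (ATW) -- C:\\WINDOWS\\System32\\DRIVERS\\wanatw4.sys File not found
SRV - (stllssvr) -- C:\\Program Files\\Common Files\\SureThing Shared\\stllssvr.exe File not found
SRV - (LogMeIn) -- C:\\Program Files\\LogMeIn\\x86\\LogMeIn.exe (LogMeIn, Inc.)
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
@Alternate Data Stream - 146 bytes -> C:\\Documents and Settings\\All Users\\Application Data\\TEMP:A2A20EF9
O4 - HKLM..\\Run: [Exetender] C:\\Program Files\\Free Ride Games\\GPlayer.exe (Exent Technologies Ltd.)
"""


@dataclass(frozen=True)
class Finding:
    line: str        # the OTL log line verbatim; this is what goes into the fix
    identifier: str  # service name, CLSID or stream name, for the summary
    reason: str      # why the line was flagged


# "DRV - (name) ..." / "SRV - (name) ...": the service or driver key name.
_SVC_NAME = re.compile(r"^(?:DRV|SRV) - \((?P<name>[^)]+)\)")
# A registry-style GUID such as {33564D57-9980-0010-8000-00AA00389B71}.
_CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# "...\TEMP:XXXXXXXX" at end of line: a named stream on the TEMP folder.
_ADS = re.compile(r"\\(?P<stream>TEMP:[0-9A-F]{8})$")


def classify(line: str) -> Optional[Finding]:
    """Return a Finding when the line matches one of the three rules,
    otherwise None. Healthy entries fall through every branch."""
    line = line.rstrip()
    m = _SVC_NAME.match(line)
    if m and line.endswith("File not found"):
        return Finding(line, m["name"],
                       "service/driver registration points at a missing binary")
    if line.startswith("O16 - DPF:") and "(Reg Error:" in line:
        c = _CLSID.search(line)
        return Finding(line, c.group(0) if c else "?",
                       "downloaded ActiveX control with a broken registry entry")
    if line.startswith("@Alternate Data Stream"):
        a = _ADS.search(line)
        if a:
            return Finding(line, a["stream"],
                           "alternate data stream hidden on the shared TEMP folder")
    return None


def triage(log_text: str) -> List[Finding]:
    """Run classify() over every line of an OTL log, in log order."""
    return [f for f in (classify(raw) for raw in log_text.splitlines()) if f]


def build_fix_script(findings: List[Finding]) -> str:
    """Assemble the Custom Scans/Fixes text: the ':OTL' header followed by
    the flagged log lines copied verbatim, which is the form OTL consumes."""
    return "\n".join([":OTL", *(f.line for f in findings)]) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.identifier:42} {f.reason}")
    print()
    print(build_fix_script(found))
```

Lines that pass all three rules (the LogMeIn service, the Flash control, the O4 Run entry) are left out of the generated block, which is why the helper is useful as a first pass only: the human reviewer still decides what is unwanted.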

#15 SGCrum

SGCrum
  • Topic Starter

  • Members
  • 10 posts

Posted 20 November 2010 - 05:33 PM

Okay...here is the log from the fix run...
========== OTL ==========
Error: No service named wanatw) WAN Miniport (ATW was found to stop!
Service\Driver key wanatw) WAN Miniport (ATW not found.
File C:\WINDOWS\System32\DRIVERS\wanatw4.sys File not found not found.
Service SASKUTIL stopped successfully!
Service SASKUTIL deleted successfully!
File C:\DOCUME~1\BILLYC~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS File not found not found.
Service SASDIFSV stopped successfully!
Service SASDIFSV deleted successfully!
File C:\DOCUME~1\BILLYC~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS File not found not found.
Service catchme stopped successfully!
Service catchme deleted successfully!
File C:\etavaresCF\catchme.sys File not found not found.
Service stllssvr stopped successfully!
Service stllssvr deleted successfully!
File C:\Program Files\Common Files\SureThing Shared\stllssvr.exe File not found not found.
Starting removal of ActiveX control {33564D57-9980-0010-8000-00AA00389B71}
C:\WINDOWS\Downloaded Program Files\wmv9dmo.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{33564D57-9980-0010-8000-00AA00389B71}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{33564D57-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{33564D57-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{33564D57-9980-0010-8000-00AA00389B71}\ not found.
Starting removal of ActiveX control {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
C:\WINDOWS\Downloaded Program Files\mcinsctl.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}\ not found.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:A2A20EF9 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:FC420CE6 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:225C4FFC deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:CE5AAA59 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:399441CC deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:9E22BBE8 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:590B1A90 deleted successfully.

OTL by OldTimer - Version 3.2.17.3 log created on 11202010_162936


And here is the log from the scan...
OTL logfile created on: 11/20/2010 4:55:01 PM - Run 4
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Billy Crum\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 61.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.59 Gb Total Space | 27.07 Gb Free Space | 37.81% Space Free | Partition Type: NTFS
Drive D: | 493.42 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: D1NTVR61 | User Name: Billy Crum | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Billy Crum\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\LogMeIn\x86\ramaint.exe (LogMeIn, Inc.)
PRC - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe (LogMeIn, Inc.)
PRC - C:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
PRC - C:\Program Files\LogMeIn\x86\LogMeIn.exe (LogMeIn, Inc.)
PRC - c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\Creative Home\Hallmark Card Studio 2010\Planner\PLNRnote.exe (Creative Home)
PRC - C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
PRC - C:\Program Files\Dell Support Center\bin\sprtsvc.exe (SupportSoft, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\DellSupport\DSAgnt.exe (Gteko Ltd.)
PRC - C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe (Adobe Systems Incorporated)
PRC - C:\Program Files\Hallmark\Hallmark Card Studio 2007 Deluxe\Planner\PLNRnote.exe (TODO: <Company name>)
PRC - C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe (Linksys, a Division of Cisco Systems, Inc.)
PRC - C:\WINDOWS\SYSTEM32\lxbucoms.exe (Lexmark International, Inc.)
PRC - C:\Program Files\Lexmark 6200 Series\lxbumon.exE (Lexmark International, Inc.)
PRC - C:\Program Files\Lexmark 6200 Series\ezprint.exe ()
PRC - C:\Program Files\FinePixViewer\QuickDCF.exe (FUJI PHOTO FILM CO., LTD.)
PRC - C:\Sierra\CardStudio\PLNRnote.exe (Sierra Online, Inc.)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Billy Crum\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (AppMgmt) -- C:\WINDOWS\System32\appmgmts.dll File not found
SRV - (LMIMaint) -- C:\Program Files\LogMeIn\x86\RaMaint.exe (LogMeIn, Inc.)
SRV - (LMIGuardianSvc) -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe (LogMeIn, Inc.)
SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (LogMeIn) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe (LogMeIn, Inc.)
SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)
SRV - (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe (SupportSoft, Inc.)
SRV - (DSBrokerService) -- C:\Program Files\DellSupport\brkrsvc.exe ()
SRV - (MSCSPTISRV) -- C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe (Sony Corporation)
SRV - (SPTISRV) -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe (Sony Corporation)
SRV - (PACSPTISVR) -- C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe ()
SRV - (lxbu_device) -- C:\WINDOWS\System32\lxbucoms.exe (Lexmark International, Inc.)
SRV - (Pml Driver HPZ12) -- C:\WINDOWS\SYSTEM32\HPZipm12.exe (HP)


========== Driver Services (SafeList) ==========

DRV - (wanatw) WAN Miniport (ATW) -- C:\WINDOWS\System32\DRIVERS\wanatw4.sys File not found
DRV - (asc) -- C:\WINDOWS\SYSTEM32\DRIVERS\ASC.SYS (Advanced System Products, Inc.)
DRV - (LMIRfsClientNP) -- C:\WINDOWS\System32\LMIRfsClientNP.dll (LogMeIn, Inc.)
DRV - (LMIInfo) -- C:\Program Files\LogMeIn\x86\rainfo.sys (LogMeIn, Inc.)
DRV - (LMIRfsDriver) -- C:\WINDOWS\SYSTEM32\DRIVERS\LMIRfsDriver.sys (LogMeIn, Inc.)
DRV - (amdagp) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)
DRV - (sisagp) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)
DRV - (X4HSX32Ex) -- C:\Program Files\Free Ride Games\X4HSX32Ex.sys (Exent Technologies Ltd.)
DRV - (dsunidrv) -- C:\WINDOWS\SYSTEM32\DRIVERS\dsunidrv.sys (Gteko Ltd.)
DRV - (GoProto) -- C:\WINDOWS\SYSTEM32\DRIVERS\goprot51.sys (Gteko Ltd.)
DRV - (DSproct) -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys (Gteko Ltd.)
DRV - (pfc) -- C:\WINDOWS\SYSTEM32\DRIVERS\pfc.sys (Padus, Inc.)
DRV - (ultra) -- C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Technology, Inc.)
DRV - (symc8xx) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys (LSI Logic)
DRV - (sym_u3) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys (LSI Logic)
DRV - (sym_hi) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys (LSI Logic)
DRV - (symc810) -- C:\WINDOWS\SYSTEM32\DRIVERS\symc810.sys (Symbios Logic Inc.)
DRV - (Sparrow) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys (Adaptec, Inc.)
DRV - (ql1280) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys (QLogic Corporation)
DRV - (ql12160) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys (QLogic Corporation)
DRV - (ql1080) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys (QLogic Corporation)
DRV - (mraid35x) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys (American Megatrends Inc.)
DRV - (dac2w2k) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys (Mylex Corporation)
DRV - (CmdIde) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)
DRV - (asc3550) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys (Advanced System Products, Inc.)
DRV - (AliIde) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (nv) -- C:\WINDOWS\SYSTEM32\DRIVERS\NV4_MINI.SYS (NVIDIA Corporation)
DRV - (IntelC53) -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC53.sys (Intel Corporation)
DRV - (IntelC52) -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC52.sys (Intel Corporation)
DRV - (IntelC51) -- C:\WINDOWS\SYSTEM32\DRIVERS\IntelC51.sys (Intel Corporation)
DRV - (mohfilt) -- C:\WINDOWS\SYSTEM32\DRIVERS\mohfilt.sys (Intel Corporation)
DRV - (omci) -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys (Dell Computer Corporation)
DRV - (MASPINT) -- C:\WINDOWS\System32\drivers\MASPINT.SYS (MicroStaff Co.,Ltd.)
DRV - (HPFECP20) -- C:\WINDOWS\System32\drivers\HPFECP20.SYS ()


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



IE - HKU\S-1-5-21-1893157748-162867314-4250899267-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-1893157748-162867314-4250899267-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S-1-5-21-1893157748-162867314-4250899267-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-1893157748-162867314-4250899267-1006\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.msn.com/sphome.aspx
IE - HKU\S-1-5-21-1893157748-162867314-4250899267-1006\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-1893157748-162867314-4250899267-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1893157748-162867314-4250899267-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/10/31 22:48:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/11/07 17:39:59 | 000,000,000 | ---D | M]

[2010/10/31 22:48:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Billy Crum\Application Data\Mozilla\Extensions
[2010/11/02 18:55:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Billy Crum\Application Data\Mozilla\Firefox\Profiles\17l56r7l.default\extensions
[2010/11/02 18:55:25 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Billy Crum\Application Data\Mozilla\Firefox\Profiles\17l56r7l.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/11/18 19:11:17 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/09/15 04:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/11/17 22:00:53 | 000,000,027 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll (Google Inc.)
O2 - BHO: (MSN Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (MSN Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-1893157748-162867314-4250899267-1006\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-1893157748-162867314-4250899267-1006\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
O4 - HKLM..\Run: [EzPrint] C:\Program Files\Lexmark 6200 Series\ezprint.exe ()
O4 - HKLM..\Run: [FaxCenterServer] C:\Program Files\Lexmark Fax Solutions\fm3032.exe ()
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [LXBUCATS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBUtime.DLL ()
O4 - HKLM..\Run: [lxbumon.exe] C:\Program Files\Lexmark 6200 Series\lxbumon.exe (Lexmark International, Inc.)
O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE (FUJI PHOTO FILM CO., LTD.)
O4 - HKLM..\Run: [ReminderApp] C:\Program Files\Nova Development\Greeting Card Factory Deluxe 7.0\ReminderApp.exe ()
O4 - HKLM..\Run: [UpdateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions)
O4 - HKU\.DEFAULT..\Run: [Exetender] C:\Program Files\Free Ride Games\GPlayer.exe (Exent Technologies Ltd.)
O4 - HKU\S-1-5-18..\Run: [Exetender] C:\Program Files\Free Ride Games\GPlayer.exe (Exent Technologies Ltd.)
O4 - HKU\S-1-5-21-1893157748-162867314-4250899267-1006..\Run: [DellSupport] C:\Program Files\DellSupport\DSAgnt.exe (Gteko Ltd.)
O4 - HKU\S-1-5-21-1893157748-162867314-4250899267-1006..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKU\S-1-5-21-1893157748-162867314-4250899267-1006..\Run: [EasyLinkAdvisor] C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe (Linksys, a Division of Cisco Systems, Inc.)
O4 - HKU\S-1-5-21-1893157748-162867314-4250899267-1006..\Run: [Exetender] C:\Program Files\Free Ride Games\GPlayer.exe (Exent Technologies Ltd.)
O4 - HKU\S-1-5-21-1893157748-162867314-4250899267-1006..\Run: [Microsoft Works Update Detection] File not found
O4 - HKU\S-1-5-21-1893157748-162867314-4250899267-1006..\Run: [SmileboxTray] C:\Documents and Settings\Billy Crum\Application Data\Smilebox\SmileboxTray.exe (Smilebox, Inc.)
O4 - HKU\S-1-5-21-1893157748-162867314-4250899267-1006..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Planner Reminder 2010.lnk = C:\WINDOWS\Installer\{601BE80D-247B-4084-94C7-7A54369DB7A2}\Shortcut_EventPlan_E2FBA8F7F7FD4C5EAA7D652BB0CAAA9D.exe (Acresso Software Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Planner Reminder.lnk = C:\WINDOWS\Installer\{5D0DF1BB-D82E-4FB2-B98E-4FDE42EF7EBB}\Shortcut_EventPlan_5D0DF1BBD82E4FB2B98E4FDE42EF7EBB.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Planner Reminders Tray Icon.lnk = C:\Sierra\CardStudio\PLNRnote.exe (Sierra Online, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk = C:\Program Files\PrintMaster 16\pmremind.exe (Broderbund Properties LLC)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe (FUJI PHOTO FILM CO., LTD.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGremind.exe (Broderbund Properties LLC)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1893157748-162867314-4250899267-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1893157748-162867314-4250899267-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1893157748-162867314-4250899267-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1893157748-162867314-4250899267-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll (Google Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://photos.walmart.com/WalmartActivia.cab (Snapfish Activia)
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} http://picasaweb.google.com/s/v/33.06/uploader2.cab (UploadListView Class)
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} https://virtualoffice.allkindsofminds.org/msrdp.cab (Microsoft RDP Client Control (redist))
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.73.246 68.87.71.230
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Billy Crum\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Billy Crum\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 14:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/02/06 10:04:14 | 000,576,512 | R--- | M] () - D:\autoplay.exe -- [ CDFS ]
O32 - AutoRun File - [2000/06/06 09:07:06 | 000,000,051 | R--- | M] () - D:\autorun.inf -- [ CDFS ]
O32 - AutoRun File - [2000/12/21 07:13:48 | 000,000,051 | R--- | M] () - D:\autorun.inf.bak -- [ CDFS ]
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/11/18 21:37:09 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/11/18 21:17:47 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/11/18 21:17:45 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/11/18 20:39:27 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/11/18 20:38:07 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Billy Crum\Desktop\OTL.exe
[2010/11/18 20:37:45 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/11/16 16:52:51 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/11/13 19:57:19 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/11/13 19:54:57 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/11/13 19:54:57 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/11/13 19:54:57 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/11/13 19:54:57 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/11/13 19:54:51 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/11/10 14:57:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Billy Crum\Desktop\gmer
[2010/11/08 15:05:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2010/11/07 17:26:40 | 000,026,496 | ---- | C] (Advanced System Products, Inc.) -- C:\WINDOWS\System32\drivers\ASC.SYS
[2010/11/07 13:45:51 | 000,222,080 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010/11/07 00:32:26 | 000,018,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\simptcp.dll
[2010/11/07 00:32:26 | 000,018,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\simptcp.dll
[2010/11/06 23:54:27 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Essentials
[2010/11/06 22:42:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SecTaskMan
[2010/11/03 19:21:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\IObit
[2010/11/03 19:21:24 | 000,000,000 | ---D | C] -- C:\Program Files\IObit
[2010/11/03 17:01:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Billy Crum\Application Data\SUPERAntiSpyware.com
[2010/11/03 17:01:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/11/02 16:51:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Billy Crum\Desktop\backup
[2010/11/02 16:41:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Billy Crum\Local Settings\Application Data\Safe mirror
[2010/11/02 16:41:12 | 000,000,000 | ---D | C] -- C:\Program Files\Cobian Backup 10
[2010/11/01 16:44:21 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/10/31 22:50:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Billy Crum\My Documents\Downloads
[2010/10/31 22:48:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Billy Crum\Local Settings\Application Data\Mozilla
[2010/10/31 22:48:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Billy Crum\Application Data\Mozilla
[2010/10/31 22:48:23 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010/10/31 13:34:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2010/10/31 11:28:22 | 006,153,376 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Billy Crum\Desktop\mbam-setup-1.46.exe
[2010/10/25 11:11:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Billy Crum\Application Data\Tific
[2010/10/25 10:49:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\Norton

========== Files - Modified Within 30 Days ==========

[2252/01/25 13:28:41 | 000,003,120 | ---- | M] () -- C:\WINDOWS\MF_C420.lfa
[2010/11/20 16:53:00 | 000,000,434 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{CC997D9F-F93A-4071-BA01-69B90B8EC344}.job
[2010/11/20 16:38:40 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/11/20 16:34:03 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/11/20 16:33:47 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2010/11/20 16:33:23 | 000,002,507 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Planner Reminder.lnk
[2010/11/20 16:33:22 | 000,002,499 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Planner Reminder 2010.lnk
[2010/11/20 16:33:16 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/11/20 16:33:12 | 000,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2010/11/18 21:17:50 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/11/18 21:16:04 | 006,153,376 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Billy Crum\Desktop\mbam-setup-1.46.exe
[2010/11/18 20:38:17 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Billy Crum\Desktop\OTL.exe
[2010/11/17 22:00:53 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts
[2010/11/16 22:19:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/11/16 16:48:08 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/11/13 19:57:24 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2010/11/13 19:52:20 | 003,909,080 | R--- | M] () -- C:\Documents and Settings\Billy Crum\Desktop\etavaresCF.exe
[2010/11/10 18:40:04 | 000,004,997 | ---- | M] () -- C:\Documents and Settings\Billy Crum\Desktop\Attach.zip
[2010/11/10 14:57:02 | 000,288,107 | ---- | M] () -- C:\Documents and Settings\Billy Crum\Desktop\gmer.zip
[2010/11/10 14:56:18 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Billy Crum\defogger_reenable
[2010/11/10 14:55:42 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Billy Crum\Desktop\Defogger.exe
[2010/11/08 21:52:58 | 000,001,479 | ---- | M] () -- C:\Documents and Settings\Billy Crum\Desktop\Solitaire.lnk
[2010/11/08 01:20:24 | 000,089,088 | ---- | M] () -- C:\WINDOWS\MBR.exe
[2010/11/07 17:26:40 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\System32\drivers\ASC.SYS
[2010/11/07 13:44:55 | 000,443,900 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT
[2010/11/07 13:44:55 | 000,072,572 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT
[2010/11/07 13:25:39 | 000,004,566 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/11/06 23:54:29 | 000,000,820 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2010/11/06 23:31:56 | 000,002,187 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Safari.lnk
[2010/11/03 19:21:32 | 000,000,157 | ---- | M] () -- C:\Documents and Settings\Billy Crum\Desktop\IObit Freeware.url
[2010/11/01 11:41:09 | 000,000,882 | ---- | M] () -- C:\WINDOWS\ORUN32.INI
[2010/10/31 22:48:28 | 000,001,620 | ---- | M] () -- C:\Documents and Settings\Billy Crum\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/10/31 22:48:28 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/10/31 22:26:48 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/10/30 18:13:23 | 000,041,984 | ---- | M] () -- C:\Documents and Settings\Billy Crum\My Documents\traceroute_malwarebytes_cdn.exe
[2010/10/28 10:28:47 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Billy Crum\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2010/10/26 14:43:10 | 000,000,825 | ---- | M] () -- C:\Documents and Settings\Billy Crum\Desktop\Norton Installation Files.lnk

========== Files Created - No Company Name ==========

[2252/01/25 13:28:41 | 000,003,120 | ---- | C] () -- C:\WINDOWS\MF_C420.lfa
[2010/11/18 21:17:50 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/11/16 16:48:08 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/11/13 19:57:24 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/11/13 19:57:21 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2010/11/13 19:54:57 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/11/13 19:54:57 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/11/13 19:54:57 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/11/13 19:54:57 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/11/13 19:54:57 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/11/13 19:52:05 | 003,909,080 | R--- | C] () -- C:\Documents and Settings\Billy Crum\Desktop\etavaresCF.exe
[2010/11/10 18:40:04 | 000,004,997 | ---- | C] () -- C:\Documents and Settings\Billy Crum\Desktop\Attach.zip
[2010/11/10 14:56:58 | 000,288,107 | ---- | C] () -- C:\Documents and Settings\Billy Crum\Desktop\gmer.zip
[2010/11/10 14:56:18 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Billy Crum\defogger_reenable
[2010/11/10 14:55:42 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Billy Crum\Desktop\Defogger.exe
[2010/11/07 13:15:04 | 000,049,275 | ---- | C] () -- C:\WINDOWS\System32\wfospf.mib
[2010/11/07 13:15:04 | 000,038,608 | ---- | C] () -- C:\WINDOWS\System32\nipx.mib
[2010/11/07 13:15:04 | 000,034,317 | ---- | C] () -- C:\WINDOWS\System32\msiprip2.mib
[2010/11/07 13:15:04 | 000,026,236 | ---- | C] () -- C:\WINDOWS\System32\wins.mib
[2010/11/07 13:15:04 | 000,013,767 | ---- | C] () -- C:\WINDOWS\System32\msipbtp.mib
[2010/11/07 13:15:04 | 000,004,332 | ---- | C] () -- C:\WINDOWS\System32\smi.mib
[2010/11/07 13:15:04 | 000,000,581 | ---- | C] () -- C:\WINDOWS\System32\msft.mib
[2010/11/07 13:15:03 | 000,107,882 | ---- | C] () -- C:\WINDOWS\System32\mib_ii.mib
[2010/11/07 13:15:03 | 000,048,593 | ---- | C] () -- C:\WINDOWS\System32\hostmib.mib
[2010/11/07 13:15:03 | 000,030,448 | ---- | C] () -- C:\WINDOWS\System32\mcastmib.mib
[2010/11/07 13:15:03 | 000,026,100 | ---- | C] () -- C:\WINDOWS\System32\lmmib2.mib
[2010/11/07 13:15:03 | 000,021,386 | ---- | C] () -- C:\WINDOWS\System32\mipx.mib
[2010/11/07 13:15:03 | 000,016,617 | ---- | C] () -- C:\WINDOWS\System32\authserv.mib
[2010/11/07 13:15:03 | 000,015,799 | ---- | C] () -- C:\WINDOWS\System32\ipforwd.mib
[2010/11/07 13:15:03 | 000,010,313 | ---- | C] () -- C:\WINDOWS\System32\mripsap.mib
[2010/11/07 13:15:03 | 000,004,597 | ---- | C] () -- C:\WINDOWS\System32\dhcp.mib
[2010/11/07 13:15:02 | 000,015,597 | ---- | C] () -- C:\WINDOWS\System32\accserv.mib
[2010/11/06 23:59:43 | 000,000,408 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/11/06 23:54:29 | 000,000,820 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2010/11/03 19:21:32 | 000,000,157 | ---- | C] () -- C:\Documents and Settings\Billy Crum\Desktop\IObit Freeware.url
[2010/10/31 22:48:28 | 000,001,620 | ---- | C] () -- C:\Documents and Settings\Billy Crum\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2010/10/31 22:48:28 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/10/31 22:26:48 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/10/30 18:13:18 | 000,041,984 | ---- | C] () -- C:\Documents and Settings\Billy Crum\My Documents\traceroute_malwarebytes_cdn.exe
[2010/10/30 09:51:39 | 002,438,765 | ---- | C] () -- C:\Documents and Settings\Billy Crum\My Documents\DSC_0905.JPG
[2010/10/25 10:49:42 | 000,000,825 | ---- | C] () -- C:\Documents and Settings\Billy Crum\Desktop\Norton Installation Files.lnk
[2010/09/29 17:10:32 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Billy Crum\Local Settings\Application Data\housecall.guid.cache
[2010/06/16 04:33:09 | 000,674,536 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/06/13 14:54:48 | 000,000,011 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\DragToDiscUserNameE.txt
[2009/02/11 03:05:12 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2008/09/08 13:52:14 | 000,000,161 | ---- | C] () -- C:\WINDOWS\System32\vclwiz8.dll
[2007/07/23 14:07:55 | 000,000,004 | -H-- | C] () -- C:\WINDOWS\uccspecb.sys
[2007/01/17 12:57:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/07/07 17:11:34 | 000,011,776 | ---- | C] () -- C:\Documents and Settings\Billy Crum\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005/07/07 16:09:18 | 000,000,170 | ---- | C] () -- C:\WINDOWS\GetServer.ini
[2005/07/01 15:41:31 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\LXPRMON.DLL
[2005/07/01 15:41:31 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\LXPMONUI.DLL
[2005/07/01 15:34:21 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxbuvs.dll
[2005/06/30 19:06:39 | 000,000,411 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2005/04/20 15:23:36 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PhotoPro.INI
[2005/04/19 17:14:32 | 000,000,002 | ---- | C] () -- C:\WINDOWS\PhotoSuite.ini
[2005/04/19 17:14:28 | 001,052,672 | ---- | C] () -- C:\WINDOWS\System32\MGIIpl2P5.dll
[2005/04/19 17:14:27 | 001,261,568 | ---- | C] () -- C:\WINDOWS\System32\MGIIpl2M6.dll
[2005/04/19 17:14:26 | 001,228,800 | ---- | C] () -- C:\WINDOWS\System32\MGIIpl2M5.dll
[2005/04/19 17:14:25 | 001,294,336 | ---- | C] () -- C:\WINDOWS\System32\MGIIpl2A6.dll
[2005/04/19 17:14:25 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\MGIIpl2.dll
[2005/04/19 17:14:24 | 001,105,920 | ---- | C] () -- C:\WINDOWS\System32\MGIIpl2P6.dll
[2005/04/19 17:14:24 | 001,093,632 | ---- | C] () -- C:\WINDOWS\System32\MGIIpl2PX.dll
[2005/04/19 17:14:21 | 000,332,800 | ---- | C] () -- C:\WINDOWS\System32\FPXLIB.DLL
[2005/04/19 17:14:21 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\JPEGLIB.DLL
[2005/04/19 17:14:20 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\EnrouteStitch.dll
[2005/04/19 17:14:20 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\CPUINF32.DLL
[2005/03/28 17:13:06 | 000,000,036 | ---- | C] () -- C:\WINDOWS\cosdtp.ini
[2005/03/21 21:31:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS\hpqEmlSz.INI
[2005/02/19 17:58:47 | 000,030,208 | ---- | C] () -- C:\WINDOWS\System32\WNASPI32.DLL
[2005/02/19 17:58:47 | 000,000,291 | ---- | C] () -- C:\WINDOWS\msfsetup.ini
[2005/02/19 15:42:08 | 000,001,102 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
[2005/02/19 15:23:14 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2005/02/19 15:20:37 | 000,002,230 | ---- | C] () -- C:\WINDOWS\BJWIN.INI
[2005/02/19 15:19:23 | 000,000,027 | ---- | C] () -- C:\WINDOWS\VPWIN.INI
[2005/02/19 15:12:21 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/02/19 14:14:25 | 000,095,232 | ---- | C] () -- C:\WINDOWS\System32\LFKODAK.DLL
[2005/02/19 14:14:24 | 000,306,688 | ---- | C] () -- C:\WINDOWS\System32\LFFPX7.DLL
[2005/02/19 14:14:04 | 000,044,544 | ---- | C] () -- C:\WINDOWS\System32\gif89.dll
[2005/02/19 14:13:38 | 000,000,735 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2005/02/19 13:43:09 | 000,000,158 | ---- | C] () -- C:\WINDOWS\pagesuit.ini
[2005/02/19 13:43:07 | 000,023,040 | ---- | C] () -- C:\WINDOWS\System32\irisco32.dll
[2005/02/19 11:39:12 | 000,000,047 | ---- | C] () -- C:\WINDOWS\splash.ini
[2005/02/19 11:28:34 | 000,000,134 | ---- | C] () -- C:\Documents and Settings\Billy Crum\Local Settings\Application Data\fusioncache.dat
[2005/02/03 19:08:16 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/02/03 19:02:31 | 000,000,498 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/02/03 18:31:20 | 000,000,519 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/08/10 14:13:12 | 000,000,882 | ---- | C] () -- C:\WINDOWS\ORUN32.INI
[2004/08/10 14:03:52 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/04 06:00:00 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\FXSPERF.INI
[2002/05/29 08:50:02 | 000,561,152 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll
[1999/07/23 12:46:48 | 000,000,116 | ---- | C] () -- C:\WINDOWS\AuHCcup1.ini
[1999/07/23 09:53:20 | 000,129,536 | ---- | C] () -- C:\WINDOWS\AuHCcup1.dll
[1999/03/05 03:27:32 | 000,004,715 | ---- | C] () -- C:\WINDOWS\System32\HPFlnk20.ini
[1999/03/05 03:05:28 | 000,194,048 | ---- | C] () -- C:\WINDOWS\System32\HPFcps20.dll
[1999/03/05 03:04:56 | 000,076,800 | ---- | C] () -- C:\WINDOWS\System32\HPF24r20.dll
[1999/03/05 02:42:56 | 000,048,292 | ---- | C] () -- C:\WINDOWS\System32\HPFlpm20.dll
[1999/03/05 02:42:44 | 000,072,368 | ---- | C] () -- C:\WINDOWS\System32\HPFcom20.dll
[1999/03/05 02:41:52 | 000,052,800 | ---- | C] () -- C:\WINDOWS\System32\drivers\HPFecp20.sys
[1999/03/05 02:32:40 | 000,124,928 | ---- | C] () -- C:\WINDOWS\System32\HPFcnt20.dll
[1980/01/01 01:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll

< End of report >

Thanks.
