
Infected with Trojan:DOS/Alureon.A


11 replies to this topic

#1 pdenner

pdenner

  • Members
  • 12 posts

Posted 12 December 2010 - 11:53 PM

Hi,

I just got over a virus which totally ruined my computer. It had all the google ads and stuff, so I had a professional come to my house and clean it for me. It worked fine for a while, but now Microsoft Security Essentials found "Trojan:DOS/Alureon.A" and I'm kinda annoyed, because that hoser obviously didn't fix it completely. So, I decided not to ask him again, and go to you guys. MSE says:

"Microsoft Security Essentials encountered the following error: Error code 0x800704ec. Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.

Category: Trojan

Description: This program is dangerous and executes commands from an attacker.

Recommendation: Remove this software immediately.

Microsoft Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the 'Allow' action and click 'Apply actions'. If this option is not available, log on as administrator or ask the local administrator for help.

Items:
file:C:\Qoobox\Quarantine\MBR_HardDisk0.mbr."

I tried using TDSSKiller but that didn't work. I used your preparation guide so now I'm hoping all you bleeping computer gods can help me out!

THANK YOU!

This is the DDS.txt file:


DDS (Ver_10-12-12.02) - NTFSx86
Run by Owner at 20:37:13.01 on Sun 12/12/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.200 [GMT -8:00]

AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Microsoft Security Essentials *Enabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: ZoneAlarm Firewall *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k NetworkService
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\VTTimer.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\DKabcoms.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Cobian Backup 8\Cobian.exe
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://att.net/
uSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uDefault_Search_URL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
mStart Page = hxxp://att.net
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
mSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uInternet Settings,ProxyOverride = 127.0.0.1;localhost;*.local
uSearchAssistant = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uSearchURL,(Default) = hxxp://search.yahoo.com
mSearchURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uURLSearchHooks: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZon1.dll
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZon1.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0315.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0315.0\msneshellx.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZon1.dll
TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {981FE6A8-260C-4930-960F-C3BC82746CB0} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [VTTimer] VTTimer.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HPHUPD05] c:\program files\hp\{45b6180b-dcab-4093-8ee8-6164457517f0}\hphupd05.exe
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
DPF: Microsoft XML Parser for Java
DPF: {0000000A-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxp://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} - hxxp://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/26.33/uploader2.cab
DPF: {4A01A151-E350-4839-A2B8-03DC39D6C8E5} - hxxp://download.yahoo.com/dl/ypc/ypcxwizard2003080601.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37380.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} - hxxp://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab
DPF: {A8683C98-5341-421B-B23C-8514C05354F1} - hxxp://longsdrugs.digitalcameradeveloping.com/upload/FujifilmUploadClient.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://download.yahoo.com/dl/installs/yab_af.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxp://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - hxxp://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} - hxxp://live.futuremark.com/global/msc3121.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553550000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DAF7E6E7-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab
DPF: {EE884C7D-21A0-49EA-B6F2-61ACF4E226F6} - hxxp://workspace.office.live.com/Misc/Microsoft.OfficeLive.Workspace.RichUpload.cab
DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} - hxxp://by129fd.bay129.hotmail.msn.com/activex/HMAtchmt.ocx
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\ma354rrb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com//?oref=login
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\ma354rrb.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\ma354rrb.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
FF - plugin: c:\program files\checkpoint\zaforcefield\trustchecker\bin\npFFApi.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: McAfee Secure URL Shortener: jid0-NIEA2hJPrNIdsVQgBgJeKabi1kY@jetpack - %profile%\extensions\jid0-NIEA2hJPrNIdsVQgBgJeKabi1kY@jetpack
FF - Ext: Dr.Web anti-virus link checker: {6614d11d-d21d-b211-ae23-815234e1ebb5} - %profile%\extensions\{6614d11d-d21d-b211-ae23-815234e1ebb5}
FF - Ext: Easy Youtube Video Downloader: {c0c9a2c7-2e5c-4447-bc53-97718bc91e1b} - %profile%\extensions\{c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-10-22 165584]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 151216]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-10-23 532224]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-10-22 17744]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2010-5-20 54760]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2010-9-2 26872]
R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [2007-11-15 572416]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-11-22 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-11-22 8320]
S3 USB200M;Linksys USB 2.0 Network Adapter ver.2;c:\windows\system32\drivers\USB200M2.sys [2007-9-1 18048]

=============== Created Last 30 ================

2010-12-13 04:23:33 -------- d-----w- c:\program files\Cobian Backup 8
2010-12-13 04:09:44 -------- d-----w- c:\program files\Runtime Software
2010-12-12 19:55:22 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{52fc5864-60d7-4b02-8faf-fb696e835cd1}\mpengine.dll
2010-12-06 23:04:15 98816 ----a-w- c:\windows\sed.exe
2010-12-06 23:04:15 89088 ----a-w- c:\windows\MBR.exe
2010-12-06 23:04:15 256512 ----a-w- c:\windows\PEV.exe
2010-12-06 23:04:15 161792 ----a-w- c:\windows\SWREG.exe

==================== Find3M ====================

2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-18 19:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-15 12:50:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 10:29:49 73728 ----a-w- c:\windows\system32\javacpl.cpl

============= FINISH: 20:43:07.64 ===============
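As an added triage example (not part of this thread and not code from the DDS tool), the script below parses lines in the DDS "Pseudo HJT Report" format shown above, decodes the hex strings DDS prints for binary registry values (the `687474703a...` entries decode to a URL), and lists the orphaned "No File" entries and path-less Run keys a helper usually reviews first. The sample input is constructed from the format above; the function names are the example's own.

```python
"""Triage helper for the DDS "Pseudo HJT Report" section.

Added example for this thread; it is not part of the DDS tool or of any
post above. It reads the section in the format DDS prints, decodes the
hex strings DDS uses for binary registry data, and lists the entries a
helper usually looks at first: BHO/toolbar entries with no backing file
and Run keys that name an executable without a directory (such names are
resolved through the PATH search order, so the file has to be located).
"""
from __future__ import annotations

import binascii
import re

# Constructed sample in the DDS format, using lines of the kind seen in
# the log above (backslashes doubled for Python string escaping).
SAMPLE_DDS = """\
============== Pseudo HJT Report ===============

uStart Page = hxxp://att.net/
uSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
mSearchURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\\program files\\common files\\adobe\\acrobat\\activex\\AcroIEHelperShim.dll
TB: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No File
mRun: [VTTimer] VTTimer.exe
mRun: [KBD] c:\\hp\\kbd\\KBD.EXE
mRun: [ATICCC] "c:\\program files\\ati technologies\\ati.ace\\cli.exe" runtime -Delay

================= FIREFOX ===================
FF - prefs.js: network.proxy.type - 0
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2}){4,}$")   # at least 4 bytes of hex
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
RUN_KINDS = ("uRun", "mRun", "dRun")


def decode_hex_value(value: str) -> str:
    """DDS prints registry data it cannot show as text as a hex string.
    Return the decoded text if it is printable ASCII, re-defanged the way
    DDS defangs URLs (http -> hxxp); otherwise return the value unchanged."""
    if not HEX_RE.match(value):
        return value
    try:
        text = binascii.unhexlify(value).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return value
    if not text.isprintable():
        return value
    return text.replace("http://", "hxxp://").replace("https://", "hxxps://")


def parse_entry(line: str) -> dict:
    """Turn one DDS line into {'kind', 'name', 'clsid', 'raw', 'target'}."""
    if " = " in line:
        key, _, value = line.partition(" = ")
        if ": " not in key:                      # "uStart Page = ..." style
            return {"kind": "setting", "name": key.strip(), "clsid": None,
                    "raw": value, "target": decode_hex_value(value)}
    kind, _, rest = line.partition(": ")         # "BHO: name: {clsid} - file"
    clsid = CLSID_RE.search(rest)
    if kind in RUN_KINDS:                        # "mRun: [Name] command"
        m = re.match(r"\[(.+?)\]\s*(.*)", rest)
        name, target = (m.group(1), m.group(2)) if m else (rest, "")
    elif " - " in rest:
        name, _, target = rest.rpartition(" - ")
    else:
        name, target = rest, ""
    return {"kind": kind, "name": name.strip(),
            "clsid": clsid.group(0) if clsid else None,
            "raw": target, "target": target.strip()}


def parse_hjt_section(log_text: str) -> list[dict]:
    """Return the parsed entries of the Pseudo HJT Report section only."""
    entries, in_section = [], False
    for line in log_text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:                                    # a "==== Name ====" header
            in_section = m.group(1).lower().startswith("pseudo hjt")
            continue
        if in_section and line.strip():
            entries.append(parse_entry(line.rstrip()))
    return entries


def command_executable(command: str) -> str:
    """First token of a Run-key command, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def triage(entries: list[dict]) -> dict[str, list[str]]:
    """Group the entries a helper reviews first; returns names per category."""
    findings = {"orphaned": [], "pathless_run": [], "decoded": []}
    for e in entries:
        if e["target"] == "No File":             # registered, but file gone
            findings["orphaned"].append(f"{e['kind']} {e['clsid'] or e['name']}")
        elif e["kind"] in RUN_KINDS:
            exe = command_executable(e["target"])
            if "\\" not in exe and "/" not in exe:   # bare name, PATH lookup
                findings["pathless_run"].append(f"{e['kind']} [{e['name']}] {exe}")
        elif e["kind"] == "setting" and e["target"] != e["raw"]:
            findings["decoded"].append(f"{e['name']} -> {e['target']}")
    return findings


if __name__ == "__main__":
    for category, items in triage(parse_hjt_section(SAMPLE_DDS)).items():
        print(category)
        for item in items:
            print("   ", item)
```

Point it at a full DDS.txt by reading the file into `parse_hjt_section` instead of `SAMPLE_DDS`; the other DDS sections are skipped.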



#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 22 December 2010 - 04:40 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log



IMPORTANT NOTE:

ComboFix should not be run without the guidance of a helper. It is a powerful tool and is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private or regular use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Regards,
Georgi



#3 pdenner

pdenner
  • Topic Starter

  • Members
  • 12 posts

Posted 27 December 2010 - 03:34 PM

Ok. So here's the DDS.txt file:


DDS (Ver_10-12-12.02) - NTFSx86
Run by Owner at 9:13:10.78 on Mon 12/27/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.382 [GMT -8:00]

AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Microsoft Security Essentials *Enabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: ZoneAlarm Firewall *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\VTTimer.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://att.net/
uSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uDefault_Search_URL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
mStart Page = hxxp://att.net
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
mSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uInternet Settings,ProxyOverride = 127.0.0.1;localhost;*.local
uSearchAssistant = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uSearchURL,(Default) = hxxp://search.yahoo.com
mSearchURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uURLSearchHooks: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZon1.dll
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZon1.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0315.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0315.0\msneshellx.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\tbZon1.dll
TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {981FE6A8-260C-4930-960F-C3BC82746CB0} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [VTTimer] VTTimer.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HPHUPD05] c:\program files\hp\{45b6180b-dcab-4093-8ee8-6164457517f0}\hphupd05.exe
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
DPF: Microsoft XML Parser for Java
DPF: {0000000A-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxp://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} - hxxp://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/26.33/uploader2.cab
DPF: {4A01A151-E350-4839-A2B8-03DC39D6C8E5} - hxxp://download.yahoo.com/dl/ypc/ypcxwizard2003080601.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37380.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} - hxxp://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab
DPF: {A8683C98-5341-421B-B23C-8514C05354F1} - hxxp://longsdrugs.digitalcameradeveloping.com/upload/FujifilmUploadClient.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://download.yahoo.com/dl/installs/yab_af.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxp://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - hxxp://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} - hxxp://live.futuremark.com/global/msc3121.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553550000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DAF7E6E7-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab
DPF: {EE884C7D-21A0-49EA-B6F2-61ACF4E226F6} - hxxp://workspace.office.live.com/Misc/Microsoft.OfficeLive.Workspace.RichUpload.cab
DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} - hxxp://by129fd.bay129.hotmail.msn.com/activex/HMAtchmt.ocx
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\ma354rrb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com//?oref=login
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\ma354rrb.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\ma354rrb.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
FF - plugin: c:\program files\checkpoint\zaforcefield\trustchecker\bin\npFFApi.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: McAfee Secure URL Shortener: jid0-NIEA2hJPrNIdsVQgBgJeKabi1kY@jetpack - %profile%\extensions\jid0-NIEA2hJPrNIdsVQgBgJeKabi1kY@jetpack
FF - Ext: Dr.Web anti-virus link checker: {6614d11d-d21d-b211-ae23-815234e1ebb5} - %profile%\extensions\{6614d11d-d21d-b211-ae23-815234e1ebb5}
FF - Ext: Easy Youtube Video Downloader: {c0c9a2c7-2e5c-4447-bc53-97718bc91e1b} - %profile%\extensions\{c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-10-22 165584]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 151216]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-10-23 532224]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-10-22 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-22 40384]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2010-5-20 54760]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2010-9-2 26872]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2010-9-2 493048]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-2-8 88176]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-22 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-22 40384]
R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [2007-11-15 572416]
S3 dkab_device;dkab_device;c:\windows\system32\dkabcoms.exe -service --> c:\windows\system32\DKabcoms.exe -service [?]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-11-22 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-11-22 8320]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-5-20 14336]
S3 USB200M;Linksys USB 2.0 Network Adapter ver.2;c:\windows\system32\drivers\USB200M2.sys [2007-9-1 18048]

=============== Created Last 30 ================

2010-12-27 16:22:23 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{0d9da026-c03f-46c6-bfdb-456d0135dc93}\mpengine.dll
2010-12-15 22:58:02 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-15 22:56:42 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2010-12-13 04:23:33 -------- d-----w- c:\program files\Cobian Backup 8
2010-12-13 04:09:44 -------- d-----w- c:\program files\Runtime Software
2010-12-06 23:04:15 98816 ----a-w- c:\windows\sed.exe
2010-12-06 23:04:15 89088 ----a-w- c:\windows\MBR.exe
2010-12-06 23:04:15 256512 ----a-w- c:\windows\PEV.exe
2010-12-06 23:04:15 161792 ----a-w- c:\windows\SWREG.exe

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe

============= FINISH: 9:17:10.15 ===============




#4 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,149 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midlands, UK
  • Local time:01:02 PM

Posted 27 December 2010 - 04:11 PM

Hi pdenner,


Step 1

AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Microsoft Security Essentials *Enabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}


It is not recommended that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either avast or Microsoft Security Essentials.

Step 2
  • Download OTL to your desktop.
    right click on the link and select 'Save Link/Target As'.

    if you have problems, try this download link:
    OTL
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check
  • Now copy the lines in bold below.

    netsvcs
    msconfig
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    CREATERESTOREPOINT


  • right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.

  • Click the Run Scan button.

  • Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.


In your next reply, please submit:
Both reports from OTL.


Thanks.

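The /md5start ... /md5stop block in the scan script above asks OTL to hash a list of critical system drivers so that a file which no longer matches its known-good copy stands out. The following is an added example, not OTL's own code or anything from this thread, that shows the same idea in Python: hash a set of driver files, compare against a baseline taken earlier, and classify each file as ok, modified, missing or unknown. The driver names are a hypothetical subset of the list above, the files are constructed in a temporary directory, and MD5 is used only because it mirrors the OTL directive; for a real baseline SHA-256 would be the better choice.

```python
import hashlib
import os
import tempfile

# Hypothetical subset of the driver names from the scan list above, plus one
# (vaxscsi.sys) that the demo deliberately leaves absent so the "missing"
# case is exercised.
DRIVER_NAMES = ["atapi.sys", "iaStor.sys", "nvstor.sys", "AGP440.sys", "vaxscsi.sys"]


def md5_file(path, chunk_size=65536):
    """MD5 of a file, read in chunks so large drivers do not load into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def hash_drivers(driver_dir, names):
    """Map each driver name to its MD5 hex digest, or None if the file is absent."""
    hashes = {}
    for name in names:
        path = os.path.join(driver_dir, name)
        hashes[name] = md5_file(path) if os.path.isfile(path) else None
    return hashes


def compare_to_baseline(current, baseline):
    """Classify each driver: ok / modified / missing / unknown (no baseline entry)."""
    findings = {}
    for name, digest in current.items():
        expected = baseline.get(name)
        if digest is None:
            findings[name] = "missing"
        elif expected is None:
            findings[name] = "unknown"
        elif digest == expected:
            findings[name] = "ok"
        else:
            # A driver that no longer matches its baseline deserves a closer look.
            findings[name] = "modified"
    return findings


def build_demo():
    """Constructed scenario in a temp directory: take a baseline of three
    clean files, then alter one and add one the baseline never saw."""
    driver_dir = tempfile.mkdtemp(prefix="driver-demo-")
    clean = ["atapi.sys", "iaStor.sys", "nvstor.sys"]
    for name in clean:
        with open(os.path.join(driver_dir, name), "wb") as fh:
            fh.write(b"constructed clean driver image: " + name.encode())
    baseline = hash_drivers(driver_dir, clean)

    # Append bytes to one file after the baseline was taken.
    with open(os.path.join(driver_dir, "atapi.sys"), "ab") as fh:
        fh.write(b"tampered")
    # A file present on disk but with no baseline hash to compare against.
    with open(os.path.join(driver_dir, "AGP440.sys"), "wb") as fh:
        fh.write(b"constructed driver image without a baseline entry")

    current = hash_drivers(driver_dir, DRIVER_NAMES)
    return compare_to_baseline(current, baseline)


if __name__ == "__main__":
    for name, verdict in build_demo().items():
        print(f"{name:<12} {verdict}")
```

Run stand-alone it prints one verdict per driver: atapi.sys comes back as modified, AGP440.sys as unknown (present but never baselined), and vaxscsi.sys as missing. The point of keeping "unknown" separate from "modified" is that a file with no reference hash is not evidence of tampering, only a gap in the baseline.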


#5 pdenner

pdenner
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:04:02 AM

Posted 27 December 2010 - 11:38 PM

Ok great. I'll remove one of them. Which one though? Which one is a better antivirus?

Here are the OTL reports:

Extras.txt:

OTL Extras logfile created on: 12/27/2010 7:43:16 PM - Run 1
OTL by OldTimer - Version 3.2.18.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 366.00 Mb Available Physical Memory | 36.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 38.00% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 69.73 Gb Total Space | 12.75 Gb Free Space | 18.28% Space Free | Partition Type: NTFS
Drive D: | 19.10 Gb Total Space | 13.44 Gb Free Space | 70.36% Space Free | Partition Type: FAT32
Drive E: | 4.79 Gb Total Space | 0.67 Gb Free Space | 13.93% Space Free | Partition Type: FAT32

Computer Name: MOM | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [FinePix] -- "C:\Program Files\FinePixViewer\FinePixViewer.exe" "%1" (FUJI PHOTO FILM CO.,LTD.)
Directory [FinePixPrint] -- "C:\Program Files\FinePixViewer\FinePixViewer.exe" /p "%1" (FUJI PHOTO FILM CO.,LTD.)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring" = 1

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\DKabcoms.exe" = C:\WINDOWS\system32\DKabcoms.exe:*:Enabled:Dell Enhanced TCP/IP -- ( )
"C:\WINDOWS\system32\java.exe" = C:\WINDOWS\system32\java.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" = C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe:*:Enabled:Malwarebytes' Anti-Malware -- (Malwarebytes Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Premium
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{01501EBA-EC35-4F9F-8889-3BE346E5DA13}" = MSXML4 Parser
"{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID Sign-in Assistant
"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = Sonic Update Manager
"{0CB9668D-F979-4F31-B8B8-67FE90F929F8}" = Bonjour
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{1BD07DF4-FB06-41BA-B896-B2DA59000C96}" = Windows Live Toolbar
"{1E04F83B-2AB9-4301-9EF7-E86307F79C72}" = Google Earth
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F7CCFA3-D926-4882-B2A5-A0217ED25597}" = PC-Doctor for Windows
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{24ED4D80-8294-11D5-96CD-0040266301AD}" = FinePixViewer Ver.4.2
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java™ 6 Update 22
"{2792F12C-3515-4D69-8083-B557AF35F06F}" = LightScribe 1.4.89.1
"{2B43252C-A1E3-4C47-927C-9F2C276D3515}" = S3GSetup
"{2FCE4FC5-6930-40E7-A4F1-F862207424EF}" = InterVideo WinDVD Creator 2
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java™ SE Runtime Environment 6 Update 1
"{34957B51-9676-41CE-9E52-44AE91B73F1C}" = HP Software Update
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{350FB27C-CF62-4EF3-AF9D-70FF313FE221}" = iTunes
"{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A}" = McAfee SiteAdvisor
"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup
"{45B6180B-DCAB-4093-8EE8-6164457517F0}" = Photosmart 140,240,7200,7600,7700,7900 Series
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{4F50DB8D-3DA5-43CE-ADBB-4B5B862048A4}" = Logitech Harmony Remote
"{5490882C-6961-11D5-BAE5-00E0188E010B}" = FUJIFILM USB Driver
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{578FA426-47C0-4A3F-98A4-01ACD26B7556}" = LEGO Star Wars II
"{606BC780-101C-41DB-808D-4539BFA0774A}" = MobileMe Control Panel
"{60758250-C8CF-47EB-8CB6-E0C3B84D8207}" = PSShortcutsP
"{621C02EA-AAFF-4026-A903-165D59529A16}" = Driver Detective
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8C6CB33A-AA86-446C-8C4D-304A7FA51033}" = Nero 8 Essentials
"{8E5233E1-7495-44FB-8DEB-4BE906D59619}" = Junk Mail filter update
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{9331747C-6728-419B-A664-7ACE9CB0F88A}" = MSN Toolbar
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{98E8A2EF-4EAE-43B8-A172-74842B764777}" = InterVideo WinDVD Player
"{99052DB7-9592-4522-A558-5417BBAD48EE}" = Microsoft ActiveSync
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A580547F-4FB6-433E-A595-21CAA858C556}" = Microsoft Office Live Small Business Image Uploader
"{A8B94669-8654-4126-BD28-D0D2412CDED6}" = TI Connect 1.6
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.1
"{B10914FD-8812-47A4-85A1-50FCDE7F1F33}" = Windows Live Sync
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CCA1EEA3-555E-4D05-AC46-4B49C6C5D887}" = Apple Mobile Device Support
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D642E38E-0D24-486C-9A2D-E316DD696F4B}" = Microsoft XML Parser
"{D680C913-5955-469D-9D88-C1940F7506D6}" = RAW FILE CONVERTER LE
"{D92FF8EB-BD77-40AE-B68B-A6BFC6F8661D}" = Windows Live Family Safety
"{DAEAFD68-BB4A-4507-A241-C8804D2EA66D}" = Apple Application Support
"{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}" = HpSdpAppCoreApp
"{E0A1559B-9886-11D4-8D06-0050DA284A39}" = Scan Manager 5.2
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call
"{E62A1F01-07B7-4541-A835-EE5B0BF064C2}" = Microsoft Antimalware
"{E78DAA24-38F8-4D35-B732-B18ABA0424DF}" = Microsoft Office Live Image Uploader
"{EA9FAF16-0E5C-42C4-9742-9AF8D5F6D69B}" = ATI Catalyst Control Center
"{EB900AF8-CC61-4E15-871B-98D1EA3E8025}" = QuickTime
"{EE39FFBD-544E-49E4-A999-6819828EAE91}" = Windows Live Photo Gallery
"{EF98A02A-1748-4762-9B7D-5ED1600520D5}" = Microsoft Security Essentials
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F419D20A-7719-4639-8E30-C073A040D878}" = HP Deskjet Preloaded Printer Drivers
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"ActiveTouchMeetingClient" = WebEx
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"AdobeESD" = Adobe Download Manager 2.2 (Remove Only)
"Agere Systems Soft Modem" = Agere Systems PCI Soft Modem
"All ATI Software" = ATI - Software Uninstall Utility
"ArcSoft PhotoBase" = ArcSoft PhotoBase
"ArcSoft PhotoStudio 2000" = ArcSoft PhotoStudio 2000
"ATI Display Driver" = ATI Display Driver
"avast5" = avast! Free Antivirus
"BackWeb-137903 Uninstaller" = Updates from HP
"BroadJump Client Foundation" = BroadJump Client Foundation
"Canon ScanGear Toolbox 3.0" = Canon ScanGear Toolbox 3.0
"CANONBJ_Deinstall_CNMCP75.DLL" = Canon iP1600
"CCleaner" = CCleaner
"CobBackup8" = Cobian Backup 8
"Coupon Printer for Windows4.0" = Coupon Printer for Windows
"Coupon Printer for Windows5.0.0.0" = Coupon Printer for Windows
"Defraggler" = Defraggler
"Dell_HostCD" = Dell Software Uninstall
"DriverAgent.exe" = DriverAgent by TouchStone Software
"Easy-PhotoPrint" = Canon Utilities Easy-PhotoPrint
"Easy-WebPrint" = Easy-WebPrint
"HP Instant Support" = HP Instant Support
"HPTOOLKIT" = Toolkit View(HP)
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie8" = Windows Internet Explorer 8
"InstallShield_{4F50DB8D-3DA5-43CE-ADBB-4B5B862048A4}" = Logitech Harmony Remote
"InstallShield_{578FA426-47C0-4A3F-98A4-01ACD26B7556}" = LEGO Star Wars II
"InterActual Player" = InterActual Player
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"McAfee Security Scan" = McAfee Security Scan
"Measurement Services Client" = Futuremark Measurement Services Client
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Essentials" = Microsoft Security Essentials
"Mozilla Firefox (3.6.13)" = Mozilla Firefox (3.6.13)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSN Music Assistant" = MSN Music Assistant
"MSNINST" = MSN
"MSTTS" = Microsoft Text-to-Speech Engine 4.0 (English)
"MuVo Driver" = MuVo Driver
"MWASPI" = MicroStaff WINASPI
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"OmniPagePro9.0DeinstKey" = OmniPage Pro 9.0
"Pocket Voice Recorder_is1" = Pocket Voice Recorder 3.4
"PS2" = PS2
"S3" = VIA/S3G Display Driver
"SAMSUNG Mobile Modem" = SAMSUNG Mobile Modem Driver Set
"VIA/S3G UniChrome Family Win2K/XP Display" = VIA/S3G Display Driver
"ViewpointMediaPlayer" = Viewpoint Media Player
"VN_VUIns_Rhine_VIA" = VIA Rhine-Family Fast-Ethernet Adapter
"VTDisplay" = S3 S3Display
"VTGamma2" = S3 S3Gamma2
"VTInfo2" = S3 S3Info2
"VTOverlay" = S3 S3Overlay
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WIC" = Windows Imaging Component
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"ZoneAlarm" = ZoneAlarm
"ZoneAlarm Toolbar" = ZoneAlarm Toolbar

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Yahoo! BrowserPlus" = Yahoo! BrowserPlus 2.9.2

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/27/2010 12:14:25 PM | Computer Name = MOM | Source = PerfNet | ID = 2004
Description = Unable to open the Server service. Server performance data will not
be returned. Error code returned is in data DWORD 0.

Error - 12/27/2010 12:14:25 PM | Computer Name = MOM | Source = PerfNet | ID = 2002
Description = Unable to open the Redirector service. Redirector performance data will
not be returned. Error code returned is in data DWORD 0.

Error - 12/27/2010 12:14:25 PM | Computer Name = MOM | Source = PerfNet | ID = 2004
Description = Unable to open the Server service. Server performance data will not
be returned. Error code returned is in data DWORD 0.

Error - 12/27/2010 12:14:25 PM | Computer Name = MOM | Source = PerfNet | ID = 2002
Description = Unable to open the Redirector service. Redirector performance data will
not be returned. Error code returned is in data DWORD 0.

Error - 12/27/2010 6:38:48 PM | Computer Name = MOM | Source = PerfNet | ID = 2004
Description = Unable to open the Server service. Server performance data will not
be returned. Error code returned is in data DWORD 0.

Error - 12/27/2010 6:38:48 PM | Computer Name = MOM | Source = PerfNet | ID = 2002
Description = Unable to open the Redirector service. Redirector performance data will
not be returned. Error code returned is in data DWORD 0.

Error - 12/27/2010 6:39:29 PM | Computer Name = MOM | Source = PerfNet | ID = 2004
Description = Unable to open the Server service. Server performance data will not
be returned. Error code returned is in data DWORD 0.

Error - 12/27/2010 6:39:29 PM | Computer Name = MOM | Source = PerfNet | ID = 2002
Description = Unable to open the Redirector service. Redirector performance data will
not be returned. Error code returned is in data DWORD 0.

Error - 12/27/2010 6:39:29 PM | Computer Name = MOM | Source = PerfNet | ID = 2004
Description = Unable to open the Server service. Server performance data will not
be returned. Error code returned is in data DWORD 0.

Error - 12/27/2010 6:39:29 PM | Computer Name = MOM | Source = PerfNet | ID = 2002
Description = Unable to open the Redirector service. Redirector performance data will
not be returned. Error code returned is in data DWORD 0.

[ System Events ]
Error - 12/16/2010 11:20:51 AM | Computer Name = MOM | Source = Service Control Manager | ID = 7023
Description = The IPSEC Services service terminated with the following error: %%1747

Error - 12/17/2010 11:15:14 AM | Computer Name = MOM | Source = Service Control Manager | ID = 7023
Description = The IPSEC Services service terminated with the following error: %%1747

Error - 12/17/2010 10:22:41 PM | Computer Name = MOM | Source = Microsoft Antimalware | ID = 1008
Description = %%861 has encountered an error when taking action on spyware or other
potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:DOS/Alureon.A&threatid=2147636949

User:
NT AUTHORITY\SYSTEM Name: Trojan:DOS/Alureon.A ID: 2147636949 Severity: Severe Category:
Trojan Path: Action: %%808 Error Code: 0x800704ec Error description: Windows cannot
open this program because it has been prevented by a software restriction policy.
For more information, open Event Viewer or contact your system administrator. Status:
To see how to finish removing spyware and other potentially unwanted software,
see this support article on the Microsoft Security website. Signature Version: AV:
1.95.2015.0, AS: 1.95.2015.0 Engine Version: 1.1.6402.0

Error - 12/18/2010 1:18:05 AM | Computer Name = MOM | Source = Service Control Manager | ID = 7023
Description = The IPSEC Services service terminated with the following error: %%1747

Error - 12/18/2010 11:10:17 AM | Computer Name = MOM | Source = Service Control Manager | ID = 7023
Description = The IPSEC Services service terminated with the following error: %%1747

Error - 12/19/2010 2:56:43 AM | Computer Name = MOM | Source = Microsoft Antimalware | ID = 1008
Description = %%861 has encountered an error when taking action on spyware or other
potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:DOS/Alureon.A&threatid=2147636949

User:
NT AUTHORITY\SYSTEM Name: Trojan:DOS/Alureon.A ID: 2147636949 Severity: Severe Category:
Trojan Path: Action: %%808 Error Code: 0x800704ec Error description: Windows cannot
open this program because it has been prevented by a software restriction policy.
For more information, open Event Viewer or contact your system administrator. Status:
To see how to finish removing spyware and other potentially unwanted software,
see this support article on the Microsoft Security website. Signature Version: AV:
1.95.2078.0, AS: 1.95.2078.0 Engine Version: 1.1.6402.0

Error - 12/19/2010 1:04:23 PM | Computer Name = MOM | Source = Service Control Manager | ID = 7023
Description = The IPSEC Services service terminated with the following error: %%1747

Error - 12/20/2010 12:01:53 AM | Computer Name = MOM | Source = DCOM | ID = 10010
Description = The server {FFF2D28F-E4EE-44D9-8104-8E71556757F6} did not register
with DCOM within the required timeout.

Error - 12/27/2010 12:11:33 PM | Computer Name = MOM | Source = Service Control Manager | ID = 7023
Description = The IPSEC Services service terminated with the following error: %%1747

Error - 12/27/2010 6:35:45 PM | Computer Name = MOM | Source = Service Control Manager | ID = 7023
Description = The IPSEC Services service terminated with the following error: %%1747


< End of report >

OTL.txt:

OTL logfile created on: 12/27/2010 7:43:16 PM - Run 1
OTL by OldTimer - Version 3.2.18.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 366.00 Mb Available Physical Memory | 36.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 38.00% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 69.73 Gb Total Space | 12.75 Gb Free Space | 18.28% Space Free | Partition Type: NTFS
Drive D: | 19.10 Gb Total Space | 13.44 Gb Free Space | 70.36% Space Free | Partition Type: FAT32
Drive E: | 4.79 Gb Total Space | 0.67 Gb Free Space | 13.93% Space Free | Partition Type: FAT32

Computer Name: MOM | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Owner\Desktop\OTL.scr (OldTimer Tools)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc.)
PRC - C:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
PRC - C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)
PRC - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)
PRC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (Check Point Software Technologies LTD)
PRC - C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
PRC - C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe (Check Point Software Technologies)
PRC - C:\Program Files\CheckPoint\ZAForceField\ForceField.exe (Check Point Software Technologies)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
PRC - c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)
PRC - C:\Program Files\LSI SoftModem\agrsmsvc.exe (LSI Corporation)
PRC - C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)
PRC - C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe (Nero AG)
PRC - C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe (Nero AG)
PRC - C:\Program Files\Microsoft ActiveSync\wcescomm.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft ActiveSync\rapimgr.exe (Microsoft Corporation)
PRC - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe (ATI Technologies Inc.)
PRC - C:\WINDOWS\system32\VTTimer.exe (S3 Graphics, Inc.)
PRC - C:\WINDOWS\system32\hphmon05.exe (Hewlett-Packard)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Owner\Desktop\OTL.scr (OldTimer Tools)
MOD - c:\Program Files\McAfee\SiteAdvisor\sahook.dll (McAfee, Inc.)
MOD - C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (Check Point Software Technologies)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll (Microsoft Corporation)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcp80.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (RoxLiveShare9) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe File not found
SRV - (HidServ) -- C:\WINDOWS\System32\hidserv.dll File not found
SRV - (AppMgmt) -- C:\WINDOWS\System32\appmgmts.dll File not found
SRV - (McAfee SiteAdvisor Service) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc.)
SRV - (avast! Web Scanner) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)
SRV - (avast! Mail Scanner) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)
SRV - (avast! Antivirus) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (AVAST Software)
SRV - (vsmon) -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe (Check Point Software Technologies LTD)
SRV - (IswSvc) -- C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe (Check Point Software Technologies)
SRV - (nosGetPlusHelper) getPlus® -- C:\Program Files\NOS\bin\getPlus_Helper_3004.dll (NOS Microsystems Ltd.)
SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (fsssvc) -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe (Microsoft Corporation)
SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)
SRV - (SeaPort) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)
SRV - (AgereModemAudio) -- C:\Program Files\LSI SoftModem\agrsmsvc.exe (LSI Corporation)
SRV - (WLSetupSvc) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe (Microsoft Corporation)
SRV - (dkab_device) -- C:\WINDOWS\System32\DKabcoms.exe ( )


========== Driver Services (SafeList) ==========

DRV - (RimUsb) -- C:\WINDOWS\System32\Drivers\RimUsb.sys File not found
DRV - (catchme) -- C:\ComboFix\catchme.sys File not found
DRV - (aswTdi) -- C:\WINDOWS\System32\drivers\aswTdi.sys (AVAST Software)
DRV - (aswSP) -- C:\WINDOWS\System32\drivers\aswSP.sys (AVAST Software)
DRV - (aswRdr) -- C:\WINDOWS\System32\drivers\aswRdr.sys (AVAST Software)
DRV - (aswMon2) -- C:\WINDOWS\System32\drivers\aswmon2.sys (AVAST Software)
DRV - (aswFsBlk) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys (AVAST Software)
DRV - (Aavmker4) -- C:\WINDOWS\System32\drivers\aavmker4.sys (AVAST Software)
DRV - (ISWKL) -- C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys (Check Point Software Technologies)
DRV - (fasttx2k) -- C:\WINDOWS\SYSTEM32\DRIVERS\FASTTX2K.SYS (Promise Technology, Inc.)
DRV - (vsdatant) -- C:\WINDOWS\system32\vsdatant.sys (Check Point Software Technologies LTD)
DRV - (fssfltr) -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys (Microsoft Corporation)
DRV - (AgereSoftModem) -- C:\WINDOWS\system32\drivers\AGRSM.sys (LSI Corporation)
DRV - (motccgpfl) -- C:\WINDOWS\system32\drivers\motccgpfl.sys (Motorola)
DRV - (motccgp) -- C:\WINDOWS\system32\drivers\motccgp.sys (Motorola)
DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\alcxwdm.sys (Realtek Semiconductor Corp.)
DRV - (RT80x86) -- C:\WINDOWS\system32\drivers\rt2860.sys (Ralink Technology, Corp.)
DRV - (MotoSwitchService) -- C:\WINDOWS\system32\drivers\motswch.sys (Motorola)
DRV - (sscdserd) SAMSUNG Mobile Modem Diagnostic Serial Port (WDM) -- C:\WINDOWS\system32\drivers\sscdserd.sys (MCCI Corporation)
DRV - (sscdmdm) -- C:\WINDOWS\system32\drivers\sscdmdm.sys (MCCI Corporation)
DRV - (sscdmdfl) -- C:\WINDOWS\system32\drivers\sscdmdfl.sys (MCCI Corporation)
DRV - (sscdbus) SAMSUNG USB Composite Device driver (WDM) -- C:\WINDOWS\system32\drivers\sscdbus.sys (MCCI Corporation)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (U3sHlpDr) -- C:\WINDOWS\system32\drivers\U3sHlpDr.sys ()
DRV - (USB200M) -- C:\WINDOWS\system32\drivers\USB200M2.sys (Linksys)
DRV - (WmFilter) -- C:\WINDOWS\system32\drivers\WmFilter.sys (Logitech Inc.)
DRV - (WmHidLo) -- C:\WINDOWS\system32\drivers\WmHidLo.sys (Logitech Inc.)
DRV - (WmBEnum) -- C:\WINDOWS\system32\drivers\WmBEnum.sys (Logitech Inc.)
DRV - (WmVirHid) -- C:\WINDOWS\system32\drivers\WmVirHid.sys (Logitech Inc.)
DRV - (WmXlCore) -- C:\WINDOWS\system32\drivers\WmXlCore.sys (Logitech Inc.)
DRV - (TIEHDUSB) -- C:\WINDOWS\system32\drivers\tiehdusb.sys (Texas Instruments Incorporated)
DRV - (SiSkp) -- C:\WINDOWS\system32\drivers\srvkp.sys (Silicon Integrated Systems Corporation)
DRV - (SiS315) -- C:\WINDOWS\system32\drivers\sisgrp.sys (Silicon Integrated Systems Corporation)
DRV - (ALCXSENS) -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS (Sensaura Ltd)
DRV - (Pfc) -- C:\WINDOWS\system32\drivers\pfc.sys (Padus, Inc.)
DRV - (Iviaspi) -- C:\WINDOWS\system32\drivers\iviaspi.sys (InterVideo, Inc.)
DRV - (SISAGP) -- C:\WINDOWS\System32\DRIVERS\SISAGPX.sys (Silicon Integrated Systems Corporation)
DRV - (viaagp1) -- C:\WINDOWS\System32\DRIVERS\viaagp1.sys (VIA Technologies, Inc.)
DRV - (CVirtA) -- C:\WINDOWS\system32\drivers\CVirtA.sys (Cisco Systems, Inc.)
DRV - (rtl8139) -- C:\WINDOWS\system32\drivers\R8139n51.sys (Realtek Semiconductor Corporation )
DRV - (EUSBMSD) -- C:\WINDOWS\system32\drivers\EUSBMSD.SYS (SCM Microsystems Inc.)
DRV - (SbcpHid) -- C:\WINDOWS\system32\drivers\SbcpHid.sys ()
DRV - (VIAPFD) -- C:\WINDOWS\System32\Drivers\viapfd.sys (VIA Technologies. Inc.)
DRV - (Ps2) -- C:\WINDOWS\system32\drivers\PS2.sys (Hewlett-Packard Company)
DRV - (MASPINT) -- C:\WINDOWS\System32\drivers\MASPINT.SYS (MicroStaff Co.,Ltd.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Search
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = Reg Error: Unknown registry data type
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://att.net
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://red.clientapps.yahoo.com/customize/ie/defaults/cs/sbcydsl/*http://www.yahoo.com/search/ie.html
IE - HKLM\Software\Microsoft\Internet Explorer\SearchURL\w, = Reg Error: Unknown registry data type

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = Reg Error: Unknown registry data type
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Search
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = Reg Error: Unknown registry data type
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://att.net/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = Reg Error: Unknown registry data type
IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKCU\..\URLSearchHook: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\tbZon1.dll (Conduit Ltd.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1;localhost;*.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.nytimes.com//?oref=login"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.3
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1.6.2.91
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.3
FF - prefs.js..extensions.enabledItems: jid0-NIEA2hJPrNIdsVQgBgJeKabi1kY@jetpack:1.6
FF - prefs.js..extensions.enabledItems: {6614d11d-d21d-b211-ae23-815234e1ebb5}:1.0.21
FF - prefs.js..extensions.enabledItems: {c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}:4.0
FF - prefs.js..extensions.enabledItems: ietab@ip.cn:1.95.20100933
FF - prefs.js..network.proxy.no_proxies_on: "127.0.0.1,localhost,*.local"
FF - prefs.js..network.proxy.type: 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\Program Files\CheckPoint\ZAForceField\TrustChecker [2010/11/13 08:16:12 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/12/16 14:18:24 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/12/13 15:33:33 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/12/10 17:08:54 | 000,000,000 | ---D | M]

[2010/11/14 09:50:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2010/12/27 19:43:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ma354rrb.default\extensions
[2010/12/07 15:13:14 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ma354rrb.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/11/14 10:15:30 | 000,000,000 | ---D | M] (PDF Download) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ma354rrb.default\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}
[2010/11/14 10:15:37 | 000,000,000 | ---D | M] (Dr.Web anti-virus link checker) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ma354rrb.default\extensions\{6614d11d-d21d-b211-ae23-815234e1ebb5}
[2010/11/14 10:15:40 | 000,000,000 | ---D | M] (WOT) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ma354rrb.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2010/12/27 09:08:19 | 000,000,000 | ---D | M] (Easy Youtube Video Downloader) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ma354rrb.default\extensions\{c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}
[2010/12/27 09:08:21 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ma354rrb.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/11/14 10:05:01 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus®)) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ma354rrb.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2010/12/07 15:12:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ma354rrb.default\extensions\ietab@ip.cn
[2010/11/14 10:15:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ma354rrb.default\extensions\jid0-NIEA2hJPrNIdsVQgBgJeKabi1kY@jetpack
[2010/12/27 09:08:33 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/11/14 09:59:19 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2009/05/27 18:34:42 | 000,028,488 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\atgpcdec.dll
[2009/05/27 18:34:42 | 000,183,696 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\atgpcext.dll
[2009/05/27 18:35:14 | 000,099,216 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\ieatgpc.dll
[2009/05/27 18:34:40 | 000,061,840 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\npatgpc.dll
[2009/11/19 13:16:28 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
[2010/09/15 04:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2009/11/19 13:16:29 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npMozCouponPrinter.dll

O1 HOSTS File: ([2010/12/06 15:58:22 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (ZoneAlarm Security Engine Registrar) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O2 - BHO: (ZoneAlarm Security Toolbar) - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\tbZon1.dll (Conduit Ltd.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (MSN Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0315.0\msneshellx.dll (Microsoft Corp.)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (MSN Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0315.0\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O3 - HKLM\..\Toolbar: (ZoneAlarm Security Toolbar) - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\tbZon1.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (ZoneAlarm Security Toolbar) - {91DA5E8A-3318-4F8C-B67E-5964DE3AB546} - C:\Program Files\ZoneAlarm_Security\tbZon1.dll (Conduit Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\cli.exe (ATI Technologies Inc.)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe (Hewlett-Packard)
O4 - HKLM..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe (Hewlett-Packard)
O4 - HKLM..\Run: [ISW] C:\Program Files\CheckPoint\ZAForceField\ForceField.exe (Check Point Software Technologies)
O4 - HKLM..\Run: [MSSE] C:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [VTTimer] C:\WINDOWS\System32\VTTimer.exe (S3 Graphics, Inc.)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe (Nero AG)
O4 - HKCU..\Run: [H/PC Connection Agent] C:\Program Files\Microsoft ActiveSync\wcescomm.exe (Microsoft Corporation)
O4 - HKCU..\Run: [ISUSPM] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: AllowLegacyWebView = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: AllowUnhashedWebView = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &Yahoo! Search - C:\Program Files\Yahoo!\Common [2010/05/21 17:35:35 | 000,000,000 | ---D | M]
O8 - Extra context menu item: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Yahoo! &Dictionary - C:\Program Files\Yahoo!\Common [2010/05/21 17:35:35 | 000,000,000 | ---D | M]
O8 - Extra context menu item: Yahoo! &Maps - C:\Program Files\Yahoo!\Common [2010/05/21 17:35:35 | 000,000,000 | ---D | M]
O8 - Extra context menu item: Yahoo! &SMS - C:\Program Files\Yahoo!\Common [2010/05/21 17:35:35 | 000,000,000 | ---D | M]
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB (Reg Error: Key error.)
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab (SupportSoft SmartIssue)
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab (SupportSoft Script Runner Class)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/FacebookPhotoUploader5.cab (Facebook Photo Uploader 5)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab (LSSupCtl Class)
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab (VerifyGMN Class)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB (Reg Error: Key error.)
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} http://picasaweb.google.com/s/v/26.33/uploader2.cab (UploadListView Class)
O16 - DPF: {4A01A151-E350-4839-A2B8-03DC39D6C8E5} http://download.yahoo.com/dl/ypc/ypcxwizard2003080601.cab (Reg Error: Key error.)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab (Windows Live Safety Center Base Module)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab (HP Download Manager)
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37380.cab (ICSScanner Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} http://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab (RegConfig Class)
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} http://longsdrugs.digitalcameradeveloping.com/upload/FujifilmUploadClient.cab (FujifilmUploader Class)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab (ZoneIntro Class)
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} http://download.yahoo.com/dl/installs/yab_af.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab (ActiveDataInfo Class)
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab (PhotosCtrl Class)
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} http://live.futuremark.com/global/msc3121.cab (Measurement Services Client v.3.12)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553550000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Reg Error: Key error.)
O16 - DPF: {DAF7E6E7-D53A-439A-B28D-12271406B8A9} http://mobileapps.blackberry.com/devicesoftware/AxLoader.cab (AxLoaderPassword Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class)
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} http://fdl.msn.com/zone/datafiles/heartbeat.cab (Reg Error: Key error.)
O16 - DPF: {EE884C7D-21A0-49EA-B6F2-61ACF4E226F6} http://workspace.office.live.com/Misc/Microsoft.OfficeLive.Workspace.RichUpload.cab (Microsoft Office Live Workspace Upload Tool)
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} http://by129fd.bay129.hotmail.msn.com/activex/HMAtchmt.ocx (Hotmail Attachments Control)
O16 - DPF: Microsoft XML Parser for Java Reg Error: Value error. (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 192.168.0.1
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (zwebauth.dll) - C:\WINDOWS\System32\ZWebAuth.dll ()
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/09/20 18:39:36 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2004/03/31 22:00:15 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.VIA -- [ NTFS ]
O32 - AutoRun File - [2004/09/03 22:38:18 | 000,000,267 | ---- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2004/09/03 22:35:34 | 000,000,267 | ---- | M] () - D:\AUTOEXEC.BAK -- [ FAT32 ]
O32 - AutoRun File - [2000/11/02 11:16:32 | 000,000,194 | ---- | M] () - D:\autoexec.nav -- [ FAT32 ]
O32 - AutoRun File - [2004/09/03 22:38:18 | 000,000,267 | ---- | M] () - D:\AUTOEXEC.FM -- [ FAT32 ]
O32 - AutoRun File - [2000/11/17 10:32:54 | 000,000,022 | ---- | M] () - D:\Autoexec.dos -- [ FAT32 ]
O32 - AutoRun File - [2001/05/11 22:46:04 | 000,000,221 | ---- | M] () - D:\AUTOEXEC.001 -- [ FAT32 ]
O32 - AutoRun File - [2001/07/28 06:07:38 | 000,000,000 | -HS- | M] () - E:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: LanmanWorkstation - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

MsConfig - StartUpReg: Adobe Reader Speed Launcher - hkey= - key= - C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: PS2 - hkey= - key= - File not found
MsConfig - StartUpReg: Recguard - hkey= - key= - C:\WINDOWS\SMINST\Recguard.exe ()
MsConfig - StartUpReg: REGSHAVE - hkey= - key= - C:\Program Files\REGSHAVE\REGSHAVE.EXE (FUJI PHOTO FILM CO., LTD.)
MsConfig - StartUpReg: SunJavaUpdateSched - hkey= - key= - C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
MsConfig - StartUpReg: UpdateManager - hkey= - key= - c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions)
MsConfig - State: "system.ini" - 1
MsConfig - State: "win.ini" - 1
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 0

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (69819404975603712)

========== Files/Folders - Created Within 30 Days ==========

[2010/12/27 19:42:02 | 000,602,624 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.scr
[2010/12/27 13:22:39 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ptpusb.dll
[2010/12/27 13:22:37 | 000,159,232 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ptpusd.dll
[2010/12/27 09:15:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\gmer
[2010/12/15 14:58:02 | 000,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndproxy.sys
[2010/12/15 14:56:42 | 000,045,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wab.exe
[2010/12/12 20:23:33 | 000,000,000 | ---D | C] -- C:\Program Files\Cobian Backup 8
[2010/12/12 20:09:44 | 000,000,000 | ---D | C] -- C:\Program Files\Runtime Software
[2010/12/06 16:20:53 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/12/06 15:04:15 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/12/06 15:04:15 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/12/06 15:04:15 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/12/06 15:04:15 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/12/06 15:03:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/12/06 14:51:09 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/12/04 10:41:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\ZoneAlarm_Security
[2007/12/30 11:53:29 | 000,360,448 | ---- | C] ( ) -- C:\WINDOWS\System32\lexlog.dll
[2007/12/30 11:52:29 | 000,675,840 | ---- | C] ( ) -- C:\WINDOWS\System32\DKabpmui.dll
[2007/12/30 11:52:28 | 001,204,224 | ---- | C] ( ) -- C:\WINDOWS\System32\DKabserv.dll
[2007/12/30 11:52:28 | 000,987,136 | ---- | C] ( ) -- C:\WINDOWS\System32\DKabusb1.dll
[2007/12/30 11:52:26 | 000,532,480 | ---- | C] ( ) -- C:\WINDOWS\System32\DKabpar1.dll
[2007/12/30 11:52:26 | 000,163,840 | ---- | C] ( ) -- C:\WINDOWS\System32\DKabprox.dll
[2007/12/30 11:52:26 | 000,114,688 | ---- | C] ( ) -- C:\WINDOWS\System32\DKabpplc.dll
[2007/12/30 11:52:25 | 000,561,152 | ---- | C] ( ) -- C:\WINDOWS\System32\DKablmpm.dll
[2007/12/30 11:52:25 | 000,413,696 | ---- | C] ( ) -- C:\WINDOWS\System32\DKabinpa.dll
[2007/12/30 11:52:24 | 001,056,768 | ---- | C] ( ) -- C:\WINDOWS\System32\DKabip1.dll
[2007/12/30 11:52:24 | 000,507,904 | ---- | C] ( ) -- C:\WINDOWS\System32\DKabhcp.dll
[2007/12/30 11:52:23 | 000,614,400 | ---- | C] ( ) -- C:\WINDOWS\System32\DKabcomc.dll
[2007/12/30 11:52:23 | 000,425,984 | ---- | C] ( ) -- C:\WINDOWS\System32\DKabcomm.dll
[2006/02/20 20:20:05 | 000,090,112 | R--- | C] ( ) -- C:\WINDOWS\System32\SCCD3X02.DLL
[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/12/27 19:42:16 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.scr
[2010/12/27 14:39:53 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/12/27 14:37:09 | 000,000,249 | ---- | M] () -- C:\WINDOWS\System\hpsysdrv.dat
[2010/12/27 14:35:58 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/12/27 14:33:30 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/12/19 14:52:00 | 000,004,435 | ---- | M] () -- C:\WINDOWS\System32\LexFiles.usr
[2010/12/19 12:48:26 | 000,002,489 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Excel (5).lnk
[2010/12/18 20:52:54 | 000,002,155 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\iTunes.lnk
[2010/12/18 20:46:01 | 000,002,491 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Word.lnk
[2010/12/18 10:41:03 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/12/15 21:20:09 | 000,001,357 | ---- | M] () -- C:\WINDOWS\pstudio.ini
[2010/12/15 19:27:28 | 000,278,152 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/12/15 17:53:13 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/12/13 01:06:31 | 000,000,056 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\C 2010-12-12 23;41;21.zip
[2010/12/12 23:41:17 | 000,000,056 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\C 2010-12-12 22;16;08.zip
[2010/12/12 22:16:05 | 000,000,056 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\C 2010-12-12 20;40;45.zip
[2010/12/12 21:41:19 | 000,001,591 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Defraggler.lnk
[2010/12/12 20:35:58 | 000,624,128 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2010/12/12 20:34:54 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Owner\defogger_reenable
[2010/12/12 20:34:23 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Defogger.exe
[2010/12/12 20:17:48 | 000,015,341 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Taxi Driver.docx
[2010/12/06 15:58:22 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/12/04 19:55:28 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/12/04 17:12:15 | 000,023,040 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\The Koran.doc
[2010/12/04 12:30:31 | 000,026,624 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\The Koran.doc
[2010/12/03 07:50:36 | 000,033,792 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\7g.xls
[2010/11/29 17:42:18 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/11/29 17:42:06 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/12/15 17:46:15 | 000,001,393 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2010/12/12 23:48:48 | 000,000,056 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\C 2010-12-12 23;41;21.zip
[2010/12/12 22:23:41 | 000,000,056 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\C 2010-12-12 22;16;08.zip
[2010/12/12 21:41:19 | 000,001,591 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Defraggler.lnk
[2010/12/12 20:46:20 | 000,000,056 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\C 2010-12-12 20;40;45.zip
[2010/12/12 20:35:28 | 000,624,128 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2010/12/12 20:34:54 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\defogger_reenable
[2010/12/12 20:34:20 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Defogger.exe
[2010/12/12 19:11:00 | 000,015,341 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Taxi Driver.docx
[2010/12/06 15:04:15 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/12/06 15:04:15 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/12/06 15:04:15 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/12/06 15:04:15 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/12/06 15:04:15 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/12/04 17:12:13 | 000,023,040 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\The Koran.doc
[2010/12/04 09:05:24 | 000,026,624 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\The Koran.doc
[2010/12/03 07:26:00 | 000,033,792 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\7g.xls
[2009/09/19 18:59:11 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\$_hpcst$.hpc
[2008/09/20 18:17:04 | 000,000,250 | ---- | C] () -- C:\WINDOWS\wwwbatch.ini
[2008/09/06 18:01:26 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/08/23 12:59:22 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2008/08/21 13:36:46 | 000,000,185 | ---- | C] () -- C:\WINDOWS\System32\msblcd32.dll
[2007/12/30 15:06:38 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2007/12/30 11:53:15 | 000,462,848 | ---- | C] () -- C:\WINDOWS\System32\softcoin.dll
[2007/12/30 11:53:15 | 000,344,064 | ---- | C] () -- C:\WINDOWS\System32\gencoin.dll
[2007/09/27 09:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 09:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 09:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2007/03/13 16:51:37 | 000,002,189 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/09/18 18:45:23 | 000,008,704 | ---- | C] () -- C:\WINDOWS\System32\CNMVS75.DLL
[2006/09/16 15:48:55 | 000,081,262 | ---- | C] () -- C:\WINDOWS\SGTBox.INI
[2006/04/10 17:13:39 | 000,000,572 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2006/04/10 17:12:52 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OP70.INI
[2006/04/10 17:11:44 | 000,000,021 | ---- | C] () -- C:\WINDOWS\phbase.ini
[2006/04/10 17:11:15 | 000,001,357 | ---- | C] () -- C:\WINDOWS\pstudio.ini
[2006/04/10 17:11:15 | 000,000,028 | ---- | C] () -- C:\WINDOWS\album.ini
[2006/04/10 17:11:14 | 000,000,021 | ---- | C] () -- C:\WINDOWS\Ps_setup.ini
[2006/04/05 15:46:05 | 000,007,551 | ---- | C] () -- C:\WINDOWS\System32\drivers\U3sHlpDr.sys
[2006/03/15 09:49:06 | 000,000,006 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\dm.ini
[2006/03/15 09:49:05 | 000,000,686 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\AdobeDLM.log
[2006/02/20 20:20:04 | 000,131,072 | R--- | C] () -- C:\WINDOWS\System32\SCCD3X01.DLL
[2006/02/18 13:22:50 | 000,000,291 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/02/04 16:47:40 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Game.INI
[2006/01/28 15:43:34 | 000,000,060 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2005/11/27 14:12:27 | 000,030,208 | ---- | C] () -- C:\WINDOWS\System32\WNASPI32.DLL
[2005/11/27 14:12:26 | 000,000,291 | ---- | C] () -- C:\WINDOWS\msfsetup.ini
[2005/10/08 16:18:27 | 000,006,904 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ypinfo.bin
[2005/09/29 18:45:17 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\YCRWin32.dll
[2005/09/26 16:18:04 | 000,016,973 | ---- | C] () -- C:\WINDOWS\System32\ZWebAuth.dll
[2005/08/03 15:52:34 | 000,000,075 | ---- | C] () -- C:\WINDOWS\ka.ini
[2005/06/11 22:42:23 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2005/04/23 09:37:04 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2005/04/23 09:37:04 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2005/04/23 09:37:03 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2005/04/23 09:37:03 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2005/04/23 09:37:03 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2005/04/23 09:37:03 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2005/02/09 23:29:13 | 000,010,240 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/12/11 16:03:05 | 000,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2004/12/11 15:54:11 | 000,000,229 | ---- | C] () -- C:\WINDOWS\QTW.INI
[2004/10/31 16:24:05 | 000,000,347 | ---- | C] () -- C:\WINDOWS\photoprn.ini
[2004/09/23 14:36:24 | 000,002,394 | ---- | C] () -- C:\WINDOWS\hegames.ini
[2004/09/17 16:37:42 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll
[2004/08/27 09:34:50 | 000,143,384 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2004/04/02 15:33:15 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\VGAunistlog.ini
[2004/04/02 15:33:14 | 000,000,451 | ---- | C] () -- C:\WINDOWS\VGAsetup.ini
[2004/04/02 15:18:59 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/04/01 13:32:44 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\JAWTAccessBridge.dll
[2004/04/01 13:32:21 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\PcdrKernelModeServices.dll
[2004/04/01 13:32:21 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\ProgressTrace.dll
[2004/04/01 13:31:04 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat
[2004/04/01 13:29:07 | 000,167,936 | ---- | C] () -- C:\WINDOWS\System32\PCDrJNI_1_1.dll
[2004/04/01 13:14:02 | 000,028,734 | ---- | C] () -- C:\WINDOWS\System32\CHODDI.SYS
[2004/04/01 13:13:21 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll
[2004/04/01 00:57:30 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/04/01 00:50:38 | 000,000,889 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2004/04/01 00:01:30 | 000,005,095 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2004/03/31 23:23:23 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/03/31 23:14:18 | 000,299,073 | ---- | C] () -- C:\WINDOWS\System32\PythonCOM22.dll
[2004/03/31 23:14:18 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes22.dll
[2004/03/31 23:12:07 | 000,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
[2004/03/31 22:03:26 | 000,000,802 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/03/31 20:50:07 | 000,000,549 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2004/03/31 13:54:04 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2001/11/19 18:05:18 | 000,003,972 | ---- | C] () -- C:\WINDOWS\System32\drivers\PciBus.sys
[2001/08/23 11:00:00 | 000,022,400 | ---- | C] () -- C:\WINDOWS\System32\drivers\SbcpHid.sys
[1999/01/22 18:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2010/10/22 16:58:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2006/12/14 07:13:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CA
[2006/09/18 18:45:11 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2005/09/20 20:56:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Effexis Software
[2008/09/12 16:59:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2008/09/02 20:37:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/03/14 10:49:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
[2010/07/17 12:36:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/09/12 11:05:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/06/06 12:22:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2005/11/23 08:59:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Aim
[2010/12/15 21:19:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Canon
[2010/10/23 13:51:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\CheckPoint
[2005/09/20 20:56:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Effexis Software
[2009/06/04 17:00:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\FileZilla
[2005/02/05 20:16:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\FotoWire
[2005/12/17 09:01:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\FUJIFILM
[2008/05/11 11:47:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\GlarySoft
[2010/10/13 18:38:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\HorizonWimba
[2007/11/11 14:02:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Inspiration Software
[2005/04/23 08:40:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\InterMute
[2005/06/30 20:14:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\InterVideo
[2004/10/17 11:54:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Leadertech
[2009/09/04 20:54:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\MP3toiPodAudioBookConverter
[2007/11/07 21:42:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\MyPublisher
[2005/11/24 10:08:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\NCH Swift Sound
[2004/12/30 21:34:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Opera
[2010/03/27 08:13:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Research In Motion
[2004/04/01 13:49:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\SampleView
[2005/04/23 10:40:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\spweng
[2004/09/29 21:21:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Stilesoft
[2005/02/03 18:20:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Template
[2008/05/10 14:43:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Uniblue
[2007/02/24 19:11:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Viewpoint
[2009/06/01 17:55:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\webex
[2005/09/18 12:54:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Webshots
[2008/06/01 16:09:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\WinBatch
[2010/05/20 19:42:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Windows Desktop Search
[2010/05/21 07:14:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Windows Search
[2010/06/11 06:44:45 | 000,000,290 | ---- | M] () -- C:\WINDOWS\Tasks\Defraggler Volume C Task.job
[2010/12/27 14:39:53 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2005/04/23 11:39:39 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/12/27 15:45:53 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2005/04/23 11:39:39 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2009/12/27 15:45:53 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 10:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 10:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 10:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/03 22:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2002/08/29 11:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys
[2005/04/23 11:39:39 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/12/27 15:45:53 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2002/08/29 04:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp1.cab:atapi.sys
[2005/04/23 11:39:39 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2009/12/27 15:45:53 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2002/08/29 04:00:00 | 000,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\$NtUninstallQ331958$\atapi.sys
[2008/04/13 10:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 10:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 10:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 21:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/03 21:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0025\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 16:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/13 16:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 16:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/03 23:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 16:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/13 16:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 16:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2009/02/06 10:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 10:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2004/08/03 23:56:44 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/03 23:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 16:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/13 16:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 16:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[7 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< End of report >
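
The "< MD5 for: ... >" blocks near the end of the OTL report above hash the driver copy Windows actually loads (system32\drivers\...) next to the Windows-shipped copies in ServicePackFiles, ERDNT\cache and $NtServicePackUninstall$; members of the Alureon family include variants that overwrite part of a legitimate driver such as atapi.sys on disk, so a live copy whose hash matches no shipped copy is the thing to look for. The script below is an added example, not part of this thread and not part of the OTL tool: it parses those sections and reports any file whose live hash matches none of the reference copies. The sample input is constructed: the AGP440 lines are copied from the report above, while the ATAPI section is shortened and its live hash (00112233...) is made up purely to exercise the mismatch path; it is not a finding about the poster's machine. Function and constant names are the example's own.

```python
"""Parse the "< MD5 for: NAME >" sections of an OTL log and flag live
system32 copies whose hash matches none of the Windows-shipped reference
copies (ServicePackFiles, ERDNT\\cache, $NtServicePackUninstall$, ...).
Added example; not part of the original thread or of the OTL tool."""
import re
import sys
from collections import defaultdict

# One hashed entry looks like:
# [2008/04/13 10:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A... -- C:\WINDOWS\system32\drivers\atapi.sys
# Lines for .cab containers carry no MD5= and are skipped on purpose.
ENTRY = re.compile(
    r"^\[(?P<stamp>[^\]]+)\]\s+\((?P<company>[^)]*)\)\s+"
    r"MD5=(?P<md5>[0-9A-Fa-f]{32})\s+--\s+(?P<path>\S.*)$"
)
SECTION = re.compile(r"^<\s*MD5 for:\s*(?P<name>[^>]+?)\s*>$")

# Directories OTL enumerates that hold Microsoft-shipped or backup copies of
# the file. Substrings are matched case-insensitively against the full path.
REFERENCE_DIRS = (
    "\\servicepackfiles\\",
    "\\erdnt\\cache\\",
    "\\$nt",              # $NtServicePackUninstall$, $NtUninstallKB...$
    "\\$hf_mig$\\",
    "\\reinstallbackups\\",
    "\\driver cache\\",
    "\\dllcache\\",
    "\\i386\\",
)


def parse_md5_sections(text):
    """Return {filename.lower(): [(path, MD5, company), ...]} per MD5 section."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("<"):
            m = SECTION.match(line)
            current = m.group("name").lower() if m else None  # any other "<...>" ends the section
            continue
        if current is None:
            continue
        m = ENTRY.match(line)
        if m:
            sections[current].append((m.group("path"), m.group("md5").upper(), m.group("company")))
    return dict(sections)


def is_reference(path):
    return any(d in path.lower() for d in REFERENCE_DIRS)


def is_live(path):
    """The copy Windows actually loads: under system32 and not in a backup tree."""
    return "\\system32\\" in path.lower() and not is_reference(path)


def check_files(sections):
    """Compare each live copy against the reference hashes.
    status is "ok", "MISMATCH", "no live copy" or "no reference copy"."""
    report = {}
    for name, entries in sections.items():
        reference = {md5 for path, md5, _ in entries if is_reference(path)}
        live = [(path, md5) for path, md5, _ in entries if is_live(path)]
        if not live:
            status = "no live copy"
        elif not reference:
            status = "no reference copy"
        elif all(md5 in reference for _, md5 in live):
            status = "ok"
        else:
            status = "MISMATCH"
        report[name] = {"status": status, "live": live, "reference": reference}
    return report


def mismatches(report):
    """Names whose live copy matches no shipped copy: leads to investigate, not proof."""
    return sorted(name for name, r in report.items() if r["status"] == "MISMATCH")


# Constructed sample. The AGP440 lines are copied from the log above; the
# ATAPI section is shortened and its live hash (00112233...) is made up to
# exercise the mismatch path. It is NOT a finding about the poster's machine.
SAMPLE_LOG = r"""
< MD5 for: AGP440.SYS >
[2005/04/23 11:39:39 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/04/13 10:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 10:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 10:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/03 22:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2008/04/13 10:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 10:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=00112233445566778899AABBCCDDEEFF -- C:\WINDOWS\system32\drivers\atapi.sys

< %systemroot%\system32\drivers\*.sys /lockedfiles >
"""


def main(argv):
    text = open(argv[1], encoding="utf-8", errors="replace").read() if len(argv) > 1 else SAMPLE_LOG
    report = check_files(parse_md5_sections(text))
    for name, r in sorted(report.items()):
        print(f"{name:20} {r['status']}")
        for path, md5 in r["live"]:
            print(f"    {md5}  {path}")
    return 1 if mismatches(report) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python otl_md5_check.py OTL.Txt` against a saved report, or with no argument to see the constructed sample. Two caveats a practitioner should keep in mind: a mismatch can also be a legitimate hotfix that OTL has no reference copy for, so confirm with the file's Authenticode signature or catalog before touching it; and a rootkit that filters disk I/O can hand a user-mode scanner the clean bytes of a patched driver, which is why the helpers in this thread also ask for a GMER scan and, for MBR-resident variants like the Trojan:DOS/Alureon.A detection that started this thread, look at the boot sector rather than trusting on-disk file hashes alone.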

#6 Starbuck (Malware Response Team, Midlands, UK)

Posted 28 December 2010 - 05:17 AM

Hi pdenner,

Which one though? Which one is a better antivirus?

They are both good and will do a good job.
It doesn't matter which you remove.... it's just that they don't play together.
I personally use Microsoft Security Essentials, but that's just my choice at the moment.

Step 1
Remove either Avast or Microsoft Security Essentials.

Remove Java™ SE Runtime Environment 6 Update 1
as this is an old version of Java.

Do Not remove Java™ 6 Update 22

Reboot the system.

Step 2
Double click on OTL.exe to run it.
Copy the lines in bold below (make sure that :Otl is on the first line).

:Otl
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = Reg Error: Unknown registry data type
IE - HKLM\Software\Microsoft\Internet Explorer\SearchURL\w, = Reg Error: Unknown registry data type
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = Reg Error: Unknown registry data type
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = Reg Error: Unknown registry data type
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = Reg Error: Unknown registry data type
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No CLSID value found.
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB (Reg Error: Key error.)
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab (SupportSoft SmartIssue)
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab (SupportSoft Script Runner Class)
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab (LSSupCtl Class)
O16 - DPF: {4A01A151-E350-4839-A2B8-03DC39D6C8E5} http://download.yahoo.com/dl/ypc/ypcxwizard2003080601.cab (Reg Error: Key error.)
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} http://download.yahoo.com/dl/installs/yab_af.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553550000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Reg Error: Key error.)
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} http://fdl.msn.com/zone/datafiles/heartbeat.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java Reg Error: Value error. (Reg Error: Key error.)

:Files
ipconfig /flushdns /c

:commands
[emptytemp]
[purity]
[RESETHOSTS]
[EMPTYFLASH]


  • Return to OTL,
  • right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.

  • Click the red Run Fix button.

  • OTL will reboot your system once the fix has completed.
  • After the reboot, you may need to double click OTL to launch the program and retrieve the log.

Copy and paste the contents of the OTL log that comes up after the fix in your next reply.

If you lose the report, there will be a copy here:
C:\_OTL\MovedFiles

Step 3
I see you have MBAM installed:

Please update MBAM and run another scan:
Start MBAM
Click on the Update tab


Click Check for Updates


If it says that MBAM needs to close to update it... let it close and then restart.
Then click the Scan button.

Don't forget:

  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


In your next reply, please submit:
Otl fix report
MBAM scan report.


Thanks.

Edited by Starbuck, 28 December 2010 - 05:24 AM.



#7 pdenner


Posted 29 December 2010 - 12:44 AM

Ok great thanks.

Here's the OTL log:

All processes killed
========== OTL ==========
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\SearchMigratedDefaultURL| /E : value set successfully!
HKLM\Software\Microsoft\Internet Explorer\SearchURL\w\\| /E : value set successfully!
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Default_Search_URL| /E : value set successfully!
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\SearchMigratedDefaultURL| /E : value set successfully!
HKCU\SOFTWARE\Microsoft\Internet Explorer\Search\\SearchAssistant| /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}\ not found.
Starting removal of ActiveX control {0000000A-0000-0010-8000-00AA00389B71}
C:\WINDOWS\Downloaded Program Files\WMAVAX.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{0000000A-0000-0010-8000-00AA00389B71}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0000000A-0000-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{0000000A-0000-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0000000A-0000-0010-8000-00AA00389B71}\ not found.
Starting removal of ActiveX control {01010E00-5E80-11D8-9E86-0007E96C65AE}
C:\WINDOWS\Downloaded Program Files\tgctlsi.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{01010E00-5E80-11D8-9E86-0007E96C65AE}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01010E00-5E80-11D8-9E86-0007E96C65AE}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{01010E00-5E80-11D8-9E86-0007E96C65AE}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01010E00-5E80-11D8-9E86-0007E96C65AE}\ not found.
Starting removal of ActiveX control {01012101-5E80-11D8-9E86-0007E96C65AE}
C:\WINDOWS\Downloaded Program Files\tgctlsr.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{01012101-5E80-11D8-9E86-0007E96C65AE}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01012101-5E80-11D8-9E86-0007E96C65AE}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{01012101-5E80-11D8-9E86-0007E96C65AE}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01012101-5E80-11D8-9E86-0007E96C65AE}\ not found.
Starting removal of ActiveX control {1F2F4C9E-6F09-47BC-970D-3C54734667FE}
C:\WINDOWS\Downloaded Program Files\LSSupCtl.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1F2F4C9E-6F09-47BC-970D-3C54734667FE}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F2F4C9E-6F09-47BC-970D-3C54734667FE}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1F2F4C9E-6F09-47BC-970D-3C54734667FE}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F2F4C9E-6F09-47BC-970D-3C54734667FE}\ not found.
Starting removal of ActiveX control {4A01A151-E350-4839-A2B8-03DC39D6C8E5}
C:\WINDOWS\Downloaded Program Files\YPCXWizard.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{4A01A151-E350-4839-A2B8-03DC39D6C8E5}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4A01A151-E350-4839-A2B8-03DC39D6C8E5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4A01A151-E350-4839-A2B8-03DC39D6C8E5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4A01A151-E350-4839-A2B8-03DC39D6C8E5}\ not found.
Starting removal of ActiveX control {B9191F79-5613-4C76-AA2A-398534BB8999}
C:\Program Files\Yahoo!\Common\yab_af.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{B9191F79-5613-4C76-AA2A-398534BB8999}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B9191F79-5613-4C76-AA2A-398534BB8999}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{B9191F79-5613-4C76-AA2A-398534BB8999}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B9191F79-5613-4C76-AA2A-398534BB8999}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {D27CDB6E-AE6D-11CF-96B8-444553550000}
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\swflash.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D27CDB6E-AE6D-11CF-96B8-444553550000}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11CF-96B8-444553550000}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553550000}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11CF-96B8-444553550000}\ not found.
Starting removal of ActiveX control {E5D419D6-A846-4514-9FAD-97E826C84822}
C:\WINDOWS\Downloaded Program Files\heartbeat.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E5D419D6-A846-4514-9FAD-97E826C84822}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E5D419D6-A846-4514-9FAD-97E826C84822}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E5D419D6-A846-4514-9FAD-97E826C84822}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E5D419D6-A846-4514-9FAD-97E826C84822}\ not found.
Starting removal of ActiveX control Microsoft XML Parser for Java Reg Error: Value error.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java Reg Error: Value error.\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Microsoft XML Parser for Java Reg Error: Value error.\ not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Owner\Desktop\Antivirus\cmd.bat deleted successfully.
C:\Documents and Settings\Owner\Desktop\Antivirus\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 527 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 56502 bytes

User: LocalService
->Temp folder emptied: 990152 bytes
->Temporary Internet Files folder emptied: 9257094 bytes
->Flash cache emptied: 138033 bytes

User: NetworkService
->Temp folder emptied: 1102040 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 101167 bytes

User: Owner
->Temp folder emptied: 1176982478 bytes
->Temporary Internet Files folder emptied: 5774549 bytes
->Java cache emptied: 55795292 bytes
->FireFox cache emptied: 100797124 bytes
->Flash cache emptied: 285927 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 58625 bytes
%systemroot%\System32 .tmp files removed: 4611985 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 5787962 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 228649 bytes
RecycleBin emptied: 7659610 bytes

Total Files Cleaned = 1,306.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

User: Owner
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.18.0 log created on 12282010_163526

Files\Folders moved on Reboot...
C:\Documents and Settings\Owner\Local Settings\Temp\~DFE26D.tmp moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\ma354rrb.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\ma354rrb.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\ma354rrb.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\ma354rrb.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\ma354rrb.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\ma354rrb.default\XUL.mfl moved successfully.
File\Folder C:\WINDOWS\temp\ZLT0117a.TMP not found!

Registry entries deleted on Reboot...

And here's the MBAM log (It's weird that it didn't find anything though. Isn't it?):

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5410

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/28/2010 7:35:41 PM
mbam-log-2010-12-28 (19-35-41).txt

Scan type: Full scan (C:\|)
Objects scanned: 293166
Time elapsed: 1 hour(s), 47 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 Starbuck


Posted 29 December 2010 - 03:44 AM

Hi pdenner,

And here's the MBAM log (It's weird that it didn't find anything though. Isn't it?):

Actually, there may have been nothing to find.
In your earlier post you said:

Microsoft Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the 'Allow' action and click 'Apply actions'. If this option is not available, log on as administrator or ask the local administrator for help.

Items:
file:C:\Qoobox\Quarantine\MBR_HardDisk0.mbr."

This is a ComboFix quarantine folder (so anything in there is safe); it should have been cleaned off when the m/c was found to be clean.
I see a few programs that were used are still on the system (don't worry though, we'll take care of that at the end).
The trojans may also have been false positives because of the 2 AVs running and conflicting.

Let's run another check to make sure though.

I'd like you to do an ESET OnlineScan

You may find it beneficial to close your resident AV program before running the scan.
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer.
      Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Click Posted Image, and save the file to your desktop using a unique name, such as ESETScan.
    Include the contents of this report in your next reply.
  • Click the Posted Image button.
  • Click Posted Image
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Thanks.



#9 pdenner


Posted 29 December 2010 - 08:24 PM

Ooohh I get it now.

Here's what the ESET scan found:

C:\Qoobox\Quarantine\MBR_HardDisk0.mbr Win32/Olmarik.AJL trojan
C:\Qoobox\Quarantine\C\WINDOWS\$NtServicePackUninstall$\drahelo.bak1.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\$NtServicePackUninstall$\drahelo.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\AppPatch\drahelo.bak1.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\AppPatch\drahelo.ini.vir Win32/Adware.Virtumonde.NEO application
C:\WINDOWS\ServicePackFiles\tuncbdo.tmp Win32/Adware.Virtumonde.NEO application
D:\WINDOWS\SYSTEM32\ksidipat.ini Win32/Adware.Virtumonde.NEO application
D:\WINDOWS\AppPatch\yalpcbdo.ini Win32/Adware.Virtumonde.NEO application
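The location-based reasoning from post #8 (a hit inside C:\Qoobox\Quarantine is a neutralised copy held by ComboFix, not an active infection) applied to the ESET lines above, as an added Python example that is not part of the thread or of ESET, OTL or ComboFix; the quarantine folder list, the assumed OTL folder C:\_OTL\MovedFiles, and the "path threat kind" line format it parses are assumptions based on the output posted here:

```python
"""Triage ESET Online Scanner detections by where the flagged file lives.

Added example for this thread; it is not part of ESET, OTL, ComboFix or the
forum posts. It applies the reasoning from post #8 (a hit inside a removal
tool's quarantine folder is a neutralised copy, not an active infection) to
the scan lines pdenner posted, and separates hits on the system drive from
hits on other drives, which is what the helper asks about next.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Folders where removal tools keep neutralised copies. ComboFix's folder is
# the one named in the thread; the OTL folder is an assumption based on the
# report location mentioned in post #6 (C:\_OTL\MovedFiles).
QUARANTINE_DIRS = (
    r"c:\qoobox\quarantine",
    r"c:\_otl\movedfiles",
)
SYSTEM_DRIVE = "c:"

# One ESET log line is "<path> <threat name> <kind>" (assumed from the posted
# output). The path may contain spaces, so the pattern anchors on the threat
# name (always "family/variant") and the trailing kind word.
_LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+(?P<threat>\S+/\S+)\s+(?P<kind>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    path: str
    threat: str
    kind: str
    location: str  # "quarantine", "system" or "other-drive"


def classify_path(path: str) -> str:
    """Decide whether a flagged path is an inert quarantine copy, a file on
    the live system drive, or a file on another (e.g. backup) drive."""
    low = path.lower()
    if any(low.startswith(q + "\\") for q in QUARANTINE_DIRS):
        return "quarantine"
    if low.startswith(SYSTEM_DRIVE + "\\"):
        return "system"
    return "other-drive"


def parse_eset_line(line: str) -> Finding | None:
    """Parse one detection line; returns None for lines that are not hits."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    return Finding(path, m.group("threat"), m.group("kind"), classify_path(path))


def triage(lines) -> dict:
    """Group detections by location so the active ones stand out."""
    buckets = {"quarantine": [], "system": [], "other-drive": []}
    for line in lines:
        finding = parse_eset_line(line)
        if finding is not None:
            buckets[finding.location].append(finding)
    return buckets


def needs_attention(lines) -> list:
    """Everything that is not already sitting in a quarantine folder."""
    groups = triage(lines)
    return groups["system"] + groups["other-drive"]


# Constructed sample: the eight lines from the ESET result posted above.
SAMPLE_ESET_LOG = r"""
C:\Qoobox\Quarantine\MBR_HardDisk0.mbr Win32/Olmarik.AJL trojan
C:\Qoobox\Quarantine\C\WINDOWS\$NtServicePackUninstall$\drahelo.bak1.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\$NtServicePackUninstall$\drahelo.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\AppPatch\drahelo.bak1.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\AppPatch\drahelo.ini.vir Win32/Adware.Virtumonde.NEO application
C:\WINDOWS\ServicePackFiles\tuncbdo.tmp Win32/Adware.Virtumonde.NEO application
D:\WINDOWS\SYSTEM32\ksidipat.ini Win32/Adware.Virtumonde.NEO application
D:\WINDOWS\AppPatch\yalpcbdo.ini Win32/Adware.Virtumonde.NEO application
""".strip().splitlines()


if __name__ == "__main__":
    for location, findings in triage(SAMPLE_ESET_LOG).items():
        print(f"{location}: {len(findings)}")
        for f in findings:
            print(f"  {f.kind:<12} {f.threat:<30} {f.path}")
```

On the posted lines this leaves five quarantine copies, one live file on C: and two on D:, which are the three entries worth asking about.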

#10 Starbuck


Posted 30 December 2010 - 04:29 AM

Hi pdenner,

Is your 'D' drive used as a backup facility?

How's the system behaving now?
Any problems still?



#11 pdenner


Posted 02 January 2011 - 12:33 PM

I think so. The D drive is just another hard drive we hooked up for more space.

Well, it's working fine. MSE still finds the virus, saying "Microsoft Security Essentials encountered the following error: Error code 0x800704ec. Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator." And it says it's here: "file:C:\Qoobox\Quarantine\MBR_HardDisk0.mbr", so since that's the same place, and if that's a Combofix quarantine, which makes it safe, then yeah, it's all working fine. I'm still somewhat worried about having a trojan on my computer though, even if it is quarantined, but if it's perfectly safe, then I'm fine with just letting it go.

#12 Starbuck


Posted 02 January 2011 - 03:24 PM

Hi pdenner

I'm still somewhat worried about having a trojan on my computer though, even if it is quarantined, but if its perfectly safe, then I'm fine with just letting it go.

Yes, it's perfectly safe .... but as everything is running fine let's cleanup and remove the folder.

Step 1
  • Please double-click OTL.exe to run it.
  • You should see a CleanUp! button, press that button,

  • This will remove any programs we have asked you to download along with their associated folders, plus itself.

Note:
MBAM will not be removed


Step 2
Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Select the drive for cleaning then click OK (usually 'C' drive)
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.


To find out how you may have been infected, read this topic:
So how did i get infected?

Not all of the following information will be applicable to you, but it's still best to read it all.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Use an AntiVirus Software

    Note*:
    Upon installation MS Security Essentials will check that your OS is a legal copy.

    Only install one AntiVirus program
  • Update your AntiVirus Software regularly
  • Use a 3rd party Firewall
    NOTE: If choosing Zone Alarm be aware that the free version also installs ZoneAlarm Spy Blocker. It is recommended however that you UNcheck this option.

    Only install one software Firewall

    Some 3rd party Firewalls will turn off the windows firewall when they are installed.
    It's always best to check that the Windows Firewall is turned off:

    How to turn off Windows Firewall:
    Start ... Control Panel ... click on 'Classic View'.
    Now select Windows Firewall.
    When the Windows Firewall box opens, put a tick against .. Off (not recommended) and then click Ok
  • Scan regularly with a 'Stand Alone' Anti-Malware scanner:
    Installing another scanner that you can run once or twice a week is always beneficial.
    Something like:
    Malwarebytes Anti-Malware
    SUPERAntiSpyware
    Remember to update these programs each time before running.
    You can install more than one of these if you only run them as stand alone programs.
  • Use an alternative browser:
    Some excellent alternatives to MS Internet Explorer are:

    Firefox
    For added security, add the NoScript extension to this browser:
    Allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks
    also consider adding:
    WOT - Safe Browsing Tool

    Web of Trust warns you about risky sites that cheat customers, deliver malware or send spam. Millions of members of the WOT community rate sites based on their experience, giving you an extra layer of protection when browsing or searching the Web.
    Btw: you don't have to make a contribution.

    Opera

    They offer better security, more stability, and better speed.
  • Keep a backup of your registry
    Keeping a regular backup of your registry will help when something goes wrong.
    Use a program like:
    Erunt

    A full tutorial on how to set up and use Erunt can be found here:
    Erunt tutorial
  • Keep your system clean of temp files etc, using a 'Cleaner':

    Cleaners are programs that will help to clean out your:
    Windows temp files
    Current user temp files
    Cookies
    Temporary Internet files
    Browser history
    Recycle bin
    Etc.......
    In other words, all the rubbish that you accumulate over the course of your browsing and day to day usage of your pc.
    Programs like:
    CCleaner
    TFC by OldTimer
    ATF Cleaner
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:
    Using and installing SpywareBlaster
  • Update all your 'Security' programs regularly - Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.

Safe surfing.





