Infected with White Smoke and more


This topic is locked
32 replies to this topic

#1 Liquid_Squelch
  • Members
  • 18 posts
  • Gender:Male
Posted 17 December 2010 - 02:41 PM

I'm usually pretty good at removing any virus attacks on my own, but I've finally met my match.
I'm running WinXP Home SP3 on a Compaq Presario AMD 3400 with 2 GB of RAM.

My computer had the WhiteSmoke "Welcome" splash on Saturday 12/11. Since then, I've been working to try and remove it from my PC.
This little program also caused my 2nd HD in the PC to bluescreen my Windows startup if I started the PC with the HD attached. I've since recovered all files on that drive to an external drive.


I used to have CA Anti-Virus (which I removed after 12/11) and replaced it with the Microsoft Essentials pack.
Using Malwarebytes, I scanned my PC and it pulled off 848 infected files associated with WhiteSmoke. Then I followed up with MSE, which pulled off a few more. I then followed up with Search & Destroy (or is it Seek and Destroy?) and it found more trojan files.

After all of that, I started Firefox and discovered my homepage was redirected to WhiteSmoke and it reinstalled... so, rinse and repeat. Then I thought the virus was gone.

I manually cleared my registry of all keys containing "Whitesmoke", but it seems like my Firefox wants to open a new tab each time for pcspeedmaximizer.

Today I'm at my wit's end. After scanning with DDS and GMER, the WhiteSmoke screen is back, and MSE is alerting me that I'm infected again. FWIW, the first time I ran GMER it caused the Blue Screen of Death. I didn't write down the hex code.

I am also getting "Generic Host Process for Win32 Services" failure dialog boxes. I also found wimpixo.e on the PC as well.

In my DDS log, I can see how WhiteSmoke is still attached to Firefox. It also looks like I may have a few rootkits. I did not include my 2 non-OS drives in any scans.

I'm hoping some of the bleepingcomputer volunteers can help. Attached are my DDS.txt, Attach.txt, and gmer.log files.



Thanks,
Phil

Attached Files


Edited by Liquid_Squelch, 17 December 2010 - 03:36 PM.



#2 Blind Faith
  • Malware Response Team
  • 4,101 posts
  • Gender:Female

Posted 27 December 2010 - 02:24 PM

Hello and welcome to Bleeping Computer.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log




Elle
Can you hear it? It's all around!

Do you remember?
If you do, then
can you forgive?



If I haven't replied in 48 hours, please feel free to send me a PM.



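The DDS and GMER output those steps produce is what the responder reads next. The script below is an added example, not part of this thread and not part of the DDS or GMER tools: it runs a few triage heuristics over an excerpt of the log the original poster attached in the following reply (a proxy pinned to the loopback interface, a Run key loading a DLL from the Windows root through rundll32, a regularly spaced series of small DLLs with generated-looking names, and GMER's atapi DriverStartIo hook and disk-sector warnings). The size band, interval tolerance and vowel-ratio threshold are assumptions tuned to that log, not published indicators.

```python
"""Triage heuristics for a DDS / GMER log (added example; thresholds are assumptions)."""
import re
from datetime import datetime

# Excerpt of the DDS (Pseudo HJT and Find3M sections) and GMER output posted
# in this thread, used here as the sample input.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
mRun: [tvncontrol] "c:\program files\tightvnc\tvnserver.exe" -controlservice -slave
mRun: [Szusayujupiliyo] rundll32.exe "c:\windows\aboyiyuk.dll",Startup
mRun: [PS2] c:\windows\system32\ps2.exe
2010-10-05 16:19:50 5233 ----a-w- c:\windows\upinevozuj.dll
2010-10-05 14:17:50 5263 ----a-w- c:\windows\izagevope.dll
2010-10-05 12:15:49 5249 ----a-w- c:\windows\esataludejemila.dll
2010-10-05 10:13:50 5237 ----a-w- c:\windows\exexawirozilizod.dll
2010-12-04 04:45:19 249856 ------w- c:\windows\Setup1.exe
\Driver\atapi DriverStartIo -> 0x8AD6939B
Warning: possible TDL3 rootkit infection !
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
""".strip("\n")

# WinINet proxy pinned to loopback: a local process sits in the HTTP path.
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?(127\.0\.0\.1|localhost):(\d+)", re.I)
# Run-key entry that loads a DLL from the Windows root through rundll32.
RUNDLL_RE = re.compile(r'^[mud]Run: \[([^\]]+)\]\s+rundll32(?:\.exe)?\s+"?(c:\\windows\\[^\\"]+\.dll)', re.I)
# DDS Find3M line "<date> <time> <size> <attrs> <path>" for a DLL directly in c:\windows.
FIND3M_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+\S+\s+c:\\windows\\([a-z]+)\.dll$", re.I)
# GMER "detected hooks" line, e.g. "\Driver\atapi DriverStartIo -> 0x8AD6939B".
HOOK_RE = re.compile(r"^\\Driver\\(\w+)\s+(\w+)\s+->\s+(0x[0-9A-F]+)", re.I)
# GMER verdict lines that need no parsing, only surfacing.
GMER_RE = re.compile(r"^(Warning: possible .*rootkit infection|Disk \\Device\\\S+ sector \d+: rootkit-like behavior)", re.I)


def looks_generated(name, min_len=8, min_vowel_ratio=0.4):
    """Pronounceable-gibberish heuristic: lowercase letters only, long, vowel-heavy.
    Thresholds are assumptions tuned to the names in this log."""
    if not (name.isalpha() and name.islower() and len(name) >= min_len):
        return False
    return sum(c in "aeiou" for c in name) / len(name) >= min_vowel_ratio


def parse_find3m_dlls(lines):
    """Return (timestamp, size, basename) for every Find3M DLL dropped directly in c:\\windows."""
    hits = []
    for line in lines:
        m = FIND3M_RE.match(line)
        if m:
            hits.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), int(m.group(2)), m.group(3)))
    return hits


def dropper_series(hits, size_band=(5000, 5500), tolerance=0.10):
    """Flag 3+ small generated-name DLLs written at a near-constant interval (assumed band/tolerance)."""
    cands = sorted((t, n) for t, size, n in hits if size_band[0] <= size <= size_band[1] and looks_generated(n))
    if len(cands) < 3:
        return None
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(cands, cands[1:])]
    median = sorted(gaps)[len(gaps) // 2]
    regular = sum(abs(g - median) <= tolerance * median for g in gaps)
    if median <= 0 or regular < len(gaps) // 2 + 1:  # a majority of gaps must be regular
        return None
    return {"count": len(cands), "interval_min": round(median / 60), "names": [n for _, n in cands]}


def triage(text):
    """Return (severity, description) findings for one DDS/GMER log."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    findings = []
    for line in lines:
        m = PROXY_RE.search(line)
        if m:
            findings.append(("HIGH", f"web traffic routed through loopback proxy {m.group(1)}:{m.group(2)}"))
        m = RUNDLL_RE.match(line)
        if m:
            findings.append(("HIGH", f"autostart [{m.group(1)}] loads {m.group(2)} via rundll32 from the Windows root"))
        m = HOOK_RE.match(line)
        if m:
            findings.append(("CRITICAL", f"kernel hook: \\Driver\\{m.group(1)} {m.group(2)} -> {m.group(3)} "
                                         "(disk I/O path hooked; scans run inside this OS are unreliable)"))
        if GMER_RE.match(line):
            findings.append(("CRITICAL", line.strip()))
    series = dropper_series(parse_find3m_dlls(lines))
    if series:
        findings.append(("HIGH", f"{series['count']} generated-name DLLs in c:\\windows, one every "
                                 f"~{series['interval_min']} min: {', '.join(series['names'])}"))
    return findings


if __name__ == "__main__":
    for sev, desc in triage(SAMPLE_LOG):
        print(f"[{sev}] {desc}")
```

The DriverStartIo hook is the finding that changes the plan: once the storage driver is patched, everything the user-mode scanners reported (including the "MBR OK" line) was read through the rootkit, so a confirmed hook argues for an offline scan or a rebuild rather than more in-OS cleaning passes.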

#3 Liquid_Squelch
  • Topic Starter
  • Members
  • 18 posts
  • Gender:Male

Posted 27 December 2010 - 09:57 PM

*** NOTE *** I had to FTP my answer to my web server (temp account) and post via another computer to reply to this thread! XD

Yes, I am still having problems with this computer.

I think I still have CA Anti-Virus installed, and that needs to be removed.

Each time I start Firefox, it wants to open up another tab. Sometimes it's "You've Won", and other times it is WhiteSmoke, and that reinstalls itself.

Microsoft Security Essentials cannot "phone home" and update its definitions.

I can not boot my computer with my 2nd hard drive installed (Drive R). It will BSOD before the Windows Splash screen arrives.
Also removed are my DVD Drives (Drives D & E).

FYI - This computer has 6 serial cards installed and an M-Audio 1010LT soundcard.


I have shelved this PC since I opened my thread. As per the reply, I re-ran DDS.scr and GMER without my virus scanner enabled (M$ Essentials).

Below are my DDS Text and GMER Log. Attached (as per instructions) is my "Attached.txt" file.
*** NOTE *** I could not attach my "Attached.txt" file so it is included at the bottom of this reply.

Thanks for the help - I thought my thread was lost for a while :)

DDS (Ver_10-12-12.02) - NTFSx86
Run by Phil at 20:51:23.80 on Mon 12/27/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2750.2129 [GMT -5:00]

AV: CA Anti-Virus *Enabled/Outdated* {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
AV: Microsoft Security Essentials *Disabled/Outdated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AnalogX\NetStat Live\nsl.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\DeltTray.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Amateur Radio\Ham Radio Deluxe\HRDRemoteSvr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\TightVNC\tvnserver.exe
C:\Program Files\Belkin Bulldog Plus\UPS-Service.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Phil\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
mSearchAssistant = hxxp://www.google.com
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [tvncontrol] "c:\program files\tightvnc\tvnserver.exe" -controlservice -slave
mRun: [Szusayujupiliyo] rundll32.exe "c:\windows\aboyiyuk.dll",Startup
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [NetStat Live] c:\program files\analogx\netstat live\nsl.exe
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [DeltTray] DeltTray.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [Norton SystemWorks] "c:\program files\norton systemworks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launch~1.lnk - c:\program files\whitesmoke translator\WSTrayDictMode.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\status~1.lnk - c:\program files\brother\brmfcmon\BrMfcWnd.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {B863453A-26C3-4e1f-A54D-A2CD196348E9} - c:\program files\icqlite\ICQLite.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: w2lie.net\www
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {4D830200-C534-435F-8ECA-955EEBB8DB34} - hxxp://www.visualradio.de/download/sdr_ocx.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-_UNO/GAME_UNO1.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1146872514258
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150767498984
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} - hxxp://messenger.zone.msn.com/binary/WoF.cab57176.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\phil\applic~1\mozilla\firefox\profiles\lqyyugge.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://www.whitesmokestart.com/s/?src=FF-Address&site=Yahoo!&cfg=2-267-0-0&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npRACtrl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: e107 Debugger: {ce54f00e-29ba-444c-ab72-f845d4c57612} - %profile%\extensions\{ce54f00e-29ba-444c-ab72-f845d4c57612}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: XULRunner: {B6CBFFC2-0279-44C2-A31E-A2DDEFEAE619} - c:\documents and settings\phil\local settings\application data\{B6CBFFC2-0279-44C2-A31E-A2DDEFEAE619}

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R2 HRD RemoteSvr;Ham Radio Deluxe Remote Server;c:\program files\amateur radio\ham radio deluxe\HRDRemoteSvr.exe [2008-10-12 196608]
R2 tvnserver;TightVNC Server;c:\program files\tightvnc\tvnserver.exe [2010-7-8 815704]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2010-1-21 110592]
R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [2008-9-8 50944]
S2 gupdate1c9bfa3ff7897bc;Google Update Service (gupdate1c9bfa3ff7897bc);c:\program files\google\update\GoogleUpdate.exe [2009-4-17 133104]
S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
S3 EdgeSer;Edgeport Serial Port Driver for Windows 2000, XP, Vista & Server 2003;c:\windows\system32\drivers\edgeser.sys [2010-6-18 229376]
S3 Ionenum;Edgeport Filter Driver;c:\windows\system32\drivers\ionenum.sys [2010-6-18 17920]
S3 KLSIENET;Driver for USB Ethernet Adapter;c:\windows\system32\drivers\usb101et.sys [2007-1-12 32384]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2010-12-15 11520]
S4 Icecast;Icecast Media Server;c:\program files\icecast2 win32\icecastService.exe [2006-5-5 393216]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-10 369688]

=============== Created Last 30 ================

2010-12-17 15:47:46 -------- d-----w- c:\docume~1\phil\locals~1\applic~1\Western_Digital
2010-12-16 00:15:35 -------- d-----w- c:\docume~1\phil\applic~1\Western Digital
2010-12-16 00:03:39 -------- d-----w- c:\docume~1\alluse~1\applic~1\Western Digital
2010-12-16 00:02:42 11520 ----a-w- c:\windows\system32\drivers\wdcsam.sys
2010-12-16 00:00:13 -------- d-----w- c:\program files\Western Digital
2010-12-15 23:58:54 -------- d-----w- c:\docume~1\phil\locals~1\applic~1\Western Digital
2010-12-14 02:16:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-14 02:16:32 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-12-13 03:05:33 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{eac37ba4-33e5-4ad9-81e1-b982538ee9a6}\mpengine.dll
2010-12-13 02:58:54 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-12-12 17:04:46 0 ----a-w- c:\windows\system32\lsp5C.tmp
2010-12-11 21:34:22 -------- d-----w- c:\docume~1\phil\locals~1\applic~1\{B6CBFFC2-0279-44C2-A31E-A2DDEFEAE619}
2010-12-11 10:20:14 -------- d-----w- c:\windows\system32\%APPDATA%

==================== Find3M ====================

2010-12-17 15:55:09 0 ----a-w- c:\windows\Hbefe.bin
2010-12-04 04:45:19 249856 ------w- c:\windows\Setup1.exe
2010-12-04 04:45:18 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-10-05 16:19:50 5233 ----a-w- c:\windows\upinevozuj.dll
2010-10-05 14:17:50 5263 ----a-w- c:\windows\izagevope.dll
2010-10-05 12:15:49 5249 ----a-w- c:\windows\esataludejemila.dll
2010-10-05 10:13:50 5237 ----a-w- c:\windows\exexawirozilizod.dll
2010-10-05 08:11:50 5243 ----a-w- c:\windows\ajepayukayejuhed.dll
2010-10-05 06:09:50 5207 ----a-w- c:\windows\amuvifohahurozec.dll
2010-10-05 04:11:44 5241 ----a-w- c:\windows\iveqaluheqicox.dll
2010-10-03 23:59:19 5237 ----a-w- c:\windows\igegebuteboyo.dll
2010-10-03 21:57:19 5271 ----a-w- c:\windows\apotamewigamewo.dll
2010-10-03 19:55:19 5287 ----a-w- c:\windows\ipukaseg.dll
2010-10-03 17:53:20 5279 ----a-w- c:\windows\ayozemizu.dll
2010-10-03 15:51:19 5253 ----a-w- c:\windows\ebisegefimifetel.dll
2010-10-03 13:49:19 5215 ----a-w- c:\windows\aqehekevasuqeru.dll
2010-10-03 11:47:20 5241 ----a-w- c:\windows\abavasax.dll
2010-10-03 09:45:19 5255 ----a-w- c:\windows\uqayecox.dll
2010-10-03 07:43:19 5237 ----a-w- c:\windows\olumirux.dll
2010-10-03 05:41:19 5219 ----a-w- c:\windows\efitepop.dll
2010-10-03 03:39:19 5217 ----a-w- c:\windows\ajewafonutul.dll
2010-10-03 01:37:19 5219 ----a-w- c:\windows\ifohehate.dll
2010-10-02 23:35:19 5207 ----a-w- c:\windows\osaqevoyoxajijoh.dll
2010-10-02 21:33:20 5291 ----a-w- c:\windows\uqebazobifuyiw.dll
2010-10-02 19:31:19 5227 ----a-w- c:\windows\osavaxitig.dll
2010-10-02 17:29:20 5231 ----a-w- c:\windows\otukiyit.dll
2010-10-02 15:27:19 5259 ----a-w- c:\windows\adiqujuzesecoq.dll
2010-10-02 13:25:19 5205 ----a-w- c:\windows\eduzuvovepurifum.dll
2010-10-02 11:23:19 5307 ----a-w- c:\windows\ohuretozuneseyom.dll
2010-10-02 09:21:19 5227 ----a-w- c:\windows\inilokuzoxufapif.dll
2010-10-02 07:19:19 5253 ----a-w- c:\windows\agucupodovuje.dll
2010-10-02 05:17:19 5229 ----a-w- c:\windows\agakehejonuquc.dll
2010-10-02 03:15:19 5265 ----a-w- c:\windows\ozodarex.dll
2010-10-02 01:13:19 5227 ----a-w- c:\windows\ojerokon.dll
2010-10-01 23:11:19 5233 ----a-w- c:\windows\ahiqemej.dll
2010-10-01 21:09:19 5237 ----a-w- c:\windows\obefadujuge.dll
2010-10-01 19:07:19 5245 ----a-w- c:\windows\uhokihib.dll
2010-10-01 17:05:19 5247 ----a-w- c:\windows\aneroyuyevevamiw.dll
2010-10-01 15:03:19 5235 ----a-w- c:\windows\ilowohisiquyic.dll
2010-10-01 13:01:19 5207 ----a-w- c:\windows\emoqocef.dll
2010-10-01 10:59:19 5245 ----a-w- c:\windows\uzofiraw.dll
2010-10-01 08:57:19 5247 ----a-w- c:\windows\afotofiwupucus.dll
2010-10-01 06:55:19 5241 ----a-w- c:\windows\ujutidal.dll
2010-10-01 04:53:19 5213 ----a-w- c:\windows\ixopadaxu.dll
2010-10-01 02:51:19 5249 ----a-w- c:\windows\enejupecejo.dll
2010-10-01 00:49:19 5215 ----a-w- c:\windows\ojibuworu.dll
2010-09-30 22:47:19 5263 ----a-w- c:\windows\iveqasoq.dll
2010-09-30 20:45:19 5239 ----a-w- c:\windows\ulaqurejadan.dll
2010-09-30 18:43:19 5211 ----a-w- c:\windows\omelafunanerul.dll
2010-09-30 16:41:19 5265 ----a-w- c:\windows\ujewipez.dll
2010-09-30 14:39:19 5263 ----a-w- c:\windows\oyagedey.dll
2010-09-30 12:37:19 5247 ----a-w- c:\windows\izosefubemobelis.dll
2010-09-30 10:35:19 5245 ----a-w- c:\windows\odomizufazemi.dll
2010-09-30 08:33:19 5235 ----a-w- c:\windows\iyesilarefozuzi.dll
2010-09-30 06:31:19 5277 ----a-w- c:\windows\afolikolakefuper.dll
2010-09-30 04:29:19 5245 ----a-w- c:\windows\imawaxozuvovep.dll
2010-09-30 02:27:19 5239 ----a-w- c:\windows\ikemojok.dll
2010-09-30 00:25:19 5243 ----a-w- c:\windows\upodowurafoxos.dll
2010-09-29 22:23:19 5243 ----a-w- c:\windows\ohixicakih.dll
2010-09-29 20:21:19 5257 ----a-w- c:\windows\ibevapon.dll
2010-09-29 18:19:19 5265 ----a-w- c:\windows\opufudocayewidu.dll
2010-09-29 16:17:18 5257 ----a-w- c:\windows\itecokuh.dll
2010-09-29 14:15:18 5223 ----a-w- c:\windows\acaxaroyuyevev.dll
2010-09-29 12:13:19 5243 ----a-w- c:\windows\arodajug.dll
2010-09-29 10:11:19 5243 ----a-w- c:\windows\alekukaseg.dll
2010-09-29 08:09:19 5261 ----a-w- c:\windows\abasuvub.dll
2010-09-29 06:07:19 5243 ----a-w- c:\windows\ohojevula.dll
2010-09-29 04:05:19 5217 ----a-w- c:\windows\akiteduzubo.dll
2010-09-29 02:03:19 5243 ----a-w- c:\windows\erucaval.dll
2008-11-15 03:41:06 19316 ----a-w- c:\program files\common files\veforexa.bin
2008-11-15 03:41:06 10096 ----a-w- c:\program files\common files\edibylucu.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_6L100M0 rev.BACE1G10 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AD69555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8ad6f7b0]; MOV EAX, [0x8ad6f82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8AD8DAB8]
3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\0000005e[0x8AD91E98]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8AE10D98]
\Driver\atapi[0x8AD58560] -> IRP_MJ_CREATE -> 0x8AD69555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskMaxtor_6L100M0__________________________BACE1G10#324c39345339475a202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8AD6939B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 20:57:59.64 ===============


GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-27 21:35:44
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 Maxtor_6L100M0 rev.BACE1G10
Running: gmer.exe; Driver: C:\DOCUME~1\Phil\LOCALS~1\Temp\uxtdrpod.sys


---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\Phil\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1044] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[1044] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A
.text C:\WINDOWS\System32\svchost.exe[1044] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C
.text C:\WINDOWS\System32\svchost.exe[1044] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 01DA000A
.text C:\WINDOWS\System32\svchost.exe[1044] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00D4000A
.text C:\WINDOWS\Explorer.EXE[1496] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D2000A
.text C:\WINDOWS\Explorer.EXE[1496] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D3000A
.text C:\WINDOWS\Explorer.EXE[1496] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D1000C
.text C:\WINDOWS\system32\wuauclt.exe[3040] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
.text C:\WINDOWS\system32\wuauclt.exe[3040] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A
.text C:\WINDOWS\system32\wuauclt.exe[3040] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3644] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A4000A
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3644] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A5000A
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[3644] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A3000C

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP3T0L0-11 8AD6939B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8AD6939B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8AD6939B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8AD6939B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8AD6939B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP3T1L0-19 8AD6939B
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskMaxtor_6L100M0__________________________BACE1G10#324c39345339475a202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 08: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

---- EOF - GMER 1.0.15 ----


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 5/5/2006 7:31:27 PM
System Uptime: 12/27/2010 8:43:24 PM (0 hours ago)

Motherboard: ASUSTek Computer INC. | | Amberine M
Processor: AMD Sempron™ Processor 3400+ | Socket 939 | 1989/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 93 GiB total, 28.856 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\9B35BF11D800
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\9B35BF11D800
Service: NIC1394

==== System Restore Points ===================

RP1: 12/12/2010 9:40:12 PM - System Checkpoint
RP2: 12/12/2010 10:02:38 PM - hit again
RP3: 12/13/2010 8:18:52 AM - CA In
RP4: 12/13/2010 8:53:03 AM - CA Out
RP5: 12/14/2010 9:39:38 PM - Crossed Fingers
RP6: 12/17/2010 11:41:46 AM - System Checkpoint

==== Installed Programs ======================

1-Wire Drivers Version 4.02
245MetaGenerator
Adobe Acrobat 7.0 Professional
Adobe Acrobat 7.1.0 Professional
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.9
AIM 6.0
AnalogX NetStat Live
Apple Software Update
APRS Emergency Ver. 1.11
ARC XT for Uniden XT series
ARC15PRO for Uniden BCT-15
ARC160 for Radioshack PRO-160 and PRO-162
ARC246 for Uniden BC246T
ARC250 PRO
ARC300 for GRE and Radioshack 300/400/163/164/97/2055
ARC330 for Uniden BR330T
ARC396 for Uniden BCD396T
ARC433 for Radioshack PRO433/PRO528/PRO2051
ARC500 for GRE PSR500 and PSR600
ARC780 for Uniden BC780XLT
ARC8 software for Uniden BCT8
ARC898T
ARC96 for Radioshack PRO-96 and PRO-2096
ARC996PRO for Uniden BCD996T
ATI - Software Uninstall Utility
ATI Display Driver
Audacity 1.2.6
Audio Tag Editor
BC_VUP
BCD396T_ESN_Loader_V1_20_13
BCD396T_UASD
Belkin Bulldog Plus
Brother Internet Print 1.64
Brother MFL-Pro Suite
Brother Peer to Peer Print (NetBIOS) 1.16
CA Pest Patrol Realtime Protection
Compatibility Pack for the 2007 Office system
Crystal Reports Basic Runtime for Visual Studio 2008
Delta
DTMF Decoder
EchoAnswer Version 1.1.144
EchoLink
EchoLink Auto Connect 1.31
FileZilla (remove only)
FileZilla Client 3.2.4
FileZilla Server (remove only)
FT-60 Commander v1.0.0
FTBVX3
FTBVX8
FTBVX8G
FTDI USB Serial Converter Drivers
G4FON Koch Method Morse Trainer
Gallery Remote
GIMP 2.6.10
Google Chrome
Google Earth
Google Update Helper
Google Updater
GuildFTPd FTP Deamon
Ham Radio Deluxe
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Multimedia Keyboard Software
IC-PCR100
Icecast 2.3.2
Icom CS-R5
Icom RS-91
ICOM USB-to-Serial
Icon Sucker 2 Standard Edition
ICQ 5.1
iTunes
J2SE Runtime Environment 5.0 Update 6
Java™ 6 Update 17
Java™ 6 Update 7
jlGui 3.0
Just Learn Morse Code
KPG-49D
KPG-70D
LizardTech DjVu Control
Logitech Desktop Messenger
Logitech QuickCam Software
Logitech® Camera Driver
Malwarebytes' Anti-Malware
MCP-2A (Remove only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft IntelliPoint 6.01
Microsoft IntelliType Pro 6.3
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Security Essentials
Microsoft Speech SDK 5.1
Microsoft SQL Server 2008
Microsoft SQL Server 2008 Browser
Microsoft SQL Server 2008 Common Files
Microsoft SQL Server 2008 Database Engine Services
Microsoft SQL Server 2008 Database Engine Shared
Microsoft SQL Server 2008 Native Client
Microsoft SQL Server 2008 RsFx Driver
Microsoft SQL Server 2008 Setup Support Files (English)
Microsoft SQL Server Management Studio Express
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft XML Parser
MMSSTV - Version 1.11G
Mozilla Firefox (3.6.13)
Mozilla Thunderbird (2.0.0.24)
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB954459)
N3FJP's WX Warning Program
Nero 8
neroxml
NetMos Multi-IO Controller
No-IP.com DUC (remove only)
Notepad++
OneWireViewer Application
OpenOffice.org 2.0
Orbitron - Satellite Tracking System
PA7RHM UI-View32 Map Server 1.010
Paclink MP
Panda ActiveScan 2.0
PCR Server
PCR Server (C:\Program Files\PCR Server\)
PCR Server (C:\Program Files\PCR Server\) #3
PCR Server (C:\Program Files\PCR Server\) #4
PCR Server (C:\Program Files\PCR Server\) #5
PCR1000BUR
PCRPro
PCSAT Telemetry Decoder
ProScan Client
ProScan Client 1.8
PS2
PX6IN1
QuickTime
Radio Toolbox
RadioCommander
RealPlayer
Realtek AC'97 Audio
Scancat-Lite-Plus-Demo 1.2.9
Scancat-Lite-Plus 1.4.1
ScanControl
Scanner Recorder
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Encoder (KB979332)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Segoe UI
Shortwave Log
SimpleCast (remove only)
Spybot - Search & Destroy
Sql Server Customer Experience Improvement Program
Stand-Alone 4ch DVR
Talkgroup Monitor
TeamSpeak 2 RC2
TightVNC 2.0.2
Trillian
TweetDeck
UI-Instant Messenger
UI-PHG-DFS
UI-View32
UltraEdit-32
UniTrunker
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB969497)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VCRedistSetup
Vidmex 1.3
Viewpoint Media Player
Virtual Audio Cable 4.9
VX-7 Commander v1.3.4
W95SSTV
WD SmartWare
WebFldrs XP
WebView
Whitesmoke Translator
Winamp
Windows Driver Package - FTDI FTDI VCP Driver Package (12/12/2005 1.00.2176)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows Movie Maker 2.0
Windows PowerShell™ 1.0
Windows Resource Kit Tools
Windows XP Service Pack 3
WinMerge 2.6.12.0
WinPcap 4.0.2
WinRAR archiver
WinSCP 4.1.9
WinZip
Wireshark 0.99.7
WXSpots Log
XML Paper Specification Shared Components Pack 1.0
YAMAHA DS-XG WDM

==== Event Viewer Messages From Past Week ========

12/27/2010 8:56:49 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1651.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=1.1.6402.0&avdelta=1.95.1651.0&asdelta=1.95.1651.0&prod=BCF43643-A118-4432-AEDE-D861FCBCFCDE Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
12/27/2010 8:56:49 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1651.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=1.1.6402.0&avdelta=1.95.1651.0&asdelta=1.95.1651.0&prod=BCF43643-A118-4432-AEDE-D861FCBCFCDE Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
12/27/2010 8:56:49 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1651.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=1.1.6402.0&avdelta=1.95.1651.0&asdelta=1.95.1651.0&prod=BCF43643-A118-4432-AEDE-D861FCBCFCDE Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
12/27/2010 8:56:49 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1651.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=1.1.6402.0&avdelta=1.95.1651.0&asdelta=1.95.1651.0&prod=BCF43643-A118-4432-AEDE-D861FCBCFCDE Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
12/27/2010 8:56:47 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1651.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
12/27/2010 8:51:31 PM, error: Service Control Manager [7016] - The BrSplService service has reported an invalid current state 0.
12/26/2010 11:29:07 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Beep DS1410D Fips MpFilter Processor
12/25/2010 12:51:04 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/25/2010 12:46:53 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Beep
12/25/2010 12:46:52 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the WD SmartWare Background Service service to connect.
12/25/2010 12:46:21 PM, error: System Error [1003] - Error code 1000008e, parameter1 c000009a, parameter2 804eb1d2, parameter3 a73887c8, parameter4 00000000.
12/25/2010 1:01:25 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1651.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=1.1.6402.0&avdelta=1.95.1651.0&asdelta=1.95.1651.0&prod=BCF43643-A118-4432-AEDE-D861FCBCFCDE Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
12/25/2010 1:01:25 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1651.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=1.1.6402.0&avdelta=1.95.1651.0&asdelta=1.95.1651.0&prod=BCF43643-A118-4432-AEDE-D861FCBCFCDE Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
12/25/2010 1:01:25 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1651.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=1.1.6402.0&avdelta=1.95.1651.0&asdelta=1.95.1651.0&prod=BCF43643-A118-4432-AEDE-D861FCBCFCDE Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
12/25/2010 1:01:25 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1651.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=1.1.6402.0&avdelta=1.95.1651.0&asdelta=1.95.1651.0&prod=BCF43643-A118-4432-AEDE-D861FCBCFCDE Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
12/25/2010 1:01:22 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1651.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode
12/25/2010 1:01:22 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
12/22/2010 9:12:51 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1651.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=1.1.6402.0&avdelta=1.95.1651.0&asdelta=1.95.1651.0&prod=BCF43643-A118-4432-AEDE-D861FCBCFCDE Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
12/22/2010 9:12:51 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1651.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=1.1.6402.0&avdelta=1.95.1651.0&asdelta=1.95.1651.0&prod=BCF43643-A118-4432-AEDE-D861FCBCFCDE Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
12/22/2010 9:12:51 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1651.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=1.1.6402.0&avdelta=1.95.1651.0&asdelta=1.95.1651.0&prod=BCF43643-A118-4432-AEDE-D861FCBCFCDE Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
12/22/2010 9:12:51 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1651.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=1.1.6402.0&avdelta=1.95.1651.0&asdelta=1.95.1651.0&prod=BCF43643-A118-4432-AEDE-D861FCBCFCDE Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
12/22/2010 9:12:34 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.95.1651.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6402.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode

==== End Of File ===========================

Edited by Liquid_Squelch, 27 December 2010 - 10:12 PM.


#4 Liquid_Squelch

Liquid_Squelch
  • Topic Starter

  • Members
  • 18 posts
  • Gender:Male
  • Local time:12:01 PM

Posted 27 December 2010 - 10:06 PM

(reply not needed)

Edited by Liquid_Squelch, 27 December 2010 - 10:11 PM.


#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:01 PM

Posted 01 January 2011 - 02:36 PM

Hello

My name is gringo and I will be helping you from this point forward.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please Do not Attach logs or put in code boxes unless I tell you so.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.

If you have not done so please Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Here is the first thing I would like you to do.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#6 Liquid_Squelch

Liquid_Squelch
  • Topic Starter

  • Members
  • 18 posts
  • Gender:Male
  • Local time:12:01 PM

Posted 02 January 2011 - 07:09 PM

Gringo,
Thank you for the help.

When I started to run Combo Fix, it stated that CA Antivirus was running. I've uninstalled CA Antivirus, but it must still be deeply rooting into my machine. I may need some help removing that.

Also - I'm seeing TDL3 Rootkit alert on Combofix, as well as what looks to be a proxy running off of 127.0.0.1:5555, which I know is my local pc's loop connection. Finally, I had two crash alerts pop-up when I was running combofix. One was for Win32, and the other was for qYau. Both were _____ Encountered an error dialog boxes.

Again - thank you for the help.
Below are my combo fix logs:

ComboFix 11-01-02.02 - Phil 01/02/2011 18:29:22.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2750.2189 [GMT -5:00]
Running from: c:\documents and settings\Phil\Desktop\ComboFix.exe
AV: CA Anti-Virus *Enabled/Outdated* {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
AV: Microsoft Security Essentials *Disabled/Outdated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Phil\Local Settings\Temporary Internet Files\cookies.sqlite
c:\windows\bimudubyk.exe
c:\windows\ekabewerecome.dll
c:\windows\etimu._sy
c:\windows\idazinufeworitul.dll
c:\windows\iyesilarefozuzi.dll
c:\windows\ojibuworu.dll
c:\windows\ozodarex.dll
c:\windows\ST6UNST.000
c:\windows\system32\Temp
c:\windows\uqobuzitowayew.dll

.
((((((((((((((((((((((((( Files Created from 2010-12-02 to 2011-01-02 )))))))))))))))))))))))))))))))
.

2011-01-02 23:12 . 2010-11-16 17:01 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-01-02 23:11 . 2010-11-16 17:01 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B1A53352-3A06-4DAA-ACEC-3433451C6C7D}\mpengine.dll
2010-12-17 15:47 . 2010-12-17 15:47 -------- d-----w- c:\documents and settings\Phil\Local Settings\Application Data\Western_Digital
2010-12-16 00:15 . 2010-12-16 00:15 -------- d-----w- c:\documents and settings\Phil\Application Data\Western Digital
2010-12-16 00:03 . 2010-12-16 00:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Western Digital
2010-12-16 00:03 . 2010-12-16 00:03 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ServiceTest
2010-12-16 00:02 . 2009-02-13 16:02 11520 ----a-w- c:\windows\system32\drivers\wdcsam.sys
2010-12-16 00:00 . 2010-12-16 00:00 -------- d-----w- c:\program files\Western Digital
2010-12-15 23:58 . 2010-12-15 23:58 -------- d-----w- c:\documents and settings\Phil\Local Settings\Application Data\Western Digital
2010-12-15 02:18 . 2010-12-15 02:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-12-14 02:16 . 2010-12-14 23:36 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-14 02:16 . 2010-12-14 13:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-12-13 08:12 . 2010-12-13 08:12 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Thunderbird
2010-12-13 08:12 . 2010-12-13 08:12 -------- d-----w- c:\documents and settings\LocalService\Application Data\Thunderbird
2010-12-13 02:58 . 2010-12-13 03:00 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-12-13 02:52 . 2010-12-13 02:52 -------- d-----w- c:\documents and settings\NetworkService\Application Data\WhiteSmokeSetup
2010-12-12 17:04 . 2010-12-12 17:04 0 ----a-w- c:\windows\system32\lsp5C.tmp
2010-12-11 21:34 . 2010-12-11 21:34 -------- d-----w- c:\documents and settings\Phil\Local Settings\Application Data\{B6CBFFC2-0279-44C2-A31E-A2DDEFEAE619}
2010-12-11 19:37 . 2010-12-11 19:37 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-12-11 10:20 . 2010-12-11 10:20 -------- d-----w- c:\windows\system32\%APPDATA%

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-04 04:45 . 2009-09-29 02:38 249856 ------w- c:\windows\Setup1.exe
2010-12-04 04:45 . 2006-05-14 13:26 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-11-29 22:42 . 2008-11-15 04:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 22:42 . 2008-11-15 04:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2008-11-15 03:41 . 2008-11-15 03:41 19316 ----a-w- c:\program files\Common Files\veforexa.bin
2008-11-15 03:41 . 2008-11-15 03:41 10096 ----a-w- c:\program files\Common Files\edibylucu.dll
2007-05-22 23:14 . 2007-04-29 17:07 8784 ----a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-05-22 23:17 . 2007-04-29 17:07 245408 ----a-w- c:\program files\mozilla firefox\plugins\unicows.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-06-24 1840424]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tvncontrol"="c:\program files\TightVNC\tvnserver.exe" [2010-07-08 815704]
"PS2"="c:\windows\system32\ps2.exe" [2004-10-25 90112]
"NetStat Live"="c:\program files\AnalogX\NetStat Live\nsl.exe" [2008-10-26 126980]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-06-19 570664]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-06-08 2221352]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896]
"DeltTray"="DeltTray.exe" [2004-08-27 56320]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 851968]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-13 483328]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-1-7 25214]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Launch Whitesmoke Translator.lnk - c:\program files\WhiteSmoke Translator\WSTrayDictMode.exe [N/A]
Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2009-8-22 819200]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /k:C *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^UI-View32.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\UI-View32.lnk
backup=c:\windows\pss\UI-View32.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Phil^Desktop^Startup^NCPD.lnk]
path=c:\documents and settings\Phil\Desktop\Startup\NCPD.lnk
backup=c:\windows\pss\NCPD.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Phil^Desktop^Startup^No-IP DUC.lnk]
path=c:\documents and settings\Phil\Desktop\Startup\No-IP DUC.lnk
backup=c:\windows\pss\No-IP DUC.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Phil^Desktop^Startup^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\Phil\Desktop\Startup\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\Program Files
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\program files\1&1
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\program files\1&1\1&1 EasyLogin

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\program files\1&1\1&1 EasyLogin\EasyLogin.exe]
1&1 EasyLogin HIDE [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2006-05-10 00:24 50760 ----a-w- c:\program files\Common Files\AOL\1146936353\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-03-14 23:05 257088 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-02-16 14:54 282624 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-04-17 21:31 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UPS-Status]
2006-11-15 16:22 69632 ----a-w- c:\program files\Belkin Bulldog Plus\UPS-Status.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"VETMSGNT"=2 (0x2)
"CAISafe"=2 (0x2)
"Icecast"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1146936353\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1146936353\\ee\\aim6.exe"=
"c:\\Program Files\\SpacialAudio\\SimpleCast 1\\SimpleCast.exe"=
"c:\\Program Files\\SpacialAudio\\SimpleCast 3\\SimpleCast.exe"=
"c:\\Proxy\\serproxy.exe"=
"c:\\Program Files\\SpacialAudio\\SimpleCast 2\\SimpleCast.exe"=
"c:\\Program Files\\GuildFTPd\\GuildFTPd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\ICQLite\\ICQLite.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Icecast2 Win32\\Icecast2.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Icecast2 Win32\\Icetrunk\\Icecast2win.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\WinSCP3\\WinSCP.exe"=
"c:\\Program Files\\K1RFD\\EchoLink\\EchoLink.exe"=
"c:\\Program Files\\APRS\\UI-View32\\UI-WebServer\\uiwebsrv.exe"=
"c:\\Paclink MP\\Bin\\Paclink MP.exe"=
"c:\\Program Files\\APRS\\UI-View32\\Uiview32.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\SpacialAudio\\SimpleCast 4\\SimpleCast.exe"=
"c:\\Program Files\\Amateur Radio\\Ham Radio Deluxe\\HamRadioDeluxe.exe"=
"c:\\Program Files\\Amateur Radio\\Ham Radio Deluxe\\HRDLogbook.exe"=
"c:\\Program Files\\APRS\\UI-View32\\PA7RHM\\Map Server\\InitPA7RHMsvr.exe"=
"c:\\Program Files\\BuTel\\ARCXT\\arcxt.exe"=
"c:\\Program Files\\BuTel\\ARC15PRO\\ARC15P.exe"=
"c:\\Program Files\\TightVNC\\tvnserver.exe"=
"c:\\Program Files\\TightVNC\\vncviewer.exe"=
"c:\\Program Files\\PCR Server\\PcrServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5198:UDP"= 5198:UDP:Echolink UDP 5198
"5199:UDP"= 5199:UDP:ECHOLINK UDP 5199

R2 HRD RemoteSvr;Ham Radio Deluxe Remote Server;c:\program files\Amateur Radio\Ham Radio Deluxe\HRDRemoteSvr.exe [10/12/2008 6:24 PM 196608]
R2 tvnserver;TightVNC Server;c:\program files\TightVNC\tvnserver.exe [7/8/2010 8:28 AM 815704]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [1/21/2010 4:24 PM 110592]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 8:58 AM 20480]
R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [9/8/2008 8:50 PM 50944]
S2 gupdate1c9bfa3ff7897bc;Google Update Service (gupdate1c9bfa3ff7897bc);c:\program files\Google\Update\GoogleUpdate.exe [4/17/2009 4:32 PM 133104]
S3 EdgeSer;Edgeport Serial Port Driver for Windows 2000, XP, Vista & Server 2003;c:\windows\system32\drivers\edgeser.sys [6/18/2010 10:46 PM 229376]
S3 Ionenum;Edgeport Filter Driver;c:\windows\system32\drivers\ionenum.sys [6/18/2010 10:46 PM 17920]
S3 KLSIENET;Driver for USB Ethernet Adapter;c:\windows\system32\drivers\usb101et.sys [1/12/2007 11:09 PM 32384]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 3:22 PM 34064]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [12/15/2010 7:02 PM 11520]
S4 Icecast;Icecast Media Server;c:\program files\Icecast2 Win32\icecastService.exe [5/5/2006 10:54 PM 393216]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 7:28 PM 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 2:49 AM 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [7/10/2008 7:28 PM 369688]
.
Contents of the 'Scheduled Tasks' folder

2010-09-14 c:\windows\Tasks\9-11_Stream.job
- c:\documents and settings\Phil\Desktop\9-11\FDNY Audio\Recoded\9-11_Stream.m3u [2008-09-10 00:36]

2009-12-17 c:\windows\Tasks\ARESMTG_obj_create.job
- c:\program files\APRS\ARESMTG_obj_create.vbs [2009-01-22 04:48]

2010-02-21 c:\windows\Tasks\ARESMTG_obj_del.job
- c:\program files\APRS\ARESMTG_obj_del.vbs [2009-01-22 04:48]

2010-02-21 c:\windows\Tasks\ARESMTG_obj_del_special.job
- c:\program files\APRS\ARESMTG_obj_del.vbs [2009-01-22 04:48]

2010-02-21 c:\windows\Tasks\ARES_obj_create.job
- c:\program files\APRS\ARES_obj_create.vbs [2009-01-12 06:36]

2010-02-21 c:\windows\Tasks\ARES_obj_del.job
- c:\program files\APRS\ARES_obj_del.vbs [2009-01-12 06:36]

2010-12-09 c:\windows\Tasks\FDRANTRADIO.job
- c:\documents and settings\Phil\Desktop\fdrantradio\FDRANTRADIO.m3u [2010-09-22 18:23]

2010-11-09 c:\windows\Tasks\Forced Reboot.job
- c:\documents and settings\Phil\Desktop\Forced Reboot.lnk [2006-07-27 03:59]

2011-01-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-17 21:31]

2011-01-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-17 21:32]

2011-01-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-17 21:32]

2009-12-27 c:\windows\Tasks\HELPCHRTY_obj_del.job
- c:\program files\APRS\HELPCHRTY_obj_del.vbs [2009-12-23 05:37]

2010-06-19 c:\windows\Tasks\monitor.job
- c:\monitor\Com 4\monitor.exe [2009-05-19 01:56]

2011-01-02 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 02:40]

2010-06-19 c:\windows\Tasks\ncfd-west.job
- c:\streamripper\ncfd-west.bat [2007-05-05 00:51]

2010-06-19 c:\windows\Tasks\ncfd_archive.job
- c:\documents and settings\Phil\Desktop\Live Feeds\ncfd_archive.lnk [2010-05-27 03:13]

2010-05-28 c:\windows\Tasks\ncpd_archive.job
- c:\documents and settings\Phil\Desktop\Live Feeds\ncpd_archive.lnk [2010-05-27 03:23]

2011-01-02 c:\windows\Tasks\NEWYEAR_obj_create.job
- c:\program files\APRS\NEWYEAR_obj_create.vbs [2009-12-23 05:51]

2011-01-02 c:\windows\Tasks\NEWYEAR_obj_del.job
- c:\program files\APRS\NEWYEAR_obj_del.vbs [2009-12-23 05:53]

2010-12-28 c:\windows\Tasks\SANTA-1_obj_create.job
- c:\program files\APRS\SANTA-1_obj_create.vbs [2009-12-23 05:44]

2011-01-02 c:\windows\Tasks\SANTA-1_obj_del.job
- c:\program files\APRS\SANTA-1_obj_del.vbs [2009-12-23 05:38]

2010-12-11 c:\windows\Tasks\scfd-east.job
- c:\streamripper\scfd-east.bat [2008-03-30 02:24]

2010-06-19 c:\windows\Tasks\scfd_archive.job
- c:\documents and settings\Phil\Desktop\Live Feeds\scfd_archive.lnk [2010-05-27 03:28]

2010-06-19 c:\windows\Tasks\SimpleCast Special.job
- c:\documents and settings\Phil\Desktop\Live Feeds\SimpleCast Special.lnk [2009-02-17 04:48]

2010-02-21 c:\windows\Tasks\SKYWARN_obj_create.job
- c:\program files\APRS\SKYWARN_obj_create.vbs [2009-01-18 20:04]

2010-02-21 c:\windows\Tasks\SKYWARN_obj_del.job
- c:\program files\APRS\SKYWARN_obj_del.vbs [2009-01-18 20:04]

2010-12-11 c:\windows\Tasks\special_archive.job
- c:\documents and settings\Phil\Desktop\Live Feeds\special_archive.lnk [2010-05-27 03:23]

2011-01-02 c:\windows\Tasks\w2lie-sql_tables.job
- c:\program files\WinSCP3\w2lie-sql_tables.bat [2009-09-21 05:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: w2lie.net\www
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {4D830200-C534-435F-8ECA-955EEBB8DB34} - hxxp://www.visualradio.de/download/sdr_ocx.cab
FF - ProfilePath - c:\documents and settings\Phil\Application Data\Mozilla\Firefox\Profiles\lqyyugge.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://www.whitesmokestart.com/s/?src=FF-Address&site=Yahoo!&cfg=2-267-0-0&q=
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: e107 Debugger: {ce54f00e-29ba-444c-ab72-f845d4c57612} - %profile%\extensions\{ce54f00e-29ba-444c-ab72-f845d4c57612}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: XULRunner: {B6CBFFC2-0279-44C2-A31E-A2DDEFEAE619} - c:\documents and settings\Phil\Local Settings\Application Data\{B6CBFFC2-0279-44C2-A31E-A2DDEFEAE619}
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-Norton SystemWorks - c:\program files\Norton SystemWorks\cfgwiz.exe
MSConfigStartUp-CAVRID - c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
MSConfigStartUp-Otisiyovuzika - c:\windows\w3dlet.dll
MSConfigStartUp-QOELOADER - c:\program files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe
MSConfigStartUp-VetStart - c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-02 18:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Maxtor_6L100M0 rev.BACE1G10 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AD69555]<<
c:\docume~1\Phil\LOCALS~1\Temp\catchme.sys
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8ad6f7b0]; MOV EAX, [0x8ad6f82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8ADC7AB8]
3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\0000005f[0x8AD9C160]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8AE0ED98]
\Driver\atapi[0x8AD25820] -> IRP_MJ_CREATE -> 0x8AD69555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskMaxtor_6L100M0__________________________BACE1G10#324c39345339475a202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8AD6939B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(596)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(656)
c:\windows\system32\WININET.dll
.
Completion time: 2011-01-02 19:03:07
ComboFix-quarantined-files.txt 2011-01-03 00:03

Pre-Run: 30,719,877,120 bytes free
Post-Run: 30,913,765,376 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 05A0FEC56C3776F0D6B8E00BF9FA2180

#7 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:01 PM

Posted 02 January 2011 - 07:32 PM

Hello

It looks like the rootkit is still active. I want you to run this tool for me next.

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#8 Liquid_Squelch

Liquid_Squelch
  • Topic Starter

  • Members
  • 18 posts
  • Gender:Male
  • Local time:12:01 PM

Posted 02 January 2011 - 09:30 PM

Gringo,
Thanks again for the help. After running TDSSKiller, I am still seeing the "Whitesmoke Translator" pop-up box on my desktop.

TDSSKiller did find one Rootkit and I clicked "Continue" when Cure was the option.

Thanks again


2011/01/02 21:18:39.0218 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2011/01/02 21:18:39.0218 ================================================================================
2011/01/02 21:18:39.0218 SystemInfo:
2011/01/02 21:18:39.0218
2011/01/02 21:18:39.0218 OS Version: 5.1.2600 ServicePack: 3.0
2011/01/02 21:18:39.0218 Product type: Workstation
2011/01/02 21:18:39.0218 ComputerName: RADIO
2011/01/02 21:18:39.0218 UserName: Phil
2011/01/02 21:18:39.0218 Windows directory: C:\WINDOWS
2011/01/02 21:18:39.0218 System windows directory: C:\WINDOWS
2011/01/02 21:18:39.0218 Processor architecture: Intel x86
2011/01/02 21:18:39.0218 Number of processors: 1
2011/01/02 21:18:39.0218 Page size: 0x1000
2011/01/02 21:18:39.0218 Boot type: Normal boot
2011/01/02 21:18:39.0218 ================================================================================
2011/01/02 21:18:40.0062 Initialize success
2011/01/02 21:18:47.0781 ================================================================================
2011/01/02 21:18:47.0781 Scan started
2011/01/02 21:18:47.0781 Mode: Manual;
2011/01/02 21:18:47.0781 ================================================================================
2011/01/02 21:18:49.0062 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/01/02 21:18:49.0218 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/01/02 21:18:49.0484 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/01/02 21:18:49.0640 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/01/02 21:18:50.0140 ALCXWDM (7f26d024355cbadb60838f53dfb171ec) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2011/01/02 21:18:50.0562 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/01/02 21:18:50.0921 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/01/02 21:18:51.0031 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/01/02 21:18:51.0296 ati2mtag (7a6cf9f411a9c5bd5c442a1cd46af401) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/01/02 21:18:51.0515 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/01/02 21:18:51.0656 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/01/02 21:18:52.0125 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/01/02 21:18:52.0265 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/01/02 21:18:52.0671 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/01/02 21:18:52.0750 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/01/02 21:18:52.0843 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/01/02 21:18:53.0125 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/01/02 21:18:53.0609 DELTA (fff42aca78b2e6369f98c8c672375e0a) C:\WINDOWS\system32\DRIVERS\delta.sys
2011/01/02 21:18:53.0765 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/01/02 21:18:53.0937 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/01/02 21:18:54.0125 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/01/02 21:18:54.0281 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/01/02 21:18:54.0500 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/01/02 21:18:54.0671 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/01/02 21:18:54.0953 ds1 (fca0f5e7bb2e8d88392198f47d8c7df2) C:\WINDOWS\system32\drivers\Ds1.sys
2011/01/02 21:18:55.0171 DS1410D (01dd1db0156d0ca545eb779fbfaec6fa) C:\WINDOWS\system32\drivers\DS1410D.sys
2011/01/02 21:18:55.0296 EdgeSer (6ca0b8520a73bfec68088f10cccaec7c) C:\WINDOWS\system32\DRIVERS\edgeser.sys
2011/01/02 21:18:55.0500 es1371 (24e564f710d887ecc75cfe59882ecc5d) C:\WINDOWS\system32\drivers\es1371mp.sys
2011/01/02 21:18:55.0593 EuMusDesignVirtualAudioCableWdm (b27707bce98cb02eac9be5967096e75a) C:\WINDOWS\system32\DRIVERS\vrtaucbl.sys
2011/01/02 21:18:55.0750 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/01/02 21:18:55.0937 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/01/02 21:18:56.0031 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/01/02 21:18:56.0171 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/01/02 21:18:56.0265 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/01/02 21:18:56.0515 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/01/02 21:18:56.0640 FTDIBUS (b7aa8283ec551d3a3b924e520e0621a7) C:\WINDOWS\system32\drivers\ftdibus.sys
2011/01/02 21:18:56.0718 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/01/02 21:18:56.0812 FTSER2K (596d31583ce332b5514520d74837f434) C:\WINDOWS\system32\drivers\ftser2k.sys
2011/01/02 21:18:56.0921 GEARAspiWDM (4ac51459805264affd5f6fdfb9d9235f) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2011/01/02 21:18:57.0125 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/01/02 21:18:57.0234 HidBatt (748031ff4fe45ccc47546294905feab8) C:\WINDOWS\system32\DRIVERS\HidBatt.sys
2011/01/02 21:18:57.0609 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/01/02 21:18:57.0859 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/01/02 21:18:58.0234 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/01/02 21:18:58.0718 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/01/02 21:18:58.0984 Ionenum (9135f94184dd4add6b6b421087fd37f4) C:\WINDOWS\system32\DRIVERS\ionenum.sys
2011/01/02 21:18:59.0140 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/01/02 21:18:59.0265 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/01/02 21:18:59.0828 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/01/02 21:19:00.0000 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/01/02 21:19:00.0109 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/01/02 21:19:00.0312 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/01/02 21:19:00.0609 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/01/02 21:19:01.0062 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/01/02 21:19:01.0265 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/01/02 21:19:01.0625 KLSIENET (24bb6ca00ed8c91dae2fd13e5f6eec39) C:\WINDOWS\system32\DRIVERS\usb101et.sys
2011/01/02 21:19:01.0765 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/01/02 21:19:01.0953 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/01/02 21:19:02.0218 LVUSBSta (a730fc8671a60666d6e877c544dd7cd4) C:\WINDOWS\system32\drivers\lvusbsta.sys
2011/01/02 21:19:02.0593 mf (a7da20ab18a1bdae28b0f349e57da0d1) C:\WINDOWS\system32\DRIVERS\mf.sys
2011/01/02 21:19:02.0687 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/01/02 21:19:02.0859 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/01/02 21:19:02.0984 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/01/02 21:19:03.0203 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/01/02 21:19:03.0781 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/01/02 21:19:03.0875 MpFilter (c98301ad8173a2235a9ab828955c32bb) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
2011/01/02 21:19:04.0046 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/01/02 21:19:04.0203 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/01/02 21:19:04.0656 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/01/02 21:19:04.0828 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/01/02 21:19:04.0984 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/01/02 21:19:05.0093 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/01/02 21:19:05.0234 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/01/02 21:19:05.0656 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/01/02 21:19:05.0828 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/01/02 21:19:05.0953 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/01/02 21:19:06.0562 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/01/02 21:19:06.0687 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/01/02 21:19:06.0843 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/01/02 21:19:06.0921 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/01/02 21:19:07.0015 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/01/02 21:19:07.0078 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/01/02 21:19:07.0234 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/01/02 21:19:07.0640 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/01/02 21:19:07.0796 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/01/02 21:19:08.0000 nm (1e421a6bcf2203cc61b821ada9de878b) C:\WINDOWS\system32\DRIVERS\NMnt.sys
2011/01/02 21:19:08.0140 NPF (6623e51595c0076755c29c00846c4eb2) C:\WINDOWS\system32\drivers\npf.sys
2011/01/02 21:19:08.0312 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/01/02 21:19:08.0921 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/01/02 21:19:09.0062 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/01/02 21:19:09.0218 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/01/02 21:19:09.0312 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/01/02 21:19:09.0812 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/01/02 21:19:09.0906 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/01/02 21:19:10.0078 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/01/02 21:19:10.0156 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/01/02 21:19:10.0265 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/01/02 21:19:11.0203 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/01/02 21:19:11.0421 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/01/02 21:19:12.0109 pepifilter (2a3efd6c3f116675d149da5e36a010a4) C:\WINDOWS\system32\DRIVERS\lv302af.sys
2011/01/02 21:19:12.0656 PID_08A0 (cebefeae6156f4fee41f56be89ea9c96) C:\WINDOWS\system32\DRIVERS\LV302AV.SYS
2011/01/02 21:19:12.0890 PID_0928 (5bd2c6d982481d548107c602e7ccfbbc) C:\WINDOWS\system32\DRIVERS\LV561AV.SYS
2011/01/02 21:19:13.0031 Point32 (5c71f7cdd1b4ba5f00b87ca05e414aea) C:\WINDOWS\system32\DRIVERS\point32.sys
2011/01/02 21:19:13.0187 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/01/02 21:19:13.0328 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/01/02 21:19:13.0625 Ps2 (0e2eb30605ca6ed2509d59af6a7362b4) C:\WINDOWS\system32\DRIVERS\PS2.sys
2011/01/02 21:19:13.0812 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/01/02 21:19:14.0015 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/01/02 21:19:14.0156 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/01/02 21:19:14.0875 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/01/02 21:19:15.0031 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/01/02 21:19:15.0156 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/01/02 21:19:15.0281 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/01/02 21:19:15.0656 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/01/02 21:19:15.0812 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/01/02 21:19:15.0984 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/01/02 21:19:16.0187 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/01/02 21:19:16.0515 RsFx0102 (fedd2710b75be3ecf078adace790c423) C:\WINDOWS\system32\DRIVERS\RsFx0102.sys
2011/01/02 21:19:16.0671 RTL8023xp (7f0413bdd7d53eb4c7a371e7f6f84df1) C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys
2011/01/02 21:19:16.0875 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2011/01/02 21:19:17.0109 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/01/02 21:19:17.0265 Ser2pl (a58d35276409f75ba40139934ca4803c) C:\WINDOWS\system32\DRIVERS\ser2pl.sys
2011/01/02 21:19:17.0796 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/01/02 21:19:17.0906 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/01/02 21:19:18.0156 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/01/02 21:19:18.0687 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/01/02 21:19:18.0906 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/01/02 21:19:19.0046 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/01/02 21:19:19.0218 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/01/02 21:19:19.0546 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
2011/01/02 21:19:19.0671 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/01/02 21:19:19.0828 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/01/02 21:19:19.0984 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/01/02 21:19:20.0593 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/01/02 21:19:20.0796 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/01/02 21:19:20.0921 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/01/02 21:19:21.0078 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/01/02 21:19:21.0218 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/01/02 21:19:21.0734 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/01/02 21:19:21.0953 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/01/02 21:19:22.0234 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/01/02 21:19:22.0546 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/01/02 21:19:22.0750 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/01/02 21:19:22.0890 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/01/02 21:19:22.0968 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/01/02 21:19:23.0093 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/01/02 21:19:23.0500 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/01/02 21:19:23.0718 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/01/02 21:19:23.0921 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/01/02 21:19:24.0046 WDC_SAM (d6efaf429fd30c5df613d220e344cce7) C:\WINDOWS\system32\DRIVERS\wdcsam.sys
2011/01/02 21:19:24.0515 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/01/02 21:19:24.0781 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/01/02 21:19:24.0890 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/01/02 21:19:25.0046 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/01/02 21:19:25.0046 ================================================================================
2011/01/02 21:19:25.0046 Scan finished
2011/01/02 21:19:25.0046 ================================================================================
2011/01/02 21:19:25.0078 Detected object count: 1
2011/01/02 21:20:10.0328 \HardDisk0 - will be cured after reboot
2011/01/02 21:20:10.0328 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/01/02 21:20:19.0593 Deinitialize success
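
The TDSSKiller log above is long, and the one line that matters (the `\HardDisk0 - detected Rootkit.Win32.TDSS.tdl4` hit and the `Cure` action that follows it) is easy to miss among a few hundred driver entries. The following Python is an added triage example written for this thread; it is not part of TDSSKiller or anything the helpers here posted. It parses the log into a driver inventory (service name, MD5, path) and a list of detections joined with the action the user selected, then checks two things a responder wants to know before trusting a "cured" state: that the tool's own summary count agrees with the detection lines, and that no detection was left without an action. The sample input is constructed: real lines copied from the log above plus one made-up driver line (`example_svc`, placeholder all-zero MD5, a user `Temp` folder path) so the location check has something to flag.

```python
"""Triage helper for a TDSSKiller-style scan log (added example, not the tool's own code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: driver lines and the detection/summary lines copied from the
# log in this thread, plus one made-up entry ("example_svc", placeholder MD5) that
# loads from a user temp folder so drivers_outside_system32() has a hit.
SAMPLE_LOG = r"""
2011/01/02 21:19:20.0796 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/01/02 21:19:23.0093 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/01/02 21:19:24.0000 example_svc (00000000000000000000000000000000) C:\Documents and Settings\Phil\Local Settings\Temp\example.sys
2011/01/02 21:19:25.0046 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/01/02 21:19:25.0046 ================================================================================
2011/01/02 21:19:25.0046 Scan finished
2011/01/02 21:19:25.0046 ================================================================================
2011/01/02 21:19:25.0078 Detected object count: 1
2011/01/02 21:20:10.0328 \HardDisk0 - will be cured after reboot
2011/01/02 21:20:10.0328 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/01/02 21:20:19.0593 Deinitialize success
"""

# Every line starts with "YYYY/MM/DD HH:MM:SS.ffff "; the four line shapes we care about follow it.
TS = r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4} "
DRIVER_RE = re.compile(TS + r"(?P<name>\S+) \((?P<md5>[0-9a-fA-F]{32})\) (?P<path>.+)$")
DETECT_RE = re.compile(TS + r"(?P<target>\S+) - detected (?P<threat>\S+) \(\d+\)$")
COUNT_RE = re.compile(TS + r"Detected object count: (?P<n>\d+)$")
ACTION_RE = re.compile(TS + r"(?P<threat>[^(\s]+)\((?P<target>[^)]+)\) - User select action: (?P<action>\w+)$")

# Normal home of the drivers in this log, lower-cased for Windows' case-insensitive paths.
EXPECTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


@dataclass
class DriverEntry:
    name: str
    md5: str
    path: str


@dataclass
class Detection:
    target: str
    threat: str
    action: str = ""  # filled from the "User select action" line; empty if none was logged


@dataclass
class ScanReport:
    drivers: List[DriverEntry] = field(default_factory=list)
    detections: List[Detection] = field(default_factory=list)
    reported_count: int = 0

    def pending(self) -> List[Detection]:
        """Detections that were reported but never given an action."""
        return [d for d in self.detections if not d.action]

    def count_matches(self) -> bool:
        """Does the tool's own summary count agree with the detection lines we saw?"""
        return self.reported_count == len(self.detections)


def parse_tdsskiller_log(text: str) -> ScanReport:
    """Build a ScanReport from log text; unknown lines (banners, 'Scan finished') are skipped."""
    report = ScanReport()
    by_target: Dict[str, Detection] = {}
    for line in text.strip().splitlines():
        line = line.rstrip()
        m = DETECT_RE.match(line)
        if m:
            det = Detection(m["target"], m["threat"])
            report.detections.append(det)
            by_target[m["target"]] = det
            continue
        m = ACTION_RE.match(line)
        if m:
            det = by_target.get(m["target"])
            if det is not None and det.threat == m["threat"]:
                det.action = m["action"]
            continue
        m = COUNT_RE.match(line)
        if m:
            report.reported_count = int(m["n"])
            continue
        m = DRIVER_RE.match(line)
        if m:
            report.drivers.append(DriverEntry(m["name"], m["md5"], m["path"]))
    return report


def drivers_outside_system32(report: ScanReport) -> List[DriverEntry]:
    """Drivers loaded from anywhere but the normal driver directory; a user temp or
    profile folder is a location worth a second look."""
    return [d for d in report.drivers if not d.path.lower().startswith(EXPECTED_DRIVER_DIR)]


if __name__ == "__main__":
    rep = parse_tdsskiller_log(SAMPLE_LOG)
    print(f"{len(rep.drivers)} drivers, {len(rep.detections)} detections, count consistent: {rep.count_matches()}")
    for det in rep.detections:
        print(f"  {det.threat} on {det.target}: action={det.action or 'NONE'}")
    for drv in drivers_outside_system32(rep):
        print(f"  unusual location: {drv.name} -> {drv.path}")
```

The MD5 column is the reason to keep the driver inventory around: once the machine is clean, the same parser run over a fresh log gives a hash list to diff against, so a driver that changes hash or appears from a new path stands out without reading the whole log again.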

#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:01 PM

Posted 02 January 2011 - 09:56 PM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

Folder::
c:\documents and settings\NetworkService\Application Data\WhiteSmokeSetup
c:\documents and settings\Phil\Local Settings\Application Data\{B6CBFFC2-0279-44C2-A31E-A2DDEFEAE619}
c:\program files\WhiteSmoke Translator

File::
c:\program files\Common Files\veforexa.bin
c:\program files\Common Files\edibylucu.dll

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>

FireFox::
FF - ProfilePath - c:\documents and settings\Phil\Application Data\Mozilla\Firefox\Profiles\lqyyugge.default\
FF - prefs.js: keyword.URL - hxxp://www.whitesmokestart.com/s/?src=FF-Address&site=Yahoo!&cfg=2-267-0-0&q=
FF - Ext: XULRunner: {B6CBFFC2-0279-44C2-A31E-A2DDEFEAE619} - c:\documents and settings\Phil\Local Settings\Application Data\{B6CBFFC2-0279-44C2-A31E-A2DDEFEAE619}


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
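
The CFScript above does more than delete folders: the `DDS::` section undoes a proxy setting that pointed all HTTP traffic at a listener on the local machine (`127.0.0.1:5555`), and the `FireFox::` section undoes a search hijack (`keyword.URL` pointing at whitesmokestart.com) and removes an extension registered from a path outside the Firefox profile. The Python below is an added example written for this thread, not ComboFix code and not something the helper posted; it parses a CFScript into its `Name::` sections and reports those three hijack indicators from the `DDS::` and `FireFox::` lines. The sample script is the one posted above, copied verbatim; the allowlist of search hosts (`EXPECTED_SEARCH_HOSTS`) is an assumption a user would tune to whatever providers they actually chose.

```python
"""Pull browser/proxy hijack indicators out of a ComboFix CFScript (added example, not ComboFix code)."""
import ipaddress
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed sample: the CFScript text from the post above, copied verbatim.
SAMPLE_CFSCRIPT = r"""
Folder::
c:\documents and settings\NetworkService\Application Data\WhiteSmokeSetup
c:\documents and settings\Phil\Local Settings\Application Data\{B6CBFFC2-0279-44C2-A31E-A2DDEFEAE619}
c:\program files\WhiteSmoke Translator

File::
c:\program files\Common Files\veforexa.bin
c:\program files\Common Files\edibylucu.dll

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>

FireFox::
FF - ProfilePath - c:\documents and settings\Phil\Application Data\Mozilla\Firefox\Profiles\lqyyugge.default\
FF - prefs.js: keyword.URL - hxxp://www.whitesmokestart.com/s/?src=FF-Address&site=Yahoo!&cfg=2-267-0-0&q=
FF - Ext: XULRunner: {B6CBFFC2-0279-44C2-A31E-A2DDEFEAE619} - c:\documents and settings\Phil\Local Settings\Application Data\{B6CBFFC2-0279-44C2-A31E-A2DDEFEAE619}
"""

# Assumed allowlist: search providers the user would have picked on purpose.
EXPECTED_SEARCH_HOSTS = {"www.google.com", "search.yahoo.com", "www.bing.com"}

DDS_RE = re.compile(r"^uInternet Settings,(?P<key>\w+) = (?P<value>.*)$")
FF_RE = re.compile(r"^FF - (?P<rest>.*)$")


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split CFScript text into {section: [lines]} on its 'Name::' headers."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def proxy_endpoints(value: str) -> List[Tuple[str, str, int]]:
    """'http=127.0.0.1:5555;https=h:p' -> [('http','127.0.0.1',5555), ...].
    A bare 'host:port' applies to every protocol and is reported as proto '*'."""
    out: List[Tuple[str, str, int]] = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        proto, hostport = part.split("=", 1) if "=" in part else ("*", part)
        host, _, port = hostport.rpartition(":")
        if not host:  # no port given
            host, port = hostport, "0"
        out.append((proto, host, int(port) if port.isdigit() else 0))
    return out


def is_loopback(host: str) -> bool:
    """True for 'localhost' or any address in the loopback range (127.0.0.0/8, ::1)."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def hijack_indicators(sections: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """(kind, detail) pairs for: a loopback proxy, a search URL on an unexpected host,
    and an extension registered from outside the Firefox profile directory."""
    findings: List[Tuple[str, str]] = []
    for line in sections.get("DDS", []):
        m = DDS_RE.match(line)
        if m and m["key"] == "ProxyServer":
            for proto, host, port in proxy_endpoints(m["value"]):
                if is_loopback(host):
                    findings.append(("loopback-proxy", f"{proto} traffic sent to {host}:{port}"))
    ff_lines = [m["rest"] for m in map(FF_RE.match, sections.get("FireFox", [])) if m]
    profile = next((r[len("ProfilePath - "):].lower() for r in ff_lines if r.startswith("ProfilePath - ")), "")
    for rest in ff_lines:
        if "keyword.URL - " in rest:
            host = urlsplit(rest.split("keyword.URL - ", 1)[1]).hostname or ""
            if host not in EXPECTED_SEARCH_HOSTS:
                findings.append(("search-hijack", f"keyword.URL points at {host}"))
        elif rest.startswith("Ext: ") and " - " in rest:
            ext_path = rest.rsplit(" - ", 1)[1].lower()
            if profile and not ext_path.startswith(profile):
                findings.append(("extension-outside-profile", ext_path))
    return findings


if __name__ == "__main__":
    for kind, detail in hijack_indicators(parse_cfscript(SAMPLE_CFSCRIPT)):
        print(f"{kind}: {detail}")
```

A loopback proxy is a hint rather than a verdict: legitimate local filtering software sets one too, so the follow-up is to find out what is actually listening on that port and whether the user installed it. The reason the indicator matters here is that a proxy on 127.0.0.1 sees every HTTP request the browser makes, which is how the redirect to whitesmokestart.com and the pcspeedmaximizer tabs kept coming back after the files had been deleted.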

#10 Liquid_Squelch

Liquid_Squelch
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:01 PM

Posted 02 January 2011 - 10:39 PM

Ok Gringo -

I don't want to say anything too early - but things are looking a little faster now.

I have a 2nd drive in this PC that I had to pull out because it would BSOD on me when it was hooked up. When you feel my PC is cleaned "to the max" I would like to put that other drive back into service. I won't do anything until you say it is ok to do so.

I also have to figure out how to completely remove Computer Associates Anti Virus from this PC. I no longer use it.



Here are the latest logs from ComboFix:

ComboFix 11-01-02.02 - Phil 01/02/2011 22:17:39.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2750.2222 [GMT -5:00]
Running from: c:\documents and settings\Phil\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Phil\Desktop\CFScript.txt.txt
AV: CA Anti-Virus *Enabled/Outdated* {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FILE ::
"c:\program files\Common Files\edibylucu.dll"
"c:\program files\Common Files\veforexa.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\NetworkService\Application Data\WhiteSmokeSetup
c:\documents and settings\NetworkService\Application Data\WhiteSmokeSetup\0x0409.ini
c:\documents and settings\NetworkService\Application Data\WhiteSmokeSetup\config.txt
c:\documents and settings\NetworkService\Application Data\WhiteSmokeSetup\data1.cab
c:\documents and settings\NetworkService\Application Data\WhiteSmokeSetup\data1.hdr
c:\documents and settings\NetworkService\Application Data\WhiteSmokeSetup\data2.cab
c:\documents and settings\NetworkService\Application Data\WhiteSmokeSetup\ISSetup.dll
c:\documents and settings\NetworkService\Application Data\WhiteSmokeSetup\layout.bin
c:\documents and settings\NetworkService\Application Data\WhiteSmokeSetup\setup.exe
c:\documents and settings\NetworkService\Application Data\WhiteSmokeSetup\setup.ini
c:\documents and settings\NetworkService\Application Data\WhiteSmokeSetup\setup.inx
c:\documents and settings\NetworkService\Application Data\WhiteSmokeSetup\setup.iss
c:\documents and settings\NetworkService\Application Data\WhiteSmokeSetup\setup.log
c:\documents and settings\NetworkService\Application Data\WhiteSmokeSetup\setup.ocx
c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar
c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar\dtx.ini
c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar\exeArgs.xml
c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar\guid.dat
c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar\setupCfg.xml
c:\documents and settings\Phil\Application Data\whitesmoketoolbar
c:\documents and settings\Phil\Local Settings\Application Data\{B6CBFFC2-0279-44C2-A31E-A2DDEFEAE619}
c:\documents and settings\Phil\Local Settings\Application Data\{B6CBFFC2-0279-44C2-A31E-A2DDEFEAE619}\chrome.manifest
c:\documents and settings\Phil\Local Settings\Application Data\{B6CBFFC2-0279-44C2-A31E-A2DDEFEAE619}\chrome\content\_cfg.js
c:\documents and settings\Phil\Local Settings\Application Data\{B6CBFFC2-0279-44C2-A31E-A2DDEFEAE619}\chrome\content\overlay.xul
c:\documents and settings\Phil\Local Settings\Application Data\{B6CBFFC2-0279-44C2-A31E-A2DDEFEAE619}\install.rdf
c:\documents and settings\Phil\Local Settings\Temporary Internet Files\cookies.sqlite
c:\program files\Common Files\edibylucu.dll
c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
c:\program files\Common Files\veforexa.bin
c:\program files\Logitech\Video\ManifestEngine.exe
c:\program files\WhiteSmoke Translator
c:\program files\WhiteSmoke Translator\buy.ico
c:\program files\WhiteSmoke Translator\ComVistaElevator.dll
c:\program files\WhiteSmoke Translator\Dictionary48x48.ico
c:\program files\WhiteSmoke Translator\html\english\common\iepngfix\blank.gif
c:\program files\WhiteSmoke Translator\html\english\common\iepngfix\checkerboard.gif
c:\program files\WhiteSmoke Translator\html\english\common\iepngfix\helix.gif
c:\program files\WhiteSmoke Translator\html\english\common\iepngfix\iepngfix.htc
c:\program files\WhiteSmoke Translator\html\english\common\iepngfix\iepngfix.html
c:\program files\WhiteSmoke Translator\html\english\common\iepngfix\opacity.png
c:\program files\WhiteSmoke Translator\html\english\common\js\common.js
c:\program files\WhiteSmoke Translator\html\english\common\js\pngfix.js
c:\program files\WhiteSmoke Translator\html\english\common\js\prototype.js
c:\program files\WhiteSmoke Translator\html\english\common\js\xmlhttp.js
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\Background\ajax-loader.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\Background\bottom_bg.png
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\Background\bottom_left_corner.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\Background\corner_bottom_left.png
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\Background\corner_bottom_right.png
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\Background\corner_top_left.png
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\Background\corner_top_right.png
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\Background\down_arrow.png
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\Background\empty.jpg
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\Background\input_bg.png
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\Background\left_input.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\Background\loading_dictionary.swf
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\Background\resize.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\Background\right_input.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\Background\search_strip_bg3.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\Buttons\dictionary_disabled.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\Buttons\dictionary_over.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\Buttons\dictionary_press.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\Buttons\dictionary_up.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\Buttons\down_arrow.png
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\Buttons\go_disabled.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\Buttons\go_over.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\Buttons\go_press.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\Buttons\go_up.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\Buttons\idioms_disabled.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\Buttons\idioms_over.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\Buttons\idioms_press.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\Buttons\idioms_up.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\Buttons\thesaurus_disabled.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\Buttons\thesaurus_over.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\Buttons\thesaurus_press.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\Buttons\thesaurus_up.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\Buttons\translate_normal.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\Buttons\translate_pressed.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\Buttons\translate_rollover.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\Buttons\translation_disabled.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\Buttons\translation_over.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\Buttons\translation_press.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\Buttons\translation_up.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\captionbar\caption_bar_close_down.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\captionbar\caption_bar_close_over.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\captionbar\caption_bar_close_up.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\captionbar\caption_bar_max_down.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\captionbar\caption_bar_max_over.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\captionbar\caption_bar_max_up.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\captionbar\caption_bar_min_down.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\captionbar\caption_bar_min_over.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\captionbar\caption_bar_min_up.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\captionbar\caption_dictionary_off.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\captionbar\caption_dictionary_press.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\captionbar\caption_dictionary_roll_over.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\captionbar\caption_strip.png
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\captionbar\caption_strip_right_corner.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\captionbar\caption_strip_right_corner.png
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\captionbar\caption_translation_off.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\captionbar\caption_translation_press.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\captionbar\caption_translation_roll_over.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\captionbar\logo.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\popup\screen_bg.png
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\popup\screen_bg_bottom.png
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\popup\screen_bg_top.png
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\popup\screen_captionbar_press.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\popup\screen_captionbar_up.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\img\spacer.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\index.html
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\js\common.js
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\js\Contextmenu.js
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\js\dictInterface.js
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\js\jquery.combobox.js
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\js\jquery.js
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\js\prototype.js
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\js\xmlhttp.js
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\style\combobox.css
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\style\Contextmenu.css
c:\program files\WhiteSmoke Translator\html\english\dictClientDic\style\dictionary.css
c:\program files\WhiteSmoke Translator\html\english\dictClientRegistration\img\body_bg.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientRegistration\img\captionbar\caption_bar_close_down.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientRegistration\img\captionbar\caption_bar_close_over.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientRegistration\img\captionbar\caption_bar_close_up.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientRegistration\img\captionbar\caption_strip.png
c:\program files\WhiteSmoke Translator\html\english\dictClientRegistration\img\captionbar\logo.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientRegistration\img\congra.png
c:\program files\WhiteSmoke Translator\html\english\dictClientRegistration\img\continue_button_click.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientRegistration\img\continue_button_over.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientRegistration\img\continue_button_up.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientRegistration\img\intro.jpg
c:\program files\WhiteSmoke Translator\html\english\dictClientRegistration\img\welcome.png
c:\program files\WhiteSmoke Translator\html\english\dictClientRegistration\index.html
c:\program files\WhiteSmoke Translator\html\english\dictClientRegistration\js\regInterface.js
c:\program files\WhiteSmoke Translator\html\english\dictClientRegistration\style\registration.css
c:\program files\WhiteSmoke Translator\html\english\dictClientWelcome\content\img\Background\attic\use_ws_bgNEW.PNG
c:\program files\WhiteSmoke Translator\html\english\dictClientWelcome\content\img\Background\translator-welcome-final.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientWelcome\content\img\Background\translator-welcome-final.jpg
c:\program files\WhiteSmoke Translator\html\english\dictClientWelcome\content\img\Background\translator-welcome-final.png
c:\program files\WhiteSmoke Translator\html\english\dictClientWelcome\content\img\Background\use_ws_bgNEW.jpg
c:\program files\WhiteSmoke Translator\html\english\dictClientWelcome\content\img\Background\use_ws_bgNEW.PNG
c:\program files\WhiteSmoke Translator\html\english\dictClientWelcome\content\img\buy_button.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientWelcome\content\img\caption_bar_close_down.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientWelcome\content\img\caption_bar_close_over.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientWelcome\content\img\caption_bar_close_up.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientWelcome\content\img\captionbar\arrow_white.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientWelcome\content\img\captionbar\caption_strip.png
c:\program files\WhiteSmoke Translator\html\english\dictClientWelcome\content\img\captionbar\left_bot_chunk.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientWelcome\content\img\captionbar\right_bot_chunk.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientWelcome\content\img\captionbar\white_x_button.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientWelcome\content\img\close_button.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientWelcome\content\img\close_button_down.gif
c:\program files\WhiteSmoke Translator\html\english\dictClientWelcome\content\img\expired_bg.png
c:\program files\WhiteSmoke Translator\html\english\dictClientWelcome\content\js\iframeInterface.js
c:\program files\WhiteSmoke Translator\html\english\dictClientWelcome\content\style\welcome.css
c:\program files\WhiteSmoke Translator\html\english\dictClientWelcome\content\welcome_all.html
c:\program files\WhiteSmoke Translator\html\english\dictClientWelcome\content\welcome_expired.html
c:\program files\WhiteSmoke Translator\html\english\dictClientWelcome\index.html
c:\program files\WhiteSmoke Translator\html\english\dictClientWelcome\js\welcomeInterface.js
c:\program files\WhiteSmoke Translator\html\english\dictClientWelcome\style\welcomescreen.css
c:\program files\WhiteSmoke Translator\license_agreement_translator.txt
c:\program files\WhiteSmoke Translator\Microsoft.VC80.CRT.manifest
c:\program files\WhiteSmoke Translator\msvcm80.dll
c:\program files\WhiteSmoke Translator\msvcp80.dll
c:\program files\WhiteSmoke Translator\msvcr80.dll
c:\program files\WhiteSmoke Translator\osmax.ocx
c:\program files\WhiteSmoke Translator\secman.dll
c:\program files\WhiteSmoke Translator\settings.ini
c:\program files\WhiteSmoke Translator\TCCons.dll
c:\program files\WhiteSmoke Translator\WCapture.dll
c:\program files\WhiteSmoke Translator\WCaptureX.dll
c:\program files\WhiteSmoke Translator\WCustom.dll
c:\program files\WhiteSmoke Translator\WhiteSmokeDictRegistration.exe
c:\program files\WhiteSmoke Translator\WHook.dll
c:\program files\WhiteSmoke Translator\WMonitorX.dll
c:\program files\WhiteSmoke Translator\WSDictHookDll.dll
c:\program files\WhiteSmoke Translator\WSLogger.exe
c:\program files\WhiteSmoke Translator\WSTrayDictMode.exe
c:\program files\whitesmoketoolbar
c:\program files\whitesmoketoolbar\chrome\content\lib\about.xml
c:\program files\whitesmoketoolbar\chrome\content\lib\dtxpanel.xul
c:\program files\whitesmoketoolbar\chrome\content\lib\dtxpanelwin.xul
c:\program files\whitesmoketoolbar\chrome\content\lib\dtxprefwin.xul
c:\program files\whitesmoketoolbar\chrome\content\lib\dtxwin.xul
c:\program files\whitesmoketoolbar\chrome\content\lib\emailnotifierproviders.xml
c:\program files\whitesmoketoolbar\chrome\content\lib\external.js
c:\program files\whitesmoketoolbar\chrome\content\lib\neterror.xhtml
c:\program files\whitesmoketoolbar\chrome\content\lib\rsspreview.html
c:\program files\whitesmoketoolbar\chrome\content\lib\rsswin.xml
c:\program files\whitesmoketoolbar\chrome\content\lib\rsswin.xsl
c:\program files\whitesmoketoolbar\chrome\content\lib\vmncode.js
c:\program files\whitesmoketoolbar\chrome\content\lib\wmpstreamer.html
c:\program files\whitesmoketoolbar\chrome\content\modules\datastore.jsm
c:\program files\whitesmoketoolbar\chrome\content\neterror.xhtml
c:\program files\whitesmoketoolbar\chrome\content\newtab\images\btn_search.gif
c:\program files\whitesmoketoolbar\chrome\content\newtab\images\bullet.gif
c:\program files\whitesmoketoolbar\chrome\content\newtab\images\field_bg.gif
c:\program files\whitesmoketoolbar\chrome\content\newtab\images\powered_by_yahoo.gif
c:\program files\whitesmoketoolbar\chrome\content\newtab\newtab.html
c:\program files\whitesmoketoolbar\chrome\content\preferences.xml
c:\program files\whitesmoketoolbar\chrome\content\toolbar.htm
c:\program files\whitesmoketoolbar\chrome\content\toolbar.xul
c:\program files\whitesmoketoolbar\chrome\content\vmncode.js
c:\program files\whitesmoketoolbar\chrome\content\vmnrsswin.xml
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\skin\css\dialog.css
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\skin\images\bg.gif
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\skin\images\btn-wide-close-over.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\skin\images\btn-wide-close.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\skin\images\default.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\skin\images\transparent.gif
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\skin\images\win-btm-left.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\skin\images\win-btm-mdl.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\skin\images\win-btm-right-resize.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\skin\images\win-btm-right.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\skin\main.html
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\skin\scripts\defscript.js
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\tb_icon.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\widget.jsw
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\widget.xml
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\widget_version.txt
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\css\twitter.css
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\btn-login-over.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\btn-login.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\btn-submit.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\loginbg.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\refresh-over.gif
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\refresh.gif
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\scrollbottom-disable.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\scrollbottom-down.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\scrollbottom-over.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\scrollbottom.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\scrolltop-disable.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\scrolltop-down.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\scrolltop-over.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\scrolltop.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\tab-off-l.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\tab-off-r.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\tab-on-l.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\tab-on-r.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\throbber.gif
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\Thumbs.db
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\twitter-logo48.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\twitter_top.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\js\jquery.js
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\js\scripts.js
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\skin\css\dialog.css
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\skin\images\bg.gif
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\skin\images\btn-wide-close-over.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\skin\images\btn-wide-close.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\skin\images\default.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\skin\images\transparent.gif
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\skin\images\win-btm-left.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\skin\images\win-btm-mdl.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\skin\images\win-btm-right-resize.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\skin\images\win-btm-right.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\skin\main.html
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\skin\scripts\defscript.js
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\tb_icon.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\Thumbs.db
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\widget.jsw
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\widget.xml
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\widget_version.txt
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\skin\css\dialog.css
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\skin\images\bg.gif
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\skin\images\btn-search.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\skin\images\btn-wide-close-over.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\skin\images\btn-wide-close.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\skin\images\default.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\skin\images\Thumbs.db
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\skin\images\transparent.gif
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\skin\images\win-btm-left.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\skin\images\win-btm-mdl.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\skin\images\win-btm-right-resize.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\skin\images\win-btm-right.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\skin\main.html
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\skin\scripts\defscript.js
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\tb_icon.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\widget.jsw
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\widget.xml
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\widget_version.txt
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\css\dialog.css
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\arrow-grey.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\arrows_grey-left.gif
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\arrows_grey-right.gif
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\btn-search-over.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\btn-search.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\powered-by-youtube.gif
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\scrollb-disable.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\scrollb-down.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\scrollb.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\scrollt-disable.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\scrollt-down.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\scrollt.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\tab-off-l.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\tab-off-r.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\tab-on-l.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\tab-on-r.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\tab-over-l.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\tab-over-r.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\tab-red-left.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\tab-red-mdl.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\tab-red-right.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\tab-white-left.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\tab-white-mdl.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\tab-white-right.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\throbber.gif
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\Thumbs.db
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\vid-bg.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\youtube.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\index.html
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\js\jquery-1.3.2.min.js
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\js\jquery.autocomplete.min.js
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\skin\css\dialog.css
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\skin\images\bg.gif
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\skin\images\btn-search.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\skin\images\btn-wide-close-over.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\skin\images\btn-wide-close.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\skin\images\default.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\skin\images\Thumbs.db
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\skin\images\transparent.gif
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\skin\images\win-btm-left.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\skin\images\win-btm-mdl.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\skin\images\win-btm-right-resize.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\skin\images\win-btm-right.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\skin\main.html
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\skin\scripts\defscript.js
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\tb_icon.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\widget.jsw
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\widget.xml
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\widget_version.txt
c:\program files\whitesmoketoolbar\chrome\data\dynamicElements\vmntoolbar.xsl
c:\program files\whitesmoketoolbar\chrome\data\rss\rss.xml
c:\program files\whitesmoketoolbar\chrome\data\search\engines.xml
c:\program files\whitesmoketoolbar\chrome\data\search\search.xsl
c:\program files\whitesmoketoolbar\chrome\data\weather\icons.xml
c:\program files\whitesmoketoolbar\chrome\skin\634017460871087500_png
c:\program files\whitesmoketoolbar\chrome\skin\about.gif
c:\program files\whitesmoketoolbar\chrome\skin\babylon_logo.png
c:\program files\whitesmoketoolbar\chrome\skin\bing_16x16.png
c:\program files\whitesmoketoolbar\chrome\skin\bing_searchicon_20x22_spaced_hover_png
c:\program files\whitesmoketoolbar\chrome\skin\bing_searchicon_20x22_spaced_png
c:\program files\whitesmoketoolbar\chrome\skin\blank_png
c:\program files\whitesmoketoolbar\chrome\skin\bluelite.gif
c:\program files\whitesmoketoolbar\chrome\skin\bluesky.gif
c:\program files\whitesmoketoolbar\chrome\skin\btn-search-over.png
c:\program files\whitesmoketoolbar\chrome\skin\btn-search.png
c:\program files\whitesmoketoolbar\chrome\skin\btn-settings-over.png
c:\program files\whitesmoketoolbar\chrome\skin\btn-settings.png
c:\program files\whitesmoketoolbar\chrome\skin\btn-widgets-over.png
c:\program files\whitesmoketoolbar\chrome\skin\btn-widgets.png
c:\program files\whitesmoketoolbar\chrome\skin\btn_settings.png
c:\program files\whitesmoketoolbar\chrome\skin\ca.png
c:\program files\whitesmoketoolbar\chrome\skin\checkMyText_png
c:\program files\whitesmoketoolbar\chrome\skin\checkMyText_png_png
c:\program files\whitesmoketoolbar\chrome\skin\dictionary.png
c:\program files\whitesmoketoolbar\chrome\skin\Dictionary_png
c:\program files\whitesmoketoolbar\chrome\skin\Dictionary_png_png
c:\program files\whitesmoketoolbar\chrome\skin\divider.png
c:\program files\whitesmoketoolbar\chrome\skin\downloadcom.png
c:\program files\whitesmoketoolbar\chrome\skin\dtxlogo.png
c:\program files\whitesmoketoolbar\chrome\skin\DTXWizard\skin\icon_library\Basics\folder.png
c:\program files\whitesmoketoolbar\chrome\skin\email.png
c:\program files\whitesmoketoolbar\chrome\skin\email_on.png
c:\program files\whitesmoketoolbar\chrome\skin\eteacher_png
c:\program files\whitesmoketoolbar\chrome\skin\facebook.png
c:\program files\whitesmoketoolbar\chrome\skin\feed_icon_png
c:\program files\whitesmoketoolbar\chrome\skin\feed_icon2_png
c:\program files\whitesmoketoolbar\chrome\skin\france_png
c:\program files\whitesmoketoolbar\chrome\skin\games.png
c:\program files\whitesmoketoolbar\chrome\skin\games_png
c:\program files\whitesmoketoolbar\chrome\skin\gamesIcon_png
c:\program files\whitesmoketoolbar\chrome\skin\graphred0.png
c:\program files\whitesmoketoolbar\chrome\skin\graphred0_5.png
c:\program files\whitesmoketoolbar\chrome\skin\graphred1.png
c:\program files\whitesmoketoolbar\chrome\skin\graphred1_5.png
c:\program files\whitesmoketoolbar\chrome\skin\graphred2.png
c:\program files\whitesmoketoolbar\chrome\skin\graphred2_5.png
c:\program files\whitesmoketoolbar\chrome\skin\graphred3.png
c:\program files\whitesmoketoolbar\chrome\skin\graphred3_5.png
c:\program files\whitesmoketoolbar\chrome\skin\graphred4.png
c:\program files\whitesmoketoolbar\chrome\skin\graphred4_5.png
c:\program files\whitesmoketoolbar\chrome\skin\graphred5.png
c:\program files\whitesmoketoolbar\chrome\skin\graphredna.png
c:\program files\whitesmoketoolbar\chrome\skin\grey.gif
c:\program files\whitesmoketoolbar\chrome\skin\ico-shield.png
c:\program files\whitesmoketoolbar\chrome\skin\images.png
c:\program files\whitesmoketoolbar\chrome\skin\italy_png
c:\program files\whitesmoketoolbar\chrome\skin\lib\add.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\aol.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\arrow-dn.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\arrow-right-disabled.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\arrow-right.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\arrow-up.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\bg-btn-divider.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\bg-btn-end.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\bg-btn-mdl.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\bg-btn-mdl_ff.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\bg-btn-start.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\bg-btnover-divider.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\bg-btnover-end.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\bg-btnover-mdl.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\bg-btnover-mdl_ff.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\bg-btnover-start.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\blank.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\btn-widgets-over.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\btn-widgets.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\btn_slider.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\btnback-down-vista.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\btnback-vista.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\btnleft-down-vista.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\btnleft-vista.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\btnright-down-vista.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\btnright-vista.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\button-splitter-down-vista.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\button-splitter-vista.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\checkmark.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\chevron.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\collapse.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\comcast.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\dtx.css
c:\program files\whitesmoketoolbar\chrome\skin\lib\edit-back-hot.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\edit-back.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\expand.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\found.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\gmail.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\highlight.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\highlight_blue.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\highlight_cyan.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\highlight_lime.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\highlight_magenta.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\highlight_yellow.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\hotmail.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\ico-check.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\imap.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\lastsearch-thumb-back.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\loadingMid.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\lock.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\logo-separator.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\mailcom.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\menu_bg-basic.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\menu_separator_bar.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\menu_separator_white.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\menuitem-splitter.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\menuitemback-down-vista.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\menuitemback-vista.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\menuitemleft-down-vista.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\menuitemleft-vista.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\menuitemright-down-vista.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\menuitemright-vista.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\modify.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\move.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\movetarget.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\css\panels.css
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\css\popupAbout.css
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\css\popupGames.css
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\css\popupRSS.css
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\css\popupWidgets.css
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\css\dialog.css
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\bg.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\btn-search.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\btn-wide-close-over.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\btn-wide-close.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\default.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\tab-off-l.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\tab-off-r.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\tab-on-l.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\tab-on-r.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\transparent.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\ttlbar-left.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\ttlbar-mdl.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\ttlbar-right.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\win-btm-left.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\win-btm-mdl.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\win-btm-right-resize.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\win-btm-right.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\win-left.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\win-right.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\main.html
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\scripts\defscript.js
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\footer.htm
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\gamecategory.xsl
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\gameData.js
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\gameList.xsl
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\games.xsl
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\gametype.xsl
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\arrow-dn.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\arrow-sml-drop.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\arrow-sml.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\arrow-up.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\arrowr-bluew5.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\bg-aboutbox.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\bg-btnover.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\bg-pnl520x390.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\btn-back.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\btn-close-grey.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\btn-close-greyover.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\btn-drag.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\btn-moredetails.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\btn-next-over.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\btn-next.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\btn-previous-over.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\btn-previous.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\btn-search-pnlbtm-over.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\btn-search-pnlbtm.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\bullet-orange.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\gamethumb-on.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\gamethumb2-over.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\ico-calendar.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\ico-download.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\ico-joystick24.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\ico-news24.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\ico-play.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\ico-tags.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\icon-Add.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\icon-download.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\icon-Info.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\icon-play.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\icon-shop.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\menul-bgon.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\menul-bgover.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\panel-botm-noscroll.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\scroll-bg-206.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\scroll-bg.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\scroll-topwin.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\scrollb-disable.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\scrollb-down.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\scrollb-over.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\scrollb.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\scrollt-disable.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\scrollt-down.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\scrollt-over.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\scrollt.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\searchbox-pnlbtm.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\star_x_grey.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\star_x_orange.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\TRUSTe_about.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\view-detailed-on.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\view-detailed-over.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\view-thumb-on.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\view-thumb-over.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\widgets-square-16px.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\widgets-square-24px.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\widgets.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\initHTML.html
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\popupGames.html
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\popupHTML.html
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\popupRSS.html
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\popupWidgets.html
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\scroll.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\pop.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\css\manager.css
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\css\slider.css
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\bg-pnl.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\btn-close-grey.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\btn-close-greyover.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\collapsed_button.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\expanded_button.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\ico-playstation-down.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\ico-playstation-over.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\ico-playstation.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\ico-radio.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\music-note.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-btn-pause-on.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-btn-pause.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-btn-play-on.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-btn-play.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-eq-bg.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-eq-buffer.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-eq-busy.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-eq-off.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-eq-on.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-eq-warning.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-options-design-on.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-options-design.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-options-on.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-options.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-volume-0.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-volume-1.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-volume-2.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-volume-3.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-volume-mute.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\scrollbar-handle.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\scrollbar-track.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\slider.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\slideron.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\track.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\managerpanel.html
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\volumeslider.html
c:\program files\whitesmoketoolbar\chrome\skin\lib\reload.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\remove.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\rename.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\resize-box.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\rss.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\rsschannelback.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\RSSLogo.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\rsstabdivider.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\scroll-left.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\scroll-right.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\search-go.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\search.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\text-ellipsis.xml
c:\program files\whitesmoketoolbar\chrome\skin\lib\throbber.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\toolbarsplitter.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\transparent_1px.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_02.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_03.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_04.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_06.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_07.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_08.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_09.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_10.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_11.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_12.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_13.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_14.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_15.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_16.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_18.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_19.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_20.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_21.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\btn-close-grey.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\btn-close-greyover.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\close-hot.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\close-normal.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\loadingMid.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\proxy.html
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\template.html
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\template.xml
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\templateFF.html
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\throbber.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\icons\cond999.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\icons\icons.xml
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\icons\na-s.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\icons\na-t.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\icons\na.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\icons\weather.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\add.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\arrowr-bluew5.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\bg-pnl.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\bg-pnl520x350.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\bg-pnl520x350blue-whitebg.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\bg-pnl520x350blue.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\box-check.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\box-uncheck.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\btn-close-grey.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\btn-close-greyover.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\btn-delete.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\btn-search-pnlbtm-over.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\btn-search-pnlbtm.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\btnarrow-next-off.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\btnarrow-next.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\btnarrow-previous-off.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\btnarrow-previous.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\ico-check.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\ico-hotandhumid-s.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\ico-hotandhumid.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\options-weather.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\over-blue.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\over-orange.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\powered-by-weatherbug.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\powered-by-weatherbug2.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\radio-checked.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\radio-unchecked.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\searchbox-pnlbtm.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\weather-contour.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\popupWeather.css
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\popupWeather.html
c:\program files\whitesmoketoolbar\chrome\skin\lib\yahoo.png
c:\program files\whitesmoketoolbar\chrome\skin\lichen.gif
c:\program files\whitesmoketoolbar\chrome\skin\logo-about.png
c:\program files\whitesmoketoolbar\chrome\skin\logo-over.png
c:\program files\whitesmoketoolbar\chrome\skin\logo-separator.png
c:\program files\whitesmoketoolbar\chrome\skin\logo.png
c:\program files\whitesmoketoolbar\chrome\skin\mail.png
c:\program files\whitesmoketoolbar\chrome\skin\menuseparatorback.gif
c:\program files\whitesmoketoolbar\chrome\skin\modify-save.png
c:\program files\whitesmoketoolbar\chrome\skin\modify.png
c:\program files\whitesmoketoolbar\chrome\skin\modifyhot.png
c:\program files\whitesmoketoolbar\chrome\skin\music.png
c:\program files\whitesmoketoolbar\chrome\skin\namespacetoolbar.css
c:\program files\whitesmoketoolbar\chrome\skin\networkIcons_png
c:\program files\whitesmoketoolbar\chrome\skin\news.png
c:\program files\whitesmoketoolbar\chrome\skin\options\options-main.png
c:\program files\whitesmoketoolbar\chrome\skin\options\options-search.png
c:\program files\whitesmoketoolbar\chrome\skin\options\options-weather.png
c:\program files\whitesmoketoolbar\chrome\skin\options\options-widgets.png
c:\program files\whitesmoketoolbar\chrome\skin\orange.gif
c:\program files\whitesmoketoolbar\chrome\skin\pixsy.png
c:\program files\whitesmoketoolbar\chrome\skin\protect-id.png
c:\program files\whitesmoketoolbar\chrome\skin\relatedlinks.png
c:\program files\whitesmoketoolbar\chrome\skin\rss-collapse.png
c:\program files\whitesmoketoolbar\chrome\skin\rss-delete.png
c:\program files\whitesmoketoolbar\chrome\skin\rss-expand.png
c:\program files\whitesmoketoolbar\chrome\skin\rss-feed.png
c:\program files\whitesmoketoolbar\chrome\skin\rss-folder-remove.png
c:\program files\whitesmoketoolbar\chrome\skin\rss-folder-rename.png
c:\program files\whitesmoketoolbar\chrome\skin\rss-folder.png
c:\program files\whitesmoketoolbar\chrome\skin\rss-found.png
c:\program files\whitesmoketoolbar\chrome\skin\rss-reload.png
c:\program files\whitesmoketoolbar\chrome\skin\rss-subscribe.png
c:\program files\whitesmoketoolbar\chrome\skin\rss.png
c:\program files\whitesmoketoolbar\chrome\skin\rss_feed_icon_png
c:\program files\whitesmoketoolbar\chrome\skin\rssback.gif
c:\program files\whitesmoketoolbar\chrome\skin\rsstopback.gif
c:\program files\whitesmoketoolbar\chrome\skin\search-over.png
c:\program files\whitesmoketoolbar\chrome\skin\search.png
c:\program files\whitesmoketoolbar\chrome\skin\searchbar\searchbar-background-left.png
c:\program files\whitesmoketoolbar\chrome\skin\searchbar\searchbar-background-middle.png
c:\program files\whitesmoketoolbar\chrome\skin\searchbar\searchbar-background-right.png
c:\program files\whitesmoketoolbar\chrome\skin\settings.png
c:\program files\whitesmoketoolbar\chrome\skin\shopping.png
c:\program files\whitesmoketoolbar\chrome\skin\siteinfo.png
c:\program files\whitesmoketoolbar\chrome\skin\skin-bluelite.png
c:\program files\whitesmoketoolbar\chrome\skin\skin-bluesky.png
c:\program files\whitesmoketoolbar\chrome\skin\skin-grey.png
c:\program files\whitesmoketoolbar\chrome\skin\skin-lichen.png
c:\program files\whitesmoketoolbar\chrome\skin\skin-orange.png
c:\program files\whitesmoketoolbar\chrome\skin\skin-yellow.png
c:\program files\whitesmoketoolbar\chrome\skin\skin.xml
c:\program files\whitesmoketoolbar\chrome\skin\spain_png
c:\program files\whitesmoketoolbar\chrome\skin\technorati.png
c:\program files\whitesmoketoolbar\chrome\skin\throbber.gif
c:\program files\whitesmoketoolbar\chrome\skin\toolbarsplitter.png
c:\program files\whitesmoketoolbar\chrome\skin\translate.png
c:\program files\whitesmoketoolbar\chrome\skin\Translate_png
c:\program files\whitesmoketoolbar\chrome\skin\Translate_png_png
c:\program files\whitesmoketoolbar\chrome\skin\TRUSTe_about.png
c:\program files\whitesmoketoolbar\chrome\skin\TV_icon3_png
c:\program files\whitesmoketoolbar\chrome\skin\tvicon_png
c:\program files\whitesmoketoolbar\chrome\skin\tvIcons_png
c:\program files\whitesmoketoolbar\chrome\skin\usa_png
c:\program files\whitesmoketoolbar\chrome\skin\vmn.css
c:\program files\whitesmoketoolbar\chrome\skin\vmn.png
c:\program files\whitesmoketoolbar\chrome\skin\web.png
c:\program files\whitesmoketoolbar\chrome\skin\whtsmke_logo_png
c:\program files\whitesmoketoolbar\chrome\skin\whtsmke_logo_png_png
c:\program files\whitesmoketoolbar\chrome\skin\whtsmke_logo_png2_png
c:\program files\whitesmoketoolbar\chrome\skin\whtsmke_logo_png3_png
c:\program files\whitesmoketoolbar\chrome\skin\whtsmke_logo_png4_png
c:\program files\whitesmoketoolbar\chrome\skin\whtsmke_logo_png5_png
c:\program files\whitesmoketoolbar\chrome\skin\wikipedia.png
c:\program files\whitesmoketoolbar\chrome\skin\yahoosearch.png
c:\program files\whitesmoketoolbar\chrome\skin\yellow.gif
c:\program files\whitesmoketoolbar\chrome\skin\youtube.png
c:\program files\whitesmoketoolbar\chrome\skin\zoom.png
c:\program files\whitesmoketoolbar\components\windowmediator.js
c:\program files\whitesmoketoolbar\manifest.xml
c:\program files\whitesmoketoolbar\toolbar.xml
c:\program files\whitesmoketoolbar\uninstall.exe
c:\program files\whitesmoketoolbar\whitesmoketoolbar.dll
c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll

.
((((((((((((((((((((((((( Files Created from 2010-12-03 to 2011-01-03 )))))))))))))))))))))))))))))))
.

2011-01-02 23:12 . 2010-11-16 17:01 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-01-02 23:11 . 2010-11-16 17:01 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B1A53352-3A06-4DAA-ACEC-3433451C6C7D}\mpengine.dll
2010-12-17 15:47 . 2010-12-17 15:47 -------- d-----w- c:\documents and settings\Phil\Local Settings\Application Data\Western_Digital
2010-12-16 00:15 . 2010-12-16 00:15 -------- d-----w- c:\documents and settings\Phil\Application Data\Western Digital
2010-12-16 00:03 . 2010-12-16 00:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Western Digital
2010-12-16 00:03 . 2010-12-16 00:03 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ServiceTest
2010-12-16 00:02 . 2009-02-13 16:02 11520 ----a-w- c:\windows\system32\drivers\wdcsam.sys
2010-12-16 00:00 . 2010-12-16 00:00 -------- d-----w- c:\program files\Western Digital
2010-12-15 23:58 . 2010-12-15 23:58 -------- d-----w- c:\documents and settings\Phil\Local Settings\Application Data\Western Digital
2010-12-15 02:18 . 2010-12-15 02:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-12-14 02:16 . 2010-12-14 23:36 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-14 02:16 . 2010-12-14 13:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-12-13 08:12 . 2010-12-13 08:12 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Thunderbird
2010-12-13 08:12 . 2010-12-13 08:12 -------- d-----w- c:\documents and settings\LocalService\Application Data\Thunderbird
2010-12-13 02:58 . 2011-01-03 00:18 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-12-12 17:04 . 2010-12-12 17:04 0 ----a-w- c:\windows\system32\lsp5C.tmp
2010-12-11 19:37 . 2010-12-11 19:37 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-12-11 10:20 . 2010-12-11 10:20 -------- d-----w- c:\windows\system32\%APPDATA%

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-03 00:18 . 2008-01-27 06:01 37380 ----a-w- c:\windows\system32\DeltTray.exe
2010-12-04 04:45 . 2009-09-29 02:38 249856 ------w- c:\windows\Setup1.exe
2010-12-04 04:45 . 2006-05-14 13:26 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-11-29 22:42 . 2008-11-15 04:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 22:42 . 2008-11-15 04:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2007-05-22 23:14 . 2007-04-29 17:07 8784 ----a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-05-22 23:17 . 2007-04-29 17:07 245408 ----a-w- c:\program files\mozilla firefox\plugins\unicows.dll
.
<pre>
c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray .exe
c:\program files\AnalogX\NetStat Live\nsl .exe
c:\program files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
c:\program files\Common Files\Nero\Lib\NeroCheck .exe
c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr .exe
c:\program files\Logitech\Video\ISStart .exe
c:\program files\Logitech\Video\LogiTray .exe
c:\program files\Logitech\Video\ManifestEngine .exe
c:\program files\Microsoft IntelliPoint\ipoint .exe
c:\program files\Microsoft IntelliType Pro\itype .exe
c:\program files\Microsoft Security Essentials\msseces .exe
c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan .exe
c:\program files\QuickTime\qttask   .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\QuickTime\qttask .exe
c:\program files\TightVNC\tvnserver .exe
c:\windows\system32\DeltTray .exe
</pre>

((((((((((((((((((((((((((((( SnapShot@2011-01-02_23.54.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-01-03 02:22 . 2011-01-03 02:22 16384 c:\windows\Temp\Perflib_Perfdata_4c8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [N/A]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"tvncontrol"="c:\program files\TightVNC\tvnserver.exe" [2011-01-03 37380]
"PS2"="c:\windows\system32\ps2.exe" [2004-10-25 90112]
"NetStat Live"="c:\program files\AnalogX\NetStat Live\nsl.exe" [2011-01-03 37380]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2011-01-03 37380]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2011-01-03 37380]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2011-01-03 37380]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2011-01-03 37380]
"KBD"="c:\hp\KBD\KBD.EXE" [2011-01-03 37380]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-01-03 37380]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-01-03 37380]
"DeltTray"="DeltTray.exe" [2011-01-03 37380]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 851968]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2011-01-03 37380]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2011-01-03 37380]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-1-7 25214]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Launch Whitesmoke Translator.lnk - c:\program files\WhiteSmoke Translator\WSTrayDictMode.exe [N/A]
Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2009-8-22 819200]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /k:C *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^UI-View32.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\UI-View32.lnk
backup=c:\windows\pss\UI-View32.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Phil^Desktop^Startup^NCPD.lnk]
path=c:\documents and settings\Phil\Desktop\Startup\NCPD.lnk
backup=c:\windows\pss\NCPD.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Phil^Desktop^Startup^No-IP DUC.lnk]
path=c:\documents and settings\Phil\Desktop\Startup\No-IP DUC.lnk
backup=c:\windows\pss\No-IP DUC.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Phil^Desktop^Startup^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\Phil\Desktop\Startup\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2006-05-10 00:24 50760 ----a-w- c:\program files\Common Files\AOL\1146936353\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-03-14 23:05 257088 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-01-03 00:18 37380 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-04-17 21:31 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UPS-Status]
2006-11-15 16:22 69632 ----a-w- c:\program files\Belkin Bulldog Plus\UPS-Status.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"VETMSGNT"=2 (0x2)
"CAISafe"=2 (0x2)
"Icecast"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1146936353\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1146936353\\ee\\aim6.exe"=
"c:\\Program Files\\SpacialAudio\\SimpleCast 1\\SimpleCast.exe"=
"c:\\Program Files\\SpacialAudio\\SimpleCast 3\\SimpleCast.exe"=
"c:\\Proxy\\serproxy.exe"=
"c:\\Program Files\\SpacialAudio\\SimpleCast 2\\SimpleCast.exe"=
"c:\\Program Files\\GuildFTPd\\GuildFTPd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\ICQLite\\ICQLite.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Icecast2 Win32\\Icecast2.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Icecast2 Win32\\Icetrunk\\Icecast2win.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\WinSCP3\\WinSCP.exe"=
"c:\\Program Files\\K1RFD\\EchoLink\\EchoLink.exe"=
"c:\\Program Files\\APRS\\UI-View32\\UI-WebServer\\uiwebsrv.exe"=
"c:\\Paclink MP\\Bin\\Paclink MP.exe"=
"c:\\Program Files\\APRS\\UI-View32\\Uiview32.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\SpacialAudio\\SimpleCast 4\\SimpleCast.exe"=
"c:\\Program Files\\Amateur Radio\\Ham Radio Deluxe\\HamRadioDeluxe.exe"=
"c:\\Program Files\\Amateur Radio\\Ham Radio Deluxe\\HRDLogbook.exe"=
"c:\\Program Files\\APRS\\UI-View32\\PA7RHM\\Map Server\\InitPA7RHMsvr.exe"=
"c:\\Program Files\\BuTel\\ARCXT\\arcxt.exe"=
"c:\\Program Files\\BuTel\\ARC15PRO\\ARC15P.exe"=
"c:\\Program Files\\TightVNC\\tvnserver.exe"=
"c:\\Program Files\\TightVNC\\vncviewer.exe"=
"c:\\Program Files\\PCR Server\\PcrServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5198:UDP"= 5198:UDP:Echolink UDP 5198
"5199:UDP"= 5199:UDP:ECHOLINK UDP 5199

R2 HRD RemoteSvr;Ham Radio Deluxe Remote Server;c:\program files\Amateur Radio\Ham Radio Deluxe\HRDRemoteSvr.exe [10/12/2008 6:24 PM 196608]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [1/21/2010 4:24 PM 110592]
R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [9/8/2008 8:50 PM 50944]
S2 gupdate1c9bfa3ff7897bc;Google Update Service (gupdate1c9bfa3ff7897bc);c:\program files\Google\Update\GoogleUpdate.exe [4/17/2009 4:32 PM 133104]
S2 tvnserver;TightVNC Server;c:\program files\TightVNC\tvnserver.exe [7/8/2010 8:28 AM 37380]
S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 8:58 AM 20480]
S3 EdgeSer;Edgeport Serial Port Driver for Windows 2000, XP, Vista & Server 2003;c:\windows\system32\drivers\edgeser.sys [6/18/2010 10:46 PM 229376]
S3 Ionenum;Edgeport Filter Driver;c:\windows\system32\drivers\ionenum.sys [6/18/2010 10:46 PM 17920]
S3 KLSIENET;Driver for USB Ethernet Adapter;c:\windows\system32\drivers\usb101et.sys [1/12/2007 11:09 PM 32384]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 3:22 PM 34064]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [12/15/2010 7:02 PM 11520]
S4 Icecast;Icecast Media Server;c:\program files\Icecast2 Win32\icecastService.exe [5/5/2006 10:54 PM 393216]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 7:28 PM 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 2:49 AM 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [7/10/2008 7:28 PM 369688]
.
Contents of the 'Scheduled Tasks' folder

2010-09-14 c:\windows\Tasks\9-11_Stream.job
- c:\documents and settings\Phil\Desktop\9-11\FDNY Audio\Recoded\9-11_Stream.m3u [2008-09-10 00:36]

2009-12-17 c:\windows\Tasks\ARESMTG_obj_create.job
- c:\program files\APRS\ARESMTG_obj_create.vbs [2009-01-22 04:48]

2010-02-21 c:\windows\Tasks\ARESMTG_obj_del.job
- c:\program files\APRS\ARESMTG_obj_del.vbs [2009-01-22 04:48]

2010-02-21 c:\windows\Tasks\ARESMTG_obj_del_special.job
- c:\program files\APRS\ARESMTG_obj_del.vbs [2009-01-22 04:48]

2010-02-21 c:\windows\Tasks\ARES_obj_create.job
- c:\program files\APRS\ARES_obj_create.vbs [2009-01-12 06:36]

2010-02-21 c:\windows\Tasks\ARES_obj_del.job
- c:\program files\APRS\ARES_obj_del.vbs [2009-01-12 06:36]

2010-12-09 c:\windows\Tasks\FDRANTRADIO.job
- c:\documents and settings\Phil\Desktop\fdrantradio\FDRANTRADIO.m3u [2010-09-22 18:23]

2010-11-09 c:\windows\Tasks\Forced Reboot.job
- c:\documents and settings\Phil\Desktop\Forced Reboot.lnk [2006-07-27 03:59]

2011-01-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-17 21:31]

2011-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-17 21:32]

2011-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-17 21:32]

2009-12-27 c:\windows\Tasks\HELPCHRTY_obj_del.job
- c:\program files\APRS\HELPCHRTY_obj_del.vbs [2009-12-23 05:37]

2010-06-19 c:\windows\Tasks\monitor.job
- c:\monitor\Com 4\monitor.exe [2009-05-19 01:56]

2011-01-03 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 02:40]

2010-06-19 c:\windows\Tasks\ncfd-west.job
- c:\streamripper\ncfd-west.bat [2007-05-05 00:51]

2010-06-19 c:\windows\Tasks\ncfd_archive.job
- c:\documents and settings\Phil\Desktop\Live Feeds\ncfd_archive.lnk [2010-05-27 03:13]

2010-05-28 c:\windows\Tasks\ncpd_archive.job
- c:\documents and settings\Phil\Desktop\Live Feeds\ncpd_archive.lnk [2010-05-27 03:23]

2011-01-02 c:\windows\Tasks\NEWYEAR_obj_create.job
- c:\program files\APRS\NEWYEAR_obj_create.vbs [2009-12-23 05:51]

2011-01-02 c:\windows\Tasks\NEWYEAR_obj_del.job
- c:\program files\APRS\NEWYEAR_obj_del.vbs [2009-12-23 05:53]

2010-12-28 c:\windows\Tasks\SANTA-1_obj_create.job
- c:\program files\APRS\SANTA-1_obj_create.vbs [2009-12-23 05:44]

2011-01-02 c:\windows\Tasks\SANTA-1_obj_del.job
- c:\program files\APRS\SANTA-1_obj_del.vbs [2009-12-23 05:38]

2010-12-11 c:\windows\Tasks\scfd-east.job
- c:\streamripper\scfd-east.bat [2008-03-30 02:24]

2010-06-19 c:\windows\Tasks\scfd_archive.job
- c:\documents and settings\Phil\Desktop\Live Feeds\scfd_archive.lnk [2010-05-27 03:28]

2010-06-19 c:\windows\Tasks\SimpleCast Special.job
- c:\documents and settings\Phil\Desktop\Live Feeds\SimpleCast Special.lnk [2009-02-17 04:48]

2010-02-21 c:\windows\Tasks\SKYWARN_obj_create.job
- c:\program files\APRS\SKYWARN_obj_create.vbs [2009-01-18 20:04]

2010-02-21 c:\windows\Tasks\SKYWARN_obj_del.job
- c:\program files\APRS\SKYWARN_obj_del.vbs [2009-01-18 20:04]

2010-12-11 c:\windows\Tasks\special_archive.job
- c:\documents and settings\Phil\Desktop\Live Feeds\special_archive.lnk [2010-05-27 03:23]

2011-01-02 c:\windows\Tasks\w2lie-sql_tables.job
- c:\program files\WinSCP3\w2lie-sql_tables.bat [2009-09-21 05:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: w2lie.net\www
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {4D830200-C534-435F-8ECA-955EEBB8DB34} - hxxp://www.visualradio.de/download/sdr_ocx.cab
FF - ProfilePath - c:\documents and settings\Phil\Application Data\Mozilla\Firefox\Profiles\lqyyugge.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: e107 Debugger: {ce54f00e-29ba-444c-ab72-f845d4c57612} - %profile%\extensions\{ce54f00e-29ba-444c-ab72-f845d4c57612}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(588)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-01-02 22:31:01
ComboFix-quarantined-files.txt 2011-01-03 03:30
ComboFix2.txt 2011-01-03 00:03

Pre-Run: 30,940,168,192 bytes free
Post-Run: 30,970,535,936 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 2FDDFA516B35B5B1027494A4FF4988FD

Edited by Liquid_Squelch, 02 January 2011 - 10:40 PM.


#11 gringo_pr
    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:01 PM

Posted 02 January 2011 - 11:07 PM

Hello

I have a 2nd drive in this PC that I had to pull off because it would BSOD on me when it was hooked up. When you feel my PC is cleaned "to the max" i would like to put that other drive back into service. I don't do anything until you say it is ok to do so.

This doesn't sound good, so we will wait on it.

I also have to figure out how to completely remove Computer Associates Anti Virus from this PC. I no longer use it.

try this

AppRemover

Please download AppRemover and save it to your DeskTop

  • Double click on AppRemover.exe to start the program
  • Click on the NEXT button
  • Select "Cleanup Failed Uninstall" and click on NEXT
  • After the scan has completed (may take a few min), click on NEXT again
  • Select all things that you know have been uninstalled before and click on NEXT
  • After it has completed, click on NEXT
  • Click on Reboot Now to finish the removal

I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

SecCenter::
AV: CA Anti-Virus *Enabled/Outdated* {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}

RenV::
c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray .exe
c:\program files\AnalogX\NetStat Live\nsl .exe
c:\program files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
c:\program files\Common Files\Nero\Lib\NeroCheck .exe
c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr .exe
c:\program files\Logitech\Video\ISStart .exe
c:\program files\Logitech\Video\LogiTray .exe
c:\program files\Logitech\Video\ManifestEngine .exe
c:\program files\Microsoft IntelliPoint\ipoint .exe
c:\program files\Microsoft IntelliType Pro\itype .exe
c:\program files\Microsoft Security Essentials\msseces .exe
c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan .exe
c:\program files\QuickTime\qttask   .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\QuickTime\qttask .exe
c:\program files\TightVNC\tvnserver .exe
c:\windows\system32\DeltTray .exe


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
(image: CFScript.txt being dragged onto ComboFix.exe)
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#12 Liquid_Squelch (Topic Starter)

Posted 02 January 2011 - 11:11 PM

Gringo,
Will Running:

RenV::

c:\program files\AnalogX\NetStat Live\nsl .exe
c:\program files\TightVNC\tvnserver .exe

Remove TVNServer and NetStat Live?

I run TightVNC on this PC so I can access it from work, and also run NetStat to see my monthly bandwidth on that PC. I'm not too concerned about losing NSL, but I need TightVNC or something equivalent running.

#13 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 02 January 2011 - 11:16 PM

It will not remove it; the malware has modified the file. If you look closely, it has a space before .EXE, which this command will remove.

Gringo
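As an added example (not part of this thread, and not ComboFix's own code), a Python script that reads the "Reg Loading Points" Run entries of a ComboFix-style log and flags image names with whitespace before the extension, the pattern Gringo's RenV:: block lists and explains above, reporting the name the file should have. The sample log lines are constructed from the entries shown in this thread; reading ComboFix's [X] marker as "no file at that path" is an assumption.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a few "Reg Loading Points" lines in the style of the
# ComboFix log above (two entries padded the way the RenV:: block targets).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"tvncontrol"="c:\program files\TightVNC\tvnserver.exe" [2010-07-08 815704]
"NetStat Live"="c:\program files\AnalogX\NetStat Live\nsl .exe" [2008-10-26 126980]
"DeltTray"="DeltTray.exe" [2004-08-27 56320]
"""

# "Name"="command line" [date size]; [X] is taken to mean ComboFix found no file
# at that path (assumption used for the file_missing flag below).
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"(?:\s+\[(?P<info>[^\]]*)\])?\s*$')
# First executable extension in the command line; everything after it is arguments.
EXT_RE = re.compile(r'\.(exe|com|bat|cmd|scr|pif)(?=\s|$)', re.IGNORECASE)
# File name whose stem is separated from its extension by whitespace, e.g. "qttask .exe".
PADDED_NAME = re.compile(r'^(?P<stem>.*?\S)\s+(?P<ext>\.[A-Za-z0-9]+)$')


def parse_run_entries(text):
    """Yield (registry key, value name, command line, info) for each Run value in the log."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = RUN_LINE.match(line)
        if m and key is not None:
            yield key, m.group('name'), m.group('cmd'), m.group('info')


def split_image(cmd):
    """Separate the image path from its arguments without trusting the first space."""
    m = EXT_RE.search(cmd)
    if m is None:
        return cmd.strip(), ''
    return cmd[:m.end()].strip(), cmd[m.end():].strip()


def padded_extension(filename):
    """Return the de-padded name ("qttask .exe" -> "qttask.exe"), or None if the name is clean."""
    m = PADDED_NAME.match(filename)
    if m is None:
        return None
    return m.group('stem') + m.group('ext')


def find_padded_entries(text):
    """Report Run entries whose image name carries whitespace before its extension."""
    findings = []
    for key, name, cmd, info in parse_run_entries(text):
        image, args = split_image(cmd)
        fixed = padded_extension(PureWindowsPath(image).name)
        if fixed is None:
            continue
        findings.append({
            'key': key,
            'name': name,
            'found': image,
            'expected': str(PureWindowsPath(image).parent / fixed),
            'args': args,
            'file_missing': info == 'X',
        })
    return findings


def rename_targets(paths):
    """Map a list of padded paths (like the RenV:: block) to (current, de-padded) pairs."""
    pairs = []
    for p in paths:
        fixed = padded_extension(PureWindowsPath(p).name)
        if fixed is not None:
            pairs.append((p, str(PureWindowsPath(p).parent / fixed)))
    return pairs


if __name__ == '__main__':
    for f in find_padded_entries(SAMPLE_LOG):
        state = 'file missing' if f['file_missing'] else 'file present'
        print(f"{f['key']}\\{f['name']}: {f['found']!r} should be {f['expected']!r} ({state})")
```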

#14 Liquid_Squelch (Topic Starter)

Posted 02 January 2011 - 11:41 PM

Thanks again for the help Gringo.
FYI - each time I run Combofix it wants to install M$ Recovery Console. I don't know why Combofix thinks it isn't installing.

I am done for the night, so we'll pick this up tomorrow.

THANK YOU AGAIN!



ComboFix 11-01-02.03 - Phil 01/02/2011 23:26:45.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2750.2135 [GMT -5:00]
Running from: c:\documents and settings\Phil\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Phil\Desktop\CFScript.txt.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((( Files Created from 2010-12-03 to 2011-01-03 )))))))))))))))))))))))))))))))
.

2011-01-03 04:02 . 2011-01-03 04:02 -------- d-----w- c:\windows\LastGood
2011-01-03 03:43 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-03 03:41 . 2010-11-16 17:01 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{64DB3A57-589B-4BAA-91FD-2D5BA1AC2460}\mpengine.dll
2011-01-02 23:12 . 2010-11-16 17:01 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-12-17 15:47 . 2010-12-17 15:47 -------- d-----w- c:\documents and settings\Phil\Local Settings\Application Data\Western_Digital
2010-12-16 00:15 . 2010-12-16 00:15 -------- d-----w- c:\documents and settings\Phil\Application Data\Western Digital
2010-12-16 00:03 . 2010-12-16 00:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Western Digital
2010-12-16 00:03 . 2010-12-16 00:03 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ServiceTest
2010-12-16 00:02 . 2009-02-13 16:02 11520 ----a-w- c:\windows\system32\drivers\wdcsam.sys
2010-12-16 00:00 . 2010-12-16 00:00 -------- d-----w- c:\program files\Western Digital
2010-12-15 23:58 . 2010-12-15 23:58 -------- d-----w- c:\documents and settings\Phil\Local Settings\Application Data\Western Digital
2010-12-15 02:18 . 2010-12-15 02:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-12-14 02:16 . 2010-12-14 23:36 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-14 02:16 . 2010-12-14 13:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-12-13 08:12 . 2010-12-13 08:12 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Thunderbird
2010-12-13 08:12 . 2010-12-13 08:12 -------- d-----w- c:\documents and settings\LocalService\Application Data\Thunderbird
2010-12-13 02:58 . 2011-01-03 04:26 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-12-12 17:04 . 2010-12-12 17:04 0 ----a-w- c:\windows\system32\lsp5C.tmp
2010-12-11 19:37 . 2010-12-11 19:37 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-12-11 10:20 . 2010-12-11 10:20 -------- d-----w- c:\windows\system32\%APPDATA%

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-04 04:45 . 2009-09-29 02:38 249856 ------w- c:\windows\Setup1.exe
2010-12-04 04:45 . 2006-05-14 13:26 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-11-29 22:42 . 2008-11-15 04:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 22:42 . 2008-11-15 04:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2007-05-22 23:14 . 2007-04-29 17:07 8784 ----a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-05-22 23:17 . 2007-04-29 17:07 245408 ----a-w- c:\program files\mozilla firefox\plugins\unicows.dll
.

((((((((((((((((((((((((((((( SnapShot@2011-01-02_23.54.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-01-03 02:22 . 2011-01-03 02:22 16384 c:\windows\Temp\Perflib_Perfdata_4c8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-06-24 1840424]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"tvncontrol"="c:\program files\TightVNC\tvnserver.exe" [2010-07-08 815704]
"PS2"="c:\windows\system32\ps2.exe" [2004-10-25 90112]
"NetStat Live"="c:\program files\AnalogX\NetStat Live\nsl.exe" [2008-10-26 126980]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-06-19 570664]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-06-08 2221352]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"KBD"="c:\hp\KBD\KBD.EXE" [2011-01-03 37380]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896]
"DeltTray"="DeltTray.exe" [2004-08-27 56320]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 851968]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-13 483328]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-1-7 25214]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Launch Whitesmoke Translator.lnk - c:\program files\WhiteSmoke Translator\WSTrayDictMode.exe [N/A]
Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2009-8-22 819200]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /k:C *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^UI-View32.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\UI-View32.lnk
backup=c:\windows\pss\UI-View32.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Phil^Desktop^Startup^NCPD.lnk]
path=c:\documents and settings\Phil\Desktop\Startup\NCPD.lnk
backup=c:\windows\pss\NCPD.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Phil^Desktop^Startup^No-IP DUC.lnk]
path=c:\documents and settings\Phil\Desktop\Startup\No-IP DUC.lnk
backup=c:\windows\pss\No-IP DUC.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Phil^Desktop^Startup^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\Phil\Desktop\Startup\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2006-05-10 00:24 50760 ----a-w- c:\program files\Common Files\AOL\1146936353\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-03-14 23:05 257088 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-01-03 01:09 37384 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-04-17 21:31 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UPS-Status]
2006-11-15 16:22 69632 ----a-w- c:\program files\Belkin Bulldog Plus\UPS-Status.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"VETMSGNT"=2 (0x2)
"CAISafe"=2 (0x2)
"Icecast"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1146936353\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1146936353\\ee\\aim6.exe"=
"c:\\Program Files\\SpacialAudio\\SimpleCast 1\\SimpleCast.exe"=
"c:\\Program Files\\SpacialAudio\\SimpleCast 3\\SimpleCast.exe"=
"c:\\Proxy\\serproxy.exe"=
"c:\\Program Files\\SpacialAudio\\SimpleCast 2\\SimpleCast.exe"=
"c:\\Program Files\\GuildFTPd\\GuildFTPd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\ICQLite\\ICQLite.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Icecast2 Win32\\Icecast2.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Icecast2 Win32\\Icetrunk\\Icecast2win.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\WinSCP3\\WinSCP.exe"=
"c:\\Program Files\\K1RFD\\EchoLink\\EchoLink.exe"=
"c:\\Program Files\\APRS\\UI-View32\\UI-WebServer\\uiwebsrv.exe"=
"c:\\Paclink MP\\Bin\\Paclink MP.exe"=
"c:\\Program Files\\APRS\\UI-View32\\Uiview32.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\SpacialAudio\\SimpleCast 4\\SimpleCast.exe"=
"c:\\Program Files\\Amateur Radio\\Ham Radio Deluxe\\HamRadioDeluxe.exe"=
"c:\\Program Files\\Amateur Radio\\Ham Radio Deluxe\\HRDLogbook.exe"=
"c:\\Program Files\\APRS\\UI-View32\\PA7RHM\\Map Server\\InitPA7RHMsvr.exe"=
"c:\\Program Files\\BuTel\\ARCXT\\arcxt.exe"=
"c:\\Program Files\\BuTel\\ARC15PRO\\ARC15P.exe"=
"c:\\Program Files\\TightVNC\\tvnserver.exe"=
"c:\\Program Files\\TightVNC\\vncviewer.exe"=
"c:\\Program Files\\PCR Server\\PcrServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5198:UDP"= 5198:UDP:Echolink UDP 5198
"5199:UDP"= 5199:UDP:ECHOLINK UDP 5199

R2 HRD RemoteSvr;Ham Radio Deluxe Remote Server;c:\program files\Amateur Radio\Ham Radio Deluxe\HRDRemoteSvr.exe [10/12/2008 6:24 PM 196608]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [1/21/2010 4:24 PM 110592]
R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [9/8/2008 8:50 PM 50944]
S2 gupdate1c9bfa3ff7897bc;Google Update Service (gupdate1c9bfa3ff7897bc);c:\program files\Google\Update\GoogleUpdate.exe [4/17/2009 4:32 PM 133104]
S2 tvnserver;TightVNC Server;c:\program files\TightVNC\tvnserver.exe [7/8/2010 8:28 AM 815704]
S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 8:58 AM 20480]
S3 EdgeSer;Edgeport Serial Port Driver for Windows 2000, XP, Vista & Server 2003;c:\windows\system32\drivers\edgeser.sys [6/18/2010 10:46 PM 229376]
S3 Ionenum;Edgeport Filter Driver;c:\windows\system32\drivers\ionenum.sys [6/18/2010 10:46 PM 17920]
S3 KLSIENET;Driver for USB Ethernet Adapter;c:\windows\system32\drivers\usb101et.sys [1/12/2007 11:09 PM 32384]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 3:22 PM 34064]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [12/15/2010 7:02 PM 11520]
S4 Icecast;Icecast Media Server;c:\program files\Icecast2 Win32\icecastService.exe [5/5/2006 10:54 PM 393216]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 7:28 PM 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 2:49 AM 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [7/10/2008 7:28 PM 369688]
.
Contents of the 'Scheduled Tasks' folder

2010-09-14 c:\windows\Tasks\9-11_Stream.job
- c:\documents and settings\Phil\Desktop\9-11\FDNY Audio\Recoded\9-11_Stream.m3u [2008-09-10 00:36]

2009-12-17 c:\windows\Tasks\ARESMTG_obj_create.job
- c:\program files\APRS\ARESMTG_obj_create.vbs [2009-01-22 04:48]

2010-02-21 c:\windows\Tasks\ARESMTG_obj_del.job
- c:\program files\APRS\ARESMTG_obj_del.vbs [2009-01-22 04:48]

2010-02-21 c:\windows\Tasks\ARESMTG_obj_del_special.job
- c:\program files\APRS\ARESMTG_obj_del.vbs [2009-01-22 04:48]

2010-02-21 c:\windows\Tasks\ARES_obj_create.job
- c:\program files\APRS\ARES_obj_create.vbs [2009-01-12 06:36]

2010-02-21 c:\windows\Tasks\ARES_obj_del.job
- c:\program files\APRS\ARES_obj_del.vbs [2009-01-12 06:36]

2010-12-09 c:\windows\Tasks\FDRANTRADIO.job
- c:\documents and settings\Phil\Desktop\fdrantradio\FDRANTRADIO.m3u [2010-09-22 18:23]

2010-11-09 c:\windows\Tasks\Forced Reboot.job
- c:\documents and settings\Phil\Desktop\Forced Reboot.lnk [2006-07-27 03:59]

2011-01-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-17 21:31]

2011-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-17 21:32]

2011-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-17 21:32]

2009-12-27 c:\windows\Tasks\HELPCHRTY_obj_del.job
- c:\program files\APRS\HELPCHRTY_obj_del.vbs [2009-12-23 05:37]

2010-06-19 c:\windows\Tasks\monitor.job
- c:\monitor\Com 4\monitor.exe [2009-05-19 01:56]

2011-01-03 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 02:40]

2010-06-19 c:\windows\Tasks\ncfd-west.job
- c:\streamripper\ncfd-west.bat [2007-05-05 00:51]

2010-06-19 c:\windows\Tasks\ncfd_archive.job
- c:\documents and settings\Phil\Desktop\Live Feeds\ncfd_archive.lnk [2010-05-27 03:13]

2010-05-28 c:\windows\Tasks\ncpd_archive.job
- c:\documents and settings\Phil\Desktop\Live Feeds\ncpd_archive.lnk [2010-05-27 03:23]

2011-01-02 c:\windows\Tasks\NEWYEAR_obj_create.job
- c:\program files\APRS\NEWYEAR_obj_create.vbs [2009-12-23 05:51]

2011-01-02 c:\windows\Tasks\NEWYEAR_obj_del.job
- c:\program files\APRS\NEWYEAR_obj_del.vbs [2009-12-23 05:53]

2010-12-28 c:\windows\Tasks\SANTA-1_obj_create.job
- c:\program files\APRS\SANTA-1_obj_create.vbs [2009-12-23 05:44]

2011-01-02 c:\windows\Tasks\SANTA-1_obj_del.job
- c:\program files\APRS\SANTA-1_obj_del.vbs [2009-12-23 05:38]

2010-12-11 c:\windows\Tasks\scfd-east.job
- c:\streamripper\scfd-east.bat [2008-03-30 02:24]

2010-06-19 c:\windows\Tasks\scfd_archive.job
- c:\documents and settings\Phil\Desktop\Live Feeds\scfd_archive.lnk [2010-05-27 03:28]

2010-06-19 c:\windows\Tasks\SimpleCast Special.job
- c:\documents and settings\Phil\Desktop\Live Feeds\SimpleCast Special.lnk [2009-02-17 04:48]

2010-02-21 c:\windows\Tasks\SKYWARN_obj_create.job
- c:\program files\APRS\SKYWARN_obj_create.vbs [2009-01-18 20:04]

2010-02-21 c:\windows\Tasks\SKYWARN_obj_del.job
- c:\program files\APRS\SKYWARN_obj_del.vbs [2009-01-18 20:04]

2010-12-11 c:\windows\Tasks\special_archive.job
- c:\documents and settings\Phil\Desktop\Live Feeds\special_archive.lnk [2010-05-27 03:23]

2011-01-02 c:\windows\Tasks\w2lie-sql_tables.job
- c:\program files\WinSCP3\w2lie-sql_tables.bat [2009-09-21 05:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: w2lie.net\www
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {4D830200-C534-435F-8ECA-955EEBB8DB34} - hxxp://www.visualradio.de/download/sdr_ocx.cab
FF - ProfilePath - c:\documents and settings\Phil\Application Data\Mozilla\Firefox\Profiles\lqyyugge.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: e107 Debugger: {ce54f00e-29ba-444c-ab72-f845d4c57612} - %profile%\extensions\{ce54f00e-29ba-444c-ab72-f845d4c57612}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(588)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1604)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-01-02 23:35:14
ComboFix-quarantined-files.txt 2011-01-03 04:34
ComboFix2.txt 2011-01-03 03:31
ComboFix3.txt 2011-01-03 00:03

Pre-Run: 30,894,542,848 bytes free
Post-Run: 30,863,691,776 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - CDC40789045B0E82C6CF5537A3528057

#15 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 02 January 2011 - 11:49 PM

These logs are looking a lot better, so you can do this when you come back and leave me the reports.


Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add/remove programs
click on the following programs

Adobe Reader 7.0.9
J2SE Runtime Environment 5.0 Update 6
Java™ 6 Update 7


and click on remove

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing Foxit Reader, be careful not to install anything to do with AskBar.
Your Java is out of date.

It can be updated by the Java control panel
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts

Clear your Java Cache

  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo




