Rootkit? ZwImpersonateAnonymous Token


  • This topic is locked
26 replies to this topic

#1 jnord24

jnord24

  • Members
  • 39 posts
  • OFFLINE
  • Local time:07:16 AM

Posted 07 March 2011 - 10:39 AM

When the computer boots up, it takes forever for the desktop to come up. I see 100% cpu usage, high memory usage, programs won't launch.

I followed the instructions in the preparation guide; however, I left gmer running over night twice and it still never completes so I won't be able to attach the log, but here are the entries before it hangs:

ZwAlertResumeThread
ZwAlertThread
ZwConnectPort
ZwCreateMutant
ZwCreateThread
ZwDeleteValueKey
ZwFreeVirtualMemory
ZwImpersonateAnonymousToken
ZwImpersonateThread
ZwMapViewOfSection
ZwOpenEvent
ZwOpenProcessToken
ZwOpenThreadToken
ZwQueryValueKey
ZwResumeThread
ZwSetContextThread
ZwSetInformationProcess
ZwSetInformationThread
ZwSetValueKey [0xB185FF10]
ZwSuspendProcess
ZwSuspendThread
ZwTerminateProcess
ZwTerminateThread
ZwUnmapViewOfSection
ZwWriteVirtualMemory
ZwAcceptConnectPort
ZwAccessCheck
ZwAccessCheckAndAuditAlarm
ZwAccessCheckByType
ZwAccessCheckByTypeAndAuditAlarm
ZwAccessCheckByTypeResultList
ZwAccessCheckByTypeResultListAndAuditAlarm
ZwAccessCheckByTypeResultListAndAuditAlarmByHandle
ZwAddAtom
ZwAddBootEntry
ZwAdjustGroupsToken
ZwAdjustPrivilegesToken
ZwAllocateLocallyUniqueId
ZwAllocateUserPhysicalPages
ZwAllocateUuids
ZwAreMappedFilesTheSame

Here are the contents of the DDS log:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Administrator at 10:15:24.96 on 03/07/11
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1278.571 [GMT -5:00]
.
AV: Symantec AntiVirus Corporate Edition *Enabled/Outdated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINNT\system32\svchost -k DcomLaunch
svchost.exe
C:\WINNT\system32\svchost.exe -k WudfServiceGroup
C:\WINNT\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\WgaTray.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINNT\system32\msiexec.exe
C:\WINNT\system32\MsiExec.exe
C:\temp\00 computer check\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
uWindow Title = Microsoft Internet Explorer provided by Advanced Networking & ComputerS
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:23012
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {7c5c0f58-e061-457d-9033-77307f5ed00c} - No File
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\winnt\system32\ctfmon.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [rvfuwuwd] c:\docume~1\admini~1.jah\locals~1\temp\ycjgdpvoh\jwpnriytsbl.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~2\VPTray.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\admini~1.jah\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131241954171
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {9B479D7B-916A-45B0-B042-D42865A60E21} - hxxp://largo.is-a-geek.com/DvrOcx.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {EFFDEEEC-F9E1-4461-91D2-DAEB8CC595F1} - hxxp://10.100.100.66/CSViewer.cab
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\winnt\system32\mscoree.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\winnt\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\winnt\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
Hosts: 10.100.100.18 HP0015604A0A69
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\admini~1.jah\applic~1\mozilla\firefox\profiles\iipisylg.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1446069&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - ftabins Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1446069&q=
FF - component: c:\documents and settings\administrator.jah\application data\mozilla\firefox\profiles\iipisylg.default\extensions\{42fe564a-cb41-4b4c-b6ae-c52b73f6150d}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\administrator.jah\application data\mozilla\firefox\profiles\iipisylg.default\extensions\{42fe564a-cb41-4b4c-b6ae-c52b73f6150d}\components\RadioWMPCore.dll
FF - plugin: c:\documents and settings\administrator.jah\application data\mozilla\firefox\profiles\iipisylg.default\extensions\{1bc9ba34-1eed-42ca-a505-6d2f1a935bbb}\plugins\npietab2.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: XHTML Mobile Profile: {8ea9957e-2953-402f-80e0-bceb5f169d6f} - %profile%\extensions\{8ea9957e-2953-402f-80e0-bceb5f169d6f}
FF - Ext: SearchStatus: {d57c9ff1-6389-48fc-b770-f78bd89b6e8a} - %profile%\extensions\{d57c9ff1-6389-48fc-b770-f78bd89b6e8a}
FF - Ext: ftabins Toolbar: {42fe564a-cb41-4b4c-b6ae-c52b73f6150d} - %profile%\extensions\{42fe564a-cb41-4b4c-b6ae-c52b73f6150d}
FF - Ext: IE Tab 2 (FF 3.6+): {1BC9BA34-1EED-42ca-A505-6D2F1A935BBB} - %profile%\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-7 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-7 169632]
R2 io.sys;IO.DLL Driver;c:\winnt\system32\drivers\io.sys [2009-3-12 5152]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-3-17 115952]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-3-17 1799408]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-11-28 102448]
R3 libusb0;LibUsb-Win32 - Kernel Driver 03/20/2007, 0.1.12.1;c:\winnt\system32\drivers\libusb0.sys [2009-3-12 28672]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101128.002\naveng.sys [2010-11-28 86064]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101128.002\navex15.sys [2010-11-28 1371184]
S2 MSSQL$WHATSUP;MSSQL$WHATSUP;c:\program files\microsoft sql server\mssql$whatsup\binn\sqlservr.exe -swhatsup --> c:\program files\microsoft sql server\mssql$whatsup\binn\sqlservr.exe -sWHATSUP [?]
S3 DtvAudio;DtvAudio;c:\winnt\system32\drivers\DtvAudio.sys [2006-6-8 10330]
S3 DtvVideo;DtvVideo;c:\winnt\system32\drivers\DtvVideo.sys [2006-6-8 25600]
S3 EraserUtilDrvI7;EraserUtilDrvI7;\??\c:\program files\common files\symantec shared\eengine\eraserutildrvi7.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrvI7.sys [?]
S3 GTWINSER;GTWINSER;c:\winnt\system32\drivers\gtwinser.sys --> c:\winnt\system32\drivers\GTwinSER.sys [?]
S3 ICam7fil;Intel® CS431 Audio Filter Driver;c:\winnt\system32\drivers\icam7fil.sys [2001-7-31 19640]
S3 Icam7USB;Intel® PC Camera CS431;c:\winnt\system32\drivers\Icam7USB.sys [2001-7-31 158848]
S3 PIOdriver;PIOdriver;c:\winnt\system32\drivers\PIOdriver.sys [2008-4-15 3712]
S3 SPCA506AV;D-Link USB TV Tuner, WDM Video Capture;c:\winnt\system32\drivers\CA506AV.SYS [2006-2-10 173730]
S3 SQLAgent$WHATSUP;SQLAgent$WHATSUP;c:\program files\microsoft sql server\mssql$whatsup\binn\sqlagent.exe -i whatsup --> c:\program files\microsoft sql server\mssql$whatsup\binn\sqlagent.EXE -i WHATSUP [?]
S3 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-8-24 92008]
S3 usbhub20;USB Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2005-11-5 49776]
S3 USBNET;Instant Wireless USB Network Adapter ver.2.6 Driver;c:\winnt\system32\drivers\netusb.sys --> c:\winnt\system32\drivers\netusb.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\winnt\system32\drivers\wdcsam.sys [2008-5-6 11520]
.
=============== File Associations ===============
.
regfile=regedit.exe "%1" %*
scrfile="%1" %*
.
=============== Created Last 30 ================
.
2011-03-07 14:54:23 625664 ----a-w- c:\temp\00 computer check\dds.scr
2011-02-19 20:30:24 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2011-02-19 20:30:13 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
.
==================== Find3M ====================
.
2009-01-13 18:45:08 81920 ----a-w- c:\program files\common files\WIZ1x0SR_105SR_CFG.exe
2006-12-01 09:54:32 626688 ----a-w- c:\program files\common files\MSVCR80.dll
2002-07-26 21:02:06 153088 ----a-w- c:\program files\UNWISE.EXE
.
============= FINISH: 10:16:41.21 ===============

Edited by jnord24, 07 March 2011 - 10:40 AM.
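The DDS "Pseudo HJT Report" section quoted above is a plain line-oriented format, and a defender triaging many of these logs would want a small script that pulls out the handful of entries worth a second look. The following is an added example, not code from the original post or from the DDS tool: it parses a constructed sample (modelled on the entries in the log above) and flags three things visible in that log, a ProxyServer setting pointing at the loopback address, a Run entry whose executable lives under a temp directory, and a BHO/toolbar entry whose file is missing ("No File"). The tag names and the heuristics themselves are assumptions for illustration; a loopback proxy, for instance, is also used by legitimate filtering software, so each flag is a prompt for review rather than a verdict.

```python
import re

# Constructed sample in the style of the DDS "Pseudo HJT Report" section,
# modelled on the log quoted in the post above (not a real capture).
SAMPLE = """\
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
uInternet Settings,ProxyServer = http=127.0.0.1:23012
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\\program files\\common files\\adobe\\acrobat\\activex\\AcroIEHelper.dll
uRun: [ctfmon.exe] c:\\winnt\\system32\\ctfmon.exe
uRun: [rvfuwuwd] c:\\docume~1\\admini~1.jah\\locals~1\\temp\\ycjgdpvoh\\jwpnriytsbl.exe
mRun: [ccApp] "c:\\program files\\common files\\symantec shared\\ccApp.exe"
"""

# uRun / mRun / dRunOnce: [name] command   (u = user, m = machine, d = default hive)
RUN_RE = re.compile(r'^(?P<hive>[umd])Run(?:Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
# Per-user WinINet proxy setting as DDS prints it
PROXY_RE = re.compile(r'^uInternet Settings,ProxyServer\s*=\s*(?P<value>.+)$')
# Browser helper objects, toolbars and explorer bars
OBJ_RE = re.compile(r'^(?P<kind>BHO|TB|EB):\s*(?P<rest>.*)$')
# Any path component named "temp" (covers locals~1\temp, local settings\temp, c:\temp)
TEMP_DIR_RE = re.compile(r'\\temp\\', re.IGNORECASE)


def analyze_dds(text):
    """Return a list of (tag, line) for entries that merit review.

    Tags (assumed names for this example):
      local-proxy        - ProxyServer points at 127.0.0.1 / localhost
      autorun-from-temp  - a Run entry launches something under a temp directory
      orphaned-object    - a BHO/TB/EB entry whose file no longer exists
    """
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = PROXY_RE.match(line)
        if m:
            value = m.group('value').lower()
            if '127.0.0.1' in value or 'localhost' in value:
                findings.append(('local-proxy', line))
            continue

        m = RUN_RE.match(line)
        if m:
            if TEMP_DIR_RE.search(m.group('cmd')):
                findings.append(('autorun-from-temp', line))
            continue

        m = OBJ_RE.match(line)
        if m and m.group('rest').rstrip().endswith('No File'):
            findings.append(('orphaned-object', line))
    return findings


def tags(findings):
    """Just the tag column, in log order, for quick summaries."""
    return [tag for tag, _ in findings]


if __name__ == '__main__':
    for tag, line in analyze_dds(SAMPLE):
        print(f'{tag:18} {line}')
```

Run against the sample it reports the loopback proxy, the orphaned BHO and the temp-directory Run entry, in the order they appear in the log; the Symantec and ctfmon entries pass through silently.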



#2 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  • Gender:Male
  • Location:Antarctica
  • Local time:07:16 AM

Posted 11 March 2011 - 03:46 PM

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. :)

I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, has resulted in a delayed response to your thread.

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  • These instructions have been specifically tailored to your computer and the issues you are experiencing with your computer. It's important to note that these instructions are not suitable for any other computer, even if the issues are fairly similar.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is to make sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
    Because of this, you must reply within three days;
    failure to reply will result in the topic being closed!
  • Please do not PM me directly for help. If you have any questions, post them in this topic.
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________


GooredFix
Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).


NEXT:




Rootkit UnHooker (RkU)
Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)
In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".



NEXT:



Running OTL

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button to run the scan.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


NEXT:


Please provide an update on how things are running in your next reply.

Have I helped you? If you'd like to assist in the fight against malware, click here.


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#3 jnord24

jnord24
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Local time:07:16 AM

Posted 12 March 2011 - 11:23 AM

Just to be clear, the issue posted here is different than the one posted

http://www.bleepingcomputer.com/forums/topic384436.html/page__p__2165157__fromsearch__1#entry2165157 which has been closed out.

That one is also on a different computer.

The one with the ZwImpersonateAnonymous is my Windows XP machine.
The other post, which is closed (and I believe is fixed), is Windows 7.

#4 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  • Gender:Male
  • Location:Antarctica
  • Local time:07:16 AM

Posted 12 March 2011 - 11:29 AM

Okay, thanks for letting me know, please proceed with the instructions above.



#5 jnord24

jnord24
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Local time:07:16 AM

Posted 12 March 2011 - 11:44 AM

Tried to run GooredFix and received:

c:\temp\00comp~1\10Goor~1\Beta_G`1.exe
The NTVDM has encountered an illegal instruction.
CS:0562: IP:fff9 OP:ff ff 01 62 ff Choose 'Close' to terminate the application

I ran rootkit unhooker as instructed. Here are the results:

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Shadow
==============================================
==============================================
>Drivers
==============================================
0x804D7000 C:\WINNT\system32\ntoskrnl.exe 2189056 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2189056 bytes
0x804D7000 RAW 2189056 bytes
0x804D7000 WMIxWDM 2189056 bytes
0xBF800000 Win32k 1847296 bytes
0xBF800000 C:\WINNT\System32\win32k.sys 1847296 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xAF873000 C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110307.002\navex15.sys 1355776 bytes (Symantec Corporation, AV Engine)
0xBA3D8000 C:\WINNT\System32\DRIVERS\ialmnt5.sys 1302528 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0xBFA3A000 C:\WINNT\System32\ialmdd5.DLL 925696 bytes (Intel Corporation, DirectDraw® Driver for Intel® Graphics Technology)
0xB9C9A000 C:\WINNT\System32\drivers\dmboot.sys 802816 bytes (Microsoft Corp., Veritas Software, NT Disk Manager Startup Driver)
0xB9E03000 C:\WINNT\system32\drivers\senfilt.sys 733184 bytes (Creative Technology Ltd., Creative WDM Audio Driver)
0xF7B52000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xB0F39000 C:\WINNT\System32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB0FD4000 C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys 401408 bytes (Symantec Corporation, SPBBC Driver)
0xB0EDB000 C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 385024 bytes (Symantec Corporation, Symantec Eraser Control Driver)
0xB9D5E000 C:\WINNT\System32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xB1109000 C:\WINNT\System32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xB137A000 C:\Program Files\Symantec AntiVirus\savrt.sys 360448 bytes (Symantec Corporation, AutoProtect)
0xAFCD9000 C:\WINNT\System32\DRIVERS\srv.sys 335872 bytes (Microsoft Corporation, Server driver)
0xBFFA0000 C:\WINNT\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB9EDA000 C:\WINNT\system32\drivers\smwdm.sys 262144 bytes (Analog Devices, Inc., SoundMAX Integrated Digital Audio )
0xB10A6000 C:\WINNT\System32\Drivers\SYMTDI.SYS 241664 bytes (Symantec Corporation, Network Dispatch Driver)
0xBFA05000 C:\WINNT\System32\ialmdev5.DLL 217088 bytes (Intel Corporation, Component GHAL Driver)
0xB9DBC000 C:\WINNT\System32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF75A8000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB0207000 C:\WINNT\System32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF7411000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xAF6FD000 C:\WINNT\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xB0FA9000 C:\WINNT\System32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB9F77000 C:\WINNT\system32\DRIVERS\hcwPP2.sys 163840 bytes (Hauppauge Computer Works, Inc., WinTV PVR PCI II (v2) WDM Video Capture)
0xB1058000 C:\WINNT\System32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF74B2000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xB9F2E000 C:\WINNT\System32\DRIVERS\e100b325.sys 155648 bytes (Intel Corporation, Intel® PRO/100 Adapter NDIS 5.1 driver)
0xB1080000 C:\WINNT\System32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xB9EB6000 C:\WINNT\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xBA3A0000 C:\WINNT\System32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB9F54000 C:\WINNT\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xAFB26000 C:\WINNT\System32\Drivers\RDPWD.SYS 143360 bytes (Microsoft Corporation, RDP Terminal Stack Driver (US/Canada Only, Not for Export))
0xB1036000 C:\WINNT\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xBF9E3000 C:\WINNT\System32\ialmdnt5.dll 139264 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0xB1358000 C:\Program Files\Symantec\SYMEVENT.SYS 139264 bytes (Symantec Corporation, Symantec Event Library)
0x806EE000 ACPI_HAL 131840 bytes
0x806EE000 C:\WINNT\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF747A000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF74D8000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB0EBE000 C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys 118784 bytes (Symantec Corporation, Symantec Eraser Utility Driver)
0xBAFE6000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF749A000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB0E7E000 C:\WINNT\System32\Drivers\dump_atapi.sys 98304 bytes
0xF7451000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB9DEC000 C:\WINNT\System32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB0521000 C:\WINNT\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xAF85F000 C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110307.002\naveng.sys 81920 bytes (Symantec Corporation, AV Engine)
0xB9F1A000 C:\WINNT\System32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xB1344000 C:\Program Files\Symantec AntiVirus\Savrtpel.sys 81920 bytes (Symantec Corporation, SAVRTPEL)
0xBA3C4000 C:\WINNT\System32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xB1162000 C:\WINNT\System32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xF743E000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xBF9C3000 C:\WINNT\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF7468000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF7597000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF7577000 C:\WINNT\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xBA576000 C:\WINNT\System32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF7697000 C:\WINNT\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xF7657000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xF76B7000 C:\WINNT\System32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xBAF5E000 C:\WINNT\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xBA5A6000 C:\WINNT\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xBA566000 C:\WINNT\System32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xB066E000 C:\WINNT\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF7527000 C:\WINNT\System32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF7667000 C:\WINNT\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xBF9D5000 C:\WINNT\System32\ialmrnt5.dll 57344 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0xF7637000 C:\WINNT\System32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBAF0E000 C:\WINNT\System32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xB9FEF000 C:\WINNT\System32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF7617000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF76E7000 C:\WINNT\System32\Drivers\pcouffin.sys 49152 bytes (VSO Software, low level access layer for CD/DVD/BD devices)
0xB9F9F000 C:\WINNT\System32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xB9FDF000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys 49152 bytes (-, SASKUTIL.SYS)
0xBAF4E000 C:\WINNT\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA586000 C:\WINNT\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF7607000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xB9FBF000 C:\WINNT\System32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF75F7000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF7587000 C:\WINNT\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF7647000 PxHelp20.sys 40960 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xB035C000 C:\WINNT\System32\Drivers\SYMREDRV.SYS 40960 bytes (Symantec Corporation, Redirector Filter Driver)
0xBA516000 C:\WINNT\System32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF7627000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xBAEFE000 C:\WINNT\System32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xBA01F000 C:\WINNT\System32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xBAF2E000 C:\WINNT\System32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xB0726000 C:\WINNT\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xBA02F000 C:\WINNT\System32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF778F000 C:\WINNT\System32\Drivers\ASAPIW2K.sys 32768 bytes (VOB Computersysteme GmbH, ASAPI)
0xF77C7000 C:\WINNT\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF776F000 C:\WINNT\System32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF781F000 C:\WINNT\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF775F000 C:\WINNT\system32\Drivers\nvport.sys 28672 bytes (NVIDIA Corporation., Port Driver)
0xF7707000 C:\WINNT\System32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF7767000 C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 28672 bytes (-, SASDIFSV)
0xF777F000 C:\WINNT\System32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF7787000 C:\WINNT\System32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xAFF03000 C:\WINNT\System32\Drivers\TDTCP.SYS 24576 bytes (Microsoft Corporation, TCP Transport Driver)
0xF77EF000 C:\WINNT\System32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF77A7000 C:\WINNT\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xB1185000 C:\WINNT\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF770F000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF7747000 C:\WINNT\System32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF774F000 C:\WINNT\System32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF7797000 C:\WINNT\System32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF7777000 C:\WINNT\system32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0xF77E7000 C:\WINNT\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF7933000 C:\WINNT\System32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB10E5000 C:\WINNT\SYSTEM32\DRIVERS\OMCI.SYS 16384 bytes (Dell Computer Corporation, OMCI Device Driver)
0xB1101000 C:\WINNT\system32\drivers\pclepci.sys 16384 bytes (Pinnacle Systems GmbH, PCLEPCI)
0xBAB85000 C:\WINNT\System32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF7897000 C:\WINNT\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xB0E9A000 C:\WINNT\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF791B000 C:\WINNT\System32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xBAB81000 C:\WINNT\system32\drivers\pfc.sys 12288 bytes (Padus, Inc., Padus® ASPI Shell)
0xBAB89000 C:\WINNT\System32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF7995000 C:\WINNT\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF798B000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF79DB000 C:\WINNT\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF79FF000 C:\WINNT\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7987000 C:\WINNT\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF79B5000 C:\WINNT\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF79FB000 C:\WINNT\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xF79B9000 C:\WINNT\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF79F9000 C:\WINNT\System32\DRIVERS\serscan.sys 8192 bytes (Microsoft Corporation, Serial Imaging Device Driver)
0xF79A9000 C:\WINNT\System32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF79B1000 C:\WINNT\System32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7989000 C:\WINNT\System32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7AB5000 C:\WINNT\System32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7AAD000 C:\WINNT\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7A9D000 C:\WINNT\system32\drivers\io.sys 4096 bytes
0xBABAD000 C:\WINNT\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7A4F000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================


Nothing detected :(

#6 SweetTech

    Agent ST

  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 12 March 2011 - 11:47 AM

Tried to run GooredFix and received:

c:\temp\00comp~1\10Goor~1\Beta_G`1.exe
The NTVDM has encountered an illegal instruction.
CS:0562: IP:fff9 OP:ff ff 01 62 ff Choose 'Close' to terminate the applicat

Okay, please post the OTL logs when you get a chance.

Have I helped you? If you'd like to assist in the fight against malware, click here


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#7 jnord24

  • Topic Starter
  • Members
  • 39 posts

Posted 12 March 2011 - 12:12 PM

OTL.txt

OTL logfile created on: 03/12/11 12:05:12 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Administrator.JAH\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: MM/dd/yy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 45.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 1920 3840 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 9.70 Gb Free Space | 13.02% Space Free | Partition Type: NTFS
Drive W: | 232.88 Gb Total Space | 7.96 Gb Free Space | 3.42% Space Free | Partition Type: NTFS

Computer Name: CAMSRV | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/03/12 11:26:38 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator.JAH\Desktop\OTL.exe
PRC - [2011/03/11 11:07:43 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/08/24 04:38:16 | 000,247,144 | ---- | M] (TomTom) -- C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
PRC - [2008/10/14 20:38:56 | 000,623,992 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
PRC - [2008/05/29 13:09:17 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINNT\explorer.exe
PRC - [2007/09/10 23:45:04 | 000,124,832 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
PRC - [2007/02/27 11:39:26 | 001,310,720 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2006/03/17 05:34:30 | 000,124,656 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2006/03/17 05:34:24 | 000,115,952 | ---- | M] (symantec) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe
PRC - [2006/03/17 05:34:20 | 001,799,408 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2006/03/17 05:34:12 | 000,030,448 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2006/03/07 12:03:02 | 000,169,632 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2006/03/07 12:02:34 | 000,192,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2006/03/07 12:02:14 | 000,053,408 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2006/02/06 11:50:24 | 001,160,848 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe


========== Modules (SafeList) ==========

MOD - [2011/03/12 11:26:38 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator.JAH\Desktop\OTL.exe
MOD - [2008/04/13 19:12:51 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINNT\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (wuauserv)
SRV - File not found [Disabled | Stopped] -- -- (RoxWatch9)
SRV - File not found [Disabled | Stopped] -- -- (RoxMediaDB9)
SRV - File not found [Disabled | Stopped] -- -- (RoxLiveShare9)
SRV - File not found [Disabled | Stopped] -- -- (Roxio Upnp Server 9)
SRV - File not found [Disabled | Stopped] -- -- (Roxio UPnP Renderer 9)
SRV - [2010/08/24 04:38:18 | 000,092,008 | ---- | M] (TomTom) [On_Demand | Stopped] -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)
SRV - [2009/12/05 13:36:42 | 000,045,056 | ---- | M] (Intuit) [Disabled | Stopped] -- c:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2009/07/23 21:10:38 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- c:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2008/05/29 13:09:17 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Running] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/04/13 19:12:38 | 000,050,176 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINNT\system32\utilman.exe -- (UtilMan)
SRV - [2007/09/10 23:45:04 | 000,124,832 | ---- | M] () [Auto | Running] -- C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor6.0)
SRV - [2006/03/17 05:34:24 | 000,115,952 | ---- | M] (symantec) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2006/03/17 05:34:20 | 001,799,408 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2006/03/17 05:34:12 | 000,030,448 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2006/03/07 12:03:02 | 000,169,632 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2006/03/07 12:02:34 | 000,192,160 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2006/02/23 10:41:02 | 002,045,632 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE -- (LiveUpdate)
SRV - [2006/02/06 11:50:24 | 001,160,848 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)
SRV - [2006/01/24 19:06:58 | 000,214,720 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2004/09/29 12:14:36 | 000,069,632 | ---- | M] (HP) [Disabled | Stopped] -- C:\WINNT\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2003/10/03 11:11:32 | 000,693,416 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\Ghost\ngserver.exe -- (NGServer)
SRV - [2003/10/03 11:03:52 | 000,045,056 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\Ghost\bin\dbserv.exe -- (ngdbserv)


========== Driver Services (SafeList) ==========

DRV - [2011/03/07 01:00:00 | 001,360,760 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110307.002\NAVEX15.SYS -- (NAVEX15)
DRV - [2011/03/07 01:00:00 | 000,086,008 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110307.002\NAVENG.SYS -- (NAVENG)
DRV - [2010/11/28 01:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2010/11/28 01:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2009/03/12 15:55:36 | 000,005,152 | ---- | M] () [Kernel | Auto | Running] -- C:\WINNT\system32\drivers\io.sys -- (io.sys)
DRV - [2008/05/06 16:06:00 | 000,011,520 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\wdcsam.sys -- (WDC_SAM)
DRV - [2008/04/15 17:38:56 | 000,003,712 | ---- | M] (Beyond Logic http://www.beyondlogic.org) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\PIOdriver.sys -- (PIOdriver)
DRV - [2008/04/13 13:46:22 | 000,015,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\mpe.sys -- (MPE)
DRV - [2007/03/20 08:33:26 | 000,028,672 | ---- | M] (http://libusb-win32.sourceforge.net) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\libusb0.sys -- (libusb0)
DRV - [2007/02/27 11:39:26 | 000,032,256 | ---- | M] () [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2006/10/10 12:53:48 | 000,005,632 | ---- | M] () [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2006/02/24 20:48:02 | 000,004,608 | ---- | M] (NVIDIA Corporation.) [Kernel | System | Running] -- C:\WINNT\system32\drivers\nvport.sys -- (nvport)
DRV - [2006/02/16 16:51:08 | 000,004,096 | R--- | M] (SuperAdBlocker, Inc.) [Kernel | On_Demand | Running] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2006/02/08 11:55:24 | 000,009,856 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\pfc.sys -- (pfc)
DRV - [2006/02/06 11:50:22 | 000,389,776 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2006/01/31 12:29:20 | 000,107,696 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2006/01/24 19:06:36 | 000,195,776 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINNT\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2006/01/24 19:06:32 | 000,024,768 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINNT\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2005/12/21 10:14:52 | 000,100,957 | ---- | M] (eMPIA Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\emDevice.sys -- (DCamUSBEMPIA)
DRV - [2005/12/21 10:14:52 | 000,005,245 | ---- | M] (eMPIA Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\emFilter.sys -- (FiltUSBEMPIA)
DRV - [2005/12/21 10:14:52 | 000,004,493 | ---- | M] (eMPIA Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\emScan.sys -- (ScanUSBEMPIA)
DRV - [2005/12/21 09:14:52 | 000,019,712 | ---- | M] (Pinnacle Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\emAudio.sys -- (emAudio)
DRV - [2005/12/19 19:41:58 | 000,054,968 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2005/12/19 19:41:56 | 000,337,592 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)
DRV - [2005/12/14 12:46:58 | 000,160,256 | ---- | M] (Hauppauge Computer Works, Inc.) [23|25|26]xxx) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\hcwPP2.sys -- (hcwPP2)
DRV - [2005/02/23 17:40:26 | 000,011,264 | ---- | M] (VOB Computersysteme GmbH) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\asapiW2k.sys -- (ASAPIW2K)
DRV - [2005/02/09 11:59:00 | 000,014,165 | ---- | M] (Pinnacle Systems GmbH) [Kernel | System | Running] -- C:\WINNT\system32\drivers\Pclepci.sys -- (PCLEPCI)
DRV - [2004/09/17 09:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINNT\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2004/06/19 21:28:00 | 000,025,600 | R--- | M] (TwinHan Provide) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\DtvVideo.sys -- (DtvVideo)
DRV - [2004/06/19 21:28:00 | 000,010,330 | R--- | M] (TwinHan Provide) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\DtvAudio.sys -- (DtvAudio)
DRV - [2003/10/15 17:52:50 | 000,174,530 | ---- | M] (OmniVision Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\ov519vid.sys -- (ovt519)
DRV - [2003/06/19 12:05:04 | 000,049,776 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\usbhub20.sys -- (usbhub20)
DRV - [2001/08/22 08:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINNT\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)
DRV - [2001/07/31 16:34:44 | 000,019,640 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\icam7fil.sys -- (ICam7fil) Intel®
DRV - [2001/07/31 16:33:26 | 000,158,848 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\Icam7USB.sys -- (Icam7USB) Intel®
DRV - [2001/01/16 09:21:40 | 000,173,730 | ---- | M] (Sunplus Technology Co. LTD.) [Kernel | On_Demand | Stopped] -- C:\WINNT\system32\drivers\CA506AV.SYS -- (SPCA506AV)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-299502267-764733703-1060284298-500\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
IE - HKU\S-1-5-21-299502267-764733703-1060284298-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
IE - HKU\S-1-5-21-299502267-764733703-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-299502267-764733703-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..browser.search.defaultthis.engineName: "ftabins Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT1446069&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.search.selectedEngine: "ftabins Customized Web Search"
FF - prefs.js..browser.startup.homepage: "http://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official"
FF - prefs.js..extensions.enabledItems: {d57c9ff1-6389-48fc-b770-f78bd89b6e8a}:1.32
FF - prefs.js..extensions.enabledItems: {42fe564a-cb41-4b4c-b6ae-c52b73f6150d}:2.5.8.6
FF - prefs.js..extensions.enabledItems: {1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}:2.5.10.1
FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT1446069&q="

FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.15\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/11 11:15:27 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.15\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/11 11:15:27 | 000,000,000 | ---D | M]

[2009/11/23 18:01:05 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator.JAH\Application Data\Mozilla\Extensions
[2009/08/22 11:07:55 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator.JAH\Application Data\Mozilla\Extensions\home2@tomtom.com
[2011/03/11 11:26:43 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator.JAH\Application Data\Mozilla\Firefox\Profiles\iipisylg.default\extensions
[2010/06/03 08:20:51 | 000,000,000 | ---D | M] (IE Tab 2 (FF 3.6+)) -- C:\Documents and Settings\Administrator.JAH\Application Data\Mozilla\Firefox\Profiles\iipisylg.default\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}
[2010/04/06 21:42:31 | 000,000,000 | ---D | M] (ftabins Toolbar) -- C:\Documents and Settings\Administrator.JAH\Application Data\Mozilla\Firefox\Profiles\iipisylg.default\extensions\{42fe564a-cb41-4b4c-b6ae-c52b73f6150d}
[2008/04/16 06:13:52 | 000,000,000 | ---D | M] (XHTML Mobile Profile) -- C:\Documents and Settings\Administrator.JAH\Application Data\Mozilla\Firefox\Profiles\iipisylg.default\extensions\{8ea9957e-2953-402f-80e0-bceb5f169d6f}
[2009/11/28 16:40:07 | 000,000,000 | ---D | M] ("SearchStatus") -- C:\Documents and Settings\Administrator.JAH\Application Data\Mozilla\Firefox\Profiles\iipisylg.default\extensions\{d57c9ff1-6389-48fc-b770-f78bd89b6e8a}
[2010/03/24 14:16:52 | 000,000,917 | ---- | M] () -- C:\Documents and Settings\Administrator.JAH\Application Data\Mozilla\Firefox\Profiles\iipisylg.default\searchplugins\conduit.xml
[2011/03/12 12:03:16 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/09/15 04:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2008/03/24 19:21:00 | 002,889,088 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\NPSWF32.dll

O1 HOSTS File: ([2011/03/07 13:15:18 | 000,000,027 | ---- | M]) - C:\WINNT\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - File not found
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - File not found
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-299502267-764733703-1060284298-500\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKU\S-1-5-21-299502267-764733703-1060284298-500..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKU\S-1-5-21-299502267-764733703-1060284298-500..\Run: [TomTomHOME.exe] C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe (TomTom)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-21-299502267-764733703-1060284298-500\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-299502267-764733703-1060284298-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-299502267-764733703-1060284298-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-299502267-764733703-1060284298-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131241954171 (WUWebControl Class)
O16 - DPF: {9B479D7B-916A-45B0-B042-D42865A60E21} http://largo.is-a-geek.com/DvrOcx.cab (DvrOcx Control)
O16 - DPF: {EFFDEEEC-F9E1-4461-91D2-DAEB8CC595F1} http://10.100.100.66/CSViewer.cab (CSViewer Control)
O16 - DPF: DirectAnimation Java Classes file://C:\WINNT\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINNT\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jah.com
O18 - Protocol\Handler\intu-help-qb3 {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\Program Files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINNT\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINNT\system32\NavLogon.dll - C:\WINNT\system32\NavLogon.dll (Symantec Corporation)
O20 - Winlogon\Notify\wzcnotif: DllName - wzcdlg.dll - C:\WINNT\System32\wzcdlg.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/11/04 18:51:07 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/12 12:04:52 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator.JAH\Desktop\OTL.exe
[2011/03/11 14:03:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.JAH\Local Settings\Application Data\VS Revo Group
[2011/03/08 09:28:56 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/03/07 14:00:04 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/03/07 11:58:17 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/03/07 11:53:32 | 000,389,120 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\CF22447.exe
[2011/03/07 11:50:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SUPERAntiSpyware
[2011/03/07 11:48:53 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2011/03/07 11:12:29 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbamswissarmy.sys
[2011/03/07 11:12:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/03/07 11:12:23 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbam.sys
[2011/03/07 11:12:23 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/03/07 11:06:02 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2011/03/07 11:06:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2010/04/02 15:42:37 | 000,081,920 | ---- | C] (WIZnet Corp.) -- C:\Program Files\Common Files\WIZ1x0SR_105SR_CFG.exe
[2010/04/02 15:42:34 | 000,626,688 | ---- | C] (Microsoft Corporation) -- C:\Program Files\Common Files\MSVCR80.dll
[2008/07/17 09:58:25 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Administrator.JAH\Application Data\pcouffin.sys
[2004/11/24 13:25:52 | 000,335,872 | ---- | C] ( ) -- C:\WINNT\System32\drvc.dll
[7 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> ]
[6 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/03/12 11:55:59 | 000,002,048 | --S- | M] () -- C:\WINNT\bootstat.dat
[2011/03/12 11:55:35 | 1340,133,376 | -HS- | M] () -- C:\hiberfil.sys
[2011/03/12 11:26:38 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator.JAH\Desktop\OTL.exe
[2011/03/10 10:44:56 | 000,002,206 | ---- | M] () -- C:\WINNT\System32\wpa.dbl
[2011/03/07 15:29:12 | 000,467,026 | ---- | M] () -- C:\WINNT\System32\perfh009.dat
[2011/03/07 15:29:12 | 000,081,472 | ---- | M] () -- C:\WINNT\System32\perfc009.dat
[2011/03/07 13:15:18 | 000,000,027 | ---- | M] () -- C:\WINNT\System32\drivers\etc\hosts
[2011/03/07 11:58:34 | 000,000,323 | RHS- | M] () -- C:\boot.ini
[2011/03/07 11:53:02 | 000,389,120 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\CF22447.exe
[2011/03/07 11:50:35 | 000,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/03/07 11:12:30 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/02/19 15:22:39 | 001,707,144 | ---- | M] () -- C:\WINNT\System32\FNTCACHE.DAT
[7 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> ]
[6 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/03/07 11:58:34 | 000,000,207 | ---- | C] () -- C:\Boot.bak
[2011/03/07 11:58:28 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/03/07 11:55:23 | 000,089,088 | ---- | C] () -- C:\WINNT\MBR.exe
[2011/03/07 11:55:22 | 000,256,512 | ---- | C] () -- C:\WINNT\PEV.exe
[2011/03/07 11:50:35 | 000,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/03/07 11:16:21 | 1340,133,376 | -HS- | C] () -- C:\hiberfil.sys
[2011/03/07 11:12:30 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/06/03 08:28:25 | 000,000,194 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\RmUserCfg.ini
[2010/06/03 08:28:25 | 000,000,026 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\IpAndPort.fig
[2010/04/12 13:37:42 | 000,022,528 | ---- | C] () -- C:\WINNT\System32\DvrOcxRUS.dll
[2010/04/12 13:37:02 | 000,209,408 | ---- | C] () -- C:\WINNT\System32\DvrOcxCHS.dll
[2010/04/12 13:37:02 | 000,074,240 | ---- | C] () -- C:\WINNT\System32\CovH264ToAvi.dll
[2010/03/31 15:43:28 | 000,196,608 | ---- | C] () -- C:\WINNT\System32\nvrfs.dll
[2010/03/13 22:25:37 | 000,643,344 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/03/13 13:46:04 | 000,671,839 | ---- | C] () -- C:\WINNT\System32\RM_DVRNET_DLL.dll
[2010/03/09 10:40:11 | 000,000,135 | ---- | C] () -- C:\WINNT\System32\AddPort.ini
[2010/03/09 10:40:10 | 000,003,399 | ---- | C] () -- C:\WINNT\System32\hptcpmon.ini
[2010/03/09 10:37:42 | 000,068,274 | ---- | C] () -- C:\WINNT\hpoins05.dat
[2010/02/02 20:59:13 | 000,000,095 | ---- | C] () -- C:\WINNT\QBChanUtil_Trigger.ini
[2009/11/27 23:44:25 | 000,000,471 | ---- | C] () -- C:\WINNT\System32\restore.ini
[2009/11/24 19:16:53 | 000,000,038 | ---- | C] () -- C:\WINNT\ainpr.ini
[2009/11/24 19:16:00 | 000,000,038 | ---- | C] () -- C:\WINNT\aqbpr.ini
[2009/11/24 19:03:48 | 000,000,196 | ---- | C] () -- C:\WINNT\aqpr.ini
[2009/09/11 23:09:32 | 000,000,256 | ---- | C] () -- C:\WINNT\System32\pool.bin
[2009/09/03 10:45:04 | 000,002,596 | ---- | C] () -- C:\WINNT\aopr.ini
[2009/09/02 09:54:49 | 000,188,416 | ---- | C] () -- C:\WINNT\System32\intelbth.dll
[2009/09/02 09:54:49 | 000,065,536 | ---- | C] () -- C:\WINNT\System32\ICE_JNIRegistry.dll
[2009/09/02 09:30:24 | 000,001,095 | ---- | C] () -- C:\WINNT\ARPR.INI
[2009/09/02 09:29:47 | 000,000,196 | ---- | C] () -- C:\WINNT\apdfpr.ini
[2009/09/02 09:24:55 | 000,001,456 | ---- | C] () -- C:\WINNT\ARCHPR.INI
[2009/09/02 09:23:01 | 000,000,967 | ---- | C] () -- C:\WINNT\APDFPRP.INI
[2009/08/13 11:19:40 | 000,036,425 | ---- | C] () -- C:\Documents and Settings\Administrator.JAH\Application Data\Microsoft Excel 97-2003.ADR
[2009/07/23 17:51:26 | 000,229,442 | ---- | C] () -- C:\WINNT\System32\winpubf.dll
[2009/06/22 11:42:35 | 000,069,417 | ---- | C] () -- C:\WINNT\hpoins05.dat.temp
[2009/06/22 11:42:35 | 000,019,696 | ---- | C] () -- C:\WINNT\hpomdl05.dat.temp
[2009/06/22 10:56:34 | 000,019,696 | ---- | C] () -- C:\WINNT\hpomdl05.dat
[2009/05/26 15:27:27 | 000,001,324 | ---- | C] () -- C:\WINNT\System32\d3d9caps.dat
[2009/03/12 15:56:15 | 000,000,019 | ---- | C] () -- C:\WINNT\info4.ini
[2009/03/12 15:56:15 | 000,000,019 | ---- | C] () -- C:\WINNT\info10.ini
[2009/03/12 15:56:12 | 000,000,019 | ---- | C] () -- C:\WINNT\info2.ini
[2009/03/12 15:56:12 | 000,000,019 | ---- | C] () -- C:\WINNT\info12.ini
[2009/03/12 15:56:11 | 000,000,019 | ---- | C] () -- C:\WINNT\info9.ini
[2009/03/12 15:56:11 | 000,000,019 | ---- | C] () -- C:\WINNT\info7.ini
[2009/03/12 15:56:10 | 001,269,760 | ---- | C] () -- C:\WINNT\System32\asocket.dll
[2009/03/12 15:55:36 | 000,005,152 | ---- | C] () -- C:\WINNT\System32\drivers\io.sys
[2009/01/29 15:24:34 | 000,000,000 | ---- | C] () -- C:\WINNT\System32\CMMGR32.EXE
[2008/12/24 17:30:41 | 000,000,000 | ---- | C] () -- C:\WINNT\Graffiti5.2Pin.ini
[2008/08/28 15:12:25 | 000,000,056 | -H-- | C] () -- C:\WINNT\System32\ezsidmv.dat
[2008/08/12 17:47:26 | 000,000,038 | ---- | C] () -- C:\WINNT\AviSplitter.INI
[2008/07/17 09:59:03 | 000,000,668 | ---- | C] () -- C:\Documents and Settings\Administrator.JAH\Application Data\vso_ts_preview.xml
[2008/07/17 09:58:25 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\Administrator.JAH\Application Data\pcouffin.cat
[2008/07/17 09:58:25 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\Administrator.JAH\Application Data\pcouffin.inf
[2008/07/17 09:52:33 | 000,000,067 | ---- | C] () -- C:\WINNT\Easy WMV ASF ASX to DVD Burner.INI
[2008/07/16 12:34:01 | 000,000,116 | ---- | C] () -- C:\WINNT\NeroDigital.ini
[2008/07/05 11:41:09 | 000,126,976 | ---- | C] () -- C:\WINNT\System32\THBIni20.dll
[2008/07/05 05:14:48 | 000,456,192 | ---- | C] () -- C:\WINNT\System32\libmplayer.dll
[2008/07/05 05:14:44 | 003,591,168 | ---- | C] () -- C:\WINNT\System32\libavcodec.dll
[2008/07/05 05:13:16 | 000,708,096 | ---- | C] () -- C:\WINNT\System32\ff_x264.dll
[2008/06/22 11:34:00 | 000,177,664 | ---- | C] () -- C:\WINNT\System32\ff_theora.dll
[2008/06/13 05:39:38 | 000,023,552 | ---- | C] () -- C:\WINNT\System32\ff_wmv9.dll
[2008/06/12 12:36:38 | 000,007,680 | ---- | C] () -- C:\WINNT\System32\ff_vfw.dll
[2008/06/06 15:54:44 | 000,098,816 | ---- | C] () -- C:\WINNT\sed.exe
[2008/06/06 15:54:44 | 000,080,412 | ---- | C] () -- C:\WINNT\grep.exe
[2008/06/06 15:54:44 | 000,068,096 | ---- | C] () -- C:\WINNT\zip.exe
[2008/04/16 06:14:15 | 000,000,000 | ---- | C] () -- C:\WINNT\vpc32.INI
[2008/04/15 11:57:59 | 000,000,105 | ---- | C] () -- C:\WINNT\ftk.INI
[2008/02/10 20:27:11 | 000,000,000 | ---- | C] () -- C:\WINNT\brmx2001.ini
[2008/02/10 20:27:10 | 000,000,146 | ---- | C] () -- C:\WINNT\BRVIDEO.INI
[2008/02/10 20:27:02 | 000,000,426 | ---- | C] () -- C:\WINNT\BRWMARK.INI
[2008/02/10 20:27:02 | 000,000,034 | ---- | C] () -- C:\WINNT\System32\BD2170W.DAT
[2008/02/10 20:26:52 | 000,009,853 | ---- | C] () -- C:\WINNT\HL-2170W.INI
[2008/02/10 20:26:02 | 000,000,286 | ---- | C] () -- C:\WINNT\Brownie.ini
[2007/02/22 18:29:38 | 000,000,017 | ---- | C] () -- C:\WINNT\MovingPicture.ini
[2007/02/22 17:47:05 | 000,194,248 | ---- | C] () -- C:\WINNT\System32\LTRFD13n.DLL
[2007/02/22 17:43:48 | 000,001,289 | ---- | C] () -- C:\WINNT\VFO.INI
[2007/02/22 17:43:47 | 000,196,096 | ---- | C] () -- C:\WINNT\System32\macd32.dll
[2007/02/22 17:43:47 | 000,138,752 | ---- | C] () -- C:\WINNT\System32\mase32.dll
[2007/02/22 17:43:47 | 000,136,192 | ---- | C] () -- C:\WINNT\System32\mamc32.dll
[2007/02/22 17:43:47 | 000,057,856 | ---- | C] () -- C:\WINNT\System32\masd32.dll
[2007/02/22 17:43:47 | 000,027,648 | ---- | C] () -- C:\WINNT\System32\ma32.dll
[2007/01/17 21:20:34 | 000,001,471 | ---- | C] () -- C:\WINNT\mozver.dat
[2007/01/17 21:19:41 | 000,000,000 | ---- | C] () -- C:\WINNT\nsreg.dat
[2006/11/02 10:10:16 | 000,080,912 | ---- | C] () -- C:\WINNT\System32\sherlock2.exe
[2006/03/07 15:04:22 | 000,210,944 | ---- | C] () -- C:\WINNT\System32\Msvcrt10.dll
[2006/03/07 15:04:20 | 000,065,536 | ---- | C] () -- C:\WINNT\System32\adistres.dll
[2006/03/03 00:33:26 | 000,000,729 | ---- | C] () -- C:\WINNT\hpntwksetup.ini
[2006/03/02 17:24:00 | 000,012,288 | ---- | C] () -- C:\WINNT\System32\e100bmsg.dll
[2006/03/02 16:49:06 | 000,002,048 | --S- | C] () -- C:\WINNT\bootstat.dat
[2006/03/02 01:00:28 | 000,200,704 | ---- | C] () -- C:\WINNT\sel3110.exe
[2006/03/02 01:00:28 | 000,040,960 | ---- | C] () -- C:\WINNT\CleanDev.exe
[2006/03/02 01:00:26 | 000,032,528 | ---- | C] () -- C:\WINNT\amcap.exe
[2006/02/18 09:47:32 | 000,006,550 | ---- | C] () -- C:\WINNT\jautoexp.dat
[2006/02/12 10:08:32 | 000,209,920 | ---- | C] () -- C:\Documents and Settings\Administrator.JAH\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/02/11 12:13:25 | 000,000,028 | ---- | C] () -- C:\WINNT\nanoPEG.ini
[2006/02/11 12:13:08 | 000,065,536 | ---- | C] () -- C:\WINNT\System32\dmcrypto.dll
[2006/02/11 12:11:02 | 000,000,248 | ---- | C] () -- C:\WINNT\HCWBlast.ini
[2006/02/11 12:10:42 | 000,026,549 | ---- | C] () -- C:\WINNT\Irremote.ini
[2006/02/11 12:00:50 | 000,102,400 | ---- | C] () -- C:\WINNT\System32\hcwXDS.dll
[2006/02/10 15:37:13 | 000,000,579 | ---- | C] () -- C:\WINNT\HCWPNP.INI
[2006/02/10 11:34:16 | 000,188,416 | ---- | C] () -- C:\WINNT\Hws5a.exe
[2006/02/10 11:34:16 | 000,118,784 | ---- | C] () -- C:\WINNT\ShowBmp.exe
[2006/02/10 11:34:16 | 000,065,024 | ---- | C] () -- C:\WINNT\amcap5a.exe
[2006/02/10 11:34:16 | 000,014,848 | ---- | C] () -- C:\WINNT\Tuner.exe
[2006/02/10 11:34:16 | 000,014,345 | ---- | C] () -- C:\WINNT\tw5a.ini
[2006/02/10 11:34:16 | 000,014,336 | ---- | C] () -- C:\WINNT\I2C.exe
[2006/02/10 11:34:16 | 000,000,162 | ---- | C] () -- C:\WINNT\Setup5a.ini
[2005/11/05 22:06:21 | 000,000,140 | ---- | C] () -- C:\Documents and Settings\Administrator.JAH\Local Settings\Application Data\fusioncache.dat
[2005/11/05 22:03:06 | 000,000,701 | ---- | C] () -- C:\WINNT\ODBC.INI
[2005/11/04 18:50:14 | 000,021,952 | -H-- | C] () -- C:\Program Files\folder.htt
[2005/11/04 18:49:22 | 000,022,688 | ---- | C] () -- C:\WINNT\System32\emptyregdb.dat
[2005/11/04 13:42:11 | 000,004,283 | ---- | C] () -- C:\WINNT\ODBCINST.INI
[2005/11/04 13:39:53 | 001,707,144 | ---- | C] () -- C:\WINNT\System32\FNTCACHE.DAT
[2004/10/03 11:50:54 | 000,129,024 | ---- | C] () -- C:\WINNT\System32\ff_mpeg2enc.dll
[2004/08/02 14:20:40 | 000,004,569 | ---- | C] () -- C:\WINNT\System32\secupd.dat
[2004/03/11 00:26:10 | 000,406,016 | ---- | C] () -- C:\WINNT\System32\PSDrvCheck.exe
[2002/03/21 14:39:02 | 000,073,728 | ---- | C] () -- C:\WINNT\System32\UNACEV2.DLL
[2001/08/23 11:00:00 | 013,107,200 | ---- | C] () -- C:\WINNT\System32\oembios.bin
[2001/08/23 11:00:00 | 000,004,463 | ---- | C] () -- C:\WINNT\System32\oembios.dat
[2001/08/23 10:00:00 | 000,673,088 | ---- | C] () -- C:\WINNT\System32\mlang.dat
[2001/08/23 10:00:00 | 000,272,128 | ---- | C] () -- C:\WINNT\System32\perfi009.dat
[2001/08/23 10:00:00 | 000,218,003 | ---- | C] () -- C:\WINNT\System32\dssec.dat
[2001/08/23 10:00:00 | 000,046,258 | ---- | C] () -- C:\WINNT\System32\mib.bin
[2001/08/23 10:00:00 | 000,028,626 | ---- | C] () -- C:\WINNT\System32\perfd009.dat
[2001/08/23 10:00:00 | 000,001,804 | ---- | C] () -- C:\WINNT\System32\dcache.bin
[2001/08/17 17:36:28 | 000,363,520 | ---- | C] () -- C:\WINNT\System32\psisdecd.dll
[1999/12/07 07:00:00 | 000,467,026 | ---- | C] () -- C:\WINNT\System32\perfh009.dat
[1999/12/07 07:00:00 | 000,176,400 | ---- | C] () -- C:\WINNT\System32\qcut.dll
[1999/12/07 07:00:00 | 000,081,472 | ---- | C] () -- C:\WINNT\System32\perfc009.dat
[1999/12/07 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINNT\System32\noise.dat
[1999/09/25 05:36:24 | 000,088,816 | ---- | C] () -- C:\WINNT\System32\drivers\lvcam.sys
[1999/09/25 05:36:22 | 000,017,424 | ---- | C] () -- C:\WINNT\System32\drivers\lvsound.sys

< End of report >

Extras.txt

OTL Extras logfile created on: 03/12/11 12:05:12 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Administrator.JAH\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: MM/dd/yy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 45.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 1920 3840 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 9.70 Gb Free Space | 13.02% Space Free | Partition Type: NTFS
Drive W: | 232.88 Gb Total Space | 7.96 Gb Free Space | 3.42% Space Free | Partition Type: NTFS

Computer Name: CAMSRV | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-299502267-764733703-1060284298-500\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- %1
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [ACDSee Pro 2.0.Browse] -- "C:\Program Files\ACD Systems\ACDSee Pro\2.0\ACDSeeQVPro2.exe" "%1" (ACD Systems)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UpdatesDisableNotify" = 0
"AntiVirusDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"12121:TCP" = 12121:TCP:*:Enabled:ElcomSoft Distributed Agents TCP Port
"12122:TCP" = 12122:TCP:*:Enabled:ElcomSoft Distributed Password Recovery Console TCP Port

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"12121:TCP" = 12121:TCP:*:Enabled:ElcomSoft Distributed Agents TCP Port
"12122:TCP" = 12122:TCP:*:Enabled:ElcomSoft Distributed Password Recovery Console TCP Port

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"W:\Program Files\webcamXP\webcamXP.exe" = W:\Program Files\webcamXP\webcamXP.exe:*:Enabled:webcamXP
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger
"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server
"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes
"C:\Program Files\ElcomSoft\Distributed Password Recovery\esdprs.exe" = C:\Program Files\ElcomSoft\Distributed Password Recovery\esdprs.exe:*:Enabled:ElcomSoft Distributed Password Recovery Server
"C:\Program Files\ElcomSoft\Distributed Password Recovery\esdpr.exe" = C:\Program Files\ElcomSoft\Distributed Password Recovery\esdpr.exe:*:Enabled:ElcomSoft Distributed Password Recovery Console
"C:\Program Files\ElcomSoft\Distributed Password Recovery\esda.exe" = C:\Program Files\ElcomSoft\Distributed Password Recovery\esda.exe:*:Enabled:ElcomSoft Distributed Agent

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Pinnacle\Studio 10\programs\RM.exe" = C:\Program Files\Pinnacle\Studio 10\programs\RM.exe:*:Enabled:Render Manager -- (Pinnacle Systems, Inc.)
"C:\Program Files\Pinnacle\Studio 10\programs\Studio.exe" = C:\Program Files\Pinnacle\Studio 10\programs\Studio.exe:*:Enabled:Studio -- (Pinnacle Systems)
"C:\Program Files\Pinnacle\Studio 10\programs\PMSRegisterFile.exe" = C:\Program Files\Pinnacle\Studio 10\programs\PMSRegisterFile.exe:*:Enabled:PMSRegisterFile -- ( )
"C:\Program Files\Pinnacle\Studio 10\programs\umi.exe" = C:\Program Files\Pinnacle\Studio 10\programs\umi.exe:*:Enabled:umi -- (Pinnacle Systems, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{04AF207D-9A77-465A-8B76-991F6AB66245}" = Adobe Help Viewer CS3
"{055FEF8E-4B86-400F-A5C6-8FAC0042DCD9}" = NVIDIA PureVideo Decoder
"{06A9E630-DBA6-4D92-9DE7-A235AA6496C7}" = QuickBooks
"{0700E22B-A422-40A5-BD20-04BF618CA0F9}" = QuickBooks Pro 2010
"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting
"{0DC86BEC-5CE3-413A-BB61-C40A3D186B24}" = Scan
"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin
"{2227E1FA-01F5-483C-AB0E-2A308E900B3D}" = InterVideo FilterSDK for Hauppauge
"{24D7346D-D4B4-45E8-98EA-75EC14B42DD8}" = Adobe ExtendScript Toolkit 2
"{268723B7-A994-4286-9F85-B974D5CAFC7B}" = EasyRecovery Professional
"{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3
"{2A7F5E60-329D-4A9F-8FAA-CEE297F2D25B}" = AccessData Forensic Toolkit
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{388E4B09-3E71-4649-8921-F44A3A2954A7}" = Microsoft Visual Studio 2005 Tools for Office Runtime
"{38A50E67-F58B-43B1-B5C3-CB7CEB2187F9}_is1" = JtagUtility v1.3
"{38DD4DDD-A6BD-4B21-B61F-18561575C7DB}" = IPView SE
"{3CB05291-F546-458E-A796-B5BCF5A3CDC4}" = Studio 10
"{3E908702-AF35-4611-9518-955DA24B7E07}" = Microsoft XML Parser and SDK
"{3F9B2FD2-1C83-4401-9967-C3636638E958}" = Adobe SING CS3
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin
"{4AAC95F4-A30E-4EE5-A086-6F79581D0D70}" = ACDSee Pro 2
"{4D612FB2-1AE7-4E46-9377-35BB2F06A787}" = Roxio Media Manager
"{4F3E17F8-F1C8-4A4B-9EB8-1EE2D190CDA9}" = Adobe Setup
"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
"{51846830-E7B2-4218-8968-B77F0FF475B8}" = Adobe Color EU Extra Settings
"{5469D537-9B44-4c78-BF2D-5F9807564F74}" = HP PSC & OfficeJet 4.7
"{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3
"{56B8B892-317E-4FDE-9E4D-44B189848A27}" = Adobe Setup
"{5A13987D-55F4-4271-A40E-76AC9B1B38FD}" = OpenOffice.org 3.2
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{655CB07D-C944-40BE-B93F-55957CAC7625}" = AiO_Scan
"{6A012D9C-2E2E-405A-B87C-E909F5297C3F}" = Studio 10 Bonus DVD
"{6ABE0BEE-D572-4FE8-B434-9E72A289431B}" = Adobe Fonts All
"{6BAE05B5-0DB4-4152-B28E-529D55C1DD9F}" = D-Link TV Tuner & Video Capture
"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{75CBE62D-E961-42B4-0084-2314E5B00035}" = Symantec Ghost Console and Standard Tools
"{802771A9-A856-4A41-ACF7-1450E523C923}" = Adobe XMP Panels CS3
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver
"{8DA11374-789A-4CDF-8938-93143F0BDA14}" = Brother HL-2170W
"{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support
"{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533}" = TomTom HOME Visual Studio Merge Modules
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{BEE75E01-DD3F-4D5F-B96C-609E6538D419}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROPLUS_{3EC77D26-799B-4CD8-914F-C1565E796173}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROPLUS_{430971B1-C31E-45DA-81E0-72C095BAB72C}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROPLUS_{F7A31780-33C4-4E39-951A-5EC9B91D7BF1}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROPLUS_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROPLUS_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROPLUS_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
"{91490409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Primary Interop Assemblies
"{95655ED4-7CA5-46DF-907F-7144877A32E5}" = Adobe Color NA Recommended Settings
"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3
"{A011A1DC-7F1D-4EA8-BD11-0C5F9718E428}" = Symantec AntiVirus
"{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A5B5B6D8-DE44-44A3-90C4-8C07A1E0FAD4}" = WBFS Manager 2.5
"{A77F3C2D-50CC-4A29-A1FB-1E018BE4DCA2}" = DiscAPI (Studio 10)
"{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}" = PDF Settings
"{AC76BA86-1033-0000-7760-000000000002}" = Adobe Acrobat 7.0 Professional
"{AC76BA86-1033-F400-7760-000000000003}" = Adobe Acrobat 8 Professional - English, Français, Deutsch
"{B32261CD-F1C8-42C3-B507-CB6B87CEC1A8}" = Passware Kit Enterprise 9.3
"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0
"{B3C02EC1-A7B0-4987-9A43-8789426AAA7D}" = Adobe Setup
"{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}" = Adobe Default Language CS3
"{BB406CEB-6207-4512-9BB2-89950DC9D6B6}_is1" = ConvertXtoDVD 2.2.3.258h
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{CB011820-5484-4BC9-9644-88C17A69E708}" = WIZ1x0_105SR Configtool
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CB3F8375-B600-4B9F-83C9-238ED1E583FD}" = Adobe InDesign CS3
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF1CEE5B-EA17-469A-995B-91A1FC03E031}" = 4Team DuplicateKiller
"{D041EB9E-890A-4098-8F94-51DA194AC72A}" = Pinnacle Studio 12
"{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client
"{D1860E6E-520E-4380-8433-E58E8F88B473}" = Pinnacle Studio 12 Ultimate Plugins
"{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}" = Adobe PDF Library Files
"{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}" = Adobe Color Common Settings
"{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}" = Adobe Color JA Extra Settings
"{E09B48B5-E141-427A-AB0C-D3605127224A}" = Microsoft SQL Server Desktop Engine (WHATSUP)
"{E1D8B687-F098-4C43-B388-CFE3C621EE38}" = AccessData FTK Imager
"{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3
"{EA79BC0F-9FD3-438A-8FF7-4F5FE1F80EA5}" = AccessData KFF Database Jun 07
"{EA7B3CC4-366D-4CF6-8350-FD7A7034116E}" = Adobe InDesign CS3 Icon Handler
"{EEECE229-49F6-4851-A73A-99B058221F8C}" = RAPID (Studio 10)
"{EF781A5C-58F5-4BFD-87F9-E4F14D382F25}" = Pinnacle Instant DVD Recorder
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F54AC413-D2C6-4A24-B324-370C223C6250}" = Adobe Photoshop Elements 6.0
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe Acrobat 7.0 Professional" = Adobe Acrobat 7.0 Professional
"Adobe Acrobat 8 Professional - English, Français, Deutsch" = Adobe Acrobat 8.1.3 Professional
"Adobe Photoshop Elements 6" = Adobe Photoshop Elements 6.0
"Adobe_05ba3a63f36684fe0c5dde2ebe6f8f5" = Adobe InDesign CS3
"Adobe_3e054d2218e7aa282c2369d939e58ff" = Adobe ExtendScript Toolkit 2
"Adobe_a04a925a57548091300ada368235fc6" = Adobe Illustrator CS3
"Advanced Port Scanner v1.3" = Advanced Port Scanner v1.3
"Advanced QuickBooks Password Recovery" = Advanced QuickBooks Password Recovery
"Advanced RAR Password Recovery" = Advanced RAR Password Recovery (remove only)
"BitLord" = BitLord 1.1
"Distributed Password Recovery" = Distributed Password Recovery
"D-Link VGA Webcam" = D-Link VGA Webcam
"Easy WMV/ASF/ASX to DVD Burner_is1" = Easy WMV/ASF/ASX to DVD Burner 1.8.10
"ERUNT_is1" = ERUNT 1.1j
"ESET Online Scanner" = ESET Online Scanner v3
"File Shredder_is1" = File Shredder 2.0
"FixTunes" = FixTunes (remove only)
"gBurner" = gBurner
"Hauppauge WinTV2000" = Hauppauge WinTV2000
"Hauppauge WinTV-PVR 150 Drivers" = Hauppauge WinTV-PVR 150 Drivers
"HijackThis" = HijackThis 2.0.2
"HP Photo & Imaging" = HP Image Zone 4.7
"HyperSnap 6" = HyperSnap 6
"ImgBurn" = ImgBurn
"ImTOO iPod Manager" = ImTOO iPod Computer Transfer
"InstallShield_{268723B7-A994-4286-9F85-B974D5CAFC7B}" = EasyRecovery Professional
"InstallShield_{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin
"LibUSB-Win32_is1" = LibUSB-Win32-0.1.12.1
"LiveUpdate" = LiveUpdate 3.0 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Visual Studio 2005 Tools for Office Runtime" = Microsoft Visual Studio 2005 Tools for Office Runtime
"Mozilla Firefox (3.6.15)" = Mozilla Firefox (3.6.15)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"nanoPEG-Editor 2.2 Hauppauge Edition_is1" = nanoPEG-Editor 2.2 Hauppauge Edition
"NeroMultiInstaller!UninstallKey" = Nero Suite
"proDAD-Heroglyph-2.5" = proDAD Heroglyph 2.5
"proDAD-Vitascene-1.0" = proDAD Vitascene 1.0
"PROPLUS" = Microsoft Office Professional Plus 2007
"PROSet" = Intel® PRO Network Adapters and Drivers
"RAR Password Cracker" = RAR Password Cracker 4.12
"Tansee iPod Transfer_is1" = Tansee iPod Transfer v3.8
"Tipard iPod to PC Transfer_is1" = Tipard iPod to PC Transfer
"TomTom HOME" = TomTom HOME 2.7.6.2056
"WGA" = Windows Genuine Advantage Validation Tool
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Xilisoft Video Converter Ultimate" = Xilisoft Video Converter Ultimate
"XP Codec Pack" = XP Codec Pack

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 03/11/11 3:18:17 PM | Computer Name = CAMSRV | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 03/11/11 3:20:12 PM | Computer Name = CAMSRV | Source = UserInit | ID = 1000
Description = Could not execute the following script login.bat. The system cannot
find the file specified. .

Error - 03/12/11 12:17:54 PM | Computer Name = CAMSRV | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 03/12/11 12:17:57 PM | Computer Name = CAMSRV | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 03/12/11 12:18:00 PM | Computer Name = CAMSRV | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 03/12/11 12:18:50 PM | Computer Name = CAMSRV | Source = UserInit | ID = 1000
Description = Could not execute the following script login.bat. The system cannot
find the file specified. .

Error - 03/12/11 12:59:59 PM | Computer Name = CAMSRV | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 03/12/11 1:00:02 PM | Computer Name = CAMSRV | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 03/12/11 1:00:04 PM | Computer Name = CAMSRV | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 03/12/11 1:01:54 PM | Computer Name = CAMSRV | Source = UserInit | ID = 1000
Description = Could not execute the following script login.bat. The system cannot
find the file specified. .

[ OSession Events ]
Error - 06/22/09 11:28:22 AM | Computer Name = CAMSRV | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6212.1000, Microsoft Office Version: 12.0.6215.1000. This session lasted 81848
seconds with 180 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 03/12/11 12:20:19 PM | Computer Name = CAMSRV | Source = Service Control Manager | ID = 7023
Description = The Automatic Updates service terminated with the following error:
%%126

Error - 03/12/11 12:20:19 PM | Computer Name = CAMSRV | Source = Service Control Manager | ID = 7034
Description = The Adobe Active File Monitor V6 service terminated unexpectedly.
It has done this 1 time(s).

Error - 03/12/11 12:34:26 PM | Computer Name = CAMSRV | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 29 minutes. NtpClient has no source of accurate
time.

Error - 03/12/11 12:46:32 PM | Computer Name = CAMSRV | Source = Service Control Manager | ID = 7023
Description = The Automatic Updates service terminated with the following error:
%%126

Error - 03/12/11 12:47:02 PM | Computer Name = CAMSRV | Source = DCOM | ID = 10010
Description = The server {E60687F7-01A1-40AA-86AC-DB1CBF673334} did not register
with DCOM within the required timeout.

Error - 03/12/11 1:00:02 PM | Computer Name = CAMSRV | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain JAH due to the following:
%%1311. Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

Error - 03/12/11 1:00:08 PM | Computer Name = CAMSRV | Source = Print | ID = 33
Description = The PrintQueue Container could not be found because the DNS Domain
name could not be retrieved. Error: 54b

Error - 03/12/11 1:00:51 PM | Computer Name = CAMSRV | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 03/12/11 1:00:51 PM | Computer Name = CAMSRV | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 03/12/11 1:01:36 PM | Computer Name = CAMSRV | Source = Service Control Manager | ID = 7023
Description = The Automatic Updates service terminated with the following error:
%%126


< End of report >

#8 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 12 March 2011 - 12:22 PM

Hello,

How are things running?

OTL Fix

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.

    :Services
    :OTL
    SRV - File not found [Disabled | Stopped] -- -- (RoxWatch9)
    SRV - File not found [Disabled | Stopped] -- -- (RoxMediaDB9)
    SRV - File not found [Disabled | Stopped] -- -- (RoxLiveShare9)
    SRV - File not found [Disabled | Stopped] -- -- (Roxio Upnp Server 9)
    SRV - File not found [Disabled | Stopped] -- -- (Roxio UPnP Renderer 9)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - File not found
    O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - File not found
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-299502267-764733703-1060284298-500\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O16 - DPF: DirectAnimation Java Classes file://C:\WINNT\Java\classes\dajava.cab (Reg Error: Key error.)
    O16 - DPF: Microsoft XML Parser for Java file://C:\WINNT\Java\classes\xmldso.cab (Reg Error: Key error.)
    [2011/03/07 11:53:32 | 000,389,120 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\CF22447.exe
    [7 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> ]
    [6 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> ]
    [7 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> ]
    [6 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> ]
    
    :Reg
    
    :Files
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    [emptytemp]
    [EMPTYFLASH]
    
  • Push Run Fix.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:



Running ComboFix
Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
  • IMPORTANT - Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

    Note: If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If for some reason these applications will not uninstall, try uninstalling with AppRemover by Opswat.
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#9 jnord24

jnord24
  • Topic Starter

  • Members
  • 39 posts

Posted 12 March 2011 - 12:44 PM

Not so good. Desktop takes forever to show up after rebooting. Looks like something might be hooked on explorer.exe. Explorer starts running and fighting with system idle for CPU and memory, and the memory used by explorer just keeps climbing. So it takes forever for the task bar to appear and the desktop flashes a whole bunch of times. The icons show up without their pictures.

Here is the contents of the OTL log, I'm going to run combofix right now.

All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
Service RoxWatch9 stopped successfully!
Service RoxWatch9 deleted successfully!
Service RoxMediaDB9 stopped successfully!
Service RoxMediaDB9 deleted successfully!
Service RoxLiveShare9 stopped successfully!
Service RoxLiveShare9 deleted successfully!
Service Roxio Upnp Server 9 stopped successfully!
Service Roxio Upnp Server 9 deleted successfully!
Service Roxio UPnP Renderer 9 stopped successfully!
Service Roxio UPnP Renderer 9 deleted successfully!
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel\ not found.
Registry key HKEY_USERS\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel\ not found.
Registry key HKEY_USERS\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel\ not found.
Registry key HKEY_USERS\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel\ not found.
Registry key HKEY_USERS\S-1-5-21-299502267-764733703-1060284298-500\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
File Animation Java Classes file://C:\WINNT\Java\classes\dajava.cab not found.
Starting removal of ActiveX control DirectAnimation Java Classes
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\DirectAnimation Java Classes\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\DirectAnimation Java Classes\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\DirectAnimation Java Classes\ not found.
File oft XML Parser for Java file://C:\WINNT\Java\classes\xmldso.cab not found.
Starting removal of ActiveX control Microsoft XML Parser for Java
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Microsoft XML Parser for Java\ not found.
C:\WINNT\system32\CF22447.exe moved successfully.
C:\WINNT\002450_.tmp deleted successfully.
C:\WINNT\006033_.tmp deleted successfully.
C:\WINNT\msdownld.tmp folder deleted successfully.
C:\WINNT\msiinst.tmp\msiexec.exe deleted successfully.
C:\WINNT\msiinst.tmp folder deleted successfully.
C:\WINNT\SET38.tmp deleted successfully.
C:\WINNT\SET67.tmp deleted successfully.
C:\WINNT\SET71.tmp deleted successfully.
C:\WINNT\System32\CONFIG.TMP deleted successfully.
C:\WINNT\System32\SET6A5.tmp deleted successfully.
C:\WINNT\System32\SET6A6.tmp deleted successfully.
C:\WINNT\System32\SET700.tmp deleted successfully.
C:\WINNT\System32\SET705.tmp deleted successfully.
C:\WINNT\System32\SET70C.tmp deleted successfully.
========== REGISTRY ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Administrator.JAH\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Administrator.JAH\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINNT\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTL Restore Point (0)

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 134 bytes
->FireFox cache emptied: 3409457 bytes

User: Administrator.JAH
->Temp folder emptied: 82063275 bytes
->Temporary Internet Files folder emptied: 109504 bytes
->Java cache emptied: 10681033 bytes
->FireFox cache emptied: 85951385 bytes
->Flash cache emptied: 2096 bytes

User: ADMINI~1~JAH

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 70635 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 32902 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 174.00 mb


[EMPTYFLASH]

User: Administrator

User: Administrator.JAH
->Flash cache emptied: 0 bytes

User: ADMINI~1~JAH

User: All Users

User: Default User

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 03122011_123147

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

#10 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 12 March 2011 - 12:46 PM

Okay.



#11 jnord24

jnord24
  • Topic Starter

  • Members
  • 39 posts

Posted 12 March 2011 - 01:03 PM

Ran combofix and it appears to have hung during stage 5. I say hung, because the mouse won't mouse and that's not normal even during combofix. It's been stuck like this for over 10 minutes.

#12 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 12 March 2011 - 01:06 PM

Wait a little bit longer, and if it still is frozen do a hard reset and run ComboFix in Safe Mode.



#13 jnord24

jnord24
  • Topic Starter

  • Members
  • 39 posts

Posted 12 March 2011 - 01:52 PM

Results of combofix in safe mode:

ComboFix 11-03-06.06 - Administrator 03/12/2011 13:18:52.5.1 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1278.1012 [GMT -5:00]
Running from: c:\temp\00 computer check\06 combofix\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\program files\Java
c:\program files\Java\jre1.5.0_10\lib\ext\QTJava.zip
c:\winnt\system32\LogFiles
c:\winnt\system32\LogFiles\WUDF\WUDFTrace.etl
.
.
((((((((((((((((((((((((( Files Created from 2011-02-12 to 2011-03-12 )))))))))))))))))))))))))))))))
.
.
2011-03-12 17:31 . 2011-03-12 17:31 -------- d-----w- C:\_OTL
2011-03-12 16:26 . 2011-03-12 16:26 580608 ----a-w- c:\temp\00 computer check\12 OTL\OTL.exe
2011-03-12 16:26 . 2011-03-12 16:26 133632 ----a-w- c:\temp\00 computer check\11 rootkit unhooker\RKUnhookerLE.EXE
2011-03-11 19:03 . 2011-03-11 19:03 -------- d-----w- c:\documents and settings\Administrator.JAH\Local Settings\Application Data\VS Revo Group
2011-03-11 18:52 . 2010-03-12 17:24 720539 ----a-w- c:\temp\501_b073_multilanguage\_setup.exe
2011-03-11 18:52 . 2010-03-12 17:24 2584848 ----a-w- c:\temp\501_b073_multilanguage\WindowsInstaller-KB893803-x86.exe
2011-03-11 18:51 . 2010-03-12 17:24 4890096 ----a-w- c:\temp\501_b073_multilanguage\SR_MM\setup.exe
2011-03-11 18:51 . 2010-03-12 17:24 2003176 ----a-w- c:\temp\501_b073_multilanguage\SR_MM\INSNTMSI.EXE
2011-03-11 18:50 . 2010-03-12 17:24 186864 ----a-w- c:\temp\501_b073_multilanguage\SR_MM\ACTIVATION_103\Rsl.dll
2011-03-11 18:50 . 2010-03-12 17:24 186864 ----a-w- c:\temp\501_b073_multilanguage\SR_MM\ACTIVATION_103\Rcsl.dll
2011-03-11 18:50 . 2010-03-12 17:24 925544 ----a-w- c:\temp\501_b073_multilanguage\ISSetupPrerequisites\{C970AF69-402F-4513-A810-4EAD0168C8BF}\msxml6-KB933579-enu-x86.exe
2011-03-11 18:50 . 2010-03-12 17:24 1858904 ----a-w- c:\temp\501_b073_multilanguage\ISSetupPrerequisites\{00236291-2326-456A-B4B0-45805F39E8D2}\msxml6-KB933579-enu-amd64.exe
2011-03-11 18:50 . 2010-03-12 17:24 2246808 ----a-w- c:\temp\501_b073_multilanguage\FLEXnet_patch_Q113020.exe
2011-03-11 18:49 . 2010-03-12 17:24 390488 ----a-w- c:\temp\501_b073_multilanguage\BlackBerrySetup.exe
2011-03-11 18:49 . 2010-03-12 17:24 460120 ----a-w- c:\temp\501_b073_multilanguage\BBDMUtil.dll
2011-03-11 18:47 . 2010-04-13 17:39 271491416 ----a-w- c:\temp\501_b073_multilanguage.exe
2011-03-07 19:00 . 2011-03-07 19:00 -------- d-----w- c:\program files\ESET
2011-03-07 19:00 . 2011-03-07 18:59 2322184 ----a-w- c:\temp\00 computer check\esetsmartinstaller_enu.exe
2011-03-07 16:48 . 2011-03-07 16:48 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2011-03-07 16:12 . 2011-03-07 16:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-03-07 16:12 . 2010-12-20 23:09 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2011-03-07 16:12 . 2011-03-07 16:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-07 16:12 . 2010-12-20 23:08 20952 ----a-w- c:\winnt\system32\drivers\mbam.sys
2011-03-07 16:08 . 2011-03-07 16:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2011-03-07 16:07 . 2005-10-20 17:02 163328 ----a-w- c:\temp\ERDNT\3-7-2011\ERDNT.EXE
2011-03-07 16:06 . 2011-03-07 16:06 -------- d-----w- c:\program files\ERUNT
2011-03-07 16:00 . 2011-03-07 16:10 7734240 ----a-w- c:\temp\00 computer check\02 mawarebytes\mbam-setup.exe
2011-03-07 16:00 . 2008-10-17 19:11 791393 ----a-w- c:\temp\00 computer check\01a erunt\erunt_setup.exe
2011-03-07 16:00 . 2008-06-06 18:51 812344 ----a-w- c:\temp\00 computer check\05 hijackthis\HJTInstall.exe
2011-03-07 16:00 . 2008-06-06 18:50 401720 ----a-w- c:\temp\00 computer check\05 hijackthis\HiJackThis.exe
2011-03-07 16:00 . 2008-06-06 18:49 5797152 ----a-w- c:\temp\00 computer check\03 superantisypare\SUPERAntiSpyware.exe
2011-03-07 16:00 . 2008-06-06 18:47 128368 ----a-w- c:\temp\00 computer check\02 mawarebytes\Download_mbam-setup.exe
2011-03-07 16:00 . 2008-06-06 18:45 50688 ----a-w- c:\temp\00 computer check\01 atfcleaner\ATF_Cleaner.exe
2011-03-07 16:00 . 2011-03-07 16:54 4281741 ----a-r- c:\temp\00 computer check\06 combofix\ComboFix.exe
2011-03-07 15:58 . 2008-05-31 04:09 731136 ----a-w- c:\temp\00 computer check\avenger\avenger.exe
2011-03-07 15:19 . 2010-11-08 15:32 296448 ----a-w- c:\temp\00 computer check\gmer\gmer.exe
2011-03-07 14:54 . 2011-03-07 14:51 625664 ----a-w- c:\temp\00 computer check\dds.scr
2011-02-19 20:30 . 2011-03-11 16:08 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-02-19 20:30 . 2011-03-11 16:08 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-13 18:45 . 2010-04-02 20:42 81920 ----a-w- c:\program files\Common Files\WIZ1x0SR_105SR_CFG.exe
2006-12-01 09:54 . 2010-04-02 20:42 626688 ----a-w- c:\program files\Common Files\MSVCR80.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"vptray"="c:\progra~1\SYMANT~2\VPTray.exe" [2006-03-17 124656]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-02-27 16:39 282624 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-299502267-764733703-1060284298-500\Scripts\Logon\0\0]
"Script"=login.bat
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\winnt\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2009-06-19 16:49 2356088 ----a-w- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-08-09 18:28 1961984 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=3 (0x3)
"TlntSvr"=3 (0x3)
"TapiSrv"=3 (0x3)
"seclogon"=2 (0x2)
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"QBCFMonitorService"=2 (0x2)
"mnmsrvc"=3 (0x3)
"idsvc"=3 (0x3)
"Fax"=2 (0x2)
"Bonjour Service"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"12121:TCP"= 12121:TCP:ElcomSoft Distributed Agents TCP Port
"12122:TCP"= 12122:TCP:ElcomSoft Distributed Password Recovery Console TCP Port
.
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/10/2006 12:53 PM 5632]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/27/2007 11:39 AM 32256]
S2 io.sys;IO.DLL Driver;c:\winnt\system32\drivers\io.sys [3/12/2009 3:55 PM 5152]
S2 MSSQL$WHATSUP;MSSQL$WHATSUP;c:\program files\Microsoft SQL Server\MSSQL$WHATSUP\Binn\sqlservr.exe -sWHATSUP --> c:\program files\Microsoft SQL Server\MSSQL$WHATSUP\Binn\sqlservr.exe -sWHATSUP [?]
S2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/17/2006 5:34 AM 115952]
S3 DtvAudio;DtvAudio;c:\winnt\system32\drivers\DtvAudio.sys [6/8/2006 12:43 PM 10330]
S3 DtvVideo;DtvVideo;c:\winnt\system32\drivers\DtvVideo.sys [6/8/2006 12:43 PM 25600]
S3 EraserUtilDrvI7;EraserUtilDrvI7;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI7.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI7.sys [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/28/2010 12:21 PM 102448]
S3 GTWINSER;GTWINSER;c:\winnt\system32\DRIVERS\GTwinSER.sys --> c:\winnt\system32\DRIVERS\GTwinSER.sys [?]
S3 ICam7fil;Intel® CS431 Audio Filter Driver;c:\winnt\system32\drivers\icam7fil.sys [7/31/2001 4:34 PM 19640]
S3 Icam7USB;Intel® PC Camera CS431;c:\winnt\system32\drivers\Icam7USB.sys [7/31/2001 4:33 PM 158848]
S3 libusb0;LibUsb-Win32 - Kernel Driver 03/20/2007, 0.1.12.1;c:\winnt\system32\drivers\libusb0.sys [3/12/2009 1:36 PM 28672]
S3 PIOdriver;PIOdriver;c:\winnt\system32\drivers\PIOdriver.sys [4/15/2008 11:59 AM 3712]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 4:51 PM 4096]
S3 SPCA506AV;D-Link USB TV Tuner, WDM Video Capture;c:\winnt\system32\drivers\CA506AV.SYS [2/10/2006 11:34 AM 173730]
S3 SQLAgent$WHATSUP;SQLAgent$WHATSUP;c:\program files\Microsoft SQL Server\MSSQL$WHATSUP\Binn\sqlagent.EXE -i WHATSUP --> c:\program files\Microsoft SQL Server\MSSQL$WHATSUP\Binn\sqlagent.EXE -i WHATSUP [?]
S3 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [8/24/2010 4:38 AM 92008]
S3 usbhub20;USB Hub Support;c:\winnt\system32\drivers\usbhub20.sys [11/5/2005 8:26 PM 49776]
S3 USBNET;Instant Wireless USB Network Adapter ver.2.6 Driver;c:\winnt\system32\DRIVERS\netusb.sys --> c:\winnt\system32\DRIVERS\netusb.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\winnt\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
DPF: {9B479D7B-916A-45B0-B042-D42865A60E21} - hxxp://largo.is-a-geek.com/DvrOcx.cab
DPF: {EFFDEEEC-F9E1-4461-91D2-DAEB8CC595F1} - hxxp://10.100.100.66/CSViewer.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zumc53sb.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-12 13:28
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{945169D7-C27E-315B-97A3E6913A1C7622}\{06C63AB7-5C18-FA8E-E5D32118C99A5B59}\{F7BD6AFF-A45B-6FB8-BB91AB79C0A3DA53}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,00,ca,44,
94,65,c7,b8,9e,f0,c9,43,73,61,69,f5,d6,49,45,90,d5,9d,18,9e,a5,f6,68,d3,37,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A54AE6D9-1146-03FB-2857897F111C6A4F}\{DD8CECF2-78C0-CF9A-49F4FAE856227A78}\{638B8461-7EC5-D2C3-C076811FCCFACE61}*]
"FMILNAD2OUWIP3LCLKWC3ML3DG1"=hex:01,00,01,00,00,00,00,00,43,5d,7a,5c,ca,2b,32,
77,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A76448FF-EA59-23D3-98F3B9C94A7EC293}\{51B7BFF3-30C4-3859-72DBC6993BF1721D}\{60FC5D85-3D13-ED0E-8811CBE6817E353D}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,00,ca,44,
94,65,c7,b8,9e,f0,c9,43,73,61,69,f5,d6,49,45,90,d5,9d,18,9e,a5,f6,68,d3,37,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AB53ABC9-60C7-8B2C-A2AB126EB1F03A59}\{6511FF0A-0202-CA71-9BBA47A5377501DE}\{CE12CB05-B8C7-0E6B-6DC342F04A20B600}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,00,ca,44,
94,65,c7,b8,9e,f0,c9,43,73,61,69,f5,d6,49,45,90,d5,9d,18,9e,a5,f6,68,d3,37,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{CD78DEAB-EC34-4DBA-708695CFC66C434E}\{9B07BBBD-296F-3B7C-2BDF54F1C8A81F31}\{FDFE4940-DE05-5675-1C56B565A6F7C9A3}*]
"FMILNAD2OUWIP3LCLKWC3ML3DG1"=hex:01,00,01,00,00,00,00,00,43,5d,7a,5c,ca,2b,32,
77,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DF771B98-AC91-34D8-F0EE49DCFFD7BEDE}\{02C90D3B-A401-D38F-0F8BFA977E327E75}\{1704AFF6-6AA2-2F70-F8B468ED602E6063}*]
"FMILNAD2OUWIP3LCLKWC3ML3DG1"=hex:01,00,01,00,00,00,00,00,43,5d,7a,5c,ca,2b,32,
77,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(232)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2011-03-12 13:32:45
ComboFix-quarantined-files.txt 2011-03-12 18:32
ComboFix2.txt 2011-03-07 18:33
ComboFix3.txt 2008-06-06 21:15
.
Pre-Run: 11,835,060,224 bytes free
Post-Run: 11,791,101,952 bytes free
.
- - End Of File - - C30DD323B2859207276E6ABA60B8C270

#14 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 12 March 2011 - 01:55 PM

Locating ComboFix Log
  • Right click on START on the left end of your Windows toolbar (lower left corner of your screen)
  • Click on Explore
  • Click on Local Disk (C:) in the left-hand window pane
  • Click on Qoobox in the left-hand window pane
  • Look for ComboFix2.txt in the right-hand window pane and right click on it
  • Put your cursor (arrow) on Open With
  • Move your cursor to the new menu that opens and click on Choose Program...
  • Click on Notepad

When file opens, Copy/Paste text here.

NEXT:

Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer. Could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has been completed, select the Scanner tab.
  • Select Perform quick scan, then click on Scan
  • Leave the default options as they are and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Check (tick) all items and click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottommost log is the latest.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Have I helped you? If you'd like to assist in the fight against malware, click here


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#15 jnord24

jnord24
  • Topic Starter

  • Members
  • 39 posts

Posted 12 March 2011 - 02:02 PM

The one I copied is the current one. The one you pointed me to is the old one dated 03/07/2011? Do you want a copy of that log for some reason?

Here it is:

ComboFix 11-03-06.06 - Administrator 03/07/11 12:51:19.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1278.609 [GMT -5:00]
Running from: c:\temp\00 computer check\06 combofix\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *Enabled/Outdated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator.JAH\Application Data\inst.exe
c:\documents and settings\Administrator.JAH\GoToAssistDownloadHelper.exe
c:\program files\UNWISE.EXE
c:\winnt\system32\drivers\gmreadme.txt
c:\winnt\system32\LogFiles\HTTPERR\httperr1.log
c:\winnt\system32\LogFiles . . . . Failed to delete
c:\winnt\system32\LogFiles\WUDF\WUDFTrace.etl . . . . Failed to delete
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\Service_IAS
.
.
((((((((((((((((((((((((( Files Created from 2011-02-07 to 2011-03-07 )))))))))))))))))))))))))))))))
.
.
2011-03-07 16:53 . 2011-03-07 16:53 389120 ----a-w- c:\winnt\system32\CF22447.exe
2011-03-07 16:48 . 2011-03-07 16:48 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2011-03-07 16:12 . 2011-03-07 16:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-03-07 16:12 . 2010-12-20 23:09 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2011-03-07 16:12 . 2011-03-07 16:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-07 16:12 . 2010-12-20 23:08 20952 ----a-w- c:\winnt\system32\drivers\mbam.sys
2011-03-07 16:08 . 2011-03-07 16:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2011-03-07 16:07 . 2005-10-20 17:02 163328 ----a-w- c:\temp\ERDNT\3-7-2011\ERDNT.EXE
2011-03-07 16:06 . 2011-03-07 16:06 -------- d-----w- c:\program files\ERUNT
2011-03-07 16:00 . 2011-03-07 16:10 7734240 ----a-w- c:\temp\00 computer check\02 mawarebytes\mbam-setup.exe
2011-03-07 16:00 . 2008-10-17 19:11 791393 ----a-w- c:\temp\00 computer check\01a erunt\erunt_setup.exe
2011-03-07 16:00 . 2008-06-06 18:51 812344 ----a-w- c:\temp\00 computer check\05 hijackthis\HJTInstall.exe
2011-03-07 16:00 . 2008-06-06 18:50 401720 ----a-w- c:\temp\00 computer check\05 hijackthis\HiJackThis.exe
2011-03-07 16:00 . 2008-06-06 18:49 5797152 ----a-w- c:\temp\00 computer check\03 superantisypare\SUPERAntiSpyware.exe
2011-03-07 16:00 . 2008-06-06 18:47 128368 ----a-w- c:\temp\00 computer check\02 mawarebytes\Download_mbam-setup.exe
2011-03-07 16:00 . 2008-06-06 18:45 50688 ----a-w- c:\temp\00 computer check\01 atfcleaner\ATF_Cleaner.exe
2011-03-07 16:00 . 2011-03-07 16:54 4281741 ----a-r- c:\temp\00 computer check\06 combofix\ComboFix.exe
2011-03-07 15:58 . 2008-05-31 04:09 731136 ----a-w- c:\temp\00 computer check\avenger\avenger.exe
2011-03-07 15:19 . 2010-11-08 15:32 296448 ----a-w- c:\temp\00 computer check\gmer\gmer.exe
2011-03-07 14:54 . 2011-03-07 14:51 625664 ----a-w- c:\temp\00 computer check\dds.scr
2011-02-19 20:30 . 2011-02-19 20:30 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-02-19 20:30 . 2011-02-19 20:30 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-13 18:45 . 2010-04-02 20:42 81920 ----a-w- c:\program files\Common Files\WIZ1x0SR_105SR_CFG.exe
2006-12-01 09:54 . 2010-04-02 20:42 626688 ----a-w- c:\program files\Common Files\MSVCR80.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2010-08-24 247144]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 1310720]
"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"vptray"="c:\progra~1\SYMANT~2\VPTray.exe" [2006-03-17 124656]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2008-04-14 214528]
"tscuninstall"="c:\winnt\system32\tscupgrd.exe" [2004-08-04 44544]
.
c:\documents and settings\Administrator.JAH\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-02-27 16:39 282624 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-299502267-764733703-1060284298-500\Scripts\Logon\0\0]
"Script"=login.bat
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\winnt\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2009-06-19 16:49 2356088 ----a-w- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-08-09 18:28 1961984 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=3 (0x3)
"TlntSvr"=3 (0x3)
"TapiSrv"=3 (0x3)
"seclogon"=2 (0x2)
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"QBCFMonitorService"=2 (0x2)
"mnmsrvc"=3 (0x3)
"idsvc"=3 (0x3)
"Fax"=2 (0x2)
"Bonjour Service"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"12121:TCP"= 12121:TCP:ElcomSoft Distributed Agents TCP Port
"12122:TCP"= 12122:TCP:ElcomSoft Distributed Password Recovery Console TCP Port
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/10/06 12:53 PM 5632]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [02/27/07 11:39 AM 32256]
R2 io.sys;IO.DLL Driver;c:\winnt\system32\drivers\io.sys [03/12/09 3:55 PM 5152]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [03/17/06 5:34 AM 115952]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/28/10 12:21 PM 102448]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [02/16/06 4:51 PM 4096]
S2 MSSQL$WHATSUP;MSSQL$WHATSUP;c:\program files\Microsoft SQL Server\MSSQL$WHATSUP\Binn\sqlservr.exe -sWHATSUP --> c:\program files\Microsoft SQL Server\MSSQL$WHATSUP\Binn\sqlservr.exe -sWHATSUP [?]
S3 DtvAudio;DtvAudio;c:\winnt\system32\drivers\DtvAudio.sys [06/08/06 12:43 PM 10330]
S3 DtvVideo;DtvVideo;c:\winnt\system32\drivers\DtvVideo.sys [06/08/06 12:43 PM 25600]
S3 EraserUtilDrvI7;EraserUtilDrvI7;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI7.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI7.sys [?]
S3 GTWINSER;GTWINSER;c:\winnt\system32\DRIVERS\GTwinSER.sys --> c:\winnt\system32\DRIVERS\GTwinSER.sys [?]
S3 ICam7fil;Intel® CS431 Audio Filter Driver;c:\winnt\system32\drivers\icam7fil.sys [07/31/01 4:34 PM 19640]
S3 Icam7USB;Intel® PC Camera CS431;c:\winnt\system32\drivers\Icam7USB.sys [07/31/01 4:33 PM 158848]
S3 libusb0;LibUsb-Win32 - Kernel Driver 03/20/2007, 0.1.12.1;c:\winnt\system32\drivers\libusb0.sys [03/12/09 1:36 PM 28672]
S3 PIOdriver;PIOdriver;c:\winnt\system32\drivers\PIOdriver.sys [04/15/08 11:59 AM 3712]
S3 SPCA506AV;D-Link USB TV Tuner, WDM Video Capture;c:\winnt\system32\drivers\CA506AV.SYS [02/10/06 11:34 AM 173730]
S3 SQLAgent$WHATSUP;SQLAgent$WHATSUP;c:\program files\Microsoft SQL Server\MSSQL$WHATSUP\Binn\sqlagent.EXE -i WHATSUP --> c:\program files\Microsoft SQL Server\MSSQL$WHATSUP\Binn\sqlagent.EXE -i WHATSUP [?]
S3 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [08/24/10 4:38 AM 92008]
S3 usbhub20;USB Hub Support;c:\winnt\system32\drivers\usbhub20.sys [11/05/05 8:26 PM 49776]
S3 USBNET;Instant Wireless USB Network Adapter ver.2.6 Driver;c:\winnt\system32\DRIVERS\netusb.sys --> c:\winnt\system32\DRIVERS\netusb.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\winnt\system32\drivers\wdcsam.sys [05/06/08 4:06 PM 11520]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
uInternet Settings,ProxyOverride = <local>
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: {9B479D7B-916A-45B0-B042-D42865A60E21} - hxxp://largo.is-a-geek.com/DvrOcx.cab
DPF: {EFFDEEEC-F9E1-4461-91D2-DAEB8CC595F1} - hxxp://10.100.100.66/CSViewer.cab
FF - ProfilePath - c:\documents and settings\Administrator.JAH\Application Data\Mozilla\Firefox\Profiles\iipisylg.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1446069&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - ftabins Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1446069&q=
FF - Ext: XHTML Mobile Profile: {8ea9957e-2953-402f-80e0-bceb5f169d6f} - %profile%\extensions\{8ea9957e-2953-402f-80e0-bceb5f169d6f}
FF - Ext: SearchStatus: {d57c9ff1-6389-48fc-b770-f78bd89b6e8a} - %profile%\extensions\{d57c9ff1-6389-48fc-b770-f78bd89b6e8a}
FF - Ext: ftabins Toolbar: {42fe564a-cb41-4b4c-b6ae-c52b73f6150d} - %profile%\extensions\{42fe564a-cb41-4b4c-b6ae-c52b73f6150d}
FF - Ext: IE Tab 2 (FF 3.6+): {1BC9BA34-1EED-42ca-A505-6D2F1A935BBB} - %profile%\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{7c5c0f58-e061-457d-9033-77307f5ed00c} - (no file)
SafeBoot-sglfb.sys
SafeBoot-tga.sys
MSConfigStartUp-webcamXP - w:\program files\webcamXP\webcamXP.exe
AddRemove-Advanced PDF Password Recovery - c:\program files\ElcomSoft\Advanced PDF Password Recovery\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-07 13:15
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{945169D7-C27E-315B-97A3E6913A1C7622}\{06C63AB7-5C18-FA8E-E5D32118C99A5B59}\{F7BD6AFF-A45B-6FB8-BB91AB79C0A3DA53}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,00,ca,44,
94,65,c7,b8,9e,f0,c9,43,73,61,69,f5,d6,49,45,90,d5,9d,18,9e,a5,f6,68,d3,37,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A54AE6D9-1146-03FB-2857897F111C6A4F}\{DD8CECF2-78C0-CF9A-49F4FAE856227A78}\{638B8461-7EC5-D2C3-C076811FCCFACE61}*]
"FMILNAD2OUWIP3LCLKWC3ML3DG1"=hex:01,00,01,00,00,00,00,00,43,5d,7a,5c,ca,2b,32,
77,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A76448FF-EA59-23D3-98F3B9C94A7EC293}\{51B7BFF3-30C4-3859-72DBC6993BF1721D}\{60FC5D85-3D13-ED0E-8811CBE6817E353D}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,00,ca,44,
94,65,c7,b8,9e,f0,c9,43,73,61,69,f5,d6,49,45,90,d5,9d,18,9e,a5,f6,68,d3,37,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AB53ABC9-60C7-8B2C-A2AB126EB1F03A59}\{6511FF0A-0202-CA71-9BBA47A5377501DE}\{CE12CB05-B8C7-0E6B-6DC342F04A20B600}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,00,ca,44,
94,65,c7,b8,9e,f0,c9,43,73,61,69,f5,d6,49,45,90,d5,9d,18,9e,a5,f6,68,d3,37,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{CD78DEAB-EC34-4DBA-708695CFC66C434E}\{9B07BBBD-296F-3B7C-2BDF54F1C8A81F31}\{FDFE4940-DE05-5675-1C56B565A6F7C9A3}*]
"FMILNAD2OUWIP3LCLKWC3ML3DG1"=hex:01,00,01,00,00,00,00,00,43,5d,7a,5c,ca,2b,32,
77,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DF771B98-AC91-34D8-F0EE49DCFFD7BEDE}\{02C90D3B-A401-D38F-0F8BFA977E327E75}\{1704AFF6-6AA2-2F70-F8B468ED602E6063}*]
"FMILNAD2OUWIP3LCLKWC3ML3DG1"=hex:01,00,01,00,00,00,00,00,43,5d,7a,5c,ca,2b,32,
77,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(536)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
- - - - - - - > 'explorer.exe'(3156)
c:\winnt\system32\WPDShServiceObj.dll
c:\winnt\system32\PortableDeviceTypes.dll
c:\winnt\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\winnt\System32\SCardSvr.exe
c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\winnt\system32\msiexec.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\winnt\system32\MsiExec.exe
c:\program files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
c:\progra~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe
.
**************************************************************************
.
Completion time: 2011-03-07 13:33:13 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-07 18:33
ComboFix2.txt 2008-06-06 21:15
.
Pre-Run: 18,676,957,184 bytes free
Post-Run: 18,560,425,984 bytes free
.
- - End Of File - - 1F00457816BF800C71D9733E3E5B670E
