Browser redirects and unsupported form of compression errors


  • This topic is locked
21 replies to this topic

#1 CarylE


  • Members
  • 26 posts

Posted 30 March 2011 - 06:05 PM

I first noticed this problem a few days ago, and at first it was infrequent and I thought it was a slip on my part. Now it is nearly every search. I can do a Google search but then it redirects to what appears to be a random site, sometimes related to my search. None have been especially nasty. I often get an error that a site uses an unsupported form of compression, but I can access the cache version.

I had an up-to-date Windows Defender, my firewall is enabled. Windows Defender scans once per week. I run Malwarebytes and Ad-Aware about once per month, followed by Advanced SystemCare and then CCleaner to finish up. It had been about 3 weeks since my last scans. I'm pretty conservative in my browsing and don't go to suspicious sites.

I did some reading and thought it might have been related to Java, which I did allow to get out of date. I had read on another forum that it might help to uninstall Java and do a fresh reinstall. It seemed that I could not do a clean uninstall (files not found errors). After several attempts, including removing all the files manually, installing the latest version and then doing an uninstall, it seemed like I was able to do a clean uninstall of all Java programs. I then did my usual cleaning, and then did a system restore to 2 months previous and then ran all my security tools again. No luck.

I have also tried IOBIT 360 and Windows malware removal tool- neither shows up anything.

I tried to follow all your instructions in the preparation guide. The DDS.txt file is terribly long, and the forum would not let me post the whole thing. I posted the first third below, and the next two sections in follow-up posts. I also have a HijackThis report.

I am so grateful for your time.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Administrator at 15:09:30.29 on Wed 03/30/2011
internet explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.1762 [GMT -7:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\UPS\WSTD\UPSNA1Msgr.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intuit\QuickBooks Premier\Components\QBAgent\qbdagent2002.exe
C:\Program Files\MICROSOFT SQL SERVER\80\TOOLS\BINN\sqlmangr.exe
C:\UPS\WSTD\WSTDMessaging.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\IObit\IObit Security 360\is360.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\System32\vssvc.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Running Processes ===============
.
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\UPS\WSTD\UPSNA1Msgr.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intuit\QuickBooks Premier\Components\QBAgent\qbdagent2002.exe
C:\Program Files\MICROSOFT SQL SERVER\80\TOOLS\BINN\sqlmangr.exe
C:\UPS\WSTD\WSTDMessaging.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\IObit\IObit Security 360\is360.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\System32\vssvc.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
.
SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©
.
HKEY_CURRENT_USER\software\microsoft\internet explorer\main
NoUpdateCheck REG_DWORD 1 (0x1)
NoJITSetup REG_DWORD 1 (0x1)
Disable Script Debugger REG_SZ no
Show_ChannelBand REG_SZ No
Anchor Underline REG_SZ yes
Cache_Update_Frequency REG_SZ Once_Per_Session
Display Inline Images REG_SZ yes
Do404Search REG_BINARY 01000000
Save_Session_History_On_Exit REG_SZ no
Show_FullURL REG_SZ no
Show_StatusBar REG_SZ yes
Show_ToolBar REG_SZ yes
Show_URLinStatusBar REG_SZ yes
Show_URLToolBar REG_SZ yes
Use_DlgBox_Colors REG_SZ yes
Search Page REG_SZ http://www.google.com
XMLHTTP REG_DWORD 1 (0x1)
UseClearType REG_SZ yes
AlwaysShowMenus REG_DWORD 1 (0x1)
Enable Browser Extensions REG_SZ yes
Play_Background_Sounds REG_SZ yes
Play_Animations REG_SZ yes
CompatibilityFlags REG_DWORD 0 (0x0)
FullScreen REG_SZ no
SearchMigrated REG_DWORD 1 (0x1)
Window_Placement REG_BINARY 2c0000000200000003000000ffffffffffffffffffffffffffffffffaf00000023000000cf0300007b020000
IE8RunOnceLastShown REG_DWORD 1 (0x1)
IE8RunOnceLastShown_TIMESTAMP REG_BINARY 5e747308aff4ca01
IE8TourShown REG_DWORD 1 (0x1)
IE8TourShownTime REG_BINARY 241aa9823625ca01
NotifyDownloadComplete REG_SZ yes
Check_Associations REG_SZ no
ShowedCheckBrowser REG_SZ Yes
Search Bar REG_SZ http://www.google.com/ie
Default_Search_URL REG_SZ http://www.google.com/ie
IE8RunOncePerInstallCompleted REG_DWORD 1 (0x1)
IE8RunOnceCompletionTime REG_BINARY 9e5a1f1cb0f4ca01
Friendly http errors REG_SZ no
Print_Background REG_SZ no
SmoothScroll REG_DWORD 0 (0x0)
Use StyleSheets REG_SZ yes
.
HKEY_CURRENT_USER\software\microsoft\internet explorer\main\Default Feeds
.
HKEY_CURRENT_USER\software\microsoft\internet explorer\main\FeatureControl
.
HKEY_CURRENT_USER\software\microsoft\internet explorer\main\WindowsSearch
.
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\main
Enable_Disk_Cache REG_SZ yes
Cache_Percent_of_Disk REG_BINARY 0a000000
Delete_Temp_Files_On_Exit REG_SZ yes
Anchor_Visitation_Horizon REG_BINARY 01000000
Use_Async_DNS REG_SZ yes
Placeholder_Width REG_BINARY 1a000000
Placeholder_Height REG_BINARY 1a000000
CompanyName REG_SZ Microsoft Corporation
Custom_Key REG_SZ MICROSO
Wizard_Version REG_SZ 6.0.2600.0000
Default_Secondary_Page_URL REG_MULTI_SZ \0
Extensions Off Page REG_SZ about:NoAdd-ons
Security Risk Page REG_SZ about:SecurityRisk
Check_Associations REG_SZ yes
IEWatsonDisable REG_DWORD 1 (0x1)
.
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\main\ErrorThresholds
.
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\main\FeatureControl
.
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\main\UrlTemplate
.
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings
User Agent REG_SZ Mozilla/4.0 (compatible; MSIE 8.0; Win32)
IE5_UA_Backup_Flag REG_SZ 5.0
NoNetAutodial REG_DWORD 0 (0x0)
MigrateProxy REG_DWORD 1 (0x1)
EmailName REG_SZ IEUser@
AutoConfigProxy REG_SZ wininet.dll
MimeExclusionListForCache REG_SZ multipart/mixed multipart/x-mixed-replace multipart/x-byteranges
WarnOnPost REG_BINARY 01000000
UseSchannelDirectly REG_BINARY 01000000
EnableHttp1_1 REG_DWORD 1 (0x1)
PrivacyAdvanced REG_DWORD 0 (0x0)
EnableNegotiate REG_DWORD 1 (0x1)
ProxyEnable REG_DWORD 0 (0x0)
UrlEncoding REG_DWORD 0 (0x0)
SecureProtocols REG_DWORD 160 (0xa0)
PrivDiscUiShown REG_DWORD 1 (0x1)
DisableCachingOfSSLPages REG_DWORD 0 (0x0)
WarnonZoneCrossing REG_DWORD 0 (0x0)
CertificateRevocation REG_DWORD 0 (0x0)
ZonesSecurityUpgrade REG_BINARY de04d291deefca01
EnableAutodial REG_DWORD 0 (0x0)
MaxConnectionsPerServer REG_DWORD 10 (0xa)
MaxConnectionsPer1_0Server REG_DWORD 10 (0xa)
.
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\5.0
.
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\Activities
.
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\Cache
.
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\Connections
.
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\Lockdown_Zones
.
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\P3P
.
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\Passport
.
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\Protocols
.
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\TemplatePolicies
.
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\User Agent
.
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\ZoneMap
.
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\Zones
.
HKEY_CURRENT_USER\software\microsoft\internet explorer\search
SearchAssistant REG_SZ http://www.google.com/ie
Default_Search_URL REG_SZ http://www.google.com/ie
usearchurl,(default) = hxxp://www.google.com/search?q=%s
.
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\search
.
HKEY_CURRENT_USER\software\microsoft\internet explorer\urlsearchhooks
.
Error: Key: software\microsoft\internet explorer\urlsearchhooks does not exist!
.
Error: Key: .default\software\microsoft\internet explorer\urlsearchhooks does not exist!
URLSearchHooks: H - No File
.
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
AutoRestartShell REG_DWORD 1 (0x1)
DefaultUserName REG_SZ Administrator
LegalNoticeCaption REG_SZ
LegalNoticeText REG_SZ
PowerdownAfterShutdown REG_SZ 0
ReportBootOk REG_SZ 1
Shell REG_SZ Explorer.exe
ShutdownWithoutLogon REG_SZ 0
System REG_SZ
Userinit REG_SZ c:\WINDOWS\system32\userinit.exe,
VmApplet REG_SZ rundll32 shell32,Control_RunDLL "sysdm.cpl"
SfcQuota REG_DWORD -1 (0xffffffff)
allocatecdroms REG_SZ 0
allocatedasd REG_SZ 0
allocatefloppies REG_SZ 0
cachedlogonscount REG_SZ 10
forceunlocklogon REG_DWORD 0 (0x0)
passwordexpirywarning REG_DWORD 14 (0xe)
scremoveoption REG_SZ 0
AllowMultipleTSSessions REG_DWORD 1 (0x1)
UIHost REG_EXPAND_SZ logonui.exe
LogonType REG_DWORD 1 (0x1)
Background REG_SZ 0 0 0
DebugServerCommand REG_SZ no
SFCDisable REG_DWORD 0 (0x0)
WinStationsDisabled REG_SZ 0
HibernationPreviouslyEnabled REG_DWORD 1 (0x1)
ShowLogonOptions REG_DWORD 0 (0x0)
AltDefaultUserName REG_SZ Administrator
AltDefaultDomainName REG_SZ GX620
DefaultPassword REG_SZ
DefaultDomainName REG_SZ GX620
ChangePasswordUseKerberos REG_DWORD 1 (0x1)
SfcDisabled REG_DWORD 0 (0x0)
.
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions
.
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify
.
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\SpecialAccounts
.
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Credentials
.
HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon
ParseAutoexec REG_SZ 1
ExcludeProfileDirs REG_SZ Local Settings;Temporary Internet Files;History;Temp
BuildNumber REG_DWORD 2600 (0xa28)
LegalNoticeCaption REG_SZ
LegalNoticeText REG_SZ
.
HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows
DebugOptions REG_SZ 2048
Documents REG_SZ
DosPrint REG_SZ no
load REG_SZ
NetMessage REG_SZ no
NullPort REG_SZ None
Programs REG_SZ com exe bat pif cmd
Device REG_SZ HP LaserJet 4P,winspool,LPT1:
.
HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows\Load
BHO: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} - No File
BHO: <NO NAME> - No File
BHO: NoExplorer - No File
BHO: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{9030D464-4C02-4ABF-8ECC-5164760863C6} - No File
BHO: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
BHO: NoExplorer - No File
urun: [ctfmon.exe] c:\WINDOWS\system32\ctfmon.exe
urun: [Advanced SystemCare 3] "c:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
urunonce: [Shockwave Updater] c:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103472 -"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11 ( .NET CLR 3.5.30729)" -"http://www.explorelearning.com/index.cfm?method=cResource.dspView&ResourceID=653"
mrun: [SoundMAXPnP] c:\Program Files\Analog Devices\Core\smax4pnp.exe
mrun: [Ad-Watch] c:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
mrun: [igfxtray] c:\WINDOWS\system32\igfxtray.exe
mrun: [igfxhkcmd] c:\WINDOWS\system32\hkcmd.exe
mrun: [igfxpers] c:\WINDOWS\system32\igfxpers.exe
mrun: [Adobe Reader Speed Launcher] "c:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mrun: [NA1Messenger] c:\UPS\WSTD\UPSNA1Msgr.exe
mrun: [Carbonite Backup] c:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
mrun: [QuickTime Task] "c:\Program Files\QuickTime\QTTask.exe" -atboottime
mrun: [iTunesHelper] "c:\Program Files\iTunes\iTunesHelper.exe"
mrun: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
mrun: [IObit Security 360] "c:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart
drun: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
c:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files\OpenOffice.org 3\program\quickstart.exe
c:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\QUICKB~1.LNK - C:\Program Files\Intuit\QuickBooks Premier\Components\QBAgent\qbdagent2002.exe
c:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\SERVIC~1.LNK - C:\Program Files\MICROSOFT SQL SERVER\80\TOOLS\BINN\sqlmangr.exe
c:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\UPSWOR~2.LNK - C:\UPS\WSTD\WSTDMessaging.exe
c:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\UPSWOR~1.LNK - C:\UPS\WSTD\wstdPldReminder.exe
.
HKEY_CURRENT_USER\software\microsoft\internet explorer\menuext
.
HKEY_CURRENT_USER\software\microsoft\internet explorer\menuext\Add to Google Photos Screensa&ver
<NO NAME> REG_SZ res://c:\WINDOWS\system32\GPhotos.scr/200
Contexts REG_DWORD 34 (0x22)
.
HKEY_CURRENT_USER\software\microsoft\internet explorer\menuext\E&xport to Microsoft Excel
<NO NAME> REG_SZ res://c:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Contexts REG_DWORD 1 (0x1)
.
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\extensions
.
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\extensions\{219C3416-8CB2-491a-A3C7-D9FCDDC9D600}
ButtonText - REG_SZ Blog This
HotIcon - REG_SZ c:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll,201
Icon - REG_SZ c:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll,201
Default Visible - REG_SZ Yes
MenuText - REG_SZ &Blog This in Windows Live Writer
.
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText - REG_SZ Research
Icon - REG_SZ c:\PROGRA~1\MICROS~4\OFFICE11\REFBAR.ICO
Default Visible - REG_SZ Yes
HotIcon - REG_SZ c:\PROGRA~1\MICROS~4\OFFICE11\REFBARH.ICO
.
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\extensions\{e2e2dd38-d088-4134-82b7-f2ba38496583}
MenuText - REG_SZ @xpsp3res.dll,-20001
Exec - REG_SZ %windir%\Network Diagnostic\xpnetdiag.exe
.
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText - REG_SZ Messenger
CLSID - REG_SZ !{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}
Default Visible - REG_SZ Yes
Exec - REG_SZ c:\Program Files\Messenger\msmsgs.exe
HotIcon - REG_SZ c:\Program Files\Messenger\msmsgs.exe,302
Icon - REG_SZ c:\Program Files\Messenger\msmsgs.exe,301
MenuText - REG_SZ Windows Messenger
ToolTip - REG_SZ Windows Messenger
CLSID - REG_SZ {1FBA04EE-3024-11d2-8F1F-0000F87ABD16} - {1fba04ee-3024-11d2-8f1f-0000f87abd16}\inprocserver32 does not exist!
ClsidExtension - REG_SZ {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - {5f7b1267-94a9-47f5-98db-e99415f33aec}\inprocserver32 does not exist!
BandCLSID - REG_SZ {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - {ff059e31-cc5a-4e2e-bf3b-96e929d65503}\inprocserver32 does not exist!
CLSID - REG_SZ {E0DD6CAB-2D10-11D2-8F1A-0000F87ABD16} - {e0dd6cab-2d10-11d2-8f1a-0000f87abd16}\inprocserver32 does not exist!
CLSID - REG_SZ {1FBA04EE-3024-11d2-8F1F-0000F87ABD16} - {1fba04ee-3024-11d2-8f1f-0000f87abd16}\inprocserver32 does not exist!
NOTE: I DELETED A PILE OF PERIODS HERE
.
.
.
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\Microsoft XML Parser for Java
<NO NAME> REG_SZ Microsoft XML Parser for Java
SystemComponent REG_DWORD 1 (0x1)
Installer REG_SZ MSICD
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\Microsoft XML Parser for Java\Contains
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\Microsoft XML Parser for Java\Contains\Java
com.ms.xml.dso REG_SZ
com.ms.xml.om REG_SZ
com.ms.xml.parser REG_SZ
com.ms.xml.util REG_SZ
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\Microsoft XML Parser for Java\DownloadInformation
CODEBASE REG_SZ file:///C:/WINDOWS/Java/classes/xmldso.cab
OSD REG_SZ c:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\Microsoft XML Parser for Java\InstalledVersion
<NO NAME> REG_SZ 1,0,9,2
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{166B1BCA-3F9C-11CF-8075-444553540000}
SystemComponent REG_DWORD 0 (0x0)
Installer REG_SZ MSICD
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{166B1BCA-3F9C-11CF-8075-444553540000}\Contains
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{166B1BCA-3F9C-11CF-8075-444553540000}\DownloadInformation
CODEBASE REG_SZ http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
INF REG_SZ c:\WINDOWS\Downloaded Program Files\swdir.inf
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{166B1BCA-3F9C-11CF-8075-444553540000}\InstalledVersion
<NO NAME> REG_SZ 11,0,3,472
LastModified REG_SZ Fri, 16 Jan 2009 11:50:18 GMT
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{6414512B-B978-451D-A0D8-FCFDF33E833C}
SystemComponent REG_DWORD 0 (0x0)
Installer REG_SZ MSICD
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{6414512B-B978-451D-A0D8-FCFDF33E833C}\Contains
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{6414512B-B978-451D-A0D8-FCFDF33E833C}\Contains\Files
c:\WINDOWS\system32\wuweb.dll REG_SZ
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{6414512B-B978-451D-A0D8-FCFDF33E833C}\DownloadInformation
CODEBASE REG_SZ http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234891585125
INF REG_SZ c:\WINDOWS\Downloaded Program Files\wuweb.inf
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{6414512B-B978-451D-A0D8-FCFDF33E833C}\InstalledVersion
<NO NAME> REG_SZ 7,2,6001,788
LastModified REG_SZ Fri, 17 Oct 2008 03:12:37 GMT
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}
SystemComponent REG_DWORD 0 (0x0)
Installer REG_SZ MSICD
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}\Contains
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}\Contains\Files
c:\WINDOWS\system32\muweb.dll REG_SZ
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}\DownloadInformation
CODEBASE REG_SZ http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1234891665265
INF REG_SZ c:\WINDOWS\Downloaded Program Files\muweb.inf
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}\InstalledVersion
<NO NAME> REG_SZ 7,2,6001,788
LastModified REG_SZ Fri, 17 Oct 2008 03:13:18 GMT
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
SystemComponent REG_DWORD 0 (0x0)
Installer REG_SZ MSICD
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\Contains
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\DownloadInformation
CODEBASE REG_SZ http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
INF REG_SZ c:\WINDOWS\Downloaded Program Files\erma.inf
.
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\InstalledVersion
<NO NAME> REG_SZ 1,0,0,29
LastModified REG_SZ Mon, 15 Sep 2008 19:22:01 GMT
.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters
NameServer REG_SZ
CLSID - REG_SZ {419A0123-4312-1122-A0C0-434FDA6DA542} -
ssodl: wpdshserviceobj - {aaa288ba-9a4c-45b0-95d7-94d524869db5} - c:\WINDOWS\system32\WPDShServiceObj.dll
.
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
.
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0
Bounds REG_BINARY 0030000000200000
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest
ImpersonatePrivilegeUpgradeToolHasRun REG_DWORD 1 (0x1)
LsaPid REG_DWORD 744 (0x2e8)
SecureBoot REG_DWORD 1 (0x1)
auditbaseobjects REG_DWORD 0 (0x0)
crashonauditfail REG_DWORD 0 (0x0)
disabledomaincreds REG_DWORD 0 (0x0)
everyoneincludesanonymous REG_DWORD 0 (0x0)
fipsalgorithmpolicy REG_DWORD 0 (0x0)
forceguest REG_DWORD 1 (0x1)
fullprivilegeauditing REG_BINARY 00
limitblankpassworduse REG_DWORD 1 (0x1)
lmcompatibilitylevel REG_DWORD 0 (0x0)
nodefaultadminowner REG_DWORD 1 (0x1)
nolmhash REG_DWORD 0 (0x0)
restrictanonymous REG_DWORD 0 (0x0)
restrictanonymoussam REG_DWORD 1 (0x1)
Notification Packages REG_MULTI_SZ scecli
.
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\AccessProviders
.
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Audit
.
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Data
.
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\GBG
.
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\JD
.
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Kerberos
.
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\MSV1_0
.
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\Skew1
.
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\SSO
.
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa\SspiCache
.
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\subsystems
windows REG_EXPAND_SZ %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
.
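Added example, not part of the original post and not DDS, OTL or BleepingComputer code: a small Python triage of the kind of lines the DDS "Pseudo HJT Report" above prints, covering the persistence and name-resolution points that a search-redirect infection usually touches: the Winlogon Userinit and Shell values, a static NameServer under Tcpip\Parameters, Run entries launched from user-writable folders, orphaned BHO registrations, and non-localhost hosts-file mappings. SAMPLE_LOG is constructed for the demo; it borrows the shape of the posted log (with the stray "e" extraction artefact removed from paths) and adds hypothetical hijacked values (RFC 5737 TEST-NET addresses and made-up paths) so that each check has a hit. Nothing in it asserts that the poster's machine has those values, and the `Hosts:` line format is an assumption about how DDS prints hosts entries.

```python
import re
from typing import List, Tuple

# Constructed sample log (NOT the poster's data). Benign lines follow the shape
# of the DDS "Pseudo HJT Report" in the thread; the hijacked values (Userinit
# tail, TEST-NET DNS servers, temp-folder Run entry, hosts override) are
# hypothetical and exist only so that every check below has a hit.
SAMPLE_LOG = r"""
Userinit REG_SZ c:\WINDOWS\system32\userinit.exe,c:\docume~1\admini~1\locals~1\temp\svchost.exe
Shell REG_SZ Explorer.exe
NameServer REG_SZ 203.0.113.10,203.0.113.11
BHO: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} - No File
mrun: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
urun: [update] c:\docume~1\admini~1\locals~1\temp\update.exe
Hosts: 127.0.0.1 localhost
Hosts: 203.0.113.5 www.google.com
"""

Finding = Tuple[str, str, str]  # (severity, check name, detail)

WINLOGON_USERINIT = re.compile(r"^Userinit\s+REG_SZ\s+(.*)$", re.I)
WINLOGON_SHELL = re.compile(r"^Shell\s+REG_SZ\s+(.*)$", re.I)
NAMESERVER = re.compile(r"^NameServer\s+REG_SZ\s*(.*)$", re.I)
BHO = re.compile(r"^BHO:\s+.*(\{[0-9A-F-]{36}\}).*-\s+No File$", re.I)
RUN_ENTRY = re.compile(r'^(urun|mrun|drun|urunonce|mrunonce):\s+\[(.*?)\]\s+"?([^"]+?\.exe)"?', re.I)
# "Hosts:" prefix is an assumption about the DDS output format; bare lines also match.
HOSTS_ENTRY = re.compile(r"^(?:Hosts:\s+)?(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)", re.I)
# Folders a limited user can write to; droppers commonly persist from here.
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\", "\\appdata\\")


def triage(log_text: str) -> List[Finding]:
    """Scan DDS-style report lines and return (severity, check, detail) findings."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue

        m = WINLOGON_USERINIT.match(line)
        if m:
            value = m.group(1).strip().lower()
            # A clean XP value is exactly "<windir>\system32\userinit.exe," with
            # nothing after the comma; anything appended is executed at every logon.
            if not re.fullmatch(r"[a-z]:\\windows\\system32\\userinit\.exe,", value):
                findings.append(("high", "winlogon-userinit", m.group(1).strip()))
            continue

        m = WINLOGON_SHELL.match(line)
        if m:
            if m.group(1).strip().lower() != "explorer.exe":
                findings.append(("high", "winlogon-shell", m.group(1).strip()))
            continue

        m = NAMESERVER.match(line)
        if m:
            servers = [s for s in re.split(r"[,\s]+", m.group(1)) if s]
            if servers:
                # Static DNS under Tcpip\Parameters overrides DHCP-assigned servers;
                # a rogue resolver here explains search redirects. Legitimate static
                # DNS lands here too, so confirm the addresses belong to the ISP/router.
                findings.append(("medium", "static-dns", ",".join(servers)))
            continue

        m = BHO.match(line)
        if m:
            # Orphaned BHO registrations are usually uninstall leftovers, not proof of
            # infection on their own; reported as informational for cleanup.
            findings.append(("info", "orphan-bho", m.group(1)))
            continue

        m = RUN_ENTRY.match(line)
        if m:
            path = m.group(3).lower()
            if any(seg in path for seg in USER_WRITABLE):
                findings.append(("medium", "run-from-user-writable", m.group(3)))
            continue

        m = HOSTS_ENTRY.match(line)
        if m and m.group(2).lower() != "localhost":
            findings.append(("medium", "hosts-override", f"{m.group(2)} -> {m.group(1)}"))
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_LOG with the contents of a real DDS.txt to triage it.
    for severity, check, detail in triage(SAMPLE_LOG):
        print(f"{severity:6} {check:24} {detail}")
```

The Userinit tail and a non-empty NameServer are the two findings worth raising with the helper first; the orphan-BHO and "does not exist!" entries in the posted log are the sort of leftover clutter DDS prints on many clean machines. In the posted log the Userinit value is the clean one and NameServer is empty, so on those two checks this script would report nothing.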



#2 CarylE

  • Topic Starter

  • Members
  • 26 posts

Posted 30 March 2011 - 06:06 PM

Removed contents of DDS log as it was all garbled.--ST

Edited by SweetTech, 05 April 2011 - 05:18 PM.
Removed Contents of DDS log--ST


#3 CarylE

  • Topic Starter

  • Members
  • 26 posts

Posted 30 March 2011 - 06:08 PM

Removed contents of DDS log as it was all garbled.--ST

Edited by SweetTech, 05 April 2011 - 05:19 PM.
Removed Contents of DDS log--ST


#4 SweetTech


    Agent ST


  • Members
  • 13,421 posts

Posted 05 April 2011 - 05:17 PM

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. :)

I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, resulted in the delayed responding to your thread.

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is to make sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
    Because of this, you must reply within three days; failure to reply will result in the topic being closed!
  • Please do not PM me directly for help. If you have any questions, post them in this topic.
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________

Rootkit UnHooker (RkU)
Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)

In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".



NEXT:



Running OTL

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


NEXT:


Please provide an update on how things are running in your next reply.

Have I helped you? If you'd like to assist in the fight against malware, click here


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.
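Once an RkU report has been saved, the lines worth a second look are the "Hidden driver" entries in the Drivers section and the WARNING lines in the Stealth section. The Python below is an added triage helper, not part of this thread or of Rootkit Unhooker itself: it parses a report in RkU's text format, correlates a "driver modification" warning with the hidden driver address it points at, and checks whether that address falls inside any listed module. The sample report is constructed for the example in that format, and the severity scale is the helper's own convention.

```python
import re
from dataclasses import dataclass

# Constructed sample in the text format RkU writes from File > Save Report
# (Drivers and Stealth sections only; a real report lists far more drivers).
SAMPLE_REPORT = r"""
==============================================
>Drivers
==============================================
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2154496 bytes (Microsoft Corporation, NT Kernel & System)
0xB9E4B000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xBA56C000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
!!!!!!!!!!!Hidden driver: 0x8A075AF1 ?_empty_? 1295 bytes
0x8A075ECC unknown_irp_handler 308 bytes
!!!!!!!!!!!Hidden driver: 0x8A108090 ?_empty_? 0 bytes
==============================================
>Stealth
==============================================
0xB9E4B000 WARNING: suspicious driver modification [atapi.sys::0x8A075AF1]
0xBA56C000 WARNING: Virus alike driver modification [rasacd.sys], 12288 bytes
0x03540000 Hidden Image-->UPS.Interop.ManagedProxies.dll [ EPROCESS 0x89ACDBC0 ] PID: 2804, 155648 bytes
"""

SECTION_RE = re.compile(r"^>(\w+)\s*$")
MODULE_RE = re.compile(r"^(0x[0-9A-Fa-f]+) (\S+) (\d+) bytes(?: \((.*)\))?$")
HIDDEN_RE = re.compile(r"^!+Hidden driver: (0x[0-9A-Fa-f]+) (\S+) (\d+) bytes")
WARNING_RE = re.compile(r"^(0x[0-9A-Fa-f]+) WARNING: (.+?) \[([^\]]+)\]")
IMAGE_RE = re.compile(r"^(0x[0-9A-Fa-f]+) Hidden Image-->(\S+) \[ EPROCESS \S+ \] PID: (\d+)")


@dataclass
class Finding:
    severity: str   # "critical", "high" or "info": this helper's own scale
    address: str
    detail: str


def norm(addr):
    """Canonical spelling of a hex address so the same location compares equal."""
    return "0x" + addr[2:].upper()


def parse_report(text):
    """Split a report into listed modules, hidden drivers, warnings and hidden images."""
    modules, hidden, warnings, images = {}, {}, [], []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SECTION_RE.match(line)):
            section = m.group(1)
        elif section == "Drivers":
            if (m := HIDDEN_RE.match(line)):
                hidden[norm(m.group(1))] = (m.group(2), int(m.group(3)))
            elif (m := MODULE_RE.match(line)):
                # Several names can share one base (kernel aliases), so keep a list.
                modules.setdefault(norm(m.group(1)), []).append(
                    (m.group(2), int(m.group(3)), m.group(4) or ""))
        elif section == "Stealth":
            if (m := WARNING_RE.match(line)):
                warnings.append((norm(m.group(1)), m.group(2), m.group(3)))
            elif (m := IMAGE_RE.match(line)):
                images.append((norm(m.group(1)), m.group(2), int(m.group(3))))
    return modules, hidden, warnings, images


def resolve(addr, modules):
    """Name of the listed module whose [base, base+size) covers addr, else None."""
    a = int(addr, 16)
    for base, entries in modules.items():
        for name, size, _desc in entries:
            if int(base, 16) <= a < int(base, 16) + size:
                return name
    return None


def triage(text):
    """Rank what a reviewer should look at, most severe finding first."""
    modules, hidden, warnings, images = parse_report(text)
    findings = []
    for addr, (name, size) in hidden.items():
        findings.append(Finding("high", addr, f"hidden driver {name}, {size} bytes"))
    for base, kind, target in warnings:
        driver, _, ref = target.partition("::")
        ref = norm(ref) if ref else ""
        if ref in hidden:
            # A listed system driver whose code now jumps into an unlisted, hidden
            # region is the classic shape of a patched-driver rootkit hook.
            where = resolve(ref, modules) or "outside every listed module"
            findings.append(Finding("critical", base,
                f"{driver} is modified and redirects to hidden driver {ref} ({where})"))
        else:
            findings.append(Finding("high", base, f"{kind} in {driver}"))
    # Hidden images are reported per process; group them so one PID is one line.
    for pid in sorted({p for _a, _n, p in images}):
        names = [n for _a, n, p in images if p == pid]
        findings.append(Finding("info", f"PID {pid}", f"{len(names)} hidden image(s), e.g. {names[0]}"))
    rank = {"critical": 0, "high": 1, "info": 2}
    return sorted(findings, key=lambda f: rank[f.severity])
```

Hidden-image entries are only grouped, not judged: which process owns the PID has to be checked in the OTL process list before reading anything into them.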


#5 CarylE

CarylE
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:05:06 PM

Posted 05 April 2011 - 08:25 PM

Thank you so much for responding, SweetTech. The files you requested are attached below.

I have not run any scans since I first posted, and have not used this computer much. I have not updated any of my software, except that when I just started Firefox (to test whether I am still getting redirects) it updated automatically to 3.6.16. I am still getting redirects in both Firefox and Explorer.

Let me know what to do next! Thanks!

Here is the rootkit file:

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2154496 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2154496 bytes
0x804D7000 RAW 2154496 bytes
0x804D7000 WMIxWDM 2154496 bytes
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xB9A83000 C:\WINDOWS\system32\DRIVERS\ialmnt5.sys 1306624 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0xBF077000 C:\WINDOWS\System32\ialmdd5.DLL 929792 bytes (Intel Corporation, DirectDraw® Driver for Intel® Graphics Technology)
0xB9E63000 iaStor.sys 786432 bytes (Intel Corporation, Intel Matrix Storage Manager driver)
0xB98F0000 C:\WINDOWS\system32\drivers\senfilt.sys 733184 bytes (Creative Technology Ltd., Creative WDM Audio Driver)
0xB9C62000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xA9490000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB975E000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xA959B000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA8B08000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xBF15A000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB99EA000 C:\WINDOWS\system32\drivers\smwdm.sys 262144 bytes (Analog Devices, Inc., SoundMAX Integrated Digital Audio )
0xB9DE0000 a320raid.sys 237568 bytes (Adaptec, Inc., Adaptec hostRAID for Ultra320 SCSI)
0xB9DA9000 aarich.sys 225280 bytes (Adaptec, Inc., Adaptec hostRAID for Serial ATA)
0xBF042000 C:\WINDOWS\System32\ialmdev5.DLL 217088 bytes (Intel Corporation, Component GHAL Driver)
0xB985C000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xA8CF0000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB9C35000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xA7252000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xA9500000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xA9573000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xA964F000 C:\WINDOWS\system32\DRIVERS\MpFilter.sys 159744 bytes (Microsoft Corporation, Microsoft antimalware file system filter driver)
0xB9F23000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xA954D000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xB9D85000 adpu320.sys 147456 bytes (Adaptec, Inc., Adaptec Win2K/XP/Server2003 Ultra320 SCSI Driver)
0xA718E000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xB99C6000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB9A2A000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB9D62000 fasttx2k.sys 143360 bytes (Promise Technology, Inc., Promise FastTrak Series Driver for WindowsXP)
0xB99A3000 C:\WINDOWS\system32\drivers\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xA952B000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xBF020000 C:\WINDOWS\System32\ialmdnt5.dll 139264 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0xB9A4E000 C:\WINDOWS\system32\DRIVERS\b57xp32.sys 135168 bytes (Broadcom Corporation, Broadcom NetXtreme Gigabit Ethernet NDIS5.1 Driver.)
0x806E5000 ACPI_HAL 134400 bytes
0x806E5000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB9D2B000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB9F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB9C1B000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB9E1A000 adpu160m.sys 102400 bytes (Microsoft Corporation, Adaptec Ultra160 SCSI miniport)
0xB9E4B000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB9E33000 C:\WINDOWS\System32\DRIVERS\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xB9D02000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB98C5000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB9D4B000 symmpi.sys 94208 bytes (LSI Logic, LSI Logic Fusion-MPT MiniPort Driver (ScsiPort))
0xA8F2B000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB98DC000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xB9A6F000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xA95F4000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xB9CEF000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xB9D19000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB988C000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xA73D2000 C:\WINDOWS\System32\Drivers\Udfs.SYS 69632 bytes (Microsoft Corporation, UDF File System Driver)
0xBA2B8000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xBA188000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA168000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xBA158000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xBA128000 Lbd.sys 61440 bytes (Lavasoft AB, Boot Driver)
0xBA198000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xA9228000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xBA228000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBA0E8000 aic78u2.sys 57344 bytes (Microsoft Corporation, Adaptec Ultra2 SCSI miniport)
0xBA0D8000 aic78xx.sys 57344 bytes (Microsoft Corporation, Adaptec Ultra SCSI miniport)
0xBF012000 C:\WINDOWS\System32\ialmrnt5.dll 57344 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0xBA118000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA1A8000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xBA0C8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xBA1C8000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xBA298000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA178000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xBA0B8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xBA1B8000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xBA0A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xBA208000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xBA1E8000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xBA0F8000 aac.sys 36864 bytes (Adaptec, Inc., Adaptec RAID Miniport Driver)
0xBA108000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xBA288000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xBA148000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xBA1D8000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xBA278000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xA7477000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xBA268000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xBA338000 cercsr6.sys 32768 bytes (Adaptec, Inc., DELL CERC SATA1.5/6ch Miniport Driver)
0xBA480000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xBA388000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xBA3A8000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xBA458000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xBA328000 C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xBA490000 C:\WINDOWS\system32\DRIVERS\usbprint.sys 28672 bytes (Microsoft Corporation, USB Printer driver)
0xBA3C0000 C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xBA410000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xBA418000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xBA438000 c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{749B75FD-BC94-483C-A9CE-F85F593DED25}\MpKsl76e532f5.sys 24576 bytes (Microsoft Corporation, KSLDriver)
0xBA380000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xBA460000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xBA340000 megasas.sys 20480 bytes (LSI Logic Corporation, MEGASAS RAID Controller Driver for XP 32)
0xBA470000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xBA330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xBA3F0000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xBA400000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xBA3E0000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xBA4A0000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xA7726000 C:\WINDOWS\system32\DRIVERS\asyncmac.sys 16384 bytes (Microsoft Corporation, MS Remote Access serial network driver)
0xBA57C000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xBA598000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xA9188000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xBA568000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xBA4B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xA9617000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xB98A1000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xA7606000 C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys 12288 bytes
0xA9686000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xBA574000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xBA56C000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xBA5CE000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xBA5AE000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xBA5CA000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xBA5AC000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xBA5A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xBA5D2000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xBA5D6000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBA5B6000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xBA5BA000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBA5AA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBA759000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xBA764000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xBA7E4000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xBA670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
!!!!!!!!!!!Hidden driver: 0x8A075AF1 ?_empty_? 1295 bytes
0x8A075ECC unknown_irp_handler 308 bytes
!!!!!!!!!!!Hidden driver: 0x8A108090 ?_empty_? 0 bytes
==============================================
>Stealth
==============================================
0xB9E4B000 WARNING: suspicious driver modification [atapi.sys::0x8A075AF1]
0xBA56C000 WARNING: Virus alike driver modification [rasacd.sys], 12288 bytes
0x03540000 Hidden Image-->UPS.Interop.ManagedProxies.dll [ EPROCESS 0x89ACDBC0 ] PID: 2804, 155648 bytes
0x034F0000 Hidden Image-->UPS.Components.LANPolicyManager.dll [ EPROCESS 0x89ACDBC0 ] PID: 2804, 233472 bytes
0x03E90000 Hidden Image-->System.Transactions.dll [ EPROCESS 0x89ACDBC0 ] PID: 2804, 270336 bytes
0x039F0000 Hidden Image-->System.Data.dll [ EPROCESS 0x89ACDBC0 ] PID: 2804, 2961408 bytes
0x03980000 Hidden Image-->Interop.DBSUPPORTENGINELib.dll [ EPROCESS 0x89ACDBC0 ] PID: 2804, 36864 bytes
0x03E80000 Hidden Image-->Microsoft.ApplicationBlocks.Data.dll [ EPROCESS 0x89ACDBC0 ] PID: 2804, 36864 bytes
0x03900000 Hidden Image-->UPS.InteropFramework.Util.dll [ EPROCESS 0x89ACDBC0 ] PID: 2804, 45056 bytes
0x037E0000 Hidden Image-->msvcm80.dll [ EPROCESS 0x89ACDBC0 ] PID: 2804, 507904 bytes
0x00ED0000 Hidden Image-->UPS.Components.NA1MessengerServer.dll [ EPROCESS 0x89ACDBC0 ] PID: 2804, 53248 bytes
0x034A0000 Hidden Image-->UPS.Components.PolicyActions.dll [ EPROCESS 0x89ACDBC0 ] PID: 2804, 61440 bytes
0x03960000 Hidden Image-->UPS.Components.PolicyHolder.dll [ EPROCESS 0x89ACDBC0 ] PID: 2804, 61440 bytes
0x03860000 Hidden Image-->UPS.InteropFramework.Core.dll [ EPROCESS 0x89ACDBC0 ] PID: 2804, 73728 bytes



Here is the OTL file

OTL logfile created on: 4/5/2011 6:10:23 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 61.00% Memory free
4.00 Gb Paging File | 2.00 Gb Available in Paging File | 70.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 698.64 Gb Total Space | 547.68 Gb Free Space | 78.39% Space Free | Partition Type: NTFS

Computer Name: GX620 | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/05 18:09:14 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2011/03/22 13:53:56 | 002,403,024 | ---- | M] (IObit) -- C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
PRC - [2011/03/01 21:07:20 | 003,261,072 | R--- | M] (Carbonite, Inc. (www.carbonite.com)) -- C:\Program Files\Carbonite\Carbonite Backup\CarboniteService.exe
PRC - [2011/03/01 21:07:20 | 000,931,472 | R--- | M] (Carbonite, Inc.) -- C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
PRC - [2011/01/19 17:37:32 | 003,470,168 | ---- | M] (IObit) -- C:\Program Files\IObit\IObit Security 360\is360.exe
PRC - [2010/11/30 13:20:36 | 000,997,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2010/11/28 23:39:23 | 000,928,496 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2010/11/28 23:39:16 | 001,375,992 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2010/11/08 14:36:10 | 000,393,216 | ---- | M] () -- C:\UPS\WSTD\WSTDMessaging.exe
PRC - [2010/06/11 18:14:24 | 001,280,344 | ---- | M] (IObit) -- C:\Program Files\IObit\IObit Security 360\is360tray.exe
PRC - [2010/06/11 18:14:22 | 000,312,152 | ---- | M] (IObit) -- C:\Program Files\IObit\IObit Security 360\is360srv.exe
PRC - [2009/12/01 21:36:12 | 000,024,576 | ---- | M] () -- C:\UPS\WSTD\UPSNA1Msgr.exe
PRC - [2009/08/19 15:23:24 | 007,418,368 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.bin
PRC - [2009/08/19 15:23:22 | 007,424,000 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.exe
PRC - [2008/12/18 10:47:08 | 009,158,656 | ---- | M] (Microsoft Corporation) -- C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
PRC - [2008/04/14 10:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2001/11/14 03:25:12 | 000,311,296 | ---- | M] () -- C:\Program Files\Intuit\QuickBooks Premier\Components\QBAgent\qbdagent2002.exe


========== Modules (SafeList) ==========

MOD - [2011/04/05 18:09:14 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2011/01/19 19:53:34 | 000,238,424 | ---- | M] (IObit) -- C:\Program Files\IObit\IObit Security 360\is360mon.dll
MOD - [2010/08/23 09:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (NMIndexingService)
SRV - [2011/03/01 21:07:20 | 003,261,072 | R--- | M] (Carbonite, Inc. (www.carbonite.com)) [Auto | Running] -- C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe -- (CarboniteService)
SRV - [2010/11/28 23:39:16 | 001,375,992 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2010/06/11 18:14:22 | 000,312,152 | ---- | M] (IObit) [Auto | Running] -- C:\Program Files\IObit\IObit Security 360\is360srv.exe -- (IS360service)
SRV - [2008/12/18 10:47:08 | 009,158,656 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -- (MSSQL$UPSWSDBSERVER)
SRV - [2005/05/03 21:42:56 | 000,323,584 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -- (SQLAgent$UPSWSDBSERVER)


========== Driver Services (SafeList) ==========

DRV - [2011/04/05 11:55:40 | 000,028,752 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{749B75FD-BC94-483C-A9CE-F85F593DED25}\MpKsl76e532f5.sys -- (MpKsl76e532f5)
DRV - [2010/11/08 11:18:12 | 000,015,264 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Program Files\Lavasoft\Ad-Aware\kernexplorer.sys -- (Lavasoft Kernexplorer)
DRV - [2010/08/12 05:15:20 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2006/05/11 13:55:34 | 000,093,568 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\symmpi.sys -- (Symmpi)
DRV - [2005/05/17 19:12:40 | 000,204,800 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aarich.sys -- (aarich)
DRV - [2005/03/17 21:30:10 | 000,132,608 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2005/02/17 21:05:16 | 000,218,112 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\a320raid.sys -- (a320raid)
DRV - [2004/09/17 10:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2004/04/07 15:14:30 | 000,048,140 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\aac.sys -- (aac)
DRV - [2003/04/28 09:15:38 | 000,140,544 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\fasttx2k.sys -- (fasttx2k)
DRV - [2003/02/24 11:02:58 | 000,011,029 | ---- | M] (VMware, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\vmscsi.sys -- (vmscsi)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2506059724-3432134811-1174848262-500\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-2506059724-3432134811-1174848262-500\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-2506059724-3432134811-1174848262-500\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-2506059724-3432134811-1174848262-500\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-2506059724-3432134811-1174848262-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: seotoolbar@seobook.com:1.1.3
FF - prefs.js..extensions.enabledItems: seo4firefox@seobook.com:3.4.2

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/29 21:54:31 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/29 21:54:29 | 000,000,000 | ---D | M]

[2010/01/13 17:04:56 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2011/04/04 15:58:26 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3azwq652.default\extensions
[2010/04/27 09:38:55 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3azwq652.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/03/29 21:56:35 | 000,000,000 | ---D | M] (PDF Download) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3azwq652.default\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}(2)
[2010/09/12 21:16:45 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3azwq652.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}(2)
[2010/09/12 21:16:44 | 000,000,000 | ---D | M] (Diigo Bookmarks and Web Annotations) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3azwq652.default\extensions\{fc2b8f80-d9a5-4f51-8076-7c7ce3c67ee3}(2)
[2011/03/29 21:54:06 | 000,000,000 | ---D | M] (Diigo Toolbar) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3azwq652.default\extensions\{fc2b8f80-d9a5-4f51-8076-7c7ce3c67ee3}(3)
[2010/09/12 21:16:45 | 000,000,000 | ---D | M] ("RankChecker") -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3azwq652.default\extensions\rankchecker@seobook(2).com
[2011/03/29 21:53:14 | 000,000,000 | ---D | M] ("RankChecker") -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3azwq652.default\extensions\rankchecker@seobook(3).com
[2011/03/29 21:53:14 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3azwq652.default\extensions\rankchecker@seobook.com
[2010/09/12 21:16:46 | 000,000,000 | ---D | M] ("SEO For Firefox") -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3azwq652.default\extensions\seo4firefox@seobook(2).com
[2011/01/18 15:39:59 | 000,000,000 | ---D | M] ("SEO For Firefox") -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3azwq652.default\extensions\seo4firefox@seobook.com
[2010/09/12 21:16:46 | 000,000,000 | ---D | M] ("Seo Toolbar") -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3azwq652.default\extensions\seotoolbar@seobook(2).com
[2010/12/06 10:40:38 | 000,000,000 | ---D | M] ("Seo Toolbar") -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3azwq652.default\extensions\seotoolbar@seobook.com
[2011/04/04 15:58:32 | 000,002,533 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3azwq652.default\searchplugins\diigo--google.xml
[2011/04/05 09:10:57 | 000,012,804 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3azwq652.default\searchplugins\majestic-seo.xml
[2011/04/04 15:58:26 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/06/01 08:20:41 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2011/03/30 07:32:51 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/01/17 22:51:42 | 000,075,208 | ---- | M] (Foxit Software Company) -- C:\Program Files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

O1 HOSTS File: ([2004/08/12 06:19:39 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - File not found
O4 - HKLM..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
O4 - HKLM..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe (Carbonite, Inc.)
O4 - HKLM..\Run: [IObit Security 360] C:\Program Files\IObit\IObit Security 360\IS360tray.exe (IObit)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NA1Messenger] C:\UPS\WSTD\UPSNA1Msgr.exe ()
O4 - HKU\S-1-5-21-2506059724-3432134811-1174848262-500..\Run: [Advanced SystemCare 3] C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe (IObit)
O4 - HKU\S-1-5-21-2506059724-3432134811-1174848262-500..\RunOnce: [Shockwave Updater] File not found
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Premier\Components\QBAgent\qbdagent2002.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\UPS WorldShip Messaging Utility.lnk = C:\UPS\WSTD\WSTDMessaging.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\WSTD\wstdPldReminder.exe (UPS)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2506059724-3432134811-1174848262-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2506059724-3432134811-1174848262-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O15 - HKU\S-1-5-21-2506059724-3432134811-1174848262-500\..Trusted Domains: localhost ([]* in Local intranet)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234891585125 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1234891665265 (MUWebControl Class)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Value error.)
O16 - DPF: Microsoft XML Parser for Java file:///C:/WINDOWS/Java/classes/xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 66.232.84.3 66.232.84.6
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/07/28 10:13:37 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/05 18:08:57 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2011/04/04 16:38:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\mail backup
[2011/03/31 09:36:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Carbonite
[2011/03/30 15:14:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\gmer
[2011/03/30 14:23:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\IObit Security 360
[2011/03/30 14:23:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\IObit
[2011/03/29 21:52:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\{C49EF58D-682C-4079-A72B-56058515A907}
[2011/03/29 21:51:59 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent
[2011/03/29 20:30:48 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2011/03/27 21:29:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\{C49EF58D-682C-4079-A72B-56058515A907}(2)
[2011/03/15 20:19:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\ImgBurn
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/04/05 18:09:14 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2011/04/05 18:03:20 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Microsoft Office Word 2003.lnk
[2011/04/05 17:19:00 | 000,000,900 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/04/05 12:17:00 | 000,000,302 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-2506059724-3432134811-1174848262-500.job
[2011/04/05 12:01:00 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/04/05 11:57:57 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2011/04/05 11:56:33 | 000,000,199 | ---- | M] () -- C:\WINDOWS\wstdUPSWSHIP.INI
[2011/04/05 11:54:52 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/04/05 11:54:06 | 000,000,896 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/04/05 11:54:03 | 000,000,294 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-2506059724-3432134811-1174848262-500.job
[2011/04/05 11:53:45 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/04/04 12:59:32 | 000,144,113 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\april4.xps
[2011/04/02 20:28:00 | 000,002,495 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Microsoft Office Excel 2003.lnk
[2011/03/31 09:36:34 | 000,001,873 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Carbonite InfoCenter.lnk
[2011/03/30 15:13:20 | 000,293,019 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\gmer.zip
[2011/03/30 15:08:10 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Administrator\defogger_reenable
[2011/03/30 14:23:08 | 000,000,733 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\IObit Security 360.lnk
[2011/03/30 07:32:48 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2011/03/30 03:19:38 | 000,228,000 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/03/30 03:03:21 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/03/29 21:34:00 | 000,016,986 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Restore Report 03-21-1970 08-29-40AM.html
[2011/03/28 14:00:49 | 000,144,874 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\March 28.xps
[2011/03/28 08:13:23 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Ccamamalanunev.bin
[2011/03/28 08:13:22 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Qvulebewah.dat
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/04/04 12:59:30 | 000,144,113 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\april4.xps
[2011/03/30 15:13:15 | 000,293,019 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\gmer.zip
[2011/03/30 15:08:10 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\defogger_reenable
[2011/03/30 14:23:08 | 000,000,733 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\IObit Security 360.lnk
[2011/03/30 03:00:47 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2011/03/28 14:00:47 | 000,144,874 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\March 28.xps
[2011/01/24 21:25:29 | 000,040,856 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2011/01/14 15:57:33 | 000,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2010/09/13 12:15:22 | 000,015,880 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/09/11 23:02:38 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Qvulebewah.dat
[2010/09/11 23:02:38 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Ccamamalanunev.bin
[2010/02/02 12:21:52 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\CNMVS4b.DLL
[2010/01/30 17:08:59 | 000,000,199 | ---- | C] () -- C:\WINDOWS\wstdUPSWSHIP.INI
[2010/01/27 21:23:10 | 000,001,515 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/01/27 21:15:31 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT10.DLL
[2010/01/27 21:15:31 | 000,040,129 | ---- | C] () -- C:\WINDOWS\iccsigs.dat
[2010/01/27 21:15:30 | 000,000,150 | ---- | C] () -- C:\WINDOWS\KPCMS.INI
[2010/01/27 19:00:05 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2010/01/16 19:33:20 | 000,088,576 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/13 17:04:44 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/10/28 07:52:08 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\GetHostIP.exe
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
[2009/02/17 10:18:58 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/09/24 16:55:20 | 000,004,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\WinIo.sys
[2006/09/24 16:53:02 | 000,000,798 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/07/28 10:34:06 | 000,126,976 | ---- | C] () -- C:\WINDOWS\System32\e1000msg.dll
[2006/07/28 10:16:22 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2006/07/28 10:10:30 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2006/07/28 03:04:06 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2006/07/28 03:03:01 | 000,228,000 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2005/10/28 19:58:38 | 028,828,672 | ---- | C] () -- C:\Program Files\Alderspring Ranch Grass Fed Beef Retail.QBW
[2004/08/12 06:36:06 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/12 06:36:06 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/12 06:28:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/12 06:26:08 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/12 06:26:07 | 000,463,200 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/12 06:26:06 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/12 06:26:05 | 000,080,260 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/12 06:24:57 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/08/12 06:22:08 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/12 06:22:01 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/12 06:18:55 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/12 06:18:32 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2003/08/30 15:08:52 | 013,621,248 | ---- | C] () -- C:\Program Files\Alderspring Grass Fed Beef.QBW
[2003/04/08 13:41:20 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\nssckbi.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

< End of report >



Here is the OTL Extras.txt file

OTL Extras logfile created on: 4/5/2011 6:10:23 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 61.00% Memory free
4.00 Gb Paging File | 2.00 Gb Available in Paging File | 70.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 698.64 Gb Total Space | 547.68 Gb Free Space | 78.39% Space Free | Partition Type: NTFS

Computer Name: GX620 | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_USERS\S-1-5-21-2506059724-3432134811-1174848262-500\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\xampplite\apache\bin\httpd.exe" = C:\xampplite\apache\bin\httpd.exe:*:Enabled:Apache HTTP Server -- (Apache Software Foundation)
"C:\xampplite\mysql\bin\mysqld.exe" = C:\xampplite\mysql\bin\mysqld.exe:*:Enabled:The MySQL Server -- (MySQL AB)
"C:\Program Files\Google\Google Earth\client\googleearth.exe" = C:\Program Files\Google\Google Earth\client\googleearth.exe:*:Enabled:Google Earth -- (Google)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{05C26234-29BA-4694-8FE9-BBC41B648E73}" = Homeschool Tracker Plus
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{2A033A00-FE0D-4609-B0E8-2C49CC494FC8}" = WorldShip
"{308B6AEA-DE50-4666-996D-0FA461719D6B}" = Apple Mobile Device Support
"{33035862-543C-4405-9CC6-08593CF2C25F}" = ReportServer
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{390160B4-D276-4A04-8002-8D3101A0D367}" = UPSICC
"{4286E640-B5FB-11DF-AC4B-005056C00008}" = Google Earth
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
"{4AE3EAC8-FAD9-4ECC-A339-BBAD8C72DE71}" = UPSDB
"{56B59C2A-EFB8-44AC-88F5-3280171E4522}" = PolicyManager
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{5AE59A84-B2F3-42CC-A246-5AF80F6EE770}" = Reconciler
"{67B9AF41-C0B9-4960-84D9-A61D23DE85D8}" = Garmin Trip and Waypoint Manager v4
"{68AF09E3-1167-4771-903C-CCCDCF7E171C}" = NRF
"{774088D4-0777-4D78-904D-E435B318F5D2}" = Microsoft Antimalware
"{77A776C4-D10F-416D-88F0-53F2D9DCD9B3}" = Microsoft Security Client
"{809987B2-F964-11D4-A1A5-00104BD190B1}" = QuickBooks Premier 2002
"{881F5DE8-9367-4B81-A325-E91BBC6472F9}" = iTunes
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver
"{8C5BD501-AD5D-4A75-9321-076509B438FC}" = WebHelp
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{91130409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Basic Edition 2003
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95749C5B-BC37-41E3-8D39-EEF4C21A2825}" = CCC
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A5763105-D1D5-4862-A3FE-EC058F9AA73E}" = ICCHelp
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1.3
"{B1102A25-3AA3-446B-AA0F-A699B07A02FD}" = Garmin USB Drivers
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{BC728F95-2D3F-4D05-9E1E-F2A3CEBF3FE8}" = FormsComponent
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C23415D8-FE94-4F52-B5C4-0FFA2202C6D9}" = UPSVCMM
"{C30E30A6-0AB5-470A-AB67-D322938F5429}" = SupportUtility
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{C9D43B38-34AD-4EC2-B696-46F42D49D174}" = MSIChecker
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF2962CB-E3E7-4AA5-B6CE-EE59A600ECBE}" = UnifiedPrinting
"{D44E7219-947E-4F1B-830E-66EF11ACC543}" = NA1Messenger
"{DB2C58E0-6284-4B48-97F2-22A980B6360B}" = System
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E0783143-EAE2-4047-A8D6-E155523C594C}" = Garmin WebUpdater
"{E09B48B5-E141-427A-AB0C-D3605127224A}" = Microsoft SQL Server Desktop Engine (UPSWSDBSERVER)
"{E358CC1E-4953-4E27-ADEB-8B27D8BBC20E}" = UPSlinkHTTP
"{E6B87DC4-2B3D-4483-ADFF-E483BF718991}" = OpenOffice.org 3.1
"{EA6EB7D0-C920-4434-B43D-0DDD0AF8F497}" = Garmin MapSource
"{EA9629DA-5715-48BA-B054-28169702B176}" = FOSS
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F0E2B312-D7FD-4349-A9B6-E90B36DB1BD0}" = Paint.NET v3.5.5
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"45A7283175C62FAC673F913C1F532C5361F97841" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
"7-Zip" = 7-Zip 9.10 beta
"Ad-Aware" = Ad-Aware
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop 5.0 Limited Edition" = Adobe Photoshop 5.0 Limited Edition
"Adobe Shockwave Player" = Adobe Shockwave Player 11
"Advanced SystemCare 3_is1" = Advanced SystemCare 3
"Carbonite Backup" = Carbonite
"CCleaner" = CCleaner
"Core FTP LE 2.1" = Core FTP LE 2.1
"Equestrian Challenge" = Equestrian Challenge
"Foxit Reader" = Foxit Reader
"HTMLKit_is1" = HTML-Kit
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"ImgBurn" = ImgBurn
"IObit Security 360_is1" = IObit Security 360
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Client" = Microsoft Security Essentials
"Mozilla Firefox (3.6.13)" = Mozilla Firefox (3.6.13)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Picasa 3" = Picasa 3
"PROSet" = Intel® PRO Network Adapters and Drivers
"UPS WorldShip" = UPS WorldShip
"VLC media player" = VLC media player 1.0.1
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinHTTrack Website Copier_is1" = WinHTTrack Website Copier 3.43-9
"WinLiveSuite_Wave3" = Windows Live Essentials
"Winsyntax" = Winsyntax 2.0
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2506059724-3432134811-1174848262-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/17/2011 5:38:21 PM | Computer Name = GX620 | Source = Application Error | ID = 1000
Description = Faulting application worldshiptd.exe, version 12.0.17.0, faulting
module worldshiptd.exe, version 12.0.17.0, fault address 0x00001210.

Error - 1/17/2011 5:38:30 PM | Computer Name = GX620 | Source = Application Error | ID = 1000
Description = Faulting application worldshiptd.exe, version 12.0.17.0, faulting
module ntdll.dll, version 5.1.2600.5755, fault address 0x000449cf.

Error - 1/27/2011 12:50:36 AM | Computer Name = GX620 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 0x80070003, P2 moac, P3 cachereset, P4 3.0.8107.0,
P5 unspecified, P6 unspecified, P7 unspecified, P8 NIL, P9 NIL, P10 NIL.

Error - 2/3/2011 11:38:23 AM | Computer Name = GX620 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 0x80070670, P2 patchapplication, P3 am bdd,
P4 10.3.1781.0, P5 mpsigstub.exe, P6 3.0.8107.0, P7 microsoft security essentials,
P8 NIL, P9 NIL, P10 NIL.

Error - 2/14/2011 4:51:24 PM | Computer Name = GX620 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 0, P2 moaccapability, P3 3.0.8107.0, P4
0, P5 0, P6 unspecified, P7 unspecified, P8 NIL, P9 NIL, P10 NIL.

Error - 3/16/2011 4:34:55 PM | Computer Name = GX620 | Source = Application Error | ID = 1000
Description = Faulting application plugin-container.exe, version 1.9.2.4079, faulting
module xul.dll, version 1.9.2.4079, fault address 0x0073f912.

Error - 3/16/2011 6:19:05 PM | Computer Name = GX620 | Source = VSS | ID = 12292
Description = Volume Shadow Copy Service error: Error creating the Shadow Copy Provider
COM class with CLSID {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a} [0x80080005].

Error - 3/30/2011 12:58:30 AM | Computer Name = GX620 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 0x80070002, P2 moac, P3 cachereset, P4 3.0.8107.0,
P5 unspecified, P6 unspecified, P7 unspecified, P8 NIL, P9 NIL, P10 NIL.

Error - 3/30/2011 12:58:50 AM | Computer Name = GX620 | Source = JavaQuickStarterService | ID = 1
Description =

Error - 3/30/2011 12:39:34 PM | Computer Name = GX620 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 0, P2 moaccapability, P3 3.0.8107.0, P4
0, P5 0, P6 unspecified, P7 unspecified, P8 NIL, P9 NIL, P10 NIL.

[ System Events ]
Error - 3/30/2011 6:22:13 AM | Computer Name = GX620 | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service iPod Service
with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}

Error - 3/30/2011 6:22:13 AM | Computer Name = GX620 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the iPod Service service
to connect.

Error - 3/30/2011 6:22:13 AM | Computer Name = GX620 | Source = Service Control Manager | ID = 7000
Description = The iPod Service service failed to start due to the following error:
%%1053

Error - 3/30/2011 6:38:45 PM | Computer Name = GX620 | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
period.

Error - 3/30/2011 6:39:30 PM | Computer Name = GX620 | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
period.

Error - 3/30/2011 6:45:22 PM | Computer Name = GX620 | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
period.

Error - 3/30/2011 6:47:04 PM | Computer Name = GX620 | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
period.

Error - 4/2/2011 10:39:59 PM | Computer Name = GX620 | Source = Removable Storage Service | ID = 262255
Description = RSM could not load media in drive Drive 0 of library SanDisk Cruzer
USB Device.

Error - 4/2/2011 10:40:02 PM | Computer Name = GX620 | Source = Removable Storage Service | ID = 262255
Description = RSM could not load media in drive Drive 0 of library SanDisk Cruzer
USB Device.

Error - 4/4/2011 7:40:45 PM | Computer Name = GX620 | Source = VolSnap | ID = 393228
Description = The shadow copy of volume C: became low on diff area space before
it was properly installed.


< End of report >

#6 SweetTech (Agent ST)

Posted 06 April 2011 - 08:39 AM

Hi CarylE,

How are you doing today?

OTL Fix

We need to run an OTL Fix.
  • Please reopen OTL on your desktop.
  • Copy and paste the following code into the textbox in OTL.

    :Services
    :OTL
    SRV - File not found [Disabled | Stopped] -- -- (NMIndexingService)
    O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - File not found
    O4 - HKU\S-1-5-21-2506059724-3432134811-1174848262-500..\RunOnce: [Shockwave Updater] File not found
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Value error.)
    O16 - DPF: Microsoft XML Parser for Java file:///C:/WINDOWS/Java/classes/xmldso.cab (Reg Error: Key error.)
    [2011/03/29 21:52:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\{C49EF58D-682C-4079-A72B-56058515A907}
    [2011/03/27 21:29:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\{C49EF58D-682C-4079-A72B-56058515A907}(2)
    [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [2011/03/28 08:13:23 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Ccamamalanunev.bin
    [2011/03/28 08:13:22 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Qvulebewah.dat
    [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [2010/09/11 23:02:38 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Qvulebewah.dat
    [2010/09/11 23:02:38 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Ccamamalanunev.bin
    
    :Reg
    
    :Files
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    [emptytemp]
    [EMPTYFLASH]
    
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:


Running TDSSKiller

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


NEXT:



Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer. Could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has been completed, select the Scanner tab.
  • Select Perform quick scan, then click on Scan
  • Leave the default options as they are and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Check (tick) all items and click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom-most log is the latest.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT:



What issues are you currently experiencing?

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#7 CarylE

CarylE
  • Topic Starter

  • Members
  • 26 posts

Posted 06 April 2011 - 01:07 PM

Hi SweetTech

I'm doing much better today, because after following your steps, it seems the redirect is gone, and my browsers (both IE and Firefox) are behaving themselves. You are the malware guru!

Do I need to do anything else? How do I avoid such nasties in the future? Do I need to worry that my passwords may have been compromised (I have already changed the most critical ones on another computer)?

Here are the logs you requested:

OTL file
All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
Service NMIndexingService stopped successfully!
Service NMIndexingService deleted successfully!
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ deleted successfully.
Registry value HKEY_USERS\S-1-5-21-2506059724-3432134811-1174848262-500\Software\Microsoft\Windows\CurrentVersion\RunOnce\\Shockwave Updater deleted successfully.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
File oft XML Parser for Java file:///C:/WINDOWS/Java/classes/xmldso.cab not found.
Starting removal of ActiveX control Microsoft XML Parser for Java
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Microsoft XML Parser for Java\ not found.
C:\Documents and Settings\Administrator\Local Settings\Application Data\{C49EF58D-682C-4079-A72B-56058515A907}\chrome\content folder moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\{C49EF58D-682C-4079-A72B-56058515A907}\chrome folder moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\{C49EF58D-682C-4079-A72B-56058515A907} folder moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\{C49EF58D-682C-4079-A72B-56058515A907}(2)\chrome(2)\content(2) folder moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\{C49EF58D-682C-4079-A72B-56058515A907}(2)\chrome(2) folder moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\{C49EF58D-682C-4079-A72B-56058515A907}(2) folder moved successfully.
C:\WINDOWS\002820_.tmp deleted successfully.
C:\WINDOWS\SET3.tmp deleted successfully.
C:\WINDOWS\SET4.tmp deleted successfully.
C:\WINDOWS\SET8.tmp deleted successfully.
C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
C:\WINDOWS\Ccamamalanunev.bin moved successfully.
C:\WINDOWS\Qvulebewah.dat moved successfully.
File C:\WINDOWS\Qvulebewah.dat not found.
File C:\WINDOWS\Ccamamalanunev.bin not found.
========== REGISTRY ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Administrator\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Administrator\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTL Restore Point (68719476736)

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 26305035 bytes
->Temporary Internet Files folder emptied: 60520239 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 295933433 bytes
->Google Chrome cache emptied: 6383179 bytes
->Flash cache emptied: 21476 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: Glenn Elzinga

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33036 bytes

User: NetworkService
->Temp folder emptied: 1553256 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 6503073 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 77739566 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 1423122615 bytes

Total Files Cleaned = 1,810.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User

User: Glenn Elzinga

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 04062011_102455

Files\Folders moved on Reboot...
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\YIFPD3WV\page__p__2188486__fromsearch__1[1].htm moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temp\MpCmdRun.log moved successfully.
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_139c.dat not found!

Registry entries deleted on Reboot...


TDSSKiller log

2011/04/06 10:38:53.0468 2256 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/06 10:38:54.0437 2256 ================================================================================
2011/04/06 10:38:54.0437 2256 SystemInfo:
2011/04/06 10:38:54.0437 2256
2011/04/06 10:38:54.0437 2256 OS Version: 5.1.2600 ServicePack: 3.0
2011/04/06 10:38:54.0437 2256 Product type: Workstation
2011/04/06 10:38:54.0453 2256 ComputerName: GX620
2011/04/06 10:38:54.0453 2256 UserName: Administrator
2011/04/06 10:38:54.0453 2256 Windows directory: C:\WINDOWS
2011/04/06 10:38:54.0453 2256 System windows directory: C:\WINDOWS
2011/04/06 10:38:54.0453 2256 Processor architecture: Intel x86
2011/04/06 10:38:54.0453 2256 Number of processors: 2
2011/04/06 10:38:54.0453 2256 Page size: 0x1000
2011/04/06 10:38:54.0453 2256 Boot type: Normal boot
2011/04/06 10:38:54.0453 2256 ================================================================================
2011/04/06 10:38:55.0156 2256 Initialize success
2011/04/06 10:38:58.0750 3444 ================================================================================
2011/04/06 10:38:58.0750 3444 Scan started
2011/04/06 10:38:58.0750 3444 Mode: Manual;
2011/04/06 10:38:58.0750 3444 ================================================================================
2011/04/06 10:38:59.0421 3444 a320raid (28615e07c5b8803841a038418406b98e) C:\WINDOWS\system32\DRIVERS\a320raid.sys
2011/04/06 10:38:59.0484 3444 aac (74365ea0c390d9af5d2ee720c65be2a9) C:\WINDOWS\system32\DRIVERS\aac.sys
2011/04/06 10:38:59.0531 3444 aarich (b7dbe200b5395fe2937ea2b69e413dad) C:\WINDOWS\system32\DRIVERS\aarich.sys
2011/04/06 10:38:59.0703 3444 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/04/06 10:38:59.0781 3444 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/04/06 10:38:59.0843 3444 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2011/04/06 10:38:59.0890 3444 adpu320 (e4e13ce4c85c7e45a643ba54b8c8b16b) C:\WINDOWS\system32\drivers\adpu320.sys
2011/04/06 10:38:59.0968 3444 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/04/06 10:39:00.0015 3444 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/04/06 10:39:00.0062 3444 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2011/04/06 10:39:00.0093 3444 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2011/04/06 10:39:00.0390 3444 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/04/06 10:39:00.0406 3444 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/04/06 10:39:00.0468 3444 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/04/06 10:39:00.0500 3444 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/04/06 10:39:00.0546 3444 b57w2k (241474d01380e9ed41d4c07f4f5fd401) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2011/04/06 10:39:00.0578 3444 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/04/06 10:39:00.0656 3444 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/04/06 10:39:00.0718 3444 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/04/06 10:39:00.0765 3444 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/04/06 10:39:00.0796 3444 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/04/06 10:39:00.0828 3444 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
2011/04/06 10:39:01.0109 3444 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/04/06 10:39:01.0156 3444 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/04/06 10:39:01.0187 3444 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/04/06 10:39:01.0203 3444 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/04/06 10:39:01.0234 3444 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/04/06 10:39:01.0265 3444 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/04/06 10:39:01.0328 3444 E1000 (a8b3ec8ee13cbe14f067c72110155a1b) C:\WINDOWS\system32\DRIVERS\e1000325.sys
2011/04/06 10:39:01.0390 3444 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/04/06 10:39:01.0421 3444 fasttx2k (b62ba9f5e991d64c28dd75121aa38c81) C:\WINDOWS\system32\DRIVERS\fasttx2k.sys
2011/04/06 10:39:01.0468 3444 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/04/06 10:39:01.0500 3444 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/04/06 10:39:01.0515 3444 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/04/06 10:39:01.0562 3444 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/04/06 10:39:01.0625 3444 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/04/06 10:39:01.0656 3444 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/04/06 10:39:01.0687 3444 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/04/06 10:39:01.0734 3444 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/04/06 10:39:01.0781 3444 grmnusb (d956358054e99e6ffac69cd87e893a89) C:\WINDOWS\system32\drivers\grmnusb.sys
2011/04/06 10:39:01.0843 3444 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/04/06 10:39:01.0937 3444 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/04/06 10:39:02.0015 3444 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/04/06 10:39:02.0093 3444 ialm (5a8e05f1d5c36abd58cffa111eb325ea) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2011/04/06 10:39:02.0156 3444 iaStor (1c77a81756d4777ccb0425ae8107fe96) C:\WINDOWS\system32\DRIVERS\iaStor.sys
2011/04/06 10:39:02.0359 3444 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/04/06 10:39:02.0671 3444 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/04/06 10:39:03.0156 3444 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/04/06 10:39:03.0265 3444 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/04/06 10:39:03.0328 3444 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/04/06 10:39:03.0390 3444 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/04/06 10:39:03.0437 3444 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/04/06 10:39:03.0500 3444 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/04/06 10:39:03.0546 3444 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/04/06 10:39:03.0562 3444 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/04/06 10:39:03.0593 3444 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/04/06 10:39:03.0671 3444 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/04/06 10:39:03.0750 3444 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/04/06 10:39:03.0796 3444 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/04/06 10:39:03.0937 3444 Lavasoft Kernexplorer (0bd6d3f477df86420de942a741dabe37) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys
2011/04/06 10:39:03.0984 3444 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\WINDOWS\system32\DRIVERS\Lbd.sys
2011/04/06 10:39:04.0125 3444 megasas (b9ca93897ee500c87471d4353707ee43) C:\WINDOWS\system32\drivers\megasas.sys
2011/04/06 10:39:04.0171 3444 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/04/06 10:39:04.0250 3444 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/04/06 10:39:04.0296 3444 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/04/06 10:39:04.0343 3444 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/04/06 10:39:04.0375 3444 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/04/06 10:39:04.0437 3444 MpFilter (7e34bfa1a7b60bba1da03d677f16cd63) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
2011/04/06 10:39:04.0609 3444 MpKsl299064c2 (5f53edfead46fa7adb78eee9ecce8fdf) c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{497F63D4-F7DD-4D94-A4F6-4F105A2395E6}\MpKsl299064c2.sys
2011/04/06 10:39:04.0640 3444 MpKsl876e83df (5f53edfead46fa7adb78eee9ecce8fdf) c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{497F63D4-F7DD-4D94-A4F6-4F105A2395E6}\MpKsl876e83df.sys
2011/04/06 10:39:04.0750 3444 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/04/06 10:39:04.0828 3444 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/04/06 10:39:04.0875 3444 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/04/06 10:39:04.0921 3444 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/04/06 10:39:05.0000 3444 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/04/06 10:39:05.0046 3444 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/04/06 10:39:05.0093 3444 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/04/06 10:39:05.0109 3444 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/04/06 10:39:05.0156 3444 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/04/06 10:39:05.0171 3444 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/04/06 10:39:05.0203 3444 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/04/06 10:39:05.0234 3444 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/04/06 10:39:05.0281 3444 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/04/06 10:39:05.0296 3444 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/04/06 10:39:05.0328 3444 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/04/06 10:39:05.0390 3444 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/04/06 10:39:05.0421 3444 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/04/06 10:39:05.0500 3444 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/04/06 10:39:05.0531 3444 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/04/06 10:39:05.0578 3444 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/04/06 10:39:05.0625 3444 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/04/06 10:39:05.0640 3444 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/04/06 10:39:05.0671 3444 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/04/06 10:39:05.0687 3444 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/04/06 10:39:05.0734 3444 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/04/06 10:39:05.0781 3444 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/04/06 10:39:05.0984 3444 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/04/06 10:39:06.0000 3444 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/04/06 10:39:06.0031 3444 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/04/06 10:39:06.0140 3444 RasAcd (515999c081837165b9e5a26d22f4dd40) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/04/06 10:39:06.0140 3444 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\rasacd.sys. Real md5: 515999c081837165b9e5a26d22f4dd40, Fake md5: fe0d99d6f31e4fad8159f690d68ded9c
2011/04/06 10:39:06.0156 3444 RasAcd - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/04/06 10:39:06.0203 3444 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/04/06 10:39:06.0218 3444 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/04/06 10:39:06.0234 3444 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/04/06 10:39:06.0312 3444 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/04/06 10:39:06.0343 3444 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/04/06 10:39:06.0406 3444 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/04/06 10:39:06.0453 3444 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/04/06 10:39:06.0515 3444 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/04/06 10:39:06.0640 3444 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/04/06 10:39:06.0750 3444 senfilt (b9c7617c1e8ab6fdff75d3c8dafcb4c8) C:\WINDOWS\system32\drivers\senfilt.sys
2011/04/06 10:39:06.0796 3444 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/04/06 10:39:06.0828 3444 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/04/06 10:39:06.0890 3444 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/04/06 10:39:06.0984 3444 smwdm (c6d9959e493682f872a639b6ec1b4a08) C:\WINDOWS\system32\drivers\smwdm.sys
2011/04/06 10:39:07.0140 3444 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/04/06 10:39:07.0234 3444 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/04/06 10:39:07.0312 3444 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/04/06 10:39:07.0359 3444 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/04/06 10:39:07.0390 3444 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/04/06 10:39:07.0578 3444 Symmpi (e16380d5911fa00e90452f90f49ed352) C:\WINDOWS\system32\DRIVERS\symmpi.sys
2011/04/06 10:39:07.0718 3444 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/04/06 10:39:07.0781 3444 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/04/06 10:39:07.0843 3444 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/04/06 10:39:07.0906 3444 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/04/06 10:39:07.0953 3444 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/04/06 10:39:08.0062 3444 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/04/06 10:39:08.0203 3444 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/04/06 10:39:08.0265 3444 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/04/06 10:39:08.0328 3444 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/04/06 10:39:08.0359 3444 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/04/06 10:39:08.0437 3444 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/04/06 10:39:08.0500 3444 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/04/06 10:39:08.0562 3444 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/04/06 10:39:08.0593 3444 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/04/06 10:39:08.0640 3444 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/04/06 10:39:08.0718 3444 vmscsi (cd8a1f04836111dc0e6c0cd904b3c660) C:\WINDOWS\system32\drivers\vmscsi.sys
2011/04/06 10:39:08.0781 3444 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/04/06 10:39:08.0828 3444 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/04/06 10:39:08.0921 3444 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/04/06 10:39:09.0046 3444 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2011/04/06 10:39:09.0109 3444 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/04/06 10:39:09.0125 3444 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/04/06 10:39:09.0296 3444 ================================================================================
2011/04/06 10:39:09.0296 3444 Scan finished
2011/04/06 10:39:09.0296 3444 ================================================================================
2011/04/06 10:39:09.0312 3440 Detected object count: 1
2011/04/06 10:39:31.0515 3440 RasAcd (515999c081837165b9e5a26d22f4dd40) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/04/06 10:39:31.0515 3440 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\rasacd.sys. Real md5: 515999c081837165b9e5a26d22f4dd40, Fake md5: fe0d99d6f31e4fad8159f690d68ded9c
2011/04/06 10:39:32.0375 3440 Backup copy found, using it..
2011/04/06 10:39:32.0390 3440 C:\WINDOWS\system32\DRIVERS\rasacd.sys - will be cured after reboot
2011/04/06 10:39:32.0390 3440 Rootkit.Win32.TDSS.tdl3(RasAcd) - User select action: Cure
2011/04/06 10:39:50.0906 2260 Deinitialize success


Malwarebytes log

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 6288

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/6/2011 10:55:21 AM
mbam-log-2011-04-06 (10-55-21).txt

Scan type: Quick scan
Objects scanned: 157354
Time elapsed: 9 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 06 April 2011 - 01:25 PM

Hi CarylE,

You are the malware guru!

aww.. Thanks!

Do I need to do anything else? How do I avoid such nasties in the future? Do I need to worry that my passwords may have been compromised (I have already changed the most critical ones on another computer)?

We will be running some additional scans to ensure we have gotten it all. I will cover how to avoid such nasties in my all-clean speech (which will come later).


One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to apprise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.



NEXT:



The main infection that you were infected with is called TDL3.

See the snippet of text below:

2011/04/06 10:39:09.0312 3440 Detected object count: 1
2011/04/06 10:39:31.0515 3440 RasAcd (515999c081837165b9e5a26d22f4dd40) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/04/06 10:39:31.0515 3440 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\rasacd.sys. Real md5: 515999c081837165b9e5a26d22f4dd40, Fake md5: fe0d99d6f31e4fad8159f690d68ded9c
2011/04/06 10:39:32.0375 3440 Backup copy found, using it..
2011/04/06 10:39:32.0390 3440 C:\WINDOWS\system32\DRIVERS\rasacd.sys - will be cured after reboot
2011/04/06 10:39:32.0390 3440 Rootkit.Win32.TDSS.tdl3(RasAcd) - User select action: Cure
2011/04/06 10:39:50.0906 2260 Deinitialize success


You can read more about this infection here:

Special thanks to quietman7 for providing the above links.



NEXT:



Your version of MBAM is outdated.

The latest version is 1.50.1.100

Please update it to the latest version:

Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer; could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has completed, select the Scanner tab.
  • Select Perform quick scan, then click on Scan
  • Leave the default options as they are and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Check (tick) all items and click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom-most log is the latest.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT:



ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • When the Computer scan settings display shows, click the Advanced option, then place a check next to the following (if it is not already checked):
    • Enable Anti-Stealth technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NEXT:



Security Check
Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



#9 CarylE

  • Topic Starter

Posted 06 April 2011 - 03:11 PM

Well, rats.

A couple questions:
1) How high do you think is the risk?

2) Could my data be infected? I use an off-site backup system (Carbonite) for my data files. It is fairly easy to put those back on a clean install, but do I have to worry that they could be a source for re-infection?

3) We have three computers connected to the internet through a link-sys router, but we are not networked. Do I have to be concerned about infection of the other 2 computers? They have not shown any weird behavior.

4) We have used a thumb drive from my computer to one of the others. Is there a potential for contamination to the other computer?

#10 SweetTech

    Agent ST

Posted 06 April 2011 - 03:22 PM

A couple questions:

1) How high do you think is the risk?

It's hard to say. I don't know what type of damage was done before I got to work on removing it.

2) Could my data be infected? I use an off-site backup system (Carbonite) for my data files. It is fairly easy to put those back on a clean install, but do I have to worry that they could be a source for re-infection?

It's possible, the best way to ensure that you don't get infected by your back-up files is to scan them when you restore them (if need be).

3) We have three computers connected to the internet through a link-sys router, but we are not networked. Do I have to be concerned about infection of the other 2 computers? They have not shown any weird behavior.

I think the other 3 computers should be fine.

4) We have used a thumb drive from my computer to one of the others. Is there a potential for contamination to the other computer?

There's a possibility. I can check the other computer after we finish cleaning this one (if that is what you decide to do)



#11 CarylE

  • Topic Starter

Posted 06 April 2011 - 03:56 PM

I guess I'd like the 100% certainty that we are rid of this thing and completely secure, so I'll plan to do a re-install. I will need to wait to do that, however, until next Monday. We ship UPS every Monday, and this is our shipping computer- I don't think I can get UPS re-installed and running by Monday even if I start this afternoon (clunky, rotten, counterintuitive software...). In the meantime, tho, I'll follow your steps above to get a little closer to certainty that this thing "may" be clean. I'd also like to completely scan the other two computers using the tools you recommend so we can continue to use them (I'll be changing all our passwords and we use one of them for online financial business every day). So, here's some more questions for you :)

1) Do you want me to start a new thread with the other computers?
2) What scans do you want me to do/ tools to use on those computers? (I have already scanned them with Malware bytes, adaware, IOBIT, and Windows defender in both regular and safe mode and turned up nothing)

I'll hit reply and then post the results from the scans you requested in a few minutes. Again, thank you so much for all your help!

#12 CarylE

  • Topic Starter

Posted 06 April 2011 - 04:04 PM

Malware bytes log

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 6290

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/6/2011 2:03:14 PM
mbam-log-2011-04-06 (14-03-14).txt

Scan type: Quick scan
Objects scanned: 158264
Time elapsed: 4 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#13 CarylE

  • Topic Starter

Posted 06 April 2011 - 06:03 PM

ESET scan: looks like a trojan in one of the WordPress themes I downloaded

C:\xampplite\htdocs\wordpressmag\wp-content\themes\iRestaurant\iRestaurant\header.php PHP/Kryptik.AB trojan

Security Check scan
Results of screen317's Security Check version 0.99.10
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
ESET Online Scanner v3
Microsoft Security Essentials
Antivirus up to date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
Malwarebytes' Anti-Malware
CCleaner
Adobe Flash Player 10.1.102.64
Adobe Reader 9.1.3
Out of date Adobe Reader installed!
Mozilla Firefox (3.6.16) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe
Microsoft Security Essentials msseces.exe
Microsoft Security Client Antimalware MsMpEng.exe
``````````End of Log````````````

#14 SweetTech

    Agent ST

Posted 07 April 2011 - 03:20 PM

Hi CarylE,

1) Do you want me to start a new thread with the other computers?
2) What scans do you want me to do/ tools to use on those computers? (I have already scanned them with Malware bytes, adaware, IOBIT, and Windows defender in both regular and safe mode and turned up nothing)

Yes, you will need to create a new thread for the other computers. I only work on one computer per thread. It's easier that way.

You'll need to run the scans in this thread here: http://www.bleepingcomputer.com/forums/topic34773.html

The version of MBAM you posted is currently outdated.

You have version: Database version: 6290 installed and the latest version is 1.50.1.100

Please follow these instructions to install the latest version:

Can you please update your database version by doing the following:
  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates


NEXT:



Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer; could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has been completed, select the Scanner tab.
  • Select Perform quick scan, then click on Scan
  • Leave the default options as they are and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Check (tick) all items and click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom-most log is the latest.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT:



Let's submit the file found by ESET.

VirusTotal File Scan
Please go to: VirusTotal
  • Click the Browse button and search for the following file: C:\xampplite\htdocs\wordpressmag\wp-content\themes\iRestaurant\iRestaurant\header.php
  • Click Open
  • Then click Send File
  • Please be patient while the file is scanned.
  • Once the scan results appear, please provide them in your next reply.
If it says already scanned -- click "reanalyze now"

Please post the results in your next reply



NEXT:



Update Adobe Reader
Earlier versions of Adobe Reader have known security flaws, so it is recommended that you update your copy.
  • Go to Start > Control Panel > Add/Remove Programs
  • Remove ALL instances of Adobe Reader
  • Re-boot your computer as required.
  • Once ALL versions of Adobe Reader have been uninstalled, visit: <<here>> and download the latest version of Adobe Reader
Alternative Option: after uninstalling Adobe Reader, you could try installing Foxit Reader from >here<. Foxit Reader has fewer add-ons and therefore loads more quickly.



NEXT:



OTL Custom Scan

We need to run an OTL Custom Scan
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following bolded text into the Posted Image textbox.


    netsvcs
    drivers32
    %USERPROFILE%\AppData\Local\Google\Chrome\User Data\*.* /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Push the Posted Image button.
  • A report will open. Copy and Paste that report in your next reply.


NEXT:



What outstanding issues (if any) are you still experiencing with your computer?

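The VirusTotal step above produces the kind of plain-text engine list the topic starter pastes later in this thread. As an added example (not from either poster or from VirusTotal), the following Python script parses such a report into a detection ratio and its hash section, then sweeps a directory tree for any file with a matching hash, which is the check the topic starter wanted for the other two computers and the thumb drive. The engine lines in SAMPLE_REPORT are a constructed, abbreviated subset of the layout; the hash values are the ones the later paste reports for header.php.

```python
"""Parse a pasted VirusTotal text report and sweep a directory for its hashes."""
import hashlib
import os
import re
import sys
from dataclasses import dataclass, field

# Constructed sample in the layout of the VirusTotal text pasted into this thread:
# one "<engine> <version> <date> <result>" line per engine, then the hash section.
# The engine lines are an abbreviated subset; the hashes are the thread's header.php ones.
SAMPLE_REPORT = """\
Antivirus Version Last Update Result
AhnLab-V3 2011.04.08.01 2011.04.08 -
Comodo 8261 2011.04.08 UnclassifiedMalware
NOD32 6025 2011.04.08 PHP/Kryptik.AB
Sophos 4.64.0 2011.04.08 -
Additional information
MD5 : e1cbb649b40b03b20b15b93153cd5caf
SHA1 : 687670284192163d7d2f55c5fa5c3d37425a0a86
SHA256: a2fe03bd4a75a8bc9bcb2af3e9e89d7d932a8617dea1c42eaf455f7136e2a427
File size : 4906 bytes
"""

# "<engine> <version> <yyyy.mm.dd> <verdict>"; a verdict of "-" means that engine saw nothing.
ENGINE_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+)$")
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256)\s*:\s*([0-9a-fA-F]+)$")

@dataclass
class VtReport:
    detections: dict = field(default_factory=dict)  # engine -> verdict string
    clean: list = field(default_factory=list)       # engines that reported "-"
    hashes: dict = field(default_factory=dict)      # "md5"/"sha1"/"sha256" -> hex

    @property
    def ratio(self):
        """(detecting engines, engines total), as VirusTotal displays it."""
        return len(self.detections), len(self.detections) + len(self.clean)

def parse_report(text):
    """Turn the pasted report into a VtReport; lines that match neither pattern are skipped."""
    report = VtReport()
    for raw in text.splitlines():
        line = raw.strip()
        m = HASH_LINE.match(line)
        if m:
            report.hashes[m.group(1).lower()] = m.group(2).lower()
            continue
        m = ENGINE_LINE.match(line)
        if not m:
            continue  # column header, "Additional information", file size, ...
        engine, verdict = m.group(1), m.group(4).strip()
        if verdict == "-":
            report.clean.append(engine)
        else:
            report.detections[engine] = verdict
    return report

def file_hashes(path):
    """MD5, SHA1 and SHA256 of a file, read in chunks so large files are fine."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in digests.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in digests.items()}

def sweep(root, known_hashes):
    """Paths under root whose MD5, SHA1 or SHA256 equals any value in known_hashes."""
    # A hash match only finds byte-identical copies (e.g. the same theme unpacked on another
    # machine); a modified or re-obfuscated file will not match, so no hit is not proof of clean.
    wanted = {v.lower() for v in known_hashes.values()}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = file_hashes(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole sweep
            if wanted & set(digests.values()):
                hits.append(path)
    return sorted(hits)

if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    hit, total = report.ratio
    print(f"{hit}/{total} engines flagged the file: {report.detections}")
    for match in sweep(sys.argv[1] if len(sys.argv) > 1 else ".", report.hashes):
        print("MATCH", match)
```

Run it with the root of the other machine's drive (or the thumb drive) as the argument; a pasted report with all 40 engines parses the same way.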


#15 CarylE

  • Topic Starter

Posted 07 April 2011 - 09:54 PM

I had updated Malware bytes as you described before the last scan, so I thought perhaps it was not updating correctly. I removed the version I had, and then downloaded, reinstalled, updated and scanned. I did a complete scan. The log is pasted below.

I removed Adobe reader and reinstalled. I actually have been using foxit for the past couple years but uninstalled it when I started having problems.

My computer does seem to be behaving itself!

A little later this evening I'll prepare the files for the other two computers and submit a new thread. I feel badly using up one of you rock stars' time when other people are having so many problems, but I do need to make sure those computers have not been compromised. If there are some scans that I could do myself that would ensure they were clean, I would be glad to.

Here are the logs:

MALWARE BYTES LOG

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6306

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/7/2011 6:49:00 PM
mbam-log-2011-04-07 (18-49-00).txt

Scan type: Full scan (C:\|)
Objects scanned: 300218
Time elapsed: 1 hour(s), 19 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Antivirus Version Last Update Result
AhnLab-V3 2011.04.08.01 2011.04.08 -
AntiVir 7.11.6.6 2011.04.08 -
Antiy-AVL 2.0.3.7 2011.04.08 -
Avast 4.8.1351.0 2011.04.08 -
Avast5 5.0.677.0 2011.04.01 -
AVG 10.0.0.1190 2011.04.07 -
BitDefender 7.2 2011.04.08 -
CAT-QuickHeal 11.00 2011.04.07 -
ClamAV 0.97.0.0 2011.04.08 -
Commtouch 5.2.11.5 2011.04.06 -
Comodo 8261 2011.04.08 UnclassifiedMalware
DrWeb 5.0.2.03300 2011.04.08 -
eSafe 7.0.17.0 2011.04.07 -
eTrust-Vet 36.1.8259 2011.04.07 -
F-Prot 4.6.2.117 2011.04.07 -
F-Secure 9.0.16440.0 2011.04.08 -
Fortinet 4.2.254.0 2011.04.08 -
GData 22 2011.04.08 -
Ikarus T3.1.1.103.0 2011.04.08 -
Jiangmin 13.0.900 2011.04.07 -
K7AntiVirus 9.96.4320 2011.04.07 -
McAfee 5.400.0.1158 2011.04.08 -
McAfee-GW-Edition 2010.1C 2011.04.07 -
Microsoft 1.6702 2011.04.07 -
NOD32 6025 2011.04.08 PHP/Kryptik.AB
Norman 6.07.07 2011.04.07 -
Panda 10.0.3.5 2011.04.07 -
PCTools 7.0.3.5 2011.04.07 -
Prevx 3.0 2011.04.08 -
Rising 23.52.03.06 2011.04.07 -
Sophos 4.64.0 2011.04.08 -
SUPERAntiSpyware 4.40.0.1006 2011.04.07 -
Symantec 20101.3.2.89 2011.04.08 -
TheHacker 6.7.0.1.168 2011.04.08 -
TrendMicro 9.200.0.1012 2011.04.07 -
TrendMicro-HouseCall 9.200.0.1012 2011.04.08 -
VBA32 3.12.14.3 2011.04.07 -
VIPRE 8952 2011.04.08 -
ViRobot 2011.4.7.4398 2011.04.08 -
VirusBuster 13.6.293.1 2011.04.07 -
Additional information
MD5 : e1cbb649b40b03b20b15b93153cd5caf
SHA1 : 687670284192163d7d2f55c5fa5c3d37425a0a86
SHA256: a2fe03bd4a75a8bc9bcb2af3e9e89d7d932a8617dea1c42eaf455f7136e2a427
ssdeep: 96:FEvpoYy1UB4GUiYk0MGsNLLoN0/KR9xPUWII+XBl10M4fkLcc1FuO4lutQL+NP26:FEd0MeNkWII+XBn0M4fQbGuOL+NJrn
File size : 4906 bytes
First seen: 2011-04-08 02:37:22
Last seen : 2011-04-08 02:37:22
TrID:
file seems to be plain text/ASCII (0.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned








OTL LOG FILE

OTL logfile created on: 4/7/2011 7:45:26 PM - Run 2
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 62.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 71.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 698.64 Gb Total Space | 548.77 Gb Free Space | 78.55% Space Free | Partition Type: NTFS
Drive E: | 983.72 Mb Total Space | 775.48 Mb Free Space | 78.83% Space Free | Partition Type: FAT

Computer Name: GX620 | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/05 18:09:14 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2011/03/22 13:53:56 | 002,403,024 | ---- | M] (IObit) -- C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
PRC - [2011/03/01 21:07:20 | 003,261,072 | R--- | M] (Carbonite, Inc. (www.carbonite.com)) -- C:\Program Files\Carbonite\Carbonite Backup\CarboniteService.exe
PRC - [2011/03/01 21:07:20 | 000,931,472 | R--- | M] (Carbonite, Inc.) -- C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
PRC - [2011/01/19 17:37:32 | 003,470,168 | ---- | M] (IObit) -- C:\Program Files\IObit\IObit Security 360\is360.exe
PRC - [2010/11/30 13:20:36 | 000,997,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2010/11/28 23:39:23 | 000,928,496 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2010/11/28 23:39:16 | 001,375,992 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2010/11/08 14:36:10 | 000,393,216 | ---- | M] () -- C:\UPS\WSTD\WSTDMessaging.exe
PRC - [2010/06/11 18:14:24 | 001,280,344 | ---- | M] (IObit) -- C:\Program Files\IObit\IObit Security 360\is360tray.exe
PRC - [2010/06/11 18:14:22 | 000,312,152 | ---- | M] (IObit) -- C:\Program Files\IObit\IObit Security 360\is360srv.exe
PRC - [2009/12/01 21:36:12 | 000,024,576 | ---- | M] () -- C:\UPS\WSTD\UPSNA1Msgr.exe
PRC - [2009/08/19 15:23:24 | 007,418,368 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.bin
PRC - [2009/08/19 15:23:22 | 007,424,000 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.exe
PRC - [2008/12/18 10:47:08 | 009,158,656 | ---- | M] (Microsoft Corporation) -- C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
PRC - [2008/04/14 10:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2001/11/14 03:25:12 | 000,311,296 | ---- | M] () -- C:\Program Files\Intuit\QuickBooks Premier\Components\QBAgent\qbdagent2002.exe


========== Modules (SafeList) ==========

MOD - [2011/04/05 18:09:14 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2011/01/19 19:53:34 | 000,238,424 | ---- | M] (IObit) -- C:\Program Files\IObit\IObit Security 360\is360mon.dll
MOD - [2010/08/23 09:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/03/01 21:07:20 | 003,261,072 | R--- | M] (Carbonite, Inc. (www.carbonite.com)) [Auto | Running] -- C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe -- (CarboniteService)
SRV - [2010/11/28 23:39:16 | 001,375,992 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2010/06/11 18:14:22 | 000,312,152 | ---- | M] (IObit) [Auto | Running] -- C:\Program Files\IObit\IObit Security 360\is360srv.exe -- (IS360service)
SRV - [2008/12/18 10:47:08 | 009,158,656 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -- (MSSQL$UPSWSDBSERVER)
SRV - [2005/05/03 21:42:56 | 000,323,584 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -- (SQLAgent$UPSWSDBSERVER)


========== Driver Services (SafeList) ==========

DRV - [2011/04/07 18:30:10 | 000,028,752 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BB3E40C4-2440-4A99-802D-AB8AAB03265C}\MpKsladaac75b.sys -- (MpKsladaac75b)
DRV - [2010/11/08 11:18:12 | 000,015,264 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Program Files\Lavasoft\Ad-Aware\kernexplorer.sys -- (Lavasoft Kernexplorer)
DRV - [2010/08/12 05:15:20 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2006/05/11 13:55:34 | 000,093,568 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\symmpi.sys -- (Symmpi)
DRV - [2005/05/17 19:12:40 | 000,204,800 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aarich.sys -- (aarich)
DRV - [2005/03/17 21:30:10 | 000,132,608 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2005/02/17 21:05:16 | 000,218,112 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\a320raid.sys -- (a320raid)
DRV - [2004/09/17 10:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2004/04/07 15:14:30 | 000,048,140 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\aac.sys -- (aac)
DRV - [2003/04/28 09:15:38 | 000,140,544 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\fasttx2k.sys -- (fasttx2k)
DRV - [2003/02/24 11:02:58 | 000,011,029 | ---- | M] (VMware, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\vmscsi.sys -- (vmscsi)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: seotoolbar@seobook.com:1.1.3
FF - prefs.js..extensions.enabledItems: seo4firefox@seobook.com:3.4.2

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/04/05 18:21:52 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/04/07 17:05:57 | 000,000,000 | ---D | M]

[2010/01/13 17:04:56 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2011/04/07 17:25:27 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3azwq652.default\extensions
[2010/04/27 09:38:55 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3azwq652.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/03/29 21:56:35 | 000,000,000 | ---D | M] (PDF Download) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3azwq652.default\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}(2)
[2010/09/12 21:16:45 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3azwq652.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}(2)
[2010/09/12 21:16:44 | 000,000,000 | ---D | M] (Diigo Bookmarks and Web Annotations) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3azwq652.default\extensions\{fc2b8f80-d9a5-4f51-8076-7c7ce3c67ee3}(2)
[2011/03/29 21:54:06 | 000,000,000 | ---D | M] (Diigo Toolbar) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3azwq652.default\extensions\{fc2b8f80-d9a5-4f51-8076-7c7ce3c67ee3}(3)
[2010/09/12 21:16:45 | 000,000,000 | ---D | M] ("RankChecker") -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3azwq652.default\extensions\rankchecker@seobook(2).com
[2011/03/29 21:53:14 | 000,000,000 | ---D | M] ("RankChecker") -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3azwq652.default\extensions\rankchecker@seobook(3).com
[2011/03/29 21:53:14 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3azwq652.default\extensions\rankchecker@seobook.com
[2010/09/12 21:16:46 | 000,000,000 | ---D | M] ("SEO For Firefox") -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3azwq652.default\extensions\seo4firefox@seobook(2).com
[2011/01/18 15:39:59 | 000,000,000 | ---D | M] ("SEO For Firefox") -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3azwq652.default\extensions\seo4firefox@seobook.com
[2010/09/12 21:16:46 | 000,000,000 | ---D | M] ("Seo Toolbar") -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3azwq652.default\extensions\seotoolbar@seobook(2).com
[2010/12/06 10:40:38 | 000,000,000 | ---D | M] ("Seo Toolbar") -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3azwq652.default\extensions\seotoolbar@seobook.com
[2011/04/04 15:58:32 | 000,002,533 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3azwq652.default\searchplugins\diigo--google.xml
[2011/04/05 09:10:57 | 000,012,804 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3azwq652.default\searchplugins\majestic-seo.xml
[2011/04/06 20:13:25 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/06/01 08:20:41 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2011/03/30 07:32:51 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/01/17 22:51:42 | 000,075,208 | ---- | M] (Foxit Software Company) -- C:\Program Files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

O1 HOSTS File: ([2011/04/06 10:25:07 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
O4 - HKLM..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe (Carbonite, Inc.)
O4 - HKLM..\Run: [IObit Security 360] C:\Program Files\IObit\IObit Security 360\IS360tray.exe (IObit)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NA1Messenger] C:\UPS\WSTD\UPSNA1Msgr.exe ()
O4 - HKCU..\Run: [Advanced SystemCare 3] C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe (IObit)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Premier\Components\QBAgent\qbdagent2002.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\UPS WorldShip Messaging Utility.lnk = C:\UPS\WSTD\WSTDMessaging.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\WSTD\wstdPldReminder.exe (UPS)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O15 - HKCU\..Trusted Domains: localhost ([]* in Local intranet)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234891585125 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1234891665265 (MUWebControl Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 66.232.84.3 66.232.84.6
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/07/28 10:13:37 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

========== Files/Folders - Created Within 30 Days ==========

[2011/04/07 17:26:36 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/04/07 17:26:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/04/07 17:26:29 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/04/07 17:26:28 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/04/07 16:57:54 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2011/04/07 16:53:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2011/04/06 14:13:18 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/04/06 10:38:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\tdsskiller
[2011/04/06 10:24:55 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/04/05 18:08:57 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2011/04/04 16:38:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\mail backup
[2011/03/31 09:36:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Carbonite
[2011/03/30 15:14:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\gmer
[2011/03/30 14:23:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\IObit Security 360
[2011/03/30 14:23:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\IObit
[2011/03/29 21:51:59 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent
[2011/03/29 20:30:48 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2011/03/15 20:19:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\ImgBurn

========== Files - Modified Within 30 Days ==========

[2011/04/07 19:19:00 | 000,000,900 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/04/07 19:19:00 | 000,000,896 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/04/07 18:27:37 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/04/07 17:26:38 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/07 17:25:21 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2011/04/07 17:22:36 | 000,000,199 | ---- | M] () -- C:\WINDOWS\wstdUPSWSHIP.INI
[2011/04/07 17:21:32 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/04/07 17:20:39 | 000,000,294 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-2506059724-3432134811-1174848262-500.job
[2011/04/07 17:20:20 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/04/07 17:05:57 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
[2011/04/07 14:18:11 | 000,002,495 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Microsoft Office Excel 2003.lnk
[2011/04/06 17:22:41 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Microsoft Office Word 2003.lnk
[2011/04/06 16:01:30 | 000,879,081 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\SecurityCheck.exe
[2011/04/06 10:36:25 | 001,263,721 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\tdsskiller.zip
[2011/04/06 10:25:07 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/04/05 20:54:09 | 000,088,576 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/04/05 19:13:43 | 028,828,672 | ---- | M] () -- C:\Program Files\Alderspring Ranch Grass Fed Beef Retail.QBW
[2011/04/05 18:09:14 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2011/04/05 12:17:00 | 000,000,302 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-2506059724-3432134811-1174848262-500.job
[2011/04/04 12:59:32 | 000,144,113 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\april4.xps
[2011/03/31 09:36:34 | 000,001,873 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Carbonite InfoCenter.lnk
[2011/03/30 15:13:20 | 000,293,019 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\gmer.zip
[2011/03/30 15:08:10 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Administrator\defogger_reenable
[2011/03/30 14:23:08 | 000,000,733 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\IObit Security 360.lnk
[2011/03/30 03:19:38 | 000,228,000 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/03/30 03:03:21 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/03/29 21:34:00 | 000,016,986 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Restore Report 03-21-1970 08-29-40AM.html
[2011/03/28 14:00:49 | 000,144,874 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\March 28.xps

========== Files Created - No Company Name ==========

[2011/04/07 17:26:38 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/07 17:05:57 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
[2011/04/07 17:05:57 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
[2011/04/06 16:04:22 | 000,000,424 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/04/06 16:01:15 | 000,879,081 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\SecurityCheck.exe
[2011/04/06 10:36:07 | 001,263,721 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\tdsskiller.zip
[2011/04/04 12:59:30 | 000,144,113 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\april4.xps
[2011/03/30 15:13:15 | 000,293,019 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\gmer.zip
[2011/03/30 15:08:10 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\defogger_reenable
[2011/03/30 14:23:08 | 000,000,733 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\IObit Security 360.lnk
[2011/03/30 03:00:47 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2011/03/28 14:00:47 | 000,144,874 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\March 28.xps
[2011/01/24 21:25:29 | 000,040,856 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2011/01/14 15:57:33 | 000,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2010/09/13 12:15:22 | 000,015,880 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/02/02 12:21:52 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\CNMVS4b.DLL
[2010/01/30 17:08:59 | 000,000,199 | ---- | C] () -- C:\WINDOWS\wstdUPSWSHIP.INI
[2010/01/27 21:23:10 | 000,001,515 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/01/27 21:15:31 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT10.DLL
[2010/01/27 21:15:31 | 000,040,129 | ---- | C] () -- C:\WINDOWS\iccsigs.dat
[2010/01/27 21:15:30 | 000,000,150 | ---- | C] () -- C:\WINDOWS\KPCMS.INI
[2010/01/27 19:00:05 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2010/01/16 19:33:20 | 000,088,576 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/13 17:04:44 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/10/28 07:52:08 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\GetHostIP.exe
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
[2009/02/17 10:18:58 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/09/24 16:55:20 | 000,004,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\WinIo.sys
[2006/09/24 16:53:02 | 000,000,798 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/07/28 10:34:06 | 000,126,976 | ---- | C] () -- C:\WINDOWS\System32\e1000msg.dll
[2006/07/28 10:16:22 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2006/07/28 10:10:30 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2006/07/28 03:04:06 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2006/07/28 03:03:01 | 000,228,000 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2005/10/28 19:58:38 | 028,828,672 | ---- | C] () -- C:\Program Files\Alderspring Ranch Grass Fed Beef Retail.QBW
[2004/08/12 06:36:06 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/12 06:36:06 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/12 06:28:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/12 06:26:08 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/12 06:26:07 | 000,463,200 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/12 06:26:06 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/12 06:26:05 | 000,080,260 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/12 06:24:57 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/08/12 06:22:08 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/12 06:22:01 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/12 06:18:55 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/12 06:18:32 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2003/08/30 15:08:52 | 013,621,248 | ---- | C] () -- C:\Program Files\Alderspring Grass Fed Beef.QBW
[2003/04/08 13:41:20 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\nssckbi.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2011/04/02 19:44:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\CoreFTP
[2011/01/14 16:05:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Equestrian Challenge
[2010/01/17 22:51:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Foxit
[2010/02/24 20:00:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Foxit Software
[2010/12/15 19:10:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\GARMIN
[2011/04/05 11:52:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\ImgBurn
[2011/03/30 14:23:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\IObit
[2010/01/14 00:20:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\OpenOffice.org
[2010/01/17 22:57:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Softland
[2010/02/01 19:45:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Windows Live Writer
[2010/05/13 13:23:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Carbonite
[2010/06/19 12:39:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Compass Web Designs LLC
[2010/01/29 21:06:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GARMIN
[2011/03/30 14:23:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IObit
[2010/09/12 21:16:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TGHomeSoft
[2011/01/24 20:39:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/09/13 09:13:33 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
[2011/04/07 17:25:21 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2011/04/07 18:27:37 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

========== Purity Check ==========



========== Custom Scans ==========


< %USERPROFILE%\AppData\Local\Google\Chrome\User Data\*.* /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2011-04-01 05:26:15

< >

< >

< >

< >

< End of report >
