Google Search Hijack And Windows Recovery Virus


This topic is locked
12 replies to this topic

#1 jimbo365

Posted 23 April 2011 - 11:21 AM

Hello,

I am using Windows XP Home.

Really hope you can help with this.

About 2 weeks ago I got a Google search virus that occasionally sent me to a different page than the one I clicked on in the search results.

Yesterday I ran Malwarebytes and the ESET free online scan. ESET found 3 problems that it fixed. Today when starting the computer again I noticed the Google redirect virus was back, and then after about 1 hour I got the fake Windows Recovery virus. This also stopped me accessing Task Manager.

I ran RKill and it stopped the process.


I then ran Malwarebytes and it found 9 problems and fixed them.

But I cannot open Internet Explorer or Firefox (I am typing this from another computer).

I have done everything recommended in the BleepingComputer guide.

Hope you can help as soon as possible.

Thanks so much, James


EDIT - just went to the Task Manager and ended "explorer.exe" as it was using a lot of memory even though not open - this made the computer shut down immediately and it is now rebooting.

Hello,

Really appreciate the help with this, and it would be great if this can be looked at today as I am online all day.

Before I found your forum I ran ComboFix (sorry! as I then read your post saying it should only be done when requested).

I should also point out that at the current time:

I cannot open IE at all.
In Firefox I cannot see some websites - they redirect to licosearch.com (I have reset my hosts file).
I normally like to run the ESET online scanner but cannot get to the site. I am running Hitman Pro and will post the results.

Here are all the logs:

DDS (just run now):

-------------------------------------------
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 2003-11-21 16:52:17
System Uptime: 2011-04-26 14:16:48 (1 hours ago)
.
Motherboard: Dell Computer Corp. | | 02Y832
Processor: Intel® Pentium® 4 CPU 2.66GHz | Microprocessor | 2660/533mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 74 GiB total, 0.818 GiB free.
D: is CDROM ()
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1325: 2011-03-18 16:44:56 - System Checkpoint
RP1326: 2011-03-19 17:44:55 - System Checkpoint
RP1327: 2011-03-20 18:44:55 - System Checkpoint
RP1328: 2011-03-22 08:08:51 - System Checkpoint
RP1329: 2011-03-23 08:44:40 - System Checkpoint
RP1330: 2011-03-24 12:06:41 - System Checkpoint
RP1331: 2011-03-25 14:17:30 - System Checkpoint
RP1332: 2011-03-26 14:44:58 - System Checkpoint
RP1333: 2011-03-28 08:08:40 - System Checkpoint
RP1334: 2011-03-29 08:08:48 - System Checkpoint
RP1335: 2011-03-30 08:44:41 - System Checkpoint
RP1336: 2011-03-31 09:44:43 - System Checkpoint
RP1337: 2011-04-01 14:25:35 - System Checkpoint
RP1338: 2011-04-04 08:08:41 - System Checkpoint
RP1339: 2011-04-05 08:44:46 - System Checkpoint
RP1340: 2011-04-06 14:11:18 - System Checkpoint
RP1341: 2011-04-07 09:58:59 - Installed Compatibility Pack for the 2007 Office system
RP1342: 2011-04-08 13:16:34 - System Checkpoint
RP1343: 2011-04-08 19:01:24 - Software Distribution Service 3.0
RP1344: 2011-04-11 08:09:41 - System Checkpoint
RP1345: 2011-04-13 08:08:50 - System Checkpoint
RP1346: 2011-04-14 08:09:51 - System Checkpoint
RP1347: 2011-04-15 08:10:48 - System Checkpoint
RP1348: 2011-04-15 19:27:34 - Software Distribution Service 3.0
RP1349: 2011-04-18 08:24:34 - System Checkpoint
RP1350: 2011-04-19 08:44:39 - System Checkpoint
RP1351: 2011-04-20 09:44:39 - System Checkpoint
RP1352: 2011-04-21 10:44:37 - System Checkpoint
RP1353: 2011-04-22 10:44:44 - System Checkpoint
RP1354: 2011-04-23 11:44:42 - System Checkpoint
RP1355: 2011-04-23 14:06:14 - Installed HiJackThis
RP1356: 2011-04-23 16:09:47 - Removed Opera 10.61.
RP1357: 2011-04-23 16:10:18 - Installed Opera 11.10.
.
==== Installed Programs ======================
.
1-abc.net Right Click Configurator (Remove only)
123Scan v2.7
Ad-Aware SE Personal
Adobe AIR
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Help Center 2.0
Adobe Photoshop CS2
Adobe Premiere Pro 2.0
Adobe Reader 7.0.5
Adobe Reader Chinese Simplified Fonts
Adobe Stock Photos 1.0
Advanced RealMedia Export Plug-in for Premiere 6.0
AiO Flash Mixer 3.9
Apple Application Support
Apple Software Update
ASIO4ALL
AVIConverter Smart
Avidemux 2.4
Batch It! Pro v3.72a
Betfair Poker
BIMP Lite 1.61
Blaze Media Pro
Blue Squirrel Grab-a-Site
Brother MFC-465CN
bwin Poker (remove only)
CCleaner (remove only)
Cleaner 5 EZ
ClearView
Compatibility Pack for the 2007 Office system
Conexant SmartHSFi V92 56K Speakerphone PCI Modem
CorelDRAW Graphics Suite X4
CorelDRAW Graphics Suite X4 - Capture
CorelDRAW Graphics Suite X4 - Content
CorelDRAW Graphics Suite X4 - Draw
CorelDRAW Graphics Suite X4 - Filters
CorelDRAW Graphics Suite X4 - FontNav
CorelDRAW Graphics SUite X4 - ICA
CorelDRAW Graphics Suite X4 - IPM
CorelDRAW Graphics Suite X4 - Lang EN
CorelDRAW Graphics Suite X4 - PP
CorelDRAW Graphics Suite X4 - VBA
CorelDRAW® Graphics Suite X4
CorelDRAW® Graphics Suite X4 - Windows Shell Extension
Critical Update for Windows Media Player 11 (KB959772)
CuteFTP 8 Home
DAO
DB Viewer 7.2.0661
Dell Solution Center
Directory Printer 3.72
DropFolders
E.M. Youtube Video Download Tool 2.30
EasyCleaner
EPSON BX300F Series Printer Uninstall
ESET Online Scanner v3
ffdshow [rev 2033] [2008-07-05]
FMS
Fotosizer 1.12.0.190
GF Split & Merge 1.0
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
GoToMyPC
GPSoftware Directory Opus
Handbrake 0.9.4
Help and Support Customization
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HTML Shrinker Light
Intel® PRO Network Adapters and Drivers
Intel® PROSet
Java 2 Runtime Environment, SE v1.4.2_10
Java™ 6 Update 4
Java™ 6 Update 5
JGoodies JDiskReport 1.3.0
K-Lite Codec Pack 3.6.5 Standard
Karen's Directory Printer
Macromedia Dreamweaver 4
Macromedia Extension Manager
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Market Samurai
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Basic Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Monkey Merge
Movica
Moyea Flash Video MX Pro Version: 5.0.5.0
Moyea FLV Importer Pro for Adobe Premiere Pro version 2.0.0.0
Mozilla Firefox (3.6.16)
MP3 Player Utilities 5.02
MP4 Converter 3
MPEG Joiner
MPEG Video Wizard
MSN Toolbar
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
My MP4Box GUI 0.5.5.2
Nero - Burning Rom
Netscape (7.2)
NetWaiting
Norton Internet Security
Notepad++
Nuclear Coffee - VideoGet 2.0.2.28 Trial
NVIDIA Windows 2000/XP Display Drivers
OE Extractor 2.08
OpenOffice.org 2.4
Opera 11.10
Orbit Downloader
Outlook Express Attachment Extractor 1.61
Paint Shop Pro 6.02 EVAL
Paint Shop Pro 7
Photo Viewer
QuickTime
RSS Feeds Submit
Samsung ML-4500 Series Driver
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981350)
Security Update for Windows XP (KB982381)
Segoe UI
SEO SpyGlass
SkypeMate
Skype™ 5.1
Smart Defrag 1.10
Sorenson Squeeze 6.0
Sothink FLV Player
SoundSoap SM
Spybot - Search & Destroy
SpywareBlaster v3.5.1
STK02N 2.4
Switch Sound File Converter
Symantec Technical Support Web Controls
Tag&Rename 3.5.6
TextPipe Pro Evaluation 7.7.4
THE Rename 2.1.6
Throttle
Traffic Travis 3.3.10
Turbo Lister 2
Tweak Manager 2.1
Tweak UI
Uninstall Startup Inspector
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
Update for Windows XP (KB980182)
Video to Flash Converter PRO
VideoLAN VLC media player 0.8.6c
Visual Basic for Applications ® Core
Visual Basic for Applications ® Core - English
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
WinSCP 3.7.6
WirelessCamera
WorldCast 4.0
WUSBCamera
XML Paper Specification Shared Components Pack 1.0
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar
Zune Desktop Theme
.
==== Event Viewer Messages From Past Week ========
.
2011-04-26 14:21:32, error: System Error [1003] - Error code 100000d1, parameter1 0000000c, parameter2 00000005, parameter3 00000001, parameter4 f74c84f7.
2011-04-26 14:20:32, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Google Software Updater service to connect.
2011-04-26 14:20:32, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service gusvc with arguments "" in order to run the server: {89DAE4CD-9F17-4980-902A-99BA84A8F5C8}
2011-04-23 19:14:51, error: atapi [11] - The driver detected a controller error on \Device\Ide\IdePort0.
2011-04-23 19:14:14, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
2011-04-23 16:27:34, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: Access is denied.
2011-04-23 15:34:35, error: Disk [11] - The driver detected a controller error on \Device\Harddisk0\D.
2011-04-23 15:31:00, error: Service Control Manager [7001] - The Computer Browser service depends on the Workstation service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
2011-04-23 15:30:48, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IDSxpx86
.
==== End Of File ===========================


COMBOFIX:

ComboFix 11-04-22.03 - Gaby Cove 2011-04-23 18:03:48.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2559.2073 [GMT 1:00]
Running from: c:\documents and settings\Gaby Cove\Start Menu\jmf.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Gaby Cove\g2mdlhlpx.exe
c:\documents and settings\Gaby Cove\Local Settings\Application Data\{A065F24B-5F25-4851-AA51-8E8D0295496B}
c:\documents and settings\Gaby Cove\Local Settings\Application Data\{A065F24B-5F25-4851-AA51-8E8D0295496B}\chrome.manifest
c:\documents and settings\Gaby Cove\Local Settings\Application Data\{A065F24B-5F25-4851-AA51-8E8D0295496B}\chrome\content\_cfg.js
c:\documents and settings\Gaby Cove\Local Settings\Application Data\{A065F24B-5F25-4851-AA51-8E8D0295496B}\chrome\content\overlay.xul
c:\documents and settings\Gaby Cove\Local Settings\Application Data\{A065F24B-5F25-4851-AA51-8E8D0295496B}\install.rdf
c:\documents and settings\Gaby Cove\WINDOWS
c:\windows\.tmp
c:\windows\system32\gotomon.log
c:\windows\system32\restart.exe
c:\windows\system32\skinboxer43.dll
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((( Files Created from 2011-03-23 to 2011-04-23 )))))))))))))))))))))))))))))))
.
.
2011-04-23 14:07 . 2011-04-23 14:07 -------- d-----w- c:\program files\qrjkoiae
2011-04-23 13:06 . 2011-04-23 13:06 557939 ----a-r- c:\documents and settings\Gaby Cove\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-04-21 12:12 . 2011-04-21 12:12 -------- d-----w- c:\program files\ESET
2011-04-15 17:10 . 2011-03-06 13:21 687104 ----a-w- c:\documents and settings\Gaby Cove\Application Data\Microsoft\Internet Explorer\Quick Launch\textcopy.exe
2011-04-15 11:36 . 2011-04-15 11:36 -------- d-----w- c:\documents and settings\Gaby Cove\Local Settings\Application Data\SundryTools.com
2011-04-15 09:45 . 2011-04-15 09:45 -------- d-----w- c:\documents and settings\Gaby Cove\Application Data\Paludour
2011-04-13 15:05 . 2011-04-14 16:18 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-04-13 15:05 . 2011-04-14 16:18 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
2011-04-12 10:34 . 2011-04-12 10:34 -------- d-----w- c:\program files\GF Split & Merge
2011-04-08 15:40 . 2011-04-08 15:41 -------- d-----w- c:\program files\SEO PowerSuite
2011-04-07 08:58 . 2011-04-07 08:58 -------- d-----w- c:\program files\MSECache
2011-03-31 13:12 . 2011-03-31 13:12 -------- d-----w- c:\documents and settings\Gaby Cove\Application Data\MarketSamurai.6E37012E1CBD7F47B14488FCC715944F3EBDCEDC.1
2011-03-31 13:12 . 2011-03-31 13:12 -------- d-----w- c:\program files\Market Samurai
2011-03-31 12:51 . 2011-03-31 12:51 -------- d-----w- c:\documents and settings\Gaby Cove\Application Data\Affilorama
2011-03-31 12:51 . 2011-03-31 12:51 -------- d-----w- c:\program files\Traffic Travis v3
2011-03-30 09:07 . 2011-04-11 06:41 0 ----a-w- c:\windows\Kcobiyuke.bin
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2005-07-21 11:26 . 2005-07-21 11:26 2417464 ----a-w- c:\program files\BIMPLite.exe
2004-12-15 10:40 . 2005-02-06 12:14 203264 ----a-w- c:\program files\HijackThis.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-27 39408]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
"Ffox"="c:\program files\Mozilla Firefox\firefox.exe" [2011-04-14 912344]
"outlookexp"="c:\program files\Outlook Express\msimn.exe" [2004-08-04 60416]
"Directory Opus Desktop Dblclk"="c:\program files\GPSoftware\Directory Opus\dopusrt.exe" [2009-01-20 280048]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-08-18 307200]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-01-26 15026056]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
STK02N 2.4 PNP Monitor.lnk - c:\windows\STK02N\STK02NM.exe [2010-6-29 163840]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{3CF9ECE0-1A9F-11D2-8C73-00C06C2005DE}"= "c:\program files\GPSoftware\Directory Opus\dopuslib.dll" [2009-01-20 714224]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2010-07-26 12:42 15216 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gaby Cove^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Gaby Cove\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 20:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ewido anti-spyware 4.0 guard"=2 (0x2)
"Adobe LM Service"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20:TCP"= 20:TCP:cute
"5910:TCP"= 5910:TCP:vnc5910
.
R0 SymEFA;Symantec Extended File Attributes;c:\windows\SYSTEM32\DRIVERS\NIS\1008000.029\SymEFA.sys [2010-02-03 310320]
R1 bbcap;bbcap;c:\windows\SYSTEM32\DRIVERS\bbcap.sys [2006-10-24 2944]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\SYSTEM32\DRIVERS\NIS\1008000.029\BHDrvx86.sys [2010-02-03 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\SYSTEM32\DRIVERS\NIS\1008000.029\cchpx86.sys [2010-02-03 482432]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe [2010-02-03 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-06-01 102448]
R3 shwMirror;shwMirror;c:\windows\SYSTEM32\DRIVERS\shwMirror.sys [2006-08-23 3584]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100604.004\IDSXpx86.sys [2010-06-09 331640]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-17 135664]
S3 DCamUSBSTK02N;Standard Camera;c:\windows\SYSTEM32\DRIVERS\STK02NW2.sys [2010-06-29 101520]
S3 LHSF_CNX;LHSF_CNX;\??\c:\docume~1\GABYCO~1\LOCALS~1\Temp\LHSF_CNX.sys --> c:\docume~1\GABYCO~1\LOCALS~1\Temp\LHSF_CNX.sys [?]
S3 mr8980;Digital Wireless Camera;c:\windows\SYSTEM32\DRIVERS\mr8980.sys [2009-07-16 105856]
S3 SDTHOOK;SDTHOOK;c:\windows\SYSTEM32\DRIVERS\SDTHOOK.SYS [2008-01-02 44928]
S4 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\SYSTEM32\DRIVERS\PPJoyBus.sys [2004-01-23 13952]
S4 PPortJoystick;Parallel Port Joystick device driver;c:\windows\SYSTEM32\DRIVERS\PPortJoy.sys [2004-01-23 28800]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
2011-04-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-17 10:54]
.
2011-04-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-17 10:54]
.
2011-04-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3272319160-1273012194-2206721117-1007Core.job
- c:\documents and settings\Gaby Cove\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-02 10:04]
.
2011-04-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3272319160-1273012194-2206721117-1007UA.job
- c:\documents and settings\Gaby Cove\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-02 10:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar =
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Add to AMV Convert Tool... - c:\program files\MP3 Player Utilities 4.00\AMVConverter\grab.html
IE: Add to AMV Converter... - c:\program files\MP3 Player Utilities 4.13\AMVConverter\grab.html
IE: Add to Media Manager... - c:\program files\MP3 Player Utilities 4.13\MediaManager\grab.html
IE: AMV convert tool grab multimedia file - c:\program files\MP3 Player Utilities 5.02\AMVConverter\grab.html
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - www.google.co.uk | hxxp://www.paramountzone.com
FF - Ext: Aero Fox: aerofox@virtusdesigns.com - %profile%\extensions\aerofox@virtusdesigns.com
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com
FF - Ext: SQLite Manager: SQLiteManager@mrinalkant.blogspot.com - %profile%\extensions\SQLiteManager@mrinalkant.blogspot.com
FF - Ext: Session Manager: {1280606b-2510-4fe0-97ef-9b5a22eafe30} - %profile%\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: FEBE: {4BBDD651-70CF-4821-84F8-2B918CF89CA3} - %profile%\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}
FF - Ext: Aero Fox XL: {5c8bfb7c-9a54-11dc-8314-0800200c9a66} - %profile%\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}
FF - Ext: gTranslate: {aff87fa2-a58e-4edd-b852-0a20203c1e17} - %profile%\extensions\{aff87fa2-a58e-4edd-b852-0a20203c1e17}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
FF - Ext: Adobe DLM (powered by getPlus®): {CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7} - %profile%\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: TradeManager-Plugin: {4D144BC3-23FB-47de-90C5-63CCB0139CCF} - %profile%\extensions\{4D144BC3-23FB-47de-90C5-63CCB0139CCF}
FF - Ext: Font Finder: fontfinder@bendodson.com - %profile%\extensions\fontfinder@bendodson.com
FF - Ext: Dust-Me Selectors: {3c6e1eed-a07e-4c80-9cf3-66ea0bf40b37} - %profile%\extensions\{3c6e1eed-a07e-4c80-9cf3-66ea0bf40b37}
FF - Ext: Seo Toolbar: seotoolbar@seobook.com - %profile%\extensions\seotoolbar@seobook.com
FF - Ext: SearchStatus: {d57c9ff1-6389-48fc-b770-f78bd89b6e8a} - %profile%\extensions\{d57c9ff1-6389-48fc-b770-f78bd89b6e8a}
FF - Ext: LavaFox V1-Blue: djziggy@gmail.com - %profile%\extensions\djziggy@gmail.com
FF - Ext: Oxygen KDE: {C1F83B1E-D6EE-11DE-B441-1AD556D89593} - %profile%\extensions\{C1F83B1E-D6EE-11DE-B441-1AD556D89593}
FF - Ext: FoxLingo: {ef62e1ce-d2a4-4cdd-b7ec-92b120366b66} - %profile%\extensions\{ef62e1ce-d2a4-4cdd-b7ec-92b120366b66}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Norton Toolbar: {7BA52691-1876-45ce-9EE6-54BCB3B04BBC} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-GoToMeeting - c:\program files\Citrix\GoToMeeting\190\g2mstart.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
AddRemove-Join (Merge, Combine) Multiple (or Two) Text Fil~226F390F_is1 - c:\program files\Join (Merge
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-23 18:18
Windows 5.1.2600 Service Pack 2 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\Gaby Cove\Start Menu\Programs\Startup\vxcibjqs.exe 166768 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):b7,19,b8,4e,15,36,f2,14,ce,dc,a1,ef,76,9c,22,02,4b,88,87,c7,01,
56,6c,38,a5,1d,61,ac,54,a2,04,d9,37,28,50,11,9f,37,4b,ce,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{dd7be4d8-af43-412d-b563-19368b09eefa}]
@Denied: (Full) (Everyone)
"Model"=dword:00000042
"Therad"=dword:0000000a
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(924)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
.
Completion time: 2011-04-23 18:22:15
ComboFix-quarantined-files.txt 2011-04-23 17:21
.
Pre-Run: 974,770,176 bytes free
Post-Run: 2,530,897,920 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - E4646565F752FE15F2B0F0DC4D556C32


Hitman Pro 3 log (just run now):

<Log computer="JAMESPC" scan="Normal" version="3.5.8.119" date="2011-04-26T15:10:31" reboot="yes" timeSpentInSecs="1707" filesProcessed="29445"><Item type="Malware" malwareName="Malware" score="110.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="DrWeb" name=" Win32.Rmnet.7" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\All Users\Application Data\{436FF568-C03A-41B5-B97A-23CADCB7E6C9}\OFFLINE\13FAFF0F\74AD4AE7\lame_enc.dll" hash="92B2787F215566B932F2E1D38F4FDBC46D02E10FD030E9C9F773179984D7A57D" /></Item><Item type="Malware" malwareName="Malware" score="108.0" status="Deleted"><Scanners><Scanner id="DrWeb" name=" Win32.Rmnet.7" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\All Users\Application Data\{436FF568-C03A-41B5-B97A-23CADCB7E6C9}\OFFLINE\1C419080\387EEA1E\IsDRM.dll" hash="16070E9B50F370CCCD21FA135F7E225D9C5BB4BA3D9DFB4676D3FE0467DF44B0" /></Item><Item type="Malware" malwareName="Malware" score="108.0" status="Deleted"><Scanners><Scanner id="DrWeb" name=" Win32.Rmnet.7" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\All Users\Application Data\{436FF568-C03A-41B5-B97A-23CADCB7E6C9}\OFFLINE\1EB8D3D\5D8C36FC\AffCreatorDLL.dll" hash="8A6B32CE8582FF70B15BCFD58F6D207FCE8F65FB7698FF495C33591BB5901762" /></Item><Item type="Malware" malwareName="Malware" score="114.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="DrWeb" name=" Win32.Rmnet.7" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\All Users\Application Data\{436FF568-C03A-41B5-B97A-23CADCB7E6C9}\OFFLINE\1F3C49AE\8FD17A8B\Faac.exe" hash="01FCE49263899FCAA2D9FC20336B99943DDCFC755014ACF6DCF170D85371E737" /></Item><Item type="Malware" malwareName="Malware" score="114.0" 
status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\All Users\Application Data\{436FF568-C03A-41B5-B97A-23CADCB7E6C9}\OFFLINE\46DCAF14\431AE4FA\Lame.exe" hash="6CC1704C5A8A95CF5A5361977228CB3657713AA14A87F40FBEEEEFB46DABEAD7" /></Item><Item type="Malware" malwareName="Malware" score="104.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\All Users\Application Data\{436FF568-C03A-41B5-B97A-23CADCB7E6C9}\OFFLINE\4978668B\BE9F39B8\viscomwave.dll" hash="7DB8C60DDB7FD43B0F5F7C9B5A28699199CAC6188A50B2C13CD3923646D871D2" /></Item><Item type="Malware" malwareName="Malware" score="114.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\All Users\Application Data\{436FF568-C03A-41B5-B97A-23CADCB7E6C9}\OFFLINE\63E85F6B\431AE4FA\OggEnc.exe" hash="47EC9219757D3B479898C1307ADD2AE548B24FA40A03A17A2E15D72ECE1F49DD" /></Item><Item type="Malware" malwareName="Malware" score="104.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="DrWeb" name=" Win32.Rmnet.7" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\All Users\Application Data\{436FF568-C03A-41B5-B97A-23CADCB7E6C9}\OFFLINE\7DC8CFBD\F4168408\Manipulate.dll" hash="E473DA8390A839C0F0FD66BFAC58758C38D6569230F23D83245F4C41C318E9E6" /></Item><Item type="Malware" malwareName="Malware" score="110.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="DrWeb" name=" Win32.Rmnet.7" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\All 
Users\Application Data\{436FF568-C03A-41B5-B97A-23CADCB7E6C9}\OFFLINE\9844C3DB\1D442A03\lame_enc.dll" hash="09E3055AEB246A9B6995AB3978049A3FD833B798E3DC232F1239C4712F4F7978" /></Item><Item type="Malware" malwareName="Malware" score="110.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\All Users\Application Data\{436FF568-C03A-41B5-B97A-23CADCB7E6C9}\OFFLINE\99CA5061\BE9F39B8\lame_enc.dll" hash="E8E7BBF7C9682C0F88EA0C01642AA7CC09DDE42E61EA4684538118DFAAF8577B" /></Item><Item type="Malware" malwareName="Malware" score="104.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="DrWeb" name=" Win32.Rmnet.7" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\All Users\Application Data\{436FF568-C03A-41B5-B97A-23CADCB7E6C9}\OFFLINE\CCE4E3A6\1AD538CD\comLyricGetter.dll" hash="0FB1DF93F82B4ED4E8B42756B5CDDF51EA285F89C1016A5CBE28C84CAD9A0C03" /></Item><Item type="Malware" malwareName="Malware" score="108.0" status="Deleted"><Scanners><Scanner id="DrWeb" name=" Win32.Rmnet.7" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\All Users\Application Data\{436FF568-C03A-41B5-B97A-23CADCB7E6C9}\OFFLINE\D7552C32\B7886AB6\Uncommon.dll" hash="E4D77C5A7D958BD2B09D152B073791C97EC4B3B0BFDC33B51C935874221E3767" /></Item><Item type="Malware" malwareName="Malware" score="110.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\All Users\Application Data\{436FF568-C03A-41B5-B97A-23CADCB7E6C9}\OFFLINE\D97BCDE2\BE9F39B8\viscomgifenc.dll" hash="3E2E7BB73AA39400EB96A8F31DC6D57227F3C24874B9447801DFC0ACB46FECE5" /></Item><Item type="Malware" malwareName="Malware" score="112.0" 
status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\All Users\Application Data\{436FF568-C03A-41B5-B97A-23CADCB7E6C9}\OFFLINE\E27A35DF\5104EFF1\NormalizeDSP.dll" hash="1B2D0AB48FA0D1DB8541CEED4267176C49E305BE9CBE510623BF441A3DC4A4ED" /></Item><Item type="Malware" malwareName="Malware" score="104.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\All Users\Application Data\{436FF568-C03A-41B5-B97A-23CADCB7E6C9}\OFFLINE\EF5CA551\1D442A03\viscomwave.dll" hash="334E5D4D2C644926BCEFE628BCC1BD426316B08EC5310D339AA96E673821F29F" /></Item><Item type="Malware" malwareName="Malware" score="110.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="DrWeb" name=" Win32.Rmnet.7" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\All Users\Application Data\{436FF568-C03A-41B5-B97A-23CADCB7E6C9}\OFFLINE\FF4AF513\1D442A03\viscommpgdecrip.dll" hash="987E75C0F8E5C9A93EC00E5EFC95F2A0C906681C7E141EECF2ADB8FC2025CFD7" /></Item><Item type="Malware" malwareName="Malware" score="104.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="DrWeb" name=" Win32.Rmnet.7" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\All Users\Application Data\{436FF568-C03A-41B5-B97A-23CADCB7E6C9}\WinRun6-SP6\mVB.dll\W95INF32.DLL" hash="10356C1C62F96BBDF35D2AC62504F477CDE4A1F8B4743C8D92B946B30829F097" /></Item><Item type="Malware" malwareName="Malware" score="108.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and 
Settings\DPPI\EZSplit\EZSplit09.exe" hash="79BC8A10B0E51CBBC89A0ACB8D4CE6F2A787610AC5C45A232F6ADA9DA134313F" /></Item><Item type="Malware" malwareName="Malware" score="104.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="Prevx" name="Medium Risk Malware" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\DPPI\EZSplit\EZSplitDel.exe" hash="8213F3204C49681E1B243A6EDD0721950F99896B58AFEEDFE7CF508599F61F73" /></Item><Item type="Malware" malwareName="Malware" score="104.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\DPPI\EZSplit\softtst.dll" hash="781ACE4822BAC616F8751F5B0A03F7F30DA0B99279D02113A58E61C55C4225F5" /></Item><Item type="Malware" malwareName="Malware" score="112.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="DrWeb" name=" Win32.Rmnet.7" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\DPPI\EZSplit\softwrap.dll" hash="6665A3ED955037B352BA8CF600F8B8C6281C44E1EA62F849393DF33DBAA376C6" /></Item><Item type="Malware" malwareName="Malware" score="104.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="DrWeb" name=" Win32.Rmnet.7" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\EZSplitDel.exe" hash="CF8A86702E3B59185F6339ED6FC7D9C2FBF3E1CCC07A964B4A0CF3D73791B83E" /><References><File path="C:\Documents and Settings\All Users\Start Menu\Programs\EZ-Excel Uninstall Programs\Uninstall EZ-Split.lnk" /></References></Item><Item type="Malware" malwareName="Malware" score="117.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="DrWeb" name=" Win32.Rmnet.7" /><Scanner id="Ikarus" 
name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\Gaby Cove\.housecall6.6\getMac.exe" hash="B267C480496A88C4903AE352EEC94F9BB54CC98BA1D99A67EF5366FEF2D809E3" /></Item><Item type="Malware" malwareName="Malware" score="110.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\Gaby Cove\.housecall6.6\jsapi.dll" hash="DD67923C6AD56A71358AAA87E9CAE58345292B957AA11FAE80563037A65CE0EB" /></Item><Item type="Malware" malwareName="Malware" score="114.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="DrWeb" name=" Win32.Rmnet.7" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\Gaby Cove\.housecall6.6\jupdate.dll" hash="38511586EC11CA80C7CC756BE5DC3E48F7D4D7F225C358FCEEECE8B9BFEB62F5" /></Item><Item type="Malware" malwareName="Malware" score="108.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="DrWeb" name=" Win32.Rmnet.7" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\Gaby Cove\Application Data\Affilorama\TrafficTravisv3\temp\ACR4Convert.exe" hash="8E01A8309BEB8C66F4E20955F9AABFEC93FABDA6F9845BE69E7B043CC91C4390" /></Item><Item type="Malware" malwareName="Malware" score="104.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\Gaby Cove\Application Data\EZSplitDel.exe" hash="2E5AA517DAE30F9F53847D398962F3844BD77572584FE2FAD70B89B367B6AED7" /></Item><Item type="Malware" malwareName="Malware" score="106.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and 
Settings\Gaby Cove\Application Data\Real\Update\setup\data\gds\GOOGLE_DESKTOP\gdsapi.dll" hash="085F72E27F25BC63C0AA5000577A5C331BADE7EA28C90B6F316B2E53F0FD13EB" /></Item><Item type="Malware" malwareName="Malware" score="106.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="DrWeb" name=" Win32.Rmnet.7" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\Gaby Cove\Application Data\Real\Update\setup\data\RUP\inst_config\compat.dll" hash="F0F38829FE19726395ECCA50132BC20FB0834BF9A27E8B49BB35292EF80DD237" /></Item><Item type="Malware" malwareName="Malware" score="106.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\Gaby Cove\Application Data\Real\Update\setup\data\RUP\inst_config\fftbapi.dll" hash="D6F8CD8BE05AEA04CD5E016574609F19B65C66E5E2286470654D3D0BDD47D6DD" /></Item><Item type="Malware" malwareName="Malware" score="106.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\Gaby Cove\Application Data\Real\Update\setup\data\RUP\inst_config\gdsapi.dll" hash="23A8EE04082AF6BD23691AFF1D9FC86EAFF838955B9DAAE9F0382494D5A097BE" /></Item><Item type="Repair" score="0.0" status="Deleted"><File path="C:\Documents and Settings\Gaby Cove\Cookies\gaby cove@ad.yieldmanager[2].txt" /></Item><Item type="Repair" score="0.0" status="Deleted"><File path="C:\Documents and Settings\Gaby Cove\Cookies\gaby cove@bs.serving-sys[1].txt" /></Item><Item type="Repair" score="0.0" status="Deleted"><File path="C:\Documents and Settings\Gaby Cove\Cookies\gaby cove@tribalfusion[2].txt" /></Item><Item type="Malware" malwareName="Malware" score="112.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" 
/><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\Gaby Cove\Desktop\Other\Startup.exe" hash="D1F4CCB828656DBEF5C04752DE545EABDC36F283F313CAFE9A0322008BC894B3" /><References><Key path="HKU\S-1-5-21-3272319160-1273012194-2206721117-1007\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Gaby Cove\Desktop\Other\Startup.exe" /></References></Item><Item type="Malware" malwareName="Trojan" score="108.0" status="Deleted"><Scanners><Scanner id="G Data" name="Trojan.Generic.2027303 (Engine-A)" /><Scanner id="Ikarus" name="Trojan-Downloader.Win32.Adload.ay!IK" /></Scanners><File path="C:\Documents and Settings\Gaby Cove\DoctorWeb\Quarantine\kybrd_1.exe" hash="777002BFAF60B83BACA2A677CEDB9C1F4488BF8AD7A931D63814FA3CFA389A6C" /></Item><Item type="Malware" malwareName="Malware" score="104.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="Prevx" name="Medium Risk Malware" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\Gaby Cove\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll" hash="EBC1DB66C04905029E67BF32C9CC7A0A7EDC48EF3EFF09C4C740D300075ADC77" /></Item><Item type="Repair" score="0.0" status="Deleted"><File path="C:\Documents and Settings\Gaby Cove\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:ad.yieldmanager.com" /></Item><Item type="Repair" score="0.0" status="Deleted"><File path="C:\Documents and Settings\Gaby Cove\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:ad.zanox.com" /></Item><Item type="Repair" score="0.0" status="Deleted"><File path="C:\Documents and Settings\Gaby Cove\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:adbrite.com" /></Item><Item type="Repair" score="0.0" status="Deleted"><File path="C:\Documents and Settings\Gaby Cove\Local Settings\Application Data\Google\Chrome\User 
Data\Default\Cookies:adtech.de" /></Item><Item type="Repair" score="0.0" status="Deleted"><File path="C:\Documents and Settings\Gaby Cove\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:atdmt.com" /></Item><Item type="Repair" score="0.0" status="Deleted"><File path="C:\Documents and Settings\Gaby Cove\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:content.yieldmanager.com" /></Item><Item type="Repair" score="0.0" status="Deleted"><File path="C:\Documents and Settings\Gaby Cove\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:media6degrees.com" /></Item><Item type="Repair" score="0.0" status="Deleted"><File path="C:\Documents and Settings\Gaby Cove\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:mm.chitika.net" /></Item><Item type="Repair" score="0.0" status="Deleted"><File path="C:\Documents and Settings\Gaby Cove\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:ru4.com" /></Item><Item type="Repair" score="0.0" status="Deleted"><File path="C:\Documents and Settings\Gaby Cove\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:statcounter.com" /></Item><Item type="Repair" score="0.0" status="Deleted"><File path="C:\Documents and Settings\Gaby Cove\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:track.effiliation.com" /></Item><Item type="Repair" score="0.0" status="Deleted"><File path="C:\Documents and Settings\Gaby Cove\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:tradedoubler.com" /></Item><Item type="Repair" score="0.0" status="Deleted"><File path="C:\Documents and Settings\Gaby Cove\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:tribalfusion.com" /></Item><Item type="Repair" score="0.0" status="Deleted"><File path="C:\Documents and Settings\Gaby Cove\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:www.etracker.de" 
/></Item><Item type="Malware" malwareName="Malware" score="110.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\Gaby Cove\Local Settings\Application Data\mdnslib\AACTAGREADER.EXE" hash="0109DBB41AE2176E304A73223BB6CBBC13598948F21A64A73DFD5FD3BE8E6CAA" /></Item><Item type="Malware" malwareName="Malware" score="114.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="DrWeb" name=" Win32.Rmnet.7" /><Scanner id="Ikarus" name="Trojan-Dropper.Agent!IK" /></Scanners><File path="C:\Documents and Settings\Gaby Cove\Local Settings\Application Data\mdnslib\AP.EXE" hash="6F2F06A9EF1775BCD9C49DA14FDF4E1622511F9E3C055033A48952C03455A808" /></Item><Item type="Malware" malwareName="Malware" score="106.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="DrWeb" name=" Win32.Rmnet.7" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\Gaby Cove\Local Settings\Application Data\mdnslib\GENPUID.EXE" hash="FCA3523446CD5447CE0E13FF080F91AE2BEF3E85686228F4080240AE29762916" /></Item><Item type="Malware" malwareName="Malware" score="110.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="DrWeb" name=" Win32.Rmnet.7" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\Gaby Cove\Local Settings\Application Data\mdnslib\LIBEXPAT.DLL" hash="3E94447C13473A350DB998BD02A606A146EE455470BF84ABA1E3DECEAA557C68" /></Item><Item type="Malware" malwareName="Malware" score="104.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="DrWeb" name=" Win32.Rmnet.7" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\Gaby Cove\Local 
Settings\Application Data\{1A5B87F2-2D79-46CF-B9B6-209E9C84F7A4}\offline\IFGMGCECEOIETCIDCMESLFNSDRFFTF0\NCTVideoCompress.dll" hash="AF4A5B004A11065407CD22F8DD406C6DCD79B9F1417F408BE6E3E054F94CF128" /></Item><Item type="Malware" malwareName="Malware" score="104.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="DrWeb" name=" Win32.Rmnet.7" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\Gaby Cove\Local Settings\Application Data\{1A5B87F2-2D79-46CF-B9B6-209E9C84F7A4}\offline\IFGMGCECEOIETCIDTAFODLINSIFFTF0\NCTVideoTransform.dll" hash="3B8EDD091963E8E254DB6234CE1DF2F66ABBD3CD8E703B2AFCEDDD160B847A3B" /></Item><Item type="Malware" malwareName="Malware" score="104.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="DrWeb" name=" Win32.Rmnet.7" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\Gaby Cove\Local Settings\Application Data\{1A5B87F2-2D79-46CF-B9B6-209E9C84F7A4}\offline\IFGMGCECEOIETCUITMILLFNSDRFFTF0\NCTQuickTimeFile.dll" hash="85B69602B0B0559137EBD6D2672A17804B2081A4043AD7FFE393A85E57B0D664" /></Item><Item type="Malware" malwareName="Malware" score="104.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="DrWeb" name=" Win32.Rmnet.7" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\Gaby Cove\Local Settings\Application Data\{1A5B87F2-2D79-46CF-B9B6-209E9C84F7A4}\offline\IFGMGCECEOUIEDTCIDCRDLWNSDFFTT0\NCTVideoCoreM.dll" hash="B6EB96276A5DC5C02151E5EFAD149E941B5705DE6DBDED1BA0A9FF48937D9FF9" /></Item><Item type="Malware" malwareName="Malware" score="104.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\Gaby Cove\Local 
Settings\Application Data\{1A5B87F2-2D79-46CF-B9B6-209E9C84F7A4}\offline\IFGMGCECEOUIEDTCIDFLLLISDIFFTF0\NCTVideoFile.dll" hash="3170537309AA115BA0BBD8958187409440C8C25A38440890D8F60229FAD78B50" /></Item><Item type="Malware" malwareName="Malware" score="104.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\Gaby Cove\Local Settings\Application Data\{1A5B87F2-2D79-46CF-B9B6-209E9C84F7A4}\offline\IFGMGCECVEOUIEDTCMVLDFWSSRFFTF0\NCTWMVFile.dll" hash="FA06BC0792DA969A6B536AC50A6705CB71ADE64E73A167127AD97FBE12936B79" /></Item><Item type="Malware" malwareName="Malware" score="115.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="DrWeb" name=" Win32.Rmnet.7" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\Gaby Cove\Local Settings\Application Data\{1A5B87F2-2D79-46CF-B9B6-209E9C84F7A4}\offline\IFGMGCEMXDBRNGKIMSCSXEISDIFFFF0\NMSAccess.exe" hash="F16E519E6FEF5CA9ACFAC648B8B5D6584602BC5B31BC8C55AF64B7F74B4A047A" /></Item><Item type="Malware" malwareName="Malware" score="110.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\Gaby Cove\Local Settings\Application Data\{1A5B87F2-2D79-46CF-B9B6-209E9C84F7A4}\offline\IFGMGCVECAIOUIRESLEEDLINSIFFFF0\lame_enc.dll" hash="9CA9BC11E1F80A4FA6261F72F40C97F74708D485A3EB3F97FF02EC18D898EB73" /></Item><Item type="Malware" malwareName="Malware" score="108.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="DrWeb" name=" Win32.Rmnet.7" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\Gaby Cove\Local Settings\Application 
Data\{1A5B87F2-2D79-46CF-B9B6-209E9C84F7A4}\offline\IFGMMGCVERPTEEFECCIRMLTGEIFFFF0\IsDRM.dll" hash="F65B4A8B661D2136B16798EF0A148DD94BDC78D4D1F2461F49BD2091B9D78F5C" /></Item><Item type="Malware" malwareName="Malware" score="114.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="DrWeb" name=" Win32.Rmnet.7" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\Gaby Cove\Local Settings\Application Data\{1A5B87F2-2D79-46CF-B9B6-209E9C84F7A4}\offline\IFIDOSSSTM3OGENEXFWNSSDRFFFFFF0\OggEnc.exe" hash="1439A34B01AAE5657A68DDA333A6C3E252679AA27B9E5FCF4954F25651182D7D" /></Item><Item type="Malware" malwareName="Malware" score="108.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\Gaby Cove\Local Settings\Application Data\{1A5B87F2-2D79-46CF-B9B6-209E9C84F7A4}\offline\IFMIOLFIREAITCTAFLBFAOLLGEFFFF0\AffCreatorDLL.dll" hash="C9741B07C21D713CC6F4B0AE37EDF48B20575D9B52828A2484B24E03DD12C31F" /></Item><Item type="Malware" malwareName="Malware" score="104.0" status="Deleted"><Scanners><Scanner id="DrWeb" name=" Win32.Rmnet.7" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\Gaby Cove\Local Settings\Application Data\{1A5B87F2-2D79-46CF-B9B6-209E9C84F7A4}\offline\IFRGMMGCVEIEDIRAPUTDFWSSRFFTFF0\Manipulate.dll" hash="2B735D87E4830C6266CD36739CE899214AB882E5A75DE25088B63D606FCF4784" /></Item><Item type="Malware" malwareName="Malware" score="108.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="DrWeb" name=" Win32.Rmnet.7" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\Gaby Cove\Local Settings\Application 
Data\{1A5B87F2-2D79-46CF-B9B6-209E9C84F7A4}\offline\IFRGMMGCVENOONAOUNMOLLISDIFFFF0\Uncommon.dll" hash="BEB91B2D563DB88E4155D714E81D7F8BE93645B4294BDAE588CBC6253BB533B5" /></Item><Item type="Malware" malwareName="Malware" score="114.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="DrWeb" name=" Win32.Rmnet.7" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\Gaby Cove\Local Settings\Application Data\{1A5B87F2-2D79-46CF-B9B6-209E9C84F7A4}\offline\IFRGMMGCVEV2KLENLLTAGEDIFFFFFF0\lame_enc.dll" hash="16A79AA11E6B674667A256558E1BCD17B3A71FDF5778A932034137C2BD4E790D" /></Item><Item type="Malware" malwareName="Malware" score="104.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\Gaby Cove\Local Settings\Application Data\{1A5B87F2-2D79-46CF-B9B6-209E9C84F7A4}\offline\IFRGMMGCVEYICOYIETRLWIYDFFFFFF0\comLyricGetter.dll" hash="C0643D1E9BC9077506D71DC154F71788F9911C3307F3542FC2F905B7ABEBD970" /></Item><Item type="Malware" malwareName="Malware" score="114.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="DrWeb" name=" Win32.Rmnet.7" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\Gaby Cove\Local Settings\Application Data\{1A5B87F2-2D79-46CF-B9B6-209E9C84F7A4}\offline\IFWIDOSSSTM3LAEEEFINYSIRFFFFFF0\Lame.exe" hash="DB2C8B91399555E9726E03CAA7BB04D61B5C39117443526C09F56B5D659BA64B" /></Item><Item type="Malware" malwareName="Malware" score="116.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\Gaby Cove\My Documents\Norton_Removal_Tool.exe" 
hash="084DF2C81DD4AEE0F4D3A3847468981FE792F4269A787B322A0FF3239AA9782F" /></Item><Item type="Malware" malwareName="Malware" score="110.0" status="Deleted"><Scanners><Scanner id="G Data" name="Win32.Ramnit.N (Engine-A)" /><Scanner id="DrWeb" name=" Win32.Rmnet.7" /><Scanner id="Ikarus" name="Virus.Win32.Nimnul!IK" /></Scanners><File path="C:\Documents and Settings\Gaby Cove\Start Menu\gmer.exe" hash="530685DEA4D44B737B9384B84695DADE3BE5A60E3373C2AAA0F77DAB714FA775" /><References><Key path="HKU\S-1-5-21-3272319160-1273012194-2206721117-1007\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Gaby Cove\Start Menu\gmer.exe" /></References></Item><Item type="Malware" malwareName="Malware" score="140.0" status="PendingDelete"><Scanners><Scanner id="G Data" name="Win32:Downloader-GTJ [Trj] (Engine-B)" /><Scanner id="Prevx" name="Medium Risk Malware" /><Scanner id="DrWeb" name="Trojan.DownLoader2.40670" /></Scanners><File path="C:\Documents and Settings\Gaby Cove\Start Menu\Programs\Startup\vxcibjqs.exe" hash="D808CEA19FA170D3CF73C4D877B7FEF0B3C20ADDEA83E53A94E7F4DF3FCC7D1E" /><Startup><File path="C:\Documents and Settings\Gaby Cove\Start Menu\Programs\Startup\vxcibjqs.exe" /></Startup><References><Key path="HKU\S-1-5-21-3272319160-1273012194-2206721117-1007\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Gaby Cove\Start Menu\Programs\Startup\vxcibjqs.exe" /></References></Item><Item type="Malware" malwareName="Malware" score="143.0" status="PendingDelete"><Scanners><Scanner id="G Data" name="Win32:Downloader-GTJ [Trj] (Engine-B)" /><Scanner id="Prevx" name="Medium Risk Malware" /><Scanner id="DrWeb" name="Trojan.DownLoader2.40670" /></Scanners><File path="C:\Program Files\qrjkoiae\vxcibjqs.exe" hash="D808CEA19FA170D3CF73C4D877B7FEF0B3C20ADDEA83E53A94E7F4DF3FCC7D1E" /><Startup><Key path="HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit" /></Startup></Item></Log>

--------------------------------------------

Combofix log: (run 2 days ago):

ComboFix 11-04-22.03 - Gaby Cove 2011-04-23 18:03:48.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2559.2073 [GMT 1:00]
Running from: c:\documents and settings\Gaby Cove\Start Menu\jmf.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Gaby Cove\g2mdlhlpx.exe
c:\documents and settings\Gaby Cove\Local Settings\Application Data\{A065F24B-5F25-4851-AA51-8E8D0295496B}
c:\documents and settings\Gaby Cove\Local Settings\Application Data\{A065F24B-5F25-4851-AA51-8E8D0295496B}\chrome.manifest
c:\documents and settings\Gaby Cove\Local Settings\Application Data\{A065F24B-5F25-4851-AA51-8E8D0295496B}\chrome\content\_cfg.js
c:\documents and settings\Gaby Cove\Local Settings\Application Data\{A065F24B-5F25-4851-AA51-8E8D0295496B}\chrome\content\overlay.xul
c:\documents and settings\Gaby Cove\Local Settings\Application Data\{A065F24B-5F25-4851-AA51-8E8D0295496B}\install.rdf
c:\documents and settings\Gaby Cove\WINDOWS
c:\windows\.tmp
c:\windows\system32\gotomon.log
c:\windows\system32\restart.exe
c:\windows\system32\skinboxer43.dll
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((( Files Created from 2011-03-23 to 2011-04-23 )))))))))))))))))))))))))))))))
.
.
2011-04-23 14:07 . 2011-04-23 14:07 -------- d-----w- c:\program files\qrjkoiae
2011-04-23 13:06 . 2011-04-23 13:06 557939 ----a-r- c:\documents and settings\Gaby Cove\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-04-21 12:12 . 2011-04-21 12:12 -------- d-----w- c:\program files\ESET
2011-04-15 17:10 . 2011-03-06 13:21 687104 ----a-w- c:\documents and settings\Gaby Cove\Application Data\Microsoft\Internet Explorer\Quick Launch\textcopy.exe
2011-04-15 11:36 . 2011-04-15 11:36 -------- d-----w- c:\documents and settings\Gaby Cove\Local Settings\Application Data\SundryTools.com
2011-04-15 09:45 . 2011-04-15 09:45 -------- d-----w- c:\documents and settings\Gaby Cove\Application Data\Paludour
2011-04-13 15:05 . 2011-04-14 16:18 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-04-13 15:05 . 2011-04-14 16:18 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
2011-04-12 10:34 . 2011-04-12 10:34 -------- d-----w- c:\program files\GF Split & Merge
2011-04-08 15:40 . 2011-04-08 15:41 -------- d-----w- c:\program files\SEO PowerSuite
2011-04-07 08:58 . 2011-04-07 08:58 -------- d-----w- c:\program files\MSECache
2011-03-31 13:12 . 2011-03-31 13:12 -------- d-----w- c:\documents and settings\Gaby Cove\Application Data\MarketSamurai.6E37012E1CBD7F47B14488FCC715944F3EBDCEDC.1
2011-03-31 13:12 . 2011-03-31 13:12 -------- d-----w- c:\program files\Market Samurai
2011-03-31 12:51 . 2011-03-31 12:51 -------- d-----w- c:\documents and settings\Gaby Cove\Application Data\Affilorama
2011-03-31 12:51 . 2011-03-31 12:51 -------- d-----w- c:\program files\Traffic Travis v3
2011-03-30 09:07 . 2011-04-11 06:41 0 ----a-w- c:\windows\Kcobiyuke.bin
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2005-07-21 11:26 . 2005-07-21 11:26 2417464 ----a-w- c:\program files\BIMPLite.exe
2004-12-15 10:40 . 2005-02-06 12:14 203264 ----a-w- c:\program files\HijackThis.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-27 39408]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
"Ffox"="c:\program files\Mozilla Firefox\firefox.exe" [2011-04-14 912344]
"outlookexp"="c:\program files\Outlook Express\msimn.exe" [2004-08-04 60416]
"Directory Opus Desktop Dblclk"="c:\program files\GPSoftware\Directory Opus\dopusrt.exe" [2009-01-20 280048]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-08-18 307200]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-01-26 15026056]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
STK02N 2.4 PNP Monitor.lnk - c:\windows\STK02N\STK02NM.exe [2010-6-29 163840]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{3CF9ECE0-1A9F-11D2-8C73-00C06C2005DE}"= "c:\program files\GPSoftware\Directory Opus\dopuslib.dll" [2009-01-20 714224]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2010-07-26 12:42 15216 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gaby Cove^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Gaby Cove\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 20:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ewido anti-spyware 4.0 guard"=2 (0x2)
"Adobe LM Service"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20:TCP"= 20:TCP:cute
"5910:TCP"= 5910:TCP:vnc5910
.
R0 SymEFA;Symantec Extended File Attributes;c:\windows\SYSTEM32\DRIVERS\NIS\1008000.029\SymEFA.sys [2010-02-03 310320]
R1 bbcap;bbcap;c:\windows\SYSTEM32\DRIVERS\bbcap.sys [2006-10-24 2944]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\SYSTEM32\DRIVERS\NIS\1008000.029\BHDrvx86.sys [2010-02-03 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\SYSTEM32\DRIVERS\NIS\1008000.029\cchpx86.sys [2010-02-03 482432]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe [2010-02-03 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-06-01 102448]
R3 shwMirror;shwMirror;c:\windows\SYSTEM32\DRIVERS\shwMirror.sys [2006-08-23 3584]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100604.004\IDSXpx86.sys [2010-06-09 331640]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-17 135664]
S3 DCamUSBSTK02N;Standard Camera;c:\windows\SYSTEM32\DRIVERS\STK02NW2.sys [2010-06-29 101520]
S3 LHSF_CNX;LHSF_CNX;\??\c:\docume~1\GABYCO~1\LOCALS~1\Temp\LHSF_CNX.sys --> c:\docume~1\GABYCO~1\LOCALS~1\Temp\LHSF_CNX.sys [?]
S3 mr8980;Digital Wireless Camera;c:\windows\SYSTEM32\DRIVERS\mr8980.sys [2009-07-16 105856]
S3 SDTHOOK;SDTHOOK;c:\windows\SYSTEM32\DRIVERS\SDTHOOK.SYS [2008-01-02 44928]
S4 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\SYSTEM32\DRIVERS\PPJoyBus.sys [2004-01-23 13952]
S4 PPortJoystick;Parallel Port Joystick device driver;c:\windows\SYSTEM32\DRIVERS\PPortJoy.sys [2004-01-23 28800]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
2011-04-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-17 10:54]
.
2011-04-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-17 10:54]
.
2011-04-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3272319160-1273012194-2206721117-1007Core.job
- c:\documents and settings\Gaby Cove\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-02 10:04]
.
2011-04-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3272319160-1273012194-2206721117-1007UA.job
- c:\documents and settings\Gaby Cove\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-02 10:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar =
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Add to AMV Convert Tool... - c:\program files\MP3 Player Utilities 4.00\AMVConverter\grab.html
IE: Add to AMV Converter... - c:\program files\MP3 Player Utilities 4.13\AMVConverter\grab.html
IE: Add to Media Manager... - c:\program files\MP3 Player Utilities 4.13\MediaManager\grab.html
IE: AMV convert tool grab multimedia file - c:\program files\MP3 Player Utilities 5.02\AMVConverter\grab.html
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - www.google.co.uk | hxxp://www.paramountzone.com
FF - Ext: Aero Fox: aerofox@virtusdesigns.com - %profile%\extensions\aerofox@virtusdesigns.com
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com
FF - Ext: SQLite Manager: SQLiteManager@mrinalkant.blogspot.com - %profile%\extensions\SQLiteManager@mrinalkant.blogspot.com
FF - Ext: Session Manager: {1280606b-2510-4fe0-97ef-9b5a22eafe30} - %profile%\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: FEBE: {4BBDD651-70CF-4821-84F8-2B918CF89CA3} - %profile%\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}
FF - Ext: Aero Fox XL: {5c8bfb7c-9a54-11dc-8314-0800200c9a66} - %profile%\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}
FF - Ext: gTranslate: {aff87fa2-a58e-4edd-b852-0a20203c1e17} - %profile%\extensions\{aff87fa2-a58e-4edd-b852-0a20203c1e17}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
FF - Ext: Adobe DLM (powered by getPlus®): {CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7} - %profile%\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: TradeManager-Plugin: {4D144BC3-23FB-47de-90C5-63CCB0139CCF} - %profile%\extensions\{4D144BC3-23FB-47de-90C5-63CCB0139CCF}
FF - Ext: Font Finder: fontfinder@bendodson.com - %profile%\extensions\fontfinder@bendodson.com
FF - Ext: Dust-Me Selectors: {3c6e1eed-a07e-4c80-9cf3-66ea0bf40b37} - %profile%\extensions\{3c6e1eed-a07e-4c80-9cf3-66ea0bf40b37}
FF - Ext: Seo Toolbar: seotoolbar@seobook.com - %profile%\extensions\seotoolbar@seobook.com
FF - Ext: SearchStatus: {d57c9ff1-6389-48fc-b770-f78bd89b6e8a} - %profile%\extensions\{d57c9ff1-6389-48fc-b770-f78bd89b6e8a}
FF - Ext: LavaFox V1-Blue: djziggy@gmail.com - %profile%\extensions\djziggy@gmail.com
FF - Ext: Oxygen KDE: {C1F83B1E-D6EE-11DE-B441-1AD556D89593} - %profile%\extensions\{C1F83B1E-D6EE-11DE-B441-1AD556D89593}
FF - Ext: FoxLingo: {ef62e1ce-d2a4-4cdd-b7ec-92b120366b66} - %profile%\extensions\{ef62e1ce-d2a4-4cdd-b7ec-92b120366b66}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Norton Toolbar: {7BA52691-1876-45ce-9EE6-54BCB3B04BBC} - c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-GoToMeeting - c:\program files\Citrix\GoToMeeting\190\g2mstart.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
AddRemove-Join (Merge, Combine) Multiple (or Two) Text Fil~226F390F_is1 - c:\program files\Join (Merge
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-23 18:18
Windows 5.1.2600 Service Pack 2 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\Gaby Cove\Start Menu\Programs\Startup\vxcibjqs.exe 166768 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):b7,19,b8,4e,15,36,f2,14,ce,dc,a1,ef,76,9c,22,02,4b,88,87,c7,01,
56,6c,38,a5,1d,61,ac,54,a2,04,d9,37,28,50,11,9f,37,4b,ce,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{dd7be4d8-af43-412d-b563-19368b09eefa}]
@Denied: (Full) (Everyone)
"Model"=dword:00000042
"Therad"=dword:0000000a
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(924)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
.
Completion time: 2011-04-23 18:22:15
ComboFix-quarantined-files.txt 2011-04-23 17:21
.
Pre-Run: 974,770,176 bytes free
Post-Run: 2,530,897,920 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - E4646565F752FE15F2B0F0DC4D556C32

---------------------------------------------------------------------

GMER scan is just finishing so will post in a few mins.

Thanks, James

GMER scan was just about to finish, and I tried to open Google Chrome to see if that would work.

Got the Windows blue screen immediately and the computer has restarted.

I ran the hitman 3 virus program and it detected many problems and after scanning it deleted a file on reboot. I then scanned again with hitman 3, and it found no problems. I can now also open IE fine, and the search results redirect problem seems to have gone.

But...

I am just running the ESET online scan and it has so far found 176 infections - almost all of them are Win32/Ramnit.A virus

After this finishes I will run combofix again and post results.

Once I get a reply from you telling me what to do I will just follow your instructions and not do anything else in between.

Thanks so much.

Merged 4 posts. ~ OB

Edited by Orange Blossom, 27 April 2011 - 12:07 AM.



#2 myrti (Sillyberry)

  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home

Posted 01 May 2011 - 08:38 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.
If you are unable to create a log because your computer cannot start up successfully please provide detailed information about the Windows version you are using: What we in particular need to know is version, edition and if it is a 32-bit or a 64-bit system.
If you are unsure about any of these characteristics, just let us know and we'll help you figure it out. Please also tell us if you have your Windows CD/DVD handy.


Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • In the custom scan box paste the following:
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    wininit.exe
    hlp.dat
    /md5stop
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#3 jimbo365 (Topic Starter)

  • Members
  • 9 posts

Posted 02 May 2011 - 12:01 PM

Hello Myrti,

Thanks for helping with this issue - much appreciated.

I will be online 9am-5pm GMT (London time) every day this week so can get back to you quickly with responses.

I have run Eset full scan twice now and found nothing. Also ran malwarebytes, and found nothing. PC seems to be operating normally, but I do want to be sure the Ramnit virus has gone as well as any other nasty stuff :)

My PC is XP service pack 3 (just installed updates) - 32 bit.

Here is the OTL output you requested:

OTL Extras logfile created on: 2011-05-02 17:40:51 - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\_AA PZ\Dlds
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: yyyy-MM-dd

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 64.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): C:\pagefile.sys 1700 2500 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.45 Gb Total Space | 10.55 Gb Free Space | 14.16% Space Free | Partition Type: NTFS

Computer Name: JAMESPC | User Name: Gaby Cove | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_USERS\S-1-5-21-3272319160-1273012194-2206721117-1007\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [THE Rename] -- "C:\Program Files\THE Rename\rename.exe" "%1" (Hervé Thouzard)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 1
"DoNotAllowExceptions" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"20:TCP" = 20:TCP:*:Enabled:cute
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"5910:TCP" = 5910:TCP:*:Enabled:vnc5910

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server -- (Yahoo! Inc.)
"C:\Program Files\Orbitdownloader\orbitdm.exe" = C:\Program Files\Orbitdownloader\orbitdm.exe:*:Enabled:Orbit -- (Orbitdownloader.com)
"C:\Program Files\Orbitdownloader\orbitnet.exe" = C:\Program Files\Orbitdownloader\orbitnet.exe:*:Enabled:Orbit -- (Orbitdownloader.com)
"C:\Program Files\Opera\opera.exe" = C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser -- (Opera Software)
"C:\Documents and Settings\Gaby Cove\Local Settings\temp\7zSA95.tmp\SymNRT.exe" = C:\Documents and Settings\Gaby Cove\Local Settings\temp\7zSA95.tmp\SymNRT.exe:*:Enabled:Norton Removal Tool -- (Symantec Corporation)
"C:\Documents and Settings\Gaby Cove\Local Settings\temp\7zSBB7.tmp\SymNRT.exe" = C:\Documents and Settings\Gaby Cove\Local Settings\temp\7zSBB7.tmp\SymNRT.exe:*:Enabled:Norton Removal Tool
"C:\Documents and Settings\Gaby Cove\Local Settings\temp\7zSBB8.tmp\SymNRT.exe" = C:\Documents and Settings\Gaby Cove\Local Settings\temp\7zSBB8.tmp\SymNRT.exe:*:Enabled:Norton Removal Tool
"C:\Documents and Settings\Gaby Cove\Local Settings\temp\7zSBB9.tmp\SymNRT.exe" = C:\Documents and Settings\Gaby Cove\Local Settings\temp\7zSBB9.tmp\SymNRT.exe:*:Enabled:Norton Removal Tool
"C:\Documents and Settings\Gaby Cove\Local Settings\temp\7zS7E.tmp\SymNRT.exe" = C:\Documents and Settings\Gaby Cove\Local Settings\temp\7zS7E.tmp\SymNRT.exe:*:Enabled:Norton Removal Tool


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"_{7F05E704-30A6-421A-97A7-8EEB1C7FF010}" = CorelDRAW® Graphics Suite X4
"_{CE2DA11A-917F-4CF5-AB55-755EC115DD10}" = CorelDRAW® Graphics Suite X4 - Windows Shell Extension
"{11F1920A-56A2-4642-B6E0-3B31A12C9288}" = Dell Solution Center
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1990D39B-CB35-48B1-9C7B-C3433F794DB2}" = WUSBCamera
"{1BD07DF4-FB06-41BA-B896-B2DA59000C96}" = Windows Live Toolbar
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"{25EEBED4-8CA8-412D-9B5E-690359EEE630}" = SoundSoap SM
"{26A24AE4-039D-4CA4-87B4-2F83216024FF}" = Java™ 6 Update 24
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{2CD2C0DB-81C3-416B-9FA6-589B9235359B}" = OpenOffice.org 2.4
"{2E662CAE-E856-4BFA-854C-727ED4271139}" = ClearView
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{3248F0A8-6813-11D6-A77B-00B0D0160040}" = Java™ 6 Update 4
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{44A27085-0616-4181-A0C3-81C7ECA17F73}" = CorelDRAW Graphics Suite X4
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5335DADB-34BA-4AE8-A519-648D78498846}" = Skype™ 5.3
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{556DF27F-5B74-11D5-B876-004005E12EF1}" = GPSoftware Directory Opus
"{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3
"{58F4D4FD-1814-4068-B316-C28FC776C6DD}" = GoToMyPC
"{64116298-93C5-401D-B06C-39D8E3338508}" = DAO
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{68ED7C7F-6F0A-4467-81F3-FA5899A15D16}_is1" = Moyea Flash Video MX Pro Version: 5.0.5.0
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7148F0A8-6813-11D6-A77B-00B0D0142100}" = Java 2 Runtime Environment, SE v1.4.2_10
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7724A8E6-DA58-425B-A0CF-826164602798}" = 123Scan v2.7
"{786C5747-1033-0000-B58E-000000000001}" = Adobe Stock Photos 1.0
"{786C5747-1437-443D-B06E-79A00FE45110}" = Adobe Stock Photos 1.0
"{7BE99992-1B34-432D-8325-FFC3FF877E9D}" = Movica
"{7E20EFE6-E604-48C6-8B39-BA4742F2CDB4}" = Zune Desktop Theme
"{7F05E704-30A6-421A-97A7-8EEB1C7FF010}" = CorelDRAW Graphics SUite X4 - ICA
"{7F05E704-30A6-421A-97A7-8EEB1C7FF012}" = CorelDRAW Graphics Suite X4 - Capture
"{7F05E704-30A6-421A-97A7-8EEB1C7FF013}" = CorelDRAW Graphics Suite X4 - Draw
"{7F05E704-30A6-421A-97A7-8EEB1C7FF014}" = CorelDRAW Graphics Suite X4 - PP
"{7F05E704-30A6-421A-97A7-8EEB1C7FF016}" = CorelDRAW Graphics Suite X4 - Content
"{7F05E704-30A6-421A-97A7-8EEB1C7FF017}" = CorelDRAW Graphics Suite X4 - Filters
"{7F05E704-30A6-421A-97A7-8EEB1C7FF019}" = CorelDRAW Graphics Suite X4 - FontNav
"{7F05E704-30A6-421A-97A7-8EEB1C7FF100}" = CorelDRAW Graphics Suite X4 - Lang EN
"{7F0E4311-D46D-456E-97CC-44F7E331DE66}" = Sorenson Squeeze 6.0
"{8927E07C-97F7-4A54-88FB-D976F50DD46E}" = Turbo Lister 2
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8E5233E1-7495-44FB-8DEB-4BE906D59619}" = Junk Mail filter update
"{8E79F5DD-4A0A-452B-B3F8-0651E4D24854}" = MP3 Player Utilities 5.02
"{8EDBA74D-0686-4C99-BFDD-F894678E5102}" = Adobe Common File Installer
"{8FFC924C-ED06-44CB-8867-3CA778ECE903}" = Adobe Help Center 2.0
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90D55A3F-1D99-4C94-A77E-46DC14F0BF08}" = Help and Support Customization
"{91130409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Basic Edition 2003
"{919D97FB-83D5-40DB-B31F-3803F0B5DBCE}_is1" = My MP4Box GUI 0.5.5.2
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{949DBB22-2FB7-4de1-804C-23D495A988D8}" = CuteFTP 8 Home
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95120000-0122-0409-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
"{977CCCA9-B420-405A-9A4A-2A610F28D10F}" = Opera 11.10
"{9C9CEB9D-53FD-49A7-85D2-FE674F72F24E}" = Microsoft Search Enhancement Pack
"{9D0798D0-AF6C-4E62-94B1-AEBF1A43E00A}" = CorelDRAW Graphics Suite X4 - IPM
"{A0E27BA8-353A-4288-AB60-5DE8EDA18E16}" = Symantec Technical Support Web Controls
"{a0fe116e-9a8a-466f-aee0-625cb7c207e3}" = Microsoft Visual C++ 2005 Redistributable - KB2467175
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A4D7B764-4140-11D4-88EB-0050DA3579C0}" = Nero - Burning Rom
"{A5BA14E0-7384-11D4-BAE7-00409631A2C8}" = Macromedia Extension Manager
"{A66242A1-9101-425D-9BE5-D19A50E1D0D8}" = ESET NOD32 Antivirus
"{A790BEB1-BCCF-4EC6-807B-5708B36E8A79}" = Intel® PROSet
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{ABDA9912-5D00-11D4-BAE7-9367CA097955}" = Macromedia Dreamweaver 4
"{AC76BA86-7AD7-1033-7B44-AA0000000001}" = Adobe Reader X (10.0.1)
"{AC76BA86-7AD7-2447-0000-705000000001}" = Adobe Reader Chinese Simplified Fonts
"{AE3D38A6-13B1-40B3-9423-D1FA9982FB6A}" = Adobe Bridge 1.0
"{AF44F86E-9544-4F7C-AFBE-E007F3EF10A0}" = WirelessCamera
"{AFF7E080-1974-45BF-9310-10DE1A1F5ED0}" = Adobe AIR
"{B10914FD-8812-47A4-85A1-50FCDE7F1F33}" = Windows Live Sync
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger
"{B61D21B6-469D-4423-B161-62DB20B8A70E}" = Visual Basic for Applications ® Core - English
"{B8A3B90C-9FD3-484E-B81E-0F3EC4EEEBB9}" = WirelessCamera
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{BF439B41-0252-48DE-8B8B-0430CB26A181}" = CorelDRAW Graphics Suite X4 - VBA
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C8C8387B-A98B-44E8-807A-1A9B7F51FFDA}" = Blaze Media Pro
"{CAAB0192-5704-469F-A0BE-2D842D70E93B}_is1" = Sothink FLV Player
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE2DA11A-917F-4CF5-AB55-755EC115DD10}" = CorelDRAW® Graphics Suite X4 - Windows Shell Extension
"{D4A6F05B-D32D-4EA3-B288-05894E803225}" = Betfair Poker
"{D5C83EAC-E45B-45FE-9CA8-90EB5217F12B}" = Brother MFC-465CN
"{D6DE02C7-1F47-11D4-9515-00105AE4B89A}" = Paint Shop Pro 7
"{D92FF8EB-BD77-40AE-B68B-A6BFC6F8661D}" = Windows Live Family Safety
"{DB81779E-7CC5-4630-BCFC-754004956444}" = Visual Basic for Applications ® Core
"{DE114695-AE58-4B66-8E0F-2505188602FB}_is1" = Uninstall Startup Inspector
"{E42E07F5-5A90-4BA9-B55A-79FCF9EAF9B5}" = STK02N 2.4
"{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call
"{E7033AD8-90C8-09D8-B019-6EC712958B8F}" = DropFolders
"{E98B3130-804A-DAD8-E83C-3733DFB0B3AF}" = Market Samurai
"{EE39FFBD-544E-49E4-A999-6819828EAE91}" = Windows Live Photo Gallery
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F5346614-B7C4-4E94-826A-E2363155233D}" = EasyCleaner
"{F6B2ED65-7378-4065-802D-F2E5689F3A4E}" = Photo Viewer
"{FA17A726-B229-4116-B793-A2AB1A4EAE2E}" = Adobe Premiere Pro 2.0
"{FD8E178D-8B4E-42DA-B434-EFF270329B1C}" = COMODO Internet Security
"1-abc.net Right Click Configurator" = 1-abc.net Right Click Configurator (Remove only)
"ActiveScan 2.0" = Panda ActiveScan 2.0
"Ad-Aware SE Personal" = Ad-Aware SE Personal
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop CS2 - {236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"Adobe Premiere Pro 2.0" = Adobe Premiere Pro 2.0
"AIOFLASHMixer_is1" = AiO Flash Mixer 3.9
"ASIO4ALL" = ASIO4ALL
"AVIConverter" = AVIConverter Smart
"Avidemux 2.4" = Avidemux 2.4
"Batch It! Pro_is1" = Batch It! Pro v3.72a
"BIMPLite" = BIMP Lite 1.61
"Blue Squirrel Grab-a-Site" = Blue Squirrel Grab-a-Site
"bwin" = bwin Poker (remove only)
"CCleaner" = CCleaner
"Cleaner 5 EZ" = Cleaner 5 EZ
"CNXT_MODEM_PCI_VEN_14F1&DEV_2702" = Conexant SmartHSFi V92 56K Speakerphone PCI Modem
"DB Viewer" = DB Viewer 7.2.0661
"Directory Printer_is1" = Directory Printer 3.72
"E.M. Youtube Video Download Tool_is1" = E.M. Youtube Video Download Tool 2.30
"edu.du.ctl.DropFolders" = DropFolders
"EPSON BX300F Series" = EPSON BX300F Series Printer Uninstall
"ESET Online Scanner" = ESET Online Scanner v3
"ffdshow_is1" = ffdshow [rev 2033] [2008-07-05]
"Fotosizer" = Fotosizer 1.12.0.190
"GF Split & Merge_is1" = GF Split & Merge 1.0
"Handbrake" = Handbrake 0.9.4
"HTML Shrinker Light" = HTML Shrinker Light
"ie8" = Windows Internet Explorer 8
"InstallShield_{1990D39B-CB35-48B1-9C7B-C3433F794DB2}" = WUSBCamera
"InstallShield_{7724A8E6-DA58-425B-A0CF-826164602798}" = 123Scan v2.7
"JDiskReport 1.3.0" = JGoodies JDiskReport 1.3.0
"Karen's Directory Printer" = Karen's Directory Printer
"KLiteCodecPack_is1" = K-Lite Codec Pack 3.6.5 Standard
"Macromedia Shockwave Player" = Macromedia Shockwave Player
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MarketSamurai.6E37012E1CBD7F47B14488FCC715944F3EBDCEDC.1" = Market Samurai
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Monkey Merge_is1" = Monkey Merge
"Moyea FLV Importer Pro for Adobe Premiere Pro_is1" = Moyea FLV Importer Pro for Adobe Premiere Pro version 2.0.0.0
"Mozilla Firefox (3.6.17)" = Mozilla Firefox (3.6.17)
"MP4 Converter 3" = MP4 Converter 3
"MPEG Joiner_is1" = MPEG Joiner
"MPEG Video Wizard" = MPEG Video Wizard
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSN Toolbar" = MSN Toolbar
"Netscape (7.2)" = Netscape (7.2)
"Notepad++" = Notepad++
"NVIDIA" = NVIDIA Windows 2000/XP Display Drivers
"OE Extractor_is1" = OE Extractor 2.08
"Orbit_is1" = Orbit Downloader
"Outlook Express Attachment Extractor_is1" = Outlook Express Attachment Extractor 1.61
"Paint Shop Pro 6" = Paint Shop Pro 6.02 EVAL
"PROSet" = Intel® PRO Network Adapters and Drivers
"RNCompiler 6.0" = Advanced RealMedia Export Plug-in for Premiere 6.0
"RSS Feeds Submit_is1" = RSS Feeds Submit
"Samsung ML-4500 Series" = Samsung ML-4500 Series Driver
"seopowersuite" = SEO SpyGlass
"SkypeMate" = SkypeMate
"Smart Defrag 2_is1" = Smart Defrag 2
"Smart Defrag_is1" = Smart Defrag 1.10
"SpywareBlaster_is1" = SpywareBlaster v3.5.1
"Switch" = Switch Sound File Converter
"Tag&Rename_is1" = Tag&Rename 3.5.6
"TextPipe_is1" = TextPipe Pro Evaluation 7.7.4
"THE Rename_is1" = THE Rename 2.1.6
"Throttle_is1" = Throttle
"Traffic Travis_is1" = Traffic Travis 3.3.10
"Tweak Manager_is1" = Tweak Manager 2.1
"Tweak UI 2.10" = Tweak UI
"Video to Flash Converter PRO_is1" = Video to Flash Converter PRO
"VideoGet" = Nuclear Coffee - VideoGet 2.0.2.28 Trial
"VLC media player" = VideoLAN VLC media player 0.8.6c
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"winscp3_is1" = WinSCP 3.7.6
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"WorldCast_is1" = WorldCast 4.0
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Internet Mail" = Yahoo! Internet Mail
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Toolbar" = Yahoo! Toolbar
"YInstHelper" = Yahoo! Install Manager

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3272319160-1273012194-2206721117-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Blaze Media Pro" = Blaze Media Pro

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2011-04-28 05:45:33 | Computer Name = JAMESPC | Source = Application Error | ID = 1000
Description = Faulting application msimn.exe, version 6.0.2900.5512, faulting module
, version 0.0.0.0, fault address 0x00000000.

Error - 2011-04-28 07:00:47 | Computer Name = JAMESPC | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 2011-04-28 07:00:47 | Computer Name = JAMESPC | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 2011-04-28 10:34:54 | Computer Name = JAMESPC | Source = MsiInstaller | ID = 10005
Description = Product: Windows Live Communications Platform -- The installer has
encountered an unexpected error installing this package. This may indicate a problem
with this package. The error code is 2762. The arguments are: , ,

Error - 2011-04-28 10:34:54 | Computer Name = JAMESPC | Source = MsiInstaller | ID = 10005
Description = Product: Windows Live Communications Platform -- The installer has
encountered an unexpected error installing this package. This may indicate a problem
with this package. The error code is 2762. The arguments are: , ,

Error - 2011-05-01 12:06:02 | Computer Name = JAMESPC | Source = Application Error | ID = 1000
Description = Faulting application msimn.exe, version 6.0.2900.5512, faulting module
ntdll.dll, version 5.1.2600.6055, fault address 0x0000100b.

Error - 2011-05-01 15:09:11 | Computer Name = JAMESPC | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.2.4127, faulting module
snapshot.dll, version 1.1.0.2, fault address 0x0001a2ea.

Error - 2011-05-01 15:16:13 | Computer Name = JAMESPC | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.2.4127, faulting module
snapshot.dll, version 1.1.0.2, fault address 0x0001a2ea.

Error - 2011-05-01 15:18:24 | Computer Name = JAMESPC | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.2.4127, faulting module
snapshot.dll, version 1.1.0.2, fault address 0x0001a2ea.

Error - 2011-05-01 15:21:46 | Computer Name = JAMESPC | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module snapshot.dll, version 1.1.0.2, fault address 0x0001a2ea.

[ System Events ]
Error - 2011-04-29 02:45:08 | Computer Name = JAMESPC | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Workstation service which
failed to start because of the following error: %%1058

Error - 2011-04-29 14:32:47 | Computer Name = JAMESPC | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Workstation service which
failed to start because of the following error: %%1058

Error - 2011-04-29 14:32:49 | Computer Name = JAMESPC | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Protexis Licensing V2
service to connect.

Error - 2011-04-29 14:32:49 | Computer Name = JAMESPC | Source = Service Control Manager | ID = 7000
Description = The Protexis Licensing V2 service failed to start due to the following
error: %%1053

Error - 2011-04-29 14:33:31 | Computer Name = JAMESPC | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Workstation service which
failed to start because of the following error: %%1058

Error - 2011-05-01 11:58:33 | Computer Name = JAMESPC | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Workstation service which
failed to start because of the following error: %%1058

Error - 2011-05-01 12:01:41 | Computer Name = JAMESPC | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Workstation service which
failed to start because of the following error: %%1058

Error - 2011-05-01 12:54:03 | Computer Name = JAMESPC | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service SeaPort with
arguments "-Service" in order to run the server: {D6381B4A-D254-46EB-9018-A62E0F4BA6BA}

Error - 2011-05-02 02:42:21 | Computer Name = JAMESPC | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Workstation service which
failed to start because of the following error: %%1058

Error - 2011-05-02 02:44:58 | Computer Name = JAMESPC | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Workstation service which
failed to start because of the following error: %%1058


< End of report >


AND:



OTL logfile created on: 2011-05-02 17:40:51 - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\_AA PZ\Dlds
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: yyyy-MM-dd

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 64.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): C:\pagefile.sys 1700 2500 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.45 Gb Total Space | 10.55 Gb Free Space | 14.16% Space Free | Partition Type: NTFS

Computer Name: JAMESPC | User Name: Gaby Cove | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011-05-01 17:02:55 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011-04-26 18:03:25 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\java.exe
PRC - [2011-04-10 17:29:14 | 001,646,936 | ---- | M] (IObit) -- C:\Program Files\IObit\Smart Defrag 2\SmartDefrag.exe
PRC - [2011-03-06 19:01:58 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\_AA PZ\Dlds\OTL.exe
PRC - [2011-01-17 23:30:46 | 001,803,224 | ---- | M] (COMODO) -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
PRC - [2011-01-17 23:30:16 | 002,548,552 | ---- | M] (COMODO) -- C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
PRC - [2011-01-12 16:41:42 | 000,810,144 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
PRC - [2011-01-12 16:41:24 | 002,219,184 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
PRC - [2010-07-26 13:42:38 | 001,955,696 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2tray.exe
PRC - [2010-07-26 13:42:36 | 000,557,424 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2svc.exe
PRC - [2010-07-26 13:42:34 | 001,466,224 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2printh.exe
PRC - [2010-07-26 13:42:32 | 000,575,344 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2pre.exe
PRC - [2010-07-26 13:42:30 | 001,535,344 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2mainh.exe
PRC - [2010-07-26 13:42:28 | 001,715,568 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2host.exe
PRC - [2010-07-26 13:42:26 | 000,564,592 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2audioh.exe
PRC - [2010-07-26 13:42:24 | 001,089,392 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2comm.exe
PRC - [2009-01-20 13:09:08 | 000,280,048 | ---- | M] (GP Software) -- C:\Program Files\GPSoftware\Directory Opus\dopusrt.exe
PRC - [2009-01-20 13:09:06 | 007,169,520 | ---- | M] (GP Software) -- C:\Program Files\GPSoftware\Directory Opus\dopus.exe
PRC - [2008-04-14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007-07-24 11:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) -- c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
PRC - [2007-03-21 18:50:00 | 000,163,840 | ---- | M] (Syntek Ltd.) -- C:\WINDOWS\STK02N\STK02NM.exe


========== Modules (SafeList) ==========

MOD - [2011-03-06 19:01:58 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\_AA PZ\Dlds\OTL.exe
MOD - [2010-12-29 01:42:04 | 000,285,480 | ---- | M] (COMODO) -- C:\WINDOWS\SYSTEM32\guard32.dll
MOD - [2010-08-23 17:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2009-01-20 13:09:10 | 000,308,720 | ---- | M] (GP Software) -- C:\Program Files\GPSoftware\Directory Opus\dopushlp.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [Disabled | Stopped] -- -- (AppMgmt)
SRV - [2011-01-17 23:30:46 | 001,803,224 | ---- | M] (COMODO) [Auto | Running] -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe -- (cmdAgent)
SRV - [2011-01-12 16:44:02 | 000,033,584 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe -- (EhttpSrv)
SRV - [2011-01-12 16:41:42 | 000,810,144 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe -- (ekrn)
SRV - [2010-07-26 13:42:36 | 000,557,424 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [Auto | Running] -- C:\Program Files\Citrix\GoToMyPC\g2svc.exe -- (GoToMyPC)
SRV - [2007-07-24 11:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) [Auto | Running] -- c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe -- (PSI_SVC_2)
SRV - [2003-03-03 14:33:40 | 000,143,360 | ---- | M] (Intel® Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe -- (NetSvc)
SRV - [2002-10-25 03:17:54 | 000,065,536 | ---- | M] (Kenonic Controls Ltd.) [Disabled | Stopped] -- C:\WINDOWS\System32\Crypserv.exe -- (Crypkey License)


========== Driver Services (SafeList) ==========

DRV - [2011-02-23 17:04:32 | 000,013,496 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\SmartDefragDriver.sys -- (SmartDefragDriver)
DRV - [2011-01-06 17:37:04 | 000,094,784 | ---- | M] (COMODO) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\inspect.sys -- (Inspect)
DRV - [2011-01-06 17:37:04 | 000,027,576 | ---- | M] (COMODO) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\cmdhlp.sys -- (cmdHlp)
DRV - [2011-01-06 17:37:02 | 000,239,368 | ---- | M] (COMODO) [File_System | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\cmdGuard.sys -- (cmdGuard)
DRV - [2010-12-21 15:04:06 | 000,141,264 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\eamon.sys -- (eamon)
DRV - [2010-12-21 15:04:06 | 000,115,008 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ehdrv.sys -- (ehdrv)
DRV - [2010-12-21 13:47:38 | 000,094,872 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\epfwtdir.sys -- (epfwtdir)
DRV - [2010-05-10 19:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Documents and Settings\Gaby Cove\Local Settings\temp\SAS_SelfExtract\saskutil.sys -- (SASKUTIL)
DRV - [2010-04-28 07:44:02 | 000,054,760 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\fssfltr_tdi.sys -- (fssfltr)
DRV - [2010-02-17 19:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Documents and Settings\Gaby Cove\Local Settings\temp\SAS_SelfExtract\sasdifsv.sys -- (SASDIFSV)
DRV - [2009-07-16 17:35:06 | 000,105,856 | ---- | M] (Mars Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\mr8980.sys -- (mr8980)
DRV - [2009-06-30 10:37:16 | 000,028,552 | ---- | M] (Panda Security, S.L.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot)
DRV - [2008-04-13 19:46:08 | 000,049,024 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\mstape.sys -- (MSTAPE)
DRV - [2008-04-13 19:46:07 | 000,013,696 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\avcstrm.sys -- (AVCSTRM)
DRV - [2007-06-05 11:56:40 | 000,044,928 | ---- | M] (Panda Software) [Kernel | Disabled | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\SDTHOOK.SYS -- (SDTHOOK)
DRV - [2007-03-12 14:25:00 | 000,101,520 | ---- | M] (Syntek Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\STK02NW2.sys -- (DCamUSBSTK02N)
DRV - [2006-10-24 15:33:27 | 000,002,944 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\bbcap.sys -- (bbcap)
DRV - [2006-08-23 11:33:46 | 000,003,584 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\shwMirror.sys -- (shwMirror)
DRV - [2004-10-24 09:11:00 | 000,028,800 | ---- | M] (Deon van der Westhuysen) [Kernel | Disabled | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\PPortJoy.sys -- (PPortJoystick)
DRV - [2004-10-24 09:11:00 | 000,013,952 | ---- | M] (Deon van der Westhuysen) [Kernel | Disabled | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\PPJoyBus.sys -- (PPJoyBus)
DRV - [2004-08-04 06:29:49 | 000,019,455 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wvchntxx.sys -- (iAimFP4)
DRV - [2004-08-04 06:29:47 | 000,012,063 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wsiintxx.sys -- (iAimFP3)
DRV - [2004-08-04 06:29:45 | 000,023,615 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wch7xxnt.sys -- (iAimTV4)
DRV - [2004-08-04 06:29:43 | 000,033,599 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv04nt.sys -- (iAimTV3)
DRV - [2004-08-04 06:29:42 | 000,019,551 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv02nt.sys -- (iAimTV1)
DRV - [2004-08-04 06:29:41 | 000,029,311 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\watv01nt.sys -- (iAimTV0)
DRV - [2004-08-04 06:29:37 | 000,012,415 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv01nt.sys -- (iAimFP0)
DRV - [2004-08-04 06:29:37 | 000,012,127 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv02nt.sys -- (iAimFP1)
DRV - [2004-08-04 06:29:37 | 000,011,775 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\wadv05nt.sys -- (iAimFP2)
DRV - [2004-08-04 06:29:36 | 000,161,020 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\i81xnt5.sys -- (i81x)
DRV - [2002-11-08 14:45:06 | 000,017,217 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys -- (omci)
DRV - [2002-10-29 17:38:10 | 000,170,499 | ---- | M] (Conexant Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2002-10-29 17:37:36 | 001,175,536 | ---- | M] (Conexant Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_DP.sys -- (HSF_DP)
DRV - [2002-10-29 17:31:28 | 000,604,240 | ---- | M] (Conexant Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_CNXT.sys -- (winachsf)
DRV - [2002-10-25 03:17:38 | 000,029,414 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\ckldrv.sys -- (NetworkX)
DRV - [2001-08-17 13:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\EL90XBC5.SYS -- (EL90XBC)
DRV - [2000-10-24 00:00:00 | 000,040,448 | ---- | M] (DeviceGuys, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\DGIVECP.SYS -- (DgiVecp)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page_bak = prosearching.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-3272319160-1273012194-2206721117-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-3272319160-1273012194-2206721117-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page_bak = prosearching.com
IE - HKU\S-1-5-21-3272319160-1273012194-2206721117-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKU\S-1-5-21-3272319160-1273012194-2206721117-1007\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-3272319160-1273012194-2206721117-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q="
FF - prefs.js..browser.startup.homepage: "www.google.co.uk | http://www.paramountzone.com"
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.8
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.8.6
FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:2.0.2
FF - prefs.js..extensions.enabledItems: {3c6e1eed-a07e-4c80-9cf3-66ea0bf40b37}:2.2
FF - prefs.js..extensions.enabledItems: {4BBDD651-70CF-4821-84F8-2B918CF89CA3}:6.3.3.2
FF - prefs.js..extensions.enabledItems: firebug@software.joehewitt.com:1.6.2
FF - prefs.js..extensions.enabledItems: fontfinder@bendodson.com:1.0
FF - prefs.js..extensions.enabledItems: foxmarks@kei.com:3.9.9
FF - prefs.js..extensions.enabledItems: {aff87fa2-a58e-4edd-b852-0a20203c1e17}:0.8
FF - prefs.js..extensions.enabledItems: {35379F86-8CCB-4724-AE33-4278DE266C70}:1.0.5
FF - prefs.js..extensions.enabledItems: {d57c9ff1-6389-48fc-b770-f78bd89b6e8a}:1.36
FF - prefs.js..extensions.enabledItems: seotoolbar@seobook.com:1.1.5
FF - prefs.js..extensions.enabledItems: {1280606b-2510-4fe0-97ef-9b5a22eafe30}:0.7.5
FF - prefs.js..extensions.enabledItems: SQLiteManager@mrinalkant.blogspot.com:0.6.8
FF - prefs.js..extensions.enabledItems: {dc572301-7619-498c-a57d-39143191b318}:0.3.8.5
FF - prefs.js..extensions.enabledItems: {4D144BC3-23FB-47de-90C5-63CCB0139CCF}:1.0
FF - prefs.js..extensions.enabledItems: {c45c406e-ab73-11d8-be73-000a95be3b12}:1.1.6
FF - prefs.js..extensions.enabledItems: {ef62e1ce-d2a4-4cdd-b7ec-92b120366b66}:2.7.2
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {e001c731-5e37-4538-a5cb-8168736a2360}:0.9.9.91
FF - prefs.js..extensions.enabledItems: {5c8bfb7c-9a54-11dc-8314-0800200c9a66}:3.6.7
FF - prefs.js..extensions.enabledItems: aerofox@virtusdesigns.com:3.6.2
FF - prefs.js..extensions.enabledItems: djziggy@gmail.com:1.3.1
FF - prefs.js..extensions.enabledItems: {C1F83B1E-D6EE-11DE-B441-1AD556D89593}:1.15


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011-05-01 17:05:10 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011-05-01 17:05:10 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Netscape 7.2\Extensions\\Components: C:\Program Files\Netscape\Netscape\Components [2010-07-30 14:57:49 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Netscape 7.2\Extensions\\Plugins: C:\Program Files\Netscape\Netscape\Plugins [2011-04-26 18:12:46 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2011-04-26 21:57:34 | 000,000,000 | ---D | M]

[2009-01-15 13:23:49 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Gaby Cove\Application Data\Mozilla\Extensions
[2011-05-01 19:58:46 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\extensions
[2011-04-13 16:09:13 | 000,000,000 | ---D | M] (Session Manager) -- C:\Documents and Settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}
[2009-09-03 14:10:29 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011-04-26 15:00:59 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2010-08-10 15:59:08 | 000,000,000 | ---D | M] (Dust-Me Selectors) -- C:\Documents and Settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\extensions\{3c6e1eed-a07e-4c80-9cf3-66ea0bf40b37}
[2011-04-13 16:08:36 | 000,000,000 | ---D | M] (FEBE) -- C:\Documents and Settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}
[2010-04-14 15:01:01 | 000,000,000 | ---D | M] (TradeManager-Plugin) -- C:\Documents and Settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\extensions\{4D144BC3-23FB-47de-90C5-63CCB0139CCF}
[2011-04-13 16:08:02 | 000,000,000 | ---D | M] (Aero Fox XL) -- C:\Documents and Settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}
[2009-07-06 18:14:44 | 000,000,000 | ---D | M] ("OutWit Kernel") -- C:\Documents and Settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\extensions\{5fb1186a-3398-4c47-b579-0f2eee222ad1}
[2009-01-19 11:12:04 | 000,000,000 | ---D | M] (Sage) -- C:\Documents and Settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\extensions\{a6ca9b3b-5e52-4f47-85d8-cca35bb57596}
[2011-04-13 16:08:57 | 000,000,000 | ---D | M] (gTranslate) -- C:\Documents and Settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\extensions\{aff87fa2-a58e-4edd-b852-0a20203c1e17}
[2011-04-13 16:08:23 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2011-04-14 11:18:22 | 000,000,000 | ---D | M] (Oxygen KDE) -- C:\Documents and Settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\extensions\{C1F83B1E-D6EE-11DE-B441-1AD556D89593}
[2009-01-19 16:52:14 | 000,000,000 | ---D | M] (Fasterfox) -- C:\Documents and Settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\extensions\{c36177c0-224a-11da-8cd6-0800200c9a99}
[2009-01-19 11:14:38 | 000,000,000 | ---D | M] (Web Developer) -- C:\Documents and Settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
[2009-01-30 13:48:31 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus®)) -- C:\Documents and Settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}
[2011-04-13 16:08:17 | 000,000,000 | ---D | M] (Download Statusbar) -- C:\Documents and Settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2011-04-07 13:15:04 | 000,000,000 | ---D | M] (SearchStatus) -- C:\Documents and Settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\extensions\{d57c9ff1-6389-48fc-b770-f78bd89b6e8a}
[2011-04-14 11:27:42 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\extensions\{dc572301-7619-498c-a57d-39143191b318}
[2011-04-13 16:08:08 | 000,000,000 | ---D | M] (DownThemAll!) -- C:\Documents and Settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2011-05-01 19:58:28 | 000,000,000 | ---D | M] (BitDefender QuickScan) -- C:\Documents and Settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
[2011-05-02 17:34:13 | 000,000,000 | ---D | M] (FoxLingo) -- C:\Documents and Settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\extensions\{ef62e1ce-d2a4-4cdd-b7ec-92b120366b66}
[2011-04-13 16:08:29 | 000,000,000 | ---D | M] (Aero Fox) -- C:\Documents and Settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\extensions\aerofox@virtusdesigns.com
[2009-07-06 18:14:44 | 000,000,000 | ---D | M] ("OutWit Hub") -- C:\Documents and Settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\extensions\base-outfit@outwit.com
[2010-02-16 11:04:28 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\extensions\browserhighlighter@ebay.com
[2009-01-29 12:47:32 | 000,000,000 | ---D | M] (ChromEdit Plus) -- C:\Documents and Settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\extensions\chromeditplus@webdesigns.ms11.net
[2011-04-14 11:11:47 | 000,000,000 | ---D | M] (LavaFox V1-Blue) -- C:\Documents and Settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\extensions\djziggy@gmail.com
[2008-03-11 21:42:15 | 000,000,000 | ---D | M] (Download Embedded) -- C:\Documents and Settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\extensions\dlembed@aeruder.net
[2011-04-13 16:08:49 | 000,000,000 | ---D | M] (Firebug) -- C:\Documents and Settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\extensions\firebug@software.joehewitt.com
[2010-07-27 09:17:28 | 000,000,000 | ---D | M] (Font Finder) -- C:\Documents and Settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\extensions\fontfinder@bendodson.com
[2011-04-13 16:09:04 | 000,000,000 | ---D | M] ("Xmarks") -- C:\Documents and Settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\extensions\foxmarks@kei.com
[2009-01-19 11:14:18 | 000,000,000 | ---D | M] (Launchy) -- C:\Documents and Settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\extensions\launchy@gemal.dk
[2009-03-11 13:38:10 | 000,000,000 | ---D | M] (LogMeIn, Inc. Remote Access Plugin) -- C:\Documents and Settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\extensions\LogMeInClient@logmein.com
[2011-04-06 07:42:25 | 000,000,000 | ---D | M] ("Seo Toolbar") -- C:\Documents and Settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\extensions\seotoolbar@seobook.com
[2011-04-13 16:09:17 | 000,000,000 | ---D | M] (SQLite Manager) -- C:\Documents and Settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\extensions\SQLiteManager@mrinalkant.blogspot.com
[2011-04-13 16:09:25 | 000,000,000 | ---D | M] ("Undo Closed Tabs Button") -- C:\Documents and Settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\extensions\undoclosedtabsbutton@supernova00.biz
[2011-04-13 16:08:02 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}\chrome\win\mozapps\extensions
[2011-04-14 11:18:21 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\extensions\{C1F83B1E-D6EE-11DE-B441-1AD556D89593}\chrome\mozapps\extensions
[2011-04-14 11:27:42 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\extensions\{dc572301-7619-498c-a57d-39143191b318}\modules\extensions
[2011-04-13 16:08:29 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\extensions\aerofox@virtusdesigns.com\chrome\win\browser\extensions
[2011-04-13 16:08:29 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\extensions\aerofox@virtusdesigns.com\chrome\win\mozapps\extensions
[2011-05-01 19:58:47 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011-04-26 18:04:23 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2011-04-26 18:03:30 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2010-05-24 10:04:08 | 000,000,000 | ---D | M] (OneClick YouTube Downloader) -- C:\PROGRAM FILES\ORBITDOWNLOADER\ADDONS\ONECLICKYOUTUBEDOWNLOADER
[2011-04-26 18:03:27 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2011-04-14 17:18:37 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2011-04-14 17:18:37 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2011-04-14 17:18:37 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2011-04-14 17:18:37 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2011-04-26 14:59:46 | 000,000,732 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Octh Class) - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll (Orbitdownloader.com)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll (Google Inc.)
O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
O3 - HKU\S-1-5-21-3272319160-1273012194-2206721117-1007\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-3272319160-1273012194-2206721117-1007\..\Toolbar\WebBrowser: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No CLSID value found.
O3 - HKU\S-1-5-21-3272319160-1273012194-2206721117-1007\..\Toolbar\WebBrowser: (Grab Pro) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll ()
O3 - HKU\S-1-5-21-3272319160-1273012194-2206721117-1007\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO)
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKU\S-1-5-21-3272319160-1273012194-2206721117-1007..\Run: [Directory Opus Desktop Dblclk] C:\Program Files\GPSoftware\Directory Opus\dopusrt.exe (GP Software)
O4 - HKU\S-1-5-21-3272319160-1273012194-2206721117-1007..\Run: [Ffox] C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
O4 - HKU\S-1-5-21-3272319160-1273012194-2206721117-1007..\Run: [outlookexp] C:\Program Files\Outlook Express\msimn.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\STK02N 2.4 PNP Monitor.lnk = C:\WINDOWS\STK02N\STK02NM.exe (Syntek Ltd.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3272319160-1273012194-2206721117-1007\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3272319160-1273012194-2206721117-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-3272319160-1273012194-2206721117-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-3272319160-1273012194-2206721117-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O8 - Extra context menu item: &Download by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: &Grab video by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Do&wnload selected by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Down&load all by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll (Google Inc.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com/qtactivex/qtplugin.cab (QuickTime Object)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\yinsthelper.dll (YInstStarter Class)
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx (Reg Error: Key error.)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A1145



---------

Look forward to your reply

Thanks, James
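Added example, not part of the thread above and not code from OTL: a small triage pass over OTL-style log lines of the kind posted above. It pulls out the things a helper scans for by eye in a search-hijack case: IE/Firefox page and search settings that point at hosts other than the expected ones, non-default Hosts-file entries, orphaned BHO/toolbar entries ("No CLSID value found"), and autostart or driver entries whose publisher field is empty. Every finding is a review item, not a verdict; an empty publisher only means OTL found no company name in the file's version resource. The sample lines are copied from the log above, except one Hosts line marked as constructed, and the ALLOWED_HOSTS set is an assumption chosen to match the expected home and search pages in that log.

```python
"""Triage OTL-style log lines for browser-hijack indicators (added example)."""
import re

# Assumption: hosts a page/search setting on this machine is expected to use.
ALLOWED_HOSTS = {"google.com", "google.co.uk", "euro.dell.com", "symantec.com"}

# Only IE/FF settings whose key names a page, URL, search or home setting are checked.
SETTING_KEY_RE = re.compile(r"search|page|url|home", re.IGNORECASE)
# A hostname either follows a scheme or is not glued to a path/word (so the
# "default.htm" in ".../gen/default.htm" is not taken for a host).
HOST_RE = re.compile(r"(?:https?://|(?<![/\w.\-]))((?:[a-z0-9-]+\.)+[a-z]{2,})", re.IGNORECASE)
GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.IGNORECASE)
PATH_RE = re.compile(r"[a-z]:\\[^()\[\]]*?\.(?:exe|dll|sys)", re.IGNORECASE)
# Publisher as OTL prints it: the trailing "(...)" on O2/O3/O4 lines and the
# "(...)" after the timestamp block on DRV lines. It comes from the file's
# version resource, so empty means "no company name", not "bad signature".
TRAILING_PUB_RE = re.compile(r"\(([^()]*)\)\s*$")
DRV_PUB_RE = re.compile(r"\]\s*\(([^()]*)\)\s*\[")

# Sample input: lines copied from the OTL log posted above, plus one constructed
# Hosts line (marked) so the hosts-file check has something to report.
SAMPLE_LINES = [
    r"DRV - [2002-10-25 03:17:38 | 000,029,414 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\ckldrv.sys -- (NetworkX)",
    r"IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page_bak = prosearching.com",
    r"IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie",
    r"IE - HKU\S-1-5-21-3272319160-1273012194-2206721117-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/",
    r'IE - HKU\S-1-5-21-3272319160-1273012194-2206721117-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0',
    r'FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q="',
    r'FF - prefs.js..browser.startup.homepage: "www.google.co.uk | http://www.paramountzone.com"',
    r"FF - prefs.js..extensions.enabledItems: firebug@software.joehewitt.com:1.6.2",
    r"O1 - Hosts: 127.0.0.1 localhost",
    r"O1 - Hosts: 127.0.0.1 www.google.com",  # constructed, not from the posted log
    r"O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.",
    r"O3 - HKU\S-1-5-21-3272319160-1273012194-2206721117-1007\..\Toolbar\WebBrowser: (Grab Pro) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll ()",
    r"O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)",
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)


def host_allowed(host, allowed):
    """True if host equals or is a subdomain of an allowed host."""
    host = host.lower()
    return any(host == a or host.endswith("." + a) for a in allowed)


def hosts_in(value):
    """Hostnames found in the value part of an IE/FF setting line."""
    return [m.group(1).lower() for m in HOST_RE.finditer(value)]


def triage(log_text, allowed=ALLOWED_HOSTS):
    """Return (kind, detail, line) tuples for lines that deserve a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tag = line.split(" ", 1)[0]
        if tag in ("IE", "FF"):
            sep = " = " if tag == "IE" else ": "
            if sep not in line:
                continue
            key, value = line.split(sep, 1)
            if SETTING_KEY_RE.search(key):
                for host in hosts_in(value):
                    if not host_allowed(host, allowed):
                        findings.append(("unexpected-host", host, line))
        elif tag == "O1" and "Hosts:" in line:
            fields = line.split("Hosts:", 1)[1].split()
            if len(fields) >= 2 and fields[:2] != ["127.0.0.1", "localhost"]:
                findings.append(("hosts-override", " ".join(fields[:2]), line))
        elif tag in ("O2", "O3") and line.endswith("No CLSID value found."):
            guid = GUID_RE.search(line)
            findings.append(("orphan-entry", guid.group(0) if guid else "(no CLSID)", line))
        elif tag in ("O2", "O3", "O4", "DRV"):
            pub = (DRV_PUB_RE if tag == "DRV" else TRAILING_PUB_RE).search(line)
            path = PATH_RE.search(line)
            if pub and path and not pub.group(1).strip():
                findings.append(("no-publisher", path.group(0), line))
    return findings


if __name__ == "__main__":
    for kind, detail, line in triage(SAMPLE_LOG):
        print(f"{kind:16} {detail:48} <- {line[:60]}")
```

On the sample it reports prosearching.com (the Search Page_bak value) and www.paramountzone.com (second Firefox home page) as hosts outside the allowlist, the orphaned BHO GUID, the two files with an empty publisher field, and the constructed Hosts entry; the google.* settings, the ESET Run entry and the extension line produce nothing. Tune ALLOWED_HOSTS per machine; a host being outside it is a reason to look, not proof of a hijack.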

#4 myrti (Malware Study Hall Admin)

Posted 02 May 2011 - 03:30 PM

Hi,

Ramnit is usually an infection where we admit defeat. It will infect dll, exe, php and html files, and making sure that you a) found all infected files and b) the cleaning doesn't corrupt the file itself is extremely hard.

If you have a functioning, Ramnit-free PC at the moment, we can try. Just don't be surprised if it returns later on.

Please run a scan with gmer next:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+
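Added example, not from the thread above, to illustrate point a) in the reply: with a file infector you only know you found every modified file if you have a known-clean reference to compare against. The script takes a hash baseline of the file types named above (dll, exe, php, html), then compares a later snapshot and reports modified, added and removed files. The directory tree, file contents and the "infection" (bytes appended to two files, one file dropped) are constructed for the demo and do not model how Ramnit itself alters files.

```python
"""Hash baseline for the file types a file infector rewrites (added example)."""
import hashlib
import os
import tempfile

# The file types named in the reply above.
TARGET_EXTS = {".dll", ".exe", ".php", ".html"}


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def baseline(root, exts=TARGET_EXTS):
    """Map relative path (forward slashes) -> (size, sha256) for target files under root."""
    snapshot = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in exts:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snapshot[rel] = (os.path.getsize(full), sha256_of(full))
    return snapshot


def compare(before, after):
    """Files changed, added or removed since the baseline was taken."""
    return {
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
        "added": sorted(p for p in after if p not in before),
        "removed": sorted(p for p in before if p not in after),
    }


def _write(root, rel, data, mode="wb"):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, mode) as fh:
        fh.write(data)


def demo():
    """Take a baseline of a constructed tree, tamper with it, and report the diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/app.exe", b"MZ\x90\x00 stand-in executable")
        _write(root, "site/index.html", b"<html><body>hello</body></html>")
        _write(root, "site/config.php", b"<?php $x = 1; ?>")
        _write(root, "notes.txt", b"not a target type")
        clean = baseline(root)

        # Simulated tampering (constructed): appended bytes stand in for an
        # infector's payload, a dropped .dll for a new component. notes.txt
        # changes too, but its extension is outside the watch list.
        _write(root, "bin/app.exe", b" APPENDED", mode="ab")
        _write(root, "site/index.html", b"<script>injected</script>", mode="ab")
        _write(root, "bin/helper.dll", b"dropped component")
        _write(root, "notes.txt", b" changed", mode="ab")
        return compare(clean, baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9}: {paths}")
```

The baseline is only useful if it predates the infection; on a machine that is already infected the practical substitute is comparing against hashes from install media or a clean install of the same software. The check also only finds changed files; deciding whether a flagged file can be cleaned without corrupting it, point b) above, is a separate problem, which is why replacing from a clean source is usually preferred.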


#5 jimbo365 (Topic Starter)

Posted 04 May 2011 - 02:48 AM

Hello Myrti,

When I tried to post the GMER results it said it was too long, so
I have attached the log instead. Hope that is ok. Thanks, James

Attached Files



#6 myrti (Malware Study Hall Admin)

Posted 04 May 2011 - 04:13 AM

Hi,

This is looking good. The ComboFix log shows some leftovers; could you please rerun it and post the log here? Let it update if it requests to do so.

Regards, myrti



#7 jimbo365 (Topic Starter)

Posted 04 May 2011 - 01:56 PM

Hi Myrti,

Would be great if you can clear out any final problems to speed up the computer fully.

I should mention that I installed a program this morning that uses a program called Ubot.

I scanned the file before installing and all was ok, but I see maybe Combofix does not like Ubot.

Here is the Combofix report after scan just run:


ComboFix 11-05-03.08 - Gaby Cove 2011-05-04 18:47:49.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.1770 [GMT 1:00]
Running from: c:\documents and settings\Gaby Cove\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: COMODO Firewall *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Gaby Cove\Application Data\ubot
.
.
((((((((((((((((((((((((( Files Created from 2011-04-04 to 2011-05-04 )))))))))))))))))))))))))))))))
.
.
2011-05-04 08:41 . 2011-05-04 08:41 -------- d-----w- c:\documents and settings\Gaby Cove\Local Settings\Application Data\Xenocode
2011-05-04 08:40 . 2011-05-04 08:41 -------- d-----w- C:\Bogan Marketing Tools
2011-05-01 19:06 . 2009-06-30 09:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2011-05-01 18:59 . 2011-05-01 18:59 -------- d-----w- c:\documents and settings\Gaby Cove\Application Data\QuickScan
2011-04-29 09:15 . 2011-04-29 09:15 -------- d-----w- c:\documents and settings\Gaby Cove\Application Data\SUPERAntiSpyware.com
2011-04-29 09:15 . 2011-04-29 09:15 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-04-29 08:05 . 2011-02-23 15:54 29520 ----a-w- c:\windows\system32\SmartDefragBootTime.exe
2011-04-29 08:05 . 2011-02-23 16:04 13496 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys
2011-04-28 14:47 . 2011-04-28 14:47 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2011-04-28 14:46 . 2010-04-28 06:44 54760 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
2011-04-28 14:45 . 2011-04-28 14:45 -------- d-----w- c:\program files\Microsoft Sync Framework
2011-04-28 14:45 . 2011-04-28 14:45 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-04-28 14:43 . 2011-04-28 14:43 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2011-04-28 14:36 . 2008-06-17 15:13 74520 ----a-w- c:\program files\Common Files\Windows Live\.cache\a84031521cc05b1\DSETUP.dll
2011-04-28 14:36 . 2008-06-17 15:13 484632 ----a-w- c:\program files\Common Files\Windows Live\.cache\a84031521cc05b1\DXSETUP.exe
2011-04-28 14:36 . 2008-06-17 15:13 1670936 ----a-w- c:\program files\Common Files\Windows Live\.cache\a84031521cc05b1\dsetup32.dll
2011-04-28 14:36 . 2008-07-11 03:50 1013800 ----a-w- c:\program files\Common Files\Windows Live\.cache\9ec5176e1cc05b1\WindowsXP-KB954708-x86-ENU.exe
2011-04-28 14:28 . 2011-04-28 14:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype Extras
2011-04-28 14:28 . 2011-04-28 14:28 -------- d-----w- c:\program files\Common Files\Skype
2011-04-28 11:01 . 2011-04-28 11:01 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-04-28 10:59 . 2011-04-28 10:59 -------- d-----w- c:\program files\COMODO
2011-04-28 10:57 . 2011-04-28 11:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2011-04-27 19:39 . 2011-04-27 19:39 102400 ----a-w- c:\windows\RegBootClean.exe
2011-04-27 17:48 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2011-04-27 17:48 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2011-04-27 17:48 . 2011-02-08 13:33 978944 ------w- c:\windows\system32\dllcache\mfc42.dll
2011-04-27 17:46 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2011-04-27 17:43 . 2010-11-02 15:17 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2011-04-27 17:34 . 2010-10-11 14:59 45568 ------w- c:\windows\system32\dllcache\wab.exe
2011-04-27 14:14 . 2011-04-27 14:14 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-04-27 13:21 . 2011-04-27 13:21 -------- d-----w- c:\windows\system32\scripting
2011-04-27 13:21 . 2011-04-27 13:21 -------- d-----w- c:\windows\l2schemas
2011-04-27 13:21 . 2011-04-27 13:21 -------- d-----w- c:\windows\system32\en
2011-04-27 12:34 . 2011-04-27 12:34 -------- d-sh--w- c:\documents and settings\Gaby Cove\PrivacIE
2011-04-27 12:17 . 2011-04-27 12:17 -------- d-sh--w- c:\documents and settings\Gaby Cove\IETldCache
2011-04-27 11:54 . 2011-04-27 11:58 -------- dc-h--w- c:\windows\ie8
2011-04-27 11:47 . 2011-02-22 23:06 602112 ------w- c:\windows\system32\dllcache\msfeeds.dll
2011-04-27 11:47 . 2011-02-22 23:06 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-04-27 11:47 . 2011-02-22 23:06 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2011-04-27 11:47 . 2011-02-22 23:06 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2011-04-27 11:47 . 2011-02-22 23:06 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2011-04-27 11:47 . 2011-02-22 23:06 1991680 ------w- c:\windows\system32\dllcache\iertutil.dll
2011-04-27 11:47 . 2011-02-22 23:06 11080704 ------w- c:\windows\system32\dllcache\ieframe.dll
2011-04-27 05:49 . 2011-04-27 05:49 -------- d-----w- c:\documents and settings\Gaby Cove\Local Settings\Application Data\Symantec
2011-04-26 21:16 . 2011-04-26 21:16 -------- d-----w- c:\documents and settings\Gaby Cove\Local Settings\Application Data\ESET
2011-04-26 20:57 . 2011-04-26 20:57 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2011-04-26 17:04 . 2011-04-26 17:03 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-04-26 17:04 . 2011-04-26 17:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-26 14:10 . 2011-04-26 16:51 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-04-26 14:10 . 2011-04-26 14:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-04-23 16:54 . 2011-04-26 18:09 -------- d-----w- C:\jmf
2011-04-23 13:06 . 2011-04-23 13:06 388096 ----a-r- c:\documents and settings\Gaby Cove\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-04-21 12:12 . 2011-04-26 20:57 -------- d-----w- c:\program files\ESET
2011-04-15 17:10 . 2011-03-06 13:21 687104 ----a-w- c:\documents and settings\Gaby Cove\Application Data\Microsoft\Internet Explorer\Quick Launch\textcopy.exe
2011-04-15 11:36 . 2011-04-15 11:36 -------- d-----w- c:\documents and settings\Gaby Cove\Local Settings\Application Data\SundryTools.com
2011-04-15 09:45 . 2011-04-15 09:45 -------- d-----w- c:\documents and settings\Gaby Cove\Application Data\Paludour
2011-04-13 15:05 . 2011-05-01 16:04 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-04-13 15:05 . 2011-05-01 16:03 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
2011-04-12 10:34 . 2011-04-12 10:34 -------- d-----w- c:\program files\GF Split & Merge
2011-04-08 15:40 . 2011-04-08 15:41 -------- d-----w- c:\program files\SEO PowerSuite
2011-04-07 08:58 . 2011-04-07 08:58 -------- d-----w- c:\program files\MSECache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-26 17:03 . 2008-06-23 10:48 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-03-07 05:33 . 2002-08-29 05:00 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2002-08-29 05:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2002-08-29 05:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2004-08-23 19:32 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2002-08-29 05:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2002-08-29 05:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2002-08-29 05:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2002-08-29 05:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-04-16 08:15 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2002-08-29 05:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2002-08-29 05:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2002-08-29 05:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2002-08-29 05:00 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2002-08-29 05:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2005-07-21 11:26 . 2005-07-21 11:26 2417464 ----a-w- c:\program files\BIMPLite.exe
2004-12-15 10:40 . 2005-02-06 12:14 203264 ----a-w- c:\program files\HijackThis.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
"Ffox"="c:\program files\Mozilla Firefox\firefox.exe" [2011-05-01 912344]
"outlookexp"="c:\program files\Outlook Express\msimn.exe" [2008-04-14 60416]
"Directory Opus Desktop Dblclk"="c:\program files\GPSoftware\Directory Opus\dopusrt.exe" [2009-01-20 280048]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-04-18 15146376]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2011-01-12 2219184]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-01-17 2548552]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
STK02N 2.4 PNP Monitor.lnk - c:\windows\STK02N\STK02NM.exe [2010-6-29 163840]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{3CF9ECE0-1A9F-11D2-8C73-00C06C2005DE}"= "c:\program files\GPSoftware\Directory Opus\dopuslib.dll" [2009-01-20 714224]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2010-07-26 12:42 15216 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gaby Cove^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Gaby Cove\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 20:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ewido anti-spyware 4.0 guard"=2 (0x2)
"Adobe LM Service"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20:TCP"= 20:TCP:cute
"5910:TCP"= 5910:TCP:vnc5910
.
R0 pavboot;pavboot;c:\windows\SYSTEM32\DRIVERS\pavboot.sys [2011-05-01 28552]
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\SYSTEM32\DRIVERS\SmartDefragDriver.sys [2011-04-29 13496]
R1 bbcap;bbcap;c:\windows\SYSTEM32\DRIVERS\bbcap.sys [2006-10-24 2944]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\SYSTEM32\DRIVERS\cmdGuard.sys [2011-01-06 239368]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\SYSTEM32\DRIVERS\cmdhlp.sys [2011-01-06 27576]
R1 ehdrv;ehdrv;c:\windows\SYSTEM32\DRIVERS\ehdrv.sys [2010-12-21 115008]
R1 epfwtdir;epfwtdir;c:\windows\SYSTEM32\DRIVERS\epfwtdir.sys [2010-12-21 94872]
R1 SASDIFSV;SASDIFSV;\??\c:\docume~1\GABYCO~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\GABYCO~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
R1 SASKUTIL;SASKUTIL;\??\c:\docume~1\GABYCO~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\GABYCO~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2011-01-12 810144]
R3 shwMirror;shwMirror;c:\windows\SYSTEM32\DRIVERS\shwMirror.sys [2006-08-23 3584]
S3 DCamUSBSTK02N;Standard Camera;c:\windows\SYSTEM32\DRIVERS\STK02NW2.sys [2010-06-29 101520]
S3 LHSF_CNX;LHSF_CNX;\??\c:\docume~1\GABYCO~1\LOCALS~1\Temp\LHSF_CNX.sys --> c:\docume~1\GABYCO~1\LOCALS~1\Temp\LHSF_CNX.sys [?]
S3 mr8980;Digital Wireless Camera;c:\windows\SYSTEM32\DRIVERS\mr8980.sys [2009-07-16 105856]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-17 135664]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-17 135664]
S4 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\SYSTEM32\DRIVERS\PPJoyBus.sys [2004-01-23 13952]
S4 PPortJoystick;Parallel Port Joystick device driver;c:\windows\SYSTEM32\DRIVERS\PPortJoy.sys [2004-01-23 28800]
S4 SDTHOOK;SDTHOOK;c:\windows\SYSTEM32\DRIVERS\SDTHOOK.SYS [2008-01-02 44928]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - kxtdypow
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
2011-05-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-17 10:54]
.
2011-05-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-17 10:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mSearch Bar =
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Add to AMV Convert Tool... - c:\program files\MP3 Player Utilities 4.00\AMVConverter\grab.html
IE: Add to AMV Converter... - c:\program files\MP3 Player Utilities 4.13\AMVConverter\grab.html
IE: Add to Media Manager... - c:\program files\MP3 Player Utilities 4.13\MediaManager\grab.html
IE: AMV convert tool grab multimedia file - c:\program files\MP3 Player Utilities 5.02\AMVConverter\grab.html
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll/cmsidewiki.html
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - www.google.co.uk | hxxp://www.paramountzone.com
FF - Ext: Aero Fox: aerofox@virtusdesigns.com - %profile%\extensions\aerofox@virtusdesigns.com
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com
FF - Ext: SQLite Manager: SQLiteManager@mrinalkant.blogspot.com - %profile%\extensions\SQLiteManager@mrinalkant.blogspot.com
FF - Ext: Session Manager: {1280606b-2510-4fe0-97ef-9b5a22eafe30} - %profile%\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: FEBE: {4BBDD651-70CF-4821-84F8-2B918CF89CA3} - %profile%\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}
FF - Ext: Aero Fox XL: {5c8bfb7c-9a54-11dc-8314-0800200c9a66} - %profile%\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}
FF - Ext: gTranslate: {aff87fa2-a58e-4edd-b852-0a20203c1e17} - %profile%\extensions\{aff87fa2-a58e-4edd-b852-0a20203c1e17}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
FF - Ext: Adobe DLM (powered by getPlus®): {CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7} - %profile%\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: TradeManager-Plugin: {4D144BC3-23FB-47de-90C5-63CCB0139CCF} - %profile%\extensions\{4D144BC3-23FB-47de-90C5-63CCB0139CCF}
FF - Ext: Font Finder: fontfinder@bendodson.com - %profile%\extensions\fontfinder@bendodson.com
FF - Ext: Dust-Me Selectors: {3c6e1eed-a07e-4c80-9cf3-66ea0bf40b37} - %profile%\extensions\{3c6e1eed-a07e-4c80-9cf3-66ea0bf40b37}
FF - Ext: Seo Toolbar: seotoolbar@seobook.com - %profile%\extensions\seotoolbar@seobook.com
FF - Ext: SearchStatus: {d57c9ff1-6389-48fc-b770-f78bd89b6e8a} - %profile%\extensions\{d57c9ff1-6389-48fc-b770-f78bd89b6e8a}
FF - Ext: LavaFox V1-Blue: djziggy@gmail.com - %profile%\extensions\djziggy@gmail.com
FF - Ext: Oxygen KDE: {C1F83B1E-D6EE-11DE-B441-1AD556D89593} - %profile%\extensions\{C1F83B1E-D6EE-11DE-B441-1AD556D89593}
FF - Ext: FoxLingo: {ef62e1ce-d2a4-4cdd-b7ec-92b120366b66} - %profile%\extensions\{ef62e1ce-d2a4-4cdd-b7ec-92b120366b66}
FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-ActiveScan 2.0 - c:\program files\Panda Security\ActiveScan 2.0\as2uninst.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-04 19:19
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose, ZwOpenFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):b7,19,b8,4e,15,36,f2,14,ce,dc,a1,ef,76,9c,22,02,4b,88,87,c7,01,
56,6c,38,a5,1d,61,ac,54,a2,04,d9,37,28,50,11,9f,37,4b,ce,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{dd7be4d8-af43-412d-b563-19368b09eefa}]
@Denied: (Full) (Everyone)
"Model"=dword:00000042
"Therad"=dword:0000000a
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(740)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
.
- - - - - - - > 'lsass.exe'(800)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'explorer.exe'(3764)
c:\windows\system32\WININET.dll
c:\windows\system32\guard32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-05-04 19:44:26
ComboFix-quarantined-files.txt 2011-05-04 18:44
ComboFix2.txt 2011-04-23 17:22
.
Pre-Run: 11,066,802,176 bytes free
Post-Run: 11,511,885,824 bytes free
.
- - End Of File - - 622224D95C956EA90BA85989A6EAA8B4

#8 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home

Posted 06 May 2011 - 04:43 AM

Hi,

what does ubot do?

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Driver::
kxtdypow


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#9 jimbo365

jimbo365
  • Topic Starter

  • Members
  • 9 posts

Posted 07 May 2011 - 04:08 AM

Hello Myrti,

Can I ask what kxtdypow is?

I will run this as you asked when back at the infected computer tomorrow or Monday.

Best regards, James

#10 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home

Posted 07 May 2011 - 04:31 AM

It's a randomly named driver. Possibly a massmailer called bubnix.

Once it is disabled we should be able to see the file it belongs to, and that'll help determine which it is exactly. It is not part of any legit application I know of, and the way it is showing in the log makes me certain that it is trying to hide from view and therefore is most likely malicious.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

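One way to mechanise the kind of triage myrti is doing above, as an added example that is not part of this thread or of ComboFix itself: a short Python script that parses ComboFix's driver/service lines and its "Other Services/Drivers In Memory" section and flags entries that are deregistered, that ComboFix could not verify on disk, or that load from a Temp folder. The sample lines and user name are constructed, modelled on the log format in this thread.

```python
"""Triage the driver/service lines of a ComboFix log for entries that merit a closer look."""
import re
from typing import Dict, List

# Constructed sample in ComboFix's driver/service format (modelled on the log in this thread;
# the user name and paths are made up). kxtdypow appears only as a deregistered in-memory
# entry with no backing file, which is what made the helper suspect it.
SAMPLE_LOG = r"""
R0 pavboot;pavboot;c:\windows\SYSTEM32\DRIVERS\pavboot.sys [2011-05-01 28552]
R1 SASDIFSV;SASDIFSV;\??\c:\docume~1\SOMEUSER~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\SOMEUSER~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S3 mr8980;Digital Wireless Camera;c:\windows\SYSTEM32\DRIVERS\mr8980.sys [2009-07-16 105856]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - kxtdypow
.
"""

# "R0 name;display name;path [date size]": R/S = running/stopped, digit = Windows start type
# (0 boot, 1 system, 2 auto, 3 demand, 4 disabled). The bracket holds "?" when ComboFix
# could not find the file on disk.
SERVICE_RE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.*?)\s+\[([^\]]*)\]\s*$")
# Entries ComboFix saw loaded in memory that are no longer registered as services.
DEREG_RE = re.compile(r"^\*Deregistered\*\s+-\s+(\S+)")


def parse_entries(log_text: str) -> List[Dict[str, str]]:
    """Return one dict per driver/service line: name, state, resolved path and file_info."""
    entries = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            state, name, _display, path, info = m.groups()
            # "\??\<path> --> <path>" gives the NT path and the resolved Win32 path; keep the latter.
            if " --> " in path:
                path = path.split(" --> ", 1)[1]
            entries.append({"name": name, "state": state, "path": path, "file_info": info})
            continue
        d = DEREG_RE.match(line)
        if d:
            entries.append({"name": d.group(1), "state": "deregistered", "path": "", "file_info": ""})
    return entries


def flag_entry(entry: Dict[str, str]) -> List[str]:
    """Reasons an entry deserves a second look; an empty list means nothing stood out."""
    reasons = []
    if entry["state"] == "deregistered":
        reasons.append("deregistered")      # loaded in memory but not visible as a registered service
    if entry["file_info"] == "?":
        reasons.append("unverified_file")   # ComboFix could not find or verify the file on disk
    if "\\temp\\" in entry["path"].lower():
        reasons.append("temp_path")         # a kernel driver loading from a user's Temp folder
    return reasons


def suspicious(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged entry's name to its reasons. A flag is a prompt to verify, not a verdict:
    the SASDIFSV line here mirrors SUPERAntiSpyware's self-extracting scanner, which is benign."""
    result = {}
    for entry in parse_entries(log_text):
        reasons = flag_entry(entry)
        if reasons:
            result[entry["name"]] = reasons
    return result


if __name__ == "__main__":
    for name, reasons in suspicious(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(reasons)}")
```
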


#11 jimbo365

jimbo365
  • Topic Starter

  • Members
  • 9 posts

Posted 10 May 2011 - 01:53 PM

Hi Myrti,

I did as you requested in the last post regarding the combofix script file, and here is the new post.

Thanks, James



ComboFix 11-05-03.08 - Gaby Cove 2011-05-10 18:20:09.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.1965 [GMT 1:00]
Running from: c:\documents and settings\Gaby Cove\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Gaby Cove\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: COMODO Firewall *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
- REDUCED FUNCTIONALITY MODE -
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Gaby Cove\Application Data\ubot
.
.
((((((((((((((((((((((((( Files Created from 2011-04-10 to 2011-05-10 )))))))))))))))))))))))))))))))
.
.
2011-05-05 08:15 . 2011-05-05 08:15 -------- d-----w- c:\program files\SeoQuake
2011-05-04 08:41 . 2011-05-04 08:41 -------- d-----w- c:\documents and settings\Gaby Cove\Local Settings\Application Data\Xenocode
2011-05-04 08:40 . 2011-05-04 08:41 -------- d-----w- C:\Bogan Marketing Tools
2011-05-01 19:06 . 2009-06-30 09:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2011-05-01 18:59 . 2011-05-01 18:59 -------- d-----w- c:\documents and settings\Gaby Cove\Application Data\QuickScan
2011-04-29 09:15 . 2011-04-29 09:15 -------- d-----w- c:\documents and settings\Gaby Cove\Application Data\SUPERAntiSpyware.com
2011-04-29 09:15 . 2011-04-29 09:15 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-04-29 08:05 . 2011-02-23 15:54 29520 ----a-w- c:\windows\system32\SmartDefragBootTime.exe
2011-04-29 08:05 . 2011-02-23 16:04 13496 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys
2011-04-28 14:47 . 2011-04-28 14:47 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2011-04-28 14:46 . 2010-04-28 06:44 54760 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
2011-04-28 14:45 . 2011-04-28 14:45 -------- d-----w- c:\program files\Microsoft Sync Framework
2011-04-28 14:45 . 2011-04-28 14:45 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-04-28 14:43 . 2011-04-28 14:43 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2011-04-28 14:36 . 2008-06-17 15:13 74520 ----a-w- c:\program files\Common Files\Windows Live\.cache\a84031521cc05b1\DSETUP.dll
2011-04-28 14:36 . 2008-06-17 15:13 484632 ----a-w- c:\program files\Common Files\Windows Live\.cache\a84031521cc05b1\DXSETUP.exe
2011-04-28 14:36 . 2008-06-17 15:13 1670936 ----a-w- c:\program files\Common Files\Windows Live\.cache\a84031521cc05b1\dsetup32.dll
2011-04-28 14:36 . 2008-07-11 03:50 1013800 ----a-w- c:\program files\Common Files\Windows Live\.cache\9ec5176e1cc05b1\WindowsXP-KB954708-x86-ENU.exe
2011-04-28 14:28 . 2011-04-28 14:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype Extras
2011-04-28 14:28 . 2011-04-28 14:28 -------- d-----w- c:\program files\Common Files\Skype
2011-04-28 11:01 . 2011-04-28 11:01 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-04-28 10:59 . 2011-04-28 10:59 -------- d-----w- c:\program files\COMODO
2011-04-28 10:57 . 2011-04-28 11:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2011-04-27 19:39 . 2011-04-27 19:39 102400 ----a-w- c:\windows\RegBootClean.exe
2011-04-27 17:48 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2011-04-27 17:48 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2011-04-27 17:48 . 2011-02-08 13:33 978944 ------w- c:\windows\system32\dllcache\mfc42.dll
2011-04-27 17:46 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2011-04-27 17:43 . 2010-11-02 15:17 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2011-04-27 17:34 . 2010-10-11 14:59 45568 ------w- c:\windows\system32\dllcache\wab.exe
2011-04-27 14:14 . 2011-04-27 14:14 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-04-27 13:21 . 2011-04-27 13:21 -------- d-----w- c:\windows\system32\scripting
2011-04-27 13:21 . 2011-04-27 13:21 -------- d-----w- c:\windows\l2schemas
2011-04-27 13:21 . 2011-04-27 13:21 -------- d-----w- c:\windows\system32\en
2011-04-27 12:34 . 2011-04-27 12:34 -------- d-sh--w- c:\documents and settings\Gaby Cove\PrivacIE
2011-04-27 12:17 . 2011-04-27 12:17 -------- d-sh--w- c:\documents and settings\Gaby Cove\IETldCache
2011-04-27 11:54 . 2011-04-27 11:58 -------- dc-h--w- c:\windows\ie8
2011-04-27 11:47 . 2011-02-22 23:06 602112 ------w- c:\windows\system32\dllcache\msfeeds.dll
2011-04-27 11:47 . 2011-02-22 23:06 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-04-27 11:47 . 2011-02-22 23:06 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2011-04-27 11:47 . 2011-02-22 23:06 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2011-04-27 11:47 . 2011-02-22 23:06 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2011-04-27 11:47 . 2011-02-22 23:06 1991680 ------w- c:\windows\system32\dllcache\iertutil.dll
2011-04-27 11:47 . 2011-02-22 23:06 11080704 ------w- c:\windows\system32\dllcache\ieframe.dll
2011-04-27 05:49 . 2011-04-27 05:49 -------- d-----w- c:\documents and settings\Gaby Cove\Local Settings\Application Data\Symantec
2011-04-26 21:16 . 2011-04-26 21:16 -------- d-----w- c:\documents and settings\Gaby Cove\Local Settings\Application Data\ESET
2011-04-26 20:57 . 2011-04-26 20:57 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2011-04-26 17:04 . 2011-04-26 17:03 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-04-26 17:04 . 2011-04-26 17:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-26 14:10 . 2011-04-26 16:51 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-04-26 14:10 . 2011-04-26 14:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-04-23 16:54 . 2011-04-26 18:09 -------- d-----w- C:\jmf
2011-04-23 13:06 . 2011-04-23 13:06 388096 ----a-r- c:\documents and settings\Gaby Cove\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-04-21 12:12 . 2011-04-26 20:57 -------- d-----w- c:\program files\ESET
2011-04-15 17:10 . 2011-03-06 13:21 687104 ----a-w- c:\documents and settings\Gaby Cove\Application Data\Microsoft\Internet Explorer\Quick Launch\textcopy.exe
2011-04-15 11:36 . 2011-04-15 11:36 -------- d-----w- c:\documents and settings\Gaby Cove\Local Settings\Application Data\SundryTools.com
2011-04-15 09:45 . 2011-04-15 09:45 -------- d-----w- c:\documents and settings\Gaby Cove\Application Data\Paludour
2011-04-13 15:05 . 2011-05-01 16:04 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-04-13 15:05 . 2011-05-01 16:03 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
2011-04-12 10:34 . 2011-04-12 10:34 -------- d-----w- c:\program files\GF Split & Merge
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-09 07:48 . 2006-11-03 13:48 563712 ----a-w- c:\documents and settings\Gaby Cove\gotomypc_370.exe
2011-05-05 16:42 . 2011-01-06 16:37 96608 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-05-05 16:42 . 2010-12-29 00:42 284744 ----a-w- c:\windows\system32\guard32.dll
2011-05-05 16:42 . 2011-01-06 16:37 29400 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-05-05 16:42 . 2011-01-06 16:37 242472 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-05-05 16:42 . 2011-01-06 16:37 17416 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-04-26 17:03 . 2008-06-23 10:48 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-03-07 05:33 . 2002-08-29 05:00 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2002-08-29 05:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2002-08-29 05:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2004-08-23 19:32 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2002-08-29 05:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2002-08-29 05:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2002-08-29 05:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2002-08-29 05:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-04-16 08:15 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2002-08-29 05:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2005-07-21 11:26 . 2005-07-21 11:26 2417464 ----a-w- c:\program files\BIMPLite.exe
2004-12-15 10:40 . 2005-02-06 12:14 203264 ----a-w- c:\program files\HijackThis.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
"Ffox"="c:\program files\Mozilla Firefox\firefox.exe" [2011-05-01 912344]
"outlookexp"="c:\program files\Outlook Express\msimn.exe" [2008-04-14 60416]
"Directory Opus Desktop Dblclk"="c:\program files\GPSoftware\Directory Opus\dopusrt.exe" [2009-01-20 280048]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-04-18 15146376]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2011-01-12 2219184]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-05-05 2560840]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
STK02N 2.4 PNP Monitor.lnk - c:\windows\STK02N\STK02NM.exe [2010-6-29 163840]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{3CF9ECE0-1A9F-11D2-8C73-00C06C2005DE}"= "c:\program files\GPSoftware\Directory Opus\dopuslib.dll" [2009-01-20 714224]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2010-07-26 12:42 15216 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\SYSTEM32\guard32.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Gaby Cove^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Gaby Cove\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 20:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ewido anti-spyware 4.0 guard"=2 (0x2)
"Adobe LM Service"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20:TCP"= 20:TCP:cute
"5910:TCP"= 5910:TCP:vnc5910
.
R0 pavboot;pavboot;c:\windows\SYSTEM32\DRIVERS\pavboot.sys [2011-05-01 28552]
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\SYSTEM32\DRIVERS\SmartDefragDriver.sys [2011-04-29 13496]
R1 bbcap;bbcap;c:\windows\SYSTEM32\DRIVERS\bbcap.sys [2006-10-24 2944]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\SYSTEM32\DRIVERS\cmdGuard.sys [2011-01-06 242472]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\SYSTEM32\DRIVERS\cmdhlp.sys [2011-01-06 29400]
R1 ehdrv;ehdrv;c:\windows\SYSTEM32\DRIVERS\ehdrv.sys [2010-12-21 115008]
R1 epfwtdir;epfwtdir;c:\windows\SYSTEM32\DRIVERS\epfwtdir.sys [2010-12-21 94872]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2011-01-12 810144]
R3 shwMirror;shwMirror;c:\windows\SYSTEM32\DRIVERS\shwMirror.sys [2006-08-23 3584]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\GABYCO~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\GABYCO~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\GABYCO~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\GABYCO~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S3 DCamUSBSTK02N;Standard Camera;c:\windows\SYSTEM32\DRIVERS\STK02NW2.sys [2010-06-29 101520]
S3 LHSF_CNX;LHSF_CNX;\??\c:\docume~1\GABYCO~1\LOCALS~1\Temp\LHSF_CNX.sys --> c:\docume~1\GABYCO~1\LOCALS~1\Temp\LHSF_CNX.sys [?]
S3 mr8980;Digital Wireless Camera;c:\windows\SYSTEM32\DRIVERS\mr8980.sys [2009-07-16 105856]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-17 135664]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-17 135664]
S4 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\SYSTEM32\DRIVERS\PPJoyBus.sys [2004-01-23 13952]
S4 PPortJoystick;Parallel Port Joystick device driver;c:\windows\SYSTEM32\DRIVERS\PPortJoy.sys [2004-01-23 28800]
S4 SDTHOOK;SDTHOOK;c:\windows\SYSTEM32\DRIVERS\SDTHOOK.SYS [2008-01-02 44928]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
2011-05-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-17 10:54]
.
2011-05-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-17 10:54]
.
2011-05-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3272319160-1273012194-2206721117-1007Core.job
- c:\documents and settings\Gaby Cove\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-05 19:14]
.
2011-05-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3272319160-1273012194-2206721117-1007UA.job
- c:\documents and settings\Gaby Cove\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-05 19:14]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mSearch Bar =
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Add to AMV Convert Tool... - c:\program files\MP3 Player Utilities 4.00\AMVConverter\grab.html
IE: Add to AMV Converter... - c:\program files\MP3 Player Utilities 4.13\AMVConverter\grab.html
IE: Add to Media Manager... - c:\program files\MP3 Player Utilities 4.13\MediaManager\grab.html
IE: AMV convert tool grab multimedia file - c:\program files\MP3 Player Utilities 5.02\AMVConverter\grab.html
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll/cmsidewiki.html
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Gaby Cove\Application Data\Mozilla\Firefox\Profiles\mcmtkclu.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - www.google.co.uk | hxxp://www.paramountzone.com
FF - Ext: Aero Fox: aerofox@virtusdesigns.com - %profile%\extensions\aerofox@virtusdesigns.com
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com
FF - Ext: SQLite Manager: SQLiteManager@mrinalkant.blogspot.com - %profile%\extensions\SQLiteManager@mrinalkant.blogspot.com
FF - Ext: Session Manager: {1280606b-2510-4fe0-97ef-9b5a22eafe30} - %profile%\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: FEBE: {4BBDD651-70CF-4821-84F8-2B918CF89CA3} - %profile%\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}
FF - Ext: Aero Fox XL: {5c8bfb7c-9a54-11dc-8314-0800200c9a66} - %profile%\extensions\{5c8bfb7c-9a54-11dc-8314-0800200c9a66}
FF - Ext: gTranslate: {aff87fa2-a58e-4edd-b852-0a20203c1e17} - %profile%\extensions\{aff87fa2-a58e-4edd-b852-0a20203c1e17}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
FF - Ext: Adobe DLM (powered by getPlus®): {CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7} - %profile%\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: TradeManager-Plugin: {4D144BC3-23FB-47de-90C5-63CCB0139CCF} - %profile%\extensions\{4D144BC3-23FB-47de-90C5-63CCB0139CCF}
FF - Ext: Font Finder: fontfinder@bendodson.com - %profile%\extensions\fontfinder@bendodson.com
FF - Ext: Dust-Me Selectors: {3c6e1eed-a07e-4c80-9cf3-66ea0bf40b37} - %profile%\extensions\{3c6e1eed-a07e-4c80-9cf3-66ea0bf40b37}
FF - Ext: Seo Toolbar: seotoolbar@seobook.com - %profile%\extensions\seotoolbar@seobook.com
FF - Ext: SearchStatus: {d57c9ff1-6389-48fc-b770-f78bd89b6e8a} - %profile%\extensions\{d57c9ff1-6389-48fc-b770-f78bd89b6e8a}
FF - Ext: LavaFox V1-Blue: djziggy@gmail.com - %profile%\extensions\djziggy@gmail.com
FF - Ext: Oxygen KDE: {C1F83B1E-D6EE-11DE-B441-1AD556D89593} - %profile%\extensions\{C1F83B1E-D6EE-11DE-B441-1AD556D89593}
FF - Ext: FoxLingo: {ef62e1ce-d2a4-4cdd-b7ec-92b120366b66} - %profile%\extensions\{ef62e1ce-d2a4-4cdd-b7ec-92b120366b66}
FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-10 18:23
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose, ZwOpenFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):b7,19,b8,4e,15,36,f2,14,ce,dc,a1,ef,76,9c,22,02,4b,88,87,c7,01,
56,6c,38,a5,1d,61,ac,54,a2,04,d9,37,28,50,11,9f,37,4b,ce,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{dd7be4d8-af43-412d-b563-19368b09eefa}]
@Denied: (Full) (Everyone)
"Model"=dword:00000042
"Therad"=dword:0000000a
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(760)
c:\windows\system32\guard32.dll
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
.
- - - - - - - > 'lsass.exe'(816)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'explorer.exe'(2152)
c:\windows\system32\WININET.dll
c:\windows\system32\guard32.dll
c:\windows\system32\ieframe.dll
c:\program files\GPSoftware\Directory Opus\dopushlp.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-05-10 18:32:00
ComboFix-quarantined-files.txt 2011-05-10 17:31
ComboFix2.txt 2011-05-04 18:44
ComboFix3.txt 2011-04-23 17:22
.
Pre-Run: 11,707,322,368 bytes free
Post-Run: 11,677,777,920 bytes free
.
- - End Of File - - 2FF586703E71C5ACA80EB5941842867A

#12 myrti

Posted 11 May 2011 - 11:35 AM

Hi,

Please download SystemLook from jpshortstuff and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click the SystemLook and copy/paste the following into the box
    :filefind
    kxtdypow.*
  • Hit the Look button. Let it finish the scan
  • A log will then pop up on your Desktop. Post the content of the log here in your next reply

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#13 myrti

Posted 22 May 2011 - 03:26 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
