
Google Redirect Virus


  • This topic is locked
9 replies to this topic

#1 mommyinzion

mommyinzion

  • Members
  • 17 posts
  • OFFLINE
  • Local time:04:16 PM

Posted 25 April 2011 - 01:29 PM

I have the Google Redirect Virus. I've tried to remove it with Malwarebytes, but I'm still infected.

I followed the steps of what to do before posting, and was able to do everything except run DDS. DDS blue screens when I run it.

Is there a way to get DDS running or is there another program I can use?

Here is my GMER log:

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-25 12:27:35
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 rev.
Running: gmer.exe; Driver: C:\DOCUME~1\BREAME~1\LOCALS~1\Temp\ugtdqpoc.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \FileSystem\Ntfs \Ntfs tvtfilter.sys (Rescue and Recovery filter driver/Lenovo)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp tcpipBM.SYS (Bytemobile Kernel Network Provider/Bytemobile, Inc.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \FileSystem\Fastfat \Fat A4733D20

AttachedDevice \FileSystem\Fastfat \Fat SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)


---- EOF - GMER 1.0.15 ----

Attached Files

  • ark.txt (36.68 KB)




#2 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:05:16 AM

Posted 02 May 2011 - 10:31 AM

Hello mommyinzion and welcome to BC. :)

Sorry about the delay, do you still need help?

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 mommyinzion

mommyinzion
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:04:16 PM

Posted 02 May 2011 - 10:35 AM

Oh yes!! I've been surviving on the fact that I can copy and paste links and have them work when I do a Google Search, but it's nerve-wracking knowing more damage could be continuing without me knowing it.


Thank you so much for the reply. Any idea on how I can get DDS to run? I'm assuming the sneaky virus is getting in the way.

#4 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:05:16 AM

Posted 02 May 2011 - 10:47 AM

We will begin by generating logs for my review. Also note that we're in different time zones, so it is possible to have some delays between responses.


1. Download OTL to your Desktop.
  • Double click on the OTL icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Copy and Paste the following code into the Custom Scan/Fixes box.

    /md5start
    VolSnap.sys
    /md5stop
    
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them when you reply.


2. Download TDSSKiller.zip from Kaspersky and save it to your Desktop.
  • Extract the zip file to its own folder.
  • Double click TDSSKiller.exe to run the program (Run as Administrator for Vista/Windows 7).
  • Click Start scan to start scanning.
  • If infection is detected, the default setting for "action" is Cure (Please click on it and change it to skip).
  • Click on Report to generate a log.
  • Please post that log when you reply.

~Semp



#5 mommyinzion

mommyinzion
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:04:16 PM

Posted 02 May 2011 - 11:06 AM

OTL only gave me one Notepad doc, OTL.Txt. I ran it twice to see if I accidentally ended the scan the first time before it generated the Extras.txt, but it was the same the second time.

With TDSSKiller, no infections were found and I didn't see an option to generate a report. Maybe that's just if it cures an infection?

OTL.txt:

OTL logfile created on: 5/2/2011 9:55:37 AM - Run 3
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Brea Mefford\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 54.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 60.29 Gb Total Space | 23.60 Gb Free Space | 39.15% Space Free | Partition Type: NTFS
Unable to calculate disk information.
Drive E: | 162.83 Gb Total Space | 68.11 Gb Free Space | 41.83% Space Free | Partition Type: NTFS

Computer Name: BREA | User Name: Brea Mefford | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

SRV - [2009/02/25 18:06:42 | 000,013,088 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2008/11/24 16:34:02 | 000,520,192 | ---- | M] () [Auto | Running] -- C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe -- (TVT Backup Protection Service)
SRV - [2008/10/09 03:05:16 | 000,360,448 | ---- | M] (Lenovo Group Limited) [Auto | Stopped] -- C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe -- (TVT_UpdateMonitor)
SRV - [2008/09/29 11:35:08 | 000,467,028 | ---- | M] (Atheros) [Auto | Running] -- C:\WINDOWS\system32\acs.exe -- (acs)
SRV - [2008/04/15 09:47:58 | 001,120,752 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe -- (RoxMediaDB10)
SRV - [2007/01/04 20:48:52 | 000,112,152 | R--- | M] (InterVideo) [Auto | Running] -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)
SRV - [2005/09/09 20:09:28 | 002,066,024 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton Ghost\Agent\VProSvc.exe -- (Norton Ghost)
SRV - [2005/09/09 20:09:10 | 000,053,248 | ---- | M] (GEAR Software) [Auto | Running] -- C:\WINDOWS\system32\gearsec.exe -- (GEARSecurity)
SRV - [2004/12/13 16:30:10 | 000,165,488 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2004/12/13 16:30:08 | 000,079,472 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc)
SRV - [2004/12/13 16:30:04 | 000,198,256 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)


========== Driver Services (SafeList) ==========

DRV - [2011/02/07 15:39:48 | 000,004,608 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\symlcbrd.sys -- (symlcbrd)
DRV - [2010/10/21 11:52:07 | 000,030,144 | ---- | M] (Lenovo (United States) Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\psadd.sys -- (psadd)
DRV - [2010/07/18 15:58:34 | 000,822,400 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CHDAU32.sys -- (CnxtHdAudService)
DRV - [2009/10/22 10:04:00 | 000,004,442 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TPPWRIF.SYS -- (TPPWRIF)
DRV - [2009/05/13 21:26:40 | 000,047,272 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2009/05/13 21:26:38 | 000,991,136 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2009/05/01 09:43:30 | 000,026,888 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\swmsflt.sys -- (swmsflt)
DRV - [2009/05/01 09:43:24 | 000,222,720 | ---- | M] (Novatel Wireless Inc) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NWADIenum.sys -- (NWADI)
DRV - [2009/05/01 09:43:22 | 000,018,816 | ---- | M] (Bytemobile, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\tcpipBM.sys -- (tcpipBM)
DRV - [2009/05/01 09:43:20 | 000,038,680 | ---- | M] (PCTEL Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pctnullport.sys -- (Nmea)
DRV - [2009/05/01 09:42:04 | 000,032,408 | ---- | M] (Smith Micro Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\PCTINDIS5.sys -- (PCTINDIS5)
DRV - [2009/01/28 18:58:46 | 000,117,800 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\Apsx86.sys -- (Shockprf)
DRV - [2009/01/28 18:57:12 | 000,020,520 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\ApsHM86.sys -- (TPDIGIMN)
DRV - [2008/11/24 18:04:10 | 000,027,072 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PCASp50.sys -- (PCASp50)
DRV - [2008/09/19 01:29:54 | 000,243,856 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1y5132.sys -- (e1yexpress) Intel®
DRV - [2008/09/18 20:44:38 | 001,326,528 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\athw.sys -- (AR5416)
DRV - [2008/05/12 03:04:04 | 000,013,480 | ---- | M] (Lenovo Group Limited) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\smiif32.sys -- (lenovo.smi)
DRV - [2008/04/09 04:16:48 | 000,985,472 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2008/04/09 04:16:48 | 000,731,264 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2008/04/09 04:16:48 | 000,210,560 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2008/03/25 22:21:06 | 000,013,824 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tpm.sys -- (tpm)
DRV - [2008/03/25 22:12:56 | 000,040,832 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI) Intel®
DRV - [2008/02/22 16:54:40 | 000,037,312 | ---- | M] (Lenovo (United States) Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tvti2c.sys -- (TVTI2C)
DRV - [2008/02/15 03:01:00 | 000,046,592 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2008/02/08 10:46:36 | 000,057,408 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wsimd.sys -- (WSIMD)
DRV - [2007/07/29 20:54:00 | 000,038,400 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2007/07/29 19:42:00 | 000,043,008 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2005/09/09 20:09:20 | 000,144,832 | ---- | M] (StorageCraft) [File_System | Boot | Running] -- C:\WINDOWS\System32\drivers\SymSnap.sys -- (SymSnap)
DRV - [2005/09/09 20:09:20 | 000,056,192 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\V2iMount.sys -- (V2IMount)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: support@ancestry.com:1.0.0.1
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.6


FF - HKLM\software\mozilla\Firefox\extensions\\{9D46A0BF-E7FF-433C-BD00-007359CF68F8}: C:\Documents and Settings\Brea Mefford\Local Settings\Application Data\{9D46A0BF-E7FF-433C-BD00-007359CF68F8} [2011/04/14 09:59:48 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{13FFBE46-572F-4F6D-8E76-A4A993522066}: C:\Documents and Settings\TEMP\Local Settings\Application Data\{13FFBE46-572F-4F6D-8E76-A4A993522066}
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/05/01 17:00:57 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/01 17:00:57 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.9\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2011/04/01 13:46:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.9\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2010/11/26 15:19:07 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Brea Mefford\Application Data\Mozilla\Extensions
[2010/11/26 15:19:07 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Brea Mefford\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2011/04/25 19:33:34 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Brea Mefford\Application Data\Mozilla\Firefox\Profiles\odvlh52y.default\extensions
[2010/12/12 06:27:40 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Brea Mefford\Application Data\Mozilla\Firefox\Profiles\odvlh52y.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/04/24 15:11:06 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Brea Mefford\Application Data\Mozilla\Firefox\Profiles\odvlh52y.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/12/26 15:33:29 | 000,000,000 | ---D | M] (Ancestry.com Advanced Image Viewer) -- C:\Documents and Settings\Brea Mefford\Application Data\Mozilla\Firefox\Profiles\odvlh52y.default\extensions\support@ancestry.com
[2011/04/24 15:11:06 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/10/21 11:50:11 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2010/11/14 22:58:33 | 000,466,944 | ---- | M] (Catalina Marketing Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPcol400.dll
[2010/11/14 22:58:34 | 000,466,944 | ---- | M] (Catalina Marketing Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPcol500.dll
[2009/11/19 15:16:28 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
[2010/11/12 19:53:06 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2009/11/19 15:16:29 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npMozCouponPrinter.dll

O1 HOSTS File: ([2011/04/23 23:31:32 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O4 - HKLM..\Run: [AmazonGSDownloaderTray] C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe (Amazon.com)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [HotSync] File not found
O4 - HKLM..\Run: [LENOVO.TPFNF6R] C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [Norton Ghost 10.0] C:\Program Files\Norton Ghost\Agent\GhostTray.exe (Symantec Corporation)
O4 - HKLM..\Run: [PWRMGRTR] C:\Program Files\ThinkPad\Utilities\PWRMGRTR.DLL (Lenovo Group Limited)
O4 - HKLM..\Run: [RDVCHG] C:\Program Files\Sprint\Sprint SmartView\RDVCHG.exe (C-motech Co.,Ltd)
O4 - HKLM..\Run: [Sprint SmartView] C:\Program Files\Sprint\Sprint SmartView\SprintSV.exe (Sprint)
O4 - HKLM..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [Xxocerocohuvilit] File not found
O4 - HKCU..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil10l_Plugin.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk = C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Pidgin (2).lnk = C:\Program Files\Pidgin\pidgin.exe (The Pidgin developer community)
O4 - Startup: C:\Documents and Settings\Brea Mefford\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Evernote 4.0 - C:\Program Files\Evernote\Evernote\EvernoteIE.dll (Evernote Corp., 333 W Evelyn Ave. Mountain View, CA 94041)
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: @C:\Program Files\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files\Evernote\Evernote\EvernoteIE.dll (Evernote Corp., 333 W Evelyn Ave. Mountain View, CA 94041)
O9 - Extra 'Tools' menuitem : @C:\Program Files\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files\Evernote\Evernote\EvernoteIE.dll (Evernote Corp., 333 W Evelyn Ave. Mountain View, CA 94041)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab (QuickTime Object)
O16 - DPF: {74F4F118-91E6-4AFC-B8D2-04066781F239} https://webdeposit.ensenta.com/eztwainx.cab (EZTwainX by Dosadi)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos-beta/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.85.102 68.87.69.150 0.0.0.0
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\tpfnf2: DllName - C:\Program Files\Lenovo\HOTKEY\notifyf2.dll - C:\Program Files\Lenovo\HOTKEY\notifyf2.dll ()
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/07/21 16:02:34 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/05/02 09:48:15 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Brea Mefford\Desktop\OTL.exe
[2011/04/25 09:53:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brea Mefford\Desktop\gmer
[2011/04/23 21:13:41 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/04/23 18:16:28 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2011/04/23 12:04:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Cygwin
[2011/04/23 12:00:26 | 000,000,000 | ---D | C] -- C:\cygwin
[2011/04/14 09:59:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brea Mefford\Local Settings\Application Data\{9D46A0BF-E7FF-433C-BD00-007359CF68F8}
[2011/04/14 09:58:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brea Mefford\Application Data\BBE36686449889630D39CD426DDCD6A3
[2011/04/12 23:27:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brea Mefford\Desktop\app_sales.2010
[2011/04/12 11:19:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brea Mefford\Desktop\2010 dreamers of zion
[2011/04/05 13:33:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\AlawarWrapper
[2011/04/05 13:33:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AlawarWrapper
[2011/04/05 13:33:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brea Mefford\Start Menu\Programs\Alawar Games
[2011/04/05 13:33:06 | 000,000,000 | ---D | C] -- C:\Program Files\Alawar
[2011/04/03 13:19:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\Neat Mobile Scanner
[2011/04/03 13:19:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\Neat ADF Scanner 2008 Calibration Data
[2011/04/03 13:18:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\Neat Mobile Scanner 2008 Calibration Data
[2011/04/03 13:02:17 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC

========== Files - Modified Within 30 Days ==========

[2011/05/02 09:48:15 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Brea Mefford\Desktop\OTL.exe
[2011/05/02 07:06:54 | 007,134,360 | ---- | M] () -- C:\Documents and Settings\Brea Mefford\Desktop\George_Sells_1901_Canadian_Census.zip
[2011/05/01 20:22:18 | 000,000,316 | ---- | M] () -- C:\WINDOWS\tasks\PMTask.job
[2011/04/27 12:24:20 | 000,000,036 | -H-- | M] () -- C:\WINDOWS\System32\f9t.dat
[2011/04/25 10:55:34 | 000,002,278 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/04/25 10:53:54 | 000,000,318 | -HS- | M] () -- C:\WINDOWS\tasks\OVYGB.job
[2011/04/25 10:53:45 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/04/25 10:53:39 | 2088,787,968 | -HS- | M] () -- C:\hiberfil.sys
[2011/04/25 09:53:04 | 000,293,019 | ---- | M] () -- C:\Documents and Settings\Brea Mefford\Desktop\gmer.zip
[2011/04/25 09:27:05 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\Brea Mefford\Desktop\dds.scr
[2011/04/25 09:25:56 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Brea Mefford\Desktop\Defogger.exe
[2011/04/24 00:26:33 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Brea Mefford\defogger_reenable
[2011/04/23 23:31:32 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/04/23 23:13:55 | 001,263,721 | ---- | M] () -- C:\Documents and Settings\Brea Mefford\Desktop\tdsskiller.zip
[2011/04/23 18:17:06 | 000,001,775 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2011/04/23 18:04:53 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Wfocowov.dat
[2011/04/23 11:57:54 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Bzofatoxolib.bin
[2011/04/22 09:31:17 | 000,258,910 | ---- | M] () -- C:\Documents and Settings\Brea Mefford\Desktop\Sam's 1099 from Palm.pdf
[2011/04/21 07:34:45 | 000,000,560 | ---- | M] () -- C:\Documents and Settings\Brea Mefford\Application Data\AutoGK.ini
[2011/04/17 15:45:05 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2011/04/17 15:45:05 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2011/04/14 20:22:09 | 000,015,462 | -HS- | M] () -- C:\Documents and Settings\Brea Mefford\Local Settings\Application Data\407238423
[2011/04/14 20:22:09 | 000,015,462 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\407238423
[2011/04/14 10:13:54 | 000,192,184 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/04/14 09:58:12 | 000,200,704 | RHS- | M] () -- C:\WINDOWS\System32\EqnClass4.dll
[2011/04/14 08:19:50 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/04/14 08:19:08 | 000,489,478 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/04/14 08:19:08 | 000,089,942 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/04/12 20:29:29 | 000,004,175 | ---- | M] () -- C:\Documents and Settings\Brea Mefford\Desktop\app_sales.2010.zip
[2011/04/12 11:17:05 | 001,148,330 | ---- | M] () -- C:\Documents and Settings\Brea Mefford\Desktop\2010 dreamers of zion.zip
[2011/04/08 14:55:40 | 000,392,749 | ---- | M] () -- C:\Documents and Settings\Brea Mefford\Desktop\Sam's 2010 Roth IRA Deposit.pdf
[2011/04/08 08:38:45 | 000,352,253 | ---- | M] () -- C:\Documents and Settings\Brea Mefford\Desktop\Brea's Youth Protection Training.JPG
[2011/04/08 08:36:17 | 000,000,041 | ---- | M] () -- C:\WINDOWS\System32\SK Image Printer Port
[2011/04/05 13:33:16 | 000,001,582 | ---- | M] () -- C:\Documents and Settings\Brea Mefford\Desktop\Alawar Games.lnk
[2011/04/05 13:33:16 | 000,000,823 | ---- | M] () -- C:\Documents and Settings\Brea Mefford\Desktop\Farm Frenzy 2.lnk
[2011/04/03 15:12:52 | 006,196,119 | ---- | M] () -- C:\Documents and Settings\Brea Mefford\Desktop\Eagle Application- Jake Burton.pdf
[2011/04/03 14:03:08 | 006,084,407 | ---- | M] () -- C:\Documents and Settings\Brea Mefford\Desktop\Eagle Application- Brennon Brimhall.pdf
[2011/04/03 12:17:18 | 007,600,136 | ---- | M] () -- C:\Documents and Settings\Brea Mefford\Desktop\Eagle Project.pdf

========== Files Created - No Company Name ==========

[2011/05/02 07:06:25 | 007,134,360 | ---- | C] () -- C:\Documents and Settings\Brea Mefford\Desktop\George_Sells_1901_Canadian_Census.zip
[2011/04/25 09:53:03 | 000,293,019 | ---- | C] () -- C:\Documents and Settings\Brea Mefford\Desktop\gmer.zip
[2011/04/25 09:27:05 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\Brea Mefford\Desktop\dds.scr
[2011/04/25 09:25:55 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Brea Mefford\Desktop\Defogger.exe
[2011/04/24 00:26:33 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Brea Mefford\defogger_reenable
[2011/04/23 23:13:47 | 001,263,721 | ---- | C] () -- C:\Documents and Settings\Brea Mefford\Desktop\tdsskiller.zip
[2011/04/22 09:31:08 | 000,258,910 | ---- | C] () -- C:\Documents and Settings\Brea Mefford\Desktop\Sam's 1099 from Palm.pdf
[2011/04/17 15:36:47 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Wfocowov.dat
[2011/04/17 15:36:47 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Bzofatoxolib.bin
[2011/04/14 21:23:15 | 2088,787,968 | -HS- | C] () -- C:\hiberfil.sys
[2011/04/14 10:02:04 | 000,015,462 | -HS- | C] () -- C:\Documents and Settings\Brea Mefford\Local Settings\Application Data\407238423
[2011/04/14 10:02:04 | 000,015,462 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\407238423
[2011/04/14 09:58:12 | 000,200,704 | RHS- | C] () -- C:\WINDOWS\System32\EqnClass4.dll
[2011/04/14 09:58:12 | 000,000,318 | -HS- | C] () -- C:\WINDOWS\tasks\OVYGB.job
[2011/04/12 20:29:28 | 000,004,175 | ---- | C] () -- C:\Documents and Settings\Brea Mefford\Desktop\app_sales.2010.zip
[2011/04/12 11:17:05 | 001,148,330 | ---- | C] () -- C:\Documents and Settings\Brea Mefford\Desktop\2010 dreamers of zion.zip
[2011/04/08 14:55:28 | 000,392,749 | ---- | C] () -- C:\Documents and Settings\Brea Mefford\Desktop\Sam's 2010 Roth IRA Deposit.pdf
[2011/04/08 08:38:45 | 000,352,253 | ---- | C] () -- C:\Documents and Settings\Brea Mefford\Desktop\Brea's Youth Protection Training.JPG
[2011/04/05 13:33:16 | 000,001,582 | ---- | C] () -- C:\Documents and Settings\Brea Mefford\Desktop\Alawar Games.lnk
[2011/04/05 13:33:16 | 000,000,823 | ---- | C] () -- C:\Documents and Settings\Brea Mefford\Desktop\Farm Frenzy 2.lnk
[2011/04/03 15:00:26 | 006,196,119 | ---- | C] () -- C:\Documents and Settings\Brea Mefford\Desktop\Eagle Application- Jake Burton.pdf
[2011/04/03 12:35:27 | 006,084,407 | ---- | C] () -- C:\Documents and Settings\Brea Mefford\Desktop\Eagle Application- Brennon Brimhall.pdf
[2011/04/03 12:17:08 | 007,600,136 | ---- | C] () -- C:\Documents and Settings\Brea Mefford\Desktop\Eagle Project.pdf
[2011/02/07 16:07:13 | 000,000,135 | ---- | C] () -- C:\Documents and Settings\Brea Mefford\Local Settings\Application Data\fusioncache.dat
[2010/12/27 12:10:25 | 000,000,560 | ---- | C] () -- C:\Documents and Settings\Brea Mefford\Application Data\AutoGK.ini
[2010/12/27 11:18:03 | 000,043,602 | ---- | C] () -- C:\WINDOWS\System32\xvid-uninstall.exe
[2010/12/21 12:23:49 | 000,000,036 | -H-- | C] () -- C:\WINDOWS\System32\f9t.dat
[2010/11/25 07:28:38 | 000,000,120 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2010/11/02 15:28:58 | 000,625,848 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/10/30 15:07:34 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/10/24 08:03:56 | 000,338,944 | ---- | C] () -- C:\WINDOWS\System32\lffpx7.dll
[2010/10/24 08:03:55 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\lfkodak.dll
[2010/10/21 23:28:31 | 000,015,360 | ---- | C] () -- C:\WINDOWS\System32\GetInst32.dll
[2010/10/21 23:14:28 | 000,029,184 | ---- | C] () -- C:\Documents and Settings\Brea Mefford\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/10/21 22:03:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/10/21 12:05:30 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2010/10/21 11:55:07 | 000,150,080 | ---- | C] () -- C:\WINDOWS\desktopset.exe
[2010/10/21 11:54:42 | 000,028,672 | ---- | C] () -- C:\WINDOWS\PWMBTHLP.EXE
[2010/10/21 11:54:42 | 000,004,442 | ---- | C] () -- C:\WINDOWS\System32\drivers\TPPWRIF.SYS
[2010/10/21 11:52:04 | 000,000,120 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/10/21 11:49:49 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2010/10/21 11:49:49 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2010/10/21 11:49:49 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2010/10/21 11:49:49 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2010/10/21 11:49:49 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2010/10/21 11:49:49 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2010/10/21 11:43:18 | 000,982,196 | ---- | C] () -- C:\WINDOWS\System32\igkrng500.bin
[2010/10/21 11:43:18 | 000,417,344 | ---- | C] () -- C:\WINDOWS\System32\igcompkrng500.bin
[2010/10/21 11:41:35 | 000,651,264 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2010/10/21 11:41:35 | 000,262,216 | ---- | C] () -- C:\WINDOWS\System32\IPTests.dll
[2010/10/21 11:41:35 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2010/10/21 11:39:32 | 000,000,102 | ---- | C] () -- C:\WINDOWS\System32\softkbd.exe.config
[2009/05/08 16:08:42 | 002,854,976 | ---- | C] () -- C:\WINDOWS\System32\btwicons.dll
[2009/05/01 09:43:30 | 000,026,888 | ---- | C] () -- C:\WINDOWS\System32\drivers\swmsflt.sys
[2008/07/22 09:22:09 | 000,004,670 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2008/07/21 16:50:02 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008/07/21 16:50:00 | 000,489,478 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008/07/21 16:50:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008/07/21 16:50:00 | 000,089,942 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008/07/21 16:50:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008/07/21 16:49:59 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2008/07/21 16:49:59 | 000,004,547 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2008/07/21 16:49:58 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2008/07/21 16:49:55 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008/07/21 16:49:55 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2008/07/21 16:49:50 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008/07/21 16:49:48 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008/07/21 16:04:47 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2008/07/21 16:00:30 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/07/21 08:55:48 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/07/21 08:55:02 | 000,192,184 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2006/12/08 06:50:14 | 000,217,088 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2006/12/08 06:47:54 | 001,159,168 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2002/10/15 16:54:04 | 000,153,088 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2001/11/14 14:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

========== Custom Scans ==========



< MD5 for: VOLSNAP.SYS >
[2008/04/14 06:00:00 | 000,052,352 | ---- | M] (Microsoft Corporation) MD5=4C8FCB5CC53AAB716D810740FE59D025 -- C:\WINDOWS\system32\drivers\volsnap.sys

< End of report >

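Reading a log like the one above is mostly pattern work: autostart values whose target no longer exists, hidden files with no version-info company in system areas, randomly named .dat/.bin files dropped straight into C:\WINDOWS, and a machine-wide Firefox extension whose code sits in a GUID-named folder under a user's Local Settings. The script below is an added example, not code from this thread or from the OTL tool's author; the heuristics are mine, the sample lines are copied from the OTL log above (with some clean entries mixed in so the rules have something to ignore), and the scan time is assumed from the OTL.exe timestamp in the log. Anything it flags is a lead to verify with a hash lookup or signature check, not a verdict.

```python
"""Triage heuristics for OTL log lines (added example, not part of the thread)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# Lines copied from the OTL log posted above, with a few clean entries mixed in
# so the rules have something to ignore. The real log has hundreds more.
SAMPLE_LINES = [
    r"PRC - [2008/04/14 06:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe",
    r"FF - HKLM\software\mozilla\Firefox\extensions\\{9D46A0BF-E7FF-433C-BD00-007359CF68F8}: C:\Documents and Settings\Brea Mefford\Local Settings\Application Data\{9D46A0BF-E7FF-433C-BD00-007359CF68F8} [2011/04/14 09:59:48 | 000,000,000 | ---D | M]",
    r"O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.",
    r"O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)",
    r"O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)",
    r"O4 - HKLM..\Run: [Xxocerocohuvilit] File not found",
    r"[2011/04/25 10:53:54 | 000,000,318 | -HS- | M] () -- C:\WINDOWS\tasks\OVYGB.job",
    r"[2011/04/14 09:58:12 | 000,200,704 | RHS- | M] () -- C:\WINDOWS\System32\EqnClass4.dll",
    r"[2011/04/14 20:22:09 | 000,015,462 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\407238423",
    r"[2011/04/27 12:24:20 | 000,000,036 | -H-- | M] () -- C:\WINDOWS\System32\f9t.dat",
    r"[2011/04/25 10:53:39 | 2088,787,968 | -HS- | M] () -- C:\hiberfil.sys",
    r"[2011/04/25 10:53:45 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat",
    r"[2011/04/17 15:36:47 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Wfocowov.dat",
    r"[2011/04/17 15:36:47 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Bzofatoxolib.bin",
    r"[2010/10/21 22:03:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat",
    r"[2008/07/21 16:04:47 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat",
]

# Assumed scan time: the OTL.exe timestamp shown in the log (2011/05/02 09:48:15).
SCAN_TIME = datetime(2011, 5, 2, 9, 48, 15)

# OTL file entry: [date time | size | attrs | M or C] (company) -- path
# (company names that themselves contain ')' are not handled here).
FILE_RE = re.compile(
    r"^(?:[A-Z]{3} - )?\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| [\d,]+ \| "
    r"(?P<attrs>[RHSD-]{4}) \| (?P<kind>[MC])\] \((?P<company>[^)]*)\) -- (?P<path>.+)$"
)
RUN_RE = re.compile(r"^O4 - HK(?:LM|CU)\.\.\\Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<target>.+)$")
CLSID_RE = re.compile(r"^O[23] - .*?(?P<clsid>\{[0-9A-Fa-f-]+\}) - No CLSID value found\.$")
FF_EXT_RE = re.compile(
    r"^FF - HKLM\\software\\mozilla\\Firefox\\extensions\\\\(?P<id>\{[0-9A-Fa-f-]+\}): "
    r"(?P<path>.+?)(?: \[[^\]]*\])?$"
)
ROOT_DAT_RE = re.compile(r"c:\\windows\\[^\\]+\.(?:dat|bin)")


@dataclass(frozen=True)
class Finding:
    rule: str      # which heuristic fired
    subject: str   # file name, Run value name, CLSID or extension id
    line: str      # the log line, so the analyst can go back to it


def triage(lines: List[str], scan_time: datetime, recent_days: int = 30) -> List[Finding]:
    """Return leads worth verifying, in input order, one per (rule, subject)."""
    cutoff = scan_time - timedelta(days=recent_days)
    seen = set()
    findings: List[Finding] = []

    def add(rule: str, subject: str, line: str) -> None:
        if (rule, subject) not in seen:
            seen.add((rule, subject))
            findings.append(Finding(rule, subject, line))

    for raw in lines:
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            # Autostart value whose target is gone: a remnant of something removed.
            if m.group("target") == "File not found":
                add("orphan-autorun", m.group("name"), line)
            continue
        m = CLSID_RE.match(line)
        if m:
            # BHO or toolbar registration with no CLSID behind it.
            add("orphan-clsid", m.group("clsid"), line)
            continue
        m = FF_EXT_RE.match(line)
        if m:
            # Machine-wide (HKLM) Firefox extension whose code lives in a
            # GUID-named folder inside a user's Local Settings\Application Data.
            if "\\local settings\\application data\\{" in m.group("path").lower():
                add("profile-guid-extension", m.group("id"), line)
            continue
        m = FILE_RE.match(line)
        if not m:
            continue
        path, attrs, company = m.group("path"), m.group("attrs"), m.group("company")
        low = path.lower()
        name = path.rsplit("\\", 1)[-1]
        in_system = low.startswith("c:\\windows\\") or "\\application data\\" in low
        if company == "" and "H" in attrs and in_system:
            # Hidden file with no version-info company in a system or profile data area.
            add("hidden-unsigned-system", name, line)
        elif (company == "" and m.group("kind") == "C"
              and datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S") >= cutoff
              and ROOT_DAT_RE.fullmatch(low)):
            # .dat/.bin created directly under C:\WINDOWS within the scan window.
            add("recent-root-datfile", name, line)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES, SCAN_TIME):
        print(f"{f.rule:24} {f.subject}")
```

Run against the sample, the rules pick out the same entries the fix script in the next post targets (the Xxocerocohuvilit Run value, the orphaned BHO, the GUID extension, Wfocowov.dat and Bzofatoxolib.bin) plus the hidden OVYGB.job task, EqnClass4.dll, f9t.dat and the 407238423 files, while leaving explorer.exe, ccApp, hiberfil.sys, bootstat.dat and the old nsreg.dat alone. The hidden-attribute and root-.dat rules are deliberately coarse; a fresh hiberfil or pagefile outside C:\WINDOWS is not flagged, but a legitimate hidden data file under Application Data would be, which is why each hit is a lead and not a removal list.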
#6 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:05:16 AM

Posted 02 May 2011 - 11:22 AM

Do the following please.


1. Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scan/Fixes text box.

    :OTL
    FF - HKLM\software\mozilla\Firefox\extensions\\{9D46A0BF-E7FF-433C-BD00-007359CF68F8}: C:\Documents and Settings\Brea Mefford\Local Settings\Application Data\{9D46A0BF-E7FF-433C-BD00-007359CF68F8} [2011/04/14 09:59:48 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Firefox\extensions\\{13FFBE46-572F-4F6D-8E76-A4A993522066}: C:\Documents and Settings\TEMP\Local Settings\Application Data\{13FFBE46-572F-4F6D-8E76-A4A993522066}
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
    O4 - HKLM..\Run: [Xxocerocohuvilit] File not found
    [2011/04/23 18:04:53 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Wfocowov.dat
    [2011/04/23 11:57:54 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Bzofatoxolib.bin
    
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [EMPTYTEMP] 
    
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • A message box "Fix complete! Click OK to open the fix log." will pop-up.
  • Click the OK button and a report will open.
  • Copy and Paste that report in your next reply.



2. Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.

Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.

  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.

Posted Image


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:

  • Leave your computer alone while ComboFix is running.
  • ComboFix will restart your computer if malware is found; allow it to do so.
  • ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  • Please do not mouseclick ComboFix's window while it's running because it may cause it to stall.
  • ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.


~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#7 mommyinzion

mommyinzion
  • Topic Starter

  • Members
  • 17 posts
  • Local time:04:16 PM

Posted 02 May 2011 - 12:13 PM

OTL Log-

All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{9D46A0BF-E7FF-433C-BD00-007359CF68F8} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9D46A0BF-E7FF-433C-BD00-007359CF68F8}\ not found.
C:\Documents and Settings\Brea Mefford\Local Settings\Application Data\{9D46A0BF-E7FF-433C-BD00-007359CF68F8}\chrome\content folder moved successfully.
C:\Documents and Settings\Brea Mefford\Local Settings\Application Data\{9D46A0BF-E7FF-433C-BD00-007359CF68F8}\chrome folder moved successfully.
C:\Documents and Settings\Brea Mefford\Local Settings\Application Data\{9D46A0BF-E7FF-433C-BD00-007359CF68F8} folder moved successfully.
Registry value HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{13FFBE46-572F-4F6D-8E76-A4A993522066} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13FFBE46-572F-4F6D-8E76-A4A993522066}\ not found.
File C:\Documents and Settings\TEMP\Local Settings\Application Data\{13FFBE46-572F-4F6D-8E76-A4A993522066} not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Xxocerocohuvilit deleted successfully.
C:\WINDOWS\Wfocowov.dat moved successfully.
C:\WINDOWS\Bzofatoxolib.bin moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Brea Mefford\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Brea Mefford\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Brea Mefford
->Temp folder emptied: 15264055 bytes
->Temporary Internet Files folder emptied: 3769785 bytes
->Java cache emptied: 1412330 bytes
->FireFox cache emptied: 81373064 bytes
->Flash cache emptied: 2922 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: dorothy

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 196823 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 97.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 05022011_105600

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

#8 mommyinzion

mommyinzion
  • Topic Starter

  • Members
  • 17 posts
  • Local time:04:16 PM

Posted 02 May 2011 - 12:30 PM

Hopefully there aren't any big problems with Combo Fix. I got an error when trying to install the rescue point. It said I didn't have enough memory, which seems really unlikely.

I also got one other error. I think it was cmdcon? It sounded like it was saying something was interfering. I don't have any virus programs running to interfere, so I'm not sure what it was referring to.

But it ran combofix, and here's the log:


ComboFix 11-05-02.02 - Brea Mefford 05/02/2011 11:19:24.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1992.1413 [GMT -6:00]
Running from: c:\documents and settings\Brea Mefford\Desktop\ComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Brea Mefford\Application Data\Adobe\plugs
c:\documents and settings\Brea Mefford\Application Data\Adobe\shed
c:\documents and settings\Brea Mefford\WINDOWS
c:\windows\system32\Thumbs.db
.
.
((((((((((((((((((((((((( Files Created from 2011-04-02 to 2011-05-02 )))))))))))))))))))))))))))))))
.
.
2011-05-02 16:56 . 2011-05-02 16:56 -------- d-----w- C:\_OTL
2011-04-24 03:13 . 2011-04-24 03:13 -------- d-----w- c:\program files\ESET
2011-04-23 18:00 . 2011-04-23 18:04 -------- d-----w- C:\cygwin
2011-04-14 15:58 . 2011-04-24 03:23 -------- d-----w- c:\documents and settings\Brea Mefford\Application Data\BBE36686449889630D39CD426DDCD6A3
2011-04-14 15:58 . 2011-04-14 15:58 200704 --sha-r- c:\windows\system32\EqnClass4.dll
2011-04-14 09:39 . 2011-04-14 09:39 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-04-14 09:39 . 2011-04-14 09:39 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
2011-04-05 19:33 . 2011-04-05 19:33 -------- d-----w- c:\documents and settings\All Users\Application Data\AlawarWrapper
2011-04-05 19:33 . 2011-04-05 19:33 -------- d-----w- c:\program files\Alawar
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2008-07-21 22:00 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2008-07-21 22:50 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2008-07-21 22:50 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2008-07-21 22:50 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2008-07-21 22:49 43520 ------w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2008-07-21 22:49 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2008-07-21 22:49 385024 ------w- c:\windows\system32\html.iec
2011-02-17 14:30 . 2010-10-22 16:31 398760 ----a-r- c:\windows\system32\cpnprt2.cid
2011-02-17 13:18 . 2008-07-21 22:49 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2008-07-21 22:50 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2010-10-22 12:49 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2008-07-21 22:49 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2008-07-21 22:50 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2008-07-21 22:49 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2008-07-21 22:49 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2008-07-21 22:49 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-07 21:39 . 2011-02-07 21:39 4608 ----a-w- c:\windows\system32\drivers\symlcbrd.sys
2011-02-02 07:58 . 2008-07-21 21:59 2067456 ----a-w- c:\windows\system32\mstscax.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TpShocks"="TpShocks.exe" [2009-02-03 181536]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-03-13 68976]
"LENOVO.TPFNF6R"="c:\program files\Lenovo\HOTKEY\TPFNF6R.exe" [2009-08-20 62752]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-02-19 1434920]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-05-11 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-05-11 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-05-11 142872]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-11-24 487424]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2009-10-22 421888]
"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-10-23 326144]
"Sprint SmartView"="c:\program files\Sprint\Sprint SmartView\SprintSV.exe" [2009-05-01 75008]
"RDVCHG"="c:\program files\Sprint\Sprint SmartView\RDVCHG.exe" [2009-05-01 316672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-14 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 58992]
"Norton Ghost 10.0"="c:\program files\Norton Ghost\Agent\GhostTray.exe" [2005-09-10 1537648]
.
c:\documents and settings\Brea Mefford\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2009-5-8 607584]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2010-10-21 50688]
Pidgin (2).lnk - c:\program files\Pidgin\pidgin.exe [2010-10-20 48618]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 07:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
.
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [1/28/2009 6:57 PM 20520]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [10/23/2008 2:15 AM 13480]
R2 NeatWorksDatabaseController;NeatWorks Database Controller;c:\program files\NeatWorks\exec\NeatWorksDatabaseController.exe [3/2/2011 4:19 PM 351384]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [10/21/2010 11:54 AM 53248]
R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [10/5/2009 8:21 PM 62320]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [11/24/2008 4:34 PM 520192]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [10/21/2010 11:30 AM 243856]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2/22/2008 4:54 PM 37312]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\Lenovo\HOTKEY\micmute.exe [10/5/2009 8:21 PM 45424]
S2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\Lenovo\Rescue and Recovery\UpdateMonitor.exe [5/9/2008 6:50 PM 360448]
S3 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [10/25/2010 2:24 PM 401920]
S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2/28/2011 6:44 PM 183560]
S3 MSSQL$NR2007;SQL Server (NR2007);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [12/10/2010 6:29 PM 29293408]
S3 Normandy;Normandy SR2; [x]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [4/15/2008 9:47 AM 1120752]
.
Contents of the 'Scheduled Tasks' folder
.
2010-10-21 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PCDR5\pcdr5cuiw32.exe [2009-02-20 20:57]
.
2011-05-02 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2010-10-21 16:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Evernote 4.0 - c:\program files\Evernote\Evernote\EvernoteIE.dll/204
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
IE: {{A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://c:\program files\Evernote\Evernote\EvernoteIE.dll/204
LSP: bmnet.dll
TCP: {20381103-6FBE-4931-ABCD-7068EAB91909} = 8.8.8.8,8.8.4.4
TCP: {43C65F78-E68D-40AE-BBD9-3E0C18F57CFF} = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\documents and settings\Brea Mefford\Application Data\Mozilla\Firefox\Profiles\odvlh52y.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Ancestry.com Advanced Image Viewer: support@ancestry.com - %profile%\extensions\support@ancestry.com
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - user.js: general.useragent.extra.brc - BRI/1
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-HotSync - c:\program files\PalmSource\Desktop\HotSync.exe
HKLM_ActiveSetup-Neat ADF Scanner 2008 - reg copy HKLM\Software\The Neat Company\Neat ADF Scanner 2008 HKCU\Software\The Neat Company\Neat ADF Scanner 2008
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-02 11:23
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(1308)
c:\windows\system32\bmnet.dll
.
Completion time: 2011-05-02 11:24:07
ComboFix-quarantined-files.txt 2011-05-02 17:24
.
Pre-Run: 25,323,507,712 bytes free
Post-Run: 25,271,418,880 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.
- - End Of File - - 21621E632A9179D9604AC66089CE045D

#9 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:05:16 AM

Posted 03 May 2011 - 07:41 AM

We need to execute a ComboFix script.

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy-paste the text in the code box below into it:

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
"FirewallOverride"=-

DirLook::
C:\cygwin
C:\Documents and Settings\Brea Mefford\Local Settings\Application Data\{9D46A0BF-E7FF-433C-BD00-007359CF68F8}
C:\Documents and Settings\Brea Mefford\Application Data\BBE36686449889630D39CD426DDCD6A3
C:\Documents and Settings\Brea Mefford\Local Settings\Application Data\407238423
C:\Documents and Settings\All Users\Application Data\407238423

4. Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

5. Referring to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


~Semp
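Added example, written for this edit and not code from the thread, from ComboFix or from OTL: a small Python triage script for a ComboFix log in the layout seen in post #8. It parses the "Files Created" lines and the REGEDIT4-style "Reg Loading Points" section, flags the two Security Center override values (AntiVirusOverride, FirewallOverride set to 1) that the CFScript in post #9 deletes, lists non-directory files under system32 that carry both the hidden and system attributes (a review heuristic only, not a verdict), and renders the matching Registry:: block using the same "Name"=- delete syntax. The sample lines are copied from the log above and trimmed; the regexes assume the line shapes visible on this page.

```python
"""
Triage helper for a ComboFix log (added example, not part of ComboFix or OTL).

Assumes the two layouts visible in this thread:
  'Files Created' lines:   <mtime> . <ctime> <size|--------> <attrs> <path>
  'Reg Loading Points':    REGEDIT4-style [key] / "name"=data lines
Every flag raised here is a heuristic for an analyst to review.
"""
import re

# Constructed sample: lines copied from the ComboFix log posted above, trimmed.
SAMPLE_LOG = r"""
2011-04-14 15:58 . 2011-04-14 15:58 200704 --sha-r- c:\windows\system32\EqnClass4.dll
2011-04-14 09:39 . 2011-04-14 09:39 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-05-02 16:56 . 2011-05-02 16:56 -------- d-----w- C:\_OTL
.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TpShocks"="TpShocks.exe" [2009-02-03 181536]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"""

FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "   # last-modified stamp
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "       # creation stamp
    r"(\d+|-{8}) "                            # size, or -------- for a directory
    r"([-dsharw]{8}) "                        # attribute field, e.g. --sha-r-
    r"(.+)$"                                  # path
)
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

# Security Center values that silence the "no antivirus / no firewall" warnings.
OVERRIDE_VALUES = ("AntiVirusOverride", "FirewallOverride")


def parse_log(text):
    """Split a ComboFix log into file records and a {key: {name: data}} registry map."""
    files, registry, current_key = [], {}, None
    for line in text.splitlines():
        line = line.rstrip()
        m = FILE_RE.match(line)
        if m:
            files.append({"mtime": m.group(1), "ctime": m.group(2), "size": m.group(3),
                          "attrs": m.group(4), "path": m.group(5)})
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            registry.setdefault(current_key, {})
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            registry[current_key][m.group(1)] = m.group(2)
    return files, registry


def find_security_center_overrides(registry):
    """(key, value name) pairs where an override value is set to 1."""
    hits = []
    for key, values in registry.items():
        if key.lower().endswith("\\security center"):
            for name, data in values.items():
                if name in OVERRIDE_VALUES and data.strip().lower() == "dword:00000001":
                    hits.append((key, name))
    return hits


def find_hidden_system_files(files):
    """Non-directory files under system32 with both the hidden (h) and system (s) bits."""
    return [f["path"] for f in files
            if "d" not in f["attrs"] and "h" in f["attrs"] and "s" in f["attrs"]
            and "\\system32\\" in f["path"].lower()]


def cfscript_registry_block(hits):
    """Render a CFScript Registry:: section deleting the flagged values ("Name"=-)."""
    if not hits:
        return ""
    lines = ["Registry::"]
    for key in dict.fromkeys(k for k, _ in hits):  # first-seen key order, no duplicates
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=-' for k, name in hits if k == key)
    return "\n".join(lines) + "\n"


def triage(text):
    """Run every check over one log and return the findings as a dict."""
    files, registry = parse_log(text)
    overrides = find_security_center_overrides(registry)
    return {
        "overrides": overrides,
        "hidden_system_files": find_hidden_system_files(files),
        "run_entries": sorted(registry.get(
            r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", {})),
        "cfscript": cfscript_registry_block(overrides),
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

To use it on a real log, read C:\ComboFix.txt into a string and pass it to triage(); the Run-key inventory is printed unfiltered so the analyst compares it against known software, and the generated Registry:: block is only a draft for a helper to review before anyone runs it.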



#10 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:05:16 AM

Posted 07 May 2011 - 09:06 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

~Semp





