Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Windows XP Recovery Virus - Empty Files


  • This topic is locked This topic is locked
29 replies to this topic

#1 tgal0786

tgal0786

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:09:35 AM

Posted 08 June 2011 - 12:25 AM

Having an issue with empty files left after removal (at least I think I removed it) of Windows XP Recovery Virus. I followed all steps to restore the files but am not having any positive results. I thought about just F Disking the system but I don't keep track of what I put on my system or backup very often so it is more of a pain than it ought to be. Please advise, thanks. Here are the logs from the Malwarebytes, DDS, and GMER. Disregard removal being redirected to scour sites and such...must still be infected. Please help.


Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6804

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

6/7/2011 9:41:57 PM
mbam-log-2011-06-07 (21-41-57).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 304748
Time elapsed: 38 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 22
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Malware Protection (Trojan.FakeAlert) -> Value: Malware Protection -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\OriginalWallpaper (Hijack.Wallpaper) -> Value: OriginalWallpaper -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\ConvertedWallpaper (Hijack.Wallpaper) -> Value: ConvertedWallpaper -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
c:\documents and settings\networkservice\application data\rhct1lj0ee6t (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\rhct1lj0ee6t\quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\rhct1lj0ee6t\quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\rhct1lj0ee6t\quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\rhct1lj0ee6t\quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\rhct1lj0ee6t\quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\rhct1lj0ee6t\quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\rhct1lj0ee6t\quarantine\Autorun\startmenuallusers (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\rhct1lj0ee6t\quarantine\Autorun\startmenucurrentuser (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\rhct1lj0ee6t\quarantine\browserobjects (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\rhct1lj0ee6t\quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\documents and settings\tanya gallant\application data\rhct1lj0ee6t (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\documents and settings\tanya gallant\application data\rhct1lj0ee6t\quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\documents and settings\tanya gallant\application data\rhct1lj0ee6t\quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\documents and settings\tanya gallant\application data\rhct1lj0ee6t\quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\documents and settings\tanya gallant\application data\rhct1lj0ee6t\quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\documents and settings\tanya gallant\application data\rhct1lj0ee6t\quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\documents and settings\tanya gallant\application data\rhct1lj0ee6t\quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\documents and settings\tanya gallant\application data\rhct1lj0ee6t\quarantine\Autorun\startmenuallusers (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\documents and settings\tanya gallant\application data\rhct1lj0ee6t\quarantine\Autorun\startmenucurrentuser (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\documents and settings\tanya gallant\application data\rhct1lj0ee6t\quarantine\browserobjects (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\documents and settings\tanya gallant\application data\rhct1lj0ee6t\quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP895\A0068670.exe (Trojan.Agent.GD) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP895\A0068672.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP895\A0068673.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\defender.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


2nd Scan
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6804

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

6/7/2011 9:02:49 PM
mbam-log-2011-06-07 (21-02-49).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 78372
Time elapsed: 9 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\tanya gallant\local settings\Temp\8.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\documents and settings\tanya gallant\local settings\temporary internet files\Content.IE5\EH33K5WJ\contacts[1].exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

DDS
.
DDS (Ver_2011-06-03.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Run by Tanya Gallant at 23:50:54 on 2011-06-07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1127 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe
C:\Program Files\Motorola\Moto Helper Service\MotoHelper.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\AppStream\WindowsClient\bin\AppMgrService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://msn.com/
uSearch Bar =
uInternet Settings,ProxyOverride = *.local;192.168.*.*
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
TB: {5BED3930-2E9E-76D8-BACC-80DF2188D455} - No File
TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Google Update] "c:\documents and settings\tanya gallant\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [SBAMTray] "c:\program files\sunbelt software\vipre\SBAMTray.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dPolicies-explorer: no folder option = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} - hxxp://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab
TCP: DhcpNameServer = 68.87.71.230 68.87.73.246
TCP: Interfaces\{CDFCDA99-B75B-4B7C-B72A-CAA8C36FEF3C} : DhcpNameServer = 68.87.71.230 68.87.73.246
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: ASWLNDLL - ASWLNDLL.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 nwprovau
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\tanya gallant\application data\mozilla\firefox\profiles\1ieql1sj.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\tanya gallant\local settings\application data\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\photosynth\npPhotosynthMozilla.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Video Codec Plugin: plugin@gameplaylabs.com - %profile%\extensions\plugin@gameplaylabs.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
============= SERVICES / DRIVERS ===============
.
R1 APPSTREAM;APPSTREAM;c:\windows\system32\drivers\AppStream.sys [2007-5-13 115284]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2010-5-23 13400]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2008-8-10 202160]
R2 AppMgrService;AWE 5.1.0 Application Manager;c:\program files\appstream\windowsclient\bin\AppMgrService.exe [2006-9-27 1990656]
R2 MotoHelper.exe;Motorola Helper;c:\program files\motorola\moto helper service\MotoHelper.exe [2010-9-14 6656]
R2 MotoHelper;MotoHelper Service;c:\program files\motorola\motohelper\MotoHelperService.exe [2011-4-26 223088]
R2 REGHOOK;REGHOOK;c:\windows\system32\drivers\RegHook.sys [2006-9-27 54879]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2010-5-23 69720]
R2 SBPIMSvc;SB Recovery Service;c:\program files\sunbelt software\vipre\SBPIMSvc.exe [2010-4-19 181584]
R2 VSPD;VSPD;c:\windows\system32\drivers\VSPD.sys [2006-9-27 31321]
R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-6-7 39984]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-6-7 366640]
S2 SBAMSvc;VIPRE Antivirus;c:\program files\sunbelt software\vipre\SBAMSvc.exe [2010-4-19 2726000]
S2 Symantec Core LC;Symantec Core LC;"c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe" --> c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [?]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys [2011-5-15 6016]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [?]
S3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys --> c:\windows\system32\drivers\mbam.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2011-5-15 20480]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2011-5-15 8320]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\Motousbnet.sys [2011-5-15 23424]
S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\drivers\motusbdevice.sys [2011-5-15 9472]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2009-10-13 95024]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-06-08 00:52:04 -------- d-----w- c:\documents and settings\tanya gallant\application data\Malwarebytes
2011-06-08 00:51:59 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-08 00:51:59 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-06-08 00:51:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-07 17:43:58 -------- d-----w- c:\windows\system32\Events
2011-05-30 22:28:40 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-05-30 22:28:40 -------- d-----w- c:\windows\system32\wbem\Repository
2011-05-30 21:37:14 388096 ----a-r- c:\documents and settings\tanya gallant\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-05-30 21:37:14 -------- d-----w- c:\program files\Trend Micro
2011-05-25 20:52:37 -------- d-----w- c:\documents and settings\all users\application data\PhotoStitch
2011-05-25 01:46:26 -------- d-----w- c:\documents and settings\tanya gallant\application data\ZoomBrowser EX
2011-05-25 01:27:30 -------- d-----w- c:\documents and settings\tanya gallant\application data\CANON INC
2011-05-25 01:24:01 5632 ----a-w- c:\windows\system32\ptpusb.dll
2011-05-25 01:24:00 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-05-25 00:11:53 -------- d-----w- c:\documents and settings\all users\application data\ZoomBrowser
2011-05-15 20:29:35 9472 ----a-w- c:\windows\system32\drivers\motusbdevice.sys
2011-05-15 20:29:34 6016 ----a-w- c:\windows\system32\drivers\motfilt.sys
2011-05-15 20:29:34 23424 ----a-w- c:\windows\system32\drivers\Motousbnet.sys
2011-05-15 20:29:33 8320 ----a-w- c:\windows\system32\drivers\motccgpfl.sys
2011-05-15 20:29:33 6400 ----a-w- c:\windows\system32\drivers\motswch.sys
2011-05-15 20:29:33 24064 ----a-w- c:\windows\system32\drivers\motmodem.sys
2011-05-15 20:29:33 20480 ----a-w- c:\windows\system32\drivers\motccgp.sys
2011-05-15 19:55:24 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
2011-05-15 19:51:08 -------- d-----w- c:\documents and settings\all users\application data\Motorola
.
==================== Find3M ====================
.
2008-01-17 01:35:37 774144 -c--a-w- c:\program files\RngInterstitial.dll
.
============= FINISH: 23:52:36.56 ===============


GMER

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-08 06:55:24
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\00000067 ST3250820AS rev.3.ADG
Running: gmer.exe; Driver: C:\DOCUME~1\TANYAG~1\LOCALS~1\Temp\uxtdipob.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\System32\Drivers\REGHOOK.SYS (Appstream System Services/Appstream Inc.) ZwCreateKey [0xA4AA94B3]
SSDT \??\C:\WINDOWS\System32\Drivers\REGHOOK.SYS (Appstream System Services/Appstream Inc.) ZwDeleteValueKey [0xA4AA98DF]
SSDT \??\C:\WINDOWS\System32\Drivers\REGHOOK.SYS (Appstream System Services/Appstream Inc.) ZwEnumerateValueKey [0xA4AA99CF]
SSDT \??\C:\WINDOWS\System32\Drivers\REGHOOK.SYS (Appstream System Services/Appstream Inc.) ZwQueryValueKey [0xA4AA97BB]
SSDT \??\C:\WINDOWS\System32\Drivers\REGHOOK.SYS (Appstream System Services/Appstream Inc.) ZwSetValueKey [0xA4AA9668]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB8E76360, 0x2F01B7, 0xE8000020]
? C:\DOCUME~1\TANYAG~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\spoolsv.exe[260] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 00DF6E80 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 00DF8E40 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00DF5640 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] kernel32.dll!ReadFile 7C801812 5 Bytes JMP 00DF6FF0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DF9040 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 00DF8A60 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 00DF7B70 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] kernel32.dll!OpenFileMappingW 7C80BB7A 5 Bytes JMP 00DF8D20 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] kernel32.dll!DuplicateHandle 7C80DE9E 5 Bytes JMP 00DFA750 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 00DF86B0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] kernel32.dll!FindClose 7C80EE77 5 Bytes JMP 00DF87C0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 00DF85C0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] kernel32.dll!FindNextFileW 7C80EFDA 5 Bytes JMP 00DF88A0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DF9560 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 00DF7900 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] kernel32.dll!GetFileSize 7C810B17 5 Bytes JMP 00DF7830 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] kernel32.dll!SetFilePointer 7C810C2E 5 Bytes JMP 00DF75A0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] kernel32.dll!WriteFile 7C810E27 5 Bytes JMP 00DF7270 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] kernel32.dll!GetFileType 7C810EF1 5 Bytes JMP 00DF7EE0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 00DF7BF0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] kernel32.dll!GetFileAttributesA 7C8115DC 5 Bytes JMP 00DF7AF0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] kernel32.dll!FlushFileBuffers 7C8126E1 5 Bytes JMP 00DF7520 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] kernel32.dll!FindFirstFileA 7C813879 5 Bytes JMP 00DF84D0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 00DF76F0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 00DFA150 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 00DF9AA0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 00DF9CC0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] kernel32.dll!GetFileTime 7C831C4D 5 Bytes JMP 00DF7CE0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] kernel32.dll!SetFileTime 7C831CC0 5 Bytes JMP 00DF7DE0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] kernel32.dll!DeleteFileA 7C831EDD 5 Bytes JMP 00DF8080 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 00DF81C0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 00DF79D0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] kernel32.dll!UnlockFile 7C8322EC 1 Byte [E9]
.text C:\WINDOWS\system32\spoolsv.exe[260] kernel32.dll!UnlockFile 7C8322EC 5 Bytes JMP 00DF7FF0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] kernel32.dll!LockFile 7C832391 5 Bytes JMP 00DF7F60 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] kernel32.dll!FindNextFileA 7C834EE1 5 Bytes JMP 00DF8830 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] kernel32.dll!_hread 7C8353FE 5 Bytes JMP 00DF8300 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] kernel32.dll!_llseek 7C835436 5 Bytes JMP 00DF8440 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 00DFA3C0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] kernel32.dll!GetShortPathNameA 7C835BE0 5 Bytes JMP 00DF8910 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 00DF9EE0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] kernel32.dll!ReplaceFile 7C836C6C 5 Bytes JMP 00DFA650 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] kernel32.dll!_hwrite 7C838B17 5 Bytes JMP 00DF83A0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 00DF6240 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 00DF5CC0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] GDI32.dll!StretchBlt 77F1B6D0 5 Bytes JMP 00DF6070 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 00DF5E70 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 00DF57A0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 00DF5980 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] GDI32.dll!CopyEnhMetaFileW 77F270CC 5 Bytes JMP 00DF6C70 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] GDI32.dll!CopyMetaFileW 77F2C3ED 5 Bytes JMP 00DF6A60 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] GDI32.dll!CopyMetaFileA 77F2C52B 5 Bytes JMP 00DF6630 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] GDI32.dll!GetMetaFileW 77F3853D 5 Bytes JMP 00DF6840 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] GDI32.dll!GetEnhMetaFileW 77F397A3 5 Bytes JMP 00DF6950 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] GDI32.dll!GetMetaFileA 77F44216 5 Bytes JMP 00DF6410 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] GDI32.dll!StartDocW 77F45962 5 Bytes JMP 00DFD190 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] GDI32.dll!StartDocA 77F45E79 5 Bytes JMP 00DFC1E0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] GDI32.dll!GetEnhMetaFileA 77F4AE35 5 Bytes JMP 00DF6520 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] USER32.dll!ReleaseDC 7E41869D 5 Bytes JMP 00DF61B0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] USER32.dll!GetDC 7E4186C7 5 Bytes JMP 00DF5B60 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] USER32.dll!GetWindowDC 7E419021 5 Bytes JMP 00DF5C50 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] USER32.dll!PrintWindow 7E423810 5 Bytes JMP 00DF6340 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] USER32.dll!GetDCEx 7E42C595 5 Bytes JMP 00DF5BD0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[260] ole32.dll!DoDragDrop 775D0B6D 5 Bytes JMP 00DF8F40 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1232] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 0164000A
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1232] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0161000A
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1232] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 0160000A
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1232] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0162000A
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1232] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 015F000A
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1232] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 0163000A
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1232] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 015E000A
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2360] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00BF000A
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2360] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00BC000A
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2360] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00BB000A
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2360] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00BD000A
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2360] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00BA000A
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2360] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 00BE000A
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2360] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00B9000A
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2588] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2588] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2588] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2588] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2588] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2588] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2588] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2588] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2588] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2588] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2588] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2588] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2588] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2588] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2588] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2588] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2588] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2588] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2588] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2588] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2588] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2588] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2588] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2588] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2588] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2588] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2588] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2588] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2588] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2588] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3924] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3924] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3924] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3924] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3924] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3924] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3924] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3924] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3924] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3924] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3924] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3924] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3924] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3924] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3924] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3924] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3924] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3924] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3924] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3924] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3924] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3924] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3924] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3924] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3924] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3924] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3924] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3924] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3924] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3924] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3924] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00C3000A
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3924] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00C0000A
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3924] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00BF000A
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3924] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C1000A
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3924] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00BE000A
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3924] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 00C2000A
.text C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3924] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00BD000A

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
AttachedDevice \Driver\Tcpip \Device\Tcp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
AttachedDevice \Driver\Tcpip \Device\Udp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
AttachedDevice \Driver\Tcpip \Device\RawIp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)
Device DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Threads - GMER 1.0.15 ----

Thread System [4:132] 8A4B4E7A
Thread System [4:136] 8A4B7008

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\40862B64B96555346987D0FDA6CDBFF0\Usage@~AS_F_Program_Executables 930414615
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Where in the World Is Carmen Sandiego? Treasures of Knowledge@~AS_NoModify 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Where in the World Is Carmen Sandiego? Treasures of Knowledge@~AS_NoRemove 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Where in the World Is Carmen Sandiego? Treasures of Knowledge@~AS_NoRepair 1
Reg HKLM\SOFTWARE\Classes\CLSID\AppStream\GhostRegistryChangesRoot\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG@~AS_~Ref~2090458831
Reg HKLM\SOFTWARE\Classes\CLSID\AppStream\GhostRegistryChangesRoot\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Carmen.exe@~AS_~RemoveKeyFlag~ 1
Reg HKLM\SOFTWARE\Classes\CLSID\AppStream\GhostRegistryChangesRoot\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Carmen.exe@~AS_~Ref~2090458831 ??Path
Reg HKLM\SOFTWARE\Classes\CLSID\AppStream\GhostRegistryChangesRoot\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Where in the World Is Carmen Sandiego? Treasures of Knowledge@~AS_~RemoveKeyFlag~ 1
Reg HKLM\SOFTWARE\Classes\CLSID\AppStream\GhostRegistryChangesRoot\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Where in the World Is Carmen Sandiego? Treasures of Knowledge@~AS_~Ref~2090458831 ?DisplayName?UninstallString
Reg HKLM\SOFTWARE\Classes\CLSID\AppStream\GhostRegistryChangesRoot\MACHINE\SOFTWARE\The Learning Company@~AS_~RemoveKeyFlag~ 1
Reg HKLM\SOFTWARE\Classes\CLSID\AppStream\GhostRegistryChangesRoot\MACHINE\SOFTWARE\The Learning Company@~AS_~Ref~2090458831
Reg HKLM\SOFTWARE\Classes\CLSID\AppStream\GhostRegistryChangesRoot\MACHINE\SOFTWARE\The Learning Company\Products@~AS_~RemoveKeyFlag~ 1
Reg HKLM\SOFTWARE\Classes\CLSID\AppStream\GhostRegistryChangesRoot\MACHINE\SOFTWARE\The Learning Company\Products@~AS_~Ref~2090458831
Reg HKLM\SOFTWARE\Classes\CLSID\AppStream\GhostRegistryChangesRoot\MACHINE\SOFTWARE\The Learning Company\Products\380862@~AS_~RemoveKeyFlag~ 1
Reg HKLM\SOFTWARE\Classes\CLSID\AppStream\GhostRegistryChangesRoot\MACHINE\SOFTWARE\The Learning Company\Products\380862@~AS_~Ref~2090458831 ?Data
Reg HKLM\SOFTWARE\Classes\CLSID\AppStream\GhostRegistryChangesRoot\MACHINE\SOFTWARE\The Learning Company\Treasures of Knowledge@~AS_~RemoveKeyFlag~ 1
Reg HKLM\SOFTWARE\Classes\CLSID\AppStream\GhostRegistryChangesRoot\MACHINE\SOFTWARE\The Learning Company\Treasures of Knowledge@~AS_~Ref~2090458831
Reg HKLM\SOFTWARE\Classes\CLSID\AppStream\GhostRegistryChangesRoot\MACHINE\SOFTWARE\The Learning Company\Treasures of Knowledge\1.0@~AS_~RemoveKeyFlag~ 1
Reg HKLM\SOFTWARE\Classes\CLSID\AppStream\GhostRegistryChangesRoot\MACHINE\SOFTWARE\The Learning Company\Treasures of Knowledge\1.0@~AS_~Ref~2090458831
Reg HKLM\SOFTWARE\Classes\CLSID\AppStream\GhostRegistryChangesRoot\MACHINE\SOFTWARE\The Learning Company\Treasures of Knowledge\InstalledFile@~AS_~RemoveKeyFlag~ 1
Reg HKLM\SOFTWARE\Classes\CLSID\AppStream\GhostRegistryChangesRoot\MACHINE\SOFTWARE\The Learning Company\Treasures of Knowledge\InstalledFile@~AS_~Ref~2090458831 ?
Reg HKLM\SOFTWARE\Classes\CLSID\AppStream\GhostRegistryChangesRoot\MACHINE\SOFTWARE\The Learning Company\Treasures of Knowledge\InstalledPath@~AS_~RemoveKeyFlag~ 1
Reg HKLM\SOFTWARE\Classes\CLSID\AppStream\GhostRegistryChangesRoot\MACHINE\SOFTWARE\The Learning Company\Treasures of Knowledge\InstalledPath@~AS_~Ref~2090458831 ?
Reg HKLM\SOFTWARE\Classes\CLSID\AppStream\GhostRegistryChangesRoot\MACHINE\SOFTWARE\The Learning Company\Treasures of Knowledge\Version@~AS_~RemoveKeyFlag~ 1
Reg HKLM\SOFTWARE\Classes\CLSID\AppStream\GhostRegistryChangesRoot\MACHINE\SOFTWARE\The Learning Company\Treasures of Knowledge\Version@~AS_~Ref~2090458831 ?

---- EOF - GMER 1.0.15 ----

Edited by tgal0786, 08 June 2011 - 05:58 AM.


BC AdBot (Login to Remove)

 


#2 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:09:35 AM

Posted 14 June 2011 - 03:12 PM

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. :)

I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, resulted in the delayed responding to your thread.

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  • If I instruct you to download a specific tool in which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do, is to make sure sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
    Because of this, you must reply within three days
    failure to reply will result in the topic being closed!
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________

Rootkit UnHooker (RkU)
Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracing ZIP and RAR compressed files. If you don't have an extraction program, you can downlaod, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth Code, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".



NEXT:


Running OTL

We need to create a FULL OTL Report
  • Please download OTL from here:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "SafeList"
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized

NEXT:


Please provide an update on how things are running in your next reply.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#3 tgal0786

tgal0786
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:09:35 AM

Posted 14 June 2011 - 08:49 PM

Hi ST,

Thanks for taking the time to look at my issue. Here are the reports you requested.


RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xB812B000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 6717440 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 100.99 )
0xBF012000 C:\WINDOWS\System32\nv4_disp.dll 5451776 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 100.99 )
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2150400 bytes
0x804D7000 RAW 2150400 bytes
0x804D7000 WMIxWDM 2150400 bytes
0xBF800000 Win32k 1847296 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1847296 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xB7EAA000 C:\WINDOWS\system32\drivers\sthda.sys 1126400 bytes (SigmaTel, Inc., NDRC)
0xB9DDC000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xB08BA000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB085C000 C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 385024 bytes (Symantec Corporation, Symantec Eraser Control Driver)
0xB7FCE000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xB09F5000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA4671000 C:\WINDOWS\system32\DRIVERS\srv.sys 335872 bytes (Microsoft Corporation, Server driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xA40CD000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xB802C000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xB0977000 C:\WINDOWS\system32\drivers\sbtis.sys 196608 bytes (Sunbelt Software, Sunbelt TDI Inspection System)
0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB9DAF000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xA2DA2000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xB092A000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB8084000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xB09A7000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xA4775000 C:\WINDOWS\system32\DRIVERS\nwrdr.sys 163840 bytes (Microsoft Corporation, NetWare Redirector File System Driver)
0xB9F23000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xB09CF000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xB80F3000 C:\WINDOWS\system32\DRIVERS\b57xp32.sys 147456 bytes (Broadcom Corporation, Broadcom NetXtreme Gigabit Ethernet NDIS5.1 Driver.)
0xB7E86000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB80CF000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB80AC000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xB0955000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806E4000 ACPI_HAL 134400 bytes
0x806E4000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB9EBB000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB9F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB1DCD000 C:\WINDOWS\System32\Drivers\APPSTREAM.SYS 118784 bytes (AppStream Inc, AppStream Driver)
0xA4EA3000 C:\WINDOWS\System32\Drivers\dump_nvatabus.sys 106496 bytes
0xB9D95000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB9EDB000 nvatabus.sys 106496 bytes (NVIDIA Corporation, NVIDIA® nForce™ IDE Performance Driver)
0xB9EF5000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xA47C9000 C:\WINDOWS\System32\DLA\DLAUDFAM.SYS 98304 bytes (Sonic Solutions, Drive Letter Access Component)
0xB9E7C000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB806D000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xA47E1000 C:\WINDOWS\System32\DLA\DLAIFS_M.SYS 90112 bytes (Sonic Solutions, Drive Letter Access Component)
0xA47B3000 C:\WINDOWS\System32\DLA\DLAUDF_M.SYS 90112 bytes (Sonic Solutions, Drive Letter Access Component)
0xB9E93000 DRVMCDB.SYS 90112 bytes (Sonic Solutions, Device Driver)
0xB9F0D000 nvraid.sys 90112 bytes (NVIDIA Corporation, NVIDIA® nForce™ RAID Driver)
0xA479D000 C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys 90112 bytes (Microsoft Corporation, NWLINK2 IPX Protocol Driver)
0xA43B4000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB8117000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xB0A4E000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xB9E69000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xA46EB000 C:\WINDOWS\System32\Drivers\REGHOOK.SYS 73728 bytes (Appstream Inc., Appstream System Services)
0xB9EA9000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB805C000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xABE3E000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xB93B0000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA138000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xB87D3000 C:\WINDOWS\system32\DRIVERS\nwlnknb.sys 65536 bytes (Microsoft Corporation, NWLINK2 IPX Netbios Protocol Driver)
0xBA108000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xABE9E000 C:\WINDOWS\system32\drivers\sbapifs.sys 65536 bytes (Sunbelt Software, Sunbelt ActiveProtection Filter)
0xB93D0000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xB2CCD000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xBA2F8000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xB93A0000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xA4561000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xB07F4000 C:\WINDOWS\system32\drivers\usbaudio.sys 61440 bytes (Microsoft Corporation, USB Audio Class Driver)
0xB33AF000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBA118000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xBA248000 C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys 57344 bytes (Microsoft Corporation, NWLINK2 SPX Protocol Driver)
0xBA0C8000 C:\WINDOWS\system32\drivers\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA298000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xBA0D8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xB3F24000 C:\WINDOWS\System32\Drivers\VSPD.SYS 53248 bytes (Appstream Inc., Appstream communication driver)
0xBA2B8000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xB2CAD000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xB93C0000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xBA0B8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xBA2A8000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xABE7E000 C:\WINDOWS\System32\Drivers\DRVNDDM.SYS 40960 bytes (Sonic Solutions, Device Driver Manager)
0xBA0A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xBA208000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xBA2D8000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xA41F6000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0xBA0E8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xB2CFD000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xB9410000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xBA2C8000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xB2CBD000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xBA0F8000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xB2CDD000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xBA438000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xB3CD3000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xB2C66000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xBA410000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xBA4B0000 C:\WINDOWS\System32\DLA\DLABOIOM.SYS 28672 bytes (Sonic Solutions, Drive Letter Access Component)
0xB3CEB000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xBA328000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xB2C4E000 C:\WINDOWS\system32\DRIVERS\usbprint.sys 28672 bytes (Microsoft Corporation, USB Printer driver)
0xB2C46000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xB3CF3000 C:\WINDOWS\System32\Drivers\DLARTL_N.SYS 24576 bytes (Sonic Solutions, Shared Driver Component)
0xBA418000 C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xBA440000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xBA448000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xB076C000 C:\WINDOWS\system32\drivers\symlcbrd.sys 24576 bytes (Symantec Corporation, Symantec Core Component)
0xB3CE3000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xB3CDB000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xBA330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xBA428000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xBA430000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xBA420000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xBA408000 C:\WINDOWS\system32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0xA6F73000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xB29C4000 C:\WINDOWS\System32\DLA\DLAOPIOM.SYS 16384 bytes (Sonic Solutions, Drive Letter Access Component)
0xB0DBC000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xBA570000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB9D0A000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xB40D3000 C:\WINDOWS\system32\DRIVERS\usbscan.sys 16384 bytes (Microsoft Corporation, USB Scanner Driver)
0xBA4B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xA4F4C000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xB0DD8000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xB9D54000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 12288 bytes (Microsoft Corporation, I2O Utility Filter)
0xB0DCC000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB9D06000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xB9D22000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xB0713000 C:\WINDOWS\System32\Drivers\ASCTRM.SYS 8192 bytes (Windows ® 2000 DDK provider, TR Manager)
0xBA668000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xBA60C000 C:\WINDOWS\System32\Drivers\DLACDBHM.SYS 8192 bytes (Sonic Solutions, Shared Driver Component)
0xBA616000 C:\WINDOWS\System32\DLA\DLAPoolM.SYS 8192 bytes (Sonic Solutions, Drive Letter Access Component)
0xBA5AC000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xAF040000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xBA666000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xBA5A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xBA66A000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xBA66C000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBA610000 C:\WINDOWS\System32\Drivers\RootMdm.sys 8192 bytes (Microsoft Corporation, Legacy Non-Pnp Modem Device Driver)
0xBA66E000 C:\WINDOWS\system32\drivers\sbaphd.sys 8192 bytes (Sunbelt Software, Sunbelt ActiveProtection hook driver)
0xBA612000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xBA652000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBA5AA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBA7B6000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xBA79F000 C:\WINDOWS\System32\DLA\DLADResN.SYS 4096 bytes (Sonic Solutions, Drive Letter Access Component)
0xABE0D000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xBA7BA000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xBA670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================
WARNING: Virus alike driver modification [ndisip.sys]
WARNING: Virus alike driver modification [bthpan.sys]
WARNING: Virus alike driver modification [adpu160m.sys]
WARNING: Virus alike driver modification [sffp_mmc.sys]
WARNING: Virus alike driver modification [hsfdpsp2.sys]
WARNING: Virus alike driver modification [atinrvxx.sys]
WARNING: Virus alike driver modification [slip.sys]
WARNING: Virus alike driver modification [sffp_sd.sys]
WARNING: Virus alike driver modification [irenum.sys]
WARNING: Virus alike driver modification [wadv08nt.sys]
WARNING: Virus alike driver modification [Hdaudio.sys]
WARNING: Virus alike driver modification [bdasup.sys]
WARNING: Virus alike driver modification [ati1mdxx.sys]
WARNING: Virus alike driver modification [acpiec.sys]
WARNING: Virus alike driver modification [cpqdap01.sys]
WARNING: Virus alike driver modification [e100b325.sys]
WARNING: Virus alike driver modification [wadv07nt.sys]
WARNING: Virus alike driver modification [mdmxsdk.sys]
WARNING: Virus alike driver modification [wadv09nt.sys]
WARNING: Virus alike driver modification [sffdisk.sys]
WARNING: Virus alike driver modification [wadv11nt.sys]
WARNING: Virus alike driver modification [pcmcia.sys]
WARNING: Virus alike driver modification [amsint.sys]
WARNING: Virus alike driver modification [nikedrv.sys]
WARNING: Virus alike driver modification [rio8drv.sys]
WARNING: Virus alike driver modification [riodrv.sys]
WARNING: Virus alike driver modification [ws2ifsl.sys]
WARNING: Virus alike driver modification [tdpipe.sys]
WARNING: Virus alike driver modification [ati1pdxx.sys]
WARNING: Virus alike driver modification [fsvga.sys]
WARNING: Virus alike driver modification [usbvideo.sys]
WARNING: Virus alike driver modification [tunmp.sys]
WARNING: Virus alike driver modification [nwlnkflt.sys]
WARNING: Virus alike driver modification [mtlmnt5.sys]
WARNING: Virus alike driver modification [mutohpen.sys]
WARNING: Virus alike driver modification [aha154x.sys]
WARNING: Virus alike driver modification [usb8023.sys]
WARNING: Virus alike driver modification [usb8023x.sys]
WARNING: Virus alike driver modification [slnt7554.sys]
WARNING: Virus alike driver modification [mtlstrm.sys]
WARNING: Virus alike driver modification [slwdmsup.sys]
WARNING: Virus alike driver modification [recagent.sys]
WARNING: Virus alike driver modification [atinmdxx.sys]
WARNING: Virus alike driver modification [atinttxx.sys]
0x8A4B3A91 Unknown page with executable code, 1391 bytes
WARNING: Virus alike driver modification [cbidf2k.sys]
WARNING: Virus alike driver modification [rdpwd.sys]
WARNING: Virus alike driver modification [diskdump.sys]
WARNING: Virus alike driver modification [wacompen.sys]
WARNING: Virus alike driver modification [atinpdxx.sys]
WARNING: Virus alike driver modification [smclib.sys]
WARNING: Virus alike driver modification [dac960nt.sys]
WARNING: Virus alike driver modification [asc3550.sys]
WARNING: Virus alike driver modification [cpqarray.sys]
WARNING: Virus alike driver modification [streamip.sys]
WARNING: Virus alike driver modification [tape.sys]
WARNING: Virus alike driver modification [mpe.sys]
WARNING: Virus alike driver modification [usbintel.sys]
WARNING: Virus alike driver modification [ini910u.sys]
WARNING: Virus alike driver modification [symc810.sys]
WARNING: Virus alike driver modification [ccdecode.sys]
WARNING: Virus alike driver modification [s3gnbm.sys]
WARNING: Virus alike driver modification [bthenum.sys]
WARNING: Virus alike driver modification [mraid35x.sys]
WARNING: Virus alike driver modification [dac2w2k.sys]
WARNING: Virus alike driver modification [ntmtlfax.sys]
WARNING: Virus alike driver modification [mrxdav.sys]
WARNING: Virus alike driver modification [i2omp.sys]
WARNING: Virus alike driver modification [wstcodec.sys]
WARNING: Virus alike driver modification [bthusb.sys]
WARNING: Virus alike driver modification [sparrow.sys]
WARNING: Virus alike driver modification [hidir.sys]
WARNING: Virus alike driver modification [dpti2o.sys]
WARNING: Virus alike driver modification [flpydisk.sys]
WARNING: Virus alike driver modification [secdrv.sys]
WARNING: Virus alike driver modification [usbuhci.sys]
WARNING: Virus alike driver modification [ipinip.sys]
WARNING: Virus alike driver modification [ati1ttxx.sys]
WARNING: Virus alike driver modification [tsbvcap.sys]
WARNING: Virus alike driver modification [SilvrLnk.sys]
WARNING: Virus alike driver modification [tdtcp.sys]
WARNING: Virus alike driver modification [hsfbs2s2.sys]
WARNING: Virus alike driver modification [watv06nt.sys]
WARNING: Virus alike driver modification [asc3350p.sys]
WARNING: Virus alike driver modification [ABP480N5.SYS]
WARNING: Virus alike driver modification [COH_Mon.sys]
WARNING: Virus alike driver modification [sonydcam.sys]
WARNING: Virus alike driver modification [watv10nt.sys]
WARNING: Virus alike driver modification [hidbth.sys]
WARNING: Virus alike driver modification [usbcamd.sys]
WARNING: Virus alike driver modification [usbcamd2.sys]
WARNING: Virus alike driver modification [usbprint.sys]
WARNING: Virus alike driver modification [hpn.sys]
WARNING: Virus alike driver modification [cinemst2.sys]
WARNING: Virus alike driver modification [ati1snxx.sys]
WARNING: Virus alike driver modification [asc.sys]
WARNING: Virus alike driver modification [perc2.sys]
WARNING: Virus alike driver modification [fdc.sys]
WARNING: Virus alike driver modification [sym_hi.sys]
WARNING: Virus alike driver modification [atinsnxx.sys]
WARNING: Virus alike driver modification [ati1xbxx.sys]
WARNING: Virus alike driver modification [rndismp.sys]
WARNING: Virus alike driver modification [rndismpx.sys]
WARNING: Virus alike driver modification [ati1raxx.sys]
WARNING: Virus alike driver modification [sym_u3.sys]
WARNING: Virus alike driver modification [atmepvc.sys]
WARNING: Virus alike driver modification [atinxbxx.sys]
WARNING: Virus alike driver modification [nwlnkfwd.sys]
WARNING: Virus alike driver modification [symc8xx.sys]
WARNING: Virus alike driver modification [ati2mtaa.sys]
WARNING: Virus alike driver modification [ipfltdrv.sys]
WARNING: Virus alike driver modification [ql10wnt.sys]
WARNING: Virus alike driver modification [rawwan.sys]
0x8A4B2288 Unknown page with executable code, 3448 bytes
WARNING: Virus alike driver modification [ati1xsxx.sys]
WARNING: Virus alike driver modification [atmuni.sys]
WARNING: Virus alike driver modification [processr.sys]
WARNING: Virus alike driver modification [ati1tuxx.sys]
WARNING: Virus alike driver modification [bthprint.sys]
WARNING: Virus alike driver modification [ip6fw.sys]
WARNING: Virus alike driver modification [crusoe.sys]
WARNING: Virus alike driver modification [ultra.sys]
0x8A4B4191 Unknown page with executable code, 3695 bytes
WARNING: Virus alike driver modification [amdk6.sys]
WARNING: Virus alike driver modification [amdk7.sys]
WARNING: Virus alike driver modification [bthmodem.sys]
WARNING: Virus alike driver modification [wpdusb.sys]
WARNING: Virus alike driver modification [nmnt.sys]
WARNING: Virus alike driver modification [ql1080.sys]
WARNING: Virus alike driver modification [ql1240.sys]
WARNING: Virus alike driver modification [slntamr.sys]
0x8A4B702C Unknown page with executable code, 4052 bytes
WARNING: Virus alike driver modification [sisagp.sys]
WARNING: Virus alike driver modification [viaagp.sys]
WARNING: Virus alike driver modification [agp440.sys]
WARNING: Virus alike driver modification [alim1541.sys]
WARNING: Virus alike driver modification [p3.sys]
WARNING: Virus alike driver modification [amdagp.sys]
WARNING: Virus alike driver modification [uagp35.sys]
WARNING: Virus alike driver modification [agpcpq.sys]
WARNING: Virus alike driver modification [mtxparhm.sys]
WARNING: Virus alike driver modification [ql12160.sys]
WARNING: Virus alike driver modification [gagp30kx.sys]
WARNING: Virus alike driver modification [irbus.sys]
WARNING: Virus alike driver modification [ql1280.sys]
WARNING: Virus alike driver modification [stream.sys]
WARNING: Virus alike driver modification [mspqm.sys]
WARNING: Virus alike driver modification [toside.sys]
WARNING: Virus alike driver modification [tosdvd.sys]
WARNING: Virus alike driver modification [msdv.sys]
WARNING: Virus alike driver modification [atinraxx.sys]
WARNING: Virus alike driver modification [aliide.sys]
0xBA0D8000 WARNING: Virus alike driver modification [VolSnap.sys], 53248 bytes
WARNING: Virus alike driver modification [mspclock.sys]
WARNING: Virus alike driver modification [viaide.sys]
WARNING: Virus alike driver modification [intelide.sys]
WARNING: Virus alike driver modification [mstee.sys]
WARNING: Virus alike driver modification [perc2hib.sys]
WARNING: Virus alike driver modification [aic78u2.sys]
WARNING: Virus alike driver modification [atmlane.sys]
WARNING: Virus alike driver modification [ati1btxx.sys]
WARNING: Virus alike driver modification [aic78xx.sys]
WARNING: Virus alike driver modification [atinbtxx.sys]
WARNING: Virus alike driver modification [vdmindvd.sys]
WARNING: Virus alike driver modification [smbali.sys]
WARNING: Virus alike driver modification [rfcomm.sys]
WARNING: Virus alike driver modification [atmarpc.sys]
0x8A4B6E7A Unknown thread object [ ETHREAD 0x8A444B90 ] TID: 132, 600 bytes
0x8A4B9008 Unknown thread object [ ETHREAD 0x8A540020 ] TID: 136, 600 bytes
WARNING: Virus alike driver modification [usbaudio.sys]
WARNING: Virus alike driver modification [atinxsxx.sys]
WARNING: Virus alike driver modification [ati1rvxx.sys]
WARNING: Virus alike driver modification [mf.sys]
WARNING: Virus alike driver modification [enum1394.sys]
WARNING: Virus alike driver modification [udfs.sys]
WARNING: Virus alike driver modification [cmdide.sys]
WARNING: Virus alike driver modification [parvdm.sys]
WARNING: Virus alike driver modification [hsfcxts2.sys]
WARNING: Virus alike driver modification [ati2mtag.sys]
WARNING: Virus alike driver modification [bridge.sys]
WARNING: Virus alike driver modification [atintuxx.sys]
WARNING: Virus alike driver modification [mskssrv.sys]
WARNING: Virus alike driver modification [cd20xrnt.sys]
WARNING: Virus alike driver modification [mcd.sys]
WARNING: Virus alike driver modification [WudfPf.sys]
WARNING: Virus alike driver modification [sdbus.sys]
WARNING: Virus alike driver modification [parport.sys]
0x8A4B8CDC Unknown page with executable code, 804 bytes
WARNING: Virus alike driver modification [WudfRd.sys]
WARNING: Virus alike driver modification [nabtsfec.sys]
WARNING: Virus alike driver modification [mqac.sys]
WARNING: Virus alike driver modification [slnthal.sys]
WARNING: Virus alike driver modification [scsiport.sys]



OTL logfile created on: 6/14/2011 9:36:41 PM - Run 1
OTL by OldTimer - Version 3.2.24.0 Folder = C:\Documents and Settings\Tanya Gallant\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.30 Gb Available Physical Memory | 65.18% Memory free
5.84 Gb Paging File | 5.25 Gb Available in Paging File | 89.84% Paging File free
Paging file location(s): C:\pagefile.sys 4092 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 229.77 Gb Total Space | 60.90 Gb Free Space | 26.51% Space Free | Partition Type: NTFS

Computer Name: TANYA | User Name: Tanya Gallant | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/06/14 21:34:31 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tanya Gallant\My Documents\Downloads\OTL (1).exe
PRC - [2011/05/20 01:54:14 | 001,010,232 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2011/04/26 16:23:02 | 000,223,088 | ---- | M] () -- C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe
PRC - [2011/04/26 16:22:44 | 000,681,840 | ---- | M] () -- C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe
PRC - [2010/09/14 23:33:34 | 000,006,656 | ---- | M] (Motorola) -- C:\Program Files\Motorola\Moto Helper Service\MotoHelper.exe
PRC - [2010/04/19 13:51:52 | 001,291,600 | ---- | M] (Sunbelt Software) -- C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
PRC - [2010/04/19 13:48:54 | 002,726,000 | ---- | M] (Sunbelt Software) -- C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
PRC - [2010/04/19 13:47:50 | 000,181,584 | ---- | M] (Sunbelt Software) -- C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe
PRC - [2009/09/08 17:25:52 | 000,096,334 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/11 18:50:16 | 000,030,312 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
PRC - [2007/05/21 04:37:36 | 000,124,512 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
PRC - [2006/09/27 19:49:26 | 001,990,656 | ---- | M] (AppStream Inc.) -- C:\Program Files\AppStream\WindowsClient\bin\AppMgrService.exe


========== Modules (SafeList) ==========

MOD - [2011/06/14 21:34:31 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tanya Gallant\My Documents\Downloads\OTL (1).exe
MOD - [2008/04/13 20:12:51 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
MOD - [2007/11/06 18:08:30 | 000,106,496 | ---- | M] (Nektra S.A.) -- C:\Program Files\Sunbelt Software\VIPRE\oehook.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (WudfSvc)
SRV - File not found [Auto | Stopped] -- -- (Symantec Core LC)
SRV - File not found [Auto | Stopped] -- -- (LiveUpdate Notice Service)
SRV - File not found [Auto | Stopped] -- -- (LiveUpdate Notice Ex)
SRV - [2011/05/29 09:11:28 | 000,366,640 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/04/26 16:23:02 | 000,223,088 | ---- | M] () [Auto | Running] -- C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe -- (MotoHelper)
SRV - [2010/09/14 23:33:34 | 000,006,656 | ---- | M] (Motorola) [Auto | Running] -- C:\Program Files\Motorola\Moto Helper Service\MotoHelper.exe -- (MotoHelper.exe)
SRV - [2010/04/19 13:48:54 | 002,726,000 | ---- | M] (Sunbelt Software) [Auto | Running] -- C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe -- (SBAMSvc)
SRV - [2010/04/19 13:47:50 | 000,181,584 | ---- | M] (Sunbelt Software) [Auto | Running] -- C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe -- (SBPIMSvc)
SRV - [2009/09/08 17:25:52 | 000,096,334 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2008/01/11 18:50:16 | 000,030,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -- (BcmSqlStartupSvc)
SRV - [2006/09/27 19:49:26 | 001,990,656 | ---- | M] (AppStream Inc.) [Auto | Running] -- C:\Program Files\AppStream\WindowsClient\bin\AppMgrService.exe -- (AppMgrService)
SRV - [2003/04/01 22:08:30 | 000,069,632 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\IcdSptSv.exe -- (ICDSPTSV)


========== Driver Services (SafeList) ==========

DRV - [2011/05/29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2011/04/04 14:55:38 | 000,020,480 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motccgp.sys -- (motccgp)
DRV - [2011/03/31 14:53:22 | 000,024,064 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motmodem.sys -- (motmodem)
DRV - [2010/07/15 09:13:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2010/06/25 12:07:14 | 000,035,088 | ---- | M] (CACE Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2010/04/01 14:31:50 | 000,023,424 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Motousbnet.sys -- (Motousbnet)
DRV - [2010/01/25 19:56:44 | 000,009,472 | ---- | M] (Motorola Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motusbdevice.sys -- (motusbdevice)
DRV - [2010/01/04 06:29:42 | 000,069,720 | ---- | M] (Sunbelt Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\sbapifs.sys -- (sbapifs)
DRV - [2010/01/04 06:29:40 | 000,013,400 | ---- | M] (Sunbelt Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\sbaphd.sys -- (sbaphd)
DRV - [2009/10/13 09:02:36 | 000,095,024 | ---- | M] (Sunbelt Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SBREDrv.sys -- (SBRE)
DRV - [2009/01/29 17:18:00 | 000,008,320 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motccgpfl.sys -- (motccgpfl)
DRV - [2009/01/29 17:11:20 | 000,006,016 | ---- | M] (Motorola Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motfilt.sys -- (BTCFilterService)
DRV - [2008/04/28 14:48:54 | 000,202,160 | ---- | M] (Sunbelt Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\sbtis.sys -- (sbtis)
DRV - [2008/04/13 14:56:06 | 000,088,320 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
DRV - [2007/11/02 15:51:30 | 000,006,400 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motswch.sys -- (MotoSwitchService)
DRV - [2007/06/11 19:30:53 | 000,010,344 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\symlcbrd.sys -- (symlcbrd)
DRV - [2007/06/11 19:28:10 | 000,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2007/05/13 21:33:12 | 000,115,284 | ---- | M] (AppStream Inc) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\AppStream.sys -- (APPSTREAM)
DRV - [2007/03/14 22:46:26 | 000,105,472 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\nvatabus.sys -- (nvatabus)
DRV - [2006/09/27 19:27:22 | 000,031,321 | ---- | M] (Appstream Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\VSPD.sys -- (VSPD)
DRV - [2006/09/27 19:27:02 | 000,054,879 | ---- | M] (Appstream Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\RegHook.sys -- (REGHOOK)
DRV - [2006/07/27 07:24:28 | 001,171,464 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2006/03/09 07:25:00 | 000,143,872 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2005/09/08 06:20:00 | 000,094,332 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2005/09/08 06:20:00 | 000,087,036 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2005/09/08 06:20:00 | 000,086,524 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2005/09/08 06:20:00 | 000,025,628 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2005/09/08 06:20:00 | 000,014,684 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2005/09/08 06:20:00 | 000,006,364 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2005/09/08 06:20:00 | 000,002,496 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResN.SYS -- (DLADResN)
DRV - [2005/08/25 13:16:52 | 000,005,628 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2005/08/25 13:16:16 | 000,022,684 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS -- (DLARTL_N)
DRV - [2004/08/04 06:00:00 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
DRV - [2004/08/04 06:00:00 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)
DRV - [2004/02/04 11:27:56 | 000,049,536 | ---- | M] (Texas Instruments Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tiehdusb.sys -- (TIEHDUSB)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2070611
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2070611


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2070611
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2070611
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2070611
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2070611
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3177177374-1629357795-3403320260-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
IE - HKU\S-1-5-21-3177177374-1629357795-3403320260-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3177177374-1629357795-3403320260-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;192.168.*.*

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:5.0.0.6906
FF - prefs.js..extensions.enabledItems: plugin@gameplaylabs.com:1.0
FF - prefs.js..keyword.URL: "http://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q="


FF - HKLM\software\mozilla\Mozilla Firefox 3.5.19\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/05/01 23:24:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.19\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/01 23:24:36 | 000,000,000 | ---D | M]

[2008/08/30 21:04:48 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Tanya Gallant\Application Data\Mozilla\Extensions
[2011/06/13 09:12:31 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Tanya Gallant\Application Data\Mozilla\Firefox\Profiles\1ieql1sj.default\extensions
[2010/05/10 16:03:01 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Tanya Gallant\Application Data\Mozilla\Firefox\Profiles\1ieql1sj.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/06/13 09:12:24 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\Tanya Gallant\Application Data\Mozilla\Firefox\Profiles\1ieql1sj.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2011/02/10 17:05:08 | 000,000,000 | ---D | M] (Video Codec Plugin) -- C:\Documents and Settings\Tanya Gallant\Application Data\Mozilla\Firefox\Profiles\1ieql1sj.default\extensions\plugin@gameplaylabs.com
[2011/06/13 09:12:31 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/01/03 08:33:32 | 000,000,000 | ---D | M] (Skype extension) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2010/07/24 15:35:18 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/07/24 15:35:05 | 000,423,656 | ---- | M] (Oracle) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/05/23 03:22:26 | 000,395,339 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.123fporn.info
O1 - Hosts: 127.0.0.1 123fporn.info
O1 - Hosts: 127.0.0.1 17concepts.info
O1 - Hosts: 127.0.0.1 www.17concepts.info
O1 - Hosts: 127.0.0.1 247fxxx.info
O1 - Hosts: 127.0.0.1 www.247fxxx.info
O1 - Hosts: 127.0.0.1 31columns.com
O1 - Hosts: 127.0.0.1 www.31columns.com
O1 - Hosts: 127.0.0.1 www.365fporn.info
O1 - Hosts: 127.0.0.1 365fporn.info
O1 - Hosts: 127.0.0.1 www.365sites.info
O1 - Hosts: 127.0.0.1 365sites.info
O1 - Hosts: 127.0.0.1 4-open-davinci.com
O1 - Hosts: 127.0.0.1 www.4-open-davinci.com
O1 - Hosts: 127.0.0.1 500sex.info
O1 - Hosts: 127.0.0.1 www.500sex.info
O1 - Hosts: 127.0.0.1 www.555royalclub.net
O1 - Hosts: 127.0.0.1 555royalclub.net
O1 - Hosts: 127.0.0.1 www.6hporn.info
O1 - Hosts: 127.0.0.1 6hporn.info
O1 - Hosts: 127.0.0.1 www.777casinoroyal.net
O1 - Hosts: 127.0.0.1 777casinoroyal.net
O1 - Hosts: 127.0.0.1 www.777casinozbest.net
O1 - Hosts: 127.0.0.1 777casinozbest.net
O1 - Hosts: 13653 more lines...
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - File not found
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-3177177374-1629357795-3403320260-1005\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKU\S-1-5-21-3177177374-1629357795-3403320260-1005\..\Toolbar\WebBrowser: (no name) - {5BED3930-2E9E-76D8-BACC-80DF2188D455} - No CLSID value found.
O3 - HKU\S-1-5-21-3177177374-1629357795-3403320260-1005\..\Toolbar\WebBrowser: (no name) - {724D43A0-0D85-11D4-9908-00400523E39A} - No CLSID value found.
O3 - HKU\S-1-5-21-3177177374-1629357795-3403320260-1005\..\Toolbar\WebBrowser: (no name) - {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No CLSID value found.
O3 - HKU\S-1-5-21-3177177374-1629357795-3403320260-1005\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKU\S-1-5-21-3177177374-1629357795-3403320260-1005\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE (CANON INC.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe (Sunbelt Software)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: AllowLegacyWebView = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: AllowUnhashedWebView = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: no folder option = 0
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: no folder option = 0
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3177177374-1629357795-3403320260-1005\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-3177177374-1629357795-3403320260-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3177177374-1629357795-3403320260-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispBackgroundPage = 0
O7 - HKU\S-1-5-21-3177177374-1629357795-3403320260-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispScrSavPage = 0
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} http://support.dell.com/systemprofiler/SysPro.CAB (SysProWmi Class)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} http://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab (TTestGenXInstallObject)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab (Pearson Installation Assistant 2)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} http://asp.mathxl.com/books/_Players/MathPlayer.cab (Pearson MathXL Player)
O16 - DPF: Garmin Communicator Plug-In https://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.71.230 68.87.73.246
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\ASWLNDLL: DllName - ASWLNDLL.dll - C:\WINDOWS\System32\ASWLNDLL.dll (Appstream Inc.)
O24 - Desktop Components:0 () - http://by121w.bay121.mail.live.com/mail/head
O24 - Desktop Components:1 (My Current Home Page) - About:Home
O30 - LSA: Authentication Packages - (nwprovau) - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 18:15:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{42832b1f-1cdd-11e0-a921-0019b9328998}\Shell - "" = AutoRun
O33 - MountPoints2\{42832b1f-1cdd-11e0-a921-0019b9328998}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{42832b1f-1cdd-11e0-a921-0019b9328998}\Shell\AutoRun\command - "" = E:\setup.exe -a
O33 - MountPoints2\D\Shell - "" = AutoRun
O33 - MountPoints2\D\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\SETUP.EXE
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/06/09 23:45:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tanya Gallant\.realobjects
[2011/06/08 21:27:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\MINITAB 14
[2011/06/08 21:26:58 | 000,000,000 | ---D | C] -- C:\Program Files\MINITAB 14 Student
[2011/06/07 23:49:59 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Tanya Gallant\My Documents\My Videos
[2011/06/07 23:49:59 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Tanya Gallant\Start Menu\Programs\Administrative Tools
[2011/06/07 20:52:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tanya Gallant\Application Data\Malwarebytes
[2011/06/07 20:51:59 | 000,039,984 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/06/07 20:51:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/06/07 20:51:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/06/07 20:51:56 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/06/07 13:43:58 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Events
[2011/05/30 23:33:07 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Tanya Gallant\Recent
[2011/05/30 17:37:14 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/05/25 16:52:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PhotoStitch
[2011/05/24 21:46:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tanya Gallant\Application Data\ZoomBrowser EX
[2011/05/24 21:27:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tanya Gallant\Application Data\CANON INC
[2011/05/24 21:24:01 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ptpusb.dll
[2011/05/24 21:24:00 |

#4 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:09:35 AM

Posted 15 June 2011 - 01:54 PM

Hi!

No problem! Glad to be able to help!

Looks like we maybe dealing with a rootkit infection here.

It seems the OTL.txt log got cut off.

Would you mind re-posting it for me? If you're experiencing issues posting it, please go ahead and attach it for me.

Edited by SweetTech, 15 June 2011 - 01:54 PM.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#5 tgal0786

tgal0786
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:09:35 AM

Posted 15 June 2011 - 02:05 PM

Sorry about that, I am copying both the txt and extra log into the post. Thanks.




OTL logfile created on: 6/14/2011 9:36:41 PM - Run 1
OTL by OldTimer - Version 3.2.24.0 Folder = C:\Documents and Settings\Tanya Gallant\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.30 Gb Available Physical Memory | 65.18% Memory free
5.84 Gb Paging File | 5.25 Gb Available in Paging File | 89.84% Paging File free
Paging file location(s): C:\pagefile.sys 4092 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 229.77 Gb Total Space | 60.90 Gb Free Space | 26.51% Space Free | Partition Type: NTFS

Computer Name: TANYA | User Name: Tanya Gallant | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/06/14 21:34:31 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tanya Gallant\My Documents\Downloads\OTL (1).exe
PRC - [2011/05/20 01:54:14 | 001,010,232 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2011/04/26 16:23:02 | 000,223,088 | ---- | M] () -- C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe
PRC - [2011/04/26 16:22:44 | 000,681,840 | ---- | M] () -- C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe
PRC - [2010/09/14 23:33:34 | 000,006,656 | ---- | M] (Motorola) -- C:\Program Files\Motorola\Moto Helper Service\MotoHelper.exe
PRC - [2010/04/19 13:51:52 | 001,291,600 | ---- | M] (Sunbelt Software) -- C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
PRC - [2010/04/19 13:48:54 | 002,726,000 | ---- | M] (Sunbelt Software) -- C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
PRC - [2010/04/19 13:47:50 | 000,181,584 | ---- | M] (Sunbelt Software) -- C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe
PRC - [2009/09/08 17:25:52 | 000,096,334 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/11 18:50:16 | 000,030,312 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
PRC - [2007/05/21 04:37:36 | 000,124,512 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
PRC - [2006/09/27 19:49:26 | 001,990,656 | ---- | M] (AppStream Inc.) -- C:\Program Files\AppStream\WindowsClient\bin\AppMgrService.exe


========== Modules (SafeList) ==========

MOD - [2011/06/14 21:34:31 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tanya Gallant\My Documents\Downloads\OTL (1).exe
MOD - [2008/04/13 20:12:51 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
MOD - [2007/11/06 18:08:30 | 000,106,496 | ---- | M] (Nektra S.A.) -- C:\Program Files\Sunbelt Software\VIPRE\oehook.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (WudfSvc)
SRV - File not found [Auto | Stopped] -- -- (Symantec Core LC)
SRV - File not found [Auto | Stopped] -- -- (LiveUpdate Notice Service)
SRV - File not found [Auto | Stopped] -- -- (LiveUpdate Notice Ex)
SRV - [2011/05/29 09:11:28 | 000,366,640 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/04/26 16:23:02 | 000,223,088 | ---- | M] () [Auto | Running] -- C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe -- (MotoHelper)
SRV - [2010/09/14 23:33:34 | 000,006,656 | ---- | M] (Motorola) [Auto | Running] -- C:\Program Files\Motorola\Moto Helper Service\MotoHelper.exe -- (MotoHelper.exe)
SRV - [2010/04/19 13:48:54 | 002,726,000 | ---- | M] (Sunbelt Software) [Auto | Running] -- C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe -- (SBAMSvc)
SRV - [2010/04/19 13:47:50 | 000,181,584 | ---- | M] (Sunbelt Software) [Auto | Running] -- C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe -- (SBPIMSvc)
SRV - [2009/09/08 17:25:52 | 000,096,334 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2008/01/11 18:50:16 | 000,030,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -- (BcmSqlStartupSvc)
SRV - [2006/09/27 19:49:26 | 001,990,656 | ---- | M] (AppStream Inc.) [Auto | Running] -- C:\Program Files\AppStream\WindowsClient\bin\AppMgrService.exe -- (AppMgrService)
SRV - [2003/04/01 22:08:30 | 000,069,632 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\IcdSptSv.exe -- (ICDSPTSV)


========== Driver Services (SafeList) ==========

DRV - [2011/05/29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2011/04/04 14:55:38 | 000,020,480 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motccgp.sys -- (motccgp)
DRV - [2011/03/31 14:53:22 | 000,024,064 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motmodem.sys -- (motmodem)
DRV - [2010/07/15 09:13:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2010/06/25 12:07:14 | 000,035,088 | ---- | M] (CACE Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2010/04/01 14:31:50 | 000,023,424 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Motousbnet.sys -- (Motousbnet)
DRV - [2010/01/25 19:56:44 | 000,009,472 | ---- | M] (Motorola Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motusbdevice.sys -- (motusbdevice)
DRV - [2010/01/04 06:29:42 | 000,069,720 | ---- | M] (Sunbelt Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\sbapifs.sys -- (sbapifs)
DRV - [2010/01/04 06:29:40 | 000,013,400 | ---- | M] (Sunbelt Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\sbaphd.sys -- (sbaphd)
DRV - [2009/10/13 09:02:36 | 000,095,024 | ---- | M] (Sunbelt Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SBREDrv.sys -- (SBRE)
DRV - [2009/01/29 17:18:00 | 000,008,320 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motccgpfl.sys -- (motccgpfl)
DRV - [2009/01/29 17:11:20 | 000,006,016 | ---- | M] (Motorola Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motfilt.sys -- (BTCFilterService)
DRV - [2008/04/28 14:48:54 | 000,202,160 | ---- | M] (Sunbelt Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\sbtis.sys -- (sbtis)
DRV - [2008/04/13 14:56:06 | 000,088,320 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
DRV - [2007/11/02 15:51:30 | 000,006,400 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motswch.sys -- (MotoSwitchService)
DRV - [2007/06/11 19:30:53 | 000,010,344 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\symlcbrd.sys -- (symlcbrd)
DRV - [2007/06/11 19:28:10 | 000,008,552 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2007/05/13 21:33:12 | 000,115,284 | ---- | M] (AppStream Inc) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\AppStream.sys -- (APPSTREAM)
DRV - [2007/03/14 22:46:26 | 000,105,472 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\nvatabus.sys -- (nvatabus)
DRV - [2006/09/27 19:27:22 | 000,031,321 | ---- | M] (Appstream Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\VSPD.sys -- (VSPD)
DRV - [2006/09/27 19:27:02 | 000,054,879 | ---- | M] (Appstream Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\RegHook.sys -- (REGHOOK)
DRV - [2006/07/27 07:24:28 | 001,171,464 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2006/03/09 07:25:00 | 000,143,872 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2005/09/08 06:20:00 | 000,094,332 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2005/09/08 06:20:00 | 000,087,036 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2005/09/08 06:20:00 | 000,086,524 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2005/09/08 06:20:00 | 000,025,628 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2005/09/08 06:20:00 | 000,014,684 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2005/09/08 06:20:00 | 000,006,364 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2005/09/08 06:20:00 | 000,002,496 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResN.SYS -- (DLADResN)
DRV - [2005/08/25 13:16:52 | 000,005,628 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2005/08/25 13:16:16 | 000,022,684 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS -- (DLARTL_N)
DRV - [2004/08/04 06:00:00 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
DRV - [2004/08/04 06:00:00 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)
DRV - [2004/02/04 11:27:56 | 000,049,536 | ---- | M] (Texas Instruments Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tiehdusb.sys -- (TIEHDUSB)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2070611
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2070611


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2070611
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2070611
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2070611
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2070611
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3177177374-1629357795-3403320260-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
IE - HKU\S-1-5-21-3177177374-1629357795-3403320260-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3177177374-1629357795-3403320260-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;192.168.*.*

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:5.0.0.6906
FF - prefs.js..extensions.enabledItems: plugin@gameplaylabs.com:1.0
FF - prefs.js..keyword.URL: "http://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q="


FF - HKLM\software\mozilla\Mozilla Firefox 3.5.19\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/05/01 23:24:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.19\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/01 23:24:36 | 000,000,000 | ---D | M]

[2008/08/30 21:04:48 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Tanya Gallant\Application Data\Mozilla\Extensions
[2011/06/13 09:12:31 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Tanya Gallant\Application Data\Mozilla\Firefox\Profiles\1ieql1sj.default\extensions
[2010/05/10 16:03:01 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Tanya Gallant\Application Data\Mozilla\Firefox\Profiles\1ieql1sj.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/06/13 09:12:24 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\Tanya Gallant\Application Data\Mozilla\Firefox\Profiles\1ieql1sj.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2011/02/10 17:05:08 | 000,000,000 | ---D | M] (Video Codec Plugin) -- C:\Documents and Settings\Tanya Gallant\Application Data\Mozilla\Firefox\Profiles\1ieql1sj.default\extensions\plugin@gameplaylabs.com
[2011/06/13 09:12:31 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/01/03 08:33:32 | 000,000,000 | ---D | M] (Skype extension) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2010/07/24 15:35:18 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/07/24 15:35:05 | 000,423,656 | ---- | M] (Oracle) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/05/23 03:22:26 | 000,395,339 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.123fporn.info
O1 - Hosts: 127.0.0.1 123fporn.info
O1 - Hosts: 127.0.0.1 17concepts.info
O1 - Hosts: 127.0.0.1 www.17concepts.info
O1 - Hosts: 127.0.0.1 247fxxx.info
O1 - Hosts: 127.0.0.1 www.247fxxx.info
O1 - Hosts: 127.0.0.1 31columns.com
O1 - Hosts: 127.0.0.1 www.31columns.com
O1 - Hosts: 127.0.0.1 www.365fporn.info
O1 - Hosts: 127.0.0.1 365fporn.info
O1 - Hosts: 127.0.0.1 www.365sites.info
O1 - Hosts: 127.0.0.1 365sites.info
O1 - Hosts: 127.0.0.1 4-open-davinci.com
O1 - Hosts: 127.0.0.1 www.4-open-davinci.com
O1 - Hosts: 127.0.0.1 500sex.info
O1 - Hosts: 127.0.0.1 www.500sex.info
O1 - Hosts: 127.0.0.1 www.555royalclub.net
O1 - Hosts: 127.0.0.1 555royalclub.net
O1 - Hosts: 127.0.0.1 www.6hporn.info
O1 - Hosts: 127.0.0.1 6hporn.info
O1 - Hosts: 127.0.0.1 www.777casinoroyal.net
O1 - Hosts: 127.0.0.1 777casinoroyal.net
O1 - Hosts: 127.0.0.1 www.777casinozbest.net
O1 - Hosts: 127.0.0.1 777casinozbest.net
O1 - Hosts: 13653 more lines...
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - File not found
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-3177177374-1629357795-3403320260-1005\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKU\S-1-5-21-3177177374-1629357795-3403320260-1005\..\Toolbar\WebBrowser: (no name) - {5BED3930-2E9E-76D8-BACC-80DF2188D455} - No CLSID value found.
O3 - HKU\S-1-5-21-3177177374-1629357795-3403320260-1005\..\Toolbar\WebBrowser: (no name) - {724D43A0-0D85-11D4-9908-00400523E39A} - No CLSID value found.
O3 - HKU\S-1-5-21-3177177374-1629357795-3403320260-1005\..\Toolbar\WebBrowser: (no name) - {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No CLSID value found.
O3 - HKU\S-1-5-21-3177177374-1629357795-3403320260-1005\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKU\S-1-5-21-3177177374-1629357795-3403320260-1005\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE (CANON INC.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe (Sunbelt Software)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: AllowLegacyWebView = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: AllowUnhashedWebView = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: no folder option = 0
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: no folder option = 0
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3177177374-1629357795-3403320260-1005\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-3177177374-1629357795-3403320260-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3177177374-1629357795-3403320260-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispBackgroundPage = 0
O7 - HKU\S-1-5-21-3177177374-1629357795-3403320260-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispScrSavPage = 0
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} http://support.dell.com/systemprofiler/SysPro.CAB (SysProWmi Class)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} http://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab (TTestGenXInstallObject)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab (Pearson Installation Assistant 2)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} http://asp.mathxl.com/books/_Players/MathPlayer.cab (Pearson MathXL Player)
O16 - DPF: Garmin Communicator Plug-In https://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.71.230 68.87.73.246
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\ASWLNDLL: DllName - ASWLNDLL.dll - C:\WINDOWS\System32\ASWLNDLL.dll (Appstream Inc.)
O24 - Desktop Components:0 () - http://by121w.bay121.mail.live.com/mail/head
O24 - Desktop Components:1 (My Current Home Page) - About:Home
O30 - LSA: Authentication Packages - (nwprovau) - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 18:15:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{42832b1f-1cdd-11e0-a921-0019b9328998}\Shell - "" = AutoRun
O33 - MountPoints2\{42832b1f-1cdd-11e0-a921-0019b9328998}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{42832b1f-1cdd-11e0-a921-0019b9328998}\Shell\AutoRun\command - "" = E:\setup.exe -a
O33 - MountPoints2\D\Shell - "" = AutoRun
O33 - MountPoints2\D\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\SETUP.EXE
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/06/09 23:45:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tanya Gallant\.realobjects
[2011/06/08 21:27:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\MINITAB 14
[2011/06/08 21:26:58 | 000,000,000 | ---D | C] -- C:\Program Files\MINITAB 14 Student
[2011/06/07 23:49:59 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Tanya Gallant\My Documents\My Videos
[2011/06/07 23:49:59 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Tanya Gallant\Start Menu\Programs\Administrative Tools
[2011/06/07 20:52:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tanya Gallant\Application Data\Malwarebytes
[2011/06/07 20:51:59 | 000,039,984 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/06/07 20:51:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/06/07 20:51:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/06/07 20:51:56 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/06/07 13:43:58 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Events
[2011/05/30 23:33:07 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Tanya Gallant\Recent
[2011/05/30 17:37:14 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/05/25 16:52:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PhotoStitch
[2011/05/24 21:46:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tanya Gallant\Application Data\ZoomBrowser EX
[2011/05/24 21:27:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tanya Gallant\Application Data\CANON INC
[2011/05/24 21:24:01 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ptpusb.dll
[2011/05/24 21:24:00 | 000,159,232 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ptpusd.dll
[2011/05/24 20:20:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tanya Gallant\Desktop\Programs
[2011/05/24 20:19:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tanya Gallant\Desktop\House
[2011/05/24 20:19:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tanya Gallant\Desktop\Kayla Camera
[2011/05/24 20:18:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tanya Gallant\Desktop\Kayla Progress Reports
[2011/05/24 20:17:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tanya Gallant\Desktop\Eel Study
[2011/05/24 20:11:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ZoomBrowser
[2008/01/16 21:35:42 | 000,774,144 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\RngInterstitial.dll
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/06/14 21:39:20 | 000,000,438 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{15C37953-52A5-4EB2-B55D-7A307F22F2E8}.job
[2011/06/14 21:33:00 | 000,054,224 | ---- | M] () -- C:\Documents and Settings\Tanya Gallant\Desktop\Rootkit Unhooker Report
[2011/06/14 21:22:19 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/06/14 21:21:38 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/06/14 09:16:05 | 000,001,010 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3177177374-1629357795-3403320260-1005UA.job
[2011/06/13 16:30:01 | 000,000,354 | ---- | M] () -- C:\WINDOWS\tasks\MotoHelper Routing.job
[2011/06/12 22:07:47 | 000,000,133 | ---- | M] () -- C:\Documents and Settings\Tanya Gallant\webct_upload_applet.properties
[2011/06/12 19:55:00 | 000,000,958 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3177177374-1629357795-3403320260-1005Core.job
[2011/06/09 01:09:40 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\NEWSOFT
[2011/06/08 21:27:32 | 000,001,631 | ---- | M] () -- C:\Documents and Settings\Tanya Gallant\Desktop\MINITAB 14 Student.lnk
[2011/06/07 23:49:30 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Tanya Gallant\defogger_reenable
[2011/06/07 13:43:58 | 000,002,388 | ---- | M] () -- C:\WINDOWS\System32\APConfig.xml
[2011/06/07 13:43:58 | 000,001,610 | ---- | M] () -- C:\WINDOWS\System32\EmailAVConfig.xml
[2011/06/07 13:43:58 | 000,001,110 | ---- | M] () -- C:\WINDOWS\System32\ServiceConfig.xml
[2011/06/07 13:43:58 | 000,000,772 | ---- | M] () -- C:\WINDOWS\System32\RegistrationConfig.xml
[2011/06/07 13:43:58 | 000,000,624 | ---- | M] () -- C:\WINDOWS\System32\ThreatDefinitionsConfig.xml
[2011/06/07 13:43:58 | 000,000,616 | ---- | M] () -- C:\WINDOWS\System32\SoftwareUpdateConfig.xml
[2011/06/07 13:43:58 | 000,000,506 | ---- | M] () -- C:\WINDOWS\System32\HIPSConfig.xml
[2011/06/07 13:43:58 | 000,000,438 | ---- | M] () -- C:\WINDOWS\System32\WSCConfig.xml
[2011/05/30 17:28:49 | 000,000,211 | ---- | M] () -- C:\boot.ini
[2011/05/29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/05/26 20:50:00 | 000,000,191 | ---- | M] () -- C:\WINDOWS\QTW.INI
[2011/05/26 16:50:45 | 000,002,322 | ---- | M] () -- C:\Documents and Settings\Tanya Gallant\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/05/25 17:40:25 | 000,009,216 | ---- | M] () -- C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/05/24 22:55:20 | 000,307,126 | ---- | M] () -- C:\Documents and Settings\Tanya Gallant\Desktop\Undergraduate-Aid.pdf
[2011/05/17 19:37:32 | 000,533,770 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/05/17 19:37:32 | 000,099,432 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/06/14 21:31:52 | 000,054,224 | ---- | C] () -- C:\Documents and Settings\Tanya Gallant\Desktop\Rootkit Unhooker Report
[2011/06/14 01:00:00 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\SBRC.dat
[2011/06/08 21:27:32 | 000,001,631 | ---- | C] () -- C:\Documents and Settings\Tanya Gallant\Desktop\MINITAB 14 Student.lnk
[2011/06/07 23:49:30 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Tanya Gallant\defogger_reenable
[2011/06/07 23:37:20 | 000,002,353 | ---- | C] () -- C:\Documents and Settings\Tanya Gallant\Application Data\Microsoft\Internet Explorer\Quick Launch\QuickTime Player.lnk
[2011/06/07 23:37:20 | 000,001,620 | ---- | C] () -- C:\Documents and Settings\Tanya Gallant\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/06/07 23:37:19 | 000,002,322 | ---- | C] () -- C:\Documents and Settings\Tanya Gallant\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/06/07 23:37:19 | 000,001,475 | ---- | C] () -- C:\Documents and Settings\Tanya Gallant\Application Data\Microsoft\Internet Explorer\Quick Launch\eBay Turbo Lister 2.lnk
[2011/06/07 23:37:19 | 000,000,815 | ---- | C] () -- C:\Documents and Settings\Tanya Gallant\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/06/07 23:37:19 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\Tanya Gallant\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Outlook.lnk
[2011/06/07 13:43:58 | 000,002,388 | ---- | C] () -- C:\WINDOWS\System32\APConfig.xml
[2011/06/07 13:43:58 | 000,001,610 | ---- | C] () -- C:\WINDOWS\System32\EmailAVConfig.xml
[2011/06/07 13:43:58 | 000,001,110 | ---- | C] () -- C:\WINDOWS\System32\ServiceConfig.xml
[2011/06/07 13:43:58 | 000,000,772 | ---- | C] () -- C:\WINDOWS\System32\RegistrationConfig.xml
[2011/06/07 13:43:58 | 000,000,624 | ---- | C] () -- C:\WINDOWS\System32\ThreatDefinitionsConfig.xml
[2011/06/07 13:43:58 | 000,000,616 | ---- | C] () -- C:\WINDOWS\System32\SoftwareUpdateConfig.xml
[2011/06/07 13:43:58 | 000,000,506 | ---- | C] () -- C:\WINDOWS\System32\HIPSConfig.xml
[2011/06/07 13:43:58 | 000,000,438 | ---- | C] () -- C:\WINDOWS\System32\WSCConfig.xml
[2011/05/30 16:42:29 | 000,190,280 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/05/24 22:55:20 | 000,307,126 | ---- | C] () -- C:\Documents and Settings\Tanya Gallant\Desktop\Undergraduate-Aid.pdf
[2011/05/24 20:13:59 | 000,314,978 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2011/03/07 14:48:45 | 000,000,025 | ---- | C] () -- C:\WINDOWS\sasf.dat
[2011/03/07 14:37:52 | 000,000,308 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\emopts.dat
[2011/01/16 16:29:09 | 000,068,800 | ---- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/10/09 14:18:58 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\fusioncache.dat
[2010/09/14 22:49:07 | 000,000,000 | ---- | C] () -- C:\WINDOWS\DVEdit.INI
[2010/08/06 01:33:04 | 000,047,616 | ---- | C] () -- C:\WINDOWS\sassr.dat
[2010/07/12 19:24:23 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\IcdSptSvps.dll
[2010/07/12 19:24:22 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\dsp_trc.dll
[2010/06/25 12:03:12 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2010/06/10 17:54:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\bartend.INI
[2010/05/09 21:02:12 | 000,018,944 | ---- | C] () -- C:\WINDOWS\System32\xrxscnui.dll
[2010/02/26 22:22:50 | 000,001,316 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\saopts.dat
[2010/02/26 22:22:37 | 000,000,440 | ---- | C] () -- C:\WINDOWS\sadefs.dat
[2010/02/26 21:29:06 | 000,026,931 | ---- | C] () -- C:\WINDOWS\jimglib.dll
[2009/08/06 14:24:01 | 000,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2009/06/13 14:53:23 | 000,000,191 | ---- | C] () -- C:\WINDOWS\QTW.INI
[2009/04/26 17:20:21 | 000,000,056 | ---- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2009/03/15 20:55:02 | 000,000,115 | ---- | C] () -- C:\Documents and Settings\Tanya Gallant\Application Data\netstat.bat
[2008/10/25 15:05:10 | 000,009,216 | ---- | C] () -- C:\Documents and Settings\Tanya Gallant\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/07/15 22:03:11 | 000,000,035 | ---- | C] () -- C:\Documents and Settings\Tanya Gallant\Application Data\Statdisk.prefs
[2008/07/15 22:02:21 | 000,131,584 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall.exe
[2008/07/15 22:02:21 | 000,017,692 | ---- | C] () -- C:\WINDOWS\System32\SpoonUninstall-DDXL.dat
[2008/05/16 17:27:22 | 000,000,384 | ---- | C] () -- C:\WINDOWS\pixcache.ini
[2007/11/21 15:12:50 | 000,001,782 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/10/16 12:27:55 | 000,000,165 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2007/09/16 14:46:40 | 000,000,035 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2007/09/16 14:27:38 | 000,000,136 | ---- | C] () -- C:\WINDOWS\ka.ini
[2007/08/31 10:08:31 | 000,000,164 | ---- | C] () -- C:\Documents and Settings\Tanya Gallant\Application Data\wklnhst.dat
[2007/07/31 20:59:47 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\IPPCPUID.DLL
[2007/07/31 20:59:21 | 000,011,776 | ---- | C] () -- C:\WINDOWS\System32\pmsbfn32.dll
[2007/07/31 20:57:10 | 000,000,416 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2007/07/09 14:57:11 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2007/06/11 19:38:25 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2007/06/11 19:28:29 | 000,000,126 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2007/06/11 19:27:39 | 000,000,335 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2007/06/11 19:10:34 | 000,077,824 | ---- | C] () -- C:\WINDOWS\setpwr32.exe
[2007/06/11 19:10:32 | 000,001,117 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/11/10 09:56:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/11 18:24:19 | 000,000,831 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/11 18:19:30 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/08/11 18:12:14 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/11 18:11:31 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/11 18:07:24 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/11 18:06:43 | 000,321,928 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/11 18:00:30 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/11 18:00:28 | 000,533,770 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/11 18:00:28 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/11 18:00:28 | 000,099,432 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/11 18:00:28 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/11 18:00:27 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/11 18:00:26 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/11 18:00:24 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/08/11 18:00:19 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/11 18:00:19 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/11 18:00:12 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/11 18:00:04 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2003/06/24 08:07:28 | 000,111,338 | ---- | C] () -- C:\WINDOWS\CheckForNewInstall.EXE
[2003/06/24 08:06:58 | 000,111,457 | ---- | C] () -- C:\WINDOWS\ParseUninstallPath.EXE
[2003/06/20 13:03:08 | 000,111,069 | ---- | C] () -- C:\WINDOWS\RunMSIEXEC.EXE
[2003/03/11 11:53:26 | 000,112,043 | ---- | C] () -- C:\WINDOWS\FixTalkTIRegistry.EXE
[2002/04/29 12:36:22 | 000,111,390 | ---- | C] () -- C:\WINDOWS\parseuninstallpath1.EXE
[2002/04/01 16:14:52 | 000,111,328 | ---- | C] () -- C:\WINDOWS\CheckForOldInstall.EXE
[2002/04/01 14:16:48 | 000,111,282 | ---- | C] () -- C:\WINDOWS\SetTrademark.EXE
[2000/10/30 11:04:00 | 000,000,209 | ---- | C] () -- C:\WINDOWS\Ic32.ini

< End of report >




OTL Extras logfile created on: 6/14/2011 9:36:41 PM - Run 1
OTL by OldTimer - Version 3.2.24.0 Folder = C:\Documents and Settings\Tanya Gallant\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.30 Gb Available Physical Memory | 65.18% Memory free
5.84 Gb Paging File | 5.25 Gb Available in Paging File | 89.84% Paging File free
Paging file location(s): C:\pagefile.sys 4092 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 229.77 Gb Total Space | 60.90 Gb Free Space | 26.51% Space Free | Partition Type: NTFS

Computer Name: TANYA | User Name: Tanya Gallant | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_USERS\S-1-5-21-3177177374-1629357795-3403320260-1005\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]


#6 tgal0786

tgal0786
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:09:35 AM

Posted 15 June 2011 - 02:09 PM

It looks like it cut off again, here is just the extra log. Thank you


OTL Extras logfile created on: 6/14/2011 9:36:41 PM - Run 1
OTL by OldTimer - Version 3.2.24.0 Folder = C:\Documents and Settings\Tanya Gallant\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.30 Gb Available Physical Memory | 65.18% Memory free
5.84 Gb Paging File | 5.25 Gb Available in Paging File | 89.84% Paging File free
Paging file location(s): C:\pagefile.sys 4092 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 229.77 Gb Total Space | 60.90 Gb Free Space | 26.51% Space Free | Partition Type: NTFS

Computer Name: TANYA | User Name: Tanya Gallant | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_USERS\S-1-5-21-3177177374-1629357795-3403320260-1005\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"3724:TCP" = 3724:TCP:*:Enabled:Blizzard Downloader: 3724
"12345:TCP" = 12345:TCP:*:Enabled:Motorola Helper

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\World of Warcraft\BackgroundDownloader.exe" = C:\Program Files\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\Curse\CurseClient.exe" = C:\Program Files\Curse\CurseClient.exe:*:Enabled:Curse Client
"C:\Program Files\World of Warcraft\Repair.exe" = C:\Program Files\World of Warcraft\Repair.exe:*:Enabled:Blizzard Repair Utility -- (Blizzard Entertainment, Inc.)
"C:\Program Files\World of Warcraft\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe" = C:\Program Files\World of Warcraft\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\World of Warcraft\Launcher.exe" = C:\Program Files\World of Warcraft\Launcher.exe:*:Enabled:Blizzard Launcher -- (Blizzard Entertainment)
"C:\Program Files\World of Warcraft\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe" = C:\Program Files\World of Warcraft\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Documents and Settings\Tanya Gallant\Local Settings\Temp\ElectronicArts_Patcher_000.exe" = C:\Documents and Settings\Tanya Gallant\Local Settings\Temp\ElectronicArts_Patcher_000.exe:*:Enabled:Command and Conquer 3 Tiberium Wars™ Launcher
"C:\Program Files\Electronic Arts\Command & Conquer 3\RetailExe\1.9\cnc3game.dat" = C:\Program Files\Electronic Arts\Command & Conquer 3\RetailExe\1.9\cnc3game.dat:*:Enabled:Command & Conquer 3 Tiberium Wars -- (Electronic Arts Inc.)
"C:\Program Files\World of Warcraft\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe" = C:\Program Files\World of Warcraft\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\World of Warcraft\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe" = C:\Program Files\World of Warcraft\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\xerox\nwwia\XrxFTPLt.exe" = C:\Program Files\xerox\nwwia\XrxFTPLt.exe:*:Enabled:XrxFTPLt -- ()
"C:\Program Files\Ares\Ares.exe" = C:\Program Files\Ares\Ares.exe:*:Enabled:Ares p2p for windows
"C:\WINDOWS\system32\java.exe" = C:\WINDOWS\system32\java.exe:*:Enabled:Java™ Platform SE binary -- (Oracle)
"C:\Program Files\Steam\steamapps\common\spelunx\Spelunx.exe" = C:\Program Files\Steam\steamapps\common\spelunx\Spelunx.exe:*:Enabled:Spelunx
"C:\Program Files\Steam\steamapps\common\manhole\MANHOLE.EXE" = C:\Program Files\Steam\steamapps\common\manhole\MANHOLE.EXE:*:Enabled:Manhole
"C:\Program Files\Steam\steamapps\common\real myst\RealMYST.exe" = C:\Program Files\Steam\steamapps\common\real myst\RealMYST.exe:*:Enabled:Real Myst
"C:\Program Files\Steam\steamapps\common\uru cc\UruExplorer.exe" = C:\Program Files\Steam\steamapps\common\uru cc\UruExplorer.exe:*:Enabled:Uru CC
"C:\Program Files\Steam\steamapps\common\riven\Riven.exe" = C:\Program Files\Steam\steamapps\common\riven\Riven.exe:*:Enabled:Riven
"C:\Program Files\Steam\steamapps\common\amnesia the dark descent\Launcher.exe" = C:\Program Files\Steam\steamapps\common\amnesia the dark descent\Launcher.exe:*:Enabled:Amnesia: The Dark Descent
"C:\Program Files\Steam\Steam.exe" = C:\Program Files\Steam\Steam.exe:*:Enabled:Steam -- (Valve Corporation)
"C:\Program Files\World of Warcraft\WoW-x.x.x.x-4.0.0.12911-Downloader.exe" = C:\Program Files\World of Warcraft\WoW-x.x.x.x-4.0.0.12911-Downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\WINDOWS\system32\fxsclnt.exe" = C:\WINDOWS\system32\fxsclnt.exe:*:Enabled:Microsoft Fax Console -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{075473F5-846A-448B-BCB3-104AA1760205}" = Roxio RecordNow Data
"{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID Sign-in Assistant
"{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}" = Symantec KB-DocID:2003093015493306
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX860_series" = Canon MX860 series MP Drivers
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Roxio DLA
"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Roxio MyDVD LE
"{26A24AE4-039D-4CA4-87B4-2F83216021FF}" = Java™ 6 Update 21
"{2A981294-F14C-4F0F-9627-D793270922F8}" = Bonjour
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{308B6AEA-DE50-4666-996D-0FA461719D6B}" = Apple Mobile Device Support
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{353D20CC-719B-4A60-AD33-D03F88C10330}" = Microsoft Office Accounting PayPal Addin
"{366E24C6-9097-4F63-BF42-3F3EF356A960}" = Photosynth 2.0.1519.16
"{3B0F52AC-EF5C-4831-B221-06C782E41280}" = Quicken 2008
"{3C0C88F5-72EE-464C-AC78-A118367FB322}" = VOIP321
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54}" = Dell CinePlayer
"{46614A49-222A-48EF-87A9-BFD603E608E1}" = Microsoft Office Accounting Fixed Asset Manager
"{46B26804-569B-4355-9678-0DDF6ADCFB0F}" = AppStream Technology Windows Edition Client
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
"{51E43DA1-CAEA-4264-9BB8-3F47ED57E2A4}" = TI InterActive!™
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{56B4002F-671C-49F4-984C-C760FE3806B5}" = Microsoft SQL Server VSS Writer
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{5B2DCBB0-5D6C-4EA5-AF75-657D6A204E4C}" = Mototools Software Update
"{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}" = Sonic Activation Module
"{5C7DF2CB-0DE0-40F5-B24F-8E59B81FFF78}" = VIPRE Antivirus
"{5FA793A6-0071-42C1-9355-8F69A428C44F}" = Microsoft Office Accounting ADP Payroll Addin
"{60C7374C-B546-45DE-A578-2E29BA8C3F1C}" = Moto Helper Service
"{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}" = AOLIcon
"{65F9E1F3-A2C1-4AA9-9F33-A3AEB0255F0E}" = Garmin USB Drivers
"{66D6F3BD-CA23-41A4-9FA3-96B26B32528C}" = Command & Conquer The First Decade
"{68658FCB-01BB-4980-A7C3-6ADB1E4E0C66}" = Browntech Image Plugin 1.99
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6C82BEFA-21A9-4CC0-9F73-93BD0F406E33}" = College Algebra Solved!
"{6CCC133E-9A2F-4CAA-8866-75D029CD3AB3}" = Digital Voice Editor 3
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8471021C-F529-43DE-84DF-3612E10F58C4}" = Remote Control USB Driver
"{868EC22E-7E82-4760-9265-3F2E705BF24B}" = League of Legends
"{881F5DE8-9367-4B81-A325-E91BBC6472F9}" = iTunes
"{8927E07C-97F7-4A54-88FB-D976F50DD46E}" = Turbo Lister 2
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A6B2F1E-6CC8-4C32-8655-8555268C5380}" = TI Package Explorer
"{8C711818-076E-475C-B95B-DF11CD9D8DBE}" = Microsoft Office Accounting Equifax Addin
"{8FB53850-246A-3507-8ADE-0060093FFEA6}" = Visual Studio Tools for the Office system 3.0 Runtime
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00B2-0409-0000-0000000FF1CE}" = Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90A40409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components
"{91120000-0014-0000-0000-0000000FF1CE}" = Microsoft Office Professional 2007
"{94CAC2F1-C856-47F4-AF24-65A1E75AEDB9}" = MotoHelper MergeModules
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A0F591C-6ACB-225D-7CEE-4C5F9BEFEB7D}" = Amazon MP3 Uploader
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A33D4D1A-6577-47EB-94B8-CAF0FE2E5A26}" = TI CellSheet Converter
"{A8B94669-8654-4126-BD28-D0D2412CDED6}" = TI Connect 1.6
"{A939D341-5A04-4E0A-BB55-3E65B386432D}" = Microsoft Office Small Business Connectivity Components
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Roxio RecordNow Audio
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1.3
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{AFF7E080-1974-45BF-9310-10DE1A1F5ED0}" = Adobe AIR
"{B0717D5A-1976-482B-9ADF-F19631A541A4}" = Microsoft Office Accounting 2007
"{B0DF58A2-40DF-4465-AA56-38623EC9938C}" = Documentation & Support Launcher
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Roxio RecordNow Copy
"{B32C4059-6E7A-41EF-AD20-56DF1872B923}" = Business Contact Manager for Outlook 2007 SP1
"{B3B2CC77-13A5-43E3-ABB3-73E6B64EC700}" = TI StudyCards Creator
"{B3B662EB-4C08-4BA2-90F2-D7CA9AB5F4E4}" = Oracle IRM Desktop 5.5.19 10gR3 PR5
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B6884A07-0305-47AE-9969-8F26FADC17DE}" = Games, Music, & Photos Launcher
"{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}" = Microsoft SQL Server Native Client
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C1E693A4-B1D5-4DCD-B68D-2087835B7184}" = ScanSoft OmniPage SE 4.0
"{C35CCBEB-5A54-4DD8-9EC8-110F2A8154B3}" = Motorola Mobile Drivers Installation 5.1.0
"{C894366E-51C4-4162-BA82-ECBEFC1C2C61}" = PayPal Plug-In
"{C9DC6CC2-C60B-465E-92D6-64070D3E1AB5}" = TI LearningCheck Creator
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}" = Skype Toolbars
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEF7211D-CE3A-44C4-B321-D84A2099AE94}" = Comcast Desktop Software (v1.2.0.9)
"{D17111CB-C992-42A9-9D56-C19395102AAA}" = Garmin WebUpdater
"{D2D6B9EB-C6DC-4DAA-B4DE-BB7D9735E7DA}" = Presto! PageManager 7.15.14
"{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}" = LiveUpdate Notice (Symantec Corporation)
"{DDDD90B2-80F2-413A-8A8E-38C5076A7DBA}" = Dragon NaturallySpeaking 9 Recorder Edition
"{DDEDAF6C-488E-4CDA-8276-1CCF5F3C5C32}" = Command & Conquer 3
"{DE057B84-3977-4107-AA5C-BD0600CDC8DF}" = MINITAB 14 Student
"{E633D396-5188-4E9D-8F6B-BFB8BF3467E8}" = Skype™ 5.0
"{E7C97E98-4C2D-BEAF-5D2F-CC45A2F95D90}" = Acrobat.com
"{E9046809-36B2-4A99-AD7F-C0C16AD773EC}" = TImeSpan Creator
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{F596C356-BF35-4ED7-981C-CC791461A8F0}" = Empire Earth II: The Art of Supremacy
"{FB64BF25-3593-4E4E-AA85-84AEF1D1475F}" = Broadcom Management Programs
"360Share Pro" = 360Share Pro(remove only)
"49CF605F02C7954F4E139D18828DE298CD59217C" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.12
"Animations_is1" = OfficeOne Animations (Pack 1) 2.3
"Barbie™ Beauty Boutique™ CD-ROM" = Barbie™ Beauty Boutique™ CD-ROM
"BarUPCs-efi_is1" = UPC Bar Code Trial, Version 5.1
"Business Contact Manager" = Business Contact Manager for Outlook 2007 SP1
"CAL" = Canon Camera Access Library
"CameraUserGuide-PSSD1400IS_IXUS130" = Canon PowerShot SD1400 IS_IXUS 130 Camera User Guide
"CameraWindowDC8" = Canon Utilities CameraWindow DC 8
"CameraWindowLauncher" = Canon Utilities CameraWindow
"CANON iMAGE GATEWAY Task" = CANON iMAGE GATEWAY Task for ZoomBrowser EX
"Canon Internet Library for ZoomBrowser EX" = Canon Internet Library for ZoomBrowser EX
"Canon MOV Decoder" = Canon MOV Decoder
"Canon MOV Encoder" = Canon MOV Encoder
"Canon MP830 User Registration" = Canon MP830 User Registration
"Canon_IJ_Network_Scan_UTILITY" = Canon IJ Network Scan Utility
"Canon_IJ_Network_UTILITY" = Canon IJ Network Tool
"CanonMyPrinter" = Canon Utilities My Printer
"CanonSolutionMenu" = Canon Utilities Solution Menu
"CCleaner" = CCleaner
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"com.amazon.music.uploader" = Amazon MP3 Uploader
"DDXL" = DDXL
"DRPU Barcode Label Maker (Professional)" = DRPU Barcode Label Maker (Professional)
"Easy-PhotoPrint EX" = Canon Utilities Easy-PhotoPrint EX
"ie8" = Windows Internet Explorer 8
"InstallShield_{DE057B84-3977-4107-AA5C-BD0600CDC8DF}" = MINITAB 14 Student
"Law & Order Justice is Served" = Law & Order Justice is Served
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.0.1200
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft Office Accounting 2007" = Microsoft Office Accounting 2007
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"MotoHelper" = MotoHelper 2.0.51 Driver 5.1.0
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"MovieUploaderForYouTube" = Canon Utilities Movie Uploader for YouTube
"Mozilla Firefox (3.5.19)" = Mozilla Firefox (3.5.19)
"MP Navigator EX 2.1" = Canon MP Navigator EX 2.1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSNINST" = MSN
"MyCamera" = Canon Utilities MyCamera
"NVIDIA Drivers" = NVIDIA Drivers
"Personal Printing Guide" = Canon Personal Printing Guide
"PhotoStitch" = Canon Utilities PhotoStitch
"PROR" = Microsoft Office Professional 2007
"RealPlayer 6.0" = RealPlayer Basic
"Schizm - mysterious journey" = Schizm - mysterious journey
"SCRABBLE Plus" = SCRABBLE Plus (remove only)
"Software Guide" = Canon DIGITAL CAMERA Solution Disk Software Guide
"tv_enua" = Lernout & Hauspie TruVoice American English TTS Engine
"TypeFaster" = TypeFaster Typing Tutor
"Video Journal_is1" = Video Journal Version 1.4
"Visual Studio Tools for the Office system 3.0 Runtime" = Visual Studio Tools for the Office system 3.0 Runtime
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"WET7Cable" = Windows Easy Transfer for Windows 7
"Where in the World Is Carmen Sandiego? Treasures of Knowledge" = Where in the World Is Carmen Sandiego? Treasures of Knowledge
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"World of Warcraft" = World of Warcraft
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Xfire" = Xfire (remove only)
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3177177374-1629357795-3403320260-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"43D873A11E3E6E1C1E31A5977B81928A57E00AD6" = eBay Excel Add-in
"Google Chrome" = Google Chrome
"Oregon Trail 5th Edition" = Oregon Trail 5th Edition

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/21/2011 11:15:33 AM | Computer Name = TANYA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 4/21/2011 8:13:29 PM | Computer Name = TANYA | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module mshtml.dll, version 8.0.6001.18928, fault address 0x000ec345.

Error - 4/25/2011 5:17:03 PM | Computer Name = TANYA | Source = MsiInstaller | ID = 1013
Description = Product: Adobe Reader 9.2 -- A process is running that cannot be shut
down by Setup. Please either close all applications and run Setup again, or restart
your computer and run Setup again.

Error - 5/5/2011 8:33:52 PM | Computer Name = TANYA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 5/15/2011 3:48:15 PM | Computer Name = TANYA | Source = Microsoft Fax | ID = 32027
Description = An error was encountered while sending a fax. This fax will not be
sent,
because the maximum number of retries has been exhausted. If you restart the transmission
and difficulties persist, please verify that the phone line, fax sending device,
and fax receiving device are working properly. Sender: Tanya Gallant. Billing code:
. Sender company: . Sender dept: . Recipient name: Allen Park Apartments. Recipient
number: 1 413 5365375. Device name: Motorola USB Modem.

Error - 5/30/2011 5:14:41 PM | Computer Name = TANYA | Source = Application Error | ID = 1000
Description = Faulting application services.exe, version 5.1.2600.5755, faulting
module ntdll.dll, version 5.1.2600.5755, fault address 0x00001f42.

Error - 5/30/2011 6:34:57 PM | Computer Name = TANYA | Source = Application Error | ID = 1000
Description = Faulting application services.exe, version 5.1.2600.5755, faulting
module ntdll.dll, version 5.1.2600.5755, fault address 0x00001de6.

Error - 5/30/2011 6:41:30 PM | Computer Name = TANYA | Source = Application Error | ID = 1000
Description = Faulting application services.exe, version 5.1.2600.5755, faulting
module ntdll.dll, version 5.1.2600.5755, fault address 0x00001de6.

Error - 5/30/2011 6:47:52 PM | Computer Name = TANYA | Source = Application Error | ID = 1000
Description = Faulting application services.exe, version 5.1.2600.5755, faulting
module ntdll.dll, version 5.1.2600.5755, fault address 0x00001f42.

Error - 6/7/2011 9:51:56 PM | Computer Name = TANYA | Source = Application Error | ID = 1000
Description = Faulting application skype.exe, version 5.0.0.156, faulting module
skype.exe, version 5.0.0.156, fault address 0x0057d84e.

[ OSession Events ]
Error - 5/19/2008 10:20:13 PM | Computer Name = TANYA | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6300.5000, Microsoft Office Version: 12.0.4518.1014. This session lasted 33
seconds with 0 seconds of active time. This session ended with a crash.

Error - 6/15/2009 12:30:03 PM | Computer Name = TANYA | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 3
seconds with 0 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 6/12/2011 6:57:01 AM | Computer Name = TANYA | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 6/12/2011 6:57:01 AM | Computer Name = TANYA | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 6/12/2011 6:57:01 AM | Computer Name = TANYA | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 6/12/2011 6:57:01 AM | Computer Name = TANYA | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 6/14/2011 1:47:51 AM | Computer Name = TANYA | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 6/14/2011 2:08:49 AM | Computer Name = TANYA | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 6/14/2011 9:23:03 PM | Computer Name = TANYA | Source = Service Control Manager | ID = 7000
Description = The MBAMProtector service failed to start due to the following error:
%%2

Error - 6/14/2011 9:23:03 PM | Computer Name = TANYA | Source = Service Control Manager | ID = 7023
Description = The Windows Driver Foundation - User-mode Driver Framework service
terminated with the following error: %%126

Error - 6/14/2011 9:23:03 PM | Computer Name = TANYA | Source = Service Control Manager | ID = 7001
Description = The MBAMService service depends on the MBAMProtector service which
failed to start because of the following error: %%2

Error - 6/14/2011 9:23:03 PM | Computer Name = TANYA | Source = Service Control Manager | ID = 7000
Description = The Symantec Core LC service failed to start due to the following
error: %%3


< End of report >

#7 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:09:35 AM

Posted 15 June 2011 - 03:59 PM

Hi!

OTL Fix

We need to run an OTL Fix
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.
    :Services
    :OTL
    SRV - File not found [Auto | Stopped] -- -- (Symantec Core LC)
    SRV - File not found [Auto | Stopped] -- -- (LiveUpdate Notice Service)
    SRV - File not found [Auto | Stopped] -- -- (LiveUpdate Notice Ex)
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
    [2010/07/24 15:35:18 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - File not found
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKU\S-1-5-21-3177177374-1629357795-3403320260-1005\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
    O3 - HKU\S-1-5-21-3177177374-1629357795-3403320260-1005\..\Toolbar\WebBrowser: (no name) - {5BED3930-2E9E-76D8-BACC-80DF2188D455} - No CLSID value found.
    O3 - HKU\S-1-5-21-3177177374-1629357795-3403320260-1005\..\Toolbar\WebBrowser: (no name) - {724D43A0-0D85-11D4-9908-00400523E39A} - No CLSID value found.
    O3 - HKU\S-1-5-21-3177177374-1629357795-3403320260-1005\..\Toolbar\WebBrowser: (no name) - {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No CLSID value found.
    O3 - HKU\S-1-5-21-3177177374-1629357795-3403320260-1005\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
    O3 - HKU\S-1-5-21-3177177374-1629357795-3403320260-1005\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: no folder option = 0
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Java Plug-in 1.5.0_06)
    O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Java Plug-in 1.6.0_03)
    O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
    O16 - DPF: Garmin Communicator Plug-In https://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB (Reg Error: Key error.)
    O24 - Desktop Components:0 () - http://by121w.bay121.mail.live.com/mail/head
    O33 - MountPoints2\{42832b1f-1cdd-11e0-a921-0019b9328998}\Shell - "" = AutoRun
    O33 - MountPoints2\{42832b1f-1cdd-11e0-a921-0019b9328998}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{42832b1f-1cdd-11e0-a921-0019b9328998}\Shell\AutoRun\command - "" = E:\setup.exe -a
    O33 - MountPoints2\D\Shell - "" = AutoRun
    O33 - MountPoints2\D\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\SETUP.EXE
    :Reg
    
    :Files
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:


Running TDSSKiller

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.


    Posted Image

  • If an infected file is detected, the default action will be Cure, click on Continue.


    Posted Image

  • If a suspicious file is detected, the default action will be Skip, click on Continue.


    Posted Image

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.


    Posted Image

  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#8 tgal0786

tgal0786
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:09:35 AM

Posted 15 June 2011 - 04:41 PM

Here is the OTL, the tdsskiller won't launch. I downloaded and extracted the contents but when I click on it to run nothing happens. Please advise. I already unchecked the box blocking it from running because it came from another computer.


========== SERVICES/DRIVERS ==========
========== OTL ==========
Service Symantec Core LC stopped successfully!
Service Symantec Core LC deleted successfully!
Service LiveUpdate Notice Service stopped successfully!
Service LiveUpdate Notice Service deleted successfully!
Service LiveUpdate Notice Ex stopped successfully!
Service LiveUpdate Notice Ex deleted successfully!
Prefs.js: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21 removed from extensions.enabledItems
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\zh-TW\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\zh-TW folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\zh-CN\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\zh-CN folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\sv-SE\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\sv-SE folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\ko-KR folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\ja-JP folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\it-IT folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\fr-FR folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\es-ES folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\en-US folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\de-DE\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\de-DE folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\content\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\content folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} folder moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5CA3D70E-1895-11CF-8E15-001234567890}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_USERS\S-1-5-21-3177177374-1629357795-3403320260-1005\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\ not found.
Registry value HKEY_USERS\S-1-5-21-3177177374-1629357795-3403320260-1005\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{5BED3930-2E9E-76D8-BACC-80DF2188D455} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5BED3930-2E9E-76D8-BACC-80DF2188D455}\ not found.
Registry value HKEY_USERS\S-1-5-21-3177177374-1629357795-3403320260-1005\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{724D43A0-0D85-11D4-9908-00400523E39A} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{724D43A0-0D85-11D4-9908-00400523E39A}\ not found.
Registry value HKEY_USERS\S-1-5-21-3177177374-1629357795-3403320260-1005\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{98279C38-DE4B-4BCF-93C9-8EC26069D6F4} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{98279C38-DE4B-4BCF-93C9-8EC26069D6F4}\ not found.
Registry value HKEY_USERS\S-1-5-21-3177177374-1629357795-3403320260-1005\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C4069E3A-68F1-403E-B40E-20066696354B}\ not found.
Registry value HKEY_USERS\S-1-5-21-3177177374-1629357795-3403320260-1005\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\no folder option deleted successfully.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control Garmin Communicator Plug-In
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Garmin Communicator Plug-In\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Garmin Communicator Plug-In\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Garmin Communicator Plug-In\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0\ deleted successfully.
File http://by121w.bay121.mail.live.com/mail/head not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{42832b1f-1cdd-11e0-a921-0019b9328998}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42832b1f-1cdd-11e0-a921-0019b9328998}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{42832b1f-1cdd-11e0-a921-0019b9328998}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42832b1f-1cdd-11e0-a921-0019b9328998}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{42832b1f-1cdd-11e0-a921-0019b9328998}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42832b1f-1cdd-11e0-a921-0019b9328998}\ not found.
File E:\setup.exe -a not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\ not found.
File D:\SETUP.EXE not found.
========== REGISTRY ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Tanya Gallant\My Documents\Downloads\cmd.bat deleted successfully.
C:\Documents and Settings\Tanya Gallant\My Documents\Downloads\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.24.0 log created on 06152011_172947

#9 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:09:35 AM

Posted 15 June 2011 - 04:48 PM

Hi!

Run this tool instead:

Running ComboFix
Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

Note: If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If for some reason these applications will not uninstall, try uninstalling with AppRemover by Opswat.
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#10 tgal0786

tgal0786
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:09:35 AM

Posted 15 June 2011 - 07:24 PM

Hello, Here is the combofix log you requested.


ComboFix 11-06-15.02 - Tanya Gallant 06/15/2011 18:34:05.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1600 [GMT -4:00]
Running from: c:\documents and settings\Tanya Gallant\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\emopts.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Tanya Gallant\WINDOWS
c:\windows\SNMPAPI.DLL
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
.
----- BITS: Possible infected sites -----
.
hxxp://au.download.windowsupdate.c
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2011-05-16 to 2011-06-16 )))))))))))))))))))))))))))))))
.
.
2011-06-15 21:29 . 2011-06-15 21:29 -------- d-----w- C:\_OTL
2011-06-10 03:45 . 2011-06-10 03:45 -------- d-----w- c:\documents and settings\Tanya Gallant\.realobjects
2011-06-09 01:26 . 2011-06-09 01:29 -------- d-----w- c:\program files\MINITAB 14 Student
2011-06-08 00:52 . 2011-06-08 00:52 -------- d-----w- c:\documents and settings\Tanya Gallant\Application Data\Malwarebytes
2011-06-08 00:51 . 2011-06-08 00:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-06-08 00:51 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-08 00:51 . 2011-06-08 00:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-07 17:43 . 2011-06-07 17:43 -------- d-----w- c:\windows\system32\Events
2011-05-30 22:28 . 2011-05-30 22:28 -------- d-----w- c:\windows\system32\wbem\Repository
2011-05-30 21:37 . 2011-05-30 21:37 388096 ----a-r- c:\documents and settings\Tanya Gallant\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-05-30 21:37 . 2011-05-30 21:37 -------- d-----w- c:\program files\Trend Micro
2011-05-25 20:52 . 2011-05-25 20:56 -------- d-----w- c:\documents and settings\All Users\Application Data\PhotoStitch
2011-05-25 01:46 . 2011-05-26 11:27 -------- d-----w- c:\documents and settings\Tanya Gallant\Application Data\ZoomBrowser EX
2011-05-25 01:27 . 2011-05-25 01:27 -------- d-----w- c:\documents and settings\Tanya Gallant\Application Data\CANON INC
2011-05-25 01:24 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2011-05-25 01:24 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-05-25 00:11 . 2011-05-25 00:11 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-12 02:15 . 2009-08-18 15:30 564632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\wlidui.dll
2011-04-12 02:15 . 2009-08-18 15:24 18328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-04-04 18:55 . 2011-05-15 20:29 20480 ----a-w- c:\windows\system32\drivers\motccgp.sys
2011-03-31 18:53 . 2011-05-15 20:29 24064 ----a-w- c:\windows\system32\drivers\motmodem.sys
2008-01-17 01:35 . 2008-01-17 01:35 774144 -c--a-w- c:\program files\RngInterstitial.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-12-03 14944136]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2010-04-19 1291600]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-03-30 8425472]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-12-12 722256]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ASWLNDLL]
2007-05-14 01:45 6656 ----a-w- c:\windows\system32\ASWLNDLL.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VOIP321.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VOIP321.lnk
backup=c:\windows\pss\VOIP321.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-12-03 21:46 14944136 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\World of Warcraft\\Repair.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\Electronic Arts\\Command & Conquer 3\\RetailExe\\1.9\\cnc3game.dat"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Program Files\\xerox\\nwwia\\XrxFTPLt.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-x.x.x.x-4.0.0.12911-Downloader.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"12345:TCP"= 12345:TCP:Motorola Helper
.
R1 APPSTREAM;APPSTREAM;c:\windows\system32\drivers\AppStream.sys [5/13/2007 9:33 PM 115284]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [5/23/2010 4:01 AM 13400]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [8/10/2008 3:09 PM 202160]
R2 AppMgrService;AWE 5.1.0 Application Manager;c:\program files\AppStream\WindowsClient\bin\AppMgrService.exe [9/27/2006 7:49 PM 1990656]
R2 MotoHelper.exe;Motorola Helper;c:\program files\Motorola\Moto Helper Service\MotoHelper.exe [9/14/2010 11:33 PM 6656]
R2 MotoHelper;MotoHelper Service;c:\program files\Motorola\MotoHelper\MotoHelperService.exe [4/26/2011 4:23 PM 223088]
R2 REGHOOK;REGHOOK;c:\windows\system32\drivers\RegHook.sys [9/27/2006 7:27 PM 54879]
R2 SBAMSvc;VIPRE Antivirus;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [4/19/2010 1:48 PM 2726000]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [5/23/2010 4:02 AM 69720]
R2 SBPIMSvc;SB Recovery Service;c:\program files\Sunbelt Software\VIPRE\SBPIMSvc.exe [4/19/2010 1:47 PM 181584]
R2 VSPD;VSPD;c:\windows\system32\drivers\VSPD.sys [9/27/2006 7:27 PM 31321]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/7/2011 8:51 PM 366640]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys [5/15/2011 4:29 PM 6016]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
S3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys --> c:\windows\system32\drivers\mbam.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/7/2011 8:51 PM 39984]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [5/15/2011 4:29 PM 20480]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [5/15/2011 4:29 PM 8320]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\Motousbnet.sys [5/15/2011 4:29 PM 23424]
S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\drivers\motusbdevice.sys [5/15/2011 4:29 PM 9472]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [10/13/2009 9:02 AM 95024]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3177177374-1629357795-3403320260-1005Core.job
- c:\documents and settings\Tanya Gallant\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-29 18:40]
.
2011-06-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3177177374-1629357795-3403320260-1005UA.job
- c:\documents and settings\Tanya Gallant\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-29 18:40]
.
2011-05-15 c:\windows\Tasks\MotoHelper MUM.job
- c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2011-04-26 20:23]
.
2011-06-15 c:\windows\Tasks\MotoHelper Routing.job
- c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2011-04-26 20:23]
.
2011-05-15 c:\windows\Tasks\MotoHelper Update.job
- c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2011-04-26 20:23]
.
2011-06-15 c:\windows\Tasks\User_Feed_Synchronization-{15C37953-52A5-4EB2-B55D-7A307F22F2E8}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://msn.com/
uInternet Settings,ProxyOverride = *.local;192.168.*.*
TCP: DhcpNameServer = 68.87.71.230 68.87.73.246
FF - ProfilePath - c:\documents and settings\Tanya Gallant\Application Data\Mozilla\Firefox\Profiles\1ieql1sj.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Video Codec Plugin: plugin@gameplaylabs.com - %profile%\extensions\plugin@gameplaylabs.com
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-360Share Pro - c:\program files\360Share Pro\bt-uninst.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-15 20:14
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3177177374-1629357795-3403320260-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:1f,48,af,db,5d,d5,0b,0e,09,3c,57,7d,b5,98,85,4b,41,ea,83,68,af,15,3c,
5a,d0,b7,44,05,38,ba,38,41,24,d9,c0,0b,ce,4f,3c,b4,a1,62,a9,da,f3,37,83,44,\
"??"=hex:98,92,76,c1,aa,88,4f,41,49,86,ff,73,28,c6,e6,0d
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1068)
c:\windows\system32\ASWLNDLL.dll
.
- - - - - - - > 'explorer.exe'(2516)
c:\windows\system32\WININET.dll
c:\program files\Sunbelt Software\VIPRE\oehook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\fxssvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Motorola\MotoHelper\MotoHelperAgent.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2011-06-15 20:21:54 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-16 00:21
.
Pre-Run: 65,324,752,896 bytes free
Post-Run: 65,619,943,424 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - FDEDBE7073293AC10233F19C81967B9C

#11 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:09:35 AM

Posted 15 June 2011 - 07:29 PM

Hi!

Looks like ComboFix has found the main culprit!

Posted Image One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to appraise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.



NEXT:



Lets see what these scans find, and see where we stand then.

Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update have been completed, Select the Scanner tab.
  • Select Perform quick scan, then click on Scan
  • Leave the default options as it is and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Checked (ticked) all items and click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT:



ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • When the Computer scan settings display shows, click the Advanced option, the place a check next to the following (if it is not already checked):
    • Enable Anti-Stealth technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as
    ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NEXT:



Security Check
Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#12 tgal0786

tgal0786
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:09:35 AM

Posted 15 June 2011 - 07:35 PM

Hi, which option would you recommend? This is a private home computer that is used for online banking. Is it reasonably likely that the system would be secure after cleaning? Thanks.

Edited by tgal0786, 15 June 2011 - 07:43 PM.


#13 tgal0786

tgal0786
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:09:35 AM

Posted 15 June 2011 - 07:36 PM

Is it possible to see how long these virus' have been on my PC? Thanks




#14 tgal0786

tgal0786
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:09:35 AM

Posted 15 June 2011 - 09:54 PM

Sorry for the delay. I misread the steps and thought they were only if I wanted to reformat. Here are the scans.


Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6865

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/15/2011 9:40:26 PM
mbam-log-2011-06-15 (21-40-26).txt

Scan type: Quick scan
Objects scanned: 186528
Time elapsed: 6 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ESET Log


C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\volsnap.sys.vir Win32/Olmasco.E trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP901\A0072727.exe a variant of Win32/Kryptik.OUF trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP910\A0079090.sys Win32/Olmasco.E trojan




Results of screen317's Security Check version 0.99.13
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
ESET Online Scanner v3
VIPRE Antivirus
Antivirus out of date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
Java™ 6 Update 21
Java™ 6 Update 3
Out of date Java installed!
Flash Player Out of Date!
Adobe Flash Player 10.0.42.34
Adobe Reader 9.1.3
Out of date Adobe Reader installed!
Mozilla Firefox (3.5.19) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Microsoft Small Business Business Contact Manager BcmSqlStartupSvc.exe
``````````End of Log````````````



#15 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:09:35 AM

Posted 16 June 2011 - 09:53 AM

Hi!

Is it reasonably likely that the system would be secure after cleaning?

The only way to ensure that the computer would be 100% secure would be to reformat and re-install.

Is it possible to see how long these virus' have been on my PC?

The best answer I can give to you is probably right around the same time you started experiencing issues with your computer.


These threat(s) below are currently in Quarantine/System Restore and shall be removed when we clean up our tools later on.

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\volsnap.sys.vir Win32/Olmasco.E trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP901\A0072727.exe a variant of Win32/Kryptik.OUF trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP910\A0079090.sys Win32/Olmasco.E trojan



____________________________________________________

From the looks of your SecurityCheck log, I can see that we have some outdated programs that need to be updated.

Lets address those programs that need updating now!

Your SecurityCheck log indicates that your version of Flash Player is outdated. This is a vulnerability that needs to be addressed. Please remove the outdated version of Flash Player and then install the latest version.

I can also see that your Anti-Virus program is out of date. I suggest you update it to the latest version.


Java Outdated
Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select your OS and Platform.
    • 32-bit Select: Windows x86 Offline.
    • 64-bit Select: Windows x64.
  • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Posted Image > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u25-windows-i586.exe to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.


NEXT



Update Adobe Reader
Earlier versions of Adobe Reader have known security flaws so it is recommended that you update your copy
  • Go to Start > Control Panel > Add/Remove Programs
  • Remove ALL instances of Adobe Reader
  • Re-boot your computer as required.
  • Once ALL versions of Adobe Reader have been uninstalled, visit: <<here>> and download the latest version of Adobe Reader
Alternative Option: after uninstalling Adobe Reader, you could try installing Foxit Reader from >here< Foxit Reader has fewer add-ons therefore loads more quickly.



NEXT:



Update FireFox
You're currently using an outdated version of Firefox. The latest version of Firefox is 3.6.17.

You can get the latest version of Firefox by accessing the Posted Image menu in Firefox and then selecting Posted Image.

Please make sure that you Posted Image again after updating to the latest version to make sure that you have in fact received the latest version.



NEXT:



OTL Fix

We need to run an OTL Fix
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.
    :Services
    :OTL
    
    :Reg
    
    :Files
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    [emptytemp]
    [EMPTYFLASH]
    
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:



OTL Custom Scan

We need to run an OTL Custom Scan
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.


    netsvcs
    drivers32
    hklm\software\clients\startmenuinternet|command /rs
    %USERPROFILE%\AppData\Local\Google\Chrome\User Data\*.* /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Push the Posted Image button.
  • A report will open. Copy and Paste that report in your next reply.


NEXT:



What outstanding issues (if any) are you still experiencing with your computer?

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users