Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google Redirect virus


  • This topic is locked This topic is locked
37 replies to this topic

#1 Austin77

Austin77

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:12:14 PM

Posted 09 November 2011 - 11:50 PM

I believe it is a system restore virus. When I first ran MBAM, it cleared PUM Hijack. Thought it was fixed but random music and random ads popped up. Unable to run DDS or but have attached GMER log.

Attached Files

  • Attached File  ark.txt   62.7KB   7 downloads


BC AdBot (Login to Remove)

 


#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,739 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:14 PM

Posted 14 November 2011 - 11:55 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Posted Image In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/427190 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Posted Image If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Collective
  • Local time:01:14 PM

Posted 15 November 2011 - 02:54 PM

Hi,

Welcome to Bleeping Computer. My name is oneof4 and I will be helping you with your log.
Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Watch Topic box to the right of your topic title and selecting Immediate Notification.


Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.


Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:

Best Regards,
oneof4.


#4 Austin77

Austin77
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:12:14 PM

Posted 15 November 2011 - 05:56 PM

I am here. GMER log posted in previous note. Unable to complete a DDS log.

#5 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Collective
  • Local time:01:14 PM

Posted 15 November 2011 - 07:02 PM

Hello Austin77, and :welcome: to the Virus/Trojan/Spyware/Malware Removal forum.

I am oneof4, and I am here to help you!

  • I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received and do not proceed if you need clarification.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems please stop and tell me about it. When your computer is clean I will alert you of such. I will also provide you with detailed suggestions for prevention.
  • At the top right-center of the topic you will see a button called Watch Topic. If you click on this, another page will open. Please choose Immediate Notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.
  • If after 5 days you have not replied to this topic, I will assume it has been abandoned, and I will close it.
  • I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. :heart: Please be courteous and appreciative for the assistance provided!
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

==========

We need to create an OTL Report

  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

If OTL does not want to run, try renaming OTL.exe to OTL.com, by right-clicking on the OTL icon and choosing Rename.

Best Regards,
oneof4.


#6 Austin77

Austin77
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:12:14 PM

Posted 15 November 2011 - 07:11 PM

OTL logfile created on: 11/15/2011 7:04:05 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Matt Tow\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.87 Gb Total Physical Memory | 1.05 Gb Available Physical Memory | 55.94% Memory free
3.72 Gb Paging File | 2.99 Gb Available in Paging File | 80.29% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 56.58 Gb Free Space | 75.91% Space Free | Partition Type: NTFS
Drive S: | 186.30 Gb Total Space | 162.68 Gb Free Space | 87.32% Space Free | Partition Type: NTFS

Computer Name: MATTTOW | User Name: Matt Tow | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/11/15 19:03:57 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Matt Tow\Desktop\OTL.exe
PRC - [2011/11/08 19:59:39 | 000,161,664 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe
PRC - [2011/08/22 05:39:44 | 002,995,568 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2tray.exe
PRC - [2011/08/22 05:39:42 | 000,946,032 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2svc.exe
PRC - [2011/08/22 05:39:36 | 002,120,048 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2pre.exe
PRC - [2011/08/22 05:39:28 | 001,686,384 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2comm.exe
PRC - [2011/08/11 18:38:07 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASCore.exe
PRC - [2009/12/18 10:25:16 | 000,189,736 | ---- | M] (Seagate Technology LLC) -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
PRC - [2008/08/16 16:44:56 | 000,308,536 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Citrix\ICA Client\wfcrun32.exe
PRC - [2008/08/16 16:44:50 | 001,127,736 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Citrix\ICA Client\wfica32.exe
PRC - [2008/04/14 07:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/06/23 18:27:18 | 000,019,648 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2005/06/02 08:21:46 | 000,161,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2005/06/02 08:21:40 | 000,185,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe


========== Modules (No Company Name) ==========

MOD - [2010/02/05 13:27:45 | 001,291,776 | ---- | M] () -- C:\WINDOWS\system32\quartz.dll
MOD - [2008/08/16 16:42:12 | 000,091,448 | ---- | M] () -- C:\Program Files\Citrix\ICA Client\confmgr.dll
MOD - [2008/08/16 16:42:08 | 000,020,800 | ---- | M] () -- C:\Program Files\Citrix\ICA Client\ctxlogging.dll
MOD - [2008/08/01 13:48:00 | 000,466,944 | ---- | M] () -- C:\WINDOWS\system32\nvshell.dll
MOD - [2008/07/24 21:26:39 | 000,291,840 | ---- | M] () -- C:\WINDOWS\system32\sbe.dll
MOD - [2008/04/14 07:42:00 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll
MOD - [2008/04/14 07:41:52 | 000,059,904 | ---- | M] () -- C:\WINDOWS\system32\devenum.dll
MOD - [2006/10/26 12:56:46 | 000,757,008 | ---- | M] () -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSPTLS.DLL


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (WinVNC4)
SRV - File not found [Auto | Stopped] -- -- (HidServ)
SRV - [2011/11/08 19:59:39 | 000,161,664 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2011/08/22 05:39:42 | 000,946,032 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [Auto | Running] -- C:\Program Files\Citrix\GoToMyPC\g2svc.exe -- (GoToMyPC)
SRV - [2011/08/11 18:38:07 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE -- (!SASCORE)
SRV - [2010/07/15 15:57:46 | 000,013,160 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\615\g2aservice.exe -- (GoToAssist)
SRV - [2009/12/18 10:25:16 | 000,189,736 | ---- | M] (Seagate Technology LLC) [Auto | Running] -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe -- (FreeAgentGoNext Service)
SRV - [2005/06/23 18:27:30 | 000,124,608 | ---- | M] (symantec) [On_Demand | Stopped] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2005/06/23 18:27:28 | 001,715,904 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2005/06/23 18:27:18 | 000,019,648 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2005/06/02 08:21:46 | 000,161,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2005/06/02 08:21:46 | 000,083,568 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc)
SRV - [2005/06/02 08:21:40 | 000,185,968 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2005/04/22 11:03:28 | 000,206,552 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2005/03/30 20:48:22 | 000,992,864 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)


========== Driver Services (SafeList) ==========

DRV - [2011/07/22 11:27:02 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2011/07/12 16:55:22 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2011/04/18 03:00:00 | 001,393,144 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110428.002\NAVEX15.SYS -- (NAVEX15)
DRV - [2011/04/18 03:00:00 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110428.002\NAVENG.SYS -- (NAVENG)
DRV - [2010/06/02 03:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2008/08/01 10:36:00 | 000,054,784 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2008/08/01 10:36:00 | 000,022,016 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2008/05/08 20:23:00 | 000,238,080 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\viahduaa.sys -- (VIAHdAudAddService)
DRV - [2008/05/06 15:06:00 | 000,011,520 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wdcsam.sys -- (WDC_SAM)
DRV - [2008/02/14 13:12:00 | 001,389,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\monfilt.sys -- (monfilt)
DRV - [2005/05/13 18:50:10 | 000,123,488 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2005/04/22 11:03:02 | 000,267,192 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2005/04/22 11:03:00 | 000,017,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2005/03/30 20:48:20 | 000,372,832 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2005/03/16 01:23:54 | 000,013,696 | ---- | M] (BIOSTAR Group) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\BIOS.sys -- (BIOS)
DRV - [2005/02/04 19:14:32 | 000,053,896 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2005/02/04 19:14:30 | 000,324,232 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 42 03 E9 76 91 F7 CA 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.google.com"
FF - prefs.js..extensions.enabledItems: facebookfilter@chocolatesoftware.com:2.2.12
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: firefox@ghostery.com:2.5.3
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:2.1.0.5


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/11/10 18:35:10 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/06/23 11:11:17 | 000,000,000 | ---D | M]

[2011/01/02 18:51:20 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Matt Tow\Application Data\Mozilla\Extensions
[2011/01/02 18:51:20 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Matt Tow\Application Data\Mozilla\Extensions\{CE7C5936-039A-4e5e-9D37-F68E22137A2A}
[2011/11/10 18:35:14 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Matt Tow\Application Data\Mozilla\Firefox\Profiles\2fah3qzd.default\extensions
[2010/08/25 14:19:38 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Matt Tow\Application Data\Mozilla\Firefox\Profiles\2fah3qzd.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/11/07 17:19:08 | 000,000,000 | ---D | M] (Ghostery) -- C:\Documents and Settings\Matt Tow\Application Data\Mozilla\Firefox\Profiles\2fah3qzd.default\extensions\firefox@ghostery.com
[2011/11/08 20:00:15 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/11/08 20:00:01 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA}
() (No name found) -- C:\DOCUMENTS AND SETTINGS\MATT TOW\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\2FAH3QZD.DEFAULT\EXTENSIONS\{73A6FE31-595D-460B-A920-FCC0F8843232}.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\MATT TOW\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\2FAH3QZD.DEFAULT\EXTENSIONS\FACEBOOKFILTER@CHOCOLATESOFTWARE.COM.XPI
[2011/11/10 18:35:10 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2008/08/16 16:42:02 | 000,070,456 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\CgpCore.dll
[2008/08/16 16:42:12 | 000,091,448 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\confmgr.dll
[2008/08/16 16:42:08 | 000,020,800 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\ctxlogging.dll
[2008/05/21 07:41:08 | 000,479,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\msvcm80.dll
[2008/05/21 07:41:08 | 000,548,864 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\msvcp80.dll
[2008/05/21 07:41:08 | 000,626,688 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\msvcr80.dll
[2011/11/08 19:59:39 | 000,611,224 | ---- | M] (Oracle Corporation) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2008/08/16 16:44:46 | 000,427,312 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npicaN.dll
[2008/08/16 16:42:04 | 000,023,864 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\TcpPServ.dll
[2011/05/31 15:22:40 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/11/10 18:35:10 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2011/05/02 19:29:35 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKCU..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil10t_ActiveX.exe (Adobe Systems, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html File not found
O15 - HKCU\..Trusted Domains: accessallstate.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: aicpcu.org ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: allstate.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: allstate.com ([agencygateway] * in Trusted sites)
O15 - HKCU\..Trusted Domains: allstate.com ([agencygateway1] * in Trusted sites)
O15 - HKCU\..Trusted Domains: allstate.com ([agencygateway2] * in Trusted sites)
O15 - HKCU\..Trusted Domains: allstate.com ([allianceweb] * in Trusted sites)
O15 - HKCU\..Trusted Domains: allstate.com ([mymail] * in Trusted sites)
O15 - HKCU\..Trusted Domains: allstate.com ([webmail] * in Trusted sites)
O15 - HKCU\..Trusted Domains: allstateagencies.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: allstatehelp.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: allstateinsurance.skillwsa.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: allstate-lcec.lrn.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: bisyseducation.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: custhelp.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: elementk.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: gotoassist.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: insmark.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: insmark.us ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: insmarkstore.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: learn.net ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: nicta.org ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: sumtotalsystems.com ([]* in Trusted sites)
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} http://www.alternatiff.com/distribution/alternatiff-ax-w32-2.0.1.cab (AlternaTIFF ActiveX)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab (Java Plug-in 1.7.0_01)
O16 - DPF: {CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab (Java Plug-in 1.7.0_01)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab (Java Plug-in 1.7.0_01)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6AB7E3A0-F252-4A5D-A5B8-871E7B46B3C7}: NameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\GoToAssist: DllName - (C:\Program Files\Citrix\GoToAssist\615\G2AWinLogon.dll) - C:\Program Files\Citrix\GoToAssist\615\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O20 - Winlogon\Notify\GoToMyPC: DllName - (C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll) - C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O20 - Winlogon\Notify\NavLogon: DllName - (C:\WINDOWS\system32\NavLogon.dll) - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Matt Tow\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Matt Tow\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/05/05 10:44:42 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/11/15 19:03:56 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Matt Tow\Desktop\OTL.exe
[2011/11/15 01:54:31 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Matt Tow\Desktop\dds.scr
[2011/11/10 13:29:32 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/11/09 10:08:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/11/09 10:08:36 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/11/08 20:37:23 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/11/08 20:37:23 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/11/08 20:37:22 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/11/08 20:37:22 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/11/08 20:16:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Matt Tow\Local Settings\Application Data\Sun
[2011/11/08 20:00:24 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2011/11/08 19:59:59 | 000,214,408 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaws.exe
[2011/11/08 19:59:59 | 000,128,000 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javacpl.cpl
[2011/11/08 19:59:58 | 000,173,960 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2011/11/08 19:59:58 | 000,173,960 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2011/11/08 19:58:39 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2011/11/08 17:39:38 | 000,000,000 | ---D | C] -- C:\Program Files\VS Revo Group
[2011/11/06 09:55:22 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Matt Tow\Desktop\Combo-Fix18855C
[2011/11/05 21:10:01 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Matt Tow\Desktop\Combo-Fix1216C
[2011/11/05 20:41:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Matt Tow\Application Data\SUPERAntiSpyware.com
[2011/11/05 20:39:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Matt Tow\Start Menu\Programs\SUPERAntiSpyware
[2011/11/05 20:39:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2011/11/05 20:39:55 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2011/11/04 16:11:04 | 000,000,000 | ---D | C] -- C:\Program Files\trend micro
[2011/11/04 15:16:08 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Matt Tow\Desktop\Combo-Fix16711C
[2011/11/04 15:02:53 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Matt Tow\Start Menu\Programs\Administrative Tools
[2011/11/04 14:59:19 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Matt Tow\Recent
[2011/11/04 13:31:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Matt Tow\Start Menu\Programs\System Restore

========== Files - Modified Within 30 Days ==========

[2011/11/15 19:03:57 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Matt Tow\Desktop\OTL.exe
[2011/11/15 18:14:01 | 000,000,890 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/11/15 17:51:47 | 000,000,373 | ---- | M] () -- C:\Documents and Settings\Matt Tow\Desktop\Shortcut to Database.lnk
[2011/11/15 16:42:51 | 000,188,791 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/11/15 16:42:20 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/11/15 16:42:19 | 000,000,392 | ---- | M] () -- C:\WINDOWS\tasks\Final Media Player Update Checker.job
[2011/11/15 16:41:47 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/11/15 13:31:30 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/11/15 01:54:32 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Matt Tow\Desktop\dds.scr
[2011/11/14 10:29:45 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/11/11 13:15:12 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Matt Tow\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/11/10 03:01:53 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/11/08 20:09:59 | 000,270,192 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/11/08 19:59:39 | 000,214,408 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaws.exe
[2011/11/08 19:59:39 | 000,173,960 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2011/11/08 19:59:39 | 000,173,960 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2011/11/08 19:59:39 | 000,128,000 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javacpl.cpl
[2011/11/08 19:59:38 | 000,544,656 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\deployJava1.dll
[2011/11/08 17:28:08 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Matt Tow\defogger_reenable
[2011/11/07 22:48:26 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/11/07 11:06:45 | 000,444,794 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/11/07 11:06:45 | 000,072,544 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/11/04 15:14:04 | 000,054,016 | ---- | M] () -- C:\WINDOWS\System32\drivers\eqjuo.sys
[2011/11/04 13:31:09 | 000,000,296 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjk
[2011/11/04 13:31:09 | 000,000,200 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjkr
[2011/11/04 13:31:08 | 000,000,857 | ---- | M] () -- C:\Documents and Settings\Matt Tow\Application Data\Microsoft\Internet Explorer\Quick Launch\System Restore.lnk
[2011/11/04 13:30:55 | 000,000,336 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk

========== Files Created - No Company Name ==========

[2011/11/11 13:15:12 | 000,000,815 | ---- | C] () -- C:\Documents and Settings\Matt Tow\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/11/08 20:37:23 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/11/08 20:37:23 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/11/08 20:37:23 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/11/08 20:37:23 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/11/08 20:37:23 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/11/08 17:28:08 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Matt Tow\defogger_reenable
[2011/11/04 18:20:15 | 000,000,175 | ---- | C] () -- C:\Documents and Settings\Matt Tow\Desktop\Gateway Support.url
[2011/11/04 15:14:04 | 000,054,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\eqjuo.sys
[2011/11/04 15:07:18 | 000,001,620 | ---- | C] () -- C:\Documents and Settings\Matt Tow\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/11/04 15:07:18 | 000,000,796 | ---- | C] () -- C:\Documents and Settings\Matt Tow\Application Data\Microsoft\Internet Explorer\Quick Launch\FinalMediaPlayer.lnk
[2011/11/04 15:07:18 | 000,000,530 | ---- | C] () -- C:\Documents and Settings\Matt Tow\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to Show Desktop.lnk
[2011/11/04 15:07:11 | 000,002,315 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
[2011/11/04 15:07:11 | 000,001,986 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\MSN.lnk
[2011/11/04 15:07:11 | 000,000,855 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\HD ADeck.lnk
[2011/11/04 15:07:11 | 000,000,786 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Movie Maker.lnk
[2011/11/04 15:07:11 | 000,000,738 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Acrobat_com.lnk
[2011/11/04 15:07:11 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2011/11/04 15:07:11 | 000,000,609 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Messenger.lnk
[2011/11/04 14:19:33 | 000,000,857 | ---- | C] () -- C:\Documents and Settings\Matt Tow\Application Data\Microsoft\Internet Explorer\Quick Launch\System Restore.lnk
[2011/11/04 13:31:09 | 000,000,200 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjkr
[2011/11/04 13:31:08 | 000,000,296 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~6DSS92c31Apgjk
[2011/11/04 13:30:55 | 000,000,336 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk
[2011/04/28 21:09:54 | 000,015,438 | -HS- | C] () -- C:\Documents and Settings\Matt Tow\Local Settings\Application Data\m1dj00v761qom4ai5t3j52u8uojj8as03fy75t5
[2011/04/28 21:09:54 | 000,015,438 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\m1dj00v761qom4ai5t3j52u8uojj8as03fy75t5
[2011/04/28 20:46:51 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Pqilewapanuva.dat
[2011/04/28 20:46:51 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Rzunise.bin
[2011/04/12 17:08:26 | 000,018,878 | -HS- | C] () -- C:\Documents and Settings\Matt Tow\Local Settings\Application Data\2086665996
[2011/04/12 17:08:26 | 000,018,878 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\2086665996
[2010/07/20 09:49:12 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/05/22 12:48:43 | 000,131,072 | ---- | C] () -- C:\WINDOWS\System32\hpsfs.dll
[2010/05/21 15:26:25 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2010/05/19 15:30:36 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/05/19 14:48:09 | 000,004,984 | ---- | C] () -- C:\WINDOWS\System32\drivers\nvphy.bin
[2010/05/19 14:47:45 | 000,001,769 | ---- | C] () -- C:\WINDOWS\Language_trs.ini
[2010/05/19 14:36:42 | 001,630,208 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2010/05/19 14:36:40 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2010/05/19 14:36:40 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2010/05/19 14:36:36 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2010/05/19 14:36:33 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2010/05/19 14:36:30 | 001,486,848 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2010/05/19 14:36:29 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2010/05/19 14:36:15 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2010/05/19 14:36:11 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2010/05/05 10:49:54 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/05/05 10:42:00 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/05/05 06:35:53 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/05/05 06:34:46 | 000,270,192 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/08/07 09:15:34 | 000,000,036 | ---- | C] () -- C:\WINDOWS\webica.ini
[2008/04/14 07:55:28 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008/04/09 16:00:30 | 000,053,478 | ---- | C] () -- C:\WINDOWS\mvtcpui.ini
[2008/02/07 09:05:18 | 000,163,840 | ---- | C] () -- C:\WINDOWS\System32\hppatusg01.dll
[2006/12/31 09:57:08 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/04 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 07:00:00 | 000,444,794 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 07:00:00 | 000,072,544 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 07:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

< End of report >

OTL Extras logfile created on: 11/15/2011 7:04:05 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Matt Tow\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.87 Gb Total Physical Memory | 1.05 Gb Available Physical Memory | 55.94% Memory free
3.72 Gb Paging File | 2.99 Gb Available in Paging File | 80.29% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 56.58 Gb Free Space | 75.91% Space Free | Partition Type: NTFS
Drive S: | 186.30 Gb Total Space | 162.68 Gb Free Space | 87.32% Space Free | Partition Type: NTFS

Computer Name: MATTTOW | User Name: Matt Tow | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- "C:\Program Files\File Type Assistant\tsassist.exe" "%1" (Trusted Software ApS)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiMalware]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{11E94FDB-C895-45F1-B756-1C9B8C36C8F1}" = Microsoft IntelliType Pro 7.1
"{13F00518-807A-4B3A-83B0-A7CD90F3A398}" = MarketResearch
"{20D4A895-748C-4D88-871C-FDB1695B0169}" = Platform
"{26A24AE4-039D-4CA4-87B4-2F83217001FF}" = Java™ 7 Update 1
"{3248E093-5288-4CA9-B3AB-11A675FEA1F9}" = Symantec AntiVirus
"{32A3A4F4-B792-11D6-A78A-00B0D0170010}" = Java™ SE Development Kit 7 Update 1
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3F5CFC1C-653B-4B22-9153-2BDDF2E03C0E}" = Seagate Manager Installer
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{58F4D4FD-1814-4068-B316-C28FC776C6DD}" = GoToMyPC
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{7057ABC2-EFF3-4E43-9806-8BCB6EEA9FE6}" = Microsoft IntelliPoint 7.1
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7902E313-FF0F-4493-ACB1-A8147B78DCD0}" = HPSSupply
"{7CA4F780-7AD0-417A-82A1-46EB825CFD53}" = HP Managed Printing Admin
"{8CB35C7E-E506-4DC4-8E39-7DFC4E826C45}" = hppusgP2030
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A82D052A-0806-42DF-80CD-1730A1AC0ED3}" = MrvlUsgTracking
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-AA0000000001}" = Adobe Reader X (10.0.1)
"{B43357AA-3A6D-4D94-B56E-43C44D09E548}" = Microsoft .NET Framework (English) v1.0.3705
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C165C324-8139-4FA5-B99B-3321B4F4C918}" = Go Gateway Install
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1 SP1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D7EC8A27-CDA2-46AE-8A26-4104A04FA5BE}" = 32 Bit HP CIO Components Installer
"{EBFEEB3F-3E3B-4725-A4E0-376144CE4F76}" = Citrix XenApp Web Plugin
"{F8131A35-47FD-27AD-116D-0E79AF5DE5EE}" = Acrobat.com
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Carbonite Setup Lite" = Carbonite Online Backup Setup
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"ENTERPRISE" = Microsoft Office Enterprise 2007
"ESET Online Scanner" = ESET Online Scanner v3
"FinalMediaPlayer_is1" = Final Media Player 2011
"GoToAssist" = GoToAssist Corporate
"HP LaserJet P2030 Series" = HP LaserJet P2030 Series
"ie8" = Windows Internet Explorer 8
"InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}" = VIA Platform Device Manager
"InstallShield_{3F5CFC1C-653B-4B22-9153-2BDDF2E03C0E}" = Seagate Manager Installer
"LiveUpdate" = LiveUpdate 2.6 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox 8.0 (x86 en-US)" = Mozilla Firefox 8.0 (x86 en-US)
"NVIDIA Drivers" = NVIDIA Drivers
"Trusted Software Assistant_is1" = File Type Assistant
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"ce0092d39b7c084e" = Go Gateway
"SEMCAT" = SEMCAT

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/10/2011 4:59:09 PM | Computer Name = MATTTOW | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module unknown, version
0.0.0.0, fault address 0x00000000.

Error - 11/11/2011 10:49:13 AM | Computer Name = MATTTOW | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module mshtml.dll, version 8.0.6001.19154, fault address 0x001bad27.

Error - 11/12/2011 1:04:56 PM | Computer Name = MATTTOW | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module mshtml.dll, version 8.0.6001.19154, fault address 0x000262c6.

Error - 11/12/2011 2:46:33 PM | Computer Name = MATTTOW | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module unknown, version 0.0.0.0, fault address 0x01712762.

Error - 11/12/2011 5:18:26 PM | Computer Name = MATTTOW | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module unknown, version
0.0.0.0, fault address 0x00000000.

Error - 11/14/2011 11:31:57 AM | Computer Name = MATTTOW | Source = Media Center Scheduler | ID = 0
Description =

Error - 11/14/2011 2:59:44 PM | Computer Name = MATTTOW | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 11/14/2011 11:03:30 PM | Computer Name = MATTTOW | Source = Application Hang | ID = 1002
Description = Hanging application MSACCESS.EXE, version 12.0.4518.1014, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 11/14/2011 11:03:58 PM | Computer Name = MATTTOW | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 8.0.0.4325, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 11/15/2011 6:51:01 AM | Computer Name = MATTTOW | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module jvm.dll, version 21.1.0.2, fault address 0x0006591a.

[ OSession Events ]
Error - 11/30/2010 6:16:47 PM | Computer Name = TOW-4223653FA74 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 625
seconds with 60 seconds of active time. This session ended with a crash.

Error - 1/20/2011 6:24:16 PM | Computer Name = TOW-4223653FA74 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 187
seconds with 120 seconds of active time. This session ended with a crash.

Error - 1/20/2011 6:28:31 PM | Computer Name = TOW-4223653FA74 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 190
seconds with 120 seconds of active time. This session ended with a crash.

Error - 4/21/2011 3:26:47 PM | Computer Name = MATTTOW | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 2, Application Name: Microsoft Office Access, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 2115
seconds with 60 seconds of active time. This session ended with a crash.

Error - 8/31/2011 8:07:31 PM | Computer Name = MATTTOW | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 2, Application Name: Microsoft Office Access, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 1567
seconds with 960 seconds of active time. This session ended with a crash.

Error - 9/28/2011 1:33:55 PM | Computer Name = MATTTOW | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 2, Application Name: Microsoft Office Access, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 14919
seconds with 960 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 11/14/2011 2:27:43 PM | Computer Name = MATTTOW | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126

Error - 11/14/2011 2:32:02 PM | Computer Name = MATTTOW | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126

Error - 11/14/2011 2:49:33 PM | Computer Name = MATTTOW | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126

Error - 11/14/2011 2:57:53 PM | Computer Name = MATTTOW | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126

Error - 11/14/2011 3:02:43 PM | Computer Name = MATTTOW | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126

Error - 11/14/2011 11:07:16 PM | Computer Name = MATTTOW | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126

Error - 11/15/2011 12:13:57 AM | Computer Name = MATTTOW | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126

Error - 11/15/2011 1:26:52 AM | Computer Name = MATTTOW | Source = TermService | ID = 1006
Description = The terminal server received large number of incomplete connections.
The system may be under attack.

Error - 11/15/2011 12:00:47 PM | Computer Name = MATTTOW | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126

Error - 11/15/2011 5:43:03 PM | Computer Name = MATTTOW | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126


< End of report >

#7 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Collective
  • Local time:01:14 PM

Posted 16 November 2011 - 09:11 AM

Hello Austin77 :)

I notice that you have run ComboFix. This was a very risky move, as tools such as ComboFix run unsupervised can do more harm than good. Hopefully, this won't be the case with your machine.

I would like to see the log from your CF run, if you still have it. It will be at the following location: C:\Combofix\Combofix.txt

Just open the file with Notepad, and copy and paste it into your reply.

==========

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

Best Regards,
oneof4.


#8 Austin77

Austin77
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:12:14 PM

Posted 16 November 2011 - 11:32 AM

- No log was generated for combofix previously.



11:23:33.0453 2168 TDSS rootkit removing tool 2.6.19.0 Nov 16 2011 12:18:50
11:23:33.0875 2168 ============================================================
11:23:33.0875 2168 Current date / time: 2011/11/16 11:23:33.0875
11:23:33.0875 2168 SystemInfo:
11:23:33.0875 2168
11:23:33.0875 2168 OS Version: 5.1.2600 ServicePack: 3.0
11:23:33.0875 2168 Product type: Workstation
11:23:33.0875 2168 ComputerName: MATTTOW
11:23:33.0875 2168 UserName: Matt Tow
11:23:33.0875 2168 Windows directory: C:\WINDOWS
11:23:33.0875 2168 System windows directory: C:\WINDOWS
11:23:33.0875 2168 Processor architecture: Intel x86
11:23:33.0875 2168 Number of processors: 2
11:23:33.0875 2168 Page size: 0x1000
11:23:33.0875 2168 Boot type: Normal boot
11:23:33.0875 2168 ============================================================
11:23:35.0156 2168 Initialize success
11:23:43.0593 2192 ============================================================
11:23:43.0593 2192 Scan started
11:23:43.0593 2192 Mode: Manual;
11:23:43.0593 2192 ============================================================
11:23:44.0796 2192 Abiosdsk - ok
11:23:44.0812 2192 abp480n5 - ok
11:23:44.0890 2192 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
11:23:44.0890 2192 ACPI - ok
11:23:44.0921 2192 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
11:23:44.0921 2192 ACPIEC - ok
11:23:44.0937 2192 adpu160m - ok
11:23:45.0000 2192 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
11:23:45.0015 2192 aec - ok
11:23:45.0062 2192 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
11:23:45.0062 2192 AFD - ok
11:23:45.0078 2192 Aha154x - ok
11:23:45.0093 2192 aic78u2 - ok
11:23:45.0109 2192 aic78xx - ok
11:23:45.0109 2192 AliIde - ok
11:23:45.0125 2192 amsint - ok
11:23:45.0140 2192 asc - ok
11:23:45.0156 2192 asc3350p - ok
11:23:45.0171 2192 asc3550 - ok
11:23:45.0250 2192 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
11:23:45.0250 2192 AsyncMac - ok
11:23:45.0296 2192 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
11:23:45.0296 2192 atapi - ok
11:23:45.0312 2192 Atdisk - ok
11:23:45.0328 2192 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
11:23:45.0343 2192 Atmarpc - ok
11:23:45.0390 2192 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
11:23:45.0390 2192 audstub - ok
11:23:45.0437 2192 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
11:23:45.0453 2192 Beep - ok
11:23:45.0453 2192 BIOS (be5d50529799b9bab6be879ec768b6cf) C:\WINDOWS\system32\drivers\BIOS.sys
11:23:45.0468 2192 BIOS - ok
11:23:45.0609 2192 catchme - ok
11:23:45.0656 2192 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
11:23:45.0656 2192 cbidf2k - ok
11:23:45.0671 2192 cd20xrnt - ok
11:23:45.0734 2192 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
11:23:45.0750 2192 Cdaudio - ok
11:23:45.0796 2192 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
11:23:45.0796 2192 Cdfs - ok
11:23:45.0812 2192 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
11:23:45.0828 2192 Cdrom - ok
11:23:45.0828 2192 Changer - ok
11:23:45.0843 2192 CmdIde - ok
11:23:45.0875 2192 Cpqarray - ok
11:23:45.0890 2192 dac2w2k - ok
11:23:45.0906 2192 dac960nt - ok
11:23:45.0921 2192 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
11:23:45.0921 2192 Disk - ok
11:23:46.0031 2192 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
11:23:46.0078 2192 dmboot - ok
11:23:46.0078 2192 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
11:23:46.0078 2192 dmio - ok
11:23:46.0093 2192 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
11:23:46.0093 2192 dmload - ok
11:23:46.0140 2192 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
11:23:46.0140 2192 DMusic - ok
11:23:46.0171 2192 dpti2o - ok
11:23:46.0187 2192 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
11:23:46.0187 2192 drmkaud - ok
11:23:46.0312 2192 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
11:23:46.0328 2192 eeCtrl - ok
11:23:46.0468 2192 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
11:23:46.0468 2192 Fastfat - ok
11:23:46.0500 2192 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
11:23:46.0500 2192 Fdc - ok
11:23:46.0546 2192 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
11:23:46.0546 2192 Fips - ok
11:23:46.0562 2192 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
11:23:46.0562 2192 Flpydisk - ok
11:23:46.0578 2192 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
11:23:46.0578 2192 FltMgr - ok
11:23:46.0640 2192 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
11:23:46.0640 2192 Fs_Rec - ok
11:23:46.0640 2192 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
11:23:46.0656 2192 Ftdisk - ok
11:23:46.0703 2192 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
11:23:46.0703 2192 Gpc - ok
11:23:46.0765 2192 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
11:23:46.0765 2192 HDAudBus - ok
11:23:46.0812 2192 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
11:23:46.0828 2192 HidUsb - ok
11:23:46.0828 2192 hpn - ok
11:23:46.0890 2192 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
11:23:46.0890 2192 HTTP - ok
11:23:46.0906 2192 i2omgmt - ok
11:23:46.0921 2192 i2omp - ok
11:23:46.0968 2192 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
11:23:46.0984 2192 i8042prt - ok
11:23:47.0000 2192 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
11:23:47.0015 2192 Imapi - ok
11:23:47.0031 2192 ini910u - ok
11:23:47.0031 2192 IntelIde - ok
11:23:47.0062 2192 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
11:23:47.0062 2192 intelppm - ok
11:23:47.0109 2192 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
11:23:47.0125 2192 Ip6Fw - ok
11:23:47.0140 2192 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
11:23:47.0156 2192 IpFilterDriver - ok
11:23:47.0156 2192 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
11:23:47.0171 2192 IpInIp - ok
11:23:47.0187 2192 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
11:23:47.0203 2192 IpNat - ok
11:23:47.0250 2192 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
11:23:47.0250 2192 IPSec - ok
11:23:47.0296 2192 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
11:23:47.0296 2192 IRENUM - ok
11:23:47.0312 2192 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
11:23:47.0312 2192 isapnp - ok
11:23:47.0328 2192 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
11:23:47.0328 2192 Kbdclass - ok
11:23:47.0343 2192 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
11:23:47.0359 2192 kbdhid - ok
11:23:47.0406 2192 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
11:23:47.0406 2192 kmixer - ok
11:23:47.0421 2192 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
11:23:47.0437 2192 KSecDD - ok
11:23:47.0437 2192 lbrtfdc - ok
11:23:47.0500 2192 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
11:23:47.0500 2192 mnmdd - ok
11:23:47.0546 2192 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
11:23:47.0546 2192 Modem - ok
11:23:47.0625 2192 monfilt (9fa7207d1b1adead88ae8eed9cdbbaa5) C:\WINDOWS\system32\drivers\monfilt.sys
11:23:47.0703 2192 monfilt - ok
11:23:47.0750 2192 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
11:23:47.0750 2192 Mouclass - ok
11:23:47.0796 2192 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
11:23:47.0796 2192 mouhid - ok
11:23:47.0812 2192 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
11:23:47.0812 2192 MountMgr - ok
11:23:47.0828 2192 mraid35x - ok
11:23:47.0859 2192 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
11:23:47.0859 2192 MRxDAV - ok
11:23:47.0875 2192 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
11:23:47.0906 2192 MRxSmb - ok
11:23:47.0937 2192 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
11:23:47.0937 2192 Msfs - ok
11:23:47.0984 2192 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
11:23:47.0984 2192 MSKSSRV - ok
11:23:48.0015 2192 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
11:23:48.0015 2192 MSPCLOCK - ok
11:23:48.0031 2192 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
11:23:48.0031 2192 MSPQM - ok
11:23:48.0062 2192 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
11:23:48.0078 2192 mssmbios - ok
11:23:48.0109 2192 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
11:23:48.0125 2192 Mup - ok
11:23:48.0312 2192 NAVENG (c34e2a884ccca8b5567d0c2752527073) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110428.002\naveng.sys
11:23:48.0312 2192 NAVENG - ok
11:23:48.0359 2192 NAVEX15 (b3916eeec738dd4178f4fd6a44a32e36) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110428.002\navex15.sys
11:23:48.0421 2192 NAVEX15 - ok
11:23:48.0546 2192 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
11:23:48.0546 2192 NDIS - ok
11:23:48.0593 2192 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
11:23:48.0593 2192 NdisTapi - ok
11:23:48.0640 2192 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
11:23:48.0640 2192 Ndisuio - ok
11:23:48.0656 2192 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
11:23:48.0671 2192 NdisWan - ok
11:23:48.0703 2192 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
11:23:48.0718 2192 NDProxy - ok
11:23:48.0765 2192 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
11:23:48.0765 2192 NetBIOS - ok
11:23:48.0781 2192 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
11:23:48.0796 2192 NetBT - ok
11:23:48.0812 2192 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
11:23:48.0812 2192 Npfs - ok
11:23:48.0875 2192 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
11:23:48.0890 2192 Ntfs - ok
11:23:48.0968 2192 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
11:23:48.0968 2192 NuidFltr - ok
11:23:49.0046 2192 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
11:23:49.0062 2192 Null - ok
11:23:49.0296 2192 nv (597a5167c509547fc691416887171079) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
11:23:49.0453 2192 nv - ok
11:23:49.0515 2192 NVENETFD (7d275ecda4628318912f6c945d5cf963) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
11:23:49.0531 2192 NVENETFD - ok
11:23:49.0546 2192 nvnetbus (b64aacefad2be5bff5353fe681253c67) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
11:23:49.0546 2192 nvnetbus - ok
11:23:49.0593 2192 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
11:23:49.0593 2192 NwlnkFlt - ok
11:23:49.0609 2192 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
11:23:49.0609 2192 NwlnkFwd - ok
11:23:49.0687 2192 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
11:23:49.0687 2192 Parport - ok
11:23:49.0734 2192 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
11:23:49.0734 2192 PartMgr - ok
11:23:49.0750 2192 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
11:23:49.0750 2192 ParVdm - ok
11:23:49.0796 2192 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
11:23:49.0796 2192 PCI - ok
11:23:49.0796 2192 PCIDump - ok
11:23:49.0828 2192 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
11:23:49.0828 2192 PCIIde - ok
11:23:49.0875 2192 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
11:23:49.0890 2192 Pcmcia - ok
11:23:49.0906 2192 PDCOMP - ok
11:23:49.0921 2192 PDFRAME - ok
11:23:49.0937 2192 PDRELI - ok
11:23:49.0953 2192 PDRFRAME - ok
11:23:49.0953 2192 perc2 - ok
11:23:50.0000 2192 perc2hib - ok
11:23:50.0093 2192 Point32 (2e3394c8ebf31a9b4f0a531eb5cc7bc7) C:\WINDOWS\system32\DRIVERS\point32.sys
11:23:50.0109 2192 Point32 - ok
11:23:50.0140 2192 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
11:23:50.0140 2192 PptpMiniport - ok
11:23:50.0156 2192 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
11:23:50.0156 2192 PSched - ok
11:23:50.0187 2192 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
11:23:50.0187 2192 Ptilink - ok
11:23:50.0203 2192 ql1080 - ok
11:23:50.0218 2192 Ql10wnt - ok
11:23:50.0234 2192 ql12160 - ok
11:23:50.0234 2192 ql1240 - ok
11:23:50.0265 2192 ql1280 - ok
11:23:50.0312 2192 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
11:23:50.0312 2192 RasAcd - ok
11:23:50.0375 2192 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
11:23:50.0375 2192 Rasl2tp - ok
11:23:50.0390 2192 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
11:23:50.0390 2192 RasPppoe - ok
11:23:50.0421 2192 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
11:23:50.0421 2192 Raspti - ok
11:23:50.0453 2192 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
11:23:50.0453 2192 Rdbss - ok
11:23:50.0468 2192 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
11:23:50.0484 2192 RDPCDD - ok
11:23:50.0531 2192 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
11:23:50.0546 2192 rdpdr - ok
11:23:50.0593 2192 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
11:23:50.0609 2192 RDPWD - ok
11:23:50.0640 2192 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
11:23:50.0656 2192 redbook - ok
11:23:50.0734 2192 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
11:23:50.0734 2192 SASDIFSV - ok
11:23:50.0750 2192 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
11:23:50.0765 2192 SASKUTIL - ok
11:23:50.0812 2192 SAVRT (a00d5aa4748a1002590f08aa00fc660d) C:\Program Files\Symantec AntiVirus\savrt.sys
11:23:50.0828 2192 SAVRT - ok
11:23:50.0828 2192 SAVRTPEL (1e805005583be1c1568a3fce259c81e3) C:\Program Files\Symantec AntiVirus\Savrtpel.sys
11:23:50.0828 2192 SAVRTPEL - ok
11:23:50.0921 2192 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
11:23:50.0921 2192 Secdrv - ok
11:23:50.0937 2192 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
11:23:50.0953 2192 serenum - ok
11:23:50.0968 2192 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
11:23:50.0984 2192 Serial - ok
11:23:51.0015 2192 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
11:23:51.0015 2192 Sfloppy - ok
11:23:51.0031 2192 Simbad - ok
11:23:51.0046 2192 Sparrow - ok
11:23:51.0125 2192 SPBBCDrv (c30fa11923892a4dbd1c747db8492e8f) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
11:23:51.0140 2192 SPBBCDrv - ok
11:23:51.0171 2192 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
11:23:51.0171 2192 splitter - ok
11:23:51.0218 2192 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
11:23:51.0218 2192 sr - ok
11:23:51.0250 2192 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
11:23:51.0265 2192 Srv - ok
11:23:51.0296 2192 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
11:23:51.0296 2192 swenum - ok
11:23:51.0312 2192 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
11:23:51.0312 2192 swmidi - ok
11:23:51.0328 2192 symc810 - ok
11:23:51.0359 2192 symc8xx - ok
11:23:51.0406 2192 SymEvent (3feeb051c94f5005f56423619315273b) C:\Program Files\Symantec\SYMEVENT.SYS
11:23:51.0406 2192 SymEvent - ok
11:23:51.0437 2192 SYMREDRV (8d668fe83a439e2166b7defff995cddc) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
11:23:51.0437 2192 SYMREDRV - ok
11:23:51.0484 2192 SYMTDI (b825e10cd61046672fef234820842c42) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
11:23:51.0500 2192 SYMTDI - ok
11:23:51.0500 2192 sym_hi - ok
11:23:51.0515 2192 sym_u3 - ok
11:23:51.0578 2192 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
11:23:51.0578 2192 sysaudio - ok
11:23:51.0625 2192 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
11:23:51.0640 2192 Tcpip - ok
11:23:51.0671 2192 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
11:23:51.0671 2192 TDPIPE - ok
11:23:51.0703 2192 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
11:23:51.0703 2192 TDTCP - ok
11:23:51.0718 2192 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
11:23:51.0734 2192 TermDD - ok
11:23:51.0734 2192 TosIde - ok
11:23:51.0781 2192 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
11:23:51.0796 2192 Udfs - ok
11:23:51.0796 2192 ultra - ok
11:23:51.0843 2192 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
11:23:51.0875 2192 Update - ok
11:23:51.0937 2192 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
11:23:51.0937 2192 usbccgp - ok
11:23:51.0968 2192 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
11:23:51.0968 2192 usbehci - ok
11:23:51.0984 2192 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
11:23:52.0000 2192 usbhub - ok
11:23:52.0015 2192 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
11:23:52.0015 2192 usbohci - ok
11:23:52.0062 2192 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
11:23:52.0062 2192 usbprint - ok
11:23:52.0109 2192 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
11:23:52.0109 2192 USBSTOR - ok
11:23:52.0156 2192 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
11:23:52.0156 2192 VgaSave - ok
11:23:52.0218 2192 VIAHdAudAddService (80ed26c12af05779a3f897b9badf6f28) C:\WINDOWS\system32\drivers\viahduaa.sys
11:23:52.0218 2192 VIAHdAudAddService - ok
11:23:52.0234 2192 ViaIde - ok
11:23:52.0265 2192 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
11:23:52.0265 2192 VolSnap - ok
11:23:52.0328 2192 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
11:23:52.0328 2192 Wanarp - ok
11:23:52.0375 2192 WDC_SAM (d6efaf429fd30c5df613d220e344cce7) C:\WINDOWS\system32\DRIVERS\wdcsam.sys
11:23:52.0375 2192 WDC_SAM - ok
11:23:52.0437 2192 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
11:23:52.0453 2192 Wdf01000 - ok
11:23:52.0453 2192 WDICA - ok
11:23:52.0500 2192 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
11:23:52.0515 2192 wdmaud - ok
11:23:52.0578 2192 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
11:23:52.0578 2192 WudfPf - ok
11:23:52.0593 2192 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
11:23:52.0593 2192 WudfRd - ok
11:23:52.0625 2192 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
11:23:52.0656 2192 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - infected
11:23:52.0656 2192 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.b (0)
11:23:52.0656 2192 Boot (0x1200) (050e7a84362fcfb0e3181335c31accf0) \Device\Harddisk0\DR0\Partition0
11:23:52.0656 2192 \Device\Harddisk0\DR0\Partition0 - ok
11:23:52.0656 2192 ============================================================
11:23:52.0656 2192 Scan finished
11:23:52.0656 2192 ============================================================
11:23:52.0671 2764 Detected object count: 1
11:23:52.0671 2764 Actual detected object count: 1
11:24:00.0921 2764 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - will be cured on reboot
11:24:00.0921 2764 \Device\Harddisk0\DR0 - ok
11:24:00.0921 2764 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - User select action: Cure
11:24:10.0250 1688 Deinitialize success

#9 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Collective
  • Local time:01:14 PM

Posted 16 November 2011 - 04:55 PM

Hey Austin77 :)

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the

PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where

applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and

there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected

with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more

information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to continue with the cleaning of your machine, please perform the next instruction:

==========

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Best Regards,
oneof4.


#10 Austin77

Austin77
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:12:14 PM

Posted 16 November 2011 - 07:02 PM

Thank-you for the information and I appreciate your help. Let's continue cleaning it for now and I will probably end up reformatting at a later date.

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-11-16 18:29:20
-----------------------------
18:29:20.640 OS Version: Windows 5.1.2600 Service Pack 3
18:29:20.656 Number of processors: 2 586 0x170A
18:29:20.656 ComputerName: MATTTOW UserName:
18:29:21.515 Initialize success
18:31:25.656 AVAST engine defs: 11111601
18:33:25.031 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T1L0-10
18:33:25.031 Disk 0 Vendor: ST380815AS 4.AAB Size: 76319MB BusType: 3
18:33:27.062 Disk 0 MBR read successfully
18:33:27.062 Disk 0 MBR scan
18:33:27.140 Disk 0 Windows XP default MBR code
18:33:27.140 Disk 0 scanning sectors +156296385
18:33:27.203 Disk 0 scanning C:\WINDOWS\system32\drivers
18:33:35.640 Service scanning
18:33:37.078 Modules scanning
18:33:42.234 Disk 0 trace - called modules:
18:33:42.250 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
18:33:42.250 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a6a9ab8]
18:33:42.250 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\0000006d[0x8a6fd9e8]
18:33:42.265 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP3T1L0-10[0x8a6d0d98]
18:33:42.687 AVAST engine scan C:\WINDOWS
18:33:56.187 AVAST engine scan C:\WINDOWS\system32
18:35:44.984 AVAST engine scan C:\WINDOWS\system32\drivers
18:35:54.968 AVAST engine scan C:\Documents and Settings\Matt Tow
18:51:56.046 AVAST engine scan C:\Documents and Settings\All Users
18:52:24.671 Scan finished successfully
18:57:40.312 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Matt Tow\Desktop\MBR.dat"
18:57:40.343 The log file has been saved successfully to "C:\Documents and Settings\Matt Tow\Desktop\aswMBR.txt"

#11 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Collective
  • Local time:01:14 PM

Posted 17 November 2011 - 09:56 AM

Hi :)

Things are looking good! TDSSKiller successfully removed the rootkit that had infected your Master Boot Record; aswMBR confirmed it. Now, let's re-run CF and see what comes back:

If you still have ComboFix installed on your system, Right-Click on the ComboFix icon on your Desktop, choose Delete, then proceed with the next set of instructions. If ComboFix is no longer on your system, then just proceed with the following instructions.

==========

Running ComboFix
Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

    Note: If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If for some reason these applications will not uninstall, try uninstalling with AppRemover by Opswat.
  • Double click on ComboFix.exe & follow the prompts.
The Recovery Console step that follows does not apply to Vista or Windows 7

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now

Best Regards,
oneof4.


#12 Austin77

Austin77
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:12:14 PM

Posted 17 November 2011 - 11:21 AM

Thank-you again for your help and my computer seems to be running fine now. No previous versions of ComboFix were on my desktop before I ran ComboFix today, however when I go to attach a file to an email from my desktop, combofix is still listed in the dropdown menu of items on my desktop. It's like the previous ComboFix is still on my desktop, but invisible. Is there anyway to fix that? Thanks again for your help and I'm glad you are using your powers for good.

ComboFix 11-11-17.03 - Matt Tow 11/17/2011 11:01:44.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1917.1302 [GMT -5:00]
Running from: c:\documents and settings\Matt Tow\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Matt Tow\Application Data\OpenCloud Security
c:\documents and settings\Matt Tow\Application Data\OpenCloud Security\OpenCloud Security.ico
c:\documents and settings\Matt Tow\Application Data\OpenCloud Security\wmf.cfg
c:\documents and settings\Matt Tow\Start Menu\Programs\System Restore
c:\documents and settings\Matt Tow\Start Menu\Programs\System Restore\System Restore.lnk
c:\documents and settings\Matt Tow\Start Menu\Programs\System Restore\Uninstall System Restore.lnk
c:\windows\CSC\d6
.
.
((((((((((((((((((((((((( Files Created from 2011-10-17 to 2011-11-17 )))))))))))))))))))))))))))))))
.
.
2011-11-10 18:29 . 2011-11-10 18:29 -------- d-----w- c:\program files\ESET
2011-11-09 15:08 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-09 01:16 . 2011-11-09 01:16 -------- d-----w- c:\documents and settings\Matt Tow\Local Settings\Application Data\Sun
2011-11-09 01:00 . 2011-11-09 01:00 -------- d-----w- c:\program files\Common Files\Java
2011-11-09 00:59 . 2011-11-09 00:59 128000 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-09 00:58 . 2011-11-09 00:59 -------- d-----w- c:\program files\Java
2011-11-08 22:39 . 2011-11-08 22:39 -------- d-----w- c:\program files\VS Revo Group
2011-11-06 01:41 . 2011-11-06 01:41 -------- d-----w- c:\documents and settings\Matt Tow\Application Data\SUPERAntiSpyware.com
2011-11-06 01:39 . 2011-11-06 01:41 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-11-06 01:39 . 2011-11-06 01:39 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-11-04 21:11 . 2011-11-09 02:36 -------- d-----w- c:\program files\trend micro
2011-11-04 20:14 . 2011-11-04 20:14 54016 ----a-w- c:\windows\system32\drivers\eqjuo.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-09 00:59 . 2010-05-19 20:27 544656 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-10 14:22 . 2010-05-05 15:42 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2008-04-14 12:41 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2004-08-04 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2004-08-04 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-06 13:20 . 2008-04-14 08:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:48 . 2008-07-25 02:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2008-07-25 02:12 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2008-07-25 02:12 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2008-07-25 02:11 385024 ----a-w- c:\windows\system32\html.iec
2011-08-22 10:39 . 2011-05-05 04:36 52080 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\GoToPrintProcessor.dll
2011-08-22 10:39 . 2011-05-05 04:36 113008 ----a-w- c:\windows\system32\gotomon.dll
2008-08-16 21:42 . 2008-08-16 21:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-08-16 21:42 . 2008-08-16 21:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-08-16 21:42 . 2008-08-16 21:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-08-16 21:42 . 2008-08-16 21:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-08-16 21:43 . 2008-08-16 21:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-08-16 21:42 . 2008-08-16 21:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-08-16 21:42 . 2008-08-16 21:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2008-05-21 12:41 . 2008-05-21 12:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 12:41 . 2008-05-21 12:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 12:41 . 2008-05-21 12:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2008-06-05 17:58 . 2008-06-05 17:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-16 21:42 . 2008-08-16 21:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2011-11-10 23:35 . 2011-05-31 20:22 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-07-25 . 0CDE394F7FB69CB8548CFCA61F1B3855 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-08-01 13529088]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-05-04 252136]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" [2009-03-08 128512]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2010-07-15 20:57 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2011-08-22 10:39 15216 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^Matt Tow^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Matt Tow\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 17:29 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-30 15:45 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CarboniteSetupLite]
2009-08-04 07:49 318096 ----a-w- c:\program files\Carbonite\CarbonitePreinstaller.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2005-06-02 13:21 48752 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2004-08-10 08:04 59392 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 04:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDAudDeck]
2008-05-14 15:16 29831168 ----a-w- c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPUsageTracking]
2008-02-11 17:48 36864 ----a-w- c:\program files\HP\HP UT\bin\hppusg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2009-11-05 20:35 1468256 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
2009-11-05 20:45 1505144 ----a-w- c:\program files\Microsoft IntelliType Pro\itype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2009-12-18 15:24 197928 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-08-01 18:48 13529088 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-08-01 18:48 86016 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-08-01 18:48 1630208 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-05-04 18:59 252136 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-10-17 17:18 4615552 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiMalware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [5/6/2010 9:48 PM 13696]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [12/18/2009 10:25 AM 189736]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [5/19/2010 4:48 PM 238080]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/9/2010 5:33 PM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/9/2010 5:33 PM 136176]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/23/2005 6:27 PM 124608]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 3:06 PM 11520]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - aswMBR
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-17 c:\windows\Tasks\Final Media Player Update Checker.job
- c:\program files\FinalMediaPlayer\FMPCheckForUpdates.exe [2011-07-13 19:24]
.
2011-11-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-09 22:33]
.
2011-11-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-09 22:33]
.
2011-02-09 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2009-11-05 20:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: accessallstate.com
Trusted Zone: aicpcu.org
Trusted Zone: allstate-lcec.lrn.com
Trusted Zone: allstate.com
Trusted Zone: allstate.com\agencygateway
Trusted Zone: allstate.com\agencygateway1
Trusted Zone: allstate.com\agencygateway2
Trusted Zone: allstate.com\allianceweb
Trusted Zone: allstate.com\mymail
Trusted Zone: allstate.com\webmail
Trusted Zone: allstateagencies.com
Trusted Zone: allstatehelp.com
Trusted Zone: allstateinsurance.skillwsa.com
Trusted Zone: bisyseducation.com
Trusted Zone: custhelp.com
Trusted Zone: elementk.com
Trusted Zone: gotoassist.com
Trusted Zone: insmark.com
Trusted Zone: insmark.us
Trusted Zone: insmarkstore.com
Trusted Zone: learn.net
Trusted Zone: nicta.org
Trusted Zone: sumtotalsystems.com
TCP: Interfaces\{6AB7E3A0-F252-4A5D-A5B8-871E7B46B3C7}: NameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Matt Tow\Application Data\Mozilla\Firefox\Profiles\2fah3qzd.default\
FF - prefs.js: browser.startup.homepage - www.google.com
user_pref(security.warn_viewing_mixed,false);
user_pref(security.warn_viewing_mixed.show_once,false);
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
user_pref(security.warn_submit_insecure,false);
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-17 11:05
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1112)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\615\G2AWinLogon.dll
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
c:\windows\system32\CLBCATQ.DLL
.
Completion time: 2011-11-17 11:06:31
ComboFix-quarantined-files.txt 2011-11-17 16:06
.
Pre-Run: 60,599,496,704 bytes free
Post-Run: 61,374,640,128 bytes free
.
- - End Of File - - 6A62E2CA1F5858D54857F61A2ACC2A65

#13 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Collective
  • Local time:01:14 PM

Posted 18 November 2011 - 10:13 AM

Hey Austin77 :)

Now things are beginning to click! :wink: The rootkit had blocked CF from doing its job.

Not to worry about still having previous CF files on your computer, when we uninstall it at the end of our journey, it will all be gone.

There is one suspicious file showing up in the CF log that I would like you to upload by following the next set of instructions:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

c:\windows\system32\drivers\eqjuo.sys

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

==========

Next, please perform the following:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code box below into it:

SRPeek::
c:\windows\system32\sfcfiles.dll

Save this as CFScript.txt, in the same location as ComboFix.exe (The Desktop)


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==========

Things I need to see in your next reply:

  • Jotti Results
  • ComboFix.txt

Best Regards,
oneof4.


#14 Austin77

Austin77
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:12:14 PM

Posted 18 November 2011 - 10:48 AM

ulvxn.sys

Scan finished. 1 out of 19 scanners reported malware.

File size: 54016 bytes
Filetype: PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5: e6d35f3aa51a65eb35c1f2340154a25e
SHA1: aabbd57e20d2e7041f9e7abce6cfd8a53c366537

2011-11-16 Trj/Hupigon.BDH - PANDA

#15 Austin77

Austin77
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:12:14 PM

Posted 18 November 2011 - 11:30 AM

ComboFix 11-11-18.02 - Matt Tow 11/18/2011 11:24:54.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1917.1313 [GMT -5:00]
Running from: c:\documents and settings\Matt Tow\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Matt Tow\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((( Files Created from 2011-10-18 to 2011-11-18 )))))))))))))))))))))))))))))))
.
.
2011-11-10 18:29 . 2011-11-10 18:29 -------- d-----w- c:\program files\ESET
2011-11-09 15:08 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-09 01:16 . 2011-11-09 01:16 -------- d-----w- c:\documents and settings\Matt Tow\Local Settings\Application Data\Sun
2011-11-09 01:00 . 2011-11-09 01:00 -------- d-----w- c:\program files\Common Files\Java
2011-11-09 00:59 . 2011-11-09 00:59 128000 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-09 00:58 . 2011-11-09 00:59 -------- d-----w- c:\program files\Java
2011-11-08 22:39 . 2011-11-08 22:39 -------- d-----w- c:\program files\VS Revo Group
2011-11-06 01:41 . 2011-11-06 01:41 -------- d-----w- c:\documents and settings\Matt Tow\Application Data\SUPERAntiSpyware.com
2011-11-06 01:39 . 2011-11-06 01:41 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-11-06 01:39 . 2011-11-06 01:39 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-11-04 21:11 . 2011-11-09 02:36 -------- d-----w- c:\program files\trend micro
2011-11-04 20:14 . 2011-11-04 20:14 54016 ----a-w- c:\windows\system32\drivers\eqjuo.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-09 00:59 . 2010-05-19 20:27 544656 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-10 14:22 . 2010-05-05 15:42 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2008-04-14 12:41 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2004-08-04 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2004-08-04 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-06 13:20 . 2008-04-14 08:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:48 . 2008-07-25 02:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2008-07-25 02:12 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2008-07-25 02:12 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2008-07-25 02:11 385024 ----a-w- c:\windows\system32\html.iec
2011-08-22 10:39 . 2011-05-05 04:36 52080 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\GoToPrintProcessor.dll
2011-08-22 10:39 . 2011-05-05 04:36 113008 ----a-w- c:\windows\system32\gotomon.dll
2008-08-16 21:42 . 2008-08-16 21:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-08-16 21:42 . 2008-08-16 21:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-08-16 21:42 . 2008-08-16 21:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-08-16 21:42 . 2008-08-16 21:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-08-16 21:43 . 2008-08-16 21:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-08-16 21:42 . 2008-08-16 21:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-08-16 21:42 . 2008-08-16 21:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2008-05-21 12:41 . 2008-05-21 12:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 12:41 . 2008-05-21 12:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 12:41 . 2008-05-21 12:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2008-06-05 17:58 . 2008-06-05 17:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-16 21:42 . 2008-08-16 21:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2011-11-10 23:35 . 2011-05-31 20:22 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-07-25 . 0CDE394F7FB69CB8548CFCA61F1B3855 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2011-11-17_16.05.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-11-18 15:58 . 2011-11-18 15:58 16384 c:\windows\Temp\Perflib_Perfdata_29c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-08-01 13529088]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-05-04 252136]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" [2009-03-08 128512]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2010-07-15 20:57 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2011-08-22 10:39 15216 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^Matt Tow^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Matt Tow\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 17:29 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-30 15:45 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CarboniteSetupLite]
2009-08-04 07:49 318096 ----a-w- c:\program files\Carbonite\CarbonitePreinstaller.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2005-06-02 13:21 48752 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2004-08-10 08:04 59392 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 04:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDAudDeck]
2008-05-14 15:16 29831168 ----a-w- c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPUsageTracking]
2008-02-11 17:48 36864 ----a-w- c:\program files\HP\HP UT\bin\hppusg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2009-11-05 20:35 1468256 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
2009-11-05 20:45 1505144 ----a-w- c:\program files\Microsoft IntelliType Pro\itype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2009-12-18 15:24 197928 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-08-01 18:48 13529088 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-08-01 18:48 86016 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-08-01 18:48 1630208 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-05-04 18:59 252136 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-10-17 17:18 4615552 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiMalware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [5/6/2010 9:48 PM 13696]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [12/18/2009 10:25 AM 189736]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [5/19/2010 4:48 PM 238080]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/9/2010 5:33 PM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/9/2010 5:33 PM 136176]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/23/2005 6:27 PM 124608]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 3:06 PM 11520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-18 c:\windows\Tasks\Final Media Player Update Checker.job
- c:\program files\FinalMediaPlayer\FMPCheckForUpdates.exe [2011-07-13 19:24]
.
2011-11-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-09 22:33]
.
2011-11-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-09 22:33]
.
2011-02-09 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2009-11-05 20:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: accessallstate.com
Trusted Zone: aicpcu.org
Trusted Zone: allstate-lcec.lrn.com
Trusted Zone: allstate.com
Trusted Zone: allstate.com\agencygateway
Trusted Zone: allstate.com\agencygateway1
Trusted Zone: allstate.com\agencygateway2
Trusted Zone: allstate.com\allianceweb
Trusted Zone: allstate.com\mymail
Trusted Zone: allstate.com\webmail
Trusted Zone: allstateagencies.com
Trusted Zone: allstatehelp.com
Trusted Zone: allstateinsurance.skillwsa.com
Trusted Zone: bisyseducation.com
Trusted Zone: custhelp.com
Trusted Zone: elementk.com
Trusted Zone: gotoassist.com
Trusted Zone: insmark.com
Trusted Zone: insmark.us
Trusted Zone: insmarkstore.com
Trusted Zone: learn.net
Trusted Zone: nicta.org
Trusted Zone: sumtotalsystems.com
TCP: Interfaces\{6AB7E3A0-F252-4A5D-A5B8-871E7B46B3C7}: NameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Matt Tow\Application Data\Mozilla\Firefox\Profiles\2fah3qzd.default\
FF - prefs.js: browser.startup.homepage - www.google.com
user_pref(security.warn_viewing_mixed,false);
user_pref(security.warn_viewing_mixed.show_once,false);
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
user_pref(security.warn_submit_insecure,false);
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-18 11:26
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1112)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\615\G2AWinLogon.dll
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
.
- - - - - - - > 'explorer.exe'(848)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
Completion time: 2011-11-18 11:27:33
ComboFix-quarantined-files.txt 2011-11-18 16:27
ComboFix2.txt 2011-11-18 16:12
ComboFix3.txt 2011-11-18 15:55
ComboFix4.txt 2011-11-17 16:06
.
Pre-Run: 61,333,188,608 bytes free
Post-Run: 61,327,343,616 bytes free
.
- - End Of File - - AB5FF59A7101DC91A5C210D89FDB301C




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users