Hijacked by Malware/Virus

Buckman (FPCH Member) | Joined: Jun 15, 2010 | Messages: 13 | PC Experience: Very Experienced | Operating System: Windows XP - Media Center Edition
#1
I am a very experienced computer user, but came home to find that my wife had gotten into a bit of trouble. She states that when she was looking for recipes, something took over the browser and opened about 40 windows. It locked up the computer and she had to reboot. Since then, all browsers have obviously been hijacked. I successfully fought off one of these at work a couple of weeks ago and dove right in. However, I am over my head.

The Machine: Dell Model with XP Media Center Edition SP3 updated regularly
Virus Package: PC-cillin updated regularly

The Symptoms: When I got home it was showing a few popups for a program called "AV Virus Protection" and a few variants on that name. A shield icon in the system tray gave me a balloon saying that I was unprotected and needed an update, and there were various popups.

My attempts to fix: I managed to boot in safe mode and check the start-up and the registry for anything out of the ordinary. I found a tutorial on the web that told me what to look for with the "AV Virus Protection" but found none of the files they suggested might be there. I did a full scan with PC-cillin and found nothing. I did a full scan with Microsoft Malicious Software Removal Tool and it found nothing. So I managed to roll back Windows to a few days before the event with the recovery tool. After this, I thought I had made some headway. That is, until I tried to use Google. Google specifically seems to be hijacked in any browser that I chose. It will give me various errors when I search and attempt to take me to fake mockups of pages. So I dug deeper. I ran a scan with MBAM and it did find a few issues. Mostly cookies, but a few of the things looked like they might be the culprit. They were successfully removed by MBAM, so I continued. I downloaded another common malware detection program. It too found many problems and successfully removed them. But still the problems with Google persisted. And IE just suddenly brought up a page for "Car and Driver Magazine" for no reason without warning.

I have spent quite a bit of time on this already and I am stumped. I ran OTL figuring you would need the results:

OTL.TXT
---------------------------------------------
OTL logfile created on: 6/15/2010 5:40:48 PM - Run 1
OTL by OldTimer - Version 3.2.6.0 Folder = C:\Documents and Settings\Lori\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 51.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 57.00% Paging File free
Paging file location(s): [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 461.06 Gb Total Space | 252.50 Gb Free Space | 54.76% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: POWERWAGON
Current User Name: Lori
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Lori\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
PRC - C:\Program Files\Steam\Steam.exe (Valve Corporation)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\WINDOWS\system32\Wacom_Tablet.exe (Wacom Technology, Corp.)
PRC - C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe (Wacom Technology, Corp.)
PRC - C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
PRC - C:\Program Files\Trend Micro\Internet Security 14\PcCtlCom.exe (Trend Micro Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Creative\Shared Files\CTDevSrv.exe (Creative Technology Ltd)
PRC - C:\WINDOWS\system32\PSIService.exe ()
PRC - C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe (Trend Micro Inc.)
PRC - C:\Program Files\Trend Micro\Internet Security 14\tmproxy.exe (Trend Micro Inc.)
PRC - C:\Program Files\Trend Micro\Internet Security 14\TmPfw.exe (Trend Micro Inc.)
PRC - C:\Program Files\Trend Micro\Internet Security 14\Tmntsrv.exe (Trend Micro Inc.)
PRC - C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)
PRC - C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe (Trend Micro Inc.)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
PRC - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\ELService.exe (Intel Corporation)
PRC - C:\WINDOWS\system32\CTXFIHLP.EXE (Creative Technology Ltd)
PRC - C:\WINDOWS\system32\CTXFISPI.EXE (Creative Technology Ltd)
PRC - C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe (Matsushita Electric Industrial Co., Ltd.)
PRC - C:\WINDOWS\CTHELPER.EXE (Creative Technology Ltd)
PRC - C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe (Creative Technology Ltd.)
PRC - C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe (Creative Technology Ltd)
PRC - C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
PRC - C:\Program Files\Microsoft IntelliPoint\point32.exe (Microsoft Corporation)
PRC - C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.exe (Creative Technology Ltd)
PRC - C:\WINDOWS\system32\devldr32.exe (Creative Technology Ltd.)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Lori\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)
MOD - C:\WINDOWS\system32\CTAGENT.DLL (Creative Technology Ltd)


========== Win32 Services (SafeList) ==========

SRV - (RoxLiveShare9) -- File not found
SRV - (getPlusHelper) getPlus(R) -- C:\Program Files\NOS\bin\getPlus_Helper.dll (NOS Microsystems Ltd.)
SRV - (TabletServiceWacom) -- C:\WINDOWS\system32\Wacom_Tablet.exe (Wacom Technology, Corp.)
SRV - (PcCtlCom) -- C:\Program Files\Trend Micro\Internet Security 14\PcCtlCom.exe (Trend Micro Inc.)
SRV - (CTDevice_Srv) -- C:\Program Files\Creative\Shared Files\CTDevSrv.exe (Creative Technology Ltd)
SRV - (ProtexisLicensing) -- C:\WINDOWS\system32\PSIService.exe ()
SRV - (tmproxy) -- C:\Program Files\Trend Micro\Internet Security 14\tmproxy.exe (Trend Micro Inc.)
SRV - (TmPfw) -- C:\Program Files\Trend Micro\Internet Security 14\TmPfw.exe (Trend Micro Inc.)
SRV - (Tmntsrv) -- C:\Program Files\Trend Micro\Internet Security 14\Tmntsrv.exe (Trend Micro Inc.)
SRV - (IAANTMON) Intel(R) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
SRV - (ELService) Intel(R) -- C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\ELService.exe (Intel Corporation)
SRV - (Imapi Helper) -- C:\Program Files\ISO Recorder\ImapiHelper.exe (Alex Feinman)


========== Driver Services (SafeList) ==========

DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (vmm) -- C:\WINDOWS\system32\drivers\VMM.sys (Microsoft Corporation)
DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (wacmoumonitor) -- C:\WINDOWS\system32\drivers\wacmoumonitor.sys (Wacom Technology)
DRV - (sptd) -- C:\WINDOWS\System32\Drivers\sptd.sys ()
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (wacomvhid) -- C:\WINDOWS\system32\drivers\wacomvhid.sys (Wacom Technology)
DRV - (tmxpflt) -- C:\WINDOWS\system32\drivers\tmxpflt.sys (Trend Micro Inc.)
DRV - (tmpreflt) -- C:\WINDOWS\system32\drivers\tmpreflt.sys (Trend Micro Inc.)
DRV - (vsapint) -- C:\WINDOWS\system32\drivers\vsapint.sys (Trend Micro Inc.)
DRV - (RDPVDD) -- C:\WINDOWS\system32\drivers\rdpvmp.sys (Microsoft Corporation)
DRV - (RDPDISPM) -- C:\WINDOWS\system32\drivers\rdpdispm.sys (Microsoft Corporation)
DRV - (truecrypt) -- C:\WINDOWS\system32\drivers\truecrypt.sys (TrueCrypt Foundation)
DRV - (gameenum) -- C:\WINDOWS\system32\drivers\gameenum.sys (Microsoft Corporation)
DRV - (IrBus) -- C:\WINDOWS\system32\drivers\irbus.sys (Microsoft Corporation)
DRV - (usbaudio) USB Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\usbaudio.sys (Microsoft Corporation)
DRV - (amdagp) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)
DRV - (sisagp) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)
DRV - (wacommousefilter) -- C:\WINDOWS\system32\drivers\wacommousefilter.sys (Wacom Technology)
DRV - (VPCNetS2) -- C:\WINDOWS\system32\drivers\VMNetSrv.sys (Microsoft Corporation)
DRV - (tmcfw) -- C:\WINDOWS\system32\drivers\TM_CFW.sys (Trend Micro Inc.)
DRV - (tmtdi) -- C:\WINDOWS\system32\drivers\tmtdi.sys (Trend Micro Inc.)
DRV - (e1express) Intel(R) -- C:\WINDOWS\system32\drivers\e1e5132.sys (Intel Corporation)
DRV - (iaStor) -- C:\WINDOWS\system32\drivers\iaStor.sys (Intel Corporation)
DRV - (NAL) -- C:\WINDOWS\system32\drivers\iqvw32.sys (Intel Corporation )
DRV - (ELacpi) -- C:\WINDOWS\system32\drivers\ELacpi.sys (Intel Corporation)
DRV - (ELmon) -- C:\WINDOWS\system32\drivers\Elmon.sys (Intel Corporation)
DRV - (ELkbd) -- C:\WINDOWS\system32\drivers\Elkbd.sys (Intel Corporation)
DRV - (ELmou) -- C:\WINDOWS\system32\drivers\Elmou.sys (Intel Corporation)
DRV - (ELhid) -- C:\WINDOWS\system32\drivers\Elhid.sys (Intel Corporation)
DRV - (ha20x2k) -- C:\WINDOWS\system32\drivers\ha20x2k.sys (Creative Technology Ltd)
DRV - (Angel2) -- C:\WINDOWS\system32\drivers\Angel2.sys (Lumanate, Inc.)
DRV - (ctaud2k) Creative Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\ctaud2k.sys (Creative Technology Ltd)
DRV - (ctprxy2k) -- C:\WINDOWS\system32\drivers\ctprxy2k.sys (Creative Technology Ltd)
DRV - (ossrv) -- C:\WINDOWS\system32\drivers\ctoss2k.sys (Creative Technology Ltd.)
DRV - (ctsfm2k) -- C:\WINDOWS\system32\drivers\ctsfm2k.sys (Creative Technology Ltd)
DRV - (emupia) -- C:\WINDOWS\system32\drivers\emupia2k.sys (Creative Technology Ltd)
DRV - (ctac32k) -- C:\WINDOWS\system32\drivers\ctac32k.sys (Creative Technology Ltd)
DRV - (FileDisk) -- C:\WINDOWS\system32\drivers\filedisk.sys (Bo Brantén)
DRV - (DRVMCDB) -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS (Sonic Solutions)
DRV - (DLAUDFAM) -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS (Sonic Solutions)
DRV - (DLAUDF_M) -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS (Sonic Solutions)
DRV - (DLAIFS_M) -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS (Sonic Solutions)
DRV - (DLABOIOM) -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS (Sonic Solutions)
DRV - (DLAOPIOM) -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS (Sonic Solutions)
DRV - (DLAPoolM) -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS (Sonic Solutions)
DRV - (DLADResN) -- C:\WINDOWS\system32\DLA\DLADResN.SYS (Sonic Solutions)
DRV - (DLACDBHM) -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS (Sonic Solutions)
DRV - (DLARTL_N) -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS (Sonic Solutions)
DRV - (DRVNDDM) -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS (Sonic Solutions)
DRV - (ctdvda2k) -- C:\WINDOWS\system32\drivers\ctdvda2k.sys (Creative Technology Ltd)
DRV - (SDDMI2) -- C:\WINDOWS\system32\DDMI2.sys (Gteko Ltd.)
DRV - (Aspi32) -- C:\WINDOWS\system32\drivers\ASPI32.SYS (Adaptec)
DRV - (Sparrow) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys (Adaptec, Inc.)
DRV - (sym_u3) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys (LSI Logic)
DRV - (sym_hi) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys (LSI Logic)
DRV - (symc8xx) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys (LSI Logic)
DRV - (symc810) -- C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc.)
DRV - (ultra) -- C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Technology, Inc.)
DRV - (ql12160) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys (QLogic Corporation)
DRV - (ql1080) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys (QLogic Corporation)
DRV - (ql1280) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys (QLogic Corporation)
DRV - (dac2w2k) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys (Mylex Corporation)
DRV - (mraid35x) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys (American Megatrends Inc.)
DRV - (asc) -- C:\WINDOWS\system32\DRIVERS\asc.sys (Advanced System Products, Inc.)
DRV - (asc3550) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys (Advanced System Products, Inc.)
DRV - (AliIde) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (CmdIde) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)
DRV - (MODEMCSA) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys (Microsoft Corporation)
DRV - (sfman) Creative SoundFont Manager Driver (WDM) -- C:\WINDOWS\system32\drivers\sfmanm.sys (Creative Technology Ltd.)
DRV - (emu10k1) Creative Interface Manager Driver (WDM) -- C:\WINDOWS\system32\drivers\ctlfacem.sys (Creative Technology Ltd.)
DRV - (emu10k) Creative SB Live! (WDM) -- C:\WINDOWS\system32\drivers\emu10k1m.sys (Creative Technology Ltd.)
DRV - (nuvvid2) -- C:\WINDOWS\system32\drivers\nuvvid2.sys (Nogatech Ltd.)
DRV - (nuvaud2) -- C:\WINDOWS\system32\drivers\nuvaud2.sys (Nogatech Ltd.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = Dell Start Page
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = Dell Start Page

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = Dell Start Page
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = Google
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "Google"
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:1.9.9.87
FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1.6.2.63

FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.20\extensions\\Components: M:\Mozilla Firefox\components
FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.20\extensions\\Plugins: M:\Mozilla Firefox\plugins
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/06/15 11:25:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/06/15 11:36:08 | 000,000,000 | ---D | M]

[2010/06/15 11:25:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Mozilla\Extensions
[2009/06/04 19:49:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Mozilla\Extensions\contact@callgraph.in
[2010/06/15 15:14:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Mozilla\Firefox\Profiles\evqtc5ll.default\extensions
[2010/06/15 11:27:54 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Lori\Application Data\Mozilla\Firefox\Profiles\evqtc5ll.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/06/15 11:27:55 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\Lori\Application Data\Mozilla\Firefox\Profiles\evqtc5ll.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2010/06/15 11:36:06 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus(R))) -- C:\Documents and Settings\Lori\Application Data\Mozilla\Firefox\Profiles\evqtc5ll.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2010/06/15 11:25:24 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/06/15 00:20:13 | 000,000,765 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 84.16.244.58 Google
O1 - Hosts: 84.16.244.58 us.search.yahoo.com
O1 - Hosts: 84.16.244.58 uk.search.yahoo.com
O1 - Hosts: 84.16.244.58 search.yahoo.com
O1 - Hosts: 84.16.244.58 Google
O1 - Hosts: 84.16.244.58 Google
O1 - Hosts: 84.16.244.58 Google
O1 - Hosts: 84.16.244.58 Google
O1 - Hosts: 84.16.244.58 Google
O1 - Hosts: 84.16.244.58 Google
O1 - Hosts: 84.16.244.58 Google
O1 - Hosts: 84.16.244.58 Google
O1 - Hosts: 84.16.244.58 Google
O1 - Hosts: 84.16.244.58 Google
O1 - Hosts: 84.16.244.58 Google
O1 - Hosts: 84.16.244.58 Google
O1 - Hosts: 84.16.244.58 Google
O1 - Hosts: 84.16.244.58 Google
O1 - Hosts: 84.16.244.58 Google
O1 - Hosts: 84.16.244.58 Google
O1 - Hosts: 84.16.244.58 Google
O1 - Hosts: 84.16.244.58 Google
O1 - Hosts: 84.16.244.58 Google
O1 - Hosts: 84.16.244.58 Google
O1 - Hosts: 84.16.244.58 Google
O1 - Hosts: 2 more lines...
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL (Sonic Solutions)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {981FE6A8-260C-4930-960F-C3BC82746CB0} - No CLSID value found.
O4 - HKLM..\Run: [AudioDrvEmulator] C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [CTDVDDET] C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [CTHelper] C:\WINDOWS\CTHELPER.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [CTxfiHlp] C:\WINDOWS\System32\CTXFIHLP.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\point32.exe (Microsoft Corporation)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation)
O4 - HKLM..\Run: [MFP1815_S2P] C:\Program Files\Dell\Dell Laser MFP 1815\PSU\Scan2pc.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NWEReboot] File not found
O4 - HKLM..\Run: [nwiz] File not found
O4 - HKLM..\Run: [pccguide.exe] C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [UpdReg] C:\WINDOWS\Updreg.EXE (Creative Technology Ltd.)
O4 - HKLM..\Run: [UserFaultCheck] File not found
O4 - HKLM..\Run: [VolPanel] C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe (Creative Technology Ltd)
O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKCU..\Run: [ISUSPM] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)
O4 - HKCU..\Run: [OE_OEM] C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe (Trend Micro Inc.)
O4 - HKCU..\Run: [Steam] C:\Program Files\Steam\Steam.exe (Valve Corporation)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKCU..\RunOnce: [Shockwave Updater] C:\WINDOWS\System32\Adobe\Shockwave 11\SwHelper_1150595.exe -Update -1150595 -Mozilla\4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident\4.0; File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LUMIX Simple Viewer.lnk = C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe (Matsushita Electric Industrial Co., Ltd.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll (Sun Microsystems, Inc.)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} http://support.dell.com/systemprofiler/SysPro.CAB (SysProWmi Class)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} Page not found (Facebook Photo Uploader 5 Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/downl...-48D9-9B0E-1719D1177202/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {40F8967E-34A6-474A-837A-CEC1E7DAC54C} https://accounting.quickbooks.com/c1/v16.561/qboax9.cab (Reg Error: Key error.)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.8.cab (DLM Control)
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} http://ccfiles.creative.com/Web/softwareupdate/su/ocx/15101/CTSUEng.cab (Creative Software AutoUpdate)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166037347859 (MUWebControl Class)
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} http://webgames.d.tmsrv.com/c=223ca...elease/mumbo/wg_luxor2/luxor2/mjolauncher.cab (MJLauncherCtrl Class)
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} https://accounting.quickbooks.com/c1/v16.608/qboax10.cab (QuickBooks Online Edition Utilities Class v10)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://javadl-esd.sun.com/update/1.6.0/jinstall-6u5-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {A3E21079-7F41-4125-9EBB-FD44CFCC0AC1} https://www.mesh.com/0.9.3103.13/TSWeb.cab (Reg Error: Value error.)
O16 - DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} http://aolsvc.aol.com/onlinegames/free-trial-zenerchi/ZenerchiWeb.1.0.0.10.cab (CPlayFirstzenerchiControl Object)
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab (EPUImageControl Class)
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} http://www.yoyogames.com/downloads/activex/YoYo.cab (YYGInstantPlay Control)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Reg Error: Key error.)
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe (Virtools WebPlayer Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class)
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://ccfiles.creative.com/Web/softwareupdate/su/ocx/15111/CTPID.cab (Creative Software AutoUpdate Support Package)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O24 - Desktop WallPaper: C:\Documents and Settings\Lori\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Lori\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/16 06:43:04 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{1a58ec34-e83f-11de-b649-001676b674e2}\Shell - "" = AutoRun
O33 - MountPoints2\{1a58ec34-e83f-11de-b649-001676b674e2}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{1a58ec34-e83f-11de-b649-001676b674e2}\Shell\AutoRun\command - "" = J:\WINDOWS\IronKey.exe -- File not found
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun\command - "" = E:\setup.exe -- File not found
O33 - MountPoints2\{58a3a095-2045-11dd-b5c7-001676b674e2}\Shell - "" = AutoRun
O33 - MountPoints2\{58a3a095-2045-11dd-b5c7-001676b674e2}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{58a3a095-2045-11dd-b5c7-001676b674e2}\Shell\AutoRun\command - "" = I:\WINDOWS\IronKey.exe -- File not found
O33 - MountPoints2\{7144ff19-69a4-11de-b622-001676b674e2}\Shell - "" = AutoRun
O33 - MountPoints2\{7144ff19-69a4-11de-b622-001676b674e2}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{7144ff19-69a4-11de-b622-001676b674e2}\Shell\AutoRun\command - "" = I:\IronKey.exe -- File not found
O33 - MountPoints2\{978b5df5-1f17-11df-9e68-001676b674e2}\Shell - "" = AutoRun
O33 - MountPoints2\{978b5df5-1f17-11df-9e68-001676b674e2}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{978b5df5-1f17-11df-9e68-001676b674e2}\Shell\AutoRun\command - "" = I:\LaunchU3.exe -- File not found
O33 - MountPoints2\{d0ab9b99-8a76-11de-b62e-001676b674e2}\Shell - "" = AutoRun
O33 - MountPoints2\{d0ab9b99-8a76-11de-b62e-001676b674e2}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{d0ab9b99-8a76-11de-b62e-001676b674e2}\Shell\AutoRun\command - "" = J:\IronKey.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2005/08/16 06:22:48 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 0

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (69256455022182400)

========== Files/Folders - Created Within 30 Days ==========

[2010/06/15 17:39:17 | 000,572,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Lori\Desktop\OTL.exe
[2010/06/15 16:28:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lori\Application Data\SUPERAntiSpyware.com
[2010/06/15 16:28:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/06/15 16:28:20 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/06/15 16:18:03 | 000,000,000 | ---D | C] -- C:\Avenger
[2010/06/15 14:38:49 | 000,000,000 | ---D | C] -- C:\Program Files\EraserPortable
[2010/06/15 12:29:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lori\Application Data\Malwarebytes
[2010/06/15 12:29:42 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/06/15 12:29:41 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/06/15 12:29:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/06/15 12:29:40 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/06/15 12:22:29 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\Lori\Desktop\ATF-Cleaner.exe
[2010/06/15 11:39:18 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2010/06/15 11:37:39 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Adobe
[2010/06/15 11:25:23 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010/06/15 10:24:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/06/15 00:21:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/06/15 00:21:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/06/14 23:58:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lori\Application Data\Sky-Banners
[2010/06/14 03:22:21 | 000,743,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedvtool.dll
[2010/06/10 18:25:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lori\Application Data\TuxPaint
[2010/06/10 18:24:34 | 000,000,000 | ---D | C] -- C:\Program Files\TuxPaint
[2010/05/26 01:10:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lori\Application Data\gtk-2.0
[2010/05/25 20:40:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lori\.gimp-2.6
[2010/05/25 20:40:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lori\My Documents\gegl-0.0
[2010/05/25 20:40:04 | 000,000,000 | ---D | C] -- C:\Program Files\GIMP-2.0
[2010/05/25 20:28:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lori\Application Data\WTablet
[2010/05/25 20:27:57 | 000,000,000 | ---D | C] -- C:\Program Files\TabletPlugins
[2010/05/25 20:27:56 | 007,773,040 | ---- | C] (Wacom Technology, Corp.) -- C:\WINDOWS\System32\WacomTablet.cpl
[2010/05/25 20:26:30 | 000,011,312 | ---- | C] (Wacom Technology) -- C:\WINDOWS\System32\drivers\wacommousefilter.sys
[2010/05/25 20:26:28 | 000,014,120 | ---- | C] (Wacom Technology) -- C:\WINDOWS\System32\drivers\wacomvhid.sys
[2010/05/25 20:26:26 | 000,016,168 | ---- | C] (Wacom Technology) -- C:\WINDOWS\System32\drivers\wacmoumonitor.sys
[2010/05/25 20:26:26 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\WTablet
[2010/05/25 20:26:24 | 005,010,288 | ---- | C] (Wacom Technology, Corp.) -- C:\WINDOWS\System32\Wacom_Tablet.exe
[2010/05/25 20:26:24 | 000,415,600 | ---- | C] (Wacom Technology, Corp.) -- C:\WINDOWS\System32\Wacom_Tablet.dll
[2010/05/25 20:26:24 | 000,294,400 | ---- | C] (Wacom Technology, Corp.) -- C:\WINDOWS\System32\Wintab32.dll
[2010/05/25 20:26:22 | 000,000,000 | ---D | C] -- C:\Program Files\Tablet
[2010/05/25 18:25:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\WTablet
[2010/05/24 19:04:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lori\.thumbnails
[2010/05/17 15:57:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lori\Desktop\art
[2006/12/13 12:50:56 | 000,335,872 | ---- | C] ( ) -- C:\WINDOWS\System32\lexlog.dll
[2006/12/08 12:17:55 | 000,033,792 | R--- | C] ( ) -- C:\WINDOWS\System32\a3d.dll
[8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/15 17:39:22 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Lori\Desktop\OTL.exe
[2010/06/15 17:32:56 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/06/15 17:31:02 | 000,264,653 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2010/06/15 17:30:10 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/15 17:30:08 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/15 17:29:54 | 2145,300,480 | -HS- | M] () -- C:\hiberfil.sys
[2010/06/15 17:28:35 | 011,272,192 | ---- | M] () -- C:\Documents and Settings\Lori\ntuser.dat
[2010/06/15 17:28:35 | 000,064,980 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000004-00000000-00000004-00001102-00000005-10031102}.rfx
[2010/06/15 17:28:35 | 000,055,172 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000004-00000000-00000004-00001102-00000005-10031102}.rfx
[2010/06/15 17:28:35 | 000,055,172 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000004-00000000-00000004-00001102-00000005-10031102}.rfx
[2010/06/15 17:28:35 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2010/06/15 17:28:35 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2010/06/15 16:58:00 | 000,000,412 | ---- | M] () -- C:\WINDOWS\tasks\Updater.job
[2010/06/15 16:28:25 | 000,001,678 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/06/15 15:31:19 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{205FFA7B-8B8E-4420-A4D9-7DD7D87A6636}.job
[2010/06/15 15:19:26 | 000,001,316 | -HS- | M] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2010/06/15 14:47:53 | 000,000,754 | ---- | M] () -- C:\Documents and Settings\Lori\Desktop\EraserPortable.exe.lnk
[2010/06/15 12:29:45 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/06/15 12:22:29 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\Lori\Desktop\ATF-Cleaner.exe
[2010/06/15 12:02:50 | 109,456,774 | ---- | M] () -- C:\Documents and Settings\Lori\Desktop\reg_backup.reg
[2010/06/15 11:25:28 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/06/15 10:58:03 | 000,372,872 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/15 10:53:15 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/06/15 10:47:11 | 000,553,312 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/15 10:47:11 | 000,477,622 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/15 10:47:11 | 000,085,804 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/06/15 10:35:22 | 000,000,821 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/06/15 10:35:22 | 000,000,259 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/06/15 10:35:22 | 000,000,209 | -HS- | M] () -- C:\boot.ini
[2010/06/15 04:07:51 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/06/15 00:16:19 | 000,000,312 | ---- | M] () -- C:\WINDOWS\popcinfot.dat
[2010/06/15 00:06:41 | 002,109,342 | -H-- | M] () -- C:\Documents and Settings\Lori\Local Settings\Application Data\IconCache.db
[2010/06/13 18:00:00 | 000,000,404 | ---- | M] () -- C:\WINDOWS\tasks\Norton Security Scan for Zoe.job
[2010/06/12 17:45:12 | 000,004,041 | ---- | M] () -- C:\Documents and Settings\Lori\.recently-used.xbel
[2010/06/12 16:55:12 | 000,000,297 | ---- | M] () -- C:\Documents and Settings\Lori\Desktop\Zoe Land.url
[2010/06/10 18:24:42 | 000,000,630 | ---- | M] () -- C:\Documents and Settings\Lori\Desktop\Tux Paint.lnk
[2010/06/08 13:25:35 | 000,150,016 | ---- | M] () -- C:\Documents and Settings\Lori\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/06/05 10:29:47 | 000,000,874 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Cosmic Bugs.lnk
[2010/05/28 00:08:42 | 000,000,023 | ---- | M] () -- C:\WINDOWS\BlendSettings.ini
[2010/05/26 16:04:23 | 000,000,117 | -H-- | M] () -- C:\WINDOWS\popcreg.dat
[2010/05/25 20:40:32 | 000,000,790 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\GIMP 2.lnk
[2010/05/25 20:00:48 | 000,113,863 | ---- | M] () -- C:\Documents and Settings\Lori\Desktop\Superman.xcf
[2010/05/25 17:49:41 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Lori\ntuser.ini
[2010/05/24 18:01:37 | 000,026,112 | ---- | M] () -- C:\Documents and Settings\Lori\Desktop\June 2010.xls
[2010/05/22 07:36:29 | 000,025,600 | ---- | M] () -- C:\Documents and Settings\Lori\Desktop\may 2010.xls
[2010/05/18 21:39:49 | 386,478,079 | ---- | M] () -- C:\Documents and Settings\Lori\Desktop\FANTASTIC_MR_FOX.ISO
[8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/15 16:28:25 | 000,001,678 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/06/15 14:47:23 | 000,000,754 | ---- | C] () -- C:\Documents and Settings\Lori\Desktop\EraserPortable.exe.lnk
[2010/06/15 12:29:45 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/06/15 12:02:43 | 109,456,774 | ---- | C] () -- C:\Documents and Settings\Lori\Desktop\reg_backup.reg
[2010/06/15 11:25:28 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/06/15 10:37:33 | 2145,300,480 | -HS- | C] () -- C:\hiberfil.sys
[2010/06/15 00:41:44 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/06/14 23:58:05 | 000,000,412 | ---- | C] () -- C:\WINDOWS\tasks\Updater.job
[2010/06/12 17:45:12 | 000,004,041 | ---- | C] () -- C:\Documents and Settings\Lori\.recently-used.xbel
[2010/06/11 17:41:10 | 011,272,192 | ---- | C] () -- C:\Documents and Settings\Lori\ntuser.dat
[2010/06/10 18:26:18 | 000,000,630 | ---- | C] () -- C:\Documents and Settings\Lori\Desktop\Tux Paint.lnk
[2010/06/05 10:29:47 | 000,000,874 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Cosmic Bugs.lnk
[2010/05/25 20:40:32 | 000,000,790 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\GIMP 2.lnk
[2010/05/25 20:27:56 | 001,746,986 | ---- | C] () -- C:\WINDOWS\System32\WacomTablet.znc
[2010/05/25 20:00:48 | 000,113,863 | ---- | C] () -- C:\Documents and Settings\Lori\Desktop\Superman.xcf
[2010/05/22 07:36:51 | 000,026,112 | ---- | C] () -- C:\Documents and Settings\Lori\Desktop\June 2010.xls
[2010/05/22 07:36:29 | 000,025,600 | ---- | C] () -- C:\Documents and Settings\Lori\Desktop\may 2010.xls
[2010/05/18 21:32:01 | 386,478,079 | ---- | C] () -- C:\Documents and Settings\Lori\Desktop\FANTASTIC_MR_FOX.ISO
[2010/02/09 09:54:18 | 000,000,183 | ---- | C] () -- C:\WINDOWS\civ.ini
[2009/09/13 14:58:31 | 000,000,033 | ---- | C] () -- C:\WINDOWS\Eraser.INI
[2009/07/20 15:26:01 | 000,000,023 | ---- | C] () -- C:\WINDOWS\BlendSettings.ini
[2009/04/22 00:19:06 | 000,172,173 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat
[2008/09/17 13:49:52 | 000,000,037 | ---- | C] () -- C:\WINDOWS\C30Tbo.INI
[2008/09/04 22:28:30 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2008/06/29 14:46:38 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2008/05/12 13:03:30 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2008/02/01 02:52:26 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/01/26 22:55:42 | 001,936,528 | ---- | C] () -- C:\WINDOWS\System32\ltmm15.dll
[2008/01/05 18:35:18 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2007/12/23 23:26:48 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2007/12/23 23:26:48 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2007/12/23 23:26:48 | 000,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2007/12/14 23:32:10 | 000,000,021 | ---- | C] () -- C:\WINDOWS\atid.ini
[2007/11/15 11:54:51 | 000,000,605 | ---- | C] () -- C:\WINDOWS\hegames.ini
[2007/10/14 17:01:27 | 000,000,165 | ---- | C] () -- C:\WINDOWS\BluesCluesPreschool.ini
[2007/09/29 16:01:39 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2007/09/17 01:07:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007/06/22 13:01:57 | 000,691,696 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2007/05/26 23:00:08 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2007/04/05 22:09:03 | 000,000,600 | ---- | C] () -- C:\WINDOWS\Rtcw.INI
[2007/01/14 18:47:18 | 000,094,208 | R--- | C] () -- C:\WINDOWS\System32\WIAIPH.dll
[2007/01/14 18:47:18 | 000,086,016 | R--- | C] () -- C:\WINDOWS\System32\WIAEH.dll
[2007/01/14 18:47:18 | 000,049,152 | R--- | C] () -- C:\WINDOWS\System32\WIASTIIO.dll
[2007/01/14 18:47:18 | 000,049,152 | R--- | C] () -- C:\WINDOWS\System32\Sswiadrv.dll
[2007/01/07 00:08:02 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\SVSetup.dll
[2007/01/07 00:08:01 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\DELG1CI.dll
[2007/01/07 00:08:01 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\d1815ci.dll
[2007/01/07 00:08:01 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\VdSetup.dll
[2007/01/07 00:08:01 | 000,022,663 | ---- | C] () -- C:\WINDOWS\System32\DELG1LMK.DLL
[2006/12/29 16:15:24 | 000,000,749 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2006/12/13 13:41:58 | 000,155,648 | R--- | C] () -- C:\WINDOWS\System32\gencoin.dll
[2006/12/13 13:41:58 | 000,102,400 | R--- | C] () -- C:\WINDOWS\System32\softcoin.dll
[2006/12/13 12:51:06 | 000,000,507 | ---- | C] () -- C:\WINDOWS\DKAAY2DD.ini
[2006/12/12 00:43:17 | 000,000,072 | ---- | C] () -- C:\WINDOWS\sbwin.ini
[2006/12/11 21:24:50 | 000,001,316 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2006/12/08 12:48:50 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/12/08 12:42:44 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/12/08 12:39:24 | 000,000,126 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/12/08 12:12:46 | 000,038,400 | ---- | C] () -- C:\WINDOWS\System32\CTBURST.DLL
[2006/12/08 12:12:46 | 000,000,194 | ---- | C] () -- C:\WINDOWS\System32\KILL.INI
[2006/12/08 12:12:46 | 000,000,053 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2006/12/08 12:12:45 | 000,050,432 | ---- | C] () -- C:\WINDOWS\System32\claptn.ini
[2006/12/08 12:11:43 | 000,102,480 | ---- | C] () -- C:\WINDOWS\System32\EzRating.dll
[2006/12/08 12:11:43 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\EzdCoIns.dll
[2006/12/08 12:10:44 | 000,000,393 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2006/09/27 07:19:25 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\C30coi.dll
[2005/11/10 03:56:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/08/16 06:37:24 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/08/16 06:18:33 | 001,291,776 | ---- | C] () -- C:\WINDOWS\System32\quartz(2).dll
[2005/08/05 16:01:54 | 000,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/01/07 17:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2010/05/25 16:32:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Astroburn Lite
[2010/05/25 16:30:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Astroburn Pro
[2009/06/19 21:09:48 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Citrix
[2009/12/12 12:35:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
[2009/02/08 19:25:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Fallout3
[2010/04/30 00:18:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Friends Games
[2007/04/30 20:35:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iWin Games
[2008/02/26 17:32:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\JollyBear
[2007/11/07 16:16:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MumboJumbo
[2007/05/03 12:43:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Palo Alto Software
[2007/04/14 11:17:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PlayFirst
[2007/10/31 12:28:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap
[2009/01/17 01:05:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap Games
[2010/01/22 16:16:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCapv1005
[2007/04/13 11:48:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sandlot Games
[2007/05/03 12:07:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScreenSeven
[2008/05/14 15:45:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SpinTop Games
[2010/04/03 23:29:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/09/16 15:44:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Thomson.ResearchSoft.Installers
[2010/05/25 17:03:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2010/01/16 19:34:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\YoYoGames
[2010/03/11 00:24:12 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{7A246771-272C-415B-B2AB-AE698ADB7EEB}
[2007/05/10 10:45:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\7Wonders
[2010/05/25 16:54:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Amazon
[2008/01/04 20:12:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Arduino
[2010/02/09 10:14:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Astroburn Lite
[2010/02/13 19:07:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Astroburn Pro
[2009/11/24 11:22:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Bioshock
[2008/02/08 23:12:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\DAEMON Tools
[2010/01/16 19:34:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\DAEMON Tools Lite
[2009/09/16 19:39:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\EndNote
[2009/12/14 11:41:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\FileZilla
[2008/05/30 19:00:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Flickr
[2008/01/26 22:55:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\GetRightToGo
[2010/05/25 20:00:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\gtk-2.0
[2008/03/22 14:45:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\ImgBurn
[2009/08/21 14:58:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\IronKey
[2007/05/19 11:39:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\iWin
[2008/01/21 22:38:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\JungleDisk
[2007/03/28 13:28:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Leadertech
[2007/05/06 12:37:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Magic Academy
[2007/04/09 14:02:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Magic Match
[2008/11/24 11:53:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\MITSTN
[2008/06/12 14:44:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\MSNInstaller
[2009/01/17 02:55:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\My Battle for Middle-earth Files
[2009/01/25 05:29:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\NetMedia Providers
[2009/10/31 01:08:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Notepad++
[2006/12/13 15:10:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\OfficeUpdate12
[2007/05/03 12:45:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Palo Alto Software
[2008/05/12 13:06:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Panasonic
[2008/04/09 20:49:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\PlayFirst
[2010/04/26 21:05:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\PopCapv1001
[2009/12/08 18:08:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\PopCapv1002
[2008/07/28 21:57:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\PopCapv1005
[2009/01/25 05:29:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Publish Providers
[2008/08/09 18:08:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\REAPER
[2010/06/14 23:58:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Sky-Banners
[2008/02/16 20:04:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Smart Recorder
[2009/01/25 05:29:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Sony
[2008/02/11 17:16:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Stamps.com Internet Postage
[2007/02/19 12:27:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Template
[2008/03/21 02:04:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Thunderbird
[2008/07/13 20:13:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\TrueCrypt
[2010/06/10 18:27:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\TuxPaint
[2009/04/21 10:41:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\TweetDeckFast.F9107117265DB7542C1A806C8DB837742CE14C21.1
[2009/09/18 19:05:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Unity
[2007/11/28 23:30:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\URSE Games
[2007/08/13 11:32:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\yoclient
[2010/06/15 16:58:00 | 000,000,412 | ---- | M] () -- C:\WINDOWS\Tasks\Updater.job
[2010/06/15 15:31:19 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{205FFA7B-8B8E-4420-A4D9-7DD7D87A6636}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/10 07:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\i386\sp2.cab:AGP440.sys
[2004/08/10 07:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/08/29 10:47:58 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/08/29 10:47:58 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/04 01:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\i386\AGP440.SYS
[2004/08/04 01:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/10 07:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\i386\sp2.cab:atapi.sys
[2004/08/10 07:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/08/29 10:47:58 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/08/29 10:47:58 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 00:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\i386\atapi.sys
[2004/08/04 00:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/10 07:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\i386\eventlog.dll
[2004/08/10 07:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: IASTOR.SYS >
[2006/10/10 15:03:48 | 000,246,784 | ---- | M] (Intel Corporation) MD5=019CF5F31C67030841233C545A0E217A -- C:\drivers\storage\R130118\iastor.sys
[2006/07/06 08:59:42 | 000,246,784 | ---- | M] (Intel Corporation) MD5=019CF5F31C67030841233C545A0E217A -- C:\i386\iaStor.sys
[2006/07/06 08:59:42 | 000,246,784 | ---- | M] (Intel Corporation) MD5=019CF5F31C67030841233C545A0E217A -- C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iaStor.sys
[2006/07/06 08:59:42 | 000,246,784 | ---- | M] (Intel Corporation) MD5=019CF5F31C67030841233C545A0E217A -- C:\WINDOWS\system32\drivers\iaStor.sys
[2006/10/10 15:03:48 | 000,246,784 | ---- | M] (Intel Corporation) MD5=019CF5F31C67030841233C545A0E217A -- C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\iaStor.sys
[2006/07/06 09:01:32 | 000,484,864 | ---- | M] (Intel Corporation) MD5=6A3C354BFC163B81F6EF2FC421280DB5 -- C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/10 07:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\i386\netlogon.dll
[2004/08/10 07:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/10 07:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\i386\scecli.dll
[2004/08/10 07:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2008/04/13 20:11:51 | 001,267,200 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\comsvcs.dll
[8 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >
[2009/12/12 12:35:48 | 000,691,696 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\sptd.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 130 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:72E6616C
@Alternate Data Stream - 129 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8643C5BE
@Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:756C8543
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B203B914
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:69D94DFA
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8E3D07DE
@Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:411E1BE2
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:359B3BDA
@Alternate Data Stream - 106 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4E1E5A60
@Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C24B973A
< End of report >

--------------------------

Thanks in advance for any help you can give me. I am usually the person people come to for help, but this has me stumped. There are some cowboys in here...

Buckman

#2
Adding the OTL Extras...too big for one post.

-------------------------------------------------

OTL EXTRAS RESULTS

OTL Extras logfile created on: 6/15/2010 5:40:48 PM - Run 1
OTL by OldTimer - Version 3.2.6.0 Folder = C:\Documents and Settings\Lori\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 51.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 57.00% Paging File free
Paging file location(s): [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 461.06 Gb Total Space | 252.50 Gb Free Space | 54.76% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: POWERWAGON
Current User Name: Lori
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [MediaMonkey.1Play] -- "C:\Program Files\MediaMonkey\MediaMonkey.exe" "%1" (Ventis Media Inc.)
Directory [MediaMonkey.2PlayNext] -- "C:\Program Files\MediaMonkey\MediaMonkey.exe" /NEXT "%1" (Ventis Media Inc.)
Directory [MediaMonkey.3Enqueue] -- "C:\Program Files\MediaMonkey\MediaMonkey.exe" /ADD "%1" (Ventis Media Inc.)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"3724:TCP" = 3724:TCP:*:Enabled:Blizzard Downloader: 3724

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- File not found
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe" = C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe:*:Enabled:RoxioUPnPRenderer9 -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- File not found
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Atari\Neverwinter Nights 2\nwn2main.exe" = C:\Program Files\Atari\Neverwinter Nights 2\nwn2main.exe:*:Enabled:Neverwinter Nights 2 Main -- File not found
"C:\Program Files\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe" = C:\Program Files\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe:*:Enabled:Neverwinter Nights 2 AMD -- File not found
"C:\Program Files\Atari\Neverwinter Nights 2\nwupdate.exe" = C:\Program Files\Atari\Neverwinter Nights 2\nwupdate.exe:*:Enabled:Neverwinter Nights 2 Updater -- File not found
"C:\Program Files\Atari\Neverwinter Nights 2\nwn2server.exe" = C:\Program Files\Atari\Neverwinter Nights 2\nwn2server.exe:*:Enabled:Neverwinter Nights 2 Server -- File not found
"C:\Program Files\Steam\SteamApps\loriferis\half-life 2 deathmatch\hl2.exe" = C:\Program Files\Steam\SteamApps\loriferis\half-life 2 deathmatch\hl2.exe:*:Enabled:hl2 -- ()
"C:\Program Files\Fox\No One Lives Forever\eReg\NAVBrowser.exe" = C:\Program Files\Fox\No One Lives Forever\eReg\NAVBrowser.exe:*:Enabled:NAVBrowser -- File not found
"C:\Program Files\LucasArts\SWKotOR2\swupdate.exe" = C:\Program Files\LucasArts\SWKotOR2\swupdate.exe:*:Enabled:Star Wars: Knights of the Old Republic II: The Sith Lords Update Program -- File not found
"C:\Documents and Settings\Lori\Desktop\wowclient-downloader.exe" = C:\Documents and Settings\Lori\Desktop\wowclient-downloader.exe:*:Enabled:Blizzard Downloader -- File not found
"C:\Program Files\World of Warcraft\BackgroundDownloader.exe" = C:\Program Files\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\Atari-Infogrames\Roller Coaster Tycoon 2\rct2.exe" = C:\Program Files\Atari-Infogrames\Roller Coaster Tycoon 2\rct2.exe:*:Enabled:rct2 -- File not found
"C:\Program Files\Steam\Steam.exe" = C:\Program Files\Steam\Steam.exe:*:Enabled:Steam -- (Valve Corporation)
"C:\Program Files\EA GAMES\The Battle for Middle-earth (tm)\game.dat" = C:\Program Files\EA GAMES\The Battle for Middle-earth (tm)\game.dat:*:Enabled:The Battle for Middle-earth (tm) -- File not found
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- File not found
"C:\Program Files\AIM6\aim6.exe" = C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM -- File not found
"C:\Program Files\Google\Google Talk\googletalk.exe" = C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk -- File not found
"C:\Program Files\JungleDisk\junglediskmonitor.exe" = C:\Program Files\JungleDisk\junglediskmonitor.exe:*:Enabled:Jungle Disk Monitor -- File not found
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Program Files\QuickTime\QuickTimePlayer.exe" = C:\Program Files\QuickTime\QuickTimePlayer.exe:*:Enabled:QuickTime Player -- (Apple Inc.)
"C:\xampplite\mysql\bin\mysqld.exe" = C:\xampplite\mysql\bin\mysqld.exe:*:Enabled:mysqld -- ()
"C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe" = C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe:*:Enabled:RoxioUPnPRenderer9 -- File not found
"C:\Program Files\xampp\mysql\bin\mysqld.exe" = C:\Program Files\xampp\mysql\bin\mysqld.exe:*:Enabled:mysqld -- File not found
"C:\Program Files\xampp\apache\bin\apache.exe" = C:\Program Files\xampp\apache\bin\apache.exe:LocalSubNet:Disabled:apache.exe -- File not found
"C:\Program Files\Zero Hour\Zero Hour\Binaries\ZeroHour.exe" = C:\Program Files\Zero Hour\Zero Hour\Binaries\ZeroHour.exe:*:Enabled:ZeroHour -- File not found
"C:\Documents and Settings\Lori\Local Settings\Application Data\Microsoft\Live Mesh\GacBase\Moe.exe" = C:\Documents and Settings\Lori\Local Settings\Application Data\Microsoft\Live Mesh\GacBase\Moe.exe:*:Enabled:Live Mesh -- File not found


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{05B49229-22A2-4F88-842A-BBC2EBE1CCF6}" = Microsoft Games for Windows - LIVE Redistributable
"{075473F5-846A-448B-BCB3-104AA1760205}" = Roxio RecordNow Data
"{0A0873E1-D9BA-4994-B85D-A0A331EF1F0C}" = Intel(R) PRO Network Connections
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Roxio DLA
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{18F11181-EA1A-42AE-AF89-4867C7F7A6FA}" = Sound Blaster X-Fi
"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Roxio MyDVD LE
"{2CDCCE7E-55D5-40CC-AEA0-ABA54713501F}" = LUMIX Simple Viewer
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java(TM) 6 Update 5
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35CB6715-41F8-4F99-8881-6FC75BF054B0}" = Oblivion
"{46C73DE4-E96D-4F7C-8371-F28052183B12}" = Advanced Decoder Patch
"{49132408-7784-4FD7-8382-B3AF58CA0EAA}" = Internet Explorer Administration Kit 7
"{4D243BA7-9AC4-46D1-90E5-EEB88974F501}" = Microsoft Games for Windows - LIVE
"{4E868D3D-6EEB-4273-926C-2287236B5B79}" = 3DVIA player 4.1
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{5A847475-157F-45AD-9919-CD40D344B8B1}" = QBFC3.0
"{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}" = Sonic Activation Module
"{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}" = AOLIcon
"{64635543-70E7-436D-8D6D-4A721595029E}" = Microsoft IntelliPoint 5.2
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{6FF543AB-99B3-4120-902C-70A38314ABD8}" = Norton Security Scan
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7EAB1D85-7BA3-47C1-BBF7-A0EBC241DB94}" = Intel® Viiv™ Software
"{86604C06-DA30-425E-AECE-47304FE81C45}" = Creative Software Update
"{86B3F2D6-AC2B-4E88-8AE1-F2F77F781B0C}" = EndNote X3
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A7CAA24-7B23-410B-A7C3-F994B0944160}" = Microsoft Virtual PC 2007
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel(R) Matrix Storage Manager
"{91110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{91CA0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Small Business Edition 2003
"{974C4B12-4D02-4879-85E0-61C95CC63E9E}" = Fallout 3
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{994AC11F-0549-4D26-B8AC-6F2DB14FF071}" = Preparing for Kindergarten
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Roxio RecordNow Audio
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3
"{B0DF58A2-40DF-4465-AA56-38623EC9938C}" = Documentation & Support Launcher
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Roxio RecordNow Copy
"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BCE72AED-3332-4863-9567-C5DCB9052CA2}" = Netflix Movie Viewer
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{DFC6573E-124D-4026-BFA4-B433C9D3FF21}" = ISO Recorder
"{E1C7EF5E-3A7B-4ED4-A48B-F70F1B36EAB4}" = Corel Paint Shop Pro Photo XI
"{E280923D-C5D9-4728-8C79-AC9A0DC75875}" = BioShock
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{EA8C73AA-3D75-44C9-87A2-8E945FC5FEE6}" = Trend Micro PC-cillin Internet Security 14
"{FF70923C-8A51-47F4-A7E9-893C6D54EB68}" = TES Construction Set
"Adobe AIR" = Adobe AIR
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Audacity_is1" = Audacity 1.2.6
"B3EE3001-DC24-4cd1-8743-5692C716659F" = Otto
"Blue's Art Time Activities" = Blue's Art Time Activities
"BluesCluesPreschoolDKey" = Blue's Preschool
"Bone - The Great Cowrace" = Bone - The Great Cowrace 2.0
"BookSmart™ 1.9.5 1.9.5" = BookSmart™ 1.9.5 1.9.5
"Cosmic Bugs 1.05" = Cosmic Bugs 1.05
"Creative Media Lite" = Creative Media Lite
"Dell Laser MFP 1815" = Dell Laser MFP 1815 Software Uninstall
"Dell_HostCD" = Dell Software Uninstall
"DVD Shrink_is1" = DVD Shrink 3.2
"EL" = Intel(R) Quick Resume Technology Drivers
"EmeraldQFE2" = Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"ImgBurn" = ImgBurn
"LucasArts' Curse of Monkey Island" = LucasArts' Curse of Monkey Island
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MediaMonkey_is1" = MediaMonkey 3.1
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (2.0.0.20)" = Mozilla Firefox (2.0.0.20)
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"Mozilla Thunderbird (2.0.0.19)" = Mozilla Thunderbird (2.0.0.19)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Notepad++" = Notepad++
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
"Peggle Deluxe 1.0" = Peggle Deluxe 1.0
"Plants vs. Zombies" = Plants vs. Zombies
"PopCap Browser Plugin" = PopCap Browser Plugin
"ResearchSoft Direct Export Helper" = ResearchSoft Direct Export Helper
"Revo Uninstaller" = Revo Uninstaller 1.88
"RollerCoaster Tycoon Setup" = Roll
"SearchAssist" = SearchAssist
"Steam App 420" = Half-Life 2: Episode Two
"TmPcc" = Trend Micro PC-cillin Internet Security 14
"TrueCrypt" = TrueCrypt
"Tux Paint_is1" = Tux Paint 0.9.21
"UnityWebPlayer" = Unity Web Player
"Wacom Tablet Driver" = Wacom Tablet
"Wacom WebTabletPlugin for IE" = WebTablet IE Plugin
"Wacom WebTabletPlugin for Netscape" = WebTablet Netscape Plugin
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinGimp-2.0_is1" = GIMP 2.6.8
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"World of Warcraft" = World of Warcraft
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"ZENStoneUG" = Creative ZEN Stone User's Guide

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 6/15/2010 10:20:05 AM | Computer Name = POWERWAGON | Source = LoadPerf | ID = 3011
Description = Unloading the performance counter strings for service aspnet_state
(ASP.NET State Service) failed. The Error code is the first DWORD in Data section.

Error - 6/15/2010 10:20:06 AM | Computer Name = POWERWAGON | Source = LoadPerf | ID = 3001
Description = The performance counter name string value in the registry is incorrectly
formatted.
The bogus string is 8528, the bogus index value is the first DWORD in Data section
while the last valid index values are the second and third DWORD in Data section.

Error - 6/15/2010 10:20:06 AM | Computer Name = POWERWAGON | Source = MsiInstaller | ID = 11500
Description = Product: Java(TM) 6 Update 20 -- Error 1500.Another installation is
in progress. You must complete that installation before continuing this one.

Error - 6/15/2010 10:20:07 AM | Computer Name = POWERWAGON | Source = MsiInstaller | ID = 11500
Description = Product: Java(TM) 6 Update 20 -- Error 1500.Another installation is
in progress. You must complete that installation before continuing this one.

Error - 6/15/2010 12:11:30 PM | Computer Name = POWERWAGON | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 6/15/2010 12:11:31 PM | Computer Name = POWERWAGON | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 6/15/2010 2:36:27 PM | Computer Name = POWERWAGON | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 6/15/2010 2:36:28 PM | Computer Name = POWERWAGON | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 6/15/2010 5:33:39 PM | Computer Name = POWERWAGON | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 6/15/2010 5:33:39 PM | Computer Name = POWERWAGON | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

[ System Events ]
Error - 6/15/2010 10:59:55 AM | Computer Name = POWERWAGON | Source = Service Control Manager | ID = 7000
Description = The DgiVecp service failed to start due to the following error: %%2

Error - 6/15/2010 11:18:09 AM | Computer Name = POWERWAGON | Source = Service Control Manager | ID = 7000
Description = The DgiVecp service failed to start due to the following error: %%2

Error - 6/15/2010 11:18:09 AM | Computer Name = POWERWAGON | Source = Service Control Manager | ID = 7000
Description = The TLRecAgent service failed to start due to the following error:
%%2

Error - 6/15/2010 11:19:25 AM | Computer Name = POWERWAGON | Source = Service Control Manager | ID = 7000
Description = The DgiVecp service failed to start due to the following error: %%2

Error - 6/15/2010 4:24:43 PM | Computer Name = POWERWAGON | Source = Service Control Manager | ID = 7000
Description = The DgiVecp service failed to start due to the following error: %%2

Error - 6/15/2010 4:24:43 PM | Computer Name = POWERWAGON | Source = Service Control Manager | ID = 7000
Description = The TLRecAgent service failed to start due to the following error:
%%2

Error - 6/15/2010 4:26:12 PM | Computer Name = POWERWAGON | Source = Service Control Manager | ID = 7000
Description = The DgiVecp service failed to start due to the following error: %%2

Error - 6/15/2010 5:30:29 PM | Computer Name = POWERWAGON | Source = Service Control Manager | ID = 7000
Description = The DgiVecp service failed to start due to the following error: %%2

Error - 6/15/2010 5:30:29 PM | Computer Name = POWERWAGON | Source = Service Control Manager | ID = 7000
Description = The TLRecAgent service failed to start due to the following error:
%%2

Error - 6/15/2010 5:32:14 PM | Computer Name = POWERWAGON | Source = Service Control Manager | ID = 7000
Description = The DgiVecp service failed to start due to the following error: %%2


< End of report >

-------------------------------------------------------
 

Starbuck

Admin & Security Team
Joined
Feb 19, 2010
Messages
4,396
Location
Midlands, UK
PC Experience
Very Experienced
#3
Hi Buckman and welcome to FPCH.

The main problem with Google would seem to be that although the infection may have been removed.... your Hosts file needs resetting.
Let's clean up some reg entries and get the Hosts file replaced.
Then we'll get an online scan done to see if there's any leftovers.

Step 1
Double click on OTL.exe to run it.
Copy the lines in the codebox below. (make sure that :Otl is on the first line )
Code:
:Otl
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {981FE6A8-260C-4930-960F-C3BC82746CB0} - No CLSID value found.
O4 - HKLM..\Run: [NWEReboot] File not found
O4 - HKLM..\Run: [nwiz] File not found
O4 - HKLM..\Run: [UserFaultCheck] File not found
O16 - DPF: {40F8967E-34A6-474A-837A-CEC1E7DAC54C} https://accounting.quickbooks.com/c1/v16.561/qboax9.cab  (Reg Error: Key error.)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab  (Reg Error: Key error.)
O16 - DPF: {A3E21079-7F41-4125-9EBB-FD44CFCC0AC1} https://www.mesh.com/0.9.3103.13/TSWeb.cab (Reg Error: Value error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/ge...sh/swflash.cab  (Reg Error: Key error.)
O33 - MountPoints2\{1a58ec34-e83f-11de-b649-001676b674e2}\Shell - "" = AutoRun
O33 - MountPoints2\{1a58ec34-e83f-11de-b649-001676b674e2}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{1a58ec34-e83f-11de-b649-001676b674e2}\Shell\AutoRun\command - "" = J:\WINDOWS\IronKey.exe -- File not found
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun\command - "" = E:\setup.exe -- File not found
O33 - MountPoints2\{58a3a095-2045-11dd-b5c7-001676b674e2}\Shell - "" = AutoRun
O33 - MountPoints2\{58a3a095-2045-11dd-b5c7-001676b674e2}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{58a3a095-2045-11dd-b5c7-001676b674e2}\Shell\AutoRun\command - "" = I:\WINDOWS\IronKey.exe -- File not found
O33 - MountPoints2\{7144ff19-69a4-11de-b622-001676b674e2}\Shell - "" = AutoRun
O33 - MountPoints2\{7144ff19-69a4-11de-b622-001676b674e2}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{7144ff19-69a4-11de-b622-001676b674e2}\Shell\AutoRun\command - "" = I:\IronKey.exe -- File not found
O33 - MountPoints2\{978b5df5-1f17-11df-9e68-001676b674e2}\Shell - "" = AutoRun
O33 - MountPoints2\{978b5df5-1f17-11df-9e68-001676b674e2}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{978b5df5-1f17-11df-9e68-001676b674e2}\Shell\AutoRun\command - "" = I:\LaunchU3.exe -- File not found
O33 - MountPoints2\{d0ab9b99-8a76-11de-b62e-001676b674e2}\Shell - "" = AutoRun
O33 - MountPoints2\{d0ab9b99-8a76-11de-b62e-001676b674e2}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{d0ab9b99-8a76-11de-b62e-001676b674e2}\Shell\AutoRun\command - "" = J:\IronKey.exe -- File not found
@Alternate Data Stream - 130 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:72E6616C
@Alternate Data Stream - 129 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8643C5BE
@Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:756C8543
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B203B914
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:69D94DFA
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8E3D07DE
@Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:411E1BE2
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:359B3BDA
@Alternate Data Stream - 106 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4E1E5A60
@Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C24B973A

:commands
[emptytemp]
[purity]
[RESETHOSTS]
[EMPTYFLASH]
  • Return to OTL,
  • right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
  • Click the red Run Fix button.
  • OTL will reboot your system once the fix has completed.
  • After the reboot, you may need to double click OTL to launch the program and retrieve the log.

Copy and paste the contents of the OTL log that comes up after the fix in your next reply.

If you lose the report, there will be a copy here:
C:\_OTL\MovedFiles

Step 2
I'd like you to do an ESET OnlineScan

You may find it beneficial to close your resident AV program before running the scan.
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the
    button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on
      to download the ESET Smart Installer.
      Save it to your desktop.
    • Double click on the
      icon on your desktop.
  • Check
  • Click the
    button.
  • Accept any security warnings from your browser.
  • Check
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Click
    , and save the file to your desktop using a unique name, such as ESETScan.
    Include the contents of this report in your next reply.
  • Click the
    button.
  • Click
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

In your next reply, please submit:
Otl fix report
Eset scan report

also let me know how the system is running now.


Thanks.
 
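The diagnosis above rests on the Hosts file: a hijacker that maps search-engine and antivirus-update names to its own server breaks Google in every browser at once, which is why [RESETHOSTS] is in the fix. As an added example (not code from this thread or from OTL), the script below parses a Windows hosts file and flags such overrides; the sample hosts content, the `parse_hosts`/`audit_hosts` names and the domain list are my own, and the addresses are documentation-range placeholders.

```python
"""Audit a Windows hosts file for search-engine / AV-update redirects.

Added example, not part of the forum thread or of OTL.  The sample hosts
content at the bottom is constructed for illustration; its addresses are
placeholders from the RFC 5737 documentation range, not real indicators.
"""
import ipaddress
import re
from dataclasses import dataclass

# Targets a legitimate hosts entry may point at: loopback, or the
# "black hole" address used by ad-blocking hosts lists.
_HARMLESS_TARGETS = {"127.0.0.1", "::1", "0.0.0.0"}

# Names a home PC has no business overriding in hosts.  Redirecting these
# is the symptom in this thread: searches and AV updates silently go
# somewhere else.  (Assumed list; extend to taste.)
_HIGH_VALUE_SUFFIXES = (
    "google.com", "bing.com", "yahoo.com",
    "microsoft.com", "windowsupdate.com",
    "trendmicro.com", "malwarebytes.org", "eset.com",
)


@dataclass
class Finding:
    line_no: int
    ip: str
    hostname: str
    severity: str   # "high" or "review"
    reason: str


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in a hosts file.

    Handles '#' comments, blank lines, tabs or spaces, and several
    hostnames on one line, which is the format Windows has always used.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue   # malformed line: Windows ignores it, so do we
        for name in names:
            yield line_no, ip, name.lower()


def _is_high_value(name):
    return any(name == s or name.endswith("." + s) for s in _HIGH_VALUE_SUFFIXES)


def audit_hosts(text):
    """Return the suspicious mappings in a hosts file.

    Rules, from the defender's side:
      * localhost must resolve to loopback, nothing else           -> high
      * a high-value domain mapped anywhere (even to 127.0.0.1,
        which blocks AV updates rather than redirecting them)      -> high
      * any other name mapped to a routable address: could be a
        LAN host, could be a redirect, worth a look                -> review
    """
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if name == "localhost":
            if ip not in _HARMLESS_TARGETS:
                findings.append(Finding(line_no, ip, name, "high",
                                        "localhost redirected off loopback"))
            continue
        if _is_high_value(name):
            findings.append(Finding(line_no, ip, name, "high",
                                    "search/update/AV domain overridden"))
        elif ip not in _HARMLESS_TARGETS:
            findings.append(Finding(line_no, ip, name, "review",
                                    "name mapped to routable address"))
    return findings


# Constructed sample: the XP default plus the kind of lines a browser
# hijacker appends.  192.0.2.10 stands in for an attacker-controlled host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
192.0.2.10      www.google.com google.com      # injected redirect
192.0.2.10      www.bing.com
127.0.0.1       update.trendmicro.com          # blocks AV updates
10.0.0.5        nas.home                       # legitimate LAN name
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: [{f.severity}] {f.ip} -> {f.hostname}: {f.reason}")
```

On a live XP machine the file to feed in is C:\WINDOWS\system32\drivers\etc\hosts; a clean default contains only the comment header and the localhost line, which is what a hosts reset writes back.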

Buckman

FPCH Member
Joined
Jun 15, 2010
Messages
13
PC Experience
Very Experienced
Operating System
Windows XP - Media Center Edition
#4
Thanks so much for the excellent help. I have learned a lot in the past couple of hours, and I appreciate what you are doing here. Unfortunately, things are still being found. You asked me to report how the computer is acting though. I just had my browser open up a new window without any prompt from me...so something is still lurking. I can use Google as I would normally now. I have done comparison searches on different machines and it seems fine. One thing of note though...this machine doesn't have the green checks by google links as my other computers do. I have to admit I have never looked into what those green checks mean...

You asked me to post results. So here they are. Hopefully you will be able to tell what still lurks in the machine.

---------------------------------
OTL RESULTS:

All processes killed
========== OTL ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{32099AAC-C132-4136-9E9A-4E364A424E17} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32099AAC-C132-4136-9E9A-4E364A424E17}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{981FE6A8-260C-4930-960F-C3BC82746CB0} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{981FE6A8-260C-4930-960F-C3BC82746CB0}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\NWEReboot deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\nwiz deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\UserFaultCheck deleted successfully.
Starting removal of ActiveX control {40F8967E-34A6-474A-837A-CEC1E7DAC54C}
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{40F8967E-34A6-474A-837A-CEC1E7DAC54C}\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{40F8967E-34A6-474A-837A-CEC1E7DAC54C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{40F8967E-34A6-474A-837A-CEC1E7DAC54C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{40F8967E-34A6-474A-837A-CEC1E7DAC54C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{40F8967E-34A6-474A-837A-CEC1E7DAC54C}\ not found.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Starting removal of ActiveX control {A3E21079-7F41-4125-9EBB-FD44CFCC0AC1}
C:\WINDOWS\Downloaded Program Files\TSWeb.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{A3E21079-7F41-4125-9EBB-FD44CFCC0AC1}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3E21079-7F41-4125-9EBB-FD44CFCC0AC1}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{A3E21079-7F41-4125-9EBB-FD44CFCC0AC1}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A3E21079-7F41-4125-9EBB-FD44CFCC0AC1}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3E21079-7F41-4125-9EBB-FD44CFCC0AC1}\ not found.
Starting removal of ActiveX control {D27CDB6E-AE6D-11CF-96B8-444553540000}
C:\WINDOWS\Downloaded Program Files\swflash.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a58ec34-e83f-11de-b649-001676b674e2}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1a58ec34-e83f-11de-b649-001676b674e2}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a58ec34-e83f-11de-b649-001676b674e2}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1a58ec34-e83f-11de-b649-001676b674e2}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a58ec34-e83f-11de-b649-001676b674e2}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1a58ec34-e83f-11de-b649-001676b674e2}\ not found.
File J:\WINDOWS\IronKey.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{361ac05d-0e0d-11da-9aa9-806d6172696f}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{361ac05d-0e0d-11da-9aa9-806d6172696f}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{361ac05d-0e0d-11da-9aa9-806d6172696f}\ not found.
File E:\setup.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{58a3a095-2045-11dd-b5c7-001676b674e2}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{58a3a095-2045-11dd-b5c7-001676b674e2}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{58a3a095-2045-11dd-b5c7-001676b674e2}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{58a3a095-2045-11dd-b5c7-001676b674e2}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{58a3a095-2045-11dd-b5c7-001676b674e2}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{58a3a095-2045-11dd-b5c7-001676b674e2}\ not found.
File I:\WINDOWS\IronKey.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7144ff19-69a4-11de-b622-001676b674e2}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7144ff19-69a4-11de-b622-001676b674e2}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7144ff19-69a4-11de-b622-001676b674e2}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7144ff19-69a4-11de-b622-001676b674e2}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7144ff19-69a4-11de-b622-001676b674e2}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7144ff19-69a4-11de-b622-001676b674e2}\ not found.
File I:\IronKey.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{978b5df5-1f17-11df-9e68-001676b674e2}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{978b5df5-1f17-11df-9e68-001676b674e2}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{978b5df5-1f17-11df-9e68-001676b674e2}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{978b5df5-1f17-11df-9e68-001676b674e2}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{978b5df5-1f17-11df-9e68-001676b674e2}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{978b5df5-1f17-11df-9e68-001676b674e2}\ not found.
File I:\LaunchU3.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d0ab9b99-8a76-11de-b62e-001676b674e2}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d0ab9b99-8a76-11de-b62e-001676b674e2}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d0ab9b99-8a76-11de-b62e-001676b674e2}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d0ab9b99-8a76-11de-b62e-001676b674e2}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d0ab9b99-8a76-11de-b62e-001676b674e2}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d0ab9b99-8a76-11de-b62e-001676b674e2}\ not found.
File J:\IronKey.exe not found.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:72E6616C deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:8643C5BE deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:756C8543 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:B203B914 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:69D94DFA deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:8E3D07DE deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:411E1BE2 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:359B3BDA deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:4E1E5A60 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:C24B973A deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 16384 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Buck
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 84332 bytes
->FireFox cache emptied: 3895328 bytes
->Flash cache emptied: 53660 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56504 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Lori
->Temp folder emptied: 5692590 bytes
->Temporary Internet Files folder emptied: 44080767 bytes
->Java cache emptied: 76845590 bytes
->FireFox cache emptied: 34971752 bytes
->Flash cache emptied: 2228095 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 10258275 bytes
->Flash cache emptied: 11935 bytes

User: Zoe
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 7618415 bytes
->FireFox cache emptied: 55339254 bytes
->Flash cache emptied: 8677 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 5308945 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 325857 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 47622620 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34318 bytes
RecycleBin emptied: 10751648 bytes

Total Files Cleaned = 291.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYFLASH]

User: Administrator

User: All Users

User: Buck
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService

User: Lori
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

User: Zoe
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.6.0 log created on 06192010_145859
Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Lori\Local Settings\Temp\~DF9C22.tmp not found!
File\Folder C:\Documents and Settings\Lori\Local Settings\Temp\~DF9C2D.tmp not found!
File\Folder C:\Documents and Settings\Lori\Local Settings\Temp\~DF9C8A.tmp not found!
File\Folder C:\Documents and Settings\Lori\Local Settings\Temp\~DF9C95.tmp not found!
File\Folder C:\Documents and Settings\Lori\Local Settings\Temp\~DF9CD5.tmp not found!
File\Folder C:\Documents and Settings\Lori\Local Settings\Temp\~DF9CE0.tmp not found!
C:\Documents and Settings\Lori\Local Settings\Temporary Internet Files\Content.IE5\MKQ3UN4H\ads[3].htm moved successfully.
C:\Documents and Settings\Lori\Local Settings\Temporary Internet Files\Content.IE5\FCPDGBLK\9912-hijacked-malware-virus[1].html moved successfully.
C:\Documents and Settings\Lori\Local Settings\Temporary Internet Files\Content.IE5\9H2YHU00\ads[3].htm moved successfully.
C:\Documents and Settings\Lori\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\C5IA4O29\140153_21dating_1[1].flv moved successfully.
C:\WINDOWS\temp\fla4D.tmp moved successfully.
Registry entries deleted on Reboot...

---------------------------------------

ESET Results:

C:\RECYCLER\S-1-5-21-3398107660-505966276-2709992435-1008\Dc1.exe multiple threats deleted - quarantined
 

Starbuck

Admin & Security Team
Joined
Feb 19, 2010
Messages
4,396
Location
Midlands, UK
PC Experience
Very Experienced
#5
Hi Buckman,

Thanks for the explanation, let's look a little deeper then:

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2






This is an example, you may rename ComboFix to anything you want.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of ComboFix.
    For more information read:
    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

    Then:

    Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    If running Vista, you may not see this screen
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks
 

Buckman

FPCH Member
Joined
Jun 15, 2010
Messages
13
PC Experience
Very Experienced
Operating System
Windows XP - Media Center Edition
#6
It said that it detected rootkit activity. Crap...I have read about rootkits, but this is the first one I have encountered. I have done some reading about this particular one as well and it is suggested that this one downloads other viruses constantly to your machine. Nice. Here is the log:

ComboFix 10-06-22.03 - Lori 06/23/2010 12:59:02.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1172 [GMT -4:00]
Running from: c:\documents and settings\Lori\Desktop\Combo-Fix.exe
AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: PC-cillin Internet Security - Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Lori\Application Data\Sky-Banners
c:\documents and settings\Lori\Application Data\Sky-Banners\skb\log.xml
c:\windows\bobsaver.exe
c:\windows\bobsaver.scr
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\xpsp1hfm.log
Infected copy of c:\windows\system32\drivers\rdpcdd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-05-23 to 2010-06-23 )))))))))))))))))))))))))))))))
.
2010-06-19 18:58 . 2010-06-19 18:58 -------- d-----w- C:\_OTL
2010-06-15 22:10 . 2010-06-19 19:10 -------- d-----w- c:\windows\system32\MpEngineStore
2010-06-15 20:29 . 2010-06-15 20:29 63488 ----a-w- c:\documents and settings\Lori\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-15 20:29 . 2010-06-15 20:29 52224 ----a-w- c:\documents and settings\Lori\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-15 20:29 . 2010-06-15 20:29 117760 ----a-w- c:\documents and settings\Lori\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-15 20:28 . 2010-06-15 20:28 -------- d-----w- c:\documents and settings\Lori\Application Data\SUPERAntiSpyware.com
2010-06-15 20:28 . 2010-06-15 20:28 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-06-15 20:28 . 2010-06-15 20:28 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-15 18:38 . 2010-06-15 18:38 -------- d-----w- c:\program files\EraserPortable
2010-06-15 16:29 . 2010-06-15 16:29 -------- d-----w- c:\documents and settings\Lori\Application Data\Malwarebytes
2010-06-15 16:29 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-15 16:29 . 2010-06-15 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-15 16:29 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-15 16:29 . 2010-06-15 16:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-15 15:39 . 2010-06-15 15:39 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-06-15 15:37 . 2010-06-15 15:37 -------- d-----w- c:\windows\system32\Adobe
2010-06-15 15:36 . 2010-03-29 12:53 32576 ----a-w- c:\documents and settings\Lori\Application Data\Mozilla\Firefox\Profiles\evqtc5ll.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-06-15 15:36 . 2010-03-29 12:53 29984 ----a-w- c:\documents and settings\Lori\Application Data\Mozilla\Firefox\Profiles\evqtc5ll.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2010-06-15 14:06 . 2010-06-15 14:06 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-15 14:04 . 2010-06-15 14:04 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-06-15 04:41 . 2010-06-19 12:58 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-15 04:22 . 2010-06-15 04:22 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-06-14 07:22 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-10 22:25 . 2010-06-10 22:27 -------- d-----w- c:\documents and settings\Lori\Application Data\TuxPaint
2010-06-10 22:24 . 2010-06-12 20:25 -------- d-----w- c:\program files\TuxPaint
2010-05-26 05:10 . 2010-05-26 00:00 -------- d-----w- c:\documents and settings\Lori\Application Data\gtk-2.0
2010-05-26 00:40 . 2010-06-12 21:45 -------- d-----w- c:\documents and settings\Lori\.gimp-2.6
2010-05-26 00:40 . 2010-05-26 00:40 -------- d-----w- c:\program files\GIMP-2.0
2010-05-26 00:28 . 2010-06-23 16:54 -------- d-----w- c:\documents and settings\Lori\Application Data\WTablet
2010-05-26 00:27 . 2010-05-26 00:27 -------- d-----w- c:\program files\TabletPlugins
2010-05-26 00:26 . 2007-02-16 14:12 11312 ----a-w- c:\windows\system32\drivers\wacommousefilter.sys
2010-05-26 00:26 . 2009-09-21 19:29 14120 ----a-w- c:\windows\system32\drivers\wacomvhid.sys
2010-05-26 00:26 . 2010-05-26 00:26 -------- d-----w- c:\windows\system32\WTablet
2010-05-26 00:26 . 2010-01-24 18:32 16168 ----a-w- c:\windows\system32\drivers\wacmoumonitor.sys
2010-05-26 00:26 . 2010-03-08 19:47 5010288 ----a-w- c:\windows\system32\Wacom_Tablet.exe
2010-05-26 00:26 . 2010-03-08 19:47 415600 ----a-w- c:\windows\system32\Wacom_Tablet.dll
2010-05-26 00:26 . 2010-03-08 19:40 294400 ----a-w- c:\windows\system32\Wintab32.dll
2010-05-26 00:26 . 2010-05-26 00:26 -------- d-----w- c:\program files\Tablet
2010-05-25 22:25 . 2010-06-15 14:56 -------- d-----w- c:\documents and settings\Buck\Application Data\WTablet
2010-05-25 22:25 . 2010-06-23 16:53 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2010-05-24 23:04 . 2010-05-24 23:04 -------- d-----w- c:\documents and settings\Lori\.thumbnails
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-23 16:56 . 2006-12-12 04:34 -------- d-----w- c:\program files\Steam
2010-06-19 04:54 . 2009-02-02 01:20 117 ---h--w- c:\windows\popcreg.dat
2010-06-19 04:54 . 2009-01-17 05:06 312 ----a-w- c:\windows\popcinfot.dat
2010-06-15 19:19 . 2006-12-12 01:24 -------- d-----w- c:\documents and settings\Lori\Application Data\Corel
2010-06-15 19:19 . 2006-12-12 01:24 1316 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-15 16:20 . 2008-01-26 17:36 -------- d-----w- c:\program files\YouTube Downloader
2010-06-15 15:36 . 2009-12-14 16:49 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-06-15 15:36 . 2010-01-16 23:35 -------- d-----w- c:\program files\NOS
2010-06-15 15:34 . 2006-12-08 16:41 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-15 14:57 . 2008-03-16 06:12 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-05 14:29 . 2007-01-14 23:31 -------- d-----w- c:\program files\PopCap Games
2010-05-25 21:10 . 2010-03-22 13:03 -------- d-----w- c:\program files\Pando Networks
2010-05-25 21:03 . 2006-12-08 16:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-05-25 21:00 . 2006-12-08 16:32 -------- d-----w- c:\program files\Dell
2010-05-25 20:54 . 2008-04-05 17:53 -------- d-----w- c:\documents and settings\Lori\Application Data\Amazon
2010-05-25 20:54 . 2008-04-05 17:50 -------- d-----w- c:\program files\Amazon
2010-05-25 20:49 . 2006-12-08 16:40 -------- d-----w- c:\program files\Google
2010-05-25 20:47 . 2010-03-22 12:08 -------- d-----w- c:\program files\Turbine
2010-05-25 20:32 . 2010-02-09 14:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Astroburn Lite
2010-05-25 20:30 . 2010-02-13 23:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Astroburn Pro
2010-05-19 01:32 . 2008-02-01 07:56 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2010-05-06 10:41 . 2005-08-16 10:18 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2005-08-16 10:18 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-30 04:18 . 2007-07-16 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Friends Games
2010-04-27 01:05 . 2010-04-27 01:05 -------- d-----w- c:\documents and settings\Lori\Application Data\PopCapv1001
2010-04-20 05:30 . 2005-08-16 10:18 285696 ----a-w- c:\windows\system32\atmfd.dll
2008-02-26 21:26 . 2008-02-26 21:26 0 ----a-w- c:\program files\temp01
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 321040]
"Steam"="c:\program files\Steam\Steam.exe" [2010-05-24 1238352]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-06-07 2403568]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-05 49152]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-21 110184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"MFP1815_S2P"="c:\program files\DELL\DELL LASER MFP 1815\PSU\Scan2Pc.exe" [2006-04-13 258048]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-03-02 18944]
"CTHelper"="CTHELPER.EXE" [2005-11-08 16384]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
LUMIX Simple Viewer.lnk - c:\program files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2008-5-12 57344]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Steam\\SteamApps\\loriferis\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\xampplite\\mysql\\bin\\mysqld.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [5/25/2010 8:26 PM 5010288]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [9/25/2006 9:10 AM 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [9/25/2006 9:10 AM 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [9/25/2006 9:10 AM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [9/25/2006 9:10 AM 566872]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [9/25/2006 9:10 AM 280392]
S0 qxmofyba;qxmofyba;c:\windows\system32\drivers\fwkcquxy.sys --> c:\windows\system32\drivers\fwkcquxy.sys [?]
S2 TLRecAgent;TLRecAgent;\??\c:\windows\system32\drivers\TLRecAgent.sys --> c:\windows\system32\drivers\TLRecAgent.sys [?]
S3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [8/29/2008 1:03 PM 12288]
S3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [8/29/2008 1:03 PM 22656]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [5/25/2010 8:26 PM 16168]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/22/2007 1:01 PM 691696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
2010-06-16 c:\windows\Tasks\Norton Security Scan for Zoe.job
- c:\program files\Norton Security Scan\Nss.exe [2009-03-13 23:01]
2010-06-23 c:\windows\Tasks\User_Feed_Synchronization-{205FFA7B-8B8E-4420-A4D9-7DD7D87A6636}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
TCP: {17D76292-E8C2-493A-A751-23627903614D} = 74.128.17.114,74.128.19.102
DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/downloads/activex/YoYo.cab
FF - ProfilePath - c:\documents and settings\Lori\Application Data\Mozilla\Firefox\Profiles\evqtc5ll.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - plugin: c:\documents and settings\Lori\Application Data\Mozilla\Firefox\Profiles\evqtc5ll.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\TabletPlugins\npwacom.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -
HKCU-RunOnce-Shockwave Updater - c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150595.exe
AddRemove-LucasArts' Curse of Monkey Island - c:\program files\LucasArts\Curse\DeIsL1.isu
AddRemove-Mozilla Firefox (2.0.0.20) - m:\mozilla firefox\uninstall\helper.exe
AddRemove-Mozilla Thunderbird (2.0.0.19) - k:\programs files\ThunderbirdPortable\App\thunderbird\uninstall\helper.exe
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe

**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2010-06-23 13:11
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, GMER - Rootkit Detector and Remover
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x87C9EEC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb80ecf28
\Driver\ACPI -> ACPI.sys @ 0xb7f7fcb8
\Driver\iaStor -> iaStor.sys @ 0xb7e74f80
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Intel(R) 82566DC Gigabit Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xb7d68bb0
PacketIndicateHandler -> NDIS.sys @ 0xb7d75a21
SendHandler -> NDIS.sys @ 0xb7d5387b
user & kernel MBR OK
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-3398107660-505966276-2709992435-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:8e,7b,dd,27,d1,28,f3,3b,92,d6,6d,64,ec,32,e4,25,b2,f5,0d,d9,d2,f5,30,
91,6c,ec,8a,92,aa,30,f6,14,d3,d8,d5,b3,22,72,31,56,26,0b,a7,6e,67,68,8b,4a,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22
[HKEY_USERS\S-1-5-21-3398107660-505966276-2709992435-1006\Software\SecuROM\License information*]
"datasecu"=hex:9e,c7,9a,40,c3,5a,8f,ee,42,cd,6b,4a,f4,f6,6a,a5,a2,a6,4f,82,0f,
ed,39,2e,29,3a,d7,f2,eb,ff,10,dc,bc,aa,06,4d,ce,ed,2d,1b,48,e4,2f,00,eb,6a,\
"rkeysecu"=hex:71,40,0f,1b,00,e9,54,d3,84,98,d5,e3,d9,48,f4,35
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1412)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
- - - - - - - > 'lsass.exe'(1472)
c:\windows\system32\WININET.dll
.
Completion time: 2010-06-23 13:16:31
ComboFix-quarantined-files.txt 2010-06-23 17:16
Pre-Run: 271,179,919,360 bytes free
Post-Run: 271,170,846,720 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
- - End Of File - - 8577CD089B482AD0BEBE13A0A97DB5BB
 

Buckman

FPCH Member
Joined
Jun 15, 2010
Messages
13
PC Experience
Very Experienced
Operating System
Windows XP - Media Center Edition
#7
And there wasn't any sort of big fanfare saying that anything had been removed. I am not encouraged by that...
 

Starbuck

Admin & Security Team
Joined
Feb 19, 2010
Messages
4,396
Location
Midlands, UK
PC Experience
Very Experienced
#8
Hi Buckman,

And there wasn't any sort of big fanfare saying that anything had been removed. I am not encouraged by that...
This is what CF removed:

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Lori\Application Data\Sky-Banners
c:\documents and settings\Lori\Application Data\Sky-Banners\skb\log.xml
c:\windows\bobsaver.exe
c:\windows\bobsaver.scr
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\xpsp1hfm.log
Infected copy of c:\windows\system32\drivers\rdpcdd.sys was found and disinfected
Restored copy from - Kitty had a snack
It not only removed some files, it also replaced an infected file for you.

The report is showing there are a few more things for us to address:

Close any open browsers.
Close/disable all anti virus, firewall and anti malware programs so they do not interfere with the running of ComboFix:

Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text and pressing Ctrl+C
Code:
File::
c:\program files\temp01
c:\windows\system32\drivers\fwkcquxy.sys

Driver::
qxmofyba
Go to the Notepad window and click Edit >> Paste
Then click File >> Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

The main ComboFix.exe program should be on your Desktop
Drag the file you just created... CFScript.txt and drop it on the main ComboFix.exe icon
as below.


Now please wait for ComboFix to finish running.

Please Note: Do not mouse click in the combofix window while it is running - this may cause your system to hang/crash

Let me have the new Combofix.txt after the fix.

Thanks
 

Buckman
#9
Okay, so here are the results of the next scan. BTW it started by saying it detected rootkit activity. But it did appear to catch and remove something. I must learn how to use this software myself...

ComboFix 10-06-22.03 - Lori 06/23/2010 19:08:27.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1389 [GMT -4:00]
Running from: c:\documents and settings\Lori\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Lori\Desktop\CFScript.txt
AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: PC-cillin Internet Security - Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
FILE ::
"c:\program files\temp01"
"c:\windows\system32\drivers\fwkcquxy.sys"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\temp01
Infected copy of c:\windows\system32\drivers\rdpcdd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_qxmofyba

((((((((((((((((((((((((( Files Created from 2010-05-24 to 2010-06-24 )))))))))))))))))))))))))))))))
.
2010-06-23 16:31 . 2010-06-23 17:16 -------- d-----w- C:\Combo-Fix
2010-06-19 18:58 . 2010-06-19 18:58 -------- d-----w- C:\_OTL
2010-06-15 22:10 . 2010-06-19 19:10 -------- d-----w- c:\windows\system32\MpEngineStore
2010-06-15 20:28 . 2010-06-15 20:28 -------- d-----w- c:\documents and settings\Lori\Application Data\SUPERAntiSpyware.com
2010-06-15 20:28 . 2010-06-15 20:28 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-06-15 20:28 . 2010-06-15 20:28 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-15 18:38 . 2010-06-15 18:38 -------- d-----w- c:\program files\EraserPortable
2010-06-15 16:29 . 2010-06-15 16:29 -------- d-----w- c:\documents and settings\Lori\Application Data\Malwarebytes
2010-06-15 16:29 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-15 16:29 . 2010-06-15 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-15 16:29 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-15 16:29 . 2010-06-15 16:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-15 15:39 . 2010-06-15 15:39 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-06-15 15:37 . 2010-06-15 15:37 -------- d-----w- c:\windows\system32\Adobe
2010-06-15 14:06 . 2010-06-15 14:06 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-15 14:04 . 2010-06-15 14:04 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-06-15 04:41 . 2010-06-19 12:58 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-15 04:22 . 2010-06-15 04:22 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-06-14 07:22 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-10 22:25 . 2010-06-10 22:27 -------- d-----w- c:\documents and settings\Lori\Application Data\TuxPaint
2010-06-10 22:24 . 2010-06-12 20:25 -------- d-----w- c:\program files\TuxPaint
2010-05-26 05:10 . 2010-05-26 00:00 -------- d-----w- c:\documents and settings\Lori\Application Data\gtk-2.0
2010-05-26 00:40 . 2010-06-12 21:45 -------- d-----w- c:\documents and settings\Lori\.gimp-2.6
2010-05-26 00:40 . 2010-05-26 00:40 -------- d-----w- c:\program files\GIMP-2.0
2010-05-26 00:28 . 2010-06-24 00:20 -------- d-----w- c:\documents and settings\Lori\Application Data\WTablet
2010-05-26 00:27 . 2010-05-26 00:27 -------- d-----w- c:\program files\TabletPlugins
2010-05-26 00:26 . 2007-02-16 14:12 11312 ----a-w- c:\windows\system32\drivers\wacommousefilter.sys
2010-05-26 00:26 . 2009-09-21 19:29 14120 ----a-w- c:\windows\system32\drivers\wacomvhid.sys
2010-05-26 00:26 . 2010-05-26 00:26 -------- d-----w- c:\windows\system32\WTablet
2010-05-26 00:26 . 2010-01-24 18:32 16168 ----a-w- c:\windows\system32\drivers\wacmoumonitor.sys
2010-05-26 00:26 . 2010-03-08 19:47 5010288 ----a-w- c:\windows\system32\Wacom_Tablet.exe
2010-05-26 00:26 . 2010-03-08 19:47 415600 ----a-w- c:\windows\system32\Wacom_Tablet.dll
2010-05-26 00:26 . 2010-03-08 19:40 294400 ----a-w- c:\windows\system32\Wintab32.dll
2010-05-26 00:26 . 2010-05-26 00:26 -------- d-----w- c:\program files\Tablet
2010-05-25 22:25 . 2010-06-15 14:56 -------- d-----w- c:\documents and settings\Buck\Application Data\WTablet
2010-05-25 22:25 . 2010-06-23 23:23 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-24 00:22 . 2006-12-12 04:34 -------- d-----w- c:\program files\Steam
2010-06-19 04:54 . 2009-02-02 01:20 117 ---h--w- c:\windows\popcreg.dat
2010-06-19 04:54 . 2009-01-17 05:06 312 ----a-w- c:\windows\popcinfot.dat
2010-06-15 19:19 . 2006-12-12 01:24 -------- d-----w- c:\documents and settings\Lori\Application Data\Corel
2010-06-15 19:19 . 2006-12-12 01:24 1316 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-15 16:20 . 2008-01-26 17:36 -------- d-----w- c:\program files\YouTube Downloader
2010-06-15 15:36 . 2009-12-14 16:49 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-06-15 15:36 . 2010-01-16 23:35 -------- d-----w- c:\program files\NOS
2010-06-15 15:34 . 2006-12-08 16:41 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-15 14:57 . 2008-03-16 06:12 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-05 14:29 . 2007-01-14 23:31 -------- d-----w- c:\program files\PopCap Games
2010-05-25 21:10 . 2010-03-22 13:03 -------- d-----w- c:\program files\Pando Networks
2010-05-25 21:03 . 2006-12-08 16:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-05-25 21:00 . 2006-12-08 16:32 -------- d-----w- c:\program files\Dell
2010-05-25 20:54 . 2008-04-05 17:53 -------- d-----w- c:\documents and settings\Lori\Application Data\Amazon
2010-05-25 20:54 . 2008-04-05 17:50 -------- d-----w- c:\program files\Amazon
2010-05-25 20:49 . 2006-12-08 16:40 -------- d-----w- c:\program files\Google
2010-05-25 20:47 . 2010-03-22 12:08 -------- d-----w- c:\program files\Turbine
2010-05-25 20:32 . 2010-02-09 14:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Astroburn Lite
2010-05-25 20:30 . 2010-02-13 23:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Astroburn Pro
2010-05-19 01:32 . 2008-02-01 07:56 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2010-05-06 10:41 . 2005-08-16 10:18 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2005-08-16 10:18 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-30 04:18 . 2007-07-16 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Friends Games
2010-04-27 01:05 . 2010-04-27 01:05 -------- d-----w- c:\documents and settings\Lori\Application Data\PopCapv1001
2010-04-20 05:30 . 2005-08-16 10:18 285696 ----a-w- c:\windows\system32\atmfd.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 321040]
"Steam"="c:\program files\Steam\Steam.exe" [2010-05-24 1238352]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-06-07 2403568]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-05 49152]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-21 110184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"MFP1815_S2P"="c:\program files\DELL\DELL LASER MFP 1815\PSU\Scan2Pc.exe" [2006-04-13 258048]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-03-02 18944]
"CTHelper"="CTHELPER.EXE" [2005-11-08 16384]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
LUMIX Simple Viewer.lnk - c:\program files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2008-5-12 57344]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Steam\\SteamApps\\loriferis\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\xampplite\\mysql\\bin\\mysqld.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [5/25/2010 8:26 PM 5010288]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [9/25/2006 9:10 AM 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [9/25/2006 9:10 AM 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [9/25/2006 9:10 AM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [9/25/2006 9:10 AM 566872]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [9/25/2006 9:10 AM 280392]
S2 TLRecAgent;TLRecAgent;\??\c:\windows\system32\drivers\TLRecAgent.sys --> c:\windows\system32\drivers\TLRecAgent.sys [?]
S3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [8/29/2008 1:03 PM 12288]
S3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [8/29/2008 1:03 PM 22656]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [5/25/2010 8:26 PM 16168]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/22/2007 1:01 PM 691696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
2010-06-23 c:\windows\Tasks\Norton Security Scan for Zoe.job
- c:\program files\Norton Security Scan\Nss.exe [2009-03-13 23:01]
2010-06-23 c:\windows\Tasks\User_Feed_Synchronization-{205FFA7B-8B8E-4420-A4D9-7DD7D87A6636}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
TCP: {17D76292-E8C2-493A-A751-23627903614D} = 74.128.17.114,74.128.19.102
DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/downloads/activex/YoYo.cab
FF - ProfilePath - c:\documents and settings\Lori\Application Data\Mozilla\Firefox\Profiles\evqtc5ll.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - plugin: c:\documents and settings\Lori\Application Data\Mozilla\Firefox\Profiles\evqtc5ll.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\TabletPlugins\npwacom.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2010-06-23 20:21
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, GMER - Rootkit Detector and Remover
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x87967EC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb80ecf28
\Driver\ACPI -> ACPI.sys @ 0xb7f7fcb8
\Driver\iaStor -> iaStor.sys @ 0xb7e74f80
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Intel(R) 82566DC Gigabit Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xb7d68bb0
PacketIndicateHandler -> NDIS.sys @ 0xb7d75a21
SendHandler -> NDIS.sys @ 0xb7d5387b
user & kernel MBR OK
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-3398107660-505966276-2709992435-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:8e,7b,dd,27,d1,28,f3,3b,92,d6,6d,64,ec,32,e4,25,b2,f5,0d,d9,d2,f5,30,
91,6c,ec,8a,92,aa,30,f6,14,d3,d8,d5,b3,22,72,31,56,26,0b,a7,6e,67,68,8b,4a,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22
[HKEY_USERS\S-1-5-21-3398107660-505966276-2709992435-1006\Software\SecuROM\License information*]
"datasecu"=hex:9e,c7,9a,40,c3,5a,8f,ee,42,cd,6b,4a,f4,f6,6a,a5,a2,a6,4f,82,0f,
ed,39,2e,29,3a,d7,f2,eb,ff,10,dc,bc,aa,06,4d,ce,ed,2d,1b,48,e4,2f,00,eb,6a,\
"rkeysecu"=hex:71,40,0f,1b,00,e9,54,d3,84,98,d5,e3,d9,48,f4,35
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1416)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
- - - - - - - > 'lsass.exe'(1476)
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(3940)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Microsoft Virtual PC\VPCShExH.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Creative\Shared Files\CTDevSrv.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\windows\system32\PSIService.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\WTablet\Wacom_TabletUser.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\eHome\ehmsas.exe
c:\windows\SYSTEM32\CTXFISPI.EXE
c:\windows\system32\devldr32.exe
.
**************************************************************************
.
Completion time: 2010-06-23 20:32:29 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-24 00:32
ComboFix2.txt 2010-06-23 17:16
Pre-Run: 271,190,323,200 bytes free
Post-Run: 271,286,239,232 bytes free
- - End Of File - - B7A9A51F50658AC4B91BAE9518B06491
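An added example, not code from the thread or from ComboFix: a small Python triage script that pulls out of a ComboFix report the kinds of findings the helper read off the log above (disabled protection, Security Center monitoring switched off, the firewall policy, a removed randomly named service, a disinfected system driver, a service entry ComboFix could not read, and the name servers set per interface). The sample lines are copied from the report in this post; the rules and the `looks_random` heuristic are assumptions about what deserves a second look, not ComboFix's own logic.

```python
"""Triage helper for ComboFix reports (added example; not from the thread or ComboFix).

The sample lines below are copied from the report posted in this thread; the
rules are assumptions about what deserves a second look, not ComboFix's logic.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


# Sample input: lines lifted from the ComboFix report above (raw string so the
# Windows paths keep their backslashes). The first line is intentionally empty.
SAMPLE_REPORT = r"""
AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: PC-cillin Internet Security - Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
-------\Service_qxmofyba
Infected copy of c:\windows\system32\drivers\rdpcdd.sys was found and disinfected
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
S2 TLRecAgent;TLRecAgent;\??\c:\windows\system32\drivers\TLRecAgent.sys --> c:\windows\system32\drivers\TLRecAgent.sys [?]
TCP: {17D76292-E8C2-493A-A751-23627903614D} = 74.128.17.114,74.128.19.102
uStart Page = hxxp://www.google.com/
"""

_GUID = r"\{[0-9A-Fa-f-]{36}\}"
_STATUS = re.compile(r"^(AV|FW): (.+?) \*(.+?)\*")          # AV:/FW: product status header
_REGKEY = re.compile(r"^\[(.+)\]$")                           # [HKEY_...] section line
_DISMON = re.compile(r'^"DisableMonitoring"=dword:0*1$')      # Security Center told to ignore a product
_FWOFF = re.compile(r'^"EnableFirewall"=\s*0\b')              # Windows Firewall policy off
_REMOVED_SVC = re.compile(r"^-+\\Service_(\S+)$")             # "-------\Service_xxx": CF removed it
_DISINFECT = re.compile(r"^Infected copy of (.+?) was found and disinfected$")
_SERVICE = re.compile(r"^[RS][0-4] ([^;]+);([^;]*);(.*)$")   # R0-R4/S0-S4 driver and service rows
_DNS = re.compile(rf"^TCP: ({_GUID}) = ([\d.,]+)$")           # name servers set on an interface
_EIGHT_LOWER = re.compile(r"^[a-z]{8}$")


def looks_random(name: str) -> bool:
    """Assumed heuristic: eight lowercase letters with at most two vowels, the
    shape of the qxmofyba service and fwkcquxy.sys driver in this thread.
    Expect false positives (tmpreflt.sys, a real Trend Micro driver, matches)."""
    stem = name.lower().removesuffix(".sys")
    return bool(_EIGHT_LOWER.match(stem)) and sum(c in "aeiou" for c in stem) <= 2


def triage(report: str) -> list[Finding]:
    """Walk a ComboFix report line by line and collect leads worth a second look."""
    findings: list[Finding] = []
    current_key = ""  # the most recent [HKEY...] header, for value lines below it
    for raw in report.splitlines():
        line = raw.strip()
        if m := _REGKEY.match(line):
            current_key = m.group(1)
            continue
        if m := _STATUS.match(line):
            kind, product, state = m.groups()
            # Expected when the helper asked for protection to be turned off for
            # the run; the point is to confirm it is back on afterwards.
            if "disabled" in state.lower():
                findings.append(Finding("protection-disabled", f"{kind} {product}: {state}"))
        elif _DISMON.match(line) and "security center" in current_key.lower():
            findings.append(Finding("security-center-monitoring-off", current_key.rsplit("\\", 1)[-1]))
        elif _FWOFF.match(line) and "firewallpolicy" in current_key.lower():
            findings.append(Finding("windows-firewall-off", current_key))
        elif m := _REMOVED_SVC.match(line):
            name = m.group(1)
            tag = " (random-looking name)" if looks_random(name) else ""
            findings.append(Finding("service-removed", name + tag))
        elif m := _DISINFECT.match(line):
            # A legitimate driver carrying injected code: the rootkit's foothold.
            findings.append(Finding("infected-system-file", m.group(1)))
        elif m := _SERVICE.match(line):
            name, _, rest = m.groups()
            # "[?]" means ComboFix could not read the file: a dead entry or a
            # file hidden from it; either way it needs a look.
            if rest.rstrip().endswith("[?]"):
                findings.append(Finding("service-file-missing", name))
        elif m := _DNS.match(line):
            # Swapped name servers are one classic cause of search redirects,
            # so compare these with what the ISP or router should hand out.
            findings.append(Finding("interface-dns", f"{m.group(1)}: {m.group(2)}"))
    return findings


def main() -> None:
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.rule}] {f.detail}")


if __name__ == "__main__":
    main()
```

Point it at a full ComboFix.txt by passing the file contents to `triage()`; every hit is a lead to check, not a verdict.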
 

Buckman
#10
Oh and one more question. Just before I ran this scan I got yet another popup, but this one may be legit. Does your site have a popup for Install Registry Defender 2010?

Registry Defender (Official Site)

Just checking. If your site does not, then I hope this last round of scanning did the trick.
 

Buckman
#11
Oops, scratch that. I'm still infected. A lottery popup came up. Question...is this a lost cause? Do I need to reformat and reinstall Windows? This is looking pretty grim.

Thanks for the help.
 

RandyL

Administrator
Joined
Jan 22, 2003
Messages
4,878
Location
USA, Nebraska
PC Experience
Very Experienced
#12
Starbuck and Buckman, there is a chance that the popup is forum related and is not a problem with the computer. I'm going to look into it.
 

Buckman
#13
Thanks, but I am pretty sure that those popups have nothing to do with your site. I have kind of become a fan here and I lurk around a bit. I can think of four different Windows PCs that I use to access this site. My infected computer is at home, and whenever I have the energy, I sit down and try to repair this rootkit. I get a popup about once every 15 minutes or so. On that computer your site is the ONLY one I access, since it is not in regular use and the only reason I turn it on is to work on the infection. But I have NEVER gotten a popup on the other machines I use to access this site. I am here right now and there are no popups for instance...
 

Starbuck
#14
Hi Buckman,

Question...is this a lost cause? Do I need to reformat and reinstall Windows? This is looking pretty grim.
We'll do our best; a reformat is always the last resort... and we haven't got to that yet :)

Step 1
Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

This step will help get a better report from the next step.

Step 2
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Thanks
 

Buckman
#15
I had a little trouble with this. I was trying to shut off my network connection and I couldn't. Not even after rebooting. So I got nasty about it and booted in safe mode WITHOUT networking and unplugged the CAT5 cable. So as the directions instructed, I was definitely off the internet. If my extreme measures messed up the scan, please let me know. And BTW, thanks for all this. What have we tried by now, 10 different programs?

Defogger did put something out:

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 16:30 on 25/06/2010 (Lori)
Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.
Checking for services/drivers...
SPTD -> Already disabled

-=E.O.F=-

--------------------------------------------------

Here is the GMER output:

GMER 1.0.15.15281 - GMER - Rootkit Detector and Remover
Rootkit scan 2010-06-25 21:14:22
Windows 5.1.2600 Service Pack 3
Running: yzwmhzd1.exe; Driver: C:\DOCUME~1\Lori\LOCALS~1\Temp\kwryipow.sys

---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 Elkbd.sys (Intel Corporation)
Device \FileSystem\Fastfat \Fat B7C14D20
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x4B 0xBE 0xE6 0x2D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x33 0x31 0x46 0x65 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x80 0x61 0x2A 0x7E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xE9 0x5D 0x8D 0x09 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x48 0x95 0xC7 0x79 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x3F 0xA7 0x98 0xCB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x1D 0xBA 0x47 0x7D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x4B 0xBE 0xE6 0x2D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 2
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x33 0x31 0x46 0x65 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x80 0x61 0x2A 0x7E ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xE9 0x5D 0x8D 0x09 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
---- EOF - GMER 1.0.15 ----
 

Buckman (FPCH Member) #17
I will attempt to get a screen shot of the popup, but it is the least of my worries right now. Google is back to serving up pages that I did not click on. Just for a test I searched for 'Star Trek.' The results seemed logical. There was the official site, the IMDB page and other things. But clicking any of these took me to 'caranddriver.com' and 'marthastewart.com.' I have been trying to read up on GMER. It listed a few things though and nothing came up in red. Combofix still says I have rootkit activity. Any thoughts on this? Or am I nuking the hard drive?
 

Buckman (FPCH Member) #18
A window saying "security warning" has popped up telling me that "Application cannot be executed. The file svchost.exe is infected. Do you want to activate your antivirus software now?" I am given 'yes' and 'no' buttons. And of course my antivirus software is running. I tried to 'CNTL-ALT-DEL' out of this, but this program is blocking it. The task manager will only remain open for a split second. I am afraid this is a lost cause. If the scan turned up anything I can manually fix, please let me know. But I need this computer back and I think a reformat is the only thing that may work.
 

Buckman (FPCH Member) #19
The computer is reinfected as it originally was. I got a good look at it this time. (Wasn't able to because this originally happened to my wife.) A window pops up with a big green shield with a diagonal line through it. The program calls itself 'AV Protection Suite' with a little slogan that says, 'Innovative protection for your PC.' This is accompanied by a green shield in the icon tray. It acts as if it is doing a scan of your PC, has a little counter that goes slowly to 100%. Meanwhile it tells you that you are infected and the icon throws up balloons telling you the same. I was able to start the task manager and two programs were running: 'AV Security Suite Demo' and something else that corresponded to a warning window that was warning me about infection as well.

This may give you some help trying to locate it. I am going to read up on this specifically. Quite the tenacious little infection. Hats off to the little bugger who wrote this thing.

BTW...this was not the popup that comes with the site every 15 minutes which I am now starting to think is legit. But...it is similar. This could be dangerous on a site that helps people try to rid themselves of infection.

I tried to get screen shots, but no other program would run until I shut down the demo in the task manager. Sorry.
 

Starbuck (Admin & Security Team, Midlands, UK) #20
Hi Buckman,

There is definitely something hiding, we could run more scans and try to find out what it is....
But if you need the pc back up and running and don't have much spare time, then by all means go for the reformat/reinstall.
It will sort the m/c out once and for all.
I'll wait for your reply.