Buckman

Members
  • Posts

    13
  • Joined

  • Last visited

About Buckman

  • Birthday 3/4/1971

Tech Info

  • Experience
    very_experienced
  • System: windows_xp_media

  1. The computer is reinfected as it originally was. I got a good look at it this time. (Wasn't able to because this originally happened to my wife.) A window pops up with a big green shield with a diagonal line through it. The program calls itself 'AV Protection Suite' with a little slogan that says, 'Innovative protection for your PC.' This is accompanied by a green shield in the icon tray. It acts as if it is doing a scan of your PC, has a little counter that goes slowly to 100%. Meanwhile it tells you that you are infected and the icon throws up balloons telling you the same. I was able to start the task manager and two programs were running: 'AV Security Suite Demo' and something else that corresponded to a warning window that was warning me about infection as well. This may give you some help trying to locate it. I am going to read up on this specifically. Quite the tenacious little infection. Hats off to the little bugger who wrote this thing. BTW...this was not the popup that comes with the site every 15 minutes which I am now starting to think is legit. But...it is similar. This could be dangerous on a site that helps people try to rid themselves of infection. I tried to get screen shots, but no other program would run until I shut down the demo in the task manager. Sorry.
  2. A window saying "security warning" has popped up telling me that "Application cannot be executed. The file svchost.exe is infected. Do you want to activate your antivirus software now?" I am given 'yes' and 'no' buttons. And of course my antivirus software is running. I tried to 'CTRL-ALT-DEL' out of this, but this program is blocking it. The task manager will only remain open for a split second. I am afraid this is a lost cause. If the scan turned up anything I can manually fix, please let me know. But I need this computer back and I think a reformat is the only thing that may work.
  3. I will attempt to get a screen shot of the popup, but it is the least of my worries right now. Google is back to serving up pages that I did not click on. Just for a test I searched for 'Star Trek.' The results seemed logical. There was the official site, the IMDB page and other things. But clicking any of these took me to 'caranddriver.com' and 'marthastewart.com.' I have been trying to read up on GMER. It listed a few things though and nothing came up in red. Combofix still says I have rootkit activity. Any thoughts on this? Or am I nuking the hard drive?
  4. I had a little trouble with this. I was trying to shut off my network connection and I couldn't. Not even after rebooting. So I got nasty about it and booted in safe mode WITHOUT networking and unplugged the CAT5 cable. So as the directions instructed, I was definitely off the internet. If my extreme measures messed up the scan, please let me know. And BTW, thanks for all this. What have we tried by now, 10 different programs? Defogger did put something out:

     defogger_disable by jpshortstuff (23.02.10.1)
     Log created at 16:30 on 25/06/2010 (Lori)
     Checking for autostart values...
     HKCU\~\Run values retrieved.
     HKLM\~\Run values retrieved.
     Checking for services/drivers...
     SPTD -> Already disabled
     -=E.O.F=-

     Here is the GMER output:
  5. Thanks, but I am pretty sure that those popups have nothing to do with your site. I have kind of become a fan here and I lurk around a bit. I can think of four different Windows PCs that I use to access this site. My infected computer is at home, and whenever I have the energy, I sit down and try to repair this rootkit. I get a popup about once every 15 minutes or so. On that computer your site is the ONLY one I access, since it is not in regular use and the only reason I turn it on is to work on the infection. But I have NEVER gotten a popup on the other machines I use to access this site. I am here right now and there are no popups, for instance...
  6. Oops, scratch that. I'm still infected. A lottery popup came up. Question...is this a lost cause? Do I need to reformat and reinstall Windows? This is looking pretty grim. Thanks for the help.
  7. Oh and one more question. Just before I ran this scan I got yet another popup, but this one may be legit. Does your site have a popup for Install Registry Defender 2010? Registry Defender (Official Site) Just checking. If your site does not, then I hope this last round of scanning did the trick.
  8. Okay, so here are the results of the next scan. BTW it started by saying it detected rootkit activity. But it did appear to catch and remove something. I must learn how to use this software myself...
  9. And there wasn't any sort of big fanfare saying that anything had been removed. I am not encouraged by that...
  10. It said that it detected rootkit activity. Crap...I have read about rootkits, but this is the first one I have encountered. I have done some reading about this particular one as well and it is suggested that this one downloads other viruses constantly to your machine. Nice. Here is the log:

ComboFix 10-06-22.03 - Lori 06/23/2010 12:59:02.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1172 [GMT -4:00]
Running from: c:\documents and settings\Lori\Desktop\Combo-Fix.exe
AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: PC-cillin Internet Security - Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Lori\Application Data\Sky-Banners
c:\documents and settings\Lori\Application Data\Sky-Banners\skb\log.xml
c:\windows\bobsaver.exe
c:\windows\bobsaver.scr
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\xpsp1hfm.log

Infected copy of c:\windows\system32\drivers\rdpcdd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-05-23 to 2010-06-23 )))))))))))))))))))))))))))))))
.
2010-06-19 18:58 . 2010-06-19 18:58 -------- d-----w- C:\_OTL
2010-06-15 22:10 . 2010-06-19 19:10 -------- d-----w- c:\windows\system32\MpEngineStore
2010-06-15 20:29 . 2010-06-15 20:29 63488 ----a-w- c:\documents and settings\Lori\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-15 20:29 . 2010-06-15 20:29 52224 ----a-w- c:\documents and settings\Lori\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-15 20:29 . 2010-06-15 20:29 117760 ----a-w- c:\documents and settings\Lori\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-15 20:28 . 2010-06-15 20:28 -------- d-----w- c:\documents and settings\Lori\Application Data\SUPERAntiSpyware.com
2010-06-15 20:28 . 2010-06-15 20:28 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-06-15 20:28 . 2010-06-15 20:28 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-15 18:38 . 2010-06-15 18:38 -------- d-----w- c:\program files\EraserPortable
2010-06-15 16:29 . 2010-06-15 16:29 -------- d-----w- c:\documents and settings\Lori\Application Data\Malwarebytes
2010-06-15 16:29 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-15 16:29 . 2010-06-15 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-15 16:29 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-15 16:29 . 2010-06-15 16:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-15 15:39 . 2010-06-15 15:39 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-06-15 15:37 . 2010-06-15 15:37 -------- d-----w- c:\windows\system32\Adobe
2010-06-15 15:36 . 2010-03-29 12:53 32576 ----a-w- c:\documents and settings\Lori\Application Data\Mozilla\Firefox\Profiles\evqtc5ll.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-06-15 15:36 . 2010-03-29 12:53 29984 ----a-w- c:\documents and settings\Lori\Application Data\Mozilla\Firefox\Profiles\evqtc5ll.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2010-06-15 14:06 . 2010-06-15 14:06 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-15 14:04 . 2010-06-15 14:04 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-06-15 04:41 . 2010-06-19 12:58 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-15 04:22 . 2010-06-15 04:22 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-06-14 07:22 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-10 22:25 . 2010-06-10 22:27 -------- d-----w- c:\documents and settings\Lori\Application Data\TuxPaint
2010-06-10 22:24 . 2010-06-12 20:25 -------- d-----w- c:\program files\TuxPaint
2010-05-26 05:10 . 2010-05-26 00:00 -------- d-----w- c:\documents and settings\Lori\Application Data\gtk-2.0
2010-05-26 00:40 . 2010-06-12 21:45 -------- d-----w- c:\documents and settings\Lori\.gimp-2.6
2010-05-26 00:40 . 2010-05-26 00:40 -------- d-----w- c:\program files\GIMP-2.0
2010-05-26 00:28 . 2010-06-23 16:54 -------- d-----w- c:\documents and settings\Lori\Application Data\WTablet
2010-05-26 00:27 . 2010-05-26 00:27 -------- d-----w- c:\program files\TabletPlugins
2010-05-26 00:26 . 2007-02-16 14:12 11312 ----a-w- c:\windows\system32\drivers\wacommousefilter.sys
2010-05-26 00:26 . 2009-09-21 19:29 14120 ----a-w- c:\windows\system32\drivers\wacomvhid.sys
2010-05-26 00:26 . 2010-05-26 00:26 -------- d-----w- c:\windows\system32\WTablet
2010-05-26 00:26 . 2010-01-24 18:32 16168 ----a-w- c:\windows\system32\drivers\wacmoumonitor.sys
2010-05-26 00:26 . 2010-03-08 19:47 5010288 ----a-w- c:\windows\system32\Wacom_Tablet.exe
2010-05-26 00:26 . 2010-03-08 19:47 415600 ----a-w- c:\windows\system32\Wacom_Tablet.dll
2010-05-26 00:26 . 2010-03-08 19:40 294400 ----a-w- c:\windows\system32\Wintab32.dll
2010-05-26 00:26 . 2010-05-26 00:26 -------- d-----w- c:\program files\Tablet
2010-05-25 22:25 . 2010-06-15 14:56 -------- d-----w- c:\documents and settings\Buck\Application Data\WTablet
2010-05-25 22:25 . 2010-06-23 16:53 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2010-05-24 23:04 . 2010-05-24 23:04 -------- d-----w- c:\documents and settings\Lori\.thumbnails
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-23 16:56 . 2006-12-12 04:34 -------- d-----w- c:\program files\Steam
2010-06-19 04:54 . 2009-02-02 01:20 117 ---h--w- c:\windows\popcreg.dat
2010-06-19 04:54 . 2009-01-17 05:06 312 ----a-w- c:\windows\popcinfot.dat
2010-06-15 19:19 . 2006-12-12 01:24 -------- d-----w- c:\documents and settings\Lori\Application Data\Corel
2010-06-15 19:19 . 2006-12-12 01:24 1316 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-15 16:20 . 2008-01-26 17:36 -------- d-----w- c:\program files\YouTube Downloader
2010-06-15 15:36 . 2009-12-14 16:49 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-06-15 15:36 . 2010-01-16 23:35 -------- d-----w- c:\program files\NOS
2010-06-15 15:34 . 2006-12-08 16:41 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-15 14:57 . 2008-03-16 06:12 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-05 14:29 . 2007-01-14 23:31 -------- d-----w- c:\program files\PopCap Games
2010-05-25 21:10 . 2010-03-22 13:03 -------- d-----w- c:\program files\Pando Networks
2010-05-25 21:03 . 2006-12-08 16:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-05-25 21:00 . 2006-12-08 16:32 -------- d-----w- c:\program files\Dell
2010-05-25 20:54 . 2008-04-05 17:53 -------- d-----w- c:\documents and settings\Lori\Application Data\Amazon
2010-05-25 20:54 . 2008-04-05 17:50 -------- d-----w- c:\program files\Amazon
2010-05-25 20:49 . 2006-12-08 16:40 -------- d-----w- c:\program files\Google
2010-05-25 20:47 . 2010-03-22 12:08 -------- d-----w- c:\program files\Turbine
2010-05-25 20:32 . 2010-02-09 14:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Astroburn Lite
2010-05-25 20:30 . 2010-02-13 23:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Astroburn Pro
2010-05-19 01:32 . 2008-02-01 07:56 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2010-05-06 10:41 . 2005-08-16 10:18 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2005-08-16 10:18 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-30 04:18 . 2007-07-16 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Friends Games
2010-04-27 01:05 . 2010-04-27 01:05 -------- d-----w- c:\documents and settings\Lori\Application Data\PopCapv1001
2010-04-20 05:30 . 2005-08-16 10:18 285696 ----a-w- c:\windows\system32\atmfd.dll
2008-02-26 21:26 . 2008-02-26 21:26 0 ----a-w- c:\program files\temp01
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 321040]
"Steam"="c:\program files\Steam\Steam.exe" [2010-05-24 1238352]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-06-07 2403568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-05 49152]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-21 110184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"MFP1815_S2P"="c:\program files\DELL\DELL LASER MFP 1815\PSU\Scan2Pc.exe" [2006-04-13 258048]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-03-02 18944]
"CTHelper"="CTHELPER.EXE" [2005-11-08 16384]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
LUMIX Simple Viewer.lnk - c:\program files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2008-5-12 57344]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Steam\\SteamApps\\loriferis\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\xampplite\\mysql\\bin\\mysqld.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [5/25/2010 8:26 PM 5010288]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [9/25/2006 9:10 AM 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [9/25/2006 9:10 AM 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [9/25/2006 9:10 AM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [9/25/2006 9:10 AM 566872]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [9/25/2006 9:10 AM 280392]
S0 qxmofyba;qxmofyba;c:\windows\system32\drivers\fwkcquxy.sys --> c:\windows\system32\drivers\fwkcquxy.sys [?]
S2 TLRecAgent;TLRecAgent;\??\c:\windows\system32\drivers\TLRecAgent.sys --> c:\windows\system32\drivers\TLRecAgent.sys [?]
S3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [8/29/2008 1:03 PM 12288]
S3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [8/29/2008 1:03 PM 22656]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [5/25/2010 8:26 PM 16168]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/22/2007 1:01 PM 691696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-06-16 c:\windows\Tasks\Norton Security Scan for Zoe.job
- c:\program files\Norton Security Scan\Nss.exe [2009-03-13 23:01]

2010-06-23 c:\windows\Tasks\User_Feed_Synchronization-{205FFA7B-8B8E-4420-A4D9-7DD7D87A6636}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
TCP: {17D76292-E8C2-493A-A751-23627903614D} = 74.128.17.114,74.128.19.102
DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/downloads/activex/YoYo.cab
FF - ProfilePath - c:\documents and settings\Lori\Application Data\Mozilla\Firefox\Profiles\evqtc5ll.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - plugin: c:\documents and settings\Lori\Application Data\Mozilla\Firefox\Profiles\evqtc5ll.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\TabletPlugins\npwacom.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-RunOnce-Shockwave Updater - c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150595.exe
AddRemove-LucasArts' Curse of Monkey Island - c:\program files\LucasArts\Curse\DeIsL1.isu
AddRemove-Mozilla Firefox (2.0.0.20) - m:\mozilla firefox\uninstall\helper.exe
AddRemove-Mozilla Thunderbird (2.0.0.19) - k:\programs files\ThunderbirdPortable\App\thunderbird\uninstall\helper.exe
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2010-06-23 13:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, GMER - Rootkit Detector and Remover
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x87C9EEC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb80ecf28
\Driver\ACPI -> ACPI.sys @ 0xb7f7fcb8
\Driver\iaStor -> iaStor.sys @ 0xb7e74f80
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Intel® 82566DC Gigabit Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xb7d68bb0
PacketIndicateHandler -> NDIS.sys @ 0xb7d75a21
SendHandler -> NDIS.sys @ 0xb7d5387b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3398107660-505966276-2709992435-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:8e,7b,dd,27,d1,28,f3,3b,92,d6,6d,64,ec,32,e4,25,b2,f5,0d,d9,d2,f5,30,
91,6c,ec,8a,92,aa,30,f6,14,d3,d8,d5,b3,22,72,31,56,26,0b,a7,6e,67,68,8b,4a,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

[HKEY_USERS\S-1-5-21-3398107660-505966276-2709992435-1006\Software\SecuROM\License information*]
"datasecu"=hex:9e,c7,9a,40,c3,5a,8f,ee,42,cd,6b,4a,f4,f6,6a,a5,a2,a6,4f,82,0f,
ed,39,2e,29,3a,d7,f2,eb,ff,10,dc,bc,aa,06,4d,ce,ed,2d,1b,48,e4,2f,00,eb,6a,\
"rkeysecu"=hex:71,40,0f,1b,00,e9,54,d3,84,98,d5,e3,d9,48,f4,35

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1412)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'lsass.exe'(1472)
c:\windows\system32\WININET.dll
.
Completion time: 2010-06-23 13:16:31
ComboFix-quarantined-files.txt 2010-06-23 17:16

Pre-Run: 271,179,919,360 bytes free
Post-Run: 271,170,846,720 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 8577CD089B482AD0BEBE13A0A97DB5BB
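One way to triage the R/S service lines of a ComboFix log such as the one above, as an added example; this code is not from the thread, from ComboFix, or from the forum helpers. The sample input is a subset of the service lines quoted from the posted log. The scoring weights, the threshold, and the "random-looking name" heuristic are arbitrary choices made for the example, and the reading of the `[?]` marker as "ComboFix could not find or read the file" is taken from how it appears in this log beside the `-->` resolved path. The one line the posted log itself singles out, the boot-start driver `qxmofyba` whose file `fwkcquxy.sys` is missing, is the one the example should flag:

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Service lines copied from the ComboFix log posted above (a subset, used as sample input).
SAMPLE_LOG = r"""
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [9/25/2006 9:10 AM 345696]
S0 qxmofyba;qxmofyba;c:\windows\system32\drivers\fwkcquxy.sys --> c:\windows\system32\drivers\fwkcquxy.sys [?]
S2 TLRecAgent;TLRecAgent;\??\c:\windows\system32\drivers\TLRecAgent.sys --> c:\windows\system32\drivers\TLRecAgent.sys [?]
S3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [8/29/2008 1:03 PM 12288]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/22/2007 1:01 PM 691696]
"""

# R = running, S = stopped; the digit is the SERVICE_START_TYPE
# (0 = boot, 1 = system, 2 = auto, 3 = demand, 4 = disabled).
# Format: "<state><start> <name>;<display>;<path>[ --> <resolved path>] [<timestamp size> | ?]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)(?: --> (?P<resolved>.*?))? \[(?P<info>[^\]]*)\]$"
)
VOWELS = set("aeiouy")


def looks_random(token: str) -> bool:
    """Heuristic (chosen for this example): an all-lowercase alphabetic token
    of 6+ characters that contains a run of 4+ consonants."""
    if len(token) < 6 or not token.isalpha() or not token.islower():
        return False
    run = longest = 0
    for ch in token:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 4


def file_stem(path: str) -> str:
    """Last path component without its extension, e.g. '...\\drivers\\foo.sys' -> 'foo'."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


@dataclass
class Finding:
    name: str
    start_type: int
    path: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def triage_line(line: str) -> Optional[Finding]:
    """Score one service line; returns None for lines that are not service entries."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    f = Finding(m["name"], int(m["start"]), m["path"])
    stem = file_stem(m["path"])
    if m["info"] == "?":  # ComboFix prints '--> path [?]' when it cannot stat the file
        f.score += 2
        f.reasons.append("file missing or unreadable ([?] marker)")
    if looks_random(f.name) or looks_random(stem):
        f.score += 2
        f.reasons.append("random-looking name")
    if f.name.lower() != stem.lower():  # e.g. service qxmofyba backed by fwkcquxy.sys
        f.score += 1
        f.reasons.append("service name differs from file name")
    if f.start_type == 0:  # boot-start drivers load before any AV engine
        f.score += 1
        f.reasons.append("boot-start driver")
    return f


def triage(log: str, threshold: int = 3) -> Tuple[List[Finding], List[Finding]]:
    """Return (flagged, all) findings; flagged are those scoring >= threshold."""
    everything = [f for f in map(triage_line, log.splitlines()) if f is not None]
    return [f for f in everything if f.score >= threshold], everything


if __name__ == "__main__":
    flagged, everything = triage(SAMPLE_LOG)
    for f in everything:
        tag = "INVESTIGATE" if f in flagged else "ok"
        print(f"{tag:11} {f.name:12} start={f.start_type} score={f.score}  "
              f"{'; '.join(f.reasons) or '-'}")
```

Run against the six sample lines it reports only `qxmofyba` for investigation; `TLRecAgent` also has a missing file but keeps its own name and is not boot-start, so it stays below the threshold, and `rdpdispm` trips the name heuristic alone, which is why a single signal is never enough on its own.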
  11. Thanks so much for the excellent help. I have learned a lot in the past couple of hours, and I appreciate what you are doing here. Unfortunately, things are still being found. You asked me to report how the computer is acting though. I just had my browser open up a new window without any prompt from me...so something is still lurking. I can use Google as I would normally now. I have done comparison searches on different machines and it seems fine. One thing of note though...this machine doesn't have the green checks by Google links as my other computers do. I have to admit I have never looked into what those green checks mean... You asked me to post results. So here they are. Hopefully you will be able to tell what still lurks in the machine.

---------------------------------
OTL RESULTS:

All processes killed
========== OTL ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{32099AAC-C132-4136-9E9A-4E364A424E17} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32099AAC-C132-4136-9E9A-4E364A424E17}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{981FE6A8-260C-4930-960F-C3BC82746CB0} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{981FE6A8-260C-4930-960F-C3BC82746CB0}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\NWEReboot deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\nwiz deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\UserFaultCheck deleted successfully.
Starting removal of ActiveX control {40F8967E-34A6-474A-837A-CEC1E7DAC54C}
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{40F8967E-34A6-474A-837A-CEC1E7DAC54C}\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{40F8967E-34A6-474A-837A-CEC1E7DAC54C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{40F8967E-34A6-474A-837A-CEC1E7DAC54C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{40F8967E-34A6-474A-837A-CEC1E7DAC54C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{40F8967E-34A6-474A-837A-CEC1E7DAC54C}\ not found.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Starting removal of ActiveX control {A3E21079-7F41-4125-9EBB-FD44CFCC0AC1}
C:\WINDOWS\Downloaded Program Files\TSWeb.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{A3E21079-7F41-4125-9EBB-FD44CFCC0AC1}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3E21079-7F41-4125-9EBB-FD44CFCC0AC1}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{A3E21079-7F41-4125-9EBB-FD44CFCC0AC1}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A3E21079-7F41-4125-9EBB-FD44CFCC0AC1}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3E21079-7F41-4125-9EBB-FD44CFCC0AC1}\ not found.
Starting removal of ActiveX control {D27CDB6E-AE6D-11CF-96B8-444553540000}
C:\WINDOWS\Downloaded Program Files\swflash.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a58ec34-e83f-11de-b649-001676b674e2}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1a58ec34-e83f-11de-b649-001676b674e2}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a58ec34-e83f-11de-b649-001676b674e2}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1a58ec34-e83f-11de-b649-001676b674e2}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a58ec34-e83f-11de-b649-001676b674e2}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1a58ec34-e83f-11de-b649-001676b674e2}\ not found.
File J:\WINDOWS\IronKey.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{361ac05d-0e0d-11da-9aa9-806d6172696f}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{361ac05d-0e0d-11da-9aa9-806d6172696f}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{361ac05d-0e0d-11da-9aa9-806d6172696f}\ not found.
File E:\setup.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{58a3a095-2045-11dd-b5c7-001676b674e2}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{58a3a095-2045-11dd-b5c7-001676b674e2}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{58a3a095-2045-11dd-b5c7-001676b674e2}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{58a3a095-2045-11dd-b5c7-001676b674e2}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{58a3a095-2045-11dd-b5c7-001676b674e2}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{58a3a095-2045-11dd-b5c7-001676b674e2}\ not found.
File I:\WINDOWS\IronKey.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7144ff19-69a4-11de-b622-001676b674e2}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7144ff19-69a4-11de-b622-001676b674e2}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7144ff19-69a4-11de-b622-001676b674e2}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7144ff19-69a4-11de-b622-001676b674e2}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7144ff19-69a4-11de-b622-001676b674e2}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7144ff19-69a4-11de-b622-001676b674e2}\ not found.
File I:\IronKey.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{978b5df5-1f17-11df-9e68-001676b674e2}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{978b5df5-1f17-11df-9e68-001676b674e2}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{978b5df5-1f17-11df-9e68-001676b674e2}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{978b5df5-1f17-11df-9e68-001676b674e2}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{978b5df5-1f17-11df-9e68-001676b674e2}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{978b5df5-1f17-11df-9e68-001676b674e2}\ not found.
File I:\LaunchU3.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d0ab9b99-8a76-11de-b62e-001676b674e2}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d0ab9b99-8a76-11de-b62e-001676b674e2}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d0ab9b99-8a76-11de-b62e-001676b674e2}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d0ab9b99-8a76-11de-b62e-001676b674e2}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d0ab9b99-8a76-11de-b62e-001676b674e2}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d0ab9b99-8a76-11de-b62e-001676b674e2}\ not found.
File J:\IronKey.exe not found.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:72E6616C deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:8643C5BE deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:756C8543 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:B203B914 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:69D94DFA deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:8E3D07DE deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:411E1BE2 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:359B3BDA deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:4E1E5A60 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:C24B973A deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 16384 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Buck
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 84332 bytes
->FireFox cache emptied: 3895328 bytes
->Flash cache emptied: 53660 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56504 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Lori
->Temp folder emptied: 5692590 bytes
->Temporary Internet Files folder emptied: 44080767 bytes
->Java cache emptied: 76845590 bytes
->FireFox cache emptied: 34971752 bytes
->Flash cache emptied: 2228095 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 10258275 bytes
->Flash cache emptied: 11935 bytes

User: Zoe
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 7618415 bytes
->FireFox cache emptied: 55339254 bytes
->Flash cache emptied: 8677 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 5308945 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 325857 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 47622620 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34318 bytes
RecycleBin emptied: 10751648 bytes

Total Files Cleaned = 291.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYFLASH]

User: Administrator

User: All Users

User: Buck
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService

User: Lori
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

User: Zoe
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

OTL by OldTimer - Version 3.2.6.0 log created on 06192010_145859

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Lori\Local Settings\Temp\~DF9C22.tmp not found!
File\Folder C:\Documents and Settings\Lori\Local Settings\Temp\~DF9C2D.tmp not found!
File\Folder C:\Documents and Settings\Lori\Local Settings\Temp\~DF9C8A.tmp not found!
File\Folder C:\Documents and Settings\Lori\Local Settings\Temp\~DF9C95.tmp not found!
File\Folder C:\Documents and Settings\Lori\Local Settings\Temp\~DF9CD5.tmp not found!
File\Folder C:\Documents and Settings\Lori\Local Settings\Temp\~DF9CE0.tmp not found!
C:\Documents and Settings\Lori\Local Settings\Temporary Internet Files\Content.IE5\MKQ3UN4H\ads[3].htm moved successfully.
C:\Documents and Settings\Lori\Local Settings\Temporary Internet Files\Content.IE5\FCPDGBLK\9912-hijacked-malware-virus[1].html moved successfully.
C:\Documents and Settings\Lori\Local Settings\Temporary Internet Files\Content.IE5\9H2YHU00\ads[3].htm moved successfully.
C:\Documents and Settings\Lori\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\C5IA4O29\140153_21dating_1[1].flv moved successfully.
C:\WINDOWS\temp\fla4D.tmp moved successfully.

Registry entries deleted on Reboot...

---------------------------------------
ESET Results:

C:\RECYCLER\S-1-5-21-3398107660-505966276-2709992435-1008\Dc1.exe multiple threats deleted - quarantined
12. Adding the OTL Extras...too big for one post.

-------------------------------------------------

OTL EXTRAS RESULTS

OTL Extras logfile created on: 6/15/2010 5:40:48 PM - Run 1
OTL by OldTimer - Version 3.2.6.0     Folder = C:\Documents and Settings\Lori\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 51.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 57.00% Paging File free
Paging file location(s): [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 461.06 Gb Total Space | 252.50 Gb Free Space | 54.76% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: POWERWAGON
Current User Name: Lori
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [MediaMonkey.1Play] -- "C:\Program Files\MediaMonkey\MediaMonkey.exe" "%1" (Ventis Media Inc.)
Directory [MediaMonkey.2PlayNext] -- "C:\Program Files\MediaMonkey\MediaMonkey.exe" /NEXT "%1" (Ventis Media Inc.)
Directory [MediaMonkey.3Enqueue] -- "C:\Program Files\MediaMonkey\MediaMonkey.exe" /ADD "%1" (Ventis Media Inc.)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"3724:TCP" = 3724:TCP:*:Enabled:Blizzard Downloader: 3724

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- File not found
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe" = C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe:*:Enabled:RoxioUPnPRenderer9 -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- File not found
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Atari\Neverwinter Nights 2\nwn2main.exe" = C:\Program Files\Atari\Neverwinter Nights 2\nwn2main.exe:*:Enabled:Neverwinter Nights 2 Main -- File not found
"C:\Program Files\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe" = C:\Program Files\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe:*:Enabled:Neverwinter Nights 2 AMD -- File not found
"C:\Program Files\Atari\Neverwinter Nights 2\nwupdate.exe" = C:\Program Files\Atari\Neverwinter Nights 2\nwupdate.exe:*:Enabled:Neverwinter Nights 2 Updater -- File not found
"C:\Program Files\Atari\Neverwinter Nights 2\nwn2server.exe" = C:\Program Files\Atari\Neverwinter Nights 2\nwn2server.exe:*:Enabled:Neverwinter Nights 2 Server -- File not found
"C:\Program Files\Steam\SteamApps\loriferis\half-life 2 deathmatch\hl2.exe" = C:\Program Files\Steam\SteamApps\loriferis\half-life 2 deathmatch\hl2.exe:*:Enabled:hl2 -- ()
"C:\Program Files\Fox\No One Lives Forever\eReg\NAVBrowser.exe" = C:\Program Files\Fox\No One Lives Forever\eReg\NAVBrowser.exe:*:Enabled:NAVBrowser -- File not found
"C:\Program Files\LucasArts\SWKotOR2\swupdate.exe" = C:\Program Files\LucasArts\SWKotOR2\swupdate.exe:*:Enabled:Star Wars: Knights of the Old Republic II: The Sith Lords Update Program -- File not found
"C:\Documents and Settings\Lori\Desktop\wowclient-downloader.exe" = C:\Documents and Settings\Lori\Desktop\wowclient-downloader.exe:*:Enabled:Blizzard Downloader -- File not found
"C:\Program Files\World of Warcraft\BackgroundDownloader.exe" = C:\Program Files\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\Atari-Infogrames\Roller Coaster Tycoon 2\rct2.exe" = C:\Program Files\Atari-Infogrames\Roller Coaster Tycoon 2\rct2.exe:*:Enabled:rct2 -- File not found
"C:\Program Files\Steam\Steam.exe" = C:\Program Files\Steam\Steam.exe:*:Enabled:Steam -- (Valve Corporation)
"C:\Program Files\EA GAMES\The Battle for Middle-earth \game.dat" = C:\Program Files\EA GAMES\The Battle for Middle-earth \game.dat:*:Enabled:The Battle for Middle-earth -- File not found
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- File not found
"C:\Program Files\AIM6\aim6.exe" = C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM -- File not found
"C:\Program Files\Google\Google Talk\googletalk.exe" = C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk -- File not found
"C:\Program Files\JungleDisk\junglediskmonitor.exe" = C:\Program Files\JungleDisk\junglediskmonitor.exe:*:Enabled:Jungle Disk Monitor -- File not found
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Program Files\QuickTime\QuickTimePlayer.exe" = C:\Program Files\QuickTime\QuickTimePlayer.exe:*:Enabled:QuickTime Player -- (Apple Inc.)
"C:\xampplite\mysql\bin\mysqld.exe" = C:\xampplite\mysql\bin\mysqld.exe:*:Enabled:mysqld -- ()
"C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe" = C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe:*:Enabled:RoxioUPnPRenderer9 -- File not found
"C:\Program Files\xampp\mysql\bin\mysqld.exe" = C:\Program Files\xampp\mysql\bin\mysqld.exe:*:Enabled:mysqld -- File not found
"C:\Program Files\xampp\apache\bin\apache.exe" = C:\Program Files\xampp\apache\bin\apache.exe:LocalSubNet:Disabled:apache.exe -- File not found
"C:\Program Files\Zero Hour\Zero Hour\Binaries\ZeroHour.exe" = C:\Program Files\Zero Hour\Zero Hour\Binaries\ZeroHour.exe:*:Enabled:ZeroHour -- File not found
"C:\Documents and Settings\Lori\Local Settings\Application Data\Microsoft\Live Mesh\GacBase\Moe.exe" = C:\Documents and Settings\Lori\Local Settings\Application Data\Microsoft\Live Mesh\GacBase\Moe.exe:*:Enabled:Live Mesh -- File not found

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{05B49229-22A2-4F88-842A-BBC2EBE1CCF6}" = Microsoft Games for Windows - LIVE Redistributable
"{075473F5-846A-448B-BCB3-104AA1760205}" = Roxio RecordNow Data
"{0A0873E1-D9BA-4994-B85D-A0A331EF1F0C}" = Intel® PRO Network Connections
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Roxio DLA
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{18F11181-EA1A-42AE-AF89-4867C7F7A6FA}" = Sound Blaster X-Fi
"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Roxio MyDVD LE
"{2CDCCE7E-55D5-40CC-AEA0-ABA54713501F}" = LUMIX Simple Viewer
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java 6 Update 5
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35CB6715-41F8-4F99-8881-6FC75BF054B0}" = Oblivion
"{46C73DE4-E96D-4F7C-8371-F28052183B12}" = Advanced Decoder Patch
"{49132408-7784-4FD7-8382-B3AF58CA0EAA}" = Internet Explorer Administration Kit 7
"{4D243BA7-9AC4-46D1-90E5-EEB88974F501}" = Microsoft Games for Windows - LIVE
"{4E868D3D-6EEB-4273-926C-2287236B5B79}" = 3DVIA player 4.1
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{5A847475-157F-45AD-9919-CD40D344B8B1}" = QBFC3.0
"{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}" = Sonic Activation Module
"{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}" = AOLIcon
"{64635543-70E7-436D-8D6D-4A721595029E}" = Microsoft IntelliPoint 5.2
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{6FF543AB-99B3-4120-902C-70A38314ABD8}" = Norton Security Scan
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7EAB1D85-7BA3-47C1-BBF7-A0EBC241DB94}" = Intel® Viiv™ Software
"{86604C06-DA30-425E-AECE-47304FE81C45}" = Creative Software Update
"{86B3F2D6-AC2B-4E88-8AE1-F2F77F781B0C}" = EndNote X3
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A7CAA24-7B23-410B-A7C3-F994B0944160}" = Microsoft Virtual PC 2007
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{91110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{91CA0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Small Business Edition 2003
"{974C4B12-4D02-4879-85E0-61C95CC63E9E}" = Fallout 3
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{994AC11F-0549-4D26-B8AC-6F2DB14FF071}" = Preparing for Kindergarten
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Roxio RecordNow Audio
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3
"{B0DF58A2-40DF-4465-AA56-38623EC9938C}" = Documentation & Support Launcher
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Roxio RecordNow Copy
"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BCE72AED-3332-4863-9567-C5DCB9052CA2}" = Netflix Movie Viewer
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{DFC6573E-124D-4026-BFA4-B433C9D3FF21}" = ISO Recorder
"{E1C7EF5E-3A7B-4ED4-A48B-F70F1B36EAB4}" = Corel Paint Shop Pro Photo XI
"{E280923D-C5D9-4728-8C79-AC9A0DC75875}" = BioShock
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{EA8C73AA-3D75-44C9-87A2-8E945FC5FEE6}" = Trend Micro PC-cillin Internet Security 14
"{FF70923C-8A51-47F4-A7E9-893C6D54EB68}" = TES Construction Set
"Adobe AIR" = Adobe AIR
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Audacity_is1" = Audacity 1.2.6
"B3EE3001-DC24-4cd1-8743-5692C716659F" = Otto
"Blue's Art Time Activities" = Blue's Art Time Activities
"BluesCluesPreschoolDKey" = Blue's Preschool
"Bone - The Great Cowrace" = Bone - The Great Cowrace 2.0
"BookSmart™ 1.9.5 1.9.5" = BookSmart™ 1.9.5 1.9.5
"Cosmic Bugs 1.05" = Cosmic Bugs 1.05
"Creative Media Lite" = Creative Media Lite
"Dell Laser MFP 1815" = Dell Laser MFP 1815 Software Uninstall
"Dell_HostCD" = Dell Software Uninstall
"DVD Shrink_is1" = DVD Shrink 3.2
"EL" = Intel® Quick Resume Technology Drivers
"EmeraldQFE2" = Windows Media Player 10 Hotfix [see EmeraldQFE2 for more information]
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"ImgBurn" = ImgBurn
"LucasArts' Curse of Monkey Island" = LucasArts' Curse of Monkey Island
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MediaMonkey_is1" = MediaMonkey 3.1
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (2.0.0.20)" = Mozilla Firefox (2.0.0.20)
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"Mozilla Thunderbird (2.0.0.19)" = Mozilla Thunderbird (2.0.0.19)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Notepad++" = Notepad++
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
"Peggle Deluxe 1.0" = Peggle Deluxe 1.0
"Plants vs. Zombies" = Plants vs. Zombies
"PopCap Browser Plugin" = PopCap Browser Plugin
"ResearchSoft Direct Export Helper" = ResearchSoft Direct Export Helper
"Revo Uninstaller" = Revo Uninstaller 1.88
"RollerCoaster Tycoon Setup" = Roll
"SearchAssist" = SearchAssist
"Steam App 420" = Half-Life 2: Episode Two
"TmPcc" = Trend Micro PC-cillin Internet Security 14
"TrueCrypt" = TrueCrypt
"Tux Paint_is1" = Tux Paint 0.9.21
"UnityWebPlayer" = Unity Web Player
"Wacom Tablet Driver" = Wacom Tablet
"Wacom WebTabletPlugin for IE" = WebTablet IE Plugin
"Wacom WebTabletPlugin for Netscape" = WebTablet Netscape Plugin
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinGimp-2.0_is1" = GIMP 2.6.8
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"World of Warcraft" = World of Warcraft
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"ZENStoneUG" = Creative ZEN Stone User's Guide

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 6/15/2010 10:20:05 AM | Computer Name = POWERWAGON | Source = LoadPerf | ID = 3011
Description = Unloading the performance counter strings for service aspnet_state (ASP.NET State Service) failed. The Error code is the first DWORD in Data section.

Error - 6/15/2010 10:20:06 AM | Computer Name = POWERWAGON | Source = LoadPerf | ID = 3001
Description = The performance counter name string value in the registry is incorrectly formatted. The bogus string is 8528, the bogus index value is the first DWORD in Data section while the last valid index values are the second and third DWORD in Data section.

Error - 6/15/2010 10:20:06 AM | Computer Name = POWERWAGON | Source = MsiInstaller | ID = 11500
Description = Product: Java 6 Update 20 -- Error 1500.Another installation is in progress. You must complete that installation before continuing this one.

Error - 6/15/2010 10:20:07 AM | Computer Name = POWERWAGON | Source = MsiInstaller | ID = 11500
Description = Product: Java 6 Update 20 -- Error 1500.Another installation is in progress. You must complete that installation before continuing this one.

Error - 6/15/2010 12:11:30 PM | Computer Name = POWERWAGON | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The connection with the server was terminated abnormally

Error - 6/15/2010 12:11:31 PM | Computer Name = POWERWAGON | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error - 6/15/2010 2:36:27 PM | Computer Name = POWERWAGON | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The connection with the server was terminated abnormally

Error - 6/15/2010 2:36:28 PM | Computer Name = POWERWAGON | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error - 6/15/2010 5:33:39 PM | Computer Name = POWERWAGON | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The connection with the server was terminated abnormally

Error - 6/15/2010 5:33:39 PM | Computer Name = POWERWAGON | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

[ System Events ]
Error - 6/15/2010 10:59:55 AM | Computer Name = POWERWAGON | Source = Service Control Manager | ID = 7000
Description = The DgiVecp service failed to start due to the following error: %%2

Error - 6/15/2010 11:18:09 AM | Computer Name = POWERWAGON | Source = Service Control Manager | ID = 7000
Description = The DgiVecp service failed to start due to the following error: %%2

Error - 6/15/2010 11:18:09 AM | Computer Name = POWERWAGON | Source = Service Control Manager | ID = 7000
Description = The TLRecAgent service failed to start due to the following error: %%2

Error - 6/15/2010 11:19:25 AM | Computer Name = POWERWAGON | Source = Service Control Manager | ID = 7000
Description = The DgiVecp service failed to start due to the following error: %%2

Error - 6/15/2010 4:24:43 PM | Computer Name = POWERWAGON | Source = Service Control Manager | ID = 7000
Description = The DgiVecp service failed to start due to the following error: %%2

Error - 6/15/2010 4:24:43 PM | Computer Name = POWERWAGON | Source = Service Control Manager | ID = 7000
Description = The TLRecAgent service failed to start due to the following error: %%2

Error - 6/15/2010 4:26:12 PM | Computer Name = POWERWAGON | Source = Service Control Manager | ID = 7000
Description = The DgiVecp service failed to start due to the following error: %%2

Error - 6/15/2010 5:30:29 PM | Computer Name = POWERWAGON | Source = Service Control Manager | ID = 7000
Description = The DgiVecp service failed to start due to the following error: %%2

Error - 6/15/2010 5:30:29 PM | Computer Name = POWERWAGON | Source = Service Control Manager | ID = 7000
Description = The TLRecAgent service failed to start due to the following error: %%2

Error - 6/15/2010 5:32:14 PM | Computer Name = POWERWAGON | Source = Service Control Manager | ID = 7000
Description = The DgiVecp service failed to start due to the following error: %%2

< End of report >

-------------------------------------------------------
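The two logs above (the OTL fix log with its ADS removals and HOSTS reset, and the OTL Extras dump of Security Center and Windows Firewall policy) are what a removal helper reads first. As an added example that is not part of the forum thread and not code from OTL or OldTimer, here is a small Python triage pass that walks such a log line by line and pulls out the states worth a second look: alternate data streams on the shared `All Users\Application Data\TEMP` folder, `EnableFirewall = 0` on a firewall profile, `DisableMonitoring = 1` under Security Center, ports opened to any remote address (`*` scope) and allow rules whose executable is gone (`File not found`). The class and function names are this example's own; the sample excerpt is reconstructed from the log entries above, one entry per line as OTL writes them.

```python
"""OTL log triage helper (added example; not part of the forum post, not OTL code)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt: entries copied from the log above, one per line.
SAMPLE_LOG = r"""
ADS C:\Documents and Settings\All Users\Application Data\TEMP:756C8543 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:B203B914 deleted successfully.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"3724:TCP" = 3724:TCP:*:Enabled:Blizzard Downloader: 3724
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Steam\Steam.exe" = C:\Program Files\Steam\Steam.exe:*:Enabled:Steam -- (Valve Corporation)
"""


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    kind: str
    detail: str


# Line shapes as OTL prints them (regexes are this example's, fitted to the log above).
ADS_RE = re.compile(r"^ADS (?P<path>.+):(?P<stream>[^:\s]+) deleted successfully\.?$")
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)" = (?P<value>.*)$')
# port:proto:scope:state:description ("*" scope means any remote address)
PORT_RE = re.compile(r"^(?P<port>\d+):(?P<proto>TCP|UDP):(?P<scope>\*|LocalSubNet):(?P<state>Enabled|Disabled):")
# path:scope:state:name -- publisher; the path itself contains "C:" so the
# scope token (\* or LocalSubNet) anchors the split, not the first colon.
APP_RE = re.compile(r"^(?P<path>.+?):(?P<scope>\*|LocalSubNet):(?P<state>Enabled|Disabled):(?P<rest>.*)$")


def triage(text: str) -> list[Finding]:
    """Return findings for an OTL fix log and/or OTL Extras log given as text."""
    findings: list[Finding] = []
    key = ""  # registry key the following "name" = value lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ADS_RE.match(line)
        if m:
            path = m.group("path")
            # A stream hanging off a shared TEMP folder is a classic rogue-AV drop site.
            sev = "high" if path.lower().endswith("\\temp") else "medium"
            findings.append(Finding(sev, "ads_stream", f"{path}:{m.group('stream')}"))
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group("name"), m.group("value")
        leaf = key.rsplit("\\", 1)[-1]  # profile or product name
        if "FirewallPolicy" in key and name == "EnableFirewall" and value == "0":
            findings.append(Finding("high", "firewall_disabled", leaf))
        elif "Security Center\\Monitoring" in key and name == "DisableMonitoring" and value == "1":
            findings.append(Finding("medium", "monitoring_disabled", leaf))
        elif key.endswith("GloballyOpenPorts\\List"):
            p = PORT_RE.match(value)
            if p and p.group("scope") == "*" and p.group("state") == "Enabled":
                findings.append(Finding("medium", "port_open_any", f"{p.group('port')}/{p.group('proto')}"))
        elif key.endswith("AuthorizedApplications\\List"):
            a = APP_RE.match(value)
            if a and a.group("rest").endswith("File not found"):
                findings.append(Finding("info", "stale_allow_rule", a.group("path")))
    return findings


def summarize(findings: list[Finding]) -> Counter:
    """Count findings per kind, for a quick overview before reading details."""
    return Counter(f.kind for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind:20} {f.detail}")
```

These are checks, not verdicts. In this particular log the `DisableMonitoring` flags sit under the Trend keys and the Windows Firewall is off on the Standard profile while Trend's own firewall service (`TmPfw`) is in the process list, so both are consistent with PC-cillin managing its own notifications and firewall rather than with tampering; the `File not found` rules are leftovers from uninstalled software and only worth cleaning up. The ADS entries on the shared TEMP folder are the items that warrant attention on their own.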
13. I am a very experienced computer user, but came home to find that my wife had gotten into a bit of trouble. She states that when she was looking for recipes, something took over the browser and opened about 40 windows. It locked up the computer and she had to reboot. Since then, all browsers have obviously been hijacked. I successfully fought off one of these at work a couple of weeks ago and dove right in. However, I am over my head.

The Machine: Dell Model with XP Media Center Edition SP3 updated regularly
Virus Package: PC-cillin updated regularly

The Symptoms: When I got home it was showing a few popups for a program called "AV Virus Protection" and a few variants on that name. A shield icon in the system tray gave me a balloon saying that I was unprotected and needed an update, and there were various popups.

My attempts to fix: I managed to boot in safe mode and check the start-up and the registry for anything out of the ordinary. I found a tutorial on the web that told me what to look for with the "AV Virus Protection" but found none of the files they suggested might be there. I did a full scan with PC-cillin and found nothing. I did a full scan with Microsoft Malicious Software Removal Tool and it found nothing. So I managed to roll back Windows to a few days before the event with the recovery tool. After this, I thought I had made some headway. That is until I tried to use Google. Google specifically seems to be hijacked in any browser that I chose. It will give me various errors when I search and attempt to take me to fake mockups of pages. So I dug deeper. I ran a scan with MBAM and it did find a few issues. Mostly cookies, but a few of the things looked like they might be the culprit. They were successfully removed by MBAM, so I continued. I downloaded another common malware detection program. It too found many problems and successfully removed them. But still the problems with Google persisted. And IE just suddenly brought up a page for "Car and Driver Magazine" for no reason without warning.

I have spent quite a bit of time on this already and I am stumped. I ran OTL figuring you would need the results:

OTL.TXT
---------------------------------------------
OTL logfile created on: 6/15/2010 5:40:48 PM - Run 1
OTL by OldTimer - Version 3.2.6.0     Folder = C:\Documents and Settings\Lori\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 51.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 57.00% Paging File free
Paging file location(s): [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 461.06 Gb Total Space | 252.50 Gb Free Space | 54.76% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: POWERWAGON
Current User Name: Lori
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Lori\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
PRC - C:\Program Files\Steam\Steam.exe (Valve Corporation)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\WINDOWS\system32\Wacom_Tablet.exe (Wacom Technology, Corp.)
PRC - C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe (Wacom Technology, Corp.)
PRC - C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
PRC - C:\Program Files\Trend Micro\Internet Security 14\PcCtlCom.exe (Trend Micro Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Creative\Shared Files\CTDevSrv.exe (Creative Technology Ltd)
PRC - C:\WINDOWS\system32\PSIService.exe ()
PRC - C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe (Trend Micro Inc.)
PRC - C:\Program Files\Trend Micro\Internet Security 14\tmproxy.exe (Trend Micro Inc.)
PRC - C:\Program Files\Trend Micro\Internet Security 14\TmPfw.exe (Trend Micro Inc.)
PRC - C:\Program Files\Trend Micro\Internet Security 14\Tmntsrv.exe (Trend Micro Inc.)
PRC - C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)
PRC - C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe (Trend Micro Inc.)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
PRC - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\ELService.exe (Intel Corporation)
PRC - C:\WINDOWS\system32\CTXFIHLP.EXE (Creative Technology Ltd)
PRC - C:\WINDOWS\system32\CTXFISPI.EXE (Creative Technology Ltd)
PRC - C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe (Matsushita Electric Industrial Co., Ltd.)
PRC - C:\WINDOWS\CTHELPER.EXE (Creative Technology Ltd)
PRC - C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe (Creative Technology Ltd.)
PRC - C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe (Creative Technology Ltd)
PRC - C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
PRC - C:\Program Files\Microsoft IntelliPoint\point32.exe (Microsoft Corporation)
PRC - C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.exe (Creative Technology Ltd)
PRC - C:\WINDOWS\system32\devldr32.exe (Creative Technology Ltd.)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Lori\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)
MOD - C:\WINDOWS\system32\CTAGENT.DLL (Creative Technology Ltd)

========== Win32 Services (SafeList) ==========

SRV - (RoxLiveShare9) -- File not found
SRV - (getPlusHelper) getPlus® -- C:\Program Files\NOS\bin\getPlus_Helper.dll (NOS Microsystems Ltd.)
SRV - (TabletServiceWacom) -- C:\WINDOWS\system32\Wacom_Tablet.exe (Wacom Technology, Corp.)
SRV - (PcCtlCom) -- C:\Program Files\Trend Micro\Internet Security 14\PcCtlCom.exe (Trend Micro Inc.)
SRV - (CTDevice_Srv) -- C:\Program Files\Creative\Shared Files\CTDevSrv.exe (Creative Technology Ltd)
SRV - (ProtexisLicensing) -- C:\WINDOWS\system32\PSIService.exe ()
SRV - (tmproxy) -- C:\Program Files\Trend Micro\Internet Security 14\tmproxy.exe (Trend Micro Inc.)
SRV - (TmPfw) -- C:\Program Files\Trend Micro\Internet Security 14\TmPfw.exe (Trend Micro Inc.)
SRV - (Tmntsrv) -- C:\Program Files\Trend Micro\Internet Security 14\Tmntsrv.exe (Trend Micro Inc.)
SRV - (IAANTMON) Intel® -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
SRV - (ELService) Intel® -- C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\ELService.exe (Intel Corporation)
SRV - (Imapi Helper) -- C:\Program Files\ISO Recorder\ImapiHelper.exe (Alex Feinman)

========== Driver Services (SafeList) ==========

DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (vmm) -- C:\WINDOWS\system32\drivers\VMM.sys (Microsoft Corporation)
DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (wacmoumonitor) -- C:\WINDOWS\system32\drivers\wacmoumonitor.sys (Wacom Technology)
DRV - (sptd) -- C:\WINDOWS\System32\Drivers\sptd.sys ()
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (wacomvhid) -- C:\WINDOWS\system32\drivers\wacomvhid.sys (Wacom Technology)
DRV - (tmxpflt) -- C:\WINDOWS\system32\drivers\tmxpflt.sys (Trend Micro Inc.)
DRV - (tmpreflt) -- C:\WINDOWS\system32\drivers\tmpreflt.sys (Trend Micro Inc.)
DRV - (vsapint) -- C:\WINDOWS\system32\drivers\vsapint.sys (Trend Micro Inc.)
DRV - (RDPVDD) -- C:\WINDOWS\system32\drivers\rdpvmp.sys (Microsoft Corporation)
DRV - (RDPDISPM) -- C:\WINDOWS\system32\drivers\rdpdispm.sys (Microsoft Corporation)
DRV - (truecrypt) -- C:\WINDOWS\system32\drivers\truecrypt.sys (TrueCrypt Foundation)
DRV - (gameenum) -- C:\WINDOWS\system32\drivers\gameenum.sys (Microsoft Corporation)
DRV - (IrBus) -- C:\WINDOWS\system32\drivers\irbus.sys (Microsoft Corporation)
DRV - (usbaudio) USB Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\usbaudio.sys (Microsoft Corporation)
DRV - (amdagp) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)
DRV - (sisagp) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)
DRV - (wacommousefilter) -- C:\WINDOWS\system32\drivers\wacommousefilter.sys (Wacom Technology)
DRV - (VPCNetS2) -- C:\WINDOWS\system32\drivers\VMNetSrv.sys (Microsoft Corporation)
DRV - (tmcfw) -- C:\WINDOWS\system32\drivers\TM_CFW.sys (Trend Micro Inc.)
DRV - (tmtdi) -- C:\WINDOWS\system32\drivers\tmtdi.sys (Trend Micro Inc.)
DRV - (e1express) Intel® -- C:\WINDOWS\system32\drivers\e1e5132.sys (Intel Corporation)
DRV - (iaStor) -- C:\WINDOWS\system32\drivers\iaStor.sys (Intel Corporation)
DRV - (NAL) -- C:\WINDOWS\system32\drivers\iqvw32.sys (Intel Corporation )
DRV - (ELacpi) -- C:\WINDOWS\system32\drivers\ELacpi.sys (Intel Corporation)
DRV - (ELmon) -- C:\WINDOWS\system32\drivers\Elmon.sys (Intel Corporation)
DRV - (ELkbd) -- C:\WINDOWS\system32\drivers\Elkbd.sys (Intel Corporation)
DRV - (ELmou) -- C:\WINDOWS\system32\drivers\Elmou.sys (Intel Corporation)
DRV - (ELhid) -- C:\WINDOWS\system32\drivers\Elhid.sys (Intel Corporation)
DRV - (ha20x2k) -- C:\WINDOWS\system32\drivers\ha20x2k.sys (Creative Technology Ltd)
DRV - (Angel2) -- C:\WINDOWS\system32\drivers\Angel2.sys (Lumanate, Inc.)
DRV - (ctaud2k) Creative Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\ctaud2k.sys (Creative Technology Ltd)
DRV - (ctprxy2k) -- C:\WINDOWS\system32\drivers\ctprxy2k.sys (Creative Technology Ltd)
DRV - (ossrv) -- C:\WINDOWS\system32\drivers\ctoss2k.sys (Creative Technology Ltd.)
DRV - (ctsfm2k) -- C:\WINDOWS\system32\drivers\ctsfm2k.sys (Creative Technology Ltd)
DRV - (emupia) -- C:\WINDOWS\system32\drivers\emupia2k.sys (Creative Technology Ltd)
DRV - (ctac32k) -- C:\WINDOWS\system32\drivers\ctac32k.sys (Creative Technology Ltd)
DRV - (FileDisk) -- C:\WINDOWS\system32\drivers\filedisk.sys (Bo Brantén)
DRV - (DRVMCDB) -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS (Sonic Solutions)
DRV - (DLAUDFAM) -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS (Sonic Solutions)
DRV - (DLAUDF_M) -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS (Sonic Solutions)
DRV - (DLAIFS_M) -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS (Sonic Solutions)
DRV - (DLABOIOM) -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS (Sonic Solutions)
DRV - (DLAOPIOM) -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS (Sonic Solutions)
DRV - (DLAPoolM) -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS (Sonic Solutions)
DRV - (DLADResN) -- C:\WINDOWS\system32\DLA\DLADResN.SYS (Sonic Solutions)
DRV - (DLACDBHM) -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS (Sonic Solutions)
DRV - (DLARTL_N) -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS (Sonic Solutions)
DRV - (DRVNDDM) -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS (Sonic Solutions)
DRV - (ctdvda2k) -- C:\WINDOWS\system32\drivers\ctdvda2k.sys (Creative Technology Ltd)
DRV - (SDDMI2) -- C:\WINDOWS\system32\DDMI2.sys (Gteko Ltd.)
DRV - (Aspi32) -- C:\WINDOWS\system32\drivers\ASPI32.SYS (Adaptec)
DRV - (Sparrow) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys (Adaptec, Inc.)
DRV - (sym_u3) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys (LSI Logic)
DRV - (sym_hi) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys (LSI Logic)
DRV - (symc8xx) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys (LSI Logic)
DRV - (symc810) -- C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc.)
DRV - (ultra) -- C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Technology, Inc.)
DRV - (ql12160) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys (QLogic Corporation) DRV - (ql1080) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys (QLogic Corporation) DRV - (ql1280) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys (QLogic Corporation) DRV - (dac2w2k) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys (Mylex Corporation) DRV - (mraid35x) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys (American Megatrends Inc.) DRV - (asc) -- C:\WINDOWS\system32\DRIVERS\asc.sys (Advanced System Products, Inc.) DRV - (asc3550) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys (Advanced System Products, Inc.) DRV - (AliIde) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.) DRV - (CmdIde) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.) DRV - (MODEMCSA) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys (Microsoft Corporation) DRV - (sfman) Creative SoundFont Manager Driver (WDM) -- C:\WINDOWS\system32\drivers\sfmanm.sys (Creative Technology Ltd.) DRV - (emu10k1) Creative Interface Manager Driver (WDM) -- C:\WINDOWS\system32\drivers\ctlfacem.sys (Creative Technology Ltd.) DRV - (emu10k) Creative SB Live! (WDM) -- C:\WINDOWS\system32\drivers\emu10k1m.sys (Creative Technology Ltd.) DRV - (nuvvid2) -- C:\WINDOWS\system32\drivers\nuvvid2.sys (Nogatech Ltd.) DRV - (nuvaud2) -- C:\WINDOWS\system32\drivers\nuvaud2.sys (Nogatech Ltd.) 
========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = Dell Start Page IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = Dell Start Page IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = Dell Start Page IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = Google IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..browser.startup.homepage: "Google" FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:1.9.9.87 FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1.6.2.63 FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.20\extensions\\Components: M:\Mozilla Firefox\components FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.20\extensions\\Plugins: M:\Mozilla Firefox\plugins FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/06/15 11:25:36 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/06/15 11:36:08 | 000,000,000 | ---D | M] [2010/06/15 11:25:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Mozilla\Extensions [2009/06/04 19:49:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Mozilla\Extensions\contact@callgraph.in [2010/06/15 15:14:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lori\Application Data\Mozilla\Firefox\Profiles\evqtc5ll.default\extensions [2010/06/15 11:27:54 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Lori\Application Data\Mozilla\Firefox\Profiles\evqtc5ll.default\extensions\{20a82645-c095-46ed-80e3-08825760534b} [2010/06/15 11:27:55 | 000,000,000 | ---D | M] (NoScript) -- 
C:\Documents and Settings\Lori\Application Data\Mozilla\Firefox\Profiles\evqtc5ll.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232} [2010/06/15 11:36:06 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlusĀ®)) -- C:\Documents and Settings\Lori\Application Data\Mozilla\Firefox\Profiles\evqtc5ll.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7} [2010/06/15 11:25:24 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions O1 HOSTS File: ([2010/06/15 00:20:13 | 000,000,765 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts O1 - Hosts: 84.16.244.58 Google O1 - Hosts: 84.16.244.58 us.search.yahoo.com O1 - Hosts: 84.16.244.58 uk.search.yahoo.com O1 - Hosts: 84.16.244.58 search.yahoo.com O1 - Hosts: 84.16.244.58 Google O1 - Hosts: 84.16.244.58 Google O1 - Hosts: 84.16.244.58 Google O1 - Hosts: 84.16.244.58 Google O1 - Hosts: 84.16.244.58 Google O1 - Hosts: 84.16.244.58 Google O1 - Hosts: 84.16.244.58 Google O1 - Hosts: 84.16.244.58 Google O1 - Hosts: 84.16.244.58 Google O1 - Hosts: 84.16.244.58 Google O1 - Hosts: 84.16.244.58 Google O1 - Hosts: 84.16.244.58 Google O1 - Hosts: 84.16.244.58 Google O1 - Hosts: 84.16.244.58 Google O1 - Hosts: 84.16.244.58 Google O1 - Hosts: 84.16.244.58 Google O1 - Hosts: 84.16.244.58 Google O1 - Hosts: 84.16.244.58 Google O1 - Hosts: 84.16.244.58 Google O1 - Hosts: 84.16.244.58 Google O1 - Hosts: 84.16.244.58 Google O1 - Hosts: 2 more lines... O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL (Sonic Solutions) O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (Sun Microsystems, Inc.) O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - No CLSID value found. O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found. 
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {981FE6A8-260C-4930-960F-C3BC82746CB0} - No CLSID value found. O4 - HKLM..\Run: [AudioDrvEmulator] C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe (Creative Technology Ltd.) O4 - HKLM..\Run: [CTDVDDET] C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE (Creative Technology Ltd) O4 - HKLM..\Run: [CTHelper] C:\WINDOWS\CTHELPER.EXE (Creative Technology Ltd) O4 - HKLM..\Run: [CTxfiHlp] C:\WINDOWS\System32\CTXFIHLP.EXE (Creative Technology Ltd) O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions) O4 - HKLM..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation) O4 - HKLM..\Run: [intelliPoint] C:\Program Files\Microsoft IntelliPoint\point32.exe (Microsoft Corporation) O4 - HKLM..\Run: [iSUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation) O4 - HKLM..\Run: [iSUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation) O4 - HKLM..\Run: [MFP1815_S2P] C:\Program Files\Dell\Dell Laser MFP 1815\PSU\Scan2pc.exe () O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation) O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation) O4 - HKLM..\Run: [NWEReboot] File not found O4 - HKLM..\Run: [nwiz] File not found O4 - HKLM..\Run: [pccguide.exe] C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe (Trend Micro Inc.) O4 - HKLM..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe (Sun Microsystems, Inc.) O4 - HKLM..\Run: [updReg] C:\WINDOWS\Updreg.EXE (Creative Technology Ltd.) 
O4 - HKLM..\Run: [userFaultCheck] File not found O4 - HKLM..\Run: [VolPanel] C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe (Creative Technology Ltd) O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd) O4 - HKCU..\Run: [iSUSPM] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation) O4 - HKCU..\Run: [OE_OEM] C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe (Trend Micro Inc.) O4 - HKCU..\Run: [steam] C:\Program Files\Steam\Steam.exe (Valve Corporation) O4 - HKCU..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com) O4 - HKCU..\RunOnce: [shockwave Updater] C:\WINDOWS\System32\Adobe\Shockwave 11\SwHelper_1150595.exe -Update -1150595 -Mozilla\4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident\4.0; File not found O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LUMIX Simple Viewer.lnk = C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe (Matsu****a Electric Industrial Co., Ltd.) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme () O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll (Sun Microsystems, Inc.) 
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} http://support.dell.com/systemprofiler/SysPro.CAB (SysProWmi Class) O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} Seite nicht gefunden (Facebook Photo Uploader 5 Control) O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control) O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool) O16 - DPF: {40F8967E-34A6-474A-837A-CEC1E7DAC54C} https://accounting.quickbooks.com/c1/v16.561/qboax9.cab (Reg Error: Key error.) O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.8.cab (DLM Control) O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} http://ccfiles.creative.com/Web/softwareupdate/su/ocx/15101/CTSUEng.cab (Creative Software AutoUpdate) O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166037347859 (MUWebControl Class) O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} http://webgames.d.tmsrv.com/c=223ca9156990d74223a5e0efb4d55836/aff=trygames_wg/p/release/mumbo/wg_luxor2/luxor2/mjolauncher.cab (MJLauncherCtrl Class) O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} https://accounting.quickbooks.com/c1/v16.608/qboax10.cab (QuickBooks Online Edition Utilities Class v10) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://javadl-esd.sun.com/update/1.6.0/jinstall-6u5-windows-i586.cab (Java Plug-in 1.6.0_05) O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.) O16 - DPF: {A3E21079-7F41-4125-9EBB-FD44CFCC0AC1} https://www.mesh.com/0.9.3103.13/TSWeb.cab (Reg Error: Value error.) 
O16 - DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} http://aolsvc.aol.com/onlinegames/free-trial-zenerchi/ZenerchiWeb.1.0.0.10.cab (CPlayFirstzenerchiControl Object) O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab (EPUImageControl Class) O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} http://www.yoyogames.com/downloads/activex/YoYo.cab (YYGInstantPlay Control) O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine) O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Reg Error: Key error.) 
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe (Virtools WebPlayer Class) O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class) O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://ccfiles.creative.com/Web/softwareupdate/su/ocx/15111/CTPID.cab (Creative Software AutoUpdate Support Package) O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies) O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation) O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com) O24 - Desktop WallPaper: C:\Documents and Settings\Lori\Local Settings\Application Data\Microsoft\Wallpaper1.bmp O24 - Desktop BackupWallPaper: C:\Documents and Settings\Lori\Local Settings\Application Data\Microsoft\Wallpaper1.bmp O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com) O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2005/08/16 06:43:04 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O33 - MountPoints2\{1a58ec34-e83f-11de-b649-001676b674e2}\Shell - "" = AutoRun O33 - MountPoints2\{1a58ec34-e83f-11de-b649-001676b674e2}\Shell\AutoRun - "" = Auto&Play O33 - MountPoints2\{1a58ec34-e83f-11de-b649-001676b674e2}\Shell\AutoRun\command - "" = J:\WINDOWS\IronKey.exe -- File not found O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell - "" = AutoRun O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun - "" = Auto&Play O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun\command - "" = E:\setup.exe -- File not found O33 - 
MountPoints2\{58a3a095-2045-11dd-b5c7-001676b674e2}\Shell - "" = AutoRun O33 - MountPoints2\{58a3a095-2045-11dd-b5c7-001676b674e2}\Shell\AutoRun - "" = Auto&Play O33 - MountPoints2\{58a3a095-2045-11dd-b5c7-001676b674e2}\Shell\AutoRun\command - "" = I:\WINDOWS\IronKey.exe -- File not found O33 - MountPoints2\{7144ff19-69a4-11de-b622-001676b674e2}\Shell - "" = AutoRun O33 - MountPoints2\{7144ff19-69a4-11de-b622-001676b674e2}\Shell\AutoRun - "" = Auto&Play O33 - MountPoints2\{7144ff19-69a4-11de-b622-001676b674e2}\Shell\AutoRun\command - "" = I:\IronKey.exe -- File not found O33 - MountPoints2\{978b5df5-1f17-11df-9e68-001676b674e2}\Shell - "" = AutoRun O33 - MountPoints2\{978b5df5-1f17-11df-9e68-001676b674e2}\Shell\AutoRun - "" = Auto&Play O33 - MountPoints2\{978b5df5-1f17-11df-9e68-001676b674e2}\Shell\AutoRun\command - "" = I:\LaunchU3.exe -- File not found O33 - MountPoints2\{d0ab9b99-8a76-11de-b62e-001676b674e2}\Shell - "" = AutoRun O33 - MountPoints2\{d0ab9b99-8a76-11de-b62e-001676b674e2}\Shell\AutoRun - "" = Auto&Play O33 - MountPoints2\{d0ab9b99-8a76-11de-b62e-001676b674e2}\Shell\AutoRun\command - "" = J:\IronKey.exe -- File not found O34 - HKLM BootExecute: (autocheck autochk *) - File not found O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* NetSvcs: 6to4 - File not found NetSvcs: Ias - C:\WINDOWS\system32\ias [2005/08/16 06:22:48 | 000,000,000 | ---D | M] NetSvcs: Iprip - File not found NetSvcs: Irmon - File not found NetSvcs: NWCWorkstation - File not found NetSvcs: Nwsapagent - File not found NetSvcs: WmdmPmSp - File not found MsConfig - State: "system.ini" - 0 MsConfig - State: "win.ini" - 0 MsConfig - State: "bootini" - 0 MsConfig - State: "services" - 0 MsConfig - State: "startup" - 0 CREATERESTOREPOINT Restore point Set: OTL Restore Point (69256455022182400) ========== Files/Folders - Created Within 30 Days ========== [2010/06/15 17:39:17 | 
000,572,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Lori\Desktop\OTL.exe [2010/06/15 16:28:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lori\Application Data\SUPERAntiSpyware.com [2010/06/15 16:28:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com [2010/06/15 16:28:20 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware [2010/06/15 16:18:03 | 000,000,000 | ---D | C] -- C:\Avenger [2010/06/15 14:38:49 | 000,000,000 | ---D | C] -- C:\Program Files\EraserPortable [2010/06/15 12:29:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lori\Application Data\Malwarebytes [2010/06/15 12:29:42 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys [2010/06/15 12:29:41 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys [2010/06/15 12:29:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes [2010/06/15 12:29:40 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware [2010/06/15 12:22:29 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\Lori\Desktop\ATF-Cleaner.exe [2010/06/15 11:39:18 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR [2010/06/15 11:37:39 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Adobe [2010/06/15 11:25:23 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox [2010/06/15 10:24:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss [2010/06/15 00:21:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia [2010/06/15 00:21:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe [2010/06/14 23:58:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lori\Application Data\Sky-Banners [2010/06/14 03:22:21 | 000,743,424 | ---- | C] (Microsoft Corporation) -- 
C:\WINDOWS\System32\dllcache\iedvtool.dll [2010/06/10 18:25:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lori\Application Data\TuxPaint [2010/06/10 18:24:34 | 000,000,000 | ---D | C] -- C:\Program Files\TuxPaint [2010/05/26 01:10:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lori\Application Data\gtk-2.0 [2010/05/25 20:40:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lori\.gimp-2.6 [2010/05/25 20:40:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lori\My Documents\gegl-0.0 [2010/05/25 20:40:04 | 000,000,000 | ---D | C] -- C:\Program Files\GIMP-2.0 [2010/05/25 20:28:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lori\Application Data\WTablet [2010/05/25 20:27:57 | 000,000,000 | ---D | C] -- C:\Program Files\TabletPlugins [2010/05/25 20:27:56 | 007,773,040 | ---- | C] (Wacom Technology, Corp.) -- C:\WINDOWS\System32\WacomTablet.cpl [2010/05/25 20:26:30 | 000,011,312 | ---- | C] (Wacom Technology) -- C:\WINDOWS\System32\drivers\wacommousefilter.sys [2010/05/25 20:26:28 | 000,014,120 | ---- | C] (Wacom Technology) -- C:\WINDOWS\System32\drivers\wacomvhid.sys [2010/05/25 20:26:26 | 000,016,168 | ---- | C] (Wacom Technology) -- C:\WINDOWS\System32\drivers\wacmoumonitor.sys [2010/05/25 20:26:26 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\WTablet [2010/05/25 20:26:24 | 005,010,288 | ---- | C] (Wacom Technology, Corp.) -- C:\WINDOWS\System32\Wacom_Tablet.exe [2010/05/25 20:26:24 | 000,415,600 | ---- | C] (Wacom Technology, Corp.) -- C:\WINDOWS\System32\Wacom_Tablet.dll [2010/05/25 20:26:24 | 000,294,400 | ---- | C] (Wacom Technology, Corp.) 
-- C:\WINDOWS\System32\Wintab32.dll [2010/05/25 20:26:22 | 000,000,000 | ---D | C] -- C:\Program Files\Tablet [2010/05/25 18:25:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\WTablet [2010/05/24 19:04:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lori\.thumbnails [2010/05/17 15:57:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lori\Desktop\art [2006/12/13 12:50:56 | 000,335,872 | ---- | C] ( ) -- C:\WINDOWS\System32\lexlog.dll [2006/12/08 12:17:55 | 000,033,792 | R--- | C] ( ) -- C:\WINDOWS\System32\a3d.dll [8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] [2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] [1 C:\*.tmp files -> C:\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2010/06/15 17:39:22 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Lori\Desktop\OTL.exe [2010/06/15 17:32:56 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl [2010/06/15 17:31:02 | 000,264,653 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml [2010/06/15 17:30:10 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT [2010/06/15 17:30:08 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat [2010/06/15 17:29:54 | 2145,300,480 | -HS- | M] () -- C:\hiberfil.sys [2010/06/15 17:28:35 | 011,272,192 | ---- | M] () -- C:\Documents and Settings\Lori\ntuser.dat [2010/06/15 17:28:35 | 000,064,980 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000004-00000000-00000004-00001102-00000005-10031102}.rfx [2010/06/15 17:28:35 | 000,055,172 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000004-00000000-00000004-00001102-00000005-10031102}.rfx [2010/06/15 17:28:35 | 000,055,172 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000004-00000000-00000004-00001102-00000005-10031102}.rfx [2010/06/15 17:28:35 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm [2010/06/15 17:28:35 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm 
[2010/06/15 16:58:00 | 000,000,412 | ---- | M] () -- C:\WINDOWS\tasks\Updater.job [2010/06/15 16:28:25 | 000,001,678 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk [2010/06/15 15:31:19 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{205FFA7B-8B8E-4420-A4D9-7DD7D87A6636}.job [2010/06/15 15:19:26 | 000,001,316 | -HS- | M] () -- C:\WINDOWS\System32\KGyGaAvL.sys [2010/06/15 14:47:53 | 000,000,754 | ---- | M] () -- C:\Documents and Settings\Lori\Desktop\EraserPortable.exe.lnk [2010/06/15 12:29:45 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk [2010/06/15 12:22:29 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\Lori\Desktop\ATF-Cleaner.exe [2010/06/15 12:02:50 | 109,456,774 | ---- | M] () -- C:\Documents and Settings\Lori\Desktop\reg_backup.reg [2010/06/15 11:25:28 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk [2010/06/15 10:58:03 | 000,372,872 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT [2010/06/15 10:53:15 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK [2010/06/15 10:47:11 | 000,553,312 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI [2010/06/15 10:47:11 | 000,477,622 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat [2010/06/15 10:47:11 | 000,085,804 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat [2010/06/15 10:35:22 | 000,000,821 | ---- | M] () -- C:\WINDOWS\win.ini [2010/06/15 10:35:22 | 000,000,259 | ---- | M] () -- C:\WINDOWS\system.ini [2010/06/15 10:35:22 | 000,000,209 | -HS- | M] () -- C:\boot.ini [2010/06/15 04:07:51 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat [2010/06/15 00:16:19 | 000,000,312 | ---- | M] () -- C:\WINDOWS\popcinfot.dat [2010/06/15 00:06:41 | 002,109,342 | -H-- | M] () -- C:\Documents and Settings\Lori\Local Settings\Application Data\IconCache.db [2010/06/13 18:00:00 | 000,000,404 | ---- 
| M] () -- C:\WINDOWS\tasks\Norton Security Scan for Zoe.job [2010/06/12 17:45:12 | 000,004,041 | ---- | M] () -- C:\Documents and Settings\Lori\.recently-used.xbel [2010/06/12 16:55:12 | 000,000,297 | ---- | M] () -- C:\Documents and Settings\Lori\Desktop\Zoe Land.url [2010/06/10 18:24:42 | 000,000,630 | ---- | M] () -- C:\Documents and Settings\Lori\Desktop\Tux Paint.lnk [2010/06/08 13:25:35 | 000,150,016 | ---- | M] () -- C:\Documents and Settings\Lori\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2010/06/05 10:29:47 | 000,000,874 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Cosmic Bugs.lnk [2010/05/28 00:08:42 | 000,000,023 | ---- | M] () -- C:\WINDOWS\BlendSettings.ini [2010/05/26 16:04:23 | 000,000,117 | -H-- | M] () -- C:\WINDOWS\popcreg.dat [2010/05/25 20:40:32 | 000,000,790 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\GIMP 2.lnk [2010/05/25 20:00:48 | 000,113,863 | ---- | M] () -- C:\Documents and Settings\Lori\Desktop\Superman.xcf [2010/05/25 17:49:41 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Lori\ntuser.ini [2010/05/24 18:01:37 | 000,026,112 | ---- | M] () -- C:\Documents and Settings\Lori\Desktop\June 2010.xls [2010/05/22 07:36:29 | 000,025,600 | ---- | M] () -- C:\Documents and Settings\Lori\Desktop\may 2010.xls [2010/05/18 21:39:49 | 386,478,079 | ---- | M] () -- C:\Documents and Settings\Lori\Desktop\FANTASTIC_MR_FOX.ISO [8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] [2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] [1 C:\*.tmp files -> C:\*.tmp -> ] ========== Files Created - No Company Name ========== [2010/06/15 16:28:25 | 000,001,678 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk [2010/06/15 14:47:23 | 000,000,754 | ---- | C] () -- C:\Documents and Settings\Lori\Desktop\EraserPortable.exe.lnk [2010/06/15 12:29:45 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All 
Thanks in advance for any help you can give me. I am usually the person people come to for help, but this has me stumped. There are some cowboys in here...