
Redirection. Suspect rootkit. [Solved]



#1 Vacine
Hello, when surfing the web I am sometimes (5% or so) redirected to a different web site than I was trying to visit. Sometimes it is a site in my bookmarks/favorites (Google is a popular one), and sometimes it is a site I have never been to before (like California's official state site). They don't seem to be phishing sites, as they are not login pages etc.

Norton hasn't found anything. Malwarebytes occasionally finds some cookies. SuperAntiSpyware recently found Trojan.Agent/Gen-Nullo and removed it. It had found occasional cookies or nothing before that, but the redirection happened before Gen-Nullo was found and has happened since.

Do you want the SuperAntiSpyware log?

I used Norton Removal Tool before RootRepeal and OTL. (Reinstalled and updated now of course.)

Note: When running RootRepeal I had no opportunity to do "Step 7. In the next dialog select all drives showing". The scan began immediately on step 6.

-- MALWAREBYTES LOG --

Malwarebytes' Anti-Malware 1.41
Database version: 3172
Windows 5.1.2600 Service Pack 3

11/14/2009 4:20:14 PM
mbam-log-2009-11-14 (16-20-14).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 183357
Time elapsed: 52 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


-- ROOTREPEAL LOG --

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/16 09:54
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_diskdump.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_diskdump.sys
Address: 0xB7803000 Size: 16384 File Visible: No Signed: -
Status: -

Name: dump_viamraid.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_viamraid.sys
Address: 0xAE99D000 Size: 77824 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAE220000 Size: 49152 File Visible: No Signed: -
Status: -

==EOF==


-- OTL LOGS (Extras.txt and OTL.txt) --

-OTL.txt-

OTL logfile created on: 11/16/2009 10:00:32 AM - Run 1
OTL by OldTimer - Version 3.0.22.1 Folder = C:\AMM\OTL
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.64 Gb Available Physical Memory | 82.27% Memory free
2.55 Gb Paging File | 2.35 Gb Available in Paging File | 92.19% Paging File free
Paging file location(s): C:\pagefile.sys 720 1440 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 120.43 Gb Free Space | 80.80% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 12.12 Gb Total Space | 11.82 Gb Free Space | 97.54% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BRYANDUAL
Current User Name: Bryan
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/10/24 12:47:59 | 00,521,728 | ---- | M] (OldTimer Tools) -- C:\AMM\OTL\OTL.exe
PRC - [2009/10/11 04:17:36 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2008/09/17 22:55:00 | 00,163,908 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe
PRC - [2008/04/13 17:12:41 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wscntfy.exe
PRC - [2008/04/13 17:12:22 | 00,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\inetsrv\inetinfo.exe
PRC - [2008/04/13 17:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2007/03/06 10:35:02 | 00,198,168 | ---- | M] (InterVideo Inc.) -- C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
PRC - [2007/03/03 13:48:28 | 00,067,056 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
PRC - [2007/01/04 19:48:52 | 00,112,152 | R--- | M] (InterVideo) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
PRC - [2006/10/18 19:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe
PRC - [2006/03/20 17:34:50 | 00,213,936 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
PRC - [2005/09/22 15:42:00 | 00,090,112 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
PRC - [2005/03/08 02:33:28 | 00,053,248 | ---- | M] (S3 Graphics, Inc.) -- C:\WINDOWS\System32\VTTimer.exe
PRC - [2003/08/29 06:54:16 | 00,307,200 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\System32\LEXBCES.EXE
PRC - [2003/08/29 06:50:24 | 00,174,592 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\System32\LEXPPS.EXE
PRC - [1996/11/16 23:00:00 | 00,051,984 | ---- | M] () -- C:\Program Files\Microsoft Office\Office\OSA.EXE

========== Win32 Services (SafeList) ==========

SRV - File not found -- -- (XEGJGVPRC [On_Demand | Stopped])
SRV - File not found -- -- (WTOGSKWBN [On_Demand | Stopped])
SRV - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2008/09/17 22:55:00 | 00,163,908 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe -- (NVSvc [Auto | Running])
SRV - [2008/07/29 20:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2008/07/29 18:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2008/07/29 18:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2008/07/25 10:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/07/25 10:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2008/04/13 17:12:22 | 00,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\inetsrv\inetinfo.exe -- (W3SVC [On_Demand | Stopped])
SRV - [2008/04/13 17:12:22 | 00,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\inetsrv\inetinfo.exe -- (SMTPSVC [On_Demand | Stopped])
SRV - [2008/04/13 17:12:22 | 00,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\inetsrv\inetinfo.exe -- (MSFtpsvc [On_Demand | Stopped])
SRV - [2008/04/13 17:12:22 | 00,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\inetsrv\inetinfo.exe -- (IISADMIN [On_Demand | Running])
SRV - [2008/04/13 17:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2008/01/29 16:09:02 | 00,394,704 | ---- | M] (Symantec, Inc.) -- C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe -- (Symantec RemoteAssist [On_Demand | Stopped])
SRV - [2007/03/06 10:35:02 | 00,198,168 | ---- | M] (InterVideo Inc.) -- C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe -- (Capture Device Service [Auto | Running])
SRV - [2007/03/03 13:48:28 | 00,067,056 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper [Auto | Running])
SRV - [2007/01/04 19:48:52 | 00,112,152 | R--- | M] (InterVideo) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr [Auto | Running])
SRV - [2006/10/18 19:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [Auto | Running])
SRV - [2006/05/26 03:50:24 | 04,149,248 | ---- | M] () -- C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe -- (MySQL [On_Demand | Stopped])
SRV - [2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2003/08/29 06:54:16 | 00,307,200 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\System32\LEXBCES.EXE -- (LexBceS [Auto | Running])

========== Modules (SafeList) ==========

MOD - [2009/10/24 12:47:59 | 00,521,728 | ---- | M] (OldTimer Tools) -- C:\AMM\OTL\OTL.exe
MOD - [2008/04/13 17:12:51 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
MOD - [2008/04/13 17:12:05 | 00,065,024 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ShimEng.dll
MOD - [2008/04/13 17:11:58 | 00,071,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MSACM32.dll
MOD - [2008/04/13 17:11:48 | 01,852,928 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\AppPatch\AcGenral.DLL
MOD - [2004/08/04 04:00:00 | 00,014,848 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\serwvdrv.dll
MOD - [2004/08/04 04:00:00 | 00,013,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\umdmxfrm.dll

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo....e...-8&fr=b1ie7
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Yahoo"
FF - prefs.js..browser.startup.homepage: "about:blank"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}:6.0.15
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}:6.0.17
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: [email protected]:7
FF - prefs.js..extensions.enabledItems: {8545daff-ad1e-493f-a37e-eed1ac79682b}:1.0
FF - prefs.js..extensions.enabledItems: {7BA52691-1876-45ce-9EE6-54BCB3B04BBC}:3.7
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.5

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/08/20 11:24:47 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/08/25 15:37:04 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/11/06 20:29:39 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/11/06 20:29:40 | 00,000,000 | ---D | M]

[2009/04/13 11:23:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\mozilla\Extensions
[2009/04/13 11:23:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\mozilla\Extensions\{ea278cf8-93cd-484f-b951-57360482d33a}
[2008/06/19 16:59:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/11/15 10:44:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\mozilla\Firefox\Profiles\2klw6kkj.default\extensions
[2009/08/20 13:20:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\mozilla\Firefox\Profiles\2klw6kkj.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/11/16 07:16:43 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/11/06 20:29:34 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/08/25 15:37:25 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
[2009/11/03 13:46:42 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
[2009/11/06 20:29:33 | 00,023,512 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/11/06 20:29:34 | 00,137,176 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/10/11 04:17:27 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeploytk.dll
[2009/11/06 20:29:36 | 00,064,984 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2007/11/17 14:37:48 | 00,131,072 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin.dll
[2007/11/17 14:37:48 | 00,131,072 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll
[2007/11/17 14:37:48 | 00,131,072 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll
[2007/11/17 14:37:48 | 00,131,072 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll
[2007/11/17 14:37:48 | 00,131,072 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll
[2007/11/17 14:37:48 | 00,131,072 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll
[2007/11/17 14:37:48 | 00,131,072 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll
[2009/07/30 00:24:20 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/07/30 00:24:20 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/07/30 00:24:20 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/07/30 00:24:20 | 00,002,344 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/07/30 00:24:20 | 00,002,371 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/09/09 07:19:17 | 00,002,221 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\SafeSearch.xml
[2009/07/30 00:24:20 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/07/30 00:24:20 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (347163 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 11905 more lines...
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [ISUSPM] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe (Lexmark)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe (InterVideo Digital Technology Corporation)
O4 - HKLM..\Run: [VTTimer] C:\WINDOWS\System32\VTTimer.exe (S3 Graphics, Inc.)
O4 - HKLM..\Run: [VTTrayp] C:\WINDOWS\System32\VTtrayp.exe (S3 Graphics Co., Ltd.)
O4 - HKCU..\RunOnce: [] C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PKZIP Attachments Status.lnk = C:\Program Files\PKWARE\PKZIPM\9.00.0010\PKTray.exe (PKWARE, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit, Inc.)
O4 - Startup: C:\Documents and Settings\Bryan\Start Menu\Programs\Startup\Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE ()
O4 - Startup: C:\Documents and Settings\Bryan\Start Menu\Programs\Startup\MySQL System Tray Monitor.lnk = C:\Program Files\MySQL\MySQL Tools for 5.0\MySQLSystemTrayMonitor.exe ()
O4 - Startup: C:\Documents and Settings\Bryan\Start Menu\Programs\Startup\Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE ()
O4 - Startup: C:\Documents and Settings\Bryan\Start Menu\Programs\Startup\PowerReg Scheduler.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 59 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {3BB1D69B-A780-4BE1-876E-F3D488877135} http://download.micr...tualEarth3D.cab (SentinelProxy Class)
O16 - DPF: {428A9DEF-F057-402B-9F2D-A5887F4544ED} http://download.micr...tualEarth3D.cab (SentinelProxy Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1134415597281 (WUWebControl Class)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.syma...n/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} https://webdl.symant...ex/symdlmgr.cab (Symantec Download Manager)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} http://www.crucial.c.../cpcScanner.cab (Crucial cpcScan)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/27 14:51:48 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

NetSvcs: 6to4 - Service key not found. File not found
NetSvcs: Ias - Service key not found. File not found
NetSvcs: Iprip - Service key not found. File not found
NetSvcs: Irmon - Service key not found. File not found
NetSvcs: NWCWorkstation - Service key not found. File not found
NetSvcs: Nwsapagent - Service key not found. File not found
NetSvcs: WmdmPmSp - Service key not found. File not found
NetSvcs: helpsvc - C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)

========== Files/Folders - Created Within 14 Days ==========

[2009/11/08 09:22:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Kodak
[2009/11/16 09:30:35 | 00,793,200 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\Bryan\Desktop\Norton_Removal_Tool(2).exe
[2009/11/09 19:30:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Bryan\My Documents\TheMirror
[2009/11/08 09:36:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Bryan\My Documents\Kodak_Z650_Manual

========== Files - Modified Within 14 Days ==========

[2009/11/16 09:43:15 | 00,597,526 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/11/16 09:43:15 | 00,495,800 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/11/16 09:43:15 | 00,089,644 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/11/16 09:41:48 | 00,192,339 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/11/16 09:41:42 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/11/16 09:39:08 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/11/16 09:39:06 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/11/16 09:30:35 | 00,793,200 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\Bryan\Desktop\Norton_Removal_Tool(2).exe
[2009/11/16 09:15:27 | 00,000,804 | ---- | M] () -- C:\WINDOWS\tasks\PhosphorGalleryBKSched.job
[2009/11/16 09:12:13 | 00,000,804 | ---- | M] () -- C:\WINDOWS\tasks\FinisWebsiteBKSched.job
[2009/11/16 08:35:38 | 00,002,427 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Paint Shop Pro.lnk
[2009/11/15 21:17:25 | 00,000,494 | ---- | M] () -- C:\WINDOWS\Caligari.ini
[2009/11/15 10:06:33 | 00,030,720 | ---- | M] () -- C:\Documents and Settings\Bryan\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/13 20:14:00 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/11/11 18:43:11 | 00,181,832 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/11/11 10:16:51 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/11/08 09:46:55 | 00,000,667 | ---- | M] () -- C:\Documents and Settings\Bryan\Desktop\Z650 Manual.lnk
[2009/11/04 06:50:07 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

========== Files - No Company Name ==========
[2009/11/16 09:15:27 | 00,000,804 | ---- | C] () -- C:\WINDOWS\tasks\PhosphorGalleryBKSched.job
[2009/11/16 09:12:13 | 00,000,804 | ---- | C] () -- C:\WINDOWS\tasks\FinisWebsiteBKSched.job
[2009/11/08 09:46:55 | 00,000,667 | ---- | C] () -- C:\Documents and Settings\Bryan\Desktop\Z650 Manual.lnk
[2009/07/23 13:15:03 | 00,010,047 | ---- | C] () -- C:\WINDOWS\PlantStudio2.ini
[2009/07/22 18:54:35 | 00,001,159 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/09/04 11:08:41 | 00,000,736 | ---- | C] () -- C:\WINDOWS\SamsungMaster.INI
[2008/07/31 12:15:16 | 00,000,128 | ---- | C] () -- C:\Documents and Settings\Bryan\Local Settings\Application Data\fusioncache.dat
[2008/07/21 15:14:10 | 00,073,728 | ---- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll
[2008/06/05 19:43:32 | 00,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2008/06/05 19:43:32 | 00,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2008/03/30 12:27:24 | 00,278,728 | ---- | C] () -- C:\WINDOWS\System32\drivers\atksgt.sys
[2008/03/30 12:27:24 | 00,025,416 | ---- | C] () -- C:\WINDOWS\System32\drivers\lirsgt.sys
[2008/02/01 19:55:02 | 01,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2008/02/01 19:55:02 | 01,503,232 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2008/02/01 19:55:02 | 01,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2008/02/01 19:55:02 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008/02/01 19:54:01 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2008/02/01 19:53:57 | 00,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2007/12/03 21:04:27 | 00,000,102 | ---- | C] () -- C:\WINDOWS\VSWizard.ini
[2007/11/17 14:36:54 | 00,210,456 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2007/11/17 14:36:54 | 00,206,360 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2007/11/17 14:36:54 | 00,198,168 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2007/11/17 14:36:54 | 00,198,168 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2007/11/17 14:36:54 | 00,194,072 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2007/11/17 14:36:54 | 00,026,136 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2007/11/06 18:09:09 | 00,000,183 | ---- | C] () -- C:\WINDOWS\3DR.INI
[2007/11/06 18:09:08 | 00,374,784 | ---- | C] () -- C:\WINDOWS\3DG32.DLL
[2007/01/21 13:07:36 | 00,000,367 | ---- | C] () -- C:\WINDOWS\TreeDo.Ini
[2006/12/18 20:51:22 | 00,000,017 | ---- | C] () -- C:\WINDOWS\MovingPicture.ini
[2006/12/15 17:56:39 | 00,000,032 | ---- | C] () -- C:\WINDOWS\basefx.INI
[2006/12/12 09:30:26 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2006/12/12 09:24:42 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2006/12/03 12:20:48 | 00,000,221 | ---- | C] () -- C:\WINDOWS\SOFTEK.INI
[2006/12/02 15:45:27 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2006/06/05 14:55:33 | 00,021,791 | ---- | C] () -- C:\WINDOWS\System32\smtpctrs.ini
[2006/06/05 14:55:33 | 00,001,037 | ---- | C] () -- C:\WINDOWS\System32\ntfsdrct.ini
[2006/06/05 14:54:57 | 00,007,909 | ---- | C] () -- C:\WINDOWS\System32\ftpctrs.ini
[2006/06/05 14:54:56 | 00,038,576 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini
[2006/06/05 14:54:56 | 00,010,225 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini
[2006/06/05 14:54:55 | 00,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini
[2006/06/05 13:57:01 | 00,000,144 | ---- | C] () -- C:\WINDOWS\Eudcedit.ini
[2006/05/24 18:27:55 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxblvs.dll
[2006/05/24 18:23:52 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\LXBLLCNP.DLL
[2006/05/24 15:53:22 | 00,001,041 | ---- | C] () -- C:\WINDOWS\lexstat.ini
[2006/05/24 15:53:18 | 00,328,704 | ---- | C] () -- C:\WINDOWS\System32\dosfnt32.dll
[2006/05/24 15:38:16 | 00,000,022 | ---- | C] () -- C:\WINDOWS\exchng.ini
[2006/05/24 15:38:15 | 00,000,709 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/05/20 21:32:23 | 00,000,494 | ---- | C] () -- C:\WINDOWS\Caligari.ini
[2006/05/19 21:03:55 | 00,030,720 | ---- | C] () -- C:\Documents and Settings\Bryan\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/05/19 20:40:46 | 00,044,296 | ---- | C] () -- C:\Documents and Settings\Bryan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2006/05/19 20:39:32 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Bryan\Application Data\desktop.ini
[2006/05/19 20:39:31 | 04,284,774 | -H-- | C] () -- C:\Documents and Settings\Bryan\Local Settings\Application Data\IconCache.db
[2006/05/12 08:30:27 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/01/01 04:40:10 | 00,000,503 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/08/27 16:24:22 | 00,000,882 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/27 14:45:53 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2004/08/27 14:40:08 | 00,001,336 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/27 14:40:07 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2004/03/18 08:44:29 | 01,663,068 | ---- | C] () -- C:\WINDOWS\System32\libmmd.dll
[2002/09/10 21:54:22 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2001/08/31 15:33:58 | 00,425,984 | ---- | C] () -- C:\WINDOWS\System32\VxDMDcDlg.dll
[2001/07/13 06:04:00 | 00,373,248 | ---- | C] () -- C:\WINDOWS\EyeCand3.INI
[1996/11/16 23:00:00 | 00,022,016 | ---- | C] () -- C:\WINDOWS\System32\ODBCSTF.DLL
[1996/11/16 23:00:00 | 00,022,016 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[1996/11/16 23:00:00 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL
[1979/12/31 23:00:00 | 00,157,184 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll

========== LOP Check ==========

[2009/11/08 09:22:02 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data
[2004/08/27 16:28:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CyberLink
[2009/08/05 12:34:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FLEXnet
[2007/11/17 14:36:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InterVideo
[2009/11/16 09:35:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Norton
[2009/08/21 16:02:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller
[2009/04/28 16:55:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCSettings
[2006/12/18 20:51:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pinnacle
[2006/11/12 19:01:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PKWARE
[2004/08/27 16:25:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBSI
[2007/11/17 15:21:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ulead Systems
[2009/10/24 12:51:50 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\Bryan\Application Data
[2006/06/25 07:50:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\ActiveState
[2007/07/01 15:26:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\ArcSoft
[2007/11/17 15:05:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\InterVideo
[2006/10/06 16:08:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\Jasc
[2006/12/21 16:02:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\Leadertech
[2009/11/15 21:30:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\Move Networks
[2009/09/04 15:44:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\MySQL
[2006/11/12 19:02:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\PKWARE
[2009/04/07 21:03:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\Thunderbird
[2007/11/17 15:33:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\Ulead Systems
[2006/11/13 13:16:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bryan\Application Data\VERITAS
[2009/11/13 20:14:00 | 00,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2004/08/04 04:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/11/16 09:12:13 | 00,000,804 | ---- | M] () -- C:\WINDOWS\Tasks\FinisWebsiteBKSched.job
[2009/11/16 09:15:27 | 00,000,804 | ---- | M] () -- C:\WINDOWS\Tasks\PhosphorGalleryBKSched.job
[2009/11/16 09:39:08 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >

< %SYSTEMDRIVE%\eventlog.dll /s /md5 >
[EventLog.dll : MD5=258ED9A1CCD8102C3236DD97354C51EC] -> [2008/09/03 14:17:20 | 00,028,797 | R--- | M] () -- C:\Perl\lib\auto\Win32\EventLog\EventLog.dll
[eventlog.dll : MD5=82B24CB70E5944E6E34662205A2A5B78] -> [2004/08/04 04:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll
[eventlog.dll : MD5=6D4FEB43EE538FC5428CC7F0565AA656] -> [2008/04/13 17:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[eventlog.dll : MD5=6D4FEB43EE538FC5428CC7F0565AA656] -> [2008/04/13 17:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\eventlog.dll

< %SYSTEMDRIVE%\scecli.dll /s /md5 >
[scecli.dll : MD5=0F78E27F563F2AAF74B91A49E2ABF19A] -> [2004/08/04 04:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[scecli.dll : MD5=A86BB5E61BF3E39B62AB4C7E7085A084] -> [2008/04/13 17:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[scecli.dll : MD5=A86BB5E61BF3E39B62AB4C7E7085A084] -> [2008/04/13 17:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\scecli.dll

< %SYSTEMDRIVE%\netlogon.dll /s /md5 >
[netlogon.dll : MD5=96353FCECBA774BB8DA74A1C6507015A] -> [2004/08/04 04:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
[netlogon.dll : MD5=1B7F071C51B77C272875C3A23E1E4550] -> [2008/04/13 17:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[netlogon.dll : MD5=1B7F071C51B77C272875C3A23E1E4550] -> [2008/04/13 17:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\netlogon.dll

< %SYSTEMDRIVE%\cngaudit.dll /s /md5 >

< %SYSTEMDRIVE%\sceclt.dll /s /md5 >

< %SYSTEMDRIVE%\ntelogon.dll /s /md5 >

< %SYSTEMDRIVE%\logevent.dll /s /md5 >

< %SYSTEMDRIVE%\iaStor.sys /s /md5 >
[iaStor.sys : MD5=309C4D86D989FB1FCF64BD30DC81C51B] -> [2005/10/12 11:07:12 | 00,874,240 | ---- | M] (Intel Corporation) -- C:\Drivers\iaStor.sys
[iaStor.sys : MD5=309C4D86D989FB1FCF64BD30DC81C51B] -> [2005/10/12 11:07:12 | 00,874,240 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\drivers\iaStor.sys

< %SYSTEMDRIVE%\nvstor.sys /s /md5 >

< %SYSTEMDRIVE%\atapi.sys /s /md5 >
[atapi.sys : MD5=CDFE4411A69C224BD1D11B2DA92DAC51] -> [2004/08/03 21:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[atapi.sys : MD5=9F3A2F5AA6875C72BF062C712CFA2674] -> [2008/04/13 11:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[atapi.sys : MD5=9F3A2F5AA6875C72BF062C712CFA2674] -> [2008/04/13 11:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\atapi.sys

< %SYSTEMDRIVE%\IdeChnDr.sys /s /md5 >

< %SYSTEMDRIVE%\viasraid.sys /s /md5 >
[viasraid.sys : MD5=EBE101C01D80A42868F57B327BE1B564] -> [2003/10/31 07:22:38 | 00,077,312 | ---- | M] (VIA Technologies inc,.ltd) -- C:\Drivers\Winxp\viasraid.sys
< End of report >


-Extras.txt-

OTL Extras logfile created on: 11/16/2009 10:00:32 AM - Run 1
OTL by OldTimer - Version 3.0.22.1 Folder = C:\AMM\OTL
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.64 Gb Available Physical Memory | 82.27% Memory free
2.55 Gb Paging File | 2.35 Gb Available in Paging File | 92.19% Paging File free
Paging file location(s): C:\pagefile.sys 720 1440 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 120.43 Gb Free Space | 80.80% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 12.12 Gb Total Space | 11.82 Gb Free Space | 97.54% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BRYANDUAL
Current User Name: Bryan
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
chm.file [open] -- "C:\WINDOWS\hh.exe" %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0201B8AB-D2AB-4782-84A4-F6532860AB43}" = MySQL Workbench 5.0 OSS
"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = VERITAS RecordNow Update Manager
"{0CB3C535-1171-4A20-B549-E2CB5DEB9723}" = MySQL Connector/ODBC 3.51
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{20471B27-D702-4FE8-8DEC-0702CC8C0A85}" = InterVideo WinDVD 8
"{20C53FA2-4307-4671-A93F-9463B29DFCF1}" = Symantec Technical Support Web Controls
"{237a4b22-78c2-11d6-a394-00104bd190b1}" = QuickBooks Pro Edition 2003
"{26A24AE4-039D-4CA4-87B4-2F83216015FF}" = Java™ 6 Update 17
"{2D87E961-577B-492B-AD54-1368680FB9A7}" = Virtual Earth 3D (Beta)
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{362755FC-209C-4B69-93C3-BE8101A29F8B}" = MySQL Server 5.0
"{43DCF766-6838-4F9A-8C91-D92DA586DFA7}" = Microsoft Windows Journal Viewer
"{521AAD14-5030-44BB-8B0E-5CE65FCE57E0}" = InterVideo DeviceService
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{8214CC02-6271-4DC8-B8DD-779933450264}" = VERITAS RecordNow
"{82A27957-45D5-41BC-8593-60249895727B}" = ActivePerl 5.10.0 Build 1004
"{86D6A20D-3910-4441-A3E5-EB6977251C86}" = Samsung USB Driver
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8D5D99B8-DFA2-4018-ADE9-A6B83E655C65}" =
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{AC76BA86-7AD7-1033-7B44-A70500000002}" = Adobe Reader 7.0.5
"{AEC0CEBC-0FC7-4716-8222-1C4A742719B1}" = Samsung Master
"{B4B338BD-4C93-4531-B5BB-7F0E5EB7340B}" =
"{B4FEA924-630D-11D4-B78E-005004566E4D}" = ViewSonic Monitor Drivers
"{BE8DD809-A406-40E2-AB9F-28E69E737383}" = PKZIP for Windows 9.00.0010
"{BEF3EFE7-5159-436D-9BF0-CCC633179EB4}" = EVGA Display Driver
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D6DE02C7-1F47-11D4-9515-00105AE4B89A}" = Paint Shop Pro 7 Anniversary Edition
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{EC561602-C0B9-4FAA-A175-1B3273639AC3}" = MySQL Tools for 5.0
"{F07B861C-72B9-40A4-8B1A-AAED4C06A7E8}" = QuickTime
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F99F9E24-EE2F-47FD-AEB0-FDB82859B5C9}" = VideoStudio
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"Adobe Acrobat 4.0" = Adobe Acrobat 4.0
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Apophysis 2.0" = Apophysis 2.0
"Caligari trueSpace5_is1" = Caligari trueSpace5
"Caligari trueSpace7.6_is1" = Uninstall trueSpace7.6
"CNXT_MODEM_PCI_HSF" = PCI SoftV92 Modem
"Dune 2000" = Dune 2000
"EditPlus 2" = EditPlus 2
"ERUNT_is1" = ERUNT 1.1j
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{20471B27-D702-4FE8-8DEC-0702CC8C0A85}" = InterVideo WinDVD 8
"InstallShield_{F99F9E24-EE2F-47FD-AEB0-FDB82859B5C9}" = Ulead VideoStudio 11
"Lexmark Z700-P700 Series" = Lexmark Z700-P700 Series
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Manual for trueSpace7.51_is1" = Manual for trueSpace7.51
"Manual video for trueSpace7.6_is1" = Manual video for trueSpace7.6
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.5)" = Mozilla Firefox (3.5.5)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSN Music Assistant" = MSN Music Assistant
"MSNINST" = MSN
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"Office8.0" = Microsoft Office 97, Professional Edition
"PlantStudio version 2.10_is1" = PlantStudio version 2.10
"Primal Particles 1.7.2 for trueSpace5_is1" = Primal Particles 1.7.2 for trueSpace5
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"trueSpace3DeinstKey" = Caligari trueSpace3
"trueSpace75 Guided Tour_is1" = trueSpace75 Guided Tour
"WIC" = Windows Imaging Component
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMCSetup" = Windows Media Connect
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"WOLAPI" = Westwood Shared Internet Components
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/21/2009 11:00:09 AM | Computer Name = BRYANDUAL | Source = NTBackup | ID = 8019
Description = End Operation: Warnings or errors were encountered. Consult the backup
report for more details.

Error - 10/21/2009 11:00:22 PM | Computer Name = BRYANDUAL | Source = NTBackup | ID = 8019
Description = End Operation: Warnings or errors were encountered. Consult the backup
report for more details.

Error - 10/22/2009 11:00:14 AM | Computer Name = BRYANDUAL | Source = NTBackup | ID = 8019
Description = End Operation: Warnings or errors were encountered. Consult the backup
report for more details.

Error - 10/22/2009 11:00:08 PM | Computer Name = BRYANDUAL | Source = NTBackup | ID = 8019
Description = End Operation: Warnings or errors were encountered. Consult the backup
report for more details.

Error - 10/23/2009 11:00:16 AM | Computer Name = BRYANDUAL | Source = NTBackup | ID = 8019
Description = End Operation: Warnings or errors were encountered. Consult the backup
report for more details.

Error - 10/23/2009 11:00:08 PM | Computer Name = BRYANDUAL | Source = NTBackup | ID = 8019
Description = End Operation: Warnings or errors were encountered. Consult the backup
report for more details.

Error - 10/28/2009 10:03:17 AM | Computer Name = BRYANDUAL | Source = Application Error | ID = 1000
Description = Faulting application ts5.exe, version 5.1.0.4, faulting module ntdll.dll,
version 5.1.2600.5755, fault address 0x00011689.

Error - 11/12/2009 12:12:19 AM | Computer Name = BRYANDUAL | Source = Application Hang | ID = 1002
Description = Hanging application tS7.exe, version 7.6.0.2, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 11/12/2009 10:15:55 PM | Computer Name = BRYANDUAL | Source = Application Hang | ID = 1002
Description = Hanging application tS7.exe, version 7.6.0.2, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 11/12/2009 10:32:39 PM | Computer Name = BRYANDUAL | Source = Application Hang | ID = 1002
Description = Hanging application tS7.exe, version 7.6.0.2, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 11/14/2009 6:15:31 PM | Computer Name = BRYANDUAL | Source = Service Control Manager | ID = 7034
Description = The IIS Admin service terminated unexpectedly. It has done this 1
time(s).

Error - 11/14/2009 6:15:32 PM | Computer Name = BRYANDUAL | Source = Service Control Manager | ID = 7034
Description = The Java Quick Starter service terminated unexpectedly. It has done
this 1 time(s).

Error - 11/14/2009 6:15:32 PM | Computer Name = BRYANDUAL | Source = Service Control Manager | ID = 7034
Description = The Ulead Burning Helper service terminated unexpectedly. It has
done this 1 time(s).

Error - 11/14/2009 6:15:32 PM | Computer Name = BRYANDUAL | Source = Service Control Manager | ID = 7031
Description = The Windows Media Player Network Sharing Service service terminated
unexpectedly. It has done this 1 time(s). The following corrective action will
be taken in 30000 milliseconds: Restart the service.

Error - 11/14/2009 6:17:43 PM | Computer Name = BRYANDUAL | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd

Error - 11/14/2009 8:21:48 PM | Computer Name = BRYANDUAL | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd

Error - 11/15/2009 10:49:43 AM | Computer Name = BRYANDUAL | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd

Error - 11/15/2009 7:12:08 PM | Computer Name = BRYANDUAL | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd

Error - 11/16/2009 10:16:53 AM | Computer Name = BRYANDUAL | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd

Error - 11/16/2009 12:39:21 PM | Computer Name = BRYANDUAL | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd


< End of report >
  • 0


#2
Vacine

    Member

  • Topic Starter
  • Member
  • 41 posts
Update:

Now, when visiting geekstogo Norton Web Safe shows a red X and the details say:

Norton Safe Web has analyzed geekstogo.com for safety and security problems. Below is a sample of the threats that were found.

...

Threats found: 1
Here is a complete list:
Threat Name: Trojan.Dropper
Location: http://siri.geekstog...mitfraudFix.exe

I also frequently see unexpected 404 errors or blank screens instead of web pages.

The file in the location at Geeks to Go above is what we call a false positive, it is one of the tools that we use to assist in removing malware and is nothing to be concerned about. Sometimes anti-virus programs will detect these tools as threats. I am confident that Symantec have been notified of the issue.

Edited by Octagonal, 17 November 2009 - 08:27 PM.

  • 0

#3
hammerman

    Member 4k

  • Member
  • 4,183 posts
Hello Vacine and welcome to GeeksToGo :)
I'm hammerman and I'm going to help you fix your problem.

Sorry for the delay

Before we begin, here are some guidelines which will help us both in fixing your problem.
  • Malware removal is not instantaneous and will take a number of steps to complete. Please continue to carry out the steps requested until I let you know that your computer appears clean.
  • Please do not attach logs or post them in Quote/Code boxes unless requested.
  • I suggest you print or save any instructions I give you for easy reference. We may be using Safe mode and you will not always be able to access this thread. You can copy and paste these instructions into Notepad and then save the text file to your Desktop. If you need any help with this or further clarification, please let me know.
  • When posting logs, please ensure Word Wrap is turned off in Notepad. Open Notepad, select Format on the menu bar and make sure that Word Wrap is unchecked.
  • Please follow the steps exactly in the same order posted. If you can't perform a certain step, or you're unsure on what to do, please stop and let me know.
  • If in doubt about anything, please ask.

As it's been a while, let's get some fresh logs.

Please follow these steps.

-- Step 1 --

To ensure that I get all the information, this log will need to be attached (instructions at the end).

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Disabled MS Config Items
    • Reg - Drivers32
    • Reg - File Associations
    • Reg - SafeBoot Minimal
    • Reg - SafeBoot Network
    • Reg - Shell Spawning
    • Reg - Uninstall List
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Under the Custom Scans box at the bottom left paste the following in

    netsvcs
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    nvstor32.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    ahcix86s.sys
    /md5stop
    %systemroot%\*. /mp /s
    c:\$recycle.bin\*.* /s
    CREATERESTOREPOINT

  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

-- Step 2 --

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.

#4
Vacine

    Member

  • Topic Starter
  • Member
  • 41 posts
Hi hammerman,

Thanks for your help.

I'll do the OTS and GMER scans soon.

Edited by Vacine, 20 December 2009 - 04:47 PM.


#5
Vacine

    Member

  • Topic Starter
  • Member
  • 41 posts
Well, that was unpleasant.

OTS ran with no trouble.

I ran GMER. With nothing noted as a rootkit or otherwise suspicious I didn't know whether to click the Scan button, with the show all box unchecked, or not. I did. Hours later the scan was still running and seemed to be slowing. I clicked the Cancel button but it didn't stop for a long time. The task manager, which took forever to appear, showed both processors at 100% and then it took forever to stop.

Eventually I tried to shut down the computer. Start -> Turn off computer produced the log off box! Clicking log off didn't stop anything. I had to power off to stop it.

I rebooted and ran GMER again (I neglected to save the log before clicking Scan before), saved the log below, and clicked OK. Both processors again at 100% and again I had to power off to stop it.

The OTS log is attached. The GMER log is below.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2009-12-20 19:50:55
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Bryan\LOCALS~1\Temp\awryypoc.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.15 ----

Attached Files

  • OTS.Txt (161.37 KB, 274 downloads)


#6
hammerman

    Member 4k

  • Member
  • 4,183 posts
Hi,

Do you recognise these?

FinisWebsiteBKSched.job
PhosphorGalleryBKSched.job

Please follow these steps.

-- Step 1 --

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Kill All Processes]
[Unregister Dlls]
[Win32 Services - Safe List]
YN -> (XEGJGVPRC) XEGJGVPRC [On_Demand | Stopped] ->
YN -> (WTOGSKWBN) WTOGSKWBN [On_Demand | Stopped] ->
[Empty Temp Folders]
[Start Explorer]
[Reboot]


The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

-- Step 2 --

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google....rotantirootkit/

Unzip it into a folder on your desktop.

Start the Sysprot.exe program.
  • Click on the Log tab.
  • In the Write to log box select all items.
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new Window should appear.
  • Make sure Scan all drives is selected and click on the Start button.
  • When it is complete a new Window will appear to indicate that the scan is finished.
  • The log will be created and saved automatically in the same folder. Open the text file and copy/paste the log here.

-- Step 3 --
  • Please download mbr.exe and save in your root folder C:\
  • Click on start then Run...
  • In the Open: window, type cmd and OK
  • In the command window, enter the following
    cd C:\ (followed by Enter)
    mbr -t > %userprofile%\Desktop\mbr_log.txt (followed by Enter)
  • This will produce a log file mbr_log.txt on your desktop. Please copy/paste the contents of that file in your reply


#7
Vacine

    Member

  • Topic Starter
  • Member
  • 41 posts
Hi hammerman,

I do recognize these: FinisWebsiteBKSched.job and PhosphorGalleryBKSched.job. They are scheduled backups I set up using the Windows Backup utility. I stopped them from happening during the scans (I think I did).

I'll do the steps you gave this evening.

Thank you very much for your help.

Vacine

Edited by Vacine, 21 December 2009 - 08:28 PM.


#8
hammerman

    Member 4k

  • Member
  • 4,183 posts
OK. Thanks for letting me know.

#9
Vacine

    Member

  • Topic Starter
  • Member
  • 41 posts
Hi hammerman,

OTS ran fine with the fix. Its log is below.

SysProt ran and made the log below, but afterward its window would not respond to any mouse clicks. I stopped it with Task Manager, which took a minute or so before it stopped. Then both processors were at 100%. There were two processes called dumprep.exe that had 32 in the Task Manager CPU column. I restarted with Start->Turn off computer->Restart before running mbr.

Why don't GMER and Sysprot stop normally? What causes the 100% cpu usage?


--- mbr ---

mbr produced this error (typed from a Paint Shop screen grab):

16 bit MS-DOS Subsystem

C:\WINDOWS/system32\cmd.exe - mbr -t and Settings\Bryan\Desktop\mbr_log.txt
The NTVDM CPU has encountered an illegal instruction.
CS:056c IP:039b OP:63 65 3d 74 69 Choose 'Close' to terminate the application.


--- OTS LOG ---

All Processes Killed
[Win32 Services - Safe List]
Service XEGJGVPRC stopped successfully!
Service WTOGSKWBN stopped successfully!
[Empty Temp Folders]


User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Bryan
->Temp folder emptied: 9460475 bytes
->Temporary Internet Files folder emptied: 4713536 bytes
->Java cache emptied: 13690431 bytes
->FireFox cache emptied: 28969124 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Phosphor Gallery
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 82403 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 10438874 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34318 bytes
RecycleBin emptied: 414919 bytes

Total Files Cleaned = 65.00 mb

< End of fix log >
OTS by OldTimer - Version 3.1.12.0 fix logfile created on 12212009_195204

Files\Folders moved on Reboot...
File\Folder C:\WINDOWS\temp\JETDA33.tmp not found!
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_398.dat not found!

Registry entries deleted on Reboot...


--- SYSPROT LOG ---

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: System
PID: 4
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\smss.exe
PID: 1000
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\csrss.exe
PID: 1088
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\winlogon.exe
PID: 1112
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 1156
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\lsass.exe
PID: 1168
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1316
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1396
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1436
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1660
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1760
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\LexBceS.exe
PID: 1932
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\spoolsv.exe
PID: 1972
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\Lexpps.exe
PID: 2008
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 248
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
PID: 280
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 372
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
PID: 472
Hidden: No
Window Visible: No

Name: C:\Program Files\Java\jre6\bin\jqs.exe
PID: 536
Hidden: No
Window Visible: No

Name: C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
PID: 632
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\nvsvc32.exe
PID: 704
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 808
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
PID: 856
Hidden: No
Window Visible: No

Name: C:\Program Files\Windows Media Player\wmpnetwk.exe
PID: 1028
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\inetsrv\inetinfo.exe
PID: 2276
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\alg.exe
PID: 2288
Hidden: No
Window Visible: No

Name: C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
PID: 2704
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wscntfy.exe
PID: 2740
Hidden: No
Window Visible: No

Name: C:\WINDOWS\explorer.exe
PID: 2880
Hidden: No
Window Visible: No

Name: C:\WINDOWS\SOUNDMAN.EXE
PID: 3472
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\VTTimer.exe
PID: 3492
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
PID: 3552
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\rundll32.exe
PID: 3596
Hidden: No
Window Visible: No

Name: C:\Program Files\Java\jre6\bin\jusched.exe
PID: 3624
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ctfmon.exe
PID: 3712
Hidden: No
Window Visible: No

Name: C:\Program Files\Microsoft Office\Office\OSA.EXE
PID: 2000
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wbem\wmiprvse.exe
PID: 2608
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\Bryan\Desktop\SysProt\SysProt.exe
PID: 1292
Hidden: No
Window Visible: Yes

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \??\C:\Documents and Settings\Bryan\Desktop\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: AB8C6000
Module End: AB8D1000
Hidden: No

Module Name: \WINDOWS\system32\ntkrnlpa.exe
Service Name: ---
Module Base: 804D7000
Module End: 806E4000
Hidden: No

Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806E4000
Module End: 80704D00
Hidden: No

Module Name: \WINDOWS\system32\KDCOM.DLL
Service Name: ---
Module Base: BA5A8000
Module End: BA5AA000
Hidden: No

Module Name: \WINDOWS\system32\BOOTVID.dll
Service Name: ---
Module Base: BA4B8000
Module End: BA4BB000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: B9F79000
Module End: B9FA7000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\WMILIB.SYS
Service Name: ---
Module Base: BA5AA000
Module End: BA5AC000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pci.sys
Service Name: PCI
Module Base: B9F68000
Module End: B9F79000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\isapnp.sys
Service Name: isapnp
Module Base: BA0A8000
Module End: BA0B2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ohci1394.sys
Service Name: ohci1394
Module Base: BA0B8000
Module End: BA0C8000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\1394BUS.SYS
Service Name: ---
Module Base: BA0C8000
Module End: BA0D6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pciide.sys
Service Name: PCIIde
Module Base: BA670000
Module End: BA671000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Service Name: ---
Module Base: BA328000
Module End: BA32F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\aliide.sys
Service Name: AliIde
Module Base: BA5AC000
Module End: BA5AE000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\cmdide.sys
Service Name: CmdIde
Module Base: BA5AE000
Module End: BA5B0000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\toside.sys
Service Name: TosIde
Module Base: BA5B0000
Module End: BA5B2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\viaide.sys
Service Name: ViaIde
Module Base: BA5B2000
Module End: BA5B4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\intelide.sys
Service Name: IntelIde
Module Base: BA5B4000
Module End: BA5B6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys
Service Name: MountMgr
Module Base: BA0D8000
Module End: BA0E3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys
Service Name: Disk
Module Base: B9F49000
Module End: B9F68000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmload.sys
Service Name: dmload
Module Base: BA5B6000
Module End: BA5B8000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmio.sys
Service Name: dmio
Module Base: B9F23000
Module End: B9F49000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys
Service Name: PartMgr
Module Base: BA330000
Module End: BA335000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys
Service Name: VolSnap
Module Base: BA0E8000
Module End: BA0F5000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pnp680r.sys
Service Name: Pnp680r
Module Base: B9F10000
Module End: B9F23000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
Service Name: ScsiPort
Module Base: B9EF8000
Module End: B9F10000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\cpqarray.sys
Service Name: Cpqarray
Module Base: BA4BC000
Module End: BA4C0000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\iaStor.sys
Service Name: iaStor
Module Base: B9E22000
Module End: B9EF8000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\atapi.sys
Service Name: atapi
Module Base: B9E0A000
Module End: B9E22000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\aha154x.sys
Service Name: Aha154x
Module Base: BA4C0000
Module End: BA4C4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sparrow.sys
Service Name: Sparrow
Module Base: BA338000
Module End: BA33D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\symc810.sys
Service Name: symc810
Module Base: BA4C4000
Module End: BA4C8000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\aic78xx.sys
Service Name: aic78xx
Module Base: BA0F8000
Module End: BA106000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dac960nt.sys
Service Name: dac960nt
Module Base: BA4C8000
Module End: BA4CC000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ql10wnt.sys
Service Name: Ql10wnt
Module Base: BA108000
Module End: BA111000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\amsint.sys
Service Name: amsint
Module Base: BA4CC000
Module End: BA4CF000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\asc.sys
Service Name: asc
Module Base: BA340000
Module End: BA347000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\asc3550.sys
Service Name: asc3550
Module Base: BA4D0000
Module End: BA4D4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\mraid35x.sys
Service Name: mraid35x
Module Base: BA348000
Module End: BA34D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\i2omp.sys
Service Name: i2omp
Module Base: BA350000
Module End: BA355000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ini910u.sys
Service Name: ini910u
Module Base: BA4D4000
Module End: BA4D8000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ql1240.sys
Service Name: ql1240
Module Base: BA118000
Module End: BA122000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\aic78u2.sys
Service Name: aic78u2
Module Base: BA128000
Module End: BA136000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\symc8xx.sys
Service Name: symc8xx
Module Base: BA358000
Module End: BA360000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sym_hi.sys
Service Name: sym_hi
Module Base: BA360000
Module End: BA367000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sym_u3.sys
Service Name: sym_u3
Module Base: BA368000
Module End: BA370000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ABP480N5.SYS
Service Name: abp480n5
Module Base: BA370000
Module End: BA376000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\asc3350p.sys
Service Name: asc3350p
Module Base: BA378000
Module End: BA37E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\cd20xrnt.sys
Service Name: cd20xrnt
Module Base: BA5B8000
Module End: BA5BA000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ultra.sys
Service Name: ultra
Module Base: BA138000
Module End: BA141000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\adpu160m.sys
Service Name: adpu160m
Module Base: B9DF1000
Module End: B9E0A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dpti2o.sys
Service Name: dpti2o
Module Base: BA380000
Module End: BA385000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ql1080.sys
Service Name: ql1080
Module Base: BA148000
Module End: BA152000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ql1280.sys
Service Name: ql1280
Module Base: BA158000
Module End: BA164000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ql12160.sys
Service Name: ql12160
Module Base: BA168000
Module End: BA174000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\perc2.sys
Service Name: perc2
Module Base: BA388000
Module End: BA38F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\perc2hib.sys
Service Name: perc2hib
Module Base: BA5BA000
Module End: BA5BC000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\hpn.sys
Service Name: hpn
Module Base: BA390000
Module End: BA397000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\cbidf2k.sys
Service Name: cbidf
Module Base: BA4D8000
Module End: BA4DC000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dac2w2k.sys
Service Name: dac2w2k
Module Base: B9DC5000
Module End: B9DF1000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\viamraid.sys
Service Name: viamraid
Module Base: B9DB2000
Module End: B9DC5000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\disk.sys
Service Name: ---
Module Base: BA178000
Module End: BA181000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Service Name: ---
Module Base: BA188000
Module End: BA195000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\fltmgr.sys
Service Name: FltMgr
Module Base: B9D92000
Module End: B9DB2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sr.sys
Service Name: sr
Module Base: B9D80000
Module End: B9D92000
Hidden: No

Module Name: SYMEFA.SYS
Service Name: SymEFA
Module Base: B9D31000
Module End: B9D80000
Hidden: Yes

Module Name: C:\WINDOWS\system32\drivers\PxHelp20.sys
Service Name: PxHelp20
Module Base: BA198000
Module End: BA1A1000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys
Service Name: KSecDD
Module Base: B9D1A000
Module End: B9D31000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys
Service Name: Ntfs
Module Base: B9C8D000
Module End: B9D1A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\NDIS.sys
Service Name: NDIS
Module Base: B9C60000
Module End: B9C8D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\viaagp.sys
Service Name: viaagp
Module Base: BA1A8000
Module End: BA1B3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\uagp35.sys
Service Name: uagp35
Module Base: BA1B8000
Module End: BA1C3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\viaagp1.sys
Service Name: viaagp1
Module Base: BA398000
Module End: BA39F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Mup.sys
Service Name: Mup
Module Base: B9C46000
Module End: B9C60000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\gagp30kx.sys
Service Name: gagp30kx
Module Base: BA1C8000
Module End: BA1D4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\amdagp.sys
Service Name: amdagp
Module Base: BA1D8000
Module End: BA1E3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\alim1541.sys
Service Name: alim1541
Module Base: BA1E8000
Module End: BA1F3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\agpCPQ.sys
Service Name: agpCPQ
Module Base: BA1F8000
Module End: BA203000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\tunmp.sys
Service Name: tunmp
Module Base: BA570000
Module End: BA573000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Service Name: intelppm
Module Base: B96DC000
Module End: B96E5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
Service Name: nv
Module Base: B87AE000
Module End: B8D88000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Service Name: ---
Module Base: B879A000
Module End: B87AE000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ltmdmnt.sys
Service Name: ltmodem5
Module Base: B8705000
Module End: B879A000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Modem.SYS
Service Name: Modem
Module Base: BA458000
Module End: BA460000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
Service Name: RTL8023xp
Module Base: B86E5000
Module End: B8705000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\imapi.sys
Service Name: Imapi
Module Base: B96CC000
Module End: B96D7000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pfc.sys
Service Name: pfc
Module Base: BA57C000
Module End: BA57F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Service Name: Cdrom
Module Base: B96BC000
Module End: B96CC000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\redbook.sys
Service Name: redbook
Module Base: B96AC000
Module End: B96BB000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ks.sys
Service Name: ---
Module Base: B86C2000
Module End: B86E5000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys
Service Name: GEARAspiWDM
Module Base: BA460000
Module End: BA467000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Service Name: usbuhci
Module Base: BA468000
Module End: BA46E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: B869E000
Module End: B86C2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: BA470000
Module End: BA478000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ALCXWDM.SYS
Service Name: ALCXWDM
Module Base: B830F000
Module End: B869E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\portcls.sys
Service Name: ---
Module Base: B82EB000
Module End: B830F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\drmk.sys
Service Name: ---
Module Base: B969C000
Module End: B96AB000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\serial.sys
Service Name: Serial
Module Base: B968C000
Module End: B969C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\serenum.sys
Service Name: Serenum
Module Base: BA584000
Module End: BA588000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\parport.sys
Service Name: Parport
Module Base: B82D7000
Module End: B82EB000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Service Name: i8042prt
Module Base: BA228000
Module End: BA235000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Service Name: Kbdclass
Module Base: BA480000
Module End: BA486000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\audstub.sys
Service Name: audstub
Module Base: BA7C9000
Module End: BA7CA000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: BA238000
Module End: BA245000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: BA588000
Module End: BA58B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: B82C0000
Module End: B82D7000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: B8E18000
Module End: B8E23000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: B8E08000
Module End: B8E14000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: BA488000
Module End: BA48D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\psched.sys
Service Name: PSched
Module Base: B82AF000
Module End: B82C0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Service Name: Gpc
Module Base: B8DF8000
Module End: B8E01000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Service Name: Ptilink
Module Base: B8E70000
Module End: B8E75000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspti.sys
Service Name: Raspti
Module Base: B8E68000
Module End: B8E6D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Service Name: rdpdr
Module Base: B827F000
Module End: B82AF000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: B8DE8000
Module End: B8DF2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Service Name: Mouclass
Module Base: B8E60000
Module End: B8E66000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\SymIM.sys
Service Name: SymIM
Module Base: B8E58000
Module End: B8E60000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: BA5EE000
Module End: BA5F0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\update.sys
Service Name: Update
Module Base: B8221000
Module End: B827F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: B9B82000
Module End: B9B86000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\MarvinBus.sys
Service Name: MarvinBus
Module Base: B820D000
Module End: B8221000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: BA2E8000
Module End: BA2F2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MODEMCSA.sys
Service Name: MODEMCSA
Module Base: BA578000
Module End: BA57C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: B5431000
Module End: B5440000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: BA622000
Module End: BA624000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\i2omgmt.SYS
Service Name: i2omgmt
Module Base: B7586000
Module End: B7589000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Service Name: Fs_Rec
Module Base: BA62C000
Module End: BA62E000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
Service Name: Null
Module Base: BA792000
Module End: BA793000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: BA62E000
Module End: BA630000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\vga.sys
Service Name: VgaSave
Module Base: B3922000
Module End: B3928000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Service Name: mnmdd
Module Base: BA630000
Module End: BA632000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: BA632000
Module End: BA634000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: B391A000
Module End: B391F000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: B3912000
Module End: B391A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: B7572000
Module End: B7575000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Service Name: IPSec
Module Base: B27D3000
Module End: B27E6000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: B277A000
Module End: B27D3000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Service Name: IpNat
Module Base: B2754000
Module End: B277A000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NIS\1007020.00B\SYMTDI.SYS
Service Name: SYMTDI
Module Base: B2720000
Module End: B2754000
Hidden: No

Module Name: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
Service Name: SymEvent
Module Base: B26FB000
Module End: B2720000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbprint.sys
Service Name: usbprint
Module Base: B392A000
Module End: B3931000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NIS\1007020.00B\SYMNDIS.SYS
Service Name: SYMNDIS
Module Base: B390A000
Module End: B3912000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NIS\1007020.00B\SYMFW.SYS
Service Name: SYMFW
Module Base: B0E2E000
Module End: B0E43000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NIS\1007020.00B\SYMIDS.SYS
Service Name: SYMIDS
Module Base: B38FA000
Module End: B3901000
Hidden: No

Module Name: \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20091217.002\IDSxpx86.sys
Service Name: IDSxpx86
Module Base: B0D9B000
Module End: B0DEF000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbt.sys
Service Name: NetBT
Module Base: B0D73000
Module End: B0D9B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\tcpip6.sys
Service Name: Tcpip6
Module Base: B0D1B000
Module End: B0D53000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\afd.sys
Service Name: AFD
Module Base: B0CF9000
Module End: B0D1B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: B8D88000
Module End: B8D91000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\NIS\1007020.00B\SRTSPX.SYS
Service Name: SRTSPX
Module Base: BA318000
Module End: BA322000
Hidden: No

Module Name: \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
Service Name: SASKUTIL
Module Base: B0C91000
Module End: B0CB6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ip6fw.sys
Service Name: Ip6Fw
Module Base: B8DB8000
Module End: B8DC1000
Hidden: No

Module Name: \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
Service Name: SASDIFSV
Module Base: B1A3B000
Module End: B1A41000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Service Name: Rdbss
Module Base: B0C1A000
Module End: B0C45000
Hidden: No

Module Name: \??\C:\WINDOWS\system32\drivers\pclepci.sys
Service Name: PCLEPCI
Module Base: B2A75000
Module End: B2A79000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Service Name: MRxSmb
Module Base: B0BAA000
Module End: B0C1A000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS
Service Name: Fips
Module Base: BA258000
Module End: BA263000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Service Name: HidUsb
Module Base: B26D7000
Module End: B26DA000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Service Name: ---
Module Base: BA2A8000
Module End: BA2B1000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Service Name: ---
Module Base: BA3A8000
Module End: BA3AF000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Service Name: mouhid
Module Base: B3962000
Module End: B3965000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: B3862000
Module End: B386B000
Hidden: No

Module Name: \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
Service Name: eeCtrl
Module Base: AC5FF000
Module End: AC65D000
Hidden: No

Module Name: \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
Service Name: EraserUtilRebootDrv
Module Base: AC5E2000
Module End: AC5FF000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NIS\1007020.00B\ccHPx86.sys
Service Name: ccHP
Module Base: AC567000
Module End: AC5E2000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NIS\1007020.00B\BHDrvx86.sys
Service Name: BHDrvx86
Module Base: AC525000
Module End: AC567000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Service Name: Cdfs
Module Base: AD186000
Module End: AD196000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_diskdump.sys
Service Name: ---
Module Base: ADC8D000
Module End: ADC91000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_viamraid.sys
Service Name: ---
Module Base: AC512000
Module End: AC525000
Hidden: Yes

Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: AD397000
Module End: AD39A000
Hidden: No

Module Name: C:\WINDOWS\System32\watchdog.sys
Service Name: ---
Module Base: AD32F000
Module End: AD334000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys
Service Name: ---
Module Base: BA6C9000
Module End: BA6CA000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys
Service Name: NwlnkIpx
Module Base: AC2FE000
Module End: AC314000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\nwlnknb.sys
Service Name: NwlnkNb
Module Base: B9C06000
Module End: B9C16000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Service Name: Ndisuio
Module Base: AF9AD000
Module End: AF9B1000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys
Service Name: NwlnkSpx
Module Base: ACC9E000
Module End: ACCAC000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Service Name: MRxDAV
Module Base: AC281000
Module End: AC2AE000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\atksgt.sys
Service Name: atksgt
Module Base: AC216000
Module End: AC259000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys
Service Name: HTTP
Module Base: AC1D5000
Module End: AC216000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys
Service Name: wdmaud
Module Base: AC170000
Module End: AC185000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys
Service Name: sysaudio
Module Base: B2F40000
Module End: B2F4F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\lirsgt.sys
Service Name: lirsgt
Module Base: BA418000
Module End: BA41D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
Service Name: mdmxsdk
Module Base: AC265000
Module End: AC269000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\srv.sys
Service Name: Srv
Module Base: AC0A8000
Module End: AC0FA000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\kmixer.sys
Service Name: kmixer
Module Base: AA9B6000
Module End: AA9E1000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\fdc.sys
Service Name: Fdc
Module Base: BA478000
Module End: BA47F000
Hidden: No

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwAlertResumeThread
Address: 89F2B2E0
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwAlertThread
Address: 89D3A1A8
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwAllocateVirtualMemory
Address: 8A5324B8
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwAssignProcessToJobObject
Address: 8A4D5340
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwConnectPort
Address: 8A232E30
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwCreateKey
Address: B2711130
Driver Base: B26FB000
Driver End: B2720000
Driver Name: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

Function Name: ZwCreateMutant
Address: 89EE81A8
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwCreateSymbolicLinkObject
Address: 8A4E2168
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwCreateThread
Address: 8A541888
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwDebugActiveProcess
Address: 8A514BD8
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwDeleteKey
Address: B27113B0
Driver Base: B26FB000
Driver End: B2720000
Driver Name: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

Function Name: ZwDeleteValueKey
Address: B2711910
Driver Base: B26FB000
Driver End: B2720000
Driver Name: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

Function Name: ZwDuplicateObject
Address: 8A619D28
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwFreeVirtualMemory
Address: 8A543CD0
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwImpersonateAnonymousToken
Address: 8A506A90
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwImpersonateThread
Address: 8A4EA088
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwLoadDriver
Address: 8A57FE30
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwMapViewOfSection
Address: 8A53AD80
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenEvent
Address: 8A5E0128
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenProcess
Address: 8A4C5370
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenProcessToken
Address: 8A5E3618
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenSection
Address: 8A4A02A0
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenThread
Address: 8A5C8EB8
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwProtectVirtualMemory
Address: 8A50B128
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwResumeThread
Address: 8A725A90
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSetContextThread
Address: 8A5B4928
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSetInformationProcess
Address: 89DDE108
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSetSystemInformation
Address: 8A547110
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSetValueKey
Address: B2711B60
Driver Base: B26FB000
Driver End: B2720000
Driver Name: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

Function Name: ZwSuspendProcess
Address: 8A519F48
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSuspendThread
Address: 8A5641E8
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwTerminateProcess
Address: 8A5E35D0
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwTerminateThread
Address: 8A5B0D70
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwUnmapViewOfSection
Address: 8A5C01D0
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwWriteVirtualMemory
Address: 8A651F00
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
No IRP Hooks found

******************************************************************************************
******************************************************************************************
Ports:
Local Address: BRYANDUAL:5152
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: LISTENING

Local Address: BRYANDUAL:1032
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
State: LISTENING

Local Address: BRYANDUAL:1030
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\alg.exe
State: LISTENING

Local Address: BRYANDUAL:1025
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\Lexpps.exe
State: LISTENING

Local Address: BRYANDUAL:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: BRYANDUAL:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: BRYANDUAL:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: BRYANDUAL:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: BRYANDUAL:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: BRYANDUAL:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: BRYANDUAL:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: E:\System Volume Information\EfaData
Status: Access denied

Object: E:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: E:\System Volume Information\tracking.log
Status: Access denied

Object: E:\System Volume Information\_restore{2C4EEC66-1D4D-4D88-B177-DA8A21110D8A}
Status: Access denied

Object: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\SRTSP\SrtETmp\45BAAB10.TMP
Status: Access denied

Object: C:\System Volume Information\catalog.wci
Status: Access denied

Object: C:\System Volume Information\EfaData
Status: Access denied

Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\_restore{2C4EEC66-1D4D-4D88-B177-DA8A21110D8A}
Status: Access denied
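Reading a RootRepeal log like the one above comes down to two checks: which modules reported as hidden fall outside the usual benign cases, and whose code each SSDT hook address actually lands in. The helper below is an added example (it is neither RootRepeal's code nor anything posted in this thread) that does both over the log's own layout. Its sample input is a constructed excerpt that reuses the SYMEVENT.SYS and dump_diskdump.sys ranges and two hook addresses from the log above, plus one invented hidden module ("constructed_hidden.sys") so the hidden-module check has something to flag.

```python
"""Triage helper for RootRepeal-style scan logs (added example; not RootRepeal's
code and not posted by anyone in this thread). Parses the "Module Name:" and
"SSDT:" blocks in the layout shown above and reports: hidden modules outside a
small known-benign list, SSDT handlers that lie inside no listed module, and
entries where the tool's own driver attribution disagrees with the ranges."""
import re
from collections import namedtuple

# Constructed excerpt in the posted layout. The SYMEVENT and dump_diskdump
# ranges and the two hook addresses are copied from the thread's log;
# "constructed_hidden.sys" and its range are invented for the demonstration.
SAMPLE_LOG = r"""
Module Name: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
Module Base: B26FB000
Module End: B2720000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_diskdump.sys
Module Base: ADC8D000
Module End: ADC91000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\constructed_hidden.sys
Module Base: A0000000
Module End: A0010000
Hidden: Yes

SSDT:
Function Name: ZwCreateKey
Address: B2711130
Driver Base: B26FB000
Driver End: B2720000
Driver Name: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

Function Name: ZwOpenProcess
Address: 8A4C5370
Driver Base: 0
Driver End: 0
Driver Name: _unknown_
"""

Module = namedtuple("Module", "name base end hidden")
Hook = namedtuple("Hook", "function address driver")  # driver: the tool's attribution

# Windows loads crash-dump copies of the storage stack (dump_*.sys) outside the
# normal loaded-module list, so scanners routinely report them as hidden.
BENIGN_HIDDEN_PREFIXES = ("dump_",)


def _blocks(text):
    """Yield each blank-line-separated block as a {key: value} dict."""
    for raw in re.split(r"\n\s*\n", text):
        fields = {}
        for line in raw.splitlines():
            if ": " in line:  # skips the banner lines and the bare "SSDT:" header
                key, value = line.split(": ", 1)
                fields[key.strip()] = value.strip()
        if fields:
            yield fields


def parse_log(text):
    """Return (modules, hooks) parsed from the log text."""
    modules, hooks = [], []
    for f in _blocks(text):
        if "Module Name" in f:
            modules.append(Module(f["Module Name"], int(f["Module Base"], 16),
                                  int(f["Module End"], 16), f.get("Hidden") == "Yes"))
        elif "Function Name" in f:
            hooks.append(Hook(f["Function Name"], int(f["Address"], 16),
                              f.get("Driver Name", "_unknown_")))
    return modules, hooks


def module_for(address, modules):
    """Return the listed module whose [base, end) range contains address, if any."""
    return next((m for m in modules if m.base <= address < m.end), None)


def triage(text):
    modules, hooks = parse_log(text)
    report = {"hidden_modules": [], "unresolved_hooks": [],
              "hooks_by_driver": {}, "disagreements": []}
    for m in modules:
        basename = m.name.rsplit("\\", 1)[-1].lower()
        if m.hidden and not basename.startswith(BENIGN_HIDDEN_PREFIXES):
            report["hidden_modules"].append(m.name)
    for h in hooks:
        owner = module_for(h.address, modules)
        if owner is None:
            # Handler lies outside every driver image (e.g. in kernel pool); not
            # proof of a rootkit, but it has to be attributed by other means.
            report["unresolved_hooks"].append(h.function)
        else:
            report["hooks_by_driver"].setdefault(owner.name, []).append(h.function)
        if h.driver != "_unknown_" and (owner is None or owner.name != h.driver):
            report["disagreements"].append(h.function)
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the full log above, every SSDT entry except the four owned by SYMEVENT.SYS would land in unresolved_hooks: their handlers sit in the 0x89xxxxxx to 0x8Axxxxxx region, inside no module the scanner listed. On its own that neither confirms nor rules out a rootkit; it means the attribution has to come from elsewhere, for instance from knowing which security products are installed and whether the hooks disappear when they are removed. The dump_*.sys entries, by contrast, are the expected hidden modules on an XP box and are allowlisted for that reason.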

#10
hammerman

hammerman

    Member 4k

  • Member
  • 4,183 posts
Hi,

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

#11
Vacine

Vacine

    Member

  • Topic Starter
  • Member
  • 41 posts
Hi hammerman,

The redirection while web surfing has occurred again.

I ran ComboFix and it needed the recovery console. I turned the modem back on, without re-enabling Norton Internet Security, and the console was downloaded and installed. Then I turned the modem off again. I didn't watch while ComboFix ran, but when I came back to the computer it was restarting. I logged on again and the ComboFix window appeared saying it was making a log. Again a restart while I wasn't watching. The Windows error reporting window appeared saying that Windows had recovered from a serious error. A window appeared saying that Norton's SONAR system failed to start. ComboFix's window appeared with the same message.

I thought the error may have compromised the ComboFix run and started a new one, which completed without anything strange happening. The log below is from that run.

NOTE: I upgraded to Norton Internet Security 2010 after finishing with ComboFix.

--- COMBOFIX LOG ---

ComboFix 09-12-20.08 - Bryan 12/22/2009 20:29:11.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1608 [GMT -7:00]
Running from: c:\documents and settings\Bryan\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((( Files Created from 2009-11-23 to 2009-12-23 )))))))))))))))))))))))))))))))
.

2009-12-23 03:10 . 2009-08-26 00:09 165240 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2009-12-23 01:01 . 2009-11-16 09:00 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091222.023\NAVENG.SYS
2009-12-23 01:01 . 2009-11-16 09:00 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091222.023\EECTRL.SYS
2009-12-23 01:01 . 2009-11-16 09:00 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091222.023\ECMSVR32.DLL
2009-12-23 01:01 . 2009-11-16 09:00 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091222.023\NAVENG32.DLL
2009-12-23 01:01 . 2009-11-16 09:00 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091222.023\NAVEX32A.DLL
2009-12-23 01:01 . 2009-11-16 09:00 1323568 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091222.023\NAVEX15.SYS
2009-12-23 01:01 . 2009-11-16 09:00 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091222.023\ERASER.SYS
2009-12-23 01:01 . 2009-12-09 09:00 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091222.023\CCERASER.DLL
2009-12-22 02:52 . 2009-12-22 02:52 -------- d-----w- C:\_OTS
2009-12-22 02:43 . 2009-12-22 02:43 1365 ----a-w- C:\mbr.exe
2009-12-20 00:02 . 2009-12-20 00:54 -------- d-----w- C:\ArtGalleryV3Work
2009-12-19 15:33 . 2009-12-20 21:56 52224 ----a-w- c:\documents and settings\Bryan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-19 00:34 . 2009-11-05 08:30 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091217.002\Scxpx86.dll
2009-12-19 00:34 . 2009-11-05 08:30 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091217.002\IDSxpx86.dll
2009-12-19 00:34 . 2009-11-05 08:30 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091217.002\IDSviA64.sys
2009-12-19 00:34 . 2009-11-05 08:30 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091217.002\IDSvix86.sys
2009-12-19 00:34 . 2009-11-05 08:30 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091217.002\IDSXpx86.sys
2009-12-17 20:48 . 2009-11-05 08:30 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091216.001\Scxpx86.dll
2009-12-17 20:48 . 2009-11-05 08:30 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091216.001\IDSxpx86.dll
2009-12-17 20:48 . 2009-11-05 08:30 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091216.001\IDSXpx86.sys
2009-12-17 20:48 . 2009-11-05 08:30 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091216.001\IDSviA64.sys
2009-12-17 20:48 . 2009-11-05 08:30 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091216.001\IDSvix86.sys
2009-12-04 23:57 . 2009-12-04 23:57 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-20 21:56 . 2009-10-24 19:53 117760 ----a-w- c:\documents and settings\Bryan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-19 15:31 . 2009-10-24 19:51 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-14 04:49 . 2008-09-10 02:46 -------- d-----w- c:\documents and settings\Bryan\Application Data\Move Networks
2009-12-05 01:25 . 2009-10-24 21:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-03 23:14 . 2009-10-24 21:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 23:13 . 2009-10-24 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-16 18:58 . 2009-11-16 17:20 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-11-16 18:58 . 2009-11-16 17:20 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-11-16 18:58 . 2009-11-16 17:20 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-11-16 18:58 . 2009-11-16 17:20 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-11-16 18:58 . 2009-11-16 17:20 -------- d-----w- c:\program files\Symantec
2009-11-16 18:57 . 2009-11-16 17:20 554352 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
2009-11-16 18:55 . 2006-05-23 01:28 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-16 17:19 . 2009-11-16 17:19 1294680 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll
2009-11-03 20:46 . 2009-08-25 22:36 -------- d-----w- c:\program files\Java
2009-11-03 20:45 . 2009-11-03 20:45 152576 ----a-w- c:\documents and settings\Bryan\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-10-29 07:45 . 2004-08-27 21:40 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-27 03:11 . 2006-05-20 03:40 44296 ----a-w- c:\documents and settings\Bryan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-24 21:49 . 2009-10-24 21:48 -------- d-----w- c:\program files\ERUNT
2009-10-24 19:51 . 2009-10-24 19:51 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-24 19:51 . 2009-10-24 19:51 -------- d-----w- c:\documents and settings\Bryan\Application Data\SUPERAntiSpyware.com
2009-10-24 19:49 . 2009-10-24 19:49 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-24 19:25 . 2004-08-27 23:28 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-24 19:25 . 2006-12-19 03:12 -------- d-----w- c:\program files\Pinnacle
2009-10-24 18:56 . 2009-03-30 23:43 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-24 18:56 . 2009-03-30 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-21 05:38 . 2004-08-27 21:40 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-27 21:40 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 05:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-15 00:50 . 2009-10-15 00:50 97216 ----a-w- c:\documents and settings\Bryan\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-10-14 03:36 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\Bryan\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-10-14 03:36 . 2009-10-14 03:35 1407680 ----a-w- c:\documents and settings\Bryan\Application Data\Move Networks\MoveMediaPlayerWin_071505000010.exe
2009-10-13 10:30 . 2004-08-27 21:40 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-27 21:40 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-27 21:40 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 11:17 . 2009-08-25 22:37 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-08 21:57 . 2008-07-30 01:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2009-10-08 21:57 . 2004-08-27 21:40 220160 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 21:56 . 2004-08-27 21:40 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2009-09-27 02:09 . 2009-09-27 02:09 1686272 ----a-w- c:\documents and settings\Bryan\Application Data\Move Networks\MoveMediaPlayerWin_071503000010.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="c:\program files\Internet Explorer\iexplore.exe" [2009-03-08 638816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-09-22 90112]
"VTTimer"="VTTimer.exe" [2005-03-08 53248]
"VTTrayp"="VTtrayp.exe" [2005-03-11 147456]
"PrinTray"="c:\windows\System32\spool\DRIVERS\W32X86\2\printray.exe" [2001-09-06 36864]
"UVS11 Preload"="c:\program files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe" [2007-07-23 341232]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-21 213936]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"nwiz"="nwiz.exe" [2008-09-18 1657376]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\documents and settings\Bryan\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-7-10 122880]
MySQL System Tray Monitor.lnk - c:\program files\MySQL\MySQL Tools for 5.0\MySQLSystemTrayMonitor.exe [2007-5-8 1026048]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-16 51984]
PowerReg Scheduler.exe [2007-12-3 225280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-7-10 122880]
PKZIP Attachments Status.lnk - c:\program files\PKWARE\PKZIPM\9.00.0010\PKTray.exe [2006-11-12 169552]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-4-7 663552]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LXSUPMON"=c:\windows\system32\LXSUPMON.EXE RUN
"PinnacleDriverCheck"=c:\windows\system32\PSDrvCheck.exe -CheckReg
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1007020.00B\SymEFA.sys [11/16/2009 11:58 AM 310320]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1007020.00B\cchpx86.sys [11/16/2009 11:57 AM 482432]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 8:24 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 8:24 PM 74480]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe [11/16/2009 11:58 AM 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/16/2009 2:00 AM 102448]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 8:24 PM 7408]
S3 WTOGSKWBN;WTOGSKWBN;c:\docume~1\Bryan\LOCALS~1\Temp\WTOGSKWBN.exe --> c:\docume~1\Bryan\LOCALS~1\Temp\WTOGSKWBN.exe [?]
S3 XEGJGVPRC;XEGJGVPRC;c:\docume~1\Bryan\LOCALS~1\Temp\XEGJGVPRC.exe --> c:\docume~1\Bryan\LOCALS~1\Temp\XEGJGVPRC.exe [?]
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ptec/defaults/su/*http://www.yahoo.com
TCP: {A3DBBCEF-36FF-43F8-A347-F6E9B4CC0A8E} = 192.168.0.1
FF - ProfilePath - c:\documents and settings\Bryan\Application Data\Mozilla\Firefox\Profiles\2klw6kkj.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\Bryan\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\Bryan\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9b.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-22 20:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.7.2.11\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" \"MySQL\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3758444144-2336854130-2296049936-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1112)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2720)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-12-22 20:37:20
ComboFix-quarantined-files.txt 2009-12-23 03:37

Pre-Run: 129,905,635,328 bytes free
Post-Run: 129,865,469,952 bytes free

- - End Of File - - 80A85F142A3D853B2E9BD1F73A2D8EF9

Edited by Vacine, 23 December 2009 - 09:55 AM.


#12
hammerman

hammerman

    Member 4k

  • Member
  • 4,183 posts
Hi,

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
c:\docume~1\Bryan\LOCALS~1\Temp\WTOGSKWBN.exe
c:\docume~1\Bryan\LOCALS~1\Temp\XEGJGVPRC.exe

Folder::

Registry::

Driver::
WTOGSKWBN
XEGJGVPRC


Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
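The two entries targeted in the CFScript above come straight from the Drivers/Services section of the ComboFix log in the previous post: services whose image is an .exe under the user's Temp folder and which ComboFix marks with "[?]" because the file is no longer on disk. As an added example (not ComboFix's code, and not posted by anyone in this thread), the script below applies exactly those two heuristics to the service lines copied from that log and renders the same File::/Driver:: layout for the high-confidence hits, leaving a borderline entry such as Lbd (registered driver, file gone, path outside Temp) for a person to decide.

```python
"""Triage of the ComboFix "Drivers/Services" lines (the R0/R1/S3 ... entries).
Added example: not ComboFix's code and not posted by anyone in this thread. The
heuristics (image under a Temp directory, image file missing) single out the
same two entries hammerman removed, and the script it renders uses the
File::/Driver:: layout of his CFScript."""
import re

# Constructed sample: service lines copied from the ComboFix log posted above.
SAMPLE_SERVICES = r"""
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 8:24 PM 74480]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe [11/16/2009 11:58 AM 117640]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S3 WTOGSKWBN;WTOGSKWBN;c:\docume~1\Bryan\LOCALS~1\Temp\WTOGSKWBN.exe --> c:\docume~1\Bryan\LOCALS~1\Temp\WTOGSKWBN.exe [?]
S3 XEGJGVPRC;XEGJGVPRC;c:\docume~1\Bryan\LOCALS~1\Temp\XEGJGVPRC.exe --> c:\docume~1\Bryan\LOCALS~1\Temp\XEGJGVPRC.exe [?]
"""

# <start type> <service name>;<display name>;<image path> [...]
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# ComboFix prints 8.3 short names, so %TEMP% appears as ...\LOCALS~1\Temp\.
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


def parse_service(line):
    """Return {state, name, path, missing} for one service line, else None."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    missing = rest.endswith("[?]")  # ComboFix's marker for a path it cannot find
    # "path --> path [?]" when the image is missing; "path [date size]" otherwise.
    path = rest.split(" --> ", 1)[0] if " --> " in rest else rest.rsplit(" [", 1)[0]
    return {"state": m.group("state"), "name": m.group("name").strip(),
            "path": path.strip(), "missing": missing}


def assess(svc):
    """Return (severity, reasons) for one parsed service entry."""
    in_temp = bool(TEMP_RE.search(svc["path"]))
    reasons = []
    if in_temp:
        reasons.append("image lives in a Temp directory")
    if svc["missing"]:
        reasons.append("image file not found on disk")
    severity = "high" if in_temp else "low" if svc["missing"] else "none"
    return severity, reasons


def triage(text):
    """Parsed entries that raised at least one reason, in log order."""
    findings = []
    for line in text.splitlines():
        svc = parse_service(line)
        if svc is None:
            continue
        severity, reasons = assess(svc)
        if reasons:
            findings.append({**svc, "severity": severity, "reasons": reasons})
    return findings


def build_cfscript(findings):
    """Render File::/Driver:: sections for the high-severity findings only; low
    ones (a registered driver whose file is simply gone) are left to a human."""
    high = [f for f in findings if f["severity"] == "high"]
    lines = ["KillAll::", "", "File::", *[f["path"] for f in high], "",
             "Folder::", "", "Registry::", "", "Driver::", *[f["name"] for f in high], ""]
    return "\n".join(lines)


if __name__ == "__main__":
    found = triage(SAMPLE_SERVICES)
    for f in found:
        print(f"[{f['severity']}] {f['state']} {f['name']}: {', '.join(f['reasons'])}")
    print(build_cfscript(found))
```

The point of separating "high" from "low" is that a missing image file by itself is common after an uninstall (the Lbd entry here), whereas a service registered to run an executable out of %TEMP% has no legitimate reason to exist on a home machine, missing or not; the Driver:: section removes the service registration even though the file is already gone, which is what stops the entry from showing up in the next scan.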

#13
Vacine

Vacine

    Member

  • Topic Starter
  • Member
  • PipPip
  • 41 posts
Hi hammerman,

Nothing strange happened this time.

--- COMBOFIX LOG ---

ComboFix 09-12-20.08 - Bryan 12/23/2009 20:23:18.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1497 [GMT -7:00]
Running from: c:\documents and settings\Bryan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Bryan\Desktop\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

FILE ::
"c:\docume~1\Bryan\LOCALS~1\Temp\WTOGSKWBN.exe"
"c:\docume~1\Bryan\LOCALS~1\Temp\XEGJGVPRC.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BHDRVX86
-------\Legacy_WTOGSKWBN
-------\Legacy_XEGJGVPRC
-------\Service_BHDrvx86
-------\Service_WTOGSKWBN
-------\Service_XEGJGVPRC


((((((((((((((((((((((((( Files Created from 2009-11-24 to 2009-12-24 )))))))))))))))))))))))))))))))
.

2009-12-23 15:35 . 2009-12-23 15:35 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-12-23 15:35 . 2009-12-23 15:35 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-12-23 15:35 . 2009-12-23 15:35 -------- d-----w- c:\program files\Symantec
2009-12-23 15:34 . 2009-12-23 15:34 -------- d-----w- c:\windows\system32\drivers\NIS
2009-12-23 15:34 . 2009-12-23 15:34 -------- d-----w- c:\program files\Norton Internet Security
2009-12-23 15:33 . 2009-12-23 15:33 -------- d-----w- c:\program files\NortonInstaller
2009-12-23 03:58 . 2009-12-23 03:58 -------- d-----w- c:\program files\Norton Support
2009-12-22 02:52 . 2009-12-22 02:52 -------- d-----w- C:\_OTS
2009-12-22 02:43 . 2009-12-22 02:43 1365 ----a-w- C:\mbr.exe
2009-12-20 00:02 . 2009-12-20 00:54 -------- d-----w- C:\ArtGalleryV3Work

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-23 16:28 . 2006-05-23 01:28 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-23 15:44 . 2009-12-24 03:09 1323568 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20091223.024\NAVEX15.SYS
2009-12-23 15:44 . 2009-12-24 03:09 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20091223.024\NAVEX32A.DLL
2009-12-23 15:44 . 2009-12-24 03:09 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20091223.024\NAVENG.SYS
2009-12-23 15:44 . 2009-12-24 03:09 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20091223.024\EECTRL.SYS
2009-12-23 15:44 . 2009-12-24 03:09 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20091223.024\CCERASER.DLL
2009-12-23 15:44 . 2009-12-24 03:09 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20091223.024\ECMSVR32.DLL
2009-12-23 15:44 . 2009-12-24 03:09 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20091223.024\NAVENG32.DLL
2009-12-23 15:44 . 2009-12-24 03:09 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20091223.024\ERASER.SYS
2009-12-23 15:35 . 2009-12-23 15:35 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-12-23 15:35 . 2009-12-23 15:35 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-12-23 15:34 . 2009-04-28 23:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-12-23 15:28 . 2009-09-20 01:37 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-20 21:56 . 2009-12-19 15:33 52224 ----a-w- c:\documents and settings\Bryan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-20 21:56 . 2009-10-24 19:53 117760 ----a-w- c:\documents and settings\Bryan\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-19 15:31 . 2009-10-24 19:51 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-14 04:49 . 2008-09-10 02:46 -------- d-----w- c:\documents and settings\Bryan\Application Data\Move Networks
2009-12-05 04:54 . 2009-12-05 04:54 529456 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20091205.001\BHDrvx86.sys
2009-12-05 04:54 . 2009-12-05 04:54 201616 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20091205.001\BHRules.dll
2009-12-05 04:54 . 2009-12-05 04:54 1405840 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20091205.001\BHEngine.dll
2009-12-05 04:54 . 2009-12-05 04:54 668720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20091205.001\BHDrvx64.sys
2009-12-05 04:54 . 2009-12-05 04:54 610704 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20091205.001\bbRGen.dll
2009-12-05 01:25 . 2009-10-24 21:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-04 23:57 . 2009-12-04 23:57 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-03 23:14 . 2009-10-24 21:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 23:13 . 2009-10-24 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-16 17:18 . 2009-04-28 23:54 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-11-16 04:17 . 2006-05-21 04:31 -------- d-----w- c:\program files\trueSpace5
2009-11-15 01:17 . 2009-09-27 02:09 143976 ----a-w- c:\documents and settings\Bryan\Application Data\Move Networks\uninstall.exe
2009-11-15 01:17 . 2009-10-15 00:50 5642688 ----a-w- c:\documents and settings\Bryan\Application Data\Move Networks\plugins\npqmp071701000002.dll
2009-11-15 01:17 . 2009-11-15 01:16 1794456 ----a-w- c:\documents and settings\Bryan\Application Data\Move Networks\MoveMediaPlayerWin_071701000002.exe
2009-11-08 16:22 . 2009-11-08 16:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2009-11-08 16:22 . 2009-11-08 16:22 114688 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$Registration\KodakCameraAPI_7.4.20.2.dll
2009-11-07 01:07 . 2009-12-23 15:35 893296 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\CLT\cltLMSx.dll
2009-11-03 20:46 . 2009-08-25 22:36 -------- d-----w- c:\program files\Java
2009-11-03 20:45 . 2009-11-03 20:45 152576 ----a-w- c:\documents and settings\Bryan\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-10-29 07:45 . 2004-08-27 21:40 916480 ------w- c:\windows\system32\wininet.dll
2009-10-29 02:31 . 2009-12-23 15:35 784752 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\coFFPlgn\components\coFFPlgn.dll
2009-10-28 22:37 . 2009-12-23 15:45 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20091217.002\IDSvix86.sys
2009-10-28 22:37 . 2009-12-23 15:45 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20091217.002\IDSXpx86.sys
2009-10-28 22:37 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\BinHub\IDSvix86.sys
2009-10-28 22:37 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\BinHub\IDSXpx86.sys
2009-10-28 22:37 . 2009-12-23 15:45 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20091217.002\Scxpx86.dll
2009-10-28 22:37 . 2009-12-23 15:45 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20091217.002\IDSxpx86.dll
2009-10-28 22:37 . 2009-12-23 15:45 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20091217.002\IDSviA64.sys
2009-10-28 22:37 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\BinHub\Scxpx86.dll
2009-10-28 22:37 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\BinHub\IDSxpx86.dll
2009-10-28 22:37 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\BinHub\IDSviA64.sys
2009-10-27 03:11 . 2006-05-20 03:40 44296 ----a-w- c:\documents and settings\Bryan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-21 05:38 . 2004-08-27 21:40 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-27 21:40 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 05:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-15 00:50 . 2009-10-15 00:50 97216 ----a-w- c:\documents and settings\Bryan\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-10-14 03:36 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\Bryan\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-10-14 03:36 . 2009-10-14 03:35 1407680 ----a-w- c:\documents and settings\Bryan\Application Data\Move Networks\MoveMediaPlayerWin_071505000010.exe
2009-10-13 10:30 . 2004-08-27 21:40 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-27 21:40 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-27 21:40 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 11:17 . 2009-08-25 22:37 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-09 02:54 . 2009-12-23 15:35 466480 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20090911.001\IDSVia64.sys
2009-10-09 02:54 . 2009-12-23 15:35 342576 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20090911.001\IDSVix86.sys
2009-10-09 02:54 . 2009-12-23 15:35 329080 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20090911.001\IDSxpx86.sys
2009-10-09 02:54 . 2009-12-23 15:35 732536 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20090911.001\Scxpx86.dll
2009-10-09 02:54 . 2009-12-23 15:35 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20090911.001\IDSxpx86.dll
2009-10-08 21:57 . 2008-07-30 01:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2009-10-08 21:57 . 2004-08-27 21:40 220160 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 21:56 . 2004-08-27 21:40 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-05 17:34 . 2009-12-23 15:35 929648 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\OCS\hsplayer.dll
2009-10-01 09:19 . 2009-12-23 15:35 164216 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\IPSFFPlgn\components\IPSFFPl.dll
2009-09-27 02:09 . 2009-09-27 02:09 1686272 ----a-w- c:\documents and settings\Bryan\Application Data\Move Networks\MoveMediaPlayerWin_071503000010.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="c:\program files\Internet Explorer\iexplore.exe" [2009-03-08 638816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-09-22 90112]
"VTTimer"="VTTimer.exe" [2005-03-08 53248]
"VTTrayp"="VTtrayp.exe" [2005-03-11 147456]
"PrinTray"="c:\windows\System32\spool\DRIVERS\W32X86\2\printray.exe" [2001-09-06 36864]
"UVS11 Preload"="c:\program files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe" [2007-07-23 341232]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-21 213936]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"nwiz"="nwiz.exe" [2008-09-18 1657376]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\documents and settings\Bryan\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-7-10 122880]
MySQL System Tray Monitor.lnk - c:\program files\MySQL\MySQL Tools for 5.0\MySQLSystemTrayMonitor.exe [2007-5-8 1026048]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-16 51984]
PowerReg Scheduler.exe [2007-12-3 225280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-7-10 122880]
PKZIP Attachments Status.lnk - c:\program files\PKWARE\PKZIPM\9.00.0010\PKTray.exe [2006-11-12 169552]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-4-7 663552]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LXSUPMON"=c:\windows\system32\LXSUPMON.EXE RUN
"PinnacleDriverCheck"=c:\windows\system32\PSDrvCheck.exe -CheckReg
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1101000.013\SymDS.sys [12/23/2009 8:35 AM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1101000.013\SymEFA.sys [12/23/2009 8:35 AM 171056]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1101000.013\cchpx86.sys [12/23/2009 8:35 AM 501888]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 8:24 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 8:24 PM 74480]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1101000.013\Ironx86.sys [12/23/2009 8:35 AM 114736]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe [12/23/2009 8:35 AM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/23/2009 8:44 AM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20091217.002\IDSXpx86.sys [12/23/2009 8:45 AM 329592]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 8:24 PM 7408]
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ptec/defaults/su/*http://www.yahoo.com
TCP: {A3DBBCEF-36FF-43F8-A347-F6E9B4CC0A8E} = 192.168.0.1
FF - ProfilePath - c:\documents and settings\Bryan\Application Data\Mozilla\Firefox\Profiles\2klw6kkj.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\Bryan\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\Bryan\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-23 20:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.1.0.19\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" \"MySQL\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3758444144-2336854130-2296049936-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(804)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2544)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\windows\system32\wscntfy.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\VTTimer.exe
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2009-12-23 20:41:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-24 03:40
ComboFix2.txt 2009-12-23 03:37

Pre-Run: 129,570,836,480 bytes free
Post-Run: 129,527,947,264 bytes free

- - End Of File - - EB328800BB9964807F1A88A9699451EB

#14
hammerman
How's your computer running? Are you still getting redirected?

#15
Vacine
Hi hammerman,

Thanks again for all your help.

No redirections so far. I haven't used the computer much though. I'll report again later to confirm no redirections, hopefully.

You have a Merry Christmas or whatever you do in this season.

Vacine