Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

java.exe and javaw.exe runtime errors [Solved]

Started by jherokee , Feb 28 2010 03:41 PM

  • This topic is locked This topic is locked

#1
jherokee
Posted 28 February 2010 - 03:41 PM

jherokee

    Member

  • Member
  • PipPip
  • 27 posts
Hi,

I have been working with the Applications Techs for just about a month now on a JRE/JVM issue. I noticed that I could not run any JVM applets off webpages. Then I noticed I couldn't install or remove JRE. For all the details, please see attached link to that topic.

http://www.geekstogo...em-t267341.html

They suggest that now it is time to talk to the Malware techs, you, to see if you can help figure out what is wrong. "We believe it is time to check for malware because there seems to be no reason for what is going on."

So, they directed me to go through the Malware and Spyware Cleaning Guide, which I have. After I ran all the tools as detailed below, I still have the JVM problem, ie, I can go to java.com, and try to test my JVM and the webpage will hang the browser window. Most of the page will load, and maybe even the applet will load, but somewhere between start and finish, the applet will never execute and the page will hang. I have duplicated these results on another website, one that is truly of interest to run for me.

Here's my Malware history, so far.

Downloaded and successfully ran TFC.
Downloaded and successfully ran ERUNT.
Downloaded and successfully ran MBAM.

Did a quick and a full scan.

Here are the MBAM log #1:
++++++++++++++++++++++++++++++++++++++

Malwarebytes' Anti-Malware 1.44
Database version: 3802
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

2/27/2010 10:11:16 AM
mbam-log-2010-02-27 (10-11-16).txt

Scan type: Quick Scan
Objects scanned: 136067
Time elapsed: 7 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\h8srtd.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Application Data\sysReserve.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\h8srtshsyst.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\H8SRTlnscmywhkr.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\h8srtkrl32mainweq.dll (Rootkit.Trace) -> Quarantined and deleted successfully.

++++++++++++++++++++++++++++++++++++++++++

MBAM Log #2:

++++++++++++++++++++++++++++++++++++++++++
Malwarebytes' Anti-Malware 1.44
Database version: 3802
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

2/27/2010 3:18:07 PM
mbam-log-2010-02-27 (15-18-07).txt

Scan type: Full Scan (C:\|)
Objects scanned: 295105
Time elapsed: 1 hour(s), 45 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


+++++++++++++++++++++++++++++++++++++++++++

I had been using MS Security Essentials for AV SW. But yesterday I uninstallled it and installed Avast.

Did a quick and a full scan.
Avast Log #1:
I can't seem to paste the Avast logs here. The first one found four threats that it moved "to Chest", Action successful.
- Threat: Win32:Malware-gen
- Threat: Win32:Jifas-DE[Trj]
- Threat: Win32:Jifas-DE[Trj]
- Threat: Win32:Jifas-DE[Trj]

I ran the full Avast scan twice more and both times it found no viruses.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++
I ran GMER. Here is the GMER log:
ark.txt

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-28 06:44:36
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Boromir\LOCALS~1\Temp\pgtdrpow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB117FC5A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB117FB16]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xB11800CA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB117FFF4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB117F6EC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB117FBF0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB117F62C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB117F690]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB117FD10]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xB1180198]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB117FCD0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB117FE50]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xB118C4FE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xB118C322]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xB118C45C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\atapi \Device\Ide\IdePort0 sdcplh.sys
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 sdcplh.sys
Device \Driver\atapi \Device\Ide\IdePort1 sdcplh.sys
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e sdcplh.sys

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Finally, here are the two logs from OTL

OTL.txt

OTL logfile created on: 2/28/2010 6:46:43 AM - Run 1
OTL by OldTimer - Version 3.1.30.3 Folder = C:\Documents and Settings\Boromir\Desktop\ComputerSoftware\MalwareForum G2G
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 48.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 71.00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.79 Gb Total Space | 30.63 Gb Free Space | 27.40% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ARWEN
Current User Name: Boromir
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/02/28 06:45:58 | 000,549,888 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Boromir\Desktop\ComputerSoftware\MalwareForum G2G\OTL.exe
PRC - [2010/02/24 19:11:56 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2010/02/13 18:22:23 | 001,181,328 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2010/02/11 13:01:36 | 001,988,144 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\Setup\avast.setup
PRC - [2010/02/11 11:53:42 | 002,756,488 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/02/11 11:53:39 | 000,040,384 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2010/02/01 06:21:07 | 000,788,880 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2010/01/11 15:21:52 | 000,246,504 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Common Files\Java\Java Update\jusched.exe
PRC - [2009/12/08 21:29:44 | 000,240,992 | ---- | M] (Microsoft Corp.) -- C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe
PRC - [2009/08/28 18:42:54 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/08/18 11:29:22 | 001,529,728 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
PRC - [2009/08/18 11:29:22 | 000,183,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
PRC - [2009/08/07 17:15:06 | 000,311,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
PRC - [2009/08/07 17:15:06 | 000,242,048 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2009/07/17 11:12:14 | 000,288,080 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
PRC - [2009/04/20 09:10:48 | 000,084,464 | ---- | M] () -- C:\Program Files\Roxio Creator 2009 Special Edition\5.0\CPMonitor.exe
PRC - [2008/12/12 10:17:38 | 000,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/10/12 22:47:04 | 005,890,560 | ---- | M] (M.Dev Software) -- C:\Program Files\ZipGenius 6\zipgenius.exe
PRC - [2007/09/29 02:56:34 | 000,483,328 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
PRC - [2007/09/20 07:51:46 | 000,853,288 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
PRC - [2006/02/10 07:56:12 | 000,479,232 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
PRC - [2004/10/20 03:47:54 | 000,098,304 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
PRC - [2004/10/20 02:40:46 | 000,118,784 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
PRC - [2002/08/29 05:00:00 | 000,016,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\unsecapp.exe
PRC - [2002/03/21 21:41:56 | 000,094,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Hardware\Keyboard\type32.exe


========== Modules (SafeList) ==========

MOD - [2010/02/28 06:45:58 | 000,549,888 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Boromir\Desktop\ComputerSoftware\MalwareForum G2G\OTL.exe
MOD - [2009/11/21 08:51:04 | 000,471,552 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\AppPatch\aclayers.dll
MOD - [2008/04/13 17:12:05 | 000,065,024 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\shimeng.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/02/24 19:11:56 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2010/02/13 18:22:23 | 001,181,328 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2010/02/11 11:53:39 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/02/11 11:53:39 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/02/11 11:53:39 | 000,040,384 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2009/09/21 15:36:02 | 000,545,568 | ---- | M] (Apple Inc.) [On_Demand | Stopped] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/08/28 18:42:54 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/08/23 14:00:06 | 000,136,120 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2009/08/18 11:29:22 | 001,529,728 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)
SRV - [2009/08/07 17:15:06 | 000,242,048 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2009/01/09 06:46:25 | 001,122,304 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxMediaDB11.exe -- (RoxMediaDB11)
SRV - [2008/12/12 10:17:38 | 000,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/08/14 00:25:24 | 000,367,088 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files\Roxio Creator 2009 Special Edition\Digital Home 11\RoxioUpnpService11.exe -- (Roxio Upnp Server 11)
SRV - [2008/08/14 00:25:20 | 000,313,840 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Roxio Creator 2009 Special Edition\Digital Home 11\RoxioUPnPRenderer11.exe -- (Roxio UPnP Renderer 11)
SRV - [2008/08/14 00:24:06 | 000,309,744 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxLiveShare11.exe -- (RoxLiveShare11)
SRV - [2008/08/14 00:24:02 | 000,170,480 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatch11.exe -- (RoxWatch11)
SRV - [2007/10/15 08:15:08 | 000,382,248 | ---- | M] (Nero AG) [On_Demand | Stopped] -- C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe -- (NMIndexingService)
SRV - [2007/09/29 02:56:34 | 000,483,328 | ---- | M] (ATI Technologies Inc.) [Auto | Running] -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2007/09/20 07:51:46 | 000,853,288 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe -- (Nero BackItUp Scheduler 3)
SRV - [2005/04/03 23:41:10 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004/10/20 03:47:54 | 000,098,304 | ---- | M] () [Auto | Running] -- C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor)
SRV - [2004/10/20 02:40:46 | 000,118,784 | ---- | M] () [Auto | Running] -- C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe -- (PhotoshopElementsDeviceConnect)
SRV - [2004/04/21 21:10:00 | 000,516,096 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Bing"
FF - prefs.js..browser.search.defaulturl: "http://www.bing.com/...TDF&PC=SUN1&q="
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..extensions.enabledItems: {27182e60-b5f3-411c-b545-b44205977502}:1.0
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..keyword.URL: "http://www.bing.com/...TDF&PC=SUN1&q="
FF - prefs.js..network.proxy.no_proxies_on: "*.local"

FF - HKLM\software\mozilla\Firefox\Extensions\\{27182e60-b5f3-411c-b545-b44205977502}: C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\ [2010/01/24 16:10:59 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/13 08:48:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/18 17:14:00 | 000,000,000 | ---D | M]

[2010/02/13 08:48:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Boromir\Application Data\Mozilla\Extensions
[2010/02/24 19:23:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Boromir\Application Data\Mozilla\Firefox\Profiles\9sdbysgq.default\extensions
[2010/02/16 20:27:51 | 000,002,176 | ---- | M] () -- C:\Documents and Settings\Boromir\Application Data\Mozilla\Firefox\Profiles\9sdbysgq.default\searchplugins\bing.xml
[2010/02/24 19:23:17 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2002/08/29 05:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (no name) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - No CLSID value found.
O2 - BHO: (MSN Toolbar BHO) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\npwinext.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (MSN Toolbar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\npwinext.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O4 - HKLM..\Run: [CPMonitor] C:\Program Files\Roxio Creator 2009 Special Edition\5.0\CPMonitor.exe ()
O4 - HKLM..\Run: [IntelliType] C:\Program Files\Microsoft Hardware\Keyboard\type32.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Microsoft Default Manager] C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe (Microsoft Corporation)
O4 - HKLM..\Run: [MSN Toolbar] C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe (Microsoft Corp.)
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatchTray11.exe (Sonic Solutions)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Development Company, L.P.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: _NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.ma...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitd...can8/oscan8.cab (Reg Error: Key error.)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onec...lscbase8942.cab (Windows Live Safety Center Base Module)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1191100832104 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {D3538D36-EEDA-4BC7-9C8D-8C1D066EBC56} http://hp.sonic.com/...cActivation.dll (SonicActivator Class)
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} http://download.micr...04/clearadj.cab (CTAdjust Class)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Boromir\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Boromir\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/01/29 11:53:31 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{3661c15e-da5e-11db-b492-000ea690216f}\Shell - "" = AutoRun
O33 - MountPoints2\{3661c15e-da5e-11db-b492-000ea690216f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{3661c15e-da5e-11db-b492-000ea690216f}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O33 - MountPoints2\{53f62038-e96e-11db-b49a-000ea690216f}\Shell - "" = AutoRun
O33 - MountPoints2\{53f62038-e96e-11db-b49a-000ea690216f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{53f62038-e96e-11db-b49a-000ea690216f}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O33 - MountPoints2\{f0c561f4-961b-11db-ab86-000ea690216f}\Shell - "" = AutoRun
O33 - MountPoints2\{f0c561f4-961b-11db-ab86-000ea690216f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{f0c561f4-961b-11db-ab86-000ea690216f}\Shell\AutoRun\command - "" = D:\Setup.EXE -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2004/01/20 08:50:48 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: Ip6FwHlp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (55735438412873728)

========== Files/Folders - Created Within 14 Days ==========

[2010/02/27 10:35:44 | 000,019,024 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/02/27 10:35:43 | 000,162,512 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/02/27 10:35:42 | 000,023,376 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/02/27 10:35:40 | 000,046,672 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/02/27 10:35:38 | 000,100,432 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/02/27 10:35:38 | 000,094,800 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/02/27 10:35:38 | 000,028,880 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/02/27 10:35:26 | 000,153,184 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/02/27 10:35:26 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/02/27 10:35:16 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/02/27 10:35:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/02/27 09:47:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Boromir\Application Data\Malwarebytes
[2010/02/27 09:47:02 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/02/27 09:47:00 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/02/27 09:47:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/02/27 09:46:59 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/02/27 09:42:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/02/27 09:41:40 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/02/25 18:28:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Boromir\.FamilySearchIndexing
[2010/02/03 20:53:15 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2010/01/27 22:48:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/01/27 22:40:27 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2010/01/27 22:40:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/01/15 18:26:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/01/03 15:13:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Roxio
[2006/02/19 03:28:56 | 000,012,288 | ---- | C] (Hewlett-Packard Development Company, L.P.) -- C:\WINDOWS\Fonts\RandFont.dll

========== Files - Modified Within 14 Days ==========

[2010/02/28 06:22:09 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 1).job
[2010/02/28 00:22:36 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 4).job
[2010/02/27 18:23:47 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 3).job
[2010/02/27 17:23:31 | 000,000,428 | ---- | M] () -- C:\WINDOWS\zipgenius.xml
[2010/02/27 17:10:29 | 000,001,173 | ---- | M] () -- C:\Documents and Settings\Boromir\Application Data\mainhst.zgh
[2010/02/27 13:22:33 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/02/27 13:22:31 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 2).job
[2010/02/27 13:20:02 | 000,012,642 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/02/27 13:18:10 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/02/27 13:17:47 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/02/27 13:16:46 | 006,291,456 | ---- | M] () -- C:\Documents and Settings\Boromir\NTUSER.DAT
[2010/02/27 13:16:46 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Boromir\ntuser.ini
[2010/02/27 10:35:45 | 000,001,741 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/02/27 10:35:39 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/02/27 09:47:05 | 000,000,737 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/27 09:41:43 | 000,000,633 | ---- | M] () -- C:\Documents and Settings\Boromir\Desktop\ERUNT.lnk
[2010/02/27 07:25:06 | 000,000,426 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{6ECB3094-5C9E-4906-826A-E5ADEAB0D698}.job
[2010/02/20 19:26:41 | 000,263,024 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/02/15 15:49:38 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/02/14 21:12:06 | 000,001,939 | ---- | M] () -- C:\Documents and Settings\Boromir\Desktop\FamilySearch Indexing.lnk

========== Files Created - No Company Name ==========

[2010/02/27 10:35:45 | 000,001,741 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/02/27 09:47:05 | 000,000,737 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/27 09:41:43 | 000,000,633 | ---- | C] () -- C:\Documents and Settings\Boromir\Desktop\ERUNT.lnk
[2010/02/20 19:26:41 | 000,263,024 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/02/15 15:48:08 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2010/02/14 21:12:06 | 000,001,939 | ---- | C] () -- C:\Documents and Settings\Boromir\Desktop\FamilySearch Indexing.lnk
[2010/02/13 12:21:46 | 000,146,760 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/01/25 19:56:05 | 000,015,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/01/23 10:17:27 | 000,016,725 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\h8srtmainqt.dll
[2009/11/17 19:48:50 | 000,001,173 | ---- | C] () -- C:\Documents and Settings\Boromir\Application Data\mainhst.zgh
[2009/11/14 10:50:41 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/01/05 15:44:10 | 000,000,453 | ---- | C] () -- C:\WINDOWS\bdoscandellang.ini
[2008/01/19 12:20:14 | 000,000,280 | ---- | C] () -- C:\WINDOWS\System32\epoPGPsdk.dll.sig
[2008/01/10 18:49:15 | 000,000,043 | ---- | C] () -- C:\WINDOWS\hpfccopy.INI
[2008/01/09 07:45:29 | 000,003,312 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2007/05/07 22:47:47 | 000,000,059 | ---- | C] () -- C:\WINDOWS\LTDLG13N.INI
[2007/02/12 19:21:28 | 000,548,864 | ---- | C] () -- C:\WINDOWS\System32\hpgtg400.dll
[2006/09/23 09:25:43 | 000,040,576 | ---- | C] () -- C:\WINDOWS\System32\drivers\sdcplh.sys
[2006/06/04 09:08:06 | 000,000,312 | ---- | C] () -- C:\WINDOWS\topo4.INI
[2005/10/17 10:03:50 | 000,000,130 | ---- | C] () -- C:\Documents and Settings\Boromir\Local Settings\Application Data\fusioncache.dat
[2005/07/19 19:17:34 | 000,000,157 | ---- | C] () -- C:\WINDOWS\matlab.ini
[2005/03/21 12:44:22 | 000,000,035 | ---- | C] () -- C:\WINDOWS\A5W.INI
[2004/07/11 13:20:37 | 000,048,128 | ---- | C] () -- C:\Documents and Settings\Boromir\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/07/10 19:23:17 | 000,018,944 | ---- | C] () -- C:\Documents and Settings\Boromir\Local Settings\Application Data\FASTWiz.log
[2004/07/10 19:23:17 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Boromir\Local Settings\Application Data\FASTWiz.html
[2004/01/31 13:35:36 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/01/31 12:55:14 | 000,000,520 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/01/30 15:29:25 | 000,000,209 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2004/01/30 15:07:46 | 000,245,408 | ---- | C] () -- C:\WINDOWS\System32\unicows.dll
[2004/01/20 13:14:15 | 000,004,428 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2004/01/20 12:59:48 | 000,000,042 | ---- | C] () -- C:\WINDOWS\AcrobatSetupStatus.ini
[2004/01/20 12:54:16 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/01/20 09:23:18 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/09/02 15:51:00 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\idecoi.dll
[2002/11/14 12:58:04 | 000,200,192 | ---- | C] () -- C:\WINDOWS\System32\ir50_qc.dll
[2002/11/14 12:58:04 | 000,183,808 | ---- | C] () -- C:\WINDOWS\System32\ir50_qcx.dll
[2002/11/14 12:58:02 | 000,755,200 | ---- | C] () -- C:\WINDOWS\System32\ir50_32.dll
[2002/11/14 12:58:02 | 000,338,432 | ---- | C] () -- C:\WINDOWS\System32\ir41_qcx.dll
[2002/11/14 12:58:02 | 000,120,320 | ---- | C] () -- C:\WINDOWS\System32\ir41_qc.dll

========== LOP Check ==========

[2010/02/27 10:35:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/01/25 20:00:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2009/10/11 11:37:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LightScribe
[2005/04/27 21:57:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Network Associates
[2007/04/18 18:16:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RootsMagic
[2009/01/03 17:41:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
[2009/01/03 13:16:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Uninstall
[2009/11/14 11:57:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2009/10/17 09:47:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2010/02/01 06:16:36 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
[2007/09/29 14:52:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Boromir\Application Data\GARMIN
[2008/03/22 16:55:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Boromir\Application Data\gtk-2.0
[2009/11/17 19:32:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Boromir\Application Data\Helios
[2004/07/10 22:13:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Boromir\Application Data\Jasc
[2007/05/07 22:19:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Boromir\Application Data\RootsMagic
[2009/10/24 12:25:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Boromir\Application Data\Scooter Software
[2009/11/17 20:11:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Boromir\Application Data\ZipGenius
[2010/02/28 06:22:09 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 1).job
[2010/02/27 13:22:31 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 2).job
[2010/02/27 18:23:47 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 3).job
[2010/02/28 00:22:36 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 4).job
[2010/02/27 13:22:33 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2010/02/27 07:25:06 | 000,000,426 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{6ECB3094-5C9E-4906-826A-E5ADEAB0D698}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/09/04 09:44:14 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/01/03 11:32:06 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2004/09/04 09:44:14 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2009/01/03 11:32:06 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\dllcache\agp440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2002/08/29 05:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys
[2004/09/04 09:44:14 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/01/03 11:32:06 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2002/08/29 05:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp1.cab:atapi.sys
[2004/09/04 09:44:14 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2009/01/03 11:32:06 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2002/08/29 05:00:00 | 000,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys
[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: NVATABUS.SYS >
[2004/01/13 12:36:00 | 000,063,744 | ---- | M] (NVIDIA Corporation) MD5=06F86506555644CBA020CD2CFFE28668 -- C:\TAC\Drivers\Chipset\NVIDIA\nForce 4.24\IDE\WinXP\NvAtaBus.sys
[2004/01/28 13:11:00 | 000,063,744 | ---- | M] (NVIDIA Corporation) MD5=4B7A1230820ED27834050CB32A0E3B64 -- C:\TAC\Drivers\Chipset\NVIDIA\nForce 4.24\IDE\Win2K\NvAtaBus.sys

< MD5 for: SCECLI.DLL >
[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2002/01/01 12:13:01 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2002/01/01 12:13:01 | 000,602,112 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2002/01/01 12:13:01 | 000,397,312 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< >

< >

========== Alternate Data Streams ==========

@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Boromir\My Documents\Slideshow.dmsm:Roxio EMC Stream
< End of report >

+++++++++++++++++++++++++++++++++++++++++++++++++++++++
Extras.txt

OTL Extras logfile created on: 2/28/2010 6:46:43 AM - Run 1
OTL by OldTimer - Version 3.1.30.3 Folder = C:\Documents and Settings\Boromir\Desktop\ComputerSoftware\MalwareForum G2G
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 48.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 71.00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.79 Gb Total Space | 30.63 Gb Free Space | 27.40% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ARWEN
Current User Name: Boromir
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /k "cd %L" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" = C:\Program Files\Network Associates\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service -- File not found
"C:\Program Files\Photo Story 3 for Windows\PhotoStory3.exe" = C:\Program Files\Photo Story 3 for Windows\PhotoStory3.exe:*:Enabled:Photo Story 3 for Windows -- (Microsoft Corp.)
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\Eclipse\eclipse.exe" = C:\Program Files\Eclipse\eclipse.exe:*:Enabled:eclipse -- File not found
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\McAfee\Common Framework\FrameworkService.exe" = C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service -- File not found


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{08234a0d-cf39-4dca-99f0-0c5cb496da81}" = MSN Toolbar
"{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID Sign-in Assistant
"{0A65A3BD-54B5-4d0d-B084-7688507813F5}" = SlideShow
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0C34B801-6AEC-4667-B053-03A67E2D0415}" = Apple Application Support
"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
"{15AEA3B1-BBEF-4460-8F98-8CB91819A180}" = MSDN Library - July 2005
"{15C0AF59-4877-49B6-B8C6-A61CE54515F5}" = cp_OnlineProjectsConfig
"{1746EA69-DCB6-4408-B5A5-E75F55439CDF}" = Scan
"{17B66E83-1BC9-11D5-A54A-0090278A1BB8}" = Microsoft FrontPage Client - English
"{1A655D51-1423-48A3-B748-8F5A0BE294C8}" = Microsoft Visual J# .NET Redistributable Package 1.1
"{1D53B6F9-E66E-42D8-A221-4FF8AC134FD7}" = Roxio Activation Module
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{20610409-CA18-41A6-9E21-A93AE82EE7C5}" = Visual Studio .NET Professional 2003 - English
"{21ABEA96-CCAB-4C40-8699-6BDFEC5FD63C}" = EMC 11 Content
"{2656D0AB-9EA4-4C58-A117-635F3CED8B93}" = Microsoft UI Engine
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java™ 6 Update 18
"{2B618178-930B-46FA-9C93-0AE2EEB89EBC}" = DocProc
"{2F58D60D-2BFD-4467-9B4D-64E7355C329D}" = Sonic_PrimoSDK
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{3383136B-4F86-4F05-8612-DD4BB16A1EAE}" = Roxio Central
"{33BF0960-DBA3-4187-B6CC-C969FCFA2D25}" = SkinsHP1
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{363790D2-DA98-41DD-9C9F-69FA36B169DE}" = PanoStandAlone
"{38D56396-298F-4874-B4EC-16B530B07879}" = HP Scanjet G4000 series 8.0
"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup
"{41E776A5-9B12-416D-9A12-B4F7B044EBED}" = CP_Package_Basic1
"{43DCF766-6838-4F9A-8C91-D92DA586DFA7}" = Microsoft Windows Journal Viewer
"{45B8A76B-57EC-4242-B019-066400CD8428}" = BufferChm
"{49FC50FC-F965-40D9-89B4-CBFF80941033}" = Windows Movie Maker 2.0
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin
"{4EA684E9-5C81-4033-A696-3019EC57AC3A}" = HPProductAssistant
"{4F41AD68-89F2-4262-A32C-2F70B01FCE9E}" = Photo Story 3 for Windows
"{523DF39E-DF7D-488F-8022-783946571033}" = Nero 8 Essentials
"{53EE9E42-CECB-4C92-BF76-9CA65DAF8F1C}" = FullDPAppQFolder
"{5414086B-AE06-4332-8A59-26FF0F630D1B}" = Garmin Trip and Waypoint Manager v3
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{5B3FB6D4-1B88-413D-8DE7-A7E2D58DE5B2}" = TOPO! 4
"{61BEA823-ECAF-49F1-8378-A59B3B8AD247}" = Microsoft Default Manager
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{66910000-8B30-4973-A159-6371345AFFA5}" = WebReg
"{6696D9A4-28A8-4F5A-8E9A-2E8974C8C39C}" = RandMap
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{6855CCDD-BDF9-48E4-B80A-80DFB96FE36C}" = CmdHere Powertoy For Windows XP
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69F56014-2C48-4885-8D72-0E069F89647F}" = Roxio Creator 2009 Special Edition
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{76EFFC7C-17A6-479D-9E47-8E658C1695AE}" = Windows Backup Utility
"{7919D8D9-69FB-4E94-B330-04C4AF251867}" = Roxio Creator 2009 Special Edition
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{83FC2D98-CB55-4E05-82C1-EDC8A4E8EDD2}" = Garmin MapSource
"{851C67EF-068A-4060-9EF5-2E3DDCD68382}" = Adobe Photoshop Elements 3.0
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{87E91B85-9A4A-4B1E-930E-3429D146FEB3}" = ScannerCopy
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{90300409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Media Content
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{996EC44B-38E1-4898-8E47-3EE3D15F2712}" = Garmin WebUpdater
"{9DE006A5-B384-4EDE-A760-0F217136B9EA}" = Microsoft IntelliType Pro 2.2
"{A29800BA-0BF1-4E63-9F31-DF05A87F4104}" = InstantShareDevices
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A4D7B764-4140-11D4-88EB-0050DA3579C0}" = Nero - Burning Rom
"{A65F7CF8-6F76-40CE-B44D-D5A89D9881C7}" = MSN Toolbar Platform
"{A75949C3-DC28-42CA-9C56-24C002B93D89}" = Garmin City Navigator North America v8
"{AA749D64-3741-4D5F-B804-B0BC05D179D1}" = Roxio CinePlayer
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A82000000003}" = Adobe Reader 8.2.0
"{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8
"{AD4203ED-7683-435E-B436-C299773A9936}" = MapSource - US Topo v3.02
"{AF9E97C1-7431-426D-A8D5-ABE40995C0B1}" = DirectX 9 Runtime
"{B2157760-AA3C-4E2E-BFE6-D20BC52495D9}" = cp_PosterPrintConfig
"{B6286A44-7505-471A-A72B-04EC2DB2F442}" = CueTour
"{B69CFE29-FD03-4E0A-87A7-6ED97F98E5B3}" = CP_Panorama1Config
"{B6EC7388-E277-4A5B-8C8F-71067A41BA64}" = TextPad 5
"{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}" = HP Software Update
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C0FE37FA-0886-4B66-B01B-76CF70FB77AB}" = Roxio CinePlayer Decoder Pack
"{C1704101-D142-42A4-83E5-F938F13DBD94}" = hpg4000QFolder
"{C1C6767D-B395-43CB-BF99-051B58B86DA6}" = PhotoGallery
"{C7F54CF8-D6FB-4E0A-93A3-E68AE0D6C476}" = SolutionCenter
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D4D24FE5-FAB3-4FE2-AFFC-623955F4DF3A}" = Visual Studio.NET Baseline - English
"{D6DE02C7-1F47-11D4-9515-00105AE4B89A}" = Paint Shop Pro 7 Try And Buy
"{D7A6C517-11F2-419F-B5BB-27772B939698}" = NvMixer
"{DA34FE93-5DC5-48E0-ACC8-A5389E05BB51}" = iTunes
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E622695B-3A22-4774-993D-318049488C0B}" = LDS Scriptures CD-ROM Resource Edition
"{EC3B598C-1151-4191-B5B4-A9072ADE6259}_is1" = ZipGenius 6 (6.0.3.1150)
"{ED2C557E-9C18-41FF-B58E-A05EEF0B3B5F}" = CP_CalendarTemplates1
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F8A3C1B6-D2E0-4CE1-80A2-555D6F71C639}" = Microsoft Search Enhancement Pack
"{FB15E224-67C3-491F-9F5C-F257BC418412}" = Destinations
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"{FD7F3626-80DE-4E99-A11D-0BFB4350A00C}" = hpG4000
"Ad-Aware" = Ad-Aware
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"audcle" = Plus! MP3 Audio Converter LE
"avast5" = avast! Free Antivirus
"BeyondCompare3_is1" = Beyond Compare Version 3.1.7
"CCleaner" = CCleaner
"Church Organization Information 3.0" = Church Organization Information 3.0
"drmtool.inf" = Personal License Update Wizard for Windows Media Player
"ERUNT_is1" = ERUNT 1.1j
"HP Imaging Device Functions" = HP Imaging Device Functions 7.0
"HP Photo & Imaging" = HP Photosmart Premier Software 6.5
"HP Solution Center & Imaging Support Tools" = HP Solution Center 7.0
"HPOCR" = OCR Software by I.R.I.S 8.0
"ie7" = Windows Internet Explorer 7
"InstallShield_{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"mmmusic" = Movie Maker Background Music Files
"mmsounds" = Movie Maker Sound Effects
"mmtitle" = Movie Maker Title Images
"Mozilla Firefox (3.6)" = Mozilla Firefox (3.6)
"mplibwiz.inf" = Media Library Management Wizard
"mpxlswiz.inf" = Windows Media Player Playlist Import to Excel Wizard
"mpxptray.inf" = Windows Media Player Tray Control
"NVIDIA Drivers" = NVIDIA Drivers
"Picasa 3" = Picasa 3
"RootsMagic_is1" = RootsMagic 3.2.4.0
"Sweepi_is1" = Sweepi 5.2.20
"Visual Studio .NET Professional 2003 - English" = Microsoft Visual Studio .NET Professional 2003 - English
"wa2wmp" = Windows Media Player Skin Importer
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinGimp-2.0_is1" = GIMP 2.4.2
"WMBK2" = Windows Media Bonus Pack for Windows XP
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"FamilySearch Indexing" = FamilySearch Indexing
"Uninstall FamilySearch Indexing" = Uninstall FamilySearch Indexing

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/18/2010 8:14:18 PM | Computer Name = ARWEN | Source = Application Error | ID = 1000
Description = Faulting application javaw.exe, version 6.0.180.7, faulting module
java.dll, version 6.0.180.7, fault address 0x00005875.

Error - 2/18/2010 8:15:42 PM | Computer Name = ARWEN | Source = Application Error | ID = 1000
Description = Faulting application java.exe, version 6.0.180.7, faulting module
java.dll, version 6.0.180.7, fault address 0x00005875.

Error - 2/18/2010 8:15:47 PM | Computer Name = ARWEN | Source = Application Error | ID = 1000
Description = Faulting application java.exe, version 6.0.180.7, faulting module
java.dll, version 6.0.180.7, fault address 0x00005875.

Error - 2/18/2010 8:28:00 PM | Computer Name = ARWEN | Source = Application Error | ID = 1000
Description = Faulting application javaw.exe, version 6.0.180.7, faulting module
java.dll, version 6.0.180.7, fault address 0x00004e46.

Error - 2/20/2010 10:29:36 PM | Computer Name = ARWEN | Source = Microsoft Office 10 | ID = 1000
Description = Faulting application winword.exe, version 10.0.6856.0, faulting module
mso.dll, version 10.0.6858.0, fault address 0x0000d102.

Error - 2/24/2010 10:13:43 PM | Computer Name = ARWEN | Source = Application Error | ID = 1000
Description = Faulting application java.exe, version 6.0.180.7, faulting module
java.dll, version 6.0.180.7, fault address 0x00005875.

Error - 2/24/2010 10:32:04 PM | Computer Name = ARWEN | Source = Application Error | ID = 1000
Description = Faulting application java.exe, version 6.0.180.7, faulting module
java.dll, version 6.0.180.7, fault address 0x00005875.

Error - 2/25/2010 9:28:53 PM | Computer Name = ARWEN | Source = Application Error | ID = 1000
Description = Faulting application javaw.exe, version 6.0.180.7, faulting module
java.dll, version 6.0.180.7, fault address 0x00005875.

Error - 2/27/2010 3:09:43 PM | Computer Name = ARWEN | Source = Application Error | ID = 1000
Description = Faulting application javaw.exe, version 6.0.180.7, faulting module
java.dll, version 6.0.180.7, fault address 0x00005875.

Error - 2/27/2010 8:03:11 PM | Computer Name = ARWEN | Source = Application Error | ID = 1000
Description = Faulting application javaw.exe, version 6.0.180.7, faulting module
java.dll, version 6.0.180.7, fault address 0x00005875.

[ System Events ]
Error - 2/27/2010 4:16:09 PM | Computer Name = ARWEN | Source = Service Control Manager | ID = 7031
Description = The Lavasoft Ad-Aware Service service terminated unexpectedly. It
has done this 1 time(s). The following corrective action will be taken in 5000
milliseconds: Restart the service.

Error - 2/27/2010 4:16:09 PM | Computer Name = ARWEN | Source = Service Control Manager | ID = 7031
Description = The Apple Mobile Device service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 2/27/2010 4:16:09 PM | Computer Name = ARWEN | Source = Service Control Manager | ID = 7034
Description = The Bonjour Service service terminated unexpectedly. It has done
this 1 time(s).

Error - 2/27/2010 4:16:09 PM | Computer Name = ARWEN | Source = Service Control Manager | ID = 7034
Description = The Nero BackItUp Scheduler 3 service terminated unexpectedly. It
has done this 1 time(s).

Error - 2/27/2010 4:16:09 PM | Computer Name = ARWEN | Source = Service Control Manager | ID = 7034
Description = The Java Quick Starter service terminated unexpectedly. It has done
this 1 time(s).

Error - 2/27/2010 4:16:09 PM | Computer Name = ARWEN | Source = Service Control Manager | ID = 7034
Description = The Photoshop Elements Device Connect service terminated unexpectedly.
It has done this 1 time(s).

Error - 2/27/2010 4:16:10 PM | Computer Name = ARWEN | Source = Service Control Manager | ID = 7034
Description = The Adobe Active File Monitor service terminated unexpectedly. It
has done this 1 time(s).

Error - 2/27/2010 4:16:10 PM | Computer Name = ARWEN | Source = Service Control Manager | ID = 7034
Description = The SeaPort service terminated unexpectedly. It has done this 1 time(s).

Error - 2/27/2010 4:16:10 PM | Computer Name = ARWEN | Source = Service Control Manager | ID = 7031
Description = The Windows Live ID Sign-in Assistant service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in
10000 milliseconds: Restart the service.

Error - 2/27/2010 4:18:17 PM | Computer Name = ARWEN | Source = ati2mtag | ID = 45062
Description = CRT invalid display type


< End of report >
  • 0

Advertisements

#2
Rorschach112
Posted 28 February 2010 - 03:45 PM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
hi

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
O33 - MountPoints2\{3661c15e-da5e-11db-b492-000ea690216f}\Shell - "" = AutoRun
O33 - MountPoints2\{3661c15e-da5e-11db-b492-000ea690216f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{3661c15e-da5e-11db-b492-000ea690216f}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O33 - MountPoints2\{53f62038-e96e-11db-b49a-000ea690216f}\Shell - "" = AutoRun
O33 - MountPoints2\{53f62038-e96e-11db-b49a-000ea690216f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{53f62038-e96e-11db-b49a-000ea690216f}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O33 - MountPoints2\{f0c561f4-961b-11db-ab86-000ea690216f}\Shell - "" = AutoRun
O33 - MountPoints2\{f0c561f4-961b-11db-ab86-000ea690216f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{f0c561f4-961b-11db-ab86-000ea690216f}\Shell\AutoRun\command - "" = D:\Setup.EXE -- File not found

:Services

:Reg

:Files

:Commands
[purity]
[resethosts]
[emptytemp]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done



Download ComboFix here :

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix\ComboFix.txt log in your next reply.
  • 0

#3
jherokee
Posted 01 March 2010 - 09:26 PM

jherokee

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Hey...

While the combofix was running, I noticed it said McAfee Enterprise was running. I did an uninstall on this AV software at least a month ago. Subsequently I installed MS Security Essentials. Since my time here, I uninstalled MS SE and installed Avast. I am surprised combofix said that McAfee still running. Do you recommend that I do something special to get rid of McAfee.

Anyway, here's my combofix log:

ComboFix 10-03-01.01 - Boromir 03/01/2010 20:08:26.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.739 [GMT -7:00]
Running from: c:\documents and settings\Boromir\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\h8srtmainqt.dll
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\recycler\S-1-5-21-1727634634-1116989636-3975533155-1003
c:\recycler\S-1-5-21-1993962763-1343024091-839522115-1003
c:\recycler\S-1-5-21-2114866986-467918930-1703796125-1003
c:\recycler\S-1-5-21-2932558280-1937614191-285007267-1003

----- BITS: Possible infected sites -----

hxxp://armmf.adobe.com
.
((((((((((((((((((((((((( Files Created from 2010-02-02 to 2010-03-02 )))))))))))))))))))))))))))))))
.

2010-03-02 02:32 . 2010-03-02 02:32 -------- d-----w- C:\_OTL
2010-02-28 22:24 . 2010-02-28 22:24 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-28 22:24 . 2010-02-28 22:24 95024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2010-02-28 22:24 . 2010-02-28 22:24 598368 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScanner.dll
2010-02-28 22:23 . 2010-02-28 22:23 566608 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll
2010-02-28 22:23 . 2010-02-28 22:23 221408 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\VipreBridge.dll
2010-02-28 22:23 . 2010-02-28 22:23 1230160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll
2010-02-28 22:23 . 2010-02-28 22:23 247120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll
2010-02-28 22:23 . 2010-02-28 22:23 17480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScannerBridge.dll
2010-02-28 22:22 . 2010-02-28 22:22 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-02-28 22:22 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-02-27 17:35 . 2010-02-11 18:38 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-02-27 17:35 . 2010-02-11 18:42 162512 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-02-27 17:35 . 2010-02-11 18:39 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-02-27 17:35 . 2010-02-11 18:42 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-02-27 17:35 . 2010-02-11 18:38 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-02-27 17:35 . 2010-02-11 18:38 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-02-27 17:35 . 2010-02-11 18:38 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-02-27 17:35 . 2010-02-11 18:53 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-02-27 17:35 . 2010-02-11 18:53 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-02-27 17:35 . 2010-02-27 17:35 -------- d-----w- c:\program files\Alwil Software
2010-02-27 17:35 . 2010-02-27 17:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-02-27 16:47 . 2010-02-27 16:47 -------- d-----w- c:\documents and settings\Boromir\Application Data\Malwarebytes
2010-02-27 16:47 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-27 16:47 . 2010-02-27 16:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-27 16:47 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-27 16:46 . 2010-02-27 16:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-27 16:41 . 2010-02-27 16:41 -------- d-----w- c:\program files\ERUNT
2010-02-26 01:28 . 2010-02-26 01:28 -------- d-----w- c:\documents and settings\Boromir\.FamilySearchIndexing
2010-02-13 19:21 . 2010-02-13 19:21 146760 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-02-13 15:48 . 2010-02-13 15:48 0 ----a-w- c:\windows\nsreg.dat
2010-02-13 15:48 . 2010-02-13 15:48 -------- d-----w- c:\documents and settings\Boromir\Local Settings\Application Data\Mozilla
2010-02-03 03:28 . 2010-02-03 03:30 -------- d-----w- c:\documents and settings\Boromir\.SunDownloadManager
2010-02-02 04:08 . 2010-02-25 02:12 -------- d-----w- c:\program files\Common Files\Java
2010-02-02 03:48 . 2010-02-02 03:48 -------- d-sh--w- c:\documents and settings\Ella\IECompatCache
2010-02-01 17:05 . 2010-02-28 22:23 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-01 13:22 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-01 13:22 . 2010-02-28 22:24 884176 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-02-01 13:22 . 2010-02-28 22:23 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-02-01 13:22 . 2010-02-28 22:23 211064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-02-01 13:22 . 2010-02-28 22:23 393896 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-02-01 13:22 . 2010-02-28 22:23 562272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2010-02-01 13:22 . 2010-02-28 22:23 390320 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-02-01 13:22 . 2010-02-28 22:23 167312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2010-02-01 13:22 . 2010-02-01 13:22 8 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2010-02-01 13:21 . 2010-02-28 22:23 6330848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-02-01 13:21 . 2010-02-28 22:23 329048 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2010-02-01 13:21 . 2010-02-28 22:23 94712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2010-02-01 13:21 . 2010-02-28 22:23 961984 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-02-01 13:21 . 2010-02-14 01:22 3803208 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-02-01 13:21 . 2010-02-28 22:23 835312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-02-01 13:21 . 2010-02-28 22:23 842992 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-02-01 13:21 . 2010-02-28 22:23 1593320 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-02-01 13:21 . 2010-02-28 22:23 815184 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-02-01 13:21 . 2010-02-28 22:23 1229232 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-28 22:22 . 2010-01-25 03:18 -------- d-----w- c:\program files\Lavasoft
2010-02-25 02:11 . 2010-01-24 23:08 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-24 16:16 . 2010-01-30 18:19 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-13 19:14 . 2004-08-07 13:33 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-13 18:10 . 2009-01-03 22:13 -------- d-----w- c:\documents and settings\Boromir\Application Data\Roxio
2010-02-03 03:18 . 2009-11-14 17:54 -------- d-----w- c:\program files\Java
2010-01-30 17:45 . 2010-01-30 17:45 503808 ----a-w- c:\documents and settings\Boromir\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5ecda33f-n\msvcp71.dll
2010-01-30 17:45 . 2010-01-30 17:45 499712 ----a-w- c:\documents and settings\Boromir\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5ecda33f-n\jmc.dll
2010-01-30 17:45 . 2010-01-30 17:45 348160 ----a-w- c:\documents and settings\Boromir\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5ecda33f-n\msvcr71.dll
2010-01-30 17:45 . 2010-01-30 17:45 61440 ----a-w- c:\documents and settings\Boromir\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-52abe329-n\decora-sse.dll
2010-01-30 17:45 . 2010-01-30 17:45 12800 ----a-w- c:\documents and settings\Boromir\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-52abe329-n\decora-d3d.dll
2010-01-28 05:00 . 2010-01-25 14:58 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-28 04:58 . 2010-01-25 14:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-28 04:40 . 2010-01-26 02:56 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-01-27 05:13 . 2010-01-27 05:13 249856 ------w- c:\windows\Setup1.exe
2010-01-27 05:13 . 2010-01-27 05:13 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-01-27 05:12 . 2010-01-27 05:11 -------- d-----w- c:\documents and settings\Ella\Application Data\ZipGenius
2010-01-27 04:52 . 2010-01-27 04:52 503808 ----a-w- c:\documents and settings\Ella\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3fdbb661-n\msvcp71.dll
2010-01-27 04:52 . 2010-01-27 04:52 499712 ----a-w- c:\documents and settings\Ella\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3fdbb661-n\jmc.dll
2010-01-27 04:52 . 2010-01-27 04:52 348160 ----a-w- c:\documents and settings\Ella\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3fdbb661-n\msvcr71.dll
2010-01-27 04:52 . 2010-01-27 04:52 61440 ----a-w- c:\documents and settings\Ella\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-44d386a6-n\decora-sse.dll
2010-01-27 04:52 . 2010-01-27 04:52 12800 ----a-w- c:\documents and settings\Ella\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-44d386a6-n\decora-d3d.dll
2010-01-27 04:51 . 2008-10-18 16:04 -------- d-----w- c:\documents and settings\Ella\Application Data\U3
2010-01-26 13:20 . 2010-01-26 13:20 -------- d-----w- c:\program files\AVG
2010-01-26 12:30 . 2010-01-25 16:00 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-01-26 03:00 . 2010-01-26 02:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-01-26 02:55 . 2010-01-26 02:55 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-01-25 16:28 . 2010-01-23 22:35 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-25 16:00 . 2004-01-29 18:53 -------- d-----w- c:\program files\McAfee
2010-01-25 03:20 . 2010-01-25 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-24 23:11 . 2010-01-24 23:09 -------- d-----w- c:\program files\MSN Toolbar Installer
2010-01-24 23:10 . 2010-01-24 23:10 -------- d-----w- c:\program files\Microsoft
2010-01-24 23:10 . 2010-01-24 23:10 -------- d-----w- c:\program files\MSN Toolbar
2010-01-24 23:06 . 2010-01-24 23:06 152576 ----a-w- c:\documents and settings\Ella\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-24 23:05 . 2010-01-24 23:05 79488 ----a-w- c:\documents and settings\Ella\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-24 04:45 . 2010-01-24 04:45 -------- d-----w- c:\documents and settings\Ella\Application Data\Helios
2010-01-24 01:56 . 2010-01-24 01:56 -------- d-----w- c:\documents and settings\Ella\Application Data\Nero
2010-01-24 01:50 . 2006-11-16 17:08 66192 ----a-w- c:\documents and settings\Ella\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-23 22:32 . 2010-01-23 22:28 -------- d-----w- c:\program files\Windows Live Safety Center
2010-01-23 22:22 . 2010-01-23 22:22 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE
2010-01-23 19:38 . 2010-01-23 19:38 3584 ----a-r- c:\documents and settings\Boromir\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-01-23 19:38 . 2010-01-23 19:38 -------- d-----w- c:\program files\Windows Installer Clean Up
2010-01-23 19:37 . 2009-10-31 04:44 -------- d-----w- c:\program files\MSECACHE
2010-01-15 02:01 . 2004-01-29 23:36 -------- d-----w- c:\program files\Microsoft Games
2010-01-14 06:22 . 2010-01-14 06:12 -------- d-----w- c:\program files\McAfee2010
2010-01-14 05:54 . 2004-09-04 17:00 66192 ----a-w- c:\documents and settings\Boromir\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-31 16:50 . 2002-08-29 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 18:43 . 2004-01-20 15:47 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-14 07:08 . 2002-08-29 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2002-08-29 12:00 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2002-08-29 01:04 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2002-08-29 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NvMixerTray.exe" [2004-03-03 131072]
"IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-22 94208]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatchTray11.exe" [2008-08-14 240112]
"CPMonitor"="c:\program files\Roxio Creator 2009 Special Edition\5.0\CPMonitor.exe" [2009-04-20 84464]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe" [2009-12-09 240992]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-02-11 2756488]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-20 113664]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DisableAutoRestart]
2008-04-14 00:12 146432 ----a-w- c:\windows\regedit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-02-19 09:41 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-21 22:36 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 22:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Photo Story 3 for Windows\\PhotoStory3.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 fasttrak;fasttrak;c:\windows\system32\drivers\Fasttrak.sys [1/20/2004 9:21 AM 75520]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/1/2010 6:22 AM 64288]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/27/2010 10:35 AM 162512]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/27/2010 10:35 AM 19024]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/20/2004 3:47 AM 98304]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 8:52 AM 1229232]
S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [10/20/2004 2:40 AM 118784]
S2 Roxio Upnp Server 11;Roxio Upnp Server 11;c:\program files\Roxio Creator 2009 Special Edition\Digital Home 11\RoxioUpnpService11.exe [8/14/2008 12:25 AM 367088]
S2 RoxLiveShare11;LiveShare P2P Server 11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxLiveShare11.exe [8/14/2008 12:24 AM 309744]
S2 RoxWatch11;Roxio Hard Drive Watcher 11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatch11.exe [8/14/2008 12:24 AM 170480]
S3 1d3c1bb4-7c3e-42d2-86cc-8ef5f19a5586;1d3c1bb4-7c3e-42d2-86cc-8ef5f19a5586;\??\d:\cds300\cds300.dll --> d:\cds300\cds300.dll [?]
S3 38d02b41-ff9a-45d8-9502-61d6ed5df3d2;38d02b41-ff9a-45d8-9502-61d6ed5df3d2;\??\d:\cds300\cds300.dll --> d:\cds300\cds300.dll [?]
S3 DVXUSBKS;DVXCEL Streaming Class Driver;c:\windows\system32\drivers\DVXUSBKS.sys [9/11/2004 9:31 AM 46397]
S3 DVXUSBLD;DVXUSBLD;c:\windows\system32\drivers\DVXUSBLD.SYS [9/11/2004 9:31 AM 65241]
S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;c:\program files\Roxio Creator 2009 Special Edition\Digital Home 11\RoxioUPnPRenderer11.exe [8/14/2008 12:25 AM 313840]
S3 RoxMediaDB11;RoxMediaDB11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxMediaDB11.exe [3/3/2009 8:58 PM 1122304]
.
Contents of the 'Scheduled Tasks' folder

2010-03-02 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 22:23]

2009-10-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-03-02 c:\windows\Tasks\User_Feed_Synchronization-{6ECB3094-5C9E-4906-826A-E5ADEAB0D698}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 18:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.totallyawesome.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {D3538D36-EEDA-4BC7-9C8D-8C1D066EBC56} - hxxp://hp.sonic.com/SonicActivation.dll
FF - ProfilePath - c:\documents and settings\Boromir\Application Data\Mozilla\Firefox\Profiles\9sdbysgq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=SOLTDF&PC=SUN1&q=
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=SOLTDF&PC=SUN1&q=
FF - component: c:\program files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\components\SEPsearchhelperff.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-01 20:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-03-01 20:17:41
ComboFix-quarantined-files.txt 2010-03-02 03:17

Pre-Run: 32,226,136,064 bytes free
Post-Run: 32,189,071,360 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - A71DD5C3062394F82420A8A3A89C658E
  • 0

#4
Rorschach112
Posted 02 March 2010 - 06:21 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
hi

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

SecCenter::
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

KillAll::

Folder::
c:\documents and settings\All Users\Application Data\McAfee
c:\program files\McAfee

Driver::
1d3c1bb4-7c3e-42d2-86cc-8ef5f19a5586
38d02b41-ff9a-45d8-9502-61d6ed5df3d2

File::
d:\cds300\cds300.dll
d:\cds300\cds300.dll


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
  • 0

#5
jherokee
Posted 02 March 2010 - 07:23 PM

jherokee

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Hello Rorschach,

Here's the combofix.txt results from the latest combofix run.



ComboFix 10-03-02.02 - Boromir 03/02/2010 18:01:02.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.744 [GMT -7:00]
Running from: c:\documents and settings\Boromir\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Boromir\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"d:\cds300\cds300.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_1d3c1bb4-7c3e-42d2-86cc-8ef5f19a5586
-------\Service_38d02b41-ff9a-45d8-9502-61d6ed5df3d2


((((((((((((((((((((((((( Files Created from 2010-02-03 to 2010-03-03 )))))))))))))))))))))))))))))))
.

2010-03-02 02:32 . 2010-03-02 02:32 -------- d-----w- C:\_OTL
2010-02-28 22:24 . 2010-02-28 22:24 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-28 22:22 . 2010-02-28 22:22 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-02-27 17:35 . 2010-02-11 18:38 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-02-27 17:35 . 2010-02-11 18:42 162512 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-02-27 17:35 . 2010-02-11 18:39 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-02-27 17:35 . 2010-02-11 18:42 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-02-27 17:35 . 2010-02-11 18:38 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-02-27 17:35 . 2010-02-11 18:38 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-02-27 17:35 . 2010-02-11 18:38 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-02-27 17:35 . 2010-02-11 18:53 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-02-27 17:35 . 2010-02-11 18:53 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-02-27 17:35 . 2010-02-27 17:35 -------- d-----w- c:\program files\Alwil Software
2010-02-27 17:35 . 2010-02-27 17:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-02-27 16:47 . 2010-02-27 16:47 -------- d-----w- c:\documents and settings\Boromir\Application Data\Malwarebytes
2010-02-27 16:47 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-27 16:47 . 2010-02-27 16:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-27 16:47 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-27 16:46 . 2010-02-27 16:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-27 16:41 . 2010-02-27 16:41 -------- d-----w- c:\program files\ERUNT
2010-02-26 01:28 . 2010-02-26 01:28 -------- d-----w- c:\documents and settings\Boromir\.FamilySearchIndexing
2010-02-13 19:21 . 2010-02-13 19:21 146760 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-02-13 15:48 . 2010-02-13 15:48 0 ----a-w- c:\windows\nsreg.dat
2010-02-13 15:48 . 2010-02-13 15:48 -------- d-----w- c:\documents and settings\Boromir\Local Settings\Application Data\Mozilla
2010-02-03 03:28 . 2010-02-03 03:30 -------- d-----w- c:\documents and settings\Boromir\.SunDownloadManager
2010-02-02 04:08 . 2010-02-25 02:12 -------- d-----w- c:\program files\Common Files\Java
2010-02-02 03:48 . 2010-02-02 03:48 -------- d-sh--w- c:\documents and settings\Ella\IECompatCache
2010-02-01 17:05 . 2010-02-28 22:23 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-01 13:22 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-28 22:22 . 2010-01-25 03:18 -------- d-----w- c:\program files\Lavasoft
2010-02-25 02:11 . 2010-01-24 23:08 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-24 16:16 . 2010-01-30 18:19 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-13 19:14 . 2004-08-07 13:33 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-13 18:10 . 2009-01-03 22:13 -------- d-----w- c:\documents and settings\Boromir\Application Data\Roxio
2010-02-03 03:18 . 2009-11-14 17:54 -------- d-----w- c:\program files\Java
2010-01-28 05:00 . 2010-01-25 14:58 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-28 04:58 . 2010-01-25 14:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-28 04:40 . 2010-01-26 02:56 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-01-27 05:13 . 2010-01-27 05:13 249856 ------w- c:\windows\Setup1.exe
2010-01-27 05:13 . 2010-01-27 05:13 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-01-27 05:12 . 2010-01-27 05:11 -------- d-----w- c:\documents and settings\Ella\Application Data\ZipGenius
2010-01-27 04:51 . 2008-10-18 16:04 -------- d-----w- c:\documents and settings\Ella\Application Data\U3
2010-01-26 13:20 . 2010-01-26 13:20 -------- d-----w- c:\program files\AVG
2010-01-26 03:00 . 2010-01-26 02:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-01-26 02:55 . 2010-01-26 02:55 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-01-25 16:28 . 2010-01-23 22:35 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-25 03:20 . 2010-01-25 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-24 23:11 . 2010-01-24 23:09 -------- d-----w- c:\program files\MSN Toolbar Installer
2010-01-24 23:10 . 2010-01-24 23:10 -------- d-----w- c:\program files\Microsoft
2010-01-24 23:10 . 2010-01-24 23:10 -------- d-----w- c:\program files\MSN Toolbar
2010-01-24 04:45 . 2010-01-24 04:45 -------- d-----w- c:\documents and settings\Ella\Application Data\Helios
2010-01-24 01:56 . 2010-01-24 01:56 -------- d-----w- c:\documents and settings\Ella\Application Data\Nero
2010-01-24 01:50 . 2006-11-16 17:08 66192 ----a-w- c:\documents and settings\Ella\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-23 22:32 . 2010-01-23 22:28 -------- d-----w- c:\program files\Windows Live Safety Center
2010-01-23 22:22 . 2010-01-23 22:22 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE
2010-01-23 19:38 . 2010-01-23 19:38 -------- d-----w- c:\program files\Windows Installer Clean Up
2010-01-23 19:37 . 2009-10-31 04:44 -------- d-----w- c:\program files\MSECACHE
2010-01-15 02:01 . 2004-01-29 23:36 -------- d-----w- c:\program files\Microsoft Games
2010-01-14 06:22 . 2010-01-14 06:12 -------- d-----w- c:\program files\McAfee2010
2010-01-14 05:54 . 2004-09-04 17:00 66192 ----a-w- c:\documents and settings\Boromir\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-31 16:50 . 2002-08-29 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 18:43 . 2004-01-20 15:47 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-14 07:08 . 2002-08-29 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2002-08-29 12:00 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2002-08-29 01:04 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2002-08-29 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-03-02_03.14.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-03 01:10 . 2010-03-03 01:10 16384 c:\windows\Temp\Perflib_Perfdata_35c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NvMixerTray.exe" [2004-03-03 131072]
"IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-22 94208]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatchTray11.exe" [2008-08-14 240112]
"CPMonitor"="c:\program files\Roxio Creator 2009 Special Edition\5.0\CPMonitor.exe" [2009-04-20 84464]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe" [2009-12-09 240992]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-02-11 2756488]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-20 113664]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DisableAutoRestart]
2008-04-14 00:12 146432 ----a-w- c:\windows\regedit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-02-19 09:41 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-21 22:36 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 22:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Photo Story 3 for Windows\\PhotoStory3.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 fasttrak;fasttrak;c:\windows\system32\drivers\Fasttrak.sys [1/20/2004 9:21 AM 75520]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/1/2010 6:22 AM 64288]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/27/2010 10:35 AM 162512]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/20/2004 3:47 AM 98304]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/27/2010 10:35 AM 19024]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 8:52 AM 1229232]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [10/20/2004 2:40 AM 118784]
S2 Roxio Upnp Server 11;Roxio Upnp Server 11;c:\program files\Roxio Creator 2009 Special Edition\Digital Home 11\RoxioUpnpService11.exe [8/14/2008 12:25 AM 367088]
S2 RoxLiveShare11;LiveShare P2P Server 11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxLiveShare11.exe [8/14/2008 12:24 AM 309744]
S2 RoxWatch11;Roxio Hard Drive Watcher 11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatch11.exe [8/14/2008 12:24 AM 170480]
S3 DVXUSBKS;DVXCEL Streaming Class Driver;c:\windows\system32\drivers\DVXUSBKS.sys [9/11/2004 9:31 AM 46397]
S3 DVXUSBLD;DVXUSBLD;c:\windows\system32\drivers\DVXUSBLD.SYS [9/11/2004 9:31 AM 65241]
S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;c:\program files\Roxio Creator 2009 Special Edition\Digital Home 11\RoxioUPnPRenderer11.exe [8/14/2008 12:25 AM 313840]
S3 RoxMediaDB11;RoxMediaDB11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxMediaDB11.exe [3/3/2009 8:58 PM 1122304]
.
Contents of the 'Scheduled Tasks' folder

2010-03-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 22:23]

2009-10-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-03-02 c:\windows\Tasks\User_Feed_Synchronization-{6ECB3094-5C9E-4906-826A-E5ADEAB0D698}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 18:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.totallyawesome.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {D3538D36-EEDA-4BC7-9C8D-8C1D066EBC56} - hxxp://hp.sonic.com/SonicActivation.dll
FF - ProfilePath - c:\documents and settings\Boromir\Application Data\Mozilla\Firefox\Profiles\9sdbysgq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=SOLTDF&PC=SUN1&q=
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=SOLTDF&PC=SUN1&q=
FF - component: c:\program files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\components\SEPsearchhelperff.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-02 18:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2396)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-03-02 18:19:30 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-03 01:19
ComboFix2.txt 2010-03-02 03:17

Pre-Run: 32,139,833,344 bytes free
Post-Run: 31,992,893,440 bytes free

- - End Of File - - 460CF6C2EEA030EFFFB4F2299180ADC2
  • 0

#6
Rorschach112
Posted 03 March 2010 - 06:08 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
hi

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean




Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.






Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

  • 0

#7
jherokee
Posted 03 March 2010 - 11:16 PM

jherokee

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Hello,

I ran TFC.

I ran Malwarebyte's Anti-Malware and I will include the log here. It did not find anything to clean, as far as I could tell.

I then tried to go to the kapersky website to run the online AV scan. I tried this several times. Every time the brower would hang as it tried to load the page. One time I got a java.exe (or javaw.exe) popup error window, just like I do when I try to test my JVM at java.com. I waited for the kapersky page to load for at least 7 minutes before giving up.

Here is my MBAM log:

Malwarebytes' Anti-Malware 1.44
Database version: 3823
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

3/3/2010 9:55:25 PM
mbam-log-2010-03-03 (21-55-25).txt

Scan type: Quick Scan
Objects scanned: 136834
Time elapsed: 7 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

#8
Rorschach112
Posted 04 March 2010 - 05:41 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
try this

Save these instructions so you can have access to them while in Safe Mode.

Please click here to download AVP Tool by Kaspersky.
  • Save it to your desktop.
  • Reboot your computer into SafeMode.

    You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
    Use your up arrow key to highlight SafeMode then hit enter    .

  • Double click the setup file to run it.
  • Click Next to continue.
  • Accept the Licence agreement and click on next
  • It will by default install it to your desktop folder.Click Next.
  • It will then open a box There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked.

  • Hidden Startup Objects
  • System Memory
  • Disk Boot Sectors.
  • My Computer.
  • Also any other drives (Removable that you may have)


Leave the rest of the settings as they appear as default.

  • Then click on Scan at the to right hand Corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized then click the button that says Neutralize all
  • If it says it cannot be Neutralized then chooose The delete option when prompted.
  • After that is done click on the reports button at the bottom and save it to file name it Kas.
  • Save it somewhere convenient like your desktop and just post only the detected Virus\malware in the report it will be at the very top under Detected post those results in your next reply.

    Note: This tool will self uninstall when you close it so please save the log before closing it.


  • 0

#9
jherokee
Posted 05 March 2010 - 09:10 AM

jherokee

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Hey Rorschach,

I successfully got the Kapersky Scan to run. It looks like it detected "Trojans".

I clicked the "report" button and it displayed a report. However, I could not find an option to save the resulting report to a file.

So, instead I did a frame grab of the report and saved it as a jpg. I have attached the jpg here. Please let me know if you can't see the jpg report file, OK?

Please let me know if this will suffice, and if not, let me know what I can do to save the report to a file.

Also, I didn't see a Kapersky option to "neutralize", rather, all I saw was an option to "delete" (which was reccommended) and a second option to ____ (which I can't remember exactly, but it was something like skip the delete).

I appreciate your help. What should I do next?

Attached Thumbnails

  • kas2.jpg

  • 0

#10
Rorschach112
Posted 05 March 2010 - 09:28 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
you can leave those alone

[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
  • 0

#11
jherokee
Posted 05 March 2010 - 07:52 PM

jherokee

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Here is the report file from today's OTL Quick Scan:

OTL logfile created on: 3/5/2010 6:38:40 PM - Run 2
OTL by OldTimer - Version 3.1.30.3 Folder = C:\Documents and Settings\Boromir\Desktop\ComputerSoftware\MalwareForum G2G
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 58.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 78.00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.79 Gb Total Space | 29.42 Gb Free Space | 26.32% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ARWEN
Current User Name: Boromir
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/02/28 15:23:32 | 000,815,184 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2010/02/28 15:23:31 | 001,229,232 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2010/02/28 06:45:58 | 000,549,888 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Boromir\Desktop\ComputerSoftware\MalwareForum G2G\OTL.exe
PRC - [2010/02/24 19:11:56 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2010/02/11 11:53:42 | 002,756,488 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/02/11 11:53:39 | 000,040,384 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2010/01/11 15:21:52 | 000,246,504 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Common Files\Java\Java Update\jusched.exe
PRC - [2009/12/18 08:58:00 | 000,040,368 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
PRC - [2009/12/08 21:29:44 | 000,240,992 | ---- | M] (Microsoft Corp.) -- C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe
PRC - [2009/08/28 18:42:54 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/08/18 11:29:22 | 001,529,728 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
PRC - [2009/08/18 11:29:22 | 000,183,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
PRC - [2009/08/07 17:15:06 | 000,242,048 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2009/07/17 11:12:14 | 000,288,080 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
PRC - [2009/04/20 09:10:48 | 000,084,464 | ---- | M] () -- C:\Program Files\Roxio Creator 2009 Special Edition\5.0\CPMonitor.exe
PRC - [2008/12/12 10:17:38 | 000,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/09/29 02:56:34 | 000,483,328 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
PRC - [2007/09/20 07:51:46 | 000,853,288 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
PRC - [2006/02/10 07:56:12 | 000,479,232 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
PRC - [2004/10/20 03:47:54 | 000,098,304 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
PRC - [2004/10/20 02:40:46 | 000,118,784 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
PRC - [2002/08/29 05:00:00 | 000,016,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\unsecapp.exe
PRC - [2002/03/21 21:41:56 | 000,094,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Hardware\Keyboard\type32.exe


========== Modules (SafeList) ==========

MOD - [2010/02/28 06:45:58 | 000,549,888 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Boromir\Desktop\ComputerSoftware\MalwareForum G2G\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2010/02/28 15:23:31 | 001,229,232 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2010/02/24 19:11:56 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2010/02/11 11:53:39 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/02/11 11:53:39 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/02/11 11:53:39 | 000,040,384 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2009/09/21 15:36:02 | 000,545,568 | ---- | M] (Apple Inc.) [On_Demand | Stopped] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/08/28 18:42:54 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/08/23 14:00:06 | 000,136,120 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2009/08/18 11:29:22 | 001,529,728 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)
SRV - [2009/08/07 17:15:06 | 000,242,048 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2009/01/09 06:46:25 | 001,122,304 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxMediaDB11.exe -- (RoxMediaDB11)
SRV - [2008/12/12 10:17:38 | 000,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/08/14 00:25:24 | 000,367,088 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files\Roxio Creator 2009 Special Edition\Digital Home 11\RoxioUpnpService11.exe -- (Roxio Upnp Server 11)
SRV - [2008/08/14 00:25:20 | 000,313,840 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Roxio Creator 2009 Special Edition\Digital Home 11\RoxioUPnPRenderer11.exe -- (Roxio UPnP Renderer 11)
SRV - [2008/08/14 00:24:06 | 000,309,744 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxLiveShare11.exe -- (RoxLiveShare11)
SRV - [2008/08/14 00:24:02 | 000,170,480 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatch11.exe -- (RoxWatch11)
SRV - [2007/10/15 08:15:08 | 000,382,248 | ---- | M] (Nero AG) [On_Demand | Stopped] -- C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe -- (NMIndexingService)
SRV - [2007/09/29 02:56:34 | 000,483,328 | ---- | M] (ATI Technologies Inc.) [Auto | Running] -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2007/09/20 07:51:46 | 000,853,288 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe -- (Nero BackItUp Scheduler 3)
SRV - [2005/04/03 23:41:10 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004/10/20 03:47:54 | 000,098,304 | ---- | M] () [Auto | Running] -- C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor)
SRV - [2004/10/20 02:40:46 | 000,118,784 | ---- | M] () [Auto | Running] -- C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe -- (PhotoshopElementsDeviceConnect)
SRV - [2004/04/21 21:10:00 | 000,516,096 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Bing"
FF - prefs.js..browser.search.defaulturl: "http://www.bing.com/...TDF&PC=SUN1&q="
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..extensions.enabledItems: {27182e60-b5f3-411c-b545-b44205977502}:1.0
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..keyword.URL: "http://www.bing.com/...TDF&PC=SUN1&q="
FF - prefs.js..network.proxy.no_proxies_on: "*.local"

FF - HKLM\software\mozilla\Firefox\Extensions\\{27182e60-b5f3-411c-b545-b44205977502}: C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\ [2010/01/24 16:10:59 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/13 08:48:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/18 17:14:00 | 000,000,000 | ---D | M]

[2010/02/13 08:48:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Boromir\Application Data\Mozilla\Extensions
[2010/02/24 19:23:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Boromir\Application Data\Mozilla\Firefox\Profiles\9sdbysgq.default\extensions
[2010/02/16 20:27:51 | 000,002,176 | ---- | M] () -- C:\Documents and Settings\Boromir\Application Data\Mozilla\Firefox\Profiles\9sdbysgq.default\searchplugins\bing.xml
[2010/02/24 19:23:17 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/03/03 21:30:12 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (MSN Toolbar BHO) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\npwinext.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (MSN Toolbar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\npwinext.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - No CLSID value found.
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O4 - HKLM..\Run: [CPMonitor] C:\Program Files\Roxio Creator 2009 Special Edition\5.0\CPMonitor.exe ()
O4 - HKLM..\Run: [IntelliType] C:\Program Files\Microsoft Hardware\Keyboard\type32.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Microsoft Default Manager] C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe (Microsoft Corporation)
O4 - HKLM..\Run: [MSN Toolbar] C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe (Microsoft Corp.)
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatchTray11.exe (Sonic Solutions)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Development Company, L.P.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: _NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.ma...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitd...can8/oscan8.cab (Reg Error: Key error.)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onec...lscbase8942.cab (Windows Live Safety Center Base Module)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1191100832104 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {D3538D36-EEDA-4BC7-9C8D-8C1D066EBC56} http://hp.sonic.com/...cActivation.dll (SonicActivator Class)
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} http://download.micr...04/clearadj.cab (CTAdjust Class)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Boromir\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Boromir\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/01/29 11:53:31 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\G\Shell - "" = AutoRun
O33 - MountPoints2\G\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 14 Days ==========

[2010/03/04 19:59:22 | 000,315,408 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\5293467.sys
[2010/03/04 19:59:22 | 000,128,016 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\52934671.sys
[2010/03/04 19:59:22 | 000,037,392 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\52934672.sys
[2010/03/04 19:59:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Boromir\Desktop\Virus Removal Tool
[2010/03/03 21:41:29 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/03/01 19:41:26 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/03/01 19:40:27 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/03/01 19:40:27 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/03/01 19:40:27 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/03/01 19:40:27 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/03/01 19:36:41 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/03/01 19:32:10 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/02/28 15:24:03 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/02/28 15:22:25 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
[2010/02/27 10:35:44 | 000,019,024 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/02/27 10:35:43 | 000,162,512 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/02/27 10:35:42 | 000,023,376 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/02/27 10:35:40 | 000,046,672 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/02/27 10:35:38 | 000,100,432 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/02/27 10:35:38 | 000,094,800 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/02/27 10:35:38 | 000,028,880 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/02/27 10:35:26 | 000,153,184 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/02/27 10:35:26 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\avastSS.scr
[2010/02/27 10:35:16 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/02/27 10:35:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/02/27 09:47:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Boromir\Application Data\Malwarebytes
[2010/02/27 09:47:02 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/02/27 09:47:00 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/02/27 09:47:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/02/27 09:46:59 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/02/27 09:42:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/02/27 09:41:40 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/02/25 18:28:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Boromir\.FamilySearchIndexing
[2010/02/03 20:53:15 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2010/01/27 22:48:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/01/27 22:40:27 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2010/01/27 22:40:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/01/15 18:26:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/01/03 15:13:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Roxio
[2006/02/19 03:28:56 | 000,012,288 | ---- | C] (Hewlett-Packard Development Company, L.P.) -- C:\WINDOWS\Fonts\RandFont.dll

========== Files - Modified Within 14 Days ==========

[2010/03/05 18:35:28 | 000,000,426 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{6ECB3094-5C9E-4906-826A-E5ADEAB0D698}.job
[2010/03/05 18:34:06 | 000,012,642 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/05 18:25:50 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/03/05 18:24:51 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/05 18:24:44 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/05 18:23:28 | 006,291,456 | ---- | M] () -- C:\Documents and Settings\Boromir\NTUSER.DAT
[2010/03/05 18:23:28 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Boromir\ntuser.ini
[2010/03/05 07:52:04 | 000,074,699 | ---- | M] () -- C:\Documents and Settings\Boromir\Desktop\kas2.jpg
[2010/03/05 07:50:31 | 000,072,064 | ---- | M] () -- C:\Documents and Settings\Boromir\Desktop\kas.jpg
[2010/03/03 21:30:31 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/03/03 21:30:12 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/03/02 19:06:26 | 000,000,428 | ---- | M] () -- C:\WINDOWS\zipgenius.xml
[2010/03/02 19:02:57 | 000,000,254 | ---- | M] () -- C:\Documents and Settings\Boromir\jobq.dat
[2010/03/02 19:00:26 | 000,001,939 | ---- | M] () -- C:\Documents and Settings\Boromir\Desktop\FamilySearch Indexing.lnk
[2010/03/01 19:41:33 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/02/28 20:12:39 | 000,048,128 | ---- | M] () -- C:\Documents and Settings\Boromir\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/02/28 15:24:02 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/02/28 15:23:58 | 000,015,880 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
[2010/02/28 15:22:21 | 000,000,908 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2010/02/27 17:10:29 | 000,001,173 | ---- | M] () -- C:\Documents and Settings\Boromir\Application Data\mainhst.zgh
[2010/02/27 10:35:45 | 000,001,741 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/02/27 10:35:39 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/02/27 09:47:05 | 000,000,737 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/20 19:26:41 | 000,263,024 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

========== Files Created - No Company Name ==========

[2010/03/05 07:52:04 | 000,074,699 | ---- | C] () -- C:\Documents and Settings\Boromir\Desktop\kas2.jpg
[2010/03/05 07:50:30 | 000,072,064 | ---- | C] () -- C:\Documents and Settings\Boromir\Desktop\kas.jpg
[2010/03/02 19:02:57 | 000,000,254 | ---- | C] () -- C:\Documents and Settings\Boromir\jobq.dat
[2010/03/01 19:41:33 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/03/01 19:41:29 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/03/01 19:40:27 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/03/01 19:40:27 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/03/01 19:40:27 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/03/01 19:40:27 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/03/01 19:40:27 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/02/28 15:22:21 | 000,000,908 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2010/02/27 10:35:45 | 000,001,741 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/02/27 09:47:05 | 000,000,737 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/20 19:26:41 | 000,263,024 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/02/13 12:21:46 | 000,146,760 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/01/25 19:56:05 | 000,015,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2009/11/17 19:48:50 | 000,001,173 | ---- | C] () -- C:\Documents and Settings\Boromir\Application Data\mainhst.zgh
[2009/11/14 10:50:41 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/01/05 15:44:10 | 000,000,453 | ---- | C] () -- C:\WINDOWS\bdoscandellang.ini
[2008/01/19 12:20:14 | 000,000,280 | ---- | C] () -- C:\WINDOWS\System32\epoPGPsdk.dll.sig
[2008/01/10 18:49:15 | 000,000,043 | ---- | C] () -- C:\WINDOWS\hpfccopy.INI
[2008/01/09 07:45:29 | 000,003,312 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2007/05/07 22:47:47 | 000,000,059 | ---- | C] () -- C:\WINDOWS\LTDLG13N.INI
[2007/02/12 19:21:28 | 000,548,864 | ---- | C] () -- C:\WINDOWS\System32\hpgtg400.dll
[2006/09/23 09:25:43 | 000,040,576 | ---- | C] () -- C:\WINDOWS\System32\drivers\sdcplh.sys
[2006/06/04 09:08:06 | 000,000,312 | ---- | C] () -- C:\WINDOWS\topo4.INI
[2005/10/17 10:03:50 | 000,000,130 | ---- | C] () -- C:\Documents and Settings\Boromir\Local Settings\Application Data\fusioncache.dat
[2005/07/19 19:17:34 | 000,000,157 | ---- | C] () -- C:\WINDOWS\matlab.ini
[2005/03/21 12:44:22 | 000,000,035 | ---- | C] () -- C:\WINDOWS\A5W.INI
[2004/07/11 13:20:37 | 000,048,128 | ---- | C] () -- C:\Documents and Settings\Boromir\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2004/07/10 19:23:17 | 000,018,944 | ---- | C] () -- C:\Documents and Settings\Boromir\Local Settings\Application Data\FASTWiz.log
[2004/07/10 19:23:17 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Boromir\Local Settings\Application Data\FASTWiz.html
[2004/01/31 13:35:36 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/01/31 12:55:14 | 000,000,520 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/01/30 15:29:25 | 000,000,209 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2004/01/30 15:07:46 | 000,245,408 | ---- | C] () -- C:\WINDOWS\System32\unicows.dll
[2004/01/20 13:14:15 | 000,004,428 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2004/01/20 12:59:48 | 000,000,042 | ---- | C] () -- C:\WINDOWS\AcrobatSetupStatus.ini
[2004/01/20 12:54:16 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/01/20 09:23:18 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/09/02 15:51:00 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\idecoi.dll

========== LOP Check ==========

[2010/02/27 10:35:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/01/25 20:00:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2009/10/11 11:37:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LightScribe
[2005/04/27 21:57:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Network Associates
[2007/04/18 18:16:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RootsMagic
[2009/01/03 17:41:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
[2009/01/03 13:16:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Uninstall
[2009/11/14 11:57:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2010/02/28 15:22:27 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
[2009/10/17 09:47:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2007/09/29 14:52:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Boromir\Application Data\GARMIN
[2008/03/22 16:55:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Boromir\Application Data\gtk-2.0
[2009/11/17 19:32:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Boromir\Application Data\Helios
[2004/07/10 22:13:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Boromir\Application Data\Jasc
[2007/05/07 22:19:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Boromir\Application Data\RootsMagic
[2009/10/24 12:25:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Boromir\Application Data\Scooter Software
[2009/11/17 20:11:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Boromir\Application Data\ZipGenius
[2010/03/05 18:25:50 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2010/03/05 18:35:28 | 000,000,426 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{6ECB3094-5C9E-4906-826A-E5ADEAB0D698}.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Boromir\My Documents\Slideshow.dmsm:Roxio EMC Stream
< End of report >
  • 0

#12
Rorschach112
Posted 07 March 2010 - 06:59 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Your logs are clean


Follow these steps to uninstall Combofix and tools used in the removal of malware

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
    Posted Image
  • Please follow the prompts to uninstall Combofix.
  • You will then recieve a message saying Combofix was uninstalled successfully once it's done uninstalling itself.



  • Download OTC to your desktop and run it
  • Click Yes to beginning the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.



Below I have included a number of recommendations for how to protect your computer against malware infections.
  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer has always the latest security updates available installed on your computer.

  • SpywareBlaster protects against bad ActiveX, it immunizes your PC against them.

  • SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program ( eg : TeaTimer, Windows Defender ) or there will be a conflict.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • TFC - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

  • Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
    secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
    blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
    Here


    If you choose to use Firefox, I highly recommend these add-ons to keep your PC even more secure.
    • NoScript - for blocking ads and other potential website attacks
    • McAfee SiteAdvisor - this tells you whether the sites you are about to visit are safe or not. A must if you do a lot of Googling

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated. Its important to keep programs up to date so that malware doesn't exploit any old security flaws.

  • Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.

  • Please read my guide on how to prevent malware and about safe computing here
Thank you for your patience, and performing all of the procedures requested.
  • 0

#13
jherokee
Posted 08 March 2010 - 10:04 PM

jherokee

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Thanks for your help getting this machine clean. I appreciate your time and expertise.

A few questions about your reccommendations:
- I am confused about when and how the various programs work.
Spyblaster, Spyguard, Avast, Ad-Aware.

Avast runs in the background, all the time, and doesn't need any interaction.

What about Spyblaster, Spyguard, Adware. If installed do they run in the background and need not interaction? Or are they duplicating functionality and I should only have one installed? I already installed, but am not opposed to un-installing Ad-aware.

In the process of getting this computer clean, you had me install Malwarebytes. This sounds like a duplicate of the above programs. If I have MBAM installed, is it running all the time?

Can you see my confusion? What do you reccommend? I would rely on your expertise for advice.

- When do I run ERUNT or recovery console?

- What about File Hippo?
  • 0

#14
Rorschach112
Posted 09 March 2010 - 05:24 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
You can remove ad-aware its not that good

SpywareGuard runs in the background, SpywareBlaster you need to run and update yourself

MBAM wont run all the time. These programs can work fine together


Run ERUNT every few months or if you are doing a big update to your PC. Don't touch the recovery console


FileHippo run once a week
  • 0

#15
Rorschach112
Posted 15 March 2010 - 06:49 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP