
Trojan Vundo - MalwareBytes can't remove [Solved]


  • This topic is locked This topic is locked

#1 Cixelsyd (Member, 82 posts)

Hi,

This hit me today. I ran Malwarebytes and it got rid of the SpywareDoctor stuff, but the Vundo trojan was supposed to be cleaned on reboot. I saw a similar topic and followed the instructions for the initial logs from Rooter and OTLI2. I've included these here with the Malwarebytes log. Any help will be appreciated, as this is my work laptop that is down.

==============Malwarebytes=================================
Malwarebytes' Anti-Malware 1.36
Database version: 2000
Windows 5.1.2600 Service Pack 3

4/18/2009 10:05:52 AM
mbam-log-2009-04-18 (10-05-52).txt

Scan type: Full Scan (C:\|)
Objects scanned: 41721
Time elapsed: 7 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8996ff8-c922-4e13-8475-29111fb8ee1c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ososarbw (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{b8996ff8-c922-4e13-8475-29111fb8ee1c} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\lkomgpx.dll (Trojan.Vundo.H) -> Delete on reboot.


========================= Rooter ====================================
Microsoft Windows XP Professional (5.1.2600) Service Pack 3

C:\ [Fixed] - NTFS - (Total:76316 Mo/Free:2438 Mo)
D:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
F:\ [Removable] (Total:503 Mo/Free:457 Mo)

Sat 04/18/2009|18:42

----------------------\\ Processes..

--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\WLTRYSVC.EXE
---------- C:\WINDOWS\System32\bcmwltry.exe
---------- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
---------- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
---------- C:\WINDOWS\system32\spoolsv.exe
---------- C:\WINDOWS\System32\SCardSvr.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
---------- C:\Program Files\Bonjour\mDNSResponder.exe
---------- C:\Program Files\Symantec AntiVirus\DefWatch.exe
---------- C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
---------- C:\WINDOWS\system32\nvsvc32.exe
---------- C:\Program Files\Common Files\ICWM\Printer\RDIConverterService.exe
---------- C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
---------- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
---------- C:\WINDOWS\System32\alg.exe
---------- C:\WINDOWS\system32\wbem\wmiprvse.exe
---------- C:\WINDOWS\Explorer.EXE
---------- C:\WINDOWS\system32\rundll32.exe
---------- C:\WINDOWS\system32\RUNDLL32.EXE
---------- C:\WINDOWS\stsystra.exe
---------- C:\Program Files\Dell\QuickSet\quickset.exe
---------- C:\Program Files\DellTPad\Apoint.exe
---------- C:\PROGRA~1\SYMANT~1\VPTray.exe
---------- C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
---------- C:\WINDOWS\system32\WLTRAY.exe
---------- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
---------- C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
---------- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
---------- C:\Program Files\iTunes\iTunesHelper.exe
---------- C:\Program Files\DellTPad\ApMsgFwd.exe
---------- C:\WINDOWS\system32\ctfmon.exe
---------- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
---------- C:\Program Files\DellTPad\HidFind.exe
---------- C:\Program Files\DellTPad\Apntex.exe
---------- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
---------- C:\Program Files\Digital Line Detect\DLG.exe
---------- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
---------- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
---------- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
---------- C:\Program Files\iPod\bin\iPodService.exe
---------- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
---------- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
---------- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
---------- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
---------- C:\Documents and Settings\sludwick\Desktop\Logs\Rooter.exe
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\ Search..

Trojan ! .. C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\lkomgpx.dll,DllMain -

----------------------\\ Tasks

C:\WINDOWS\tasks\At1.job

----------------------\\ ROOTKIT !!



1 - "C:\Rooter$\Rooter_1.txt" - Sat 04/18/2009|18:43

----------------------\\ Scan completed at 18:43

================================== OTLI2 =======================================

OTListIt logfile created on: 4/18/2009 6:46:12 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.14.0 Folder = C:\Documents and Settings\sludwick\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 34.38 Gb Free Space | 46.13% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 503.47 Mb Total Space | 457.69 Mb Free Space | 90.91% Space Free | Partition Type: FAT
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SAC-JCL8WD1
Current User Name: sludwick
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\WINDOWS\System32\WLTRYSVC.EXE ()
PRC - C:\WINDOWS\System32\bcmwltry.exe (Dell Inc.)
PRC - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (Symantec Corporation)
PRC - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (Lavasoft)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
PRC - C:\Program Files\Symantec AntiVirus\DefWatch.exe (Symantec Corporation)
PRC - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe (Dell Inc.)
PRC - C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
PRC - C:\Program Files\Common Files\ICWM\Printer\RDIConverterService.exe (Web Meeting)
PRC - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe (SigmaTel, Inc.)
PRC - C:\Program Files\Symantec AntiVirus\Rtvscan.exe (Symantec Corporation)
PRC - C:\WINDOWS\system32\wbem\wmiprvse.exe (Microsoft Corporation)
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
PRC - C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
PRC - C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
PRC - C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
PRC - C:\WINDOWS\system32\WLTRAY.exe (Dell Inc.)
PRC - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
PRC - C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
PRC - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
PRC - C:\Program Files\DellTPad\ApMsgFwd.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
PRC - C:\Program Files\DellTPad\HidFind.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\DellTPad\Apntex.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe (TOSHIBA CORPORATION.)
PRC - C:\Program Files\Digital Line Detect\DLG.exe (Avanquest Software )
PRC - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe (TOSHIBA CORPORATION.)
PRC - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe (TOSHIBA CORPORATION.)
PRC - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe (TOSHIBA CORPORATION.)
PRC - C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
PRC - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
PRC - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe (TOSHIBA CORPORATION.)
PRC - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe (TOSHIBA CORPORATION.)
PRC - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (Cisco Systems, Inc.)
PRC - C:\Documents and Settings\sludwick\Desktop\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (aawservice [Auto | Running]) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (Lavasoft)
SRV - (Apple Mobile Device [Auto | Running]) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (Bonjour Service [Auto | Running]) -- C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
SRV - (ccEvtMgr [Disabled | Stopped]) -- File not found
SRV - (ccSetMgr [Auto | Running]) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (Symantec Corporation)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (CVPND [Auto | Running]) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (Cisco Systems, Inc.)
SRV - (DefWatch [Auto | Running]) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe (Symantec Corporation)
SRV - (FLEXnet Licensing Service [On_Demand | Running]) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (FontCache3.0.0.0 [On_Demand | Stopped]) -- c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
SRV - (gusvc [On_Demand | Stopped]) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (Google)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (IDriverT [On_Demand | Stopped]) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (idsvc [Unknown | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
SRV - (iPod Service [On_Demand | Running]) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (LiveUpdate [On_Demand | Stopped]) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_1.EXE (Symantec Corporation)
SRV - (NetTcpPortSharing [Disabled | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
SRV - (NICCONFIGSVC [Auto | Running]) -- C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe (Dell Inc.)
SRV - (NVSvc [Auto | Running]) -- C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
SRV - (odserv [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)
SRV - (ose [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (RDIConverterPrintHelper [Auto | Running]) -- C:\Program Files\Common Files\ICWM\Printer\RDIConverterService.exe (Web Meeting)
SRV - (SavRoam [On_Demand | Stopped]) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe (symantec)
SRV - (SNDSrvc [Disabled | Stopped]) -- File not found
SRV - (SPBBCSvc [Auto | Stopped]) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (Symantec Corporation)
SRV - (STacSV [Auto | Running]) -- C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe (SigmaTel, Inc.)
SRV - (Symantec AntiVirus [Auto | Running]) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe (Symantec Corporation)
SRV - (wltrysvc [Auto | Running]) -- C:\WINDOWS\System32\WLTRYSVC.EXE ()
SRV - (WMPNetworkSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (ApfiltrService [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\Apfiltr.sys (Alps Electric Co., Ltd.)
DRV - (APPDRV [System | Running]) -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS (Dell Inc)
DRV - (b57w2k [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\b57xp32.sys (Broadcom Corporation)
DRV - (BCM43XX [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\bcmwl5.sys (Broadcom Corp.)
DRV - (cercsr6 [Boot | Stopped]) -- C:\WINDOWS\System32\drivers\cercsr6.sys (Adaptec, Inc.)
DRV - (CSRBC [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\csrbcxp.sys (CSR, plc)
DRV - (CVirtA [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\CVirtA.sys (Cisco Systems, Inc.)
DRV - (CVPNDRVA [Auto | Running]) -- C:\WINDOWS\system32\Drivers\CVPNDRVA.sys (Cisco Systems, Inc.)
DRV - (DNE [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\dne2000.sys (Deterministic Networks, Inc.)
DRV - (eeCtrl [System | Running]) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
DRV - (EraserUtilRebootDrv [On_Demand | Running]) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)
DRV - (GEARAspiWDM [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (guardian2 [On_Demand | Running]) -- C:\WINDOWS\System32\Drivers\oz776.sys (O2Micro)
DRV - (HDAudBus [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HDAudBus.sys (Windows ® Server 2003 DDK provider)
DRV - (HSFHWAZL [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys (Conexant Systems, Inc.)
DRV - (HSF_DPV [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys (Conexant Systems, Inc.)
DRV - (ialm [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\igxpmp32.sys (Intel Corporation)
DRV - (mdmxsdk [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys (Conexant)
DRV - (NAVENG [On_Demand | Stopped]) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090418.004\NAVENG.SYS (Symantec Corporation)
DRV - (NAVEX15 [On_Demand | Stopped]) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090418.004\NAVEX15.SYS (Symantec Corporation)
DRV - (nv [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\nv4_mini.sys (NVIDIA Corporation)
DRV - (ohchgnbq [Boot | Running]) -- C:\WINDOWS\system32\drivers\ohchgnbq.sys (Microsoft Corporation)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (SAVRTPEL [System | Running]) -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys (Symantec Corporation)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (SPBBCDrv [System | Running]) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (Symantec Corporation)
DRV - (STHDA [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\sthda.sys (SigmaTel, Inc.)
DRV - (SymEvent [On_Demand | Running]) -- C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Corporation)
DRV - (SYMREDRV [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS (Symantec Corporation)
DRV - (SYMTDI [Disabled | Stopped]) -- C:\WINDOWS\System32\drivers\symtdi.sys (Symantec Corporation)
DRV - (tosporte [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\tosporte.sys (TOSHIBA Corporation)
DRV - (tosrfbd [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\tosrfbd.sys (TOSHIBA CORPORATION)
DRV - (tosrfbnp [On_Demand | Running]) -- C:\WINDOWS\System32\Drivers\tosrfbnp.sys (TOSHIBA Corporation)
DRV - (Tosrfcom [System | Running]) -- C:\WINDOWS\System32\Drivers\tosrfcom.sys (TOSHIBA Corporation)
DRV - (Tosrfhid [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\Tosrfhid.sys (TOSHIBA Corporation.)
DRV - (tosrfnds [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\tosrfnds.sys (TOSHIBA Corporation.)
DRV - (Tosrfusb [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\tosrfusb.sys (TOSHIBA CORPORATION)
DRV - (winachsf [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys (Conexant Systems, Inc.)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>



O1 HOSTS File: (303487 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 browser-security.microsoft.com
O1 - Hosts: 127.0.0.1 swp2009.com
O1 - Hosts: 127.0.0.1 spyprotect2009.com
O1 - Hosts: 127.0.0.1 sp-protect2009.com
O1 - Hosts: 127.0.0.1 sys-protection.com
O1 - Hosts: 127.0.0.1 sysguard2009.com
O1 - Hosts: 127.0.0.1 os-protection.com
O1 - Hosts: 127.0.0.1 spy-protect-2009.com
O1 - Hosts: 127.0.0.1 spywprotect.com
O1 - Hosts: 127.0.0.1 adwareguard.net
O1 - Hosts: 127.0.0.1 antivirus-win.com
O1 - Hosts: 127.0.0.1 spywrprotect-2009.com
O1 - Hosts: 127.0.0.1 sysprotect.net
O1 - Hosts: 127.0.0.1 spwprotect2009.com
O1 - Hosts: 127.0.0.1 spy-protec.com
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 10459 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: () - {B8996FF8-C922-4E13-8475-29111FB8EE1C} - c:\windows\system32\lkomgpx.dll ()
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (&Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" (Adobe Systems Inc.)
O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe (Dell Inc.)
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start (InstallShield Software Corporation)
O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" (Apple Inc.)
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
O4 - HKLM..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] nwiz.exe /installquiet ()
O4 - HKLM..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" (CyberLink Corp.)
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe (Symantec Corporation)
O4 - HKCU..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe (Adobe Systems Incorporated)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk = C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe (TOSHIBA CORPORATION.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (Avanquest Software )
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk = C:\WINDOWS\Installer\{4C271126-C295-4828-A901-5910AE0C258B}\Icon3E5562ED7.ico ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption = Notice and Consent to Monitoring
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext = [String data over 1000 bytes]
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: 48 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} http://support.dell....iler/SysPro.CAB (SysProWmi Class)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebo...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://www.pcpitstop...t/PCPitStop.CAB (PCPitstop Utility)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1205176248203 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://dl8-cdn-01.su...ows-i586-jc.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {8D3314D6-5914-46C1-9F3D-9F14B6A305F1} http://www.mytpi.com...ectuploader.cab (eCTUploader Control)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://amexweb.webe...bex/ieatgpc.cab (GpcContainer Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = taic.net
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O20 - Winlogon\Notify\ososarbw: DllName - lkomgpx.dll - C:\WINDOWS\system32\lkomgpx.dll ()
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O29 - HKLM SecurityProviders - (mcenspc.dll) - File not found
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - Autorun File - C:\AUTOEXEC.BAT () - [ NTFS ]
O33 - MountPoints2\{1e2e1f43-a72e-11dd-8565-001d604005da}\Shell\AutoRun\command - "" = E:\system\viewer\FlipVideoforPC.exe -- File not found
O33 - MountPoints2\{1e2e1f43-a72e-11dd-8565-001d604005da}\Shell\Flip Video for PC\command - "" = E:\system\viewer\FlipVideoforPC.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O34 - HKLM BootExecute: (ootExecute) - File not found
O34 - HKLM BootExecute: (settings...) - File not found
O34 - HKLM BootExecute: (on\E) - File not found

========== Files/Folders - Created Within 30 Days ==========

[7 C:\WINDOWS\*.tmp files]
[2009/04/18 18:42:55 | 00,000,000 | ---D | C] -- C:\Rooter$
[2009/04/18 18:42:41 | 00,501,248 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\sludwick\Desktop\OTListIt2.exe
[2009/04/18 18:42:41 | 00,267,612 | ---- | C] () -- C:\Documents and Settings\sludwick\Desktop\Rooter.exe
[2009/04/18 18:42:41 | 00,000,000 | ---D | C] -- C:\Documents and Settings\sludwick\Desktop\Logs
[2009/04/18 18:10:58 | 00,096,978 | ---- | C] (Business Information Solutions) -- C:\Documents and Settings\sludwick\Desktop\VirtumundoBeGone.exe
[2009/04/18 17:48:19 | 00,000,000 | ---D | C] -- C:\VundoFix Backups
[2009/04/18 10:43:16 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\sludwick\Desktop\HijackThis.lnk
[2009/04/18 10:43:16 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/04/18 10:43:11 | 00,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\sludwick\Desktop\HJTInstall.exe
[2009/04/18 09:33:22 | 00,173,456 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\sludwick\Desktop\FixVundo.exe
[2009/04/18 06:35:27 | 00,182,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndis.sys
[2009/04/18 06:30:05 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\nfr.assembly
[2009/04/17 22:00:44 | 00,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/04/17 22:00:20 | 00,000,000 | ---D | C] -- C:\Program Files\iPod
[2009/04/17 22:00:10 | 00,000,000 | ---D | C] -- C:\Program Files\iTunes
[2009/04/17 22:00:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/04/17 21:50:04 | 00,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2009/04/14 19:16:02 | 00,284,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pdh.dll
[2009/04/14 19:16:01 | 00,729,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll
[2009/04/14 19:16:01 | 00,714,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntdll.dll
[2009/04/14 19:16:01 | 00,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\advapi32.dll
[2009/04/14 19:16:01 | 00,473,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fastprox.dll
[2009/04/14 19:16:01 | 00,453,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvsd.dll
[2009/04/14 19:16:01 | 00,401,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rpcss.dll
[2009/04/14 19:16:01 | 00,227,840 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvse.exe
[2009/04/14 19:16:01 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\services.exe
[2009/04/14 19:12:34 | 00,215,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wordpad.exe
[2009/04/14 19:12:34 | 00,002,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsp4res.dll
[2009/04/09 11:12:07 | 00,000,000 | ---D | C] -- C:\Documents and Settings\sludwick\My Documents\MBI
[2009/04/01 23:47:32 | 00,010,296 | ---- | C] () -- C:\Documents and Settings\sludwick\My Documents\lyrics.docx
[2009/03/25 17:00:32 | 00,264,304 | ---- | C] () -- C:\Documents and Settings\sludwick\Desktop\Scan001.PDF
[2009/03/25 10:44:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\sludwick\Application Data\Malwarebytes
[2009/03/25 10:44:40 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/03/25 10:44:40 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/03/25 10:44:38 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/03/25 10:44:37 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/03/25 10:44:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/03/25 10:40:17 | 00,000,000 | ---D | C] -- C:\WINDOWS\4C271126C2954828A9015910AE0C258B.TMP
[2009/03/25 02:45:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\sludwick\Local Settings\Application Data\quobarxz
[2009/03/25 02:45:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\sludwick\Application Data\quobarxz
[2009/03/22 19:25:12 | 00,000,000 | ---D | C] -- C:\Documents and Settings\sludwick\Application Data\Mozilla
[2009/03/22 17:29:23 | 00,000,434 | ---- | C] () -- C:\WINDOWS\tasks\At1.job
[2009/03/21 07:06:58 | 00,989,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kernel32.dll
[2009/03/19 11:54:23 | 00,000,095 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/12/10 16:37:56 | 00,000,000 | ---- | C] () -- C:\WINDOWS\webica.ini
[2008/10/09 14:01:24 | 00,051,304 | ---- | C] () -- C:\WINDOWS\System32\drivers\atnt40k.sys
[2008/10/02 00:41:11 | 00,000,056 | RHS- | C] () -- C:\WINDOWS\System32\6125160107.sys
[2008/10/01 23:55:33 | 00,004,182 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2008/09/05 08:33:20 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/05/14 08:19:44 | 00,139,264 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2008/05/14 08:19:42 | 00,753,664 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2008/04/17 09:08:56 | 00,197,408 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2008/04/17 09:08:44 | 00,193,312 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2008/02/22 11:46:31 | 00,910,304 | ---- | C] () -- C:\WINDOWS\System32\igmedkrn.dll
[2008/02/22 11:46:31 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4831.dll
[2008/02/18 23:33:34 | 00,446,352 | ---- | C] () -- C:\WINDOWS\System32\OpenQuicktimeLib.dll
[2008/01/22 12:49:09 | 00,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2008/01/22 10:57:39 | 00,000,000 | ---- | C] () -- C:\WINDOWS\tosOBEX.INI
[2008/01/22 10:21:02 | 01,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2008/01/22 10:21:02 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2008/01/22 10:21:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008/01/22 10:20:58 | 01,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/08/07 17:02:14 | 00,182,656 | ---- | C] () -- C:\WINDOWS\System32\drivers\symndis.sys
[2005/09/02 15:44:08 | 00,110,592 | ---- | C] () -- C:\WINDOWS\System32\TosBtAcc.dll
[2005/07/22 22:30:20 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\TosCommAPI.dll
[2004/08/04 03:00:00 | 00,105,472 | ---- | C] () -- C:\WINDOWS\System32\vkeajkm.dll
[2004/08/04 03:00:00 | 00,105,472 | ---- | C] () -- C:\WINDOWS\System32\lkomgpx.dll
[2004/08/04 03:00:00 | 00,000,582 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/04 03:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2004/07/20 18:04:02 | 00,094,208 | ---- | C] () -- C:\WINDOWS\System32\TosBtHcrpAPI.dll
[2004/01/15 15:43:28 | 00,114,688 | ---- | C] () -- C:\WINDOWS\System32\TBTMonUI.dll

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[7 C:\WINDOWS\*.tmp files]
[2009/04/18 18:40:32 | 00,267,612 | ---- | M] () -- C:\Documents and Settings\sludwick\Desktop\Rooter.exe
[2009/04/18 18:18:39 | 00,526,710 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/04/18 18:18:39 | 00,445,096 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/04/18 18:18:39 | 00,072,554 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/04/18 18:16:38 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\sludwick\Desktop\OTListIt2.exe
[2009/04/18 18:14:48 | 00,063,434 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2009/04/18 18:14:42 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/04/18 18:13:56 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/04/18 18:13:44 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/04/18 18:12:33 | 04,829,320 | -H-- | M] () -- C:\Documents and Settings\sludwick\Local Settings\Application Data\IconCache.db
[2009/04/18 17:55:54 | 00,096,978 | ---- | M] (Business Information Solutions) -- C:\Documents and Settings\sludwick\Desktop\VirtumundoBeGone.exe
[2009/04/18 17:42:45 | 00,000,434 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2009/04/18 10:43:16 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\sludwick\Desktop\HijackThis.lnk
[2009/04/18 10:40:58 | 00,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\sludwick\Desktop\HJTInstall.exe
[2009/04/18 09:31:54 | 00,173,456 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\sludwick\Desktop\FixVundo.exe
[2009/04/18 06:35:27 | 00,182,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\ndis.sys
[2009/04/18 06:35:27 | 00,182,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndis.sys
[2009/04/18 06:30:05 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\nfr.assembly
[2009/04/17 22:00:44 | 00,001,804 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/04/17 21:46:00 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/04/15 15:04:43 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/04/10 22:37:46 | 00,022,016 | ---- | M] () -- C:\Documents and Settings\sludwick\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/04/06 15:32:54 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/06 15:32:46 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/04/06 07:57:24 | 24,921,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/04/01 23:47:32 | 00,010,296 | ---- | M] () -- C:\Documents and Settings\sludwick\My Documents\lyrics.docx
[2009/03/26 23:58:38 | 01,203,922 | ---- | M] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009/03/25 17:00:34 | 00,264,304 | ---- | M] () -- C:\Documents and Settings\sludwick\Desktop\Scan001.PDF
[2009/03/25 10:44:40 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/03/25 08:17:39 | 00,002,447 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
[2009/03/21 07:06:58 | 00,989,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\kernel32.dll
[2009/03/21 07:06:58 | 00,989,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kernel32.dll

========== LOP Check ==========

[2009/04/17 22:00:10 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2009/04/17 22:00:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2008/09/03 16:34:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2008/10/29 08:35:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple
[2008/10/29 08:36:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2008/01/22 12:46:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CyberLink
[2008/01/22 10:33:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Dell
[2008/12/19 21:05:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FLEXnet
[2009/01/16 00:16:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Google
[2008/10/02 00:04:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InstallShield
[2009/03/10 17:52:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2009/03/25 10:44:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2008/09/14 12:12:50 | 00,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2009/04/15 15:02:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft Help
[2008/09/10 12:33:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Skype
[2009/03/19 11:44:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2008/01/22 11:24:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Symantec
[2009/03/19 11:05:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2008/01/22 10:35:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\UIB
[2008/01/22 11:55:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2009/03/25 10:44:42 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\sludwick\Application Data
[2009/02/18 12:35:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\sludwick\Application Data\Adobe
[2008/11/26 12:30:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\sludwick\Application Data\Apple Computer
[2008/10/02 00:41:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\sludwick\Application Data\Corel
[2008/09/03 14:40:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\sludwick\Application Data\Dell
[2008/09/10 16:14:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\sludwick\Application Data\Google
[2008/12/10 16:55:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\sludwick\Application Data\ICAClient
[2008/09/03 14:39:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\sludwick\Application Data\Identities
[2008/09/10 12:27:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\sludwick\Application Data\Macromedia
[2009/03/25 10:44:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\sludwick\Application Data\Malwarebytes
[2009/02/23 22:14:43 | 00,000,000 | --SD | M] -- C:\Documents and Settings\sludwick\Application Data\Microsoft
[2009/02/13 17:50:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\sludwick\Application Data\Move Networks
[2009/03/22 19:25:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\sludwick\Application Data\Mozilla
[2009/03/25 02:45:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\sludwick\Application Data\quobarxz
[2009/04/17 14:01:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\sludwick\Application Data\Skype
[2009/04/17 08:20:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\sludwick\Application Data\skypePM
[2008/09/12 07:56:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\sludwick\Application Data\Sun
[2009/01/30 14:04:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\sludwick\Application Data\Web Meeting
[2008/11/21 11:00:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\sludwick\Application Data\webex
[2009/04/17 21:46:00 | 00,000,284 | ---- | M] () -- C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
[2009/04/18 17:42:45 | 00,000,434 | ---- | M] () -- C:\WINDOWS\Tasks\At1.job
[2004/08/04 03:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/04/18 18:13:56 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========


========== Alternate Data Streams ==========

@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >


=============================== Extras.txt from OTLI =============================

OTListIt Extras logfile created on: 4/18/2009 6:46:13 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.14.0 Folder = C:\Documents and Settings\sludwick\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 34.38 Gb Free Space | 46.13% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 503.47 Mb Total Space | 457.69 Mb Free Space | 90.91% Space Free | Partition Type: FAT
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SAC-JCL8WD1
Current User Name: sludwick
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"80:TCP" = 80:TCP:*:Enabled:dll32
"7171:TCP" = 7171:TCP:*:Enabled:dll32

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 (Microsoft Corporation)
C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype (Skype Technologies S.A.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 (Microsoft Corporation)
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook (Microsoft Corporation)
C:\WINDOWS\svcho.exe:*:Enabled:enable File not found
C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype (Skype Technologies S.A.)
C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour (Apple Inc.)
C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes (Apple Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{10E1FC7C-AB9E-4851-AEC7-8A189A1E7281}" = LogoEase
"{15095BF3-A3D7-4DDF-B193-3A496881E003}" = Microsoft .NET Framework 3.0
"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{281ECE39-F043-492B-8337-F2E546B5604A}" = PowerDVD
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{33CFCF98-F8D6-4549-B469-6F4295676D83}" = Symantec AntiVirus
"{343D8DE3-AE1F-431A-830C-B66352E8CA12}" = OZ776 SCR Driver V1.1.3.9
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{42929F0F-CE14-47AF-9FC7-FF297A603021}" = Dell Resource CD
"{465DC07E-3390-401A-A190-6078D73AB4C6}" = CorelDRAW Graphics Suite 12
"{491DD792-AD81-429C-9EB4-86DD3D22E333}" = Windows Communication Foundation
"{4C271126-C295-4828-A901-5910AE0C258B}" = Cisco Systems VPN Client 5.0.03.0530
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype™ 3.8
"{5EFCBB42-36AB-4FF9-B90C-E78C7B9EE7B3}" = iTunes
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}" = Windows Workflow Foundation
"{82CA0A0C-A3EC-4167-B694-909205B2EDEC}" = muvee Plugin 1.0
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{903A0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Project Standard 2003
"{90530409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Visio Standard 2003
"{91120000-0031-0000-0000-0000000FF1CE}" = Microsoft Office Professional Hybrid 2007
"{91120000-0031-0000-0000-0000000FF1CE}_PROHYBRIDR_{BEE75E01-DD3F-4D5F-B96C-609E6538D419}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{94FE0F65-26F1-4AAF-A772-1B6484564DAE}" = InterCall Web Meeting
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Dell Touchpad
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{AC76BA86-1033-F400-BA7E-000000000003}" = Adobe Acrobat 8 Standard - English, Français, Deutsch
"{AFA20D47-69C3-4030-8DF8-D37466E70F13}" = Apple Mobile Device Support
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BD65CAC7-6D63-4D56-BED0-B610281256DF}" = CorelDRAW Graphics Suite 12 Setup Files
"{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}" = Bluetooth Stack for Windows by Toshiba
"{D3B3B9B2-FE73-44CB-8C0A-F737D92F991B}" = Broadcom Gigabit Integrated Controller
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1" = AusLogics Disk Defrag
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"3ivx MPEG-4 5.0.3" = 3ivx MPEG-4 5.0.3 (remove only)
"ActiveTouchMeetingClient" = WebEx
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card
"CCleaner" = CCleaner (remove only)
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F" = Conexant HDA D330 MDC V.92 Modem
"Free FLV Converter_is1" = Free FLV Converter V 6.2.0
"HDMI" = Intel® Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{343D8DE3-AE1F-431A-830C-B66352E8CA12}" = OZ776 SCR Driver V1.1.3.9
"LineupDominator_is1" = LineupDominator Version 4.0a Full
"LiveUpdate" = LiveUpdate 3.1 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MetaFrame Presentation Server Web Client for Win32" = MetaFrame Presentation Server Web Client for Win32
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.0" = Microsoft .NET Framework 3.0
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"PROHYBRIDR" = 2007 Microsoft Office system
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"GoToMeeting" = GoToMeeting 4.0.0.320
"Move Networks Player - IE" = Move Networks Media Player for Internet Explorer

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/18/2009 8:38:02 PM | Computer Name = SAC-JCL8WD1 | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 4/18/2009 8:44:08 PM | Computer Name = SAC-JCL8WD1 | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 4/18/2009 8:44:09 PM | Computer Name = SAC-JCL8WD1 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 4/18/2009 8:45:00 PM | Computer Name = SAC-JCL8WD1 | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 4/18/2009 8:46:44 PM | Computer Name = SAC-JCL8WD1 | Source = MsiInstaller | ID = 11706
Description = Product: Cisco Systems VPN Client 5.0.03.0530 -- Error 1706. No valid
source could be found for product Cisco Systems VPN Client 5.0.03.0530. Windows
Installer cannot continue.

Error - 4/18/2009 9:13:56 PM | Computer Name = SAC-JCL8WD1 | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 4/18/2009 9:13:57 PM | Computer Name = SAC-JCL8WD1 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 4/18/2009 9:14:39 PM | Computer Name = SAC-JCL8WD1 | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 4/18/2009 9:16:22 PM | Computer Name = SAC-JCL8WD1 | Source = MsiInstaller | ID = 11706
Description = Product: Cisco Systems VPN Client 5.0.03.0530 -- Error 1706. No valid
source could be found for product Cisco Systems VPN Client 5.0.03.0530. Windows
Installer cannot continue.

Error - 4/18/2009 9:45:31 PM | Computer Name = SAC-JCL8WD1 | Source = Application Hang | ID = 1002
Description = Hanging application OTListIt2.exe, version 2.0.14.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ OSession Events ]
Error - 10/23/2008 6:29:32 PM | Computer Name = SAC-JCL8WD1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6308.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 10949
seconds with 180 seconds of active time. This session ended with a crash.

Error - 12/8/2008 12:09:28 PM | Computer Name = SAC-JCL8WD1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6316.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 4938
seconds with 1320 seconds of active time. This session ended with a crash.

Error - 3/31/2009 10:37:53 AM | Computer Name = SAC-JCL8WD1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6316.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 327
seconds with 180 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 4/18/2009 8:01:38 PM | Computer Name = SAC-JCL8WD1 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 120 minutes. NtpClient has no source of accurate
time.

Error - 4/18/2009 8:44:02 PM | Computer Name = SAC-JCL8WD1 | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring
the volume.

Error - 4/18/2009 8:44:08 PM | Computer Name = SAC-JCL8WD1 | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain TAIC due to the following:
%%1311. Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

Error - 4/18/2009 8:44:33 PM | Computer Name = SAC-JCL8WD1 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 4/18/2009 8:44:58 PM | Computer Name = SAC-JCL8WD1 | Source = Service Control Manager | ID = 7024
Description = The Symantec SPBBCSvc service terminated with service-specific error
4294967295 (0xFFFFFFFF).

Error - 4/18/2009 8:59:33 PM | Computer Name = SAC-JCL8WD1 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 29 minutes. NtpClient has no source of accurate
time.

Error - 4/18/2009 9:13:56 PM | Computer Name = SAC-JCL8WD1 | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain TAIC due to the following:
%%1311. Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

Error - 4/18/2009 9:14:20 PM | Computer Name = SAC-JCL8WD1 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 4/18/2009 9:14:46 PM | Computer Name = SAC-JCL8WD1 | Source = Service Control Manager | ID = 7024
Description = The Symantec SPBBCSvc service terminated with service-specific error
4294967295 (0xFFFFFFFF).

Error - 4/18/2009 9:29:21 PM | Computer Name = SAC-JCL8WD1 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 29 minutes. NtpClient has no source of accurate
time.


< End of report >
#2
heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
Hello Cixelsyd !

Welcome to the site! :) My nickname is heir and I'll be helping clean up your computer. :)

Before we proceed to clean your computer from malware, let's go over some points that will help both me and you, and prevent causing damage to your computer:
  • To make sure that you receive an email when I reply to this topic, please click here and check that this topic is listed under Malware Removal and Spyware Removal.
  • Please don't be afraid to ask questions! No question is considered dumb here. It's better to be safe than sorry!
  • When posting logs, please ensure Word Wrap is turned off in Notepad (to check, open Notepad, click Format in the menu bar and make sure that Word Wrap is unchecked).
  • Please follow the steps exactly in the same order posted. If you can't perform a certain step, or you're unsure on what to do, please stop and let me know.
  • NEVER fix anything in HijackThis or other programs on your own! This can be very dangerous and cause harm to your system. If you see a certain entry or program you're unsure about, please don't hesitate to ask!
  • Make sure you reply to this thread using the Add Reply button: Posted Image

Please read my posts completely before following the instructions.
It may be easier for you if you copy and paste a post to a new text document or print it for reference later.
This is required when you won't have access to the Internet.


Step 1.
ComboFix:

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Step 2.
Lop S&D:

Disable resident protections (Antivirus...); you'll re-enable them after the scan

Download Lop S&D here and save it to the desktop

Double-click Lop S&D.exe
Choose the language, then choose Option 1 (Search)
Wait till the end of the scan
Post the log which is created: (%SystemDrive%\lopR.txt)

Step 3.
Things I would like to see in your reply:

  • The content of C:\ComboFix.txt from step 1.
  • The content of C:\lopR.txt from step 2.


#3
Cixelsyd

    Member

  • Topic Starter
  • Member
  • PipPip
  • 82 posts
Hi heir,

I really appreciate the help. I've followed your instructions and am including the log files below.

=======================COMBO FIX LOG===========================================

ComboFix 09-04-20.01 - sludwick 04/19/2009 13:55.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3016 [GMT -7:00]
Running from: c:\documents and settings\sludwick\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\sludwick\Local Settings\Temporary Internet Files\webex.ini
c:\windows\system32\nfr.assembly
c:\windows\system32\tb.dr

.
((((((((((((((((((((((((( Files Created from 2009-03-20 to 2009-04-20 )))))))))))))))))))))))))))))))
.

2009-04-19 01:42 . 2009-04-19 01:43 -------- d-----w C:\Rooter$
2009-04-19 00:48 . 2009-04-19 00:48 -------- d-----w C:\VundoFix Backups
2009-04-18 13:35 . 2009-04-18 13:35 213120 -c--a-w c:\windows\system32\dllcache\ndis.sys
2009-04-18 05:00 . 2009-04-18 05:00 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-15 02:16 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 02:16 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 02:16 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 02:16 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 02:16 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 02:16 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 02:16 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 02:16 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 02:16 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 02:12 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 02:12 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-03-25 17:44 . 2009-03-25 17:44 -------- d-----w c:\documents and settings\sludwick\Application Data\Malwarebytes
2009-03-25 17:44 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-25 17:44 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-25 17:44 . 2009-03-25 17:44 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-25 17:40 . 2009-03-25 17:55 -------- d-----w c:\windows\4C271126C2954828A9015910AE0C258B.TMP
2009-03-25 09:45 . 2009-03-25 09:45 -------- d-----w c:\documents and settings\sludwick\Local Settings\Application Data\quobarxz
2009-03-25 09:45 . 2009-03-25 09:45 -------- d-----w c:\documents and settings\sludwick\Application Data\quobarxz
2009-03-24 05:59 . 2009-03-24 05:59 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\quobarxz
2009-03-24 05:59 . 2009-03-24 05:59 -------- d-----w c:\documents and settings\NetworkService\Application Data\quobarxz
2009-03-21 14:06 . 2009-03-21 14:06 989696 -c----w c:\windows\system32\dllcache\kernel32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-19 01:43 . 2009-04-19 01:43 3842 ----a-w C:\Rooter.txt
2009-04-19 01:38 . 2009-04-19 00:48 272 ----a-w C:\VundoFix.txt
2009-04-18 17:43 . 2009-04-18 17:43 -------- d-----w c:\program files\Trend Micro
2009-04-18 13:48 . 2009-03-25 17:44 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-18 13:35 . 2004-08-04 10:00 213120 ----a-w c:\windows\system32\drivers\ndis.sys
2009-04-18 05:00 . 2009-04-18 05:00 -------- d-----w c:\program files\iTunes
2009-04-18 05:00 . 2009-04-18 05:00 -------- d-----w c:\program files\iPod
2009-04-18 05:00 . 2008-10-29 15:35 -------- d-----w c:\program files\Common Files\Apple
2009-04-18 04:58 . 2008-10-29 15:36 -------- d-----w c:\program files\QuickTime
2009-04-18 04:50 . 2009-04-18 04:50 -------- d-----w c:\program files\Bonjour
2009-04-17 21:01 . 2008-09-10 19:33 -------- d-----w c:\documents and settings\sludwick\Application Data\Skype
2009-04-17 15:20 . 2008-09-10 19:36 -------- d-----w c:\documents and settings\sludwick\Application Data\skypePM
2009-04-15 22:02 . 2008-09-03 23:11 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-28 14:03 . 2009-03-07 02:05 -------- d-----w c:\program files\Common
2009-03-23 18:57 . 2008-01-22 18:24 -------- d-----w c:\program files\Symantec AntiVirus
2009-03-19 23:32 . 2008-10-29 15:37 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-19 18:44 . 2009-03-19 18:42 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-19 18:44 . 2009-03-19 18:42 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-19 18:05 . 2009-03-19 17:26 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-11 00:52 . 2008-01-22 18:26 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-11 00:49 . 2008-01-22 18:26 -------- d-----w c:\program files\Lavasoft
2009-03-11 00:49 . 2009-03-11 00:49 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-06 14:22 . 2004-08-04 10:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-03-04 03:33 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-26 02:37 . 2008-03-10 19:47 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-20 18:09 . 2004-08-04 10:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-18 23:14 . 2009-02-18 23:04 -------- d-----w c:\program files\Free FLV Converter
2009-02-17 10:14 . 2009-02-18 23:04 278528 ----a-w c:\windows\system32\TubeFinder.exe
2009-02-14 00:52 . 2008-01-22 17:21 63434 ----a-w c:\windows\system32\nvModes.dat
2009-02-09 12:10 . 2004-08-04 10:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 10:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 10:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 10:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 10:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2004-08-04 10:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2005-03-30 01:21 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 10:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2005-03-30 01:01 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2004-08-04 10:00 56832 ----a-w c:\windows\system32\secur32.dll
2008-10-17 17:03 . 2008-10-17 17:03 60744 ----a-w c:\documents and settings\sludwick\g2mdlhlpx.exe
2008-10-02 07:41 . 2008-09-11 14:56 70408 ----a-w c:\documents and settings\sludwick\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-03-10 20:14 . 2008-03-10 20:14 64200 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2008-01-22 17:39 . 2008-01-22 17:39 12328 ----a-w c:\documents and settings\TAIC Employee\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-10-09 22:04 . 2008-10-02 07:41 56 --sh--r c:\windows\system32\6125160107.sys
2008-10-09 22:04 . 2008-10-02 06:55 4182 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-05-14 16:11 . 2008-05-14 16:11 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051420080515\index.dat
.

------- Sigcheck -------

[7] 2004-08-04 10:00 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\$NtServicePackUninstall$\ndis.sys
[7] 2008-04-14 07:50 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys
[-] 2009-04-18 13:35 213120 5DE5E1B16E2A2EADA03ECE536EE8D721 c:\windows\system32\dllcache\ndis.sys
[-] 2009-04-18 13:35 213120 5DE5E1B16E2A2EADA03ECE536EE8D721 c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B8996FF8-C922-4E13-8475-29111FB8EE1C}]
2004-08-04 10:00 105472 ----a-w c:\windows\system32\lkomgpx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-07 68856]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-29 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-29 81920]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-21 1228800]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-21 118784]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-17 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-17 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-17 138008]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-10 2183168]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-04-29 1626112]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2007-04-29 67584]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2007-02-19 303104]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-11 2150400]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-1-22 50688]
VPN Client.lnk - c:\windows\Installer\{4C271126-C295-4828-A901-5910AE0C258B}\Icon3E5562ED7.ico [2008-9-3 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ososarbw]
2004-08-04 10:00 105472 ----a-w c:\windows\system32\lkomgpx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete\0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-09-28 116464]
S0 ohchgnbq;ohchgnbq;c:\windows\system32\drivers\ohchgnbq.sys [2004-08-04 23424]
S2 RDIConverterPrintHelper;RDI Document Conversion Helper;c:\program files\Common Files\ICWM\Printer\RDIConverterService.exe [2008-10-01 64888]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-26 101936]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ojqxmmgh

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1e2e1f43-a72e-11dd-8565-001d604005da}]
\Shell\AutoRun\command - e:\system\viewer\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - e:\system\viewer\FlipVideoforPC.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-04-19 c:\windows\Tasks\At1.job
- c:\windows\system32\lkomgpx.dll [2004-08-04 10:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {8D3314D6-5914-46C1-9F3D-9F14B6A305F1} - hxxp://www.mytpi.com/mytpi05/eval/ectuploader.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-19 13:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ccEvtMgr]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\SAVRT]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\SNDSrvc]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\SYMTDI]
"ImagePath"="-"
.
Completion time: 2009-04-19 13:58
ComboFix-quarantined-files.txt 2009-04-19 20:58

Pre-Run: 36,928,909,312 bytes free
Post-Run: 36,914,229,248 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

210 --- E O F --- 2009-04-15 22:04

================================== LOPR LOG ========================================


--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 3
X86-based PC ( Multiprocessor Free : Intel® Core™2 Duo CPU T7300 @ 2.00GHz )
BIOS : Phoenix ROM BIOS PLUS Version 1.10 A04
USER : sludwick ( Not Administrator ! )
BOOT : Normal boot
Antivirus : Symantec AntiVirus Corporate Edition 10.1.5.5000 (Not Activated)
C:\ (Local Disk) - NTFS - Total:74 Go (Free:34 Go)
D:\ (CD or DVD)
F:\ (USB) - FAT - Total:503 Mo (Free:0 Go)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )
Option : [1] ( Sun 04/19/2009|14:07 )

--------------------\\ Listing folders in APPLIC~1

[09/03/2008|04:34] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Adobe
[02/22/2008|12:02] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Dell
[02/22/2008|12:02] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Identities
[05/14/2008|08:17] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> InstallShield
[05/13/2008|06:31] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Microsoft

[04/17/2009|10:00] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> {8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[09/03/2008|04:34] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe
[10/29/2008|08:35] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple
[10/29/2008|08:36] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple Computer
[01/22/2008|12:46] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> CyberLink
[01/22/2008|10:33] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Dell
[12/19/2008|09:05] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> FLEXnet
[01/16/2009|12:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Google
[10/02/2008|12:04] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> InstallShield
[03/10/2009|05:52] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Lavasoft
[03/25/2009|10:44] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Malwarebytes
[09/14/2008|12:12] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft
[04/15/2009|03:02] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft Help
[09/10/2008|12:33] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Skype
[03/19/2009|11:44] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Spybot - Search & Destroy
[01/22/2008|11:24] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Symantec
[03/19/2009|11:05] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> TEMP
[01/22/2008|10:35] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> UIB
[01/22/2008|11:55] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Windows Genuine Advantage

[01/22/2008|12:05] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Microsoft

[01/22/2008|12:05] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Microsoft

[01/22/2008|12:05] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Microsoft
[03/22/2009|07:28] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Mozilla
[03/23/2009|10:59] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> quobarxz

[02/18/2009|12:35] C:\DOCUME~1\sludwick\APPLIC~1\<DIR> Adobe
[11/26/2008|12:30] C:\DOCUME~1\sludwick\APPLIC~1\<DIR> Apple Computer
[10/02/2008|12:41] C:\DOCUME~1\sludwick\APPLIC~1\<DIR> Corel
[09/03/2008|02:40] C:\DOCUME~1\sludwick\APPLIC~1\<DIR> Dell
[09/10/2008|04:14] C:\DOCUME~1\sludwick\APPLIC~1\<DIR> Google
[12/10/2008|04:55] C:\DOCUME~1\sludwick\APPLIC~1\<DIR> ICAClient
[09/03/2008|02:39] C:\DOCUME~1\sludwick\APPLIC~1\<DIR> Identities
[09/10/2008|12:27] C:\DOCUME~1\sludwick\APPLIC~1\<DIR> Macromedia
[03/25/2009|10:44] C:\DOCUME~1\sludwick\APPLIC~1\<DIR> Malwarebytes
[02/23/2009|10:14] C:\DOCUME~1\sludwick\APPLIC~1\<DIR> Microsoft
[02/13/2009|05:50] C:\DOCUME~1\sludwick\APPLIC~1\<DIR> Move Networks
[03/22/2009|07:25] C:\DOCUME~1\sludwick\APPLIC~1\<DIR> Mozilla
[03/25/2009|02:45] C:\DOCUME~1\sludwick\APPLIC~1\<DIR> quobarxz
[04/17/2009|02:01] C:\DOCUME~1\sludwick\APPLIC~1\<DIR> Skype
[04/17/2009|08:20] C:\DOCUME~1\sludwick\APPLIC~1\<DIR> skypePM
[09/12/2008|07:56] C:\DOCUME~1\sludwick\APPLIC~1\<DIR> Sun
[01/30/2009|02:04] C:\DOCUME~1\sludwick\APPLIC~1\<DIR> Web Meeting
[11/21/2008|11:00] C:\DOCUME~1\sludwick\APPLIC~1\<DIR> webex

[01/22/2008|11:26] C:\DOCUME~1\TAICEM~1\APPLIC~1\<DIR> Auslogics
[01/22/2008|12:46] C:\DOCUME~1\TAICEM~1\APPLIC~1\<DIR> CyberLink
[01/22/2008|10:33] C:\DOCUME~1\TAICEM~1\APPLIC~1\<DIR> Dell
[01/22/2008|12:10] C:\DOCUME~1\TAICEM~1\APPLIC~1\<DIR> Identities
[01/22/2008|10:27] C:\DOCUME~1\TAICEM~1\APPLIC~1\<DIR> InstallShield
[01/22/2008|10:27] C:\DOCUME~1\TAICEM~1\APPLIC~1\<DIR> Microsoft

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[04/18/2009 05:42 PM][--a------] C:\WINDOWS\tasks\At1.job
[04/17/2009 09:46 PM][--a------] C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[04/19/2009 01:58 PM][--ah-----] C:\WINDOWS\tasks\SA.DAT
[08/04/2004 03:00 AM][-r-h-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[11/01/2008|09:01] C:\Program Files\<DIR> 3ivx
[09/03/2008|04:28] C:\Program Files\<DIR> Adobe
[10/29/2008|08:36] C:\Program Files\<DIR> Apple Software Update
[01/22/2008|11:26] C:\Program Files\<DIR> AusLogics Disk Defrag
[04/17/2009|09:50] C:\Program Files\<DIR> Bonjour
[01/22/2008|12:17] C:\Program Files\<DIR> Broadcom
[01/22/2008|11:27] C:\Program Files\<DIR> CCleaner
[09/03/2008|05:31] C:\Program Files\<DIR> Cisco Systems
[10/17/2008|10:03] C:\Program Files\<DIR> Citrix
[03/28/2009|07:03] C:\Program Files\<DIR> Common
[04/19/2009|01:56] C:\Program Files\<DIR> Common Files
[01/22/2008|12:02] C:\Program Files\<DIR> ComPlus Applications
[01/22/2008|10:57] C:\Program Files\<DIR> CONEXANT
[10/02/2008|12:03] C:\Program Files\<DIR> Corel
[01/22/2008|11:34] C:\Program Files\<DIR> CyberLink
[01/22/2008|10:33] C:\Program Files\<DIR> Dell
[01/22/2008|10:33] C:\Program Files\<DIR> DellTPad
[01/22/2008|10:56] C:\Program Files\<DIR> Digital Line Detect
[02/18/2009|04:14] C:\Program Files\<DIR> Free FLV Converter
[01/16/2009|12:20] C:\Program Files\<DIR> Google
[11/01/2008|09:01] C:\Program Files\<DIR> InstallShield Installation Information
[01/22/2008|12:14] C:\Program Files\<DIR> Intel
[01/30/2009|02:02] C:\Program Files\<DIR> InterCall Web Meeting
[04/15/2009|03:28] C:\Program Files\<DIR> Internet Explorer
[04/17/2009|10:00] C:\Program Files\<DIR> iPod
[04/17/2009|10:00] C:\Program Files\<DIR> iTunes
[09/12/2008|07:56] C:\Program Files\<DIR> Java
[03/10/2009|05:49] C:\Program Files\<DIR> Lavasoft
[09/10/2008|11:00] C:\Program Files\<DIR> LineupDominator
[09/30/2008|02:49] C:\Program Files\<DIR> LogoEase
[04/18/2009|06:48] C:\Program Files\<DIR> Malwarebytes' Anti-Malware
[03/19/2009|11:41] C:\Program Files\<DIR> Messenger
[03/10/2008|12:17] C:\Program Files\<DIR> Microsoft CAPICOM 2.1.0.2
[01/22/2008|12:06] C:\Program Files\<DIR> microsoft frontpage
[09/05/2008|08:35] C:\Program Files\<DIR> Microsoft Office
[02/25/2009|07:37] C:\Program Files\<DIR> Microsoft Silverlight
[09/03/2008|04:17] C:\Program Files\<DIR> Microsoft Visual Studio
[09/03/2008|04:17] C:\Program Files\<DIR> Microsoft Works
[09/03/2008|04:15] C:\Program Files\<DIR> Microsoft.NET
[05/14/2008|08:51] C:\Program Files\<DIR> Movie Maker
[03/10/2008|01:14] C:\Program Files\<DIR> MSBuild
[01/22/2008|12:01] C:\Program Files\<DIR> MSN
[01/22/2008|12:02] C:\Program Files\<DIR> MSN Gaming Zone
[01/22/2008|12:21] C:\Program Files\<DIR> MSXML 4.0
[03/10/2008|12:03] C:\Program Files\<DIR> MSXML 6.0
[11/01/2008|09:01] C:\Program Files\<DIR> muvee Technologies
[05/14/2008|08:48] C:\Program Files\<DIR> NetMeeting
[01/22/2008|10:19] C:\Program Files\<DIR> O2Micro OZ776 SCR Driver
[01/22/2008|12:02] C:\Program Files\<DIR> Online Services
[05/14/2008|08:48] C:\Program Files\<DIR> Outlook Express
[04/17/2009|09:58] C:\Program Files\<DIR> QuickTime
[03/10/2008|01:11] C:\Program Files\<DIR> Reference Assemblies
[01/22/2008|10:25] C:\Program Files\<DIR> SigmaTel
[09/10/2008|12:33] C:\Program Files\<DIR> Skype
[03/19/2009|11:44] C:\Program Files\<DIR> Spybot - Search & Destroy
[01/22/2008|11:24] C:\Program Files\<DIR> Symantec
[03/23/2009|11:57] C:\Program Files\<DIR> Symantec AntiVirus
[01/22/2008|10:48] C:\Program Files\<DIR> Toshiba
[04/18/2009|10:43] C:\Program Files\<DIR> Trend Micro
[01/22/2008|12:10] C:\Program Files\<DIR> Uninstall Information
[03/10/2008|12:02] C:\Program Files\<DIR> Windows Media Connect 2
[05/14/2008|08:48] C:\Program Files\<DIR> Windows Media Player
[05/14/2008|08:48] C:\Program Files\<DIR> Windows NT
[01/22/2008|12:04] C:\Program Files\<DIR> WindowsUpdate
[01/22/2008|12:06] C:\Program Files\<DIR> xerox

--------------------\\ Listing Folders in C:\Program Files\Common Files

[09/03/2008|04:34] C:\Program Files\Common Files\<DIR> Adobe
[04/17/2009|10:00] C:\Program Files\Common Files\<DIR> Apple
[10/02/2008|12:03] C:\Program Files\Common Files\<DIR> Corel
[10/02/2008|12:03] C:\Program Files\Common Files\<DIR> DESIGNER
[09/03/2008|05:31] C:\Program Files\Common Files\<DIR> Deterministic Networks
[01/30/2009|02:02] C:\Program Files\Common Files\<DIR> ICWM
[10/02/2008|12:03] C:\Program Files\Common Files\<DIR> InstallShield
[09/12/2008|07:55] C:\Program Files\Common Files\<DIR> Java
[09/03/2008|04:34] C:\Program Files\Common Files\<DIR> Macrovision Shared
[10/02/2008|12:03] C:\Program Files\Common Files\<DIR> Microsoft Shared
[08/04/2004|03:00] C:\Program Files\Common Files\<DIR> Mozilla Shared
[01/22/2008|12:03] C:\Program Files\Common Files\<DIR> MSSoap
[11/01/2008|09:01] C:\Program Files\Common Files\<DIR> muvee Technologies
[01/22/2008|03:55] C:\Program Files\Common Files\<DIR> ODBC
[01/22/2008|12:03] C:\Program Files\Common Files\<DIR> Services
[09/10/2008|12:33] C:\Program Files\Common Files\<DIR> Skype
[01/22/2008|03:55] C:\Program Files\Common Files\<DIR> SpeechEngines
[01/22/2008|11:25] C:\Program Files\Common Files\<DIR> Symantec Shared
[09/03/2008|04:12] C:\Program Files\Common Files\<DIR> System
[03/10/2009|05:49] C:\Program Files\Common Files\<DIR> Wise Installation Wizard

--------------------\\ Process

( 56 Processes )

... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

No Lop folder found !

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-19 14:09:02
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 0

--------------------\\ Searching for other infections

C:\WINDOWS\Tasks\At1.job



[F:2][D:0]-> C:\DOCUME~1\sludwick\Cookies
[F:2][D:0]-> C:\DOCUME~1\sludwick\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - Sun 04/19/2009|14:09 - Option : [1]

--------------------\\ Scan completed at 14:09:42

Thanks again for your help...looking forward to the next steps...

#4
heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
Let's fix this then.

Step 1.
OTL-fix:

Run OTListIt2.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTLI
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O1 - Hosts: 127.0.0.1 browser-security.microsoft.com
    O2 - BHO: () - {B8996FF8-C922-4E13-8475-29111FB8EE1C} - c:\windows\system32\lkomgpx.dll ()
    O4 - HKLM..\Run: [] File not found
    O20 - Winlogon\Notify\ososarbw: DllName - lkomgpx.dll - C:\WINDOWS\system32\lkomgpx.dll ()
    O33 - MountPoints2\{1e2e1f43-a72e-11dd-8565-001d604005da}\Shell\AutoRun\command - "" = E:\system\viewer\FlipVideoforPC.exe -- File not found
    O33 - MountPoints2\{1e2e1f43-a72e-11dd-8565-001d604005da}\Shell\Flip Video for PC\command - "" = E:\system\viewer\FlipVideoforPC.exe -- File not found
    [2004/08/04 03:00:00 | 00,105,472 | ---- | C] () -- C:\WINDOWS\System32\vkeajkm.dll
    [2004/08/04 03:00:00 | 00,105,472 | ---- | C] () -- C:\WINDOWS\System32\lkomgpx.dll
    [2009/04/18 17:42:45 | 00,000,434 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
    :Reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    C:\WINDOWS\svcho.exe=-
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post a new OTL2 log

Step 2.
CFScript:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

KillAll::
Atjob::
File::
c:\windows\system32\lkomgpx.dll
c:\windows\system32\drivers\ohchgnbq.sys
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B8996FF8-C922-4E13-8475-29111FB8EE1C}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ososarbw]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1e2e1f43-a72e-11dd-8565-001d604005da}]
NetSvc::
ojqxmmgh
Driver::
ojqxmmgh
ohchgnbq
Dirlook::
c:\documents and settings\sludwick\Local Settings\Application Data\quobarxz
c:\documents and settings\sludwick\Application Data\quobarxz
c:\documents and settings\NetworkService\Local Settings\Application Data\quobarxz
c:\documents and settings\NetworkService\Application Data\quobarxz

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 3.
Things I would like to see in your reply:


  • The content of the fixlog from OTL2 in step 1.
  • The content of C:\ComboFix.txt from step 2.
  • Information on how your computer is running now.


#5
Cixelsyd (Topic Starter, Member, 82 posts)
Hi,

Thanks for the quick reply.

Ok... I ran OTListIt2, copied the code you provided and clicked RunFix.

I eventually got the following error message

"The application or DLL c:\windows\system32\vkeajkm.dll is not a valid windows image. Please check this against your installation diskette."

There was an OK button; I hit it, and the same message came up 2 more times, then the system continued and said Processing Complete.

No files opened though, and then it said a reboot is required so I had it reboot.

When it rebooted, I got the following message:

OTListIT2.exe Bad Image (this was in the title bar of the dialog box)

and then the same error message as above. I clicked ok, popped up again, clicked ok..

I then got this message

"Access violation 0054B2E9 in module 'OTListIt2.exe'. Read of address 00000000"

I clicked ok and then OTList2 opened... but no txt files.

I then closed OTListIt2.

I am getting ready to run the ComboFix.exe now.

Just wanted to update.

#6
Cixelsyd (Topic Starter, Member, 82 posts)
So, even with the error and no log file, I went with step 2 and 3. While ComboFix was running, the same DLL error came up and the access violation. OTList2 opened, but I closed it. Once it was done running, ComboFix rebooted the system.

On startup, it got the same error about the DLL, and then the access violation, but ComboFix was preparing the report.

Then I got a box that said "Error" in the title bar, and then a "! [bleep]" message and OK button. Not good... I clicked ok... it came up again, ok again.

During this time, OTList2 opened again. I closed it.

Also, I guess my virus scan was scheduled to run... before I could stop it, it found the following:

Trojan.Neprodoor!inf

I stopped the scan and closed it.

ComboFix finished what it was doing... and I have the contents of the report.

I ran the virus scan (Symantec) Quick Scan and that virus came up...

Action: Partial
Count: 2
Filename: ndis.sys
Location: c:\windows\system32\drivers

Said it cleaned risk and quarantined it.

I rebooted... no errors at start up.

A folder called Common opens up, but I think that is from an older malware issue that I think was fixed... not sure how to get rid of that common folder.

Boot up was quick, but I still cannot use internet explorer. It says IE cannot display the webpage.

Not sure if you want me to scan with malwarebytes or OTL again. Let me know.

Thanks....

=========== OTListIt2 Log ==================

While it finished processing it got an error and never produced the report so I could save it. Does it save to the drive?

=========== ComboFix Log =======================================

ComboFix 09-04-20.01 - sludwick 04/19/2009 19:04.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3029 [GMT -7:00]
Running from: c:\documents and settings\sludwick\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\sludwick\Desktop\cfscript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\drivers\ohchgnbq.sys
c:\windows\system32\lkomgpx.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ohchgnbq.sys
c:\windows\system32\lkomgpx.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OHCHGNBQ
-------\Legacy_OJQXMMGH
-------\Service_ohchgnbq



(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\documents and settings\NetworkService\Application Data\quobarxz ----

2009-03-24 05:59 . 2009-03-24 05:59 570 ----a-w c:\documents and settings\NetworkService\Application Data\quobarxz\Profiles\a5m6btjr.default\localstore.rdf
2009-03-24 05:59 . 2009-03-24 05:59 9268 ----a-w c:\documents and settings\NetworkService\Application Data\quobarxz\Profiles\a5m6btjr.default\pluginreg.dat
2009-03-24 05:59 . 2009-03-24 05:59 2048 ----a-w c:\documents and settings\NetworkService\Application Data\quobarxz\Profiles\a5m6btjr.default\webappsstore.sqlite
2009-03-24 05:59 . 2009-03-24 05:59 4096 ----a-w c:\documents and settings\NetworkService\Application Data\quobarxz\Profiles\a5m6btjr.default\formhistory.sqlite
2009-03-24 05:59 . 2009-03-24 05:59 131072 ----a-w c:\documents and settings\NetworkService\Application Data\quobarxz\Profiles\a5m6btjr.default\places.sqlite
2009-03-24 05:59 . 2009-03-24 05:59 0 ----a-w c:\documents and settings\NetworkService\Application Data\quobarxz\Profiles\a5m6btjr.default\places.sqlite-journal
2009-03-24 05:59 . 2009-03-24 05:59 16384 ----a-w c:\documents and settings\NetworkService\Application Data\quobarxz\Profiles\a5m6btjr.default\key3.db
2009-03-24 05:59 . 2009-03-24 06:00 65536 ----a-w c:\documents and settings\NetworkService\Application Data\quobarxz\Profiles\a5m6btjr.default\cert8.db
2009-03-24 05:59 . 2009-03-24 05:59 16384 ----a-w c:\documents and settings\NetworkService\Application Data\quobarxz\Profiles\a5m6btjr.default\secmod.db
2009-03-24 05:59 . 2009-03-24 06:00 2048 ----a-w c:\documents and settings\NetworkService\Application Data\quobarxz\Profiles\a5m6btjr.default\cookies.sqlite
2009-03-24 05:59 . 2009-03-24 05:59 2048 ----a-w c:\documents and settings\NetworkService\Application Data\quobarxz\Profiles\a5m6btjr.default\permissions.sqlite
2009-03-24 05:59 . 2009-03-24 05:59 367 ----a-w c:\documents and settings\NetworkService\Application Data\quobarxz\Profiles\a5m6btjr.default\prefs.js
2009-03-24 05:59 . 2009-03-24 05:59 127820 ----a-w c:\documents and settings\NetworkService\Application Data\quobarxz\Profiles\a5m6btjr.default\compreg.dat
2009-03-24 05:59 . 2009-03-24 05:59 96173 ----a-w c:\documents and settings\NetworkService\Application Data\quobarxz\Profiles\a5m6btjr.default\xpti.dat
2009-03-24 05:59 . 2009-03-24 05:59 207 ----a-w c:\documents and settings\NetworkService\Application Data\quobarxz\Profiles\a5m6btjr.default\compatibility.ini
2009-03-24 05:59 . 2009-03-24 05:59 111 ----a-w c:\documents and settings\NetworkService\Application Data\quobarxz\profiles.ini

---- Directory of c:\documents and settings\NetworkService\Local Settings\Application Data\quobarxz ----

2009-03-24 05:59 . 2009-03-24 06:00 32768 ----a-w c:\documents and settings\NetworkService\Local Settings\Application Data\quobarxz\Profiles\a5m6btjr.default\urlclassifier3.sqlite
2009-03-24 05:59 . 2009-03-24 05:59 438116 ----a-w c:\documents and settings\NetworkService\Local Settings\Application Data\quobarxz\Profiles\a5m6btjr.default\XPC.mfl

---- Directory of c:\documents and settings\sludwick\Application Data\quobarxz ----

2009-03-25 09:45 . 2009-03-25 09:45 570 ----a-w c:\documents and settings\sludwick\Application Data\quobarxz\Profiles\r77vlz94.default\localstore.rdf
2009-03-25 09:45 . 2009-03-25 09:45 9268 ----a-w c:\documents and settings\sludwick\Application Data\quobarxz\Profiles\r77vlz94.default\pluginreg.dat
2009-03-25 09:45 . 2009-03-25 09:45 2048 ----a-w c:\documents and settings\sludwick\Application Data\quobarxz\Profiles\r77vlz94.default\webappsstore.sqlite
2009-03-25 09:45 . 2009-03-25 09:45 4096 ----a-w c:\documents and settings\sludwick\Application Data\quobarxz\Profiles\r77vlz94.default\formhistory.sqlite
2009-03-25 09:45 . 2009-03-25 09:45 131072 ----a-w c:\documents and settings\sludwick\Application Data\quobarxz\Profiles\r77vlz94.default\places.sqlite
2009-03-25 09:45 . 2009-03-25 09:45 0 ----a-w c:\documents and settings\sludwick\Application Data\quobarxz\Profiles\r77vlz94.default\places.sqlite-journal
2009-03-25 09:45 . 2009-03-25 09:45 16384 ----a-w c:\documents and settings\sludwick\Application Data\quobarxz\Profiles\r77vlz94.default\key3.db
2009-03-25 09:45 . 2009-03-25 09:46 65536 ----a-w c:\documents and settings\sludwick\Application Data\quobarxz\Profiles\r77vlz94.default\cert8.db
2009-03-25 09:45 . 2009-03-25 09:45 16384 ----a-w c:\documents and settings\sludwick\Application Data\quobarxz\Profiles\r77vlz94.default\secmod.db
2009-03-25 09:45 . 2009-03-25 09:46 2048 ----a-w c:\documents and settings\sludwick\Application Data\quobarxz\Profiles\r77vlz94.default\cookies.sqlite
2009-03-25 09:45 . 2009-03-25 09:45 2048 ----a-w c:\documents and settings\sludwick\Application Data\quobarxz\Profiles\r77vlz94.default\permissions.sqlite
2009-03-25 09:45 . 2009-03-25 09:45 367 ----a-w c:\documents and settings\sludwick\Application Data\quobarxz\Profiles\r77vlz94.default\prefs.js
2009-03-25 09:45 . 2009-03-25 09:45 127820 ----a-w c:\documents and settings\sludwick\Application Data\quobarxz\Profiles\r77vlz94.default\compreg.dat
2009-03-25 09:45 . 2009-03-25 09:45 96173 ----a-w c:\documents and settings\sludwick\Application Data\quobarxz\Profiles\r77vlz94.default\xpti.dat
2009-03-25 09:45 . 2009-03-25 09:45 207 ----a-w c:\documents and settings\sludwick\Application Data\quobarxz\Profiles\r77vlz94.default\compatibility.ini
2009-03-25 09:45 . 2009-03-25 09:45 111 ----a-w c:\documents and settings\sludwick\Application Data\quobarxz\profiles.ini

---- Directory of c:\documents and settings\sludwick\Local Settings\Application Data\quobarxz ----

2009-03-25 09:45 . 2009-03-25 09:46 32768 ----a-w c:\documents and settings\sludwick\Local Settings\Application Data\quobarxz\Profiles\r77vlz94.default\urlclassifier3.sqlite
2009-03-25 09:45 . 2009-03-25 09:45 438116 ----a-w c:\documents and settings\sludwick\Local Settings\Application Data\quobarxz\Profiles\r77vlz94.default\XPC.mfl


------- Sigcheck -------

[7] 2004-08-04 10:00 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\$NtServicePackUninstall$\ndis.sys
[7] 2008-04-14 07:50 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys
[-] 2009-04-18 13:35 213120 5DE5E1B16E2A2EADA03ECE536EE8D721 c:\windows\system32\dllcache\ndis.sys
[-] 2009-04-18 13:35 213120 5DE5E1B16E2A2EADA03ECE536EE8D721 c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-04-19_20.57.30 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 10:00 . 2009-04-19 02:36 72554 c:\windows\system32\perfc009.dat
+ 2004-08-04 10:00 . 2009-04-20 01:33 72554 c:\windows\system32\perfc009.dat
- 2004-08-04 10:00 . 2004-08-04 10:00 23424 c:\windows\system32\drivers\vijardsy.sys
+ 2004-08-04 10:00 . 2009-04-20 02:05 23424 c:\windows\system32\drivers\vijardsy.sys
+ 2009-03-25 17:40 . 2009-04-20 01:14 45056 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla51.dll
- 2009-03-25 17:40 . 2009-04-19 01:15 45056 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla51.dll
+ 2009-03-25 17:40 . 2009-04-20 01:14 29480 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla39.dll
- 2009-03-25 17:40 . 2009-04-19 02:12 29480 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla39.dll
+ 2009-03-25 17:40 . 2009-04-20 01:14 29480 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla38.dll
- 2009-03-25 17:40 . 2009-04-19 01:15 29480 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla38.dll
- 2009-03-25 17:40 . 2009-04-19 01:15 29480 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla37.dll
+ 2009-03-25 17:40 . 2009-04-20 01:14 29480 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla37.dll
+ 2009-03-25 17:40 . 2009-04-20 01:14 29480 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla36.dll
- 2009-03-25 17:40 . 2009-04-19 01:15 29480 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla36.dll
- 2009-03-25 17:40 . 2009-04-19 01:15 29480 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla35.dll
+ 2009-03-25 17:40 . 2009-04-20 01:14 29480 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla35.dll
- 2009-03-25 17:40 . 2009-04-19 01:15 29480 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla33.dll
+ 2009-03-25 17:40 . 2009-04-20 01:14 29480 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla33.dll
- 2009-03-25 17:40 . 2009-04-19 01:15 29480 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla27.dll
+ 2009-03-25 17:40 . 2009-04-20 01:14 29480 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla27.dll
+ 2009-03-25 17:40 . 2009-04-20 01:14 29480 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla26.dll
- 2009-03-25 17:40 . 2009-04-19 02:12 29480 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla26.dll
+ 2009-03-25 17:40 . 2009-04-20 01:14 29480 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla25.dll
- 2009-03-25 17:40 . 2009-04-19 01:15 29480 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla25.dll
- 2009-03-25 17:40 . 2009-04-19 01:15 29480 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla24.dll
+ 2009-03-25 17:40 . 2009-04-20 01:14 29480 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla24.dll
- 2009-03-25 17:40 . 2009-04-19 02:12 29480 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla23.dll
+ 2009-03-25 17:40 . 2009-04-20 01:14 29480 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla23.dll
- 2009-03-25 17:40 . 2009-04-19 02:12 29480 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla22.dll
+ 2009-03-25 17:40 . 2009-04-20 01:14 29480 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla22.dll
- 2009-03-25 17:40 . 2009-04-19 02:12 29480 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla21.dll
+ 2009-03-25 17:40 . 2009-04-20 01:14 29480 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla21.dll
+ 2009-03-25 17:40 . 2009-04-20 01:14 29480 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla18.dll
- 2009-03-25 17:40 . 2009-04-19 01:15 29480 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla18.dll
+ 2009-03-25 17:40 . 2009-04-20 01:14 29480 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla.dll
- 2009-03-25 17:40 . 2009-04-19 02:12 29480 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla.dll
- 2009-03-25 17:40 . 2009-04-19 02:12 26421 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCall.dll
+ 2009-03-25 17:40 . 2009-04-20 01:14 26421 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCall.dll
- 2004-08-04 10:00 . 2009-04-19 02:36 445096 c:\windows\system32\perfh009.dat
+ 2004-08-04 10:00 . 2009-04-20 01:33 445096 c:\windows\system32\perfh009.dat
- 2009-03-25 17:55 . 2009-04-19 02:12 125719 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla50.dll
+ 2009-03-25 17:55 . 2009-04-20 01:14 125719 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla50.dll
- 2009-03-25 17:40 . 2009-04-19 01:15 110799 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla49.dll
+ 2009-03-25 17:40 . 2009-04-20 01:14 110799 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla49.dll
- 2009-03-25 17:40 . 2009-04-19 01:15 116956 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla48.dll
+ 2009-03-25 17:40 . 2009-04-20 01:14 116956 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla48.dll
+ 2009-03-25 17:40 . 2009-04-20 01:14 110936 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla47.dll
- 2009-03-25 17:40 . 2009-04-19 01:15 110936 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla47.dll
+ 2009-03-25 17:40 . 2009-04-20 01:14 110797 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla46.dll
- 2009-03-25 17:40 . 2009-04-19 02:12 110797 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla46.dll
+ 2009-03-25 17:40 . 2009-04-20 01:14 110500 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla44.dll
- 2009-03-25 17:40 . 2009-04-19 02:12 110500 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla44.dll
- 2009-03-25 17:40 . 2009-04-19 02:12 111260 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla43.dll
+ 2009-03-25 17:40 . 2009-04-20 01:14 111260 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla43.dll
- 2009-03-25 17:40 . 2009-04-19 02:12 111269 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla42.dll
+ 2009-03-25 17:40 . 2009-04-20 01:14 111269 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla42.dll
+ 2009-03-25 17:55 . 2009-04-20 01:14 111476 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla41.dll
- 2009-03-25 17:55 . 2009-04-19 02:12 111476 c:\windows\4C271126C2954828A9015910AE0C258B.TMP\WiseCustomCalla41.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-07 68856]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-29 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-29 81920]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-21 1228800]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-21 118784]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-17 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-17 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-17 138008]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-10 2183168]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-04-29 1626112]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2007-04-29 67584]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2007-02-19 303104]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-11 2150400]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-1-22 50688]
VPN Client.lnk - c:\windows\Installer\{4C271126-C295-4828-A901-5910AE0C258B}\Icon3E5562ED7.ico [2008-9-3 6144]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete\0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-26 101936]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - OHCHGNBQ
.
Contents of the 'Scheduled Tasks' folder

2009-04-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {8D3314D6-5914-46C1-9F3D-9F14B6A305F1} - hxxp://www.mytpi.com/mytpi05/eval/ectuploader.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-19 19:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ohchgnbq]
"ImagePath"="system32\drivers\ohchgnbq.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ccEvtMgr]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\SAVRT]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\SNDSrvc]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\SYMTDI]
"ImagePath"="-"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2496)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\ICWM\Printer\RDIConverterService.exe
c:\program files\SigmaTel\C-Major Audio\WDM\stacsv.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\hidfind.exe
c:\program files\DellTPad\ApntEx.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\windows\system32\msiexec.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2009-04-20 19:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-20 02:13
ComboFix2.txt 2009-04-19 20:58

Pre-Run: 36,937,416,704 bytes free
Post-Run: 36,839,497,728 bytes free

268 --- E O F --- 2009-04-15 22:04
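An added verification pass for readers following this thread (it is not heir's fix script and not one of the tools used above): a read-only PowerShell check that covers the loading points and files named in the post #4 OTL/CFScript fix, the ndis.sys hash comparison that the ComboFix Sigcheck block performs, and the ProxyServer line in the Supplementary Scan above. Assumptions: Windows is installed in C:\WINDOWS as the logs show, SP3 is installed so ServicePackFiles\i386\ndis.sys is the trusted reference copy (the same copy ComboFix compares against), and the script is run from an elevated PowerShell prompt. It changes nothing; it only reports what is still present.

```powershell
# Read-only post-fix verification for the items in heir's OTL/CFScript fix (post #4)
# and the ndis.sys / proxy lines in the ComboFix log (post #6).
# Added example for this thread, not heir's script and not a Geeks to Go tool.
# Assumptions: %SystemRoot% = C:\WINDOWS as in the logs; SP3 installed, so
# ServicePackFiles\i386\ndis.sys is the trusted reference; elevated prompt.

$findings = @()

# 1. Registry loading points the fix deletes. HKCR is not a default drive; map it.
if (-not (Test-Path 'HKCR:')) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}
$clsid = '{B8996FF8-C922-4E13-8475-29111FB8EE1C}'
$keys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid",
    "HKCR:\CLSID\$clsid",
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ososarbw',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1e2e1f43-a72e-11dd-8565-001d604005da}',
    'HKLM:\SYSTEM\CurrentControlSet\Services\ohchgnbq',
    'HKLM:\SYSTEM\CurrentControlSet\Services\ojqxmmgh'
)
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings += "registry key still present: $k" }
}

# 2. Files the fix removes (OTL :OTLI section and CFScript File:: section).
$files = @(
    "$env:SystemRoot\system32\lkomgpx.dll",
    "$env:SystemRoot\system32\vkeajkm.dll",
    "$env:SystemRoot\system32\drivers\ohchgnbq.sys",
    "$env:SystemRoot\Tasks\At1.job",
    "$env:SystemRoot\svcho.exe"
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "file still present: $f" }
}

# 3. Firewall exception for svcho.exe (the :Reg section) and the hosts redirect (O1 line).
$fwList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path $fwList) {
    $names = (Get-ItemProperty -Path $fwList).PSObject.Properties | ForEach-Object { $_.Name }
    if ($names -match 'svcho\.exe') { $findings += 'firewall exception for svcho.exe still listed' }
}
$hosts = "$env:SystemRoot\system32\drivers\etc\hosts"
if ((Get-Content $hosts) -match '^\s*127\.0\.0\.1\s+browser-security\.microsoft\.com') {
    $findings += 'hosts file still contains the browser-security.microsoft.com entry'
}

# 4. ndis.sys integrity. In the Sigcheck block, system32\drivers\ndis.sys and its dllcache
# copy share a hash that matches neither service-pack copy, so dllcache is not a clean
# reference here; compare against ServicePackFiles\i386 instead. Get-FileHash does not
# exist in XP-era PowerShell, so MD5 is computed through .NET directly.
function Get-Md5Hex ([string]$Path) {
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ([System.BitConverter]::ToString($md5.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}
$live  = "$env:SystemRoot\system32\drivers\ndis.sys"
$cache = "$env:SystemRoot\system32\dllcache\ndis.sys"
$ref   = "$env:SystemRoot\ServicePackFiles\i386\ndis.sys"
if ((Test-Path $live) -and (Test-Path $ref)) {
    $liveHash = Get-Md5Hex $live
    $refHash  = Get-Md5Hex $ref
    if ($liveHash -ne $refHash) {
        $findings += "ndis.sys hash $liveHash differs from service-pack copy $refHash"
    }
    if ((Test-Path $cache) -and ((Get-Md5Hex $cache) -ne $refHash)) {
        $findings += 'dllcache\ndis.sys also differs from the service-pack copy (WFP cache is not clean)'
    }
}

# 5. Browser proxy. The log shows ProxyServer = http=localhost:7171; a proxy on a loopback
# port with nothing listening produces IE's "cannot display the webpage".
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyServer -and ($inet.ProxyServer -match 'localhost|127\.0\.0\.1')) {
    $findings += "IE proxy points at loopback: $($inet.ProxyServer) (ProxyEnable=$($inet.ProxyEnable))"
}

# Report.
if ($findings.Count -eq 0) {
    'All checks passed: fix items gone, ndis.sys matches its service-pack copy, no loopback proxy.'
} else {
    $findings | ForEach-Object { "WARN: $_" }
}
```

The hash step is the part worth keeping for other threads: the $NtServicePackUninstall$ copy is the pre-SP3 driver and legitimately differs from the SP3 one, so the service-pack source directory is the right reference, and a dllcache copy that agrees with the live file proves nothing on its own, since both can be replaced together.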

#7
Cixelsyd (Topic Starter, Member, 82 posts)
I reran OTList2 as I did originally to scan the system... I've attached that log here. This is not the log on the pass where I put in the code fix... that never generated a log... This is after a reboot, removing the virus that was found and rebooting again.

Also, I tried resetting explorer to factory settings but still no internet.

Here is the log.

OTListIt logfile created on: 4/19/2009 9:58:23 PM - Run 2
OTListIt2 by OldTimer - Version 2.0.14.0 Folder = C:\Documents and Settings\sludwick\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 34.33 Gb Free Space | 46.06% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SAC-JCL8WD1
Current User Name: sludwick
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\WINDOWS\System32\WLTRYSVC.EXE ()
PRC - C:\WINDOWS\System32\bcmwltry.exe (Dell Inc.)
PRC - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (Symantec Corporation)
PRC - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (Lavasoft)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
PRC - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (Cisco Systems, Inc.)
PRC - C:\Program Files\Symantec AntiVirus\DefWatch.exe (Symantec Corporation)
PRC - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe (Dell Inc.)
PRC - C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
PRC - C:\Program Files\Common Files\ICWM\Printer\RDIConverterService.exe (Web Meeting)
PRC - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe (SigmaTel, Inc.)
PRC - C:\Program Files\Symantec AntiVirus\Rtvscan.exe (Symantec Corporation)
PRC - C:\WINDOWS\system32\wbem\wmiprvse.exe (Microsoft Corporation)
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
PRC - C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
PRC - C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
PRC - C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
PRC - C:\Program Files\DellTPad\ApMsgFwd.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\DellTPad\HidFind.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\DellTPad\Apntex.exe (Alps Electric Co., Ltd.)
PRC - C:\WINDOWS\system32\WLTRAY.exe (Dell Inc.)
PRC - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
PRC - C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
PRC - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
PRC - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
PRC - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe (TOSHIBA CORPORATION.)
PRC - C:\Program Files\Digital Line Detect\DLG.exe (Avanquest Software )
PRC - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe (TOSHIBA CORPORATION.)
PRC - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe (TOSHIBA CORPORATION.)
PRC - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe (TOSHIBA CORPORATION.)
PRC - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe (TOSHIBA CORPORATION.)
PRC - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe (TOSHIBA CORPORATION.)
PRC - C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
PRC - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
PRC - C:\Documents and Settings\sludwick\Desktop\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (aawservice [Auto | Running]) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (Lavasoft)
SRV - (Apple Mobile Device [Auto | Running]) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (Bonjour Service [Auto | Running]) -- C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
SRV - (ccEvtMgr [Disabled | Stopped]) -- File not found
SRV - (ccSetMgr [Auto | Running]) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (Symantec Corporation)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (CVPND [Auto | Running]) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (Cisco Systems, Inc.)
SRV - (DefWatch [Auto | Running]) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe (Symantec Corporation)
SRV - (FLEXnet Licensing Service [On_Demand | Running]) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (FontCache3.0.0.0 [On_Demand | Stopped]) -- c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
SRV - (gusvc [On_Demand | Stopped]) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (Google)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (IDriverT [On_Demand | Stopped]) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (idsvc [Unknown | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
SRV - (iPod Service [On_Demand | Running]) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (LiveUpdate [On_Demand | Stopped]) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_1.EXE (Symantec Corporation)
SRV - (NetTcpPortSharing [Disabled | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
SRV - (NICCONFIGSVC [Auto | Running]) -- C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe (Dell Inc.)
SRV - (NVSvc [Auto | Running]) -- C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation)
SRV - (odserv [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)
SRV - (ose [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (RDIConverterPrintHelper [Auto | Running]) -- C:\Program Files\Common Files\ICWM\Printer\RDIConverterService.exe (Web Meeting)
SRV - (SavRoam [On_Demand | Stopped]) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe (symantec)
SRV - (SNDSrvc [Disabled | Stopped]) -- File not found
SRV - (SPBBCSvc [Auto | Stopped]) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (Symantec Corporation)
SRV - (STacSV [Auto | Running]) -- C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe (SigmaTel, Inc.)
SRV - (Symantec AntiVirus [Auto | Running]) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe (Symantec Corporation)
SRV - (wltrysvc [Auto | Running]) -- C:\WINDOWS\System32\WLTRYSVC.EXE ()
SRV - (WMPNetworkSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (ApfiltrService [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\Apfiltr.sys (Alps Electric Co., Ltd.)
DRV - (APPDRV [System | Running]) -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS (Dell Inc)
DRV - (b57w2k [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\b57xp32.sys (Broadcom Corporation)
DRV - (BCM43XX [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\bcmwl5.sys (Broadcom Corp.)
DRV - (cercsr6 [Boot | Stopped]) -- C:\WINDOWS\System32\drivers\cercsr6.sys (Adaptec, Inc.)
DRV - (CSRBC [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\csrbcxp.sys (CSR, plc)
DRV - (CVirtA [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\CVirtA.sys (Cisco Systems, Inc.)
DRV - (CVPNDRVA [Auto | Running]) -- C:\WINDOWS\system32\Drivers\CVPNDRVA.sys (Cisco Systems, Inc.)
DRV - (DNE [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\dne2000.sys (Deterministic Networks, Inc.)
DRV - (eeCtrl [System | Running]) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
DRV - (EraserUtilRebootDrv [On_Demand | Running]) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)
DRV - (GEARAspiWDM [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (guardian2 [On_Demand | Running]) -- C:\WINDOWS\System32\Drivers\oz776.sys (O2Micro)
DRV - (HDAudBus [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HDAudBus.sys (Windows ® Server 2003 DDK provider)
DRV - (HSFHWAZL [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys (Conexant Systems, Inc.)
DRV - (HSF_DPV [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys (Conexant Systems, Inc.)
DRV - (ialm [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\igxpmp32.sys (Intel Corporation)
DRV - (mdmxsdk [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys (Conexant)
DRV - (NAVENG [On_Demand | Stopped]) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090419.005\NAVENG.SYS (Symantec Corporation)
DRV - (NAVEX15 [On_Demand | Stopped]) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090419.005\NAVEX15.SYS (Symantec Corporation)
DRV - (nv [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\nv4_mini.sys (NVIDIA Corporation)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (SAVRTPEL [System | Running]) -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys (Symantec Corporation)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (SPBBCDrv [System | Running]) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (Symantec Corporation)
DRV - (STHDA [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\sthda.sys (SigmaTel, Inc.)
DRV - (SymEvent [On_Demand | Running]) -- C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Corporation)
DRV - (SYMREDRV [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS (Symantec Corporation)
DRV - (SYMTDI [Disabled | Stopped]) -- C:\WINDOWS\System32\drivers\symtdi.sys (Symantec Corporation)
DRV - (tosporte [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\tosporte.sys (TOSHIBA Corporation)
DRV - (tosrfbd [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\tosrfbd.sys (TOSHIBA CORPORATION)
DRV - (tosrfbnp [On_Demand | Running]) -- C:\WINDOWS\System32\Drivers\tosrfbnp.sys (TOSHIBA Corporation)
DRV - (Tosrfcom [System | Running]) -- C:\WINDOWS\System32\Drivers\tosrfcom.sys (TOSHIBA Corporation)
DRV - (Tosrfhid [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\Tosrfhid.sys (TOSHIBA Corporation.)
DRV - (tosrfnds [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\tosrfnds.sys (TOSHIBA Corporation.)
DRV - (Tosrfusb [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\tosrfusb.sys (TOSHIBA CORPORATION)
DRV - (winachsf [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys (Conexant Systems, Inc.)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>



O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (&Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" (Adobe Systems Inc.)
O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe (Dell Inc.)
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start (InstallShield Software Corporation)
O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" (Apple Inc.)
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
O4 - HKLM..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] nwiz.exe /installquiet ()
O4 - HKLM..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" (CyberLink Corp.)
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe (Symantec Corporation)
O4 - HKCU..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe (Adobe Systems Incorporated)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk = C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe (TOSHIBA CORPORATION.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (Avanquest Software )
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk = C:\WINDOWS\Installer\{4C271126-C295-4828-A901-5910AE0C258B}\Icon3E5562ED7.ico ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption = Notice and Consent to Monitoring
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext = [String data over 1000 bytes]
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: 48 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} http://support.dell....iler/SysPro.CAB (SysProWmi Class)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebo...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://www.pcpitstop...t/PCPitStop.CAB (PCPitstop Utility)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1205176248203 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://dl8-cdn-01.su...ows-i586-jc.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {8D3314D6-5914-46C1-9F3D-9F14B6A305F1} http://www.mytpi.com...ectuploader.cab (eCTUploader Control)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://amexweb.webe...bex/ieatgpc.cab (GpcContainer Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = taic.net
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - Autorun File - C:\AUTOEXEC.BAT () - [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O34 - HKLM BootExecute: (ootExecute) - File not found
O34 - HKLM BootExecute: (settings...) - File not found
O34 - HKLM BootExecute: (on\E) - File not found

========== Files/Folders - Created Within 30 Days ==========

[7 C:\WINDOWS\*.tmp files]
[2009/04/19 19:14:00 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/04/19 18:22:32 | 00,000,000 | ---D | C] -- C:\_OTListIt
[2009/04/19 14:07:01 | 00,000,000 | ---D | C] -- C:\Lop SD
[2009/04/19 13:54:53 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/04/19 13:54:51 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/04/19 13:54:46 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/04/19 13:53:14 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/04/19 13:53:14 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/04/19 13:53:14 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/04/19 13:53:14 | 00,108,544 | ---- | C] () -- C:\WINDOWS\vFind.exe
[2009/04/19 13:53:14 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/04/19 13:53:14 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/04/19 13:53:14 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/04/19 13:53:14 | 00,029,696 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/04/19 13:53:07 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/04/19 13:53:03 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/04/19 13:49:30 | 00,530,106 | ---- | C] () -- C:\Documents and Settings\sludwick\Desktop\LopSD.exe
[2009/04/19 13:49:24 | 02,997,438 | R--- | C] () -- C:\Documents and Settings\sludwick\Desktop\ComboFix.exe
[2009/04/18 18:42:55 | 00,000,000 | ---D | C] -- C:\Rooter$
[2009/04/18 18:42:41 | 00,501,248 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\sludwick\Desktop\OTListIt2.exe
[2009/04/18 18:42:41 | 00,000,000 | ---D | C] -- C:\Documents and Settings\sludwick\Desktop\Logs
[2009/04/18 17:48:19 | 00,000,000 | ---D | C] -- C:\VundoFix Backups
[2009/04/18 10:43:16 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/04/18 06:35:27 | 00,182,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndis.sys
[2009/04/17 22:00:44 | 00,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/04/17 22:00:20 | 00,000,000 | ---D | C] -- C:\Program Files\iPod
[2009/04/17 22:00:10 | 00,000,000 | ---D | C] -- C:\Program Files\iTunes
[2009/04/17 22:00:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/04/17 21:50:04 | 00,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2009/04/14 19:16:02 | 00,284,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pdh.dll
[2009/04/14 19:16:01 | 00,729,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll
[2009/04/14 19:16:01 | 00,714,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntdll.dll
[2009/04/14 19:16:01 | 00,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\advapi32.dll
[2009/04/14 19:16:01 | 00,473,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fastprox.dll
[2009/04/14 19:16:01 | 00,453,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvsd.dll
[2009/04/14 19:16:01 | 00,401,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rpcss.dll
[2009/04/14 19:16:01 | 00,227,840 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvse.exe
[2009/04/14 19:16:01 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\services.exe
[2009/04/14 19:12:34 | 00,215,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wordpad.exe
[2009/04/14 19:12:34 | 00,002,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsp4res.dll
[2009/04/09 11:12:07 | 00,000,000 | ---D | C] -- C:\Documents and Settings\sludwick\My Documents\MBI
[2009/04/01 23:47:32 | 00,010,296 | ---- | C] () -- C:\Documents and Settings\sludwick\My Documents\lyrics.docx
[2009/03/25 17:00:32 | 00,264,304 | ---- | C] () -- C:\Documents and Settings\sludwick\Desktop\Scan001.PDF
[2009/03/25 10:44:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\sludwick\Application Data\Malwarebytes
[2009/03/25 10:44:40 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/03/25 10:44:40 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/03/25 10:44:38 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/03/25 10:44:37 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/03/25 10:44:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/03/25 10:40:17 | 00,000,000 | ---D | C] -- C:\WINDOWS\4C271126C2954828A9015910AE0C258B.TMP
[2009/03/25 02:45:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\sludwick\Local Settings\Application Data\quobarxz
[2009/03/25 02:45:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\sludwick\Application Data\quobarxz
[2009/03/22 19:25:12 | 00,000,000 | ---D | C] -- C:\Documents and Settings\sludwick\Application Data\Mozilla
[2009/03/21 07:06:58 | 00,989,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kernel32.dll
[2009/03/19 11:54:23 | 00,000,095 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/12/10 16:37:56 | 00,000,000 | ---- | C] () -- C:\WINDOWS\webica.ini
[2008/10/09 14:01:24 | 00,051,304 | ---- | C] () -- C:\WINDOWS\System32\drivers\atnt40k.sys
[2008/10/02 00:41:11 | 00,000,056 | RHS- | C] () -- C:\WINDOWS\System32\6125160107.sys
[2008/10/01 23:55:33 | 00,004,182 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2008/09/05 08:33:20 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/05/14 08:19:44 | 00,139,264 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2008/05/14 08:19:42 | 00,753,664 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2008/04/17 09:08:56 | 00,197,408 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2008/04/17 09:08:44 | 00,193,312 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2008/02/22 11:46:31 | 00,910,304 | ---- | C] () -- C:\WINDOWS\System32\igmedkrn.dll
[2008/02/22 11:46:31 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4831.dll
[2008/02/18 23:33:34 | 00,446,352 | ---- | C] () -- C:\WINDOWS\System32\OpenQuicktimeLib.dll
[2008/01/22 12:49:09 | 00,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2008/01/22 10:57:39 | 00,000,000 | ---- | C] () -- C:\WINDOWS\tosOBEX.INI
[2008/01/22 10:21:02 | 01,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2008/01/22 10:21:02 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2008/01/22 10:21:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008/01/22 10:20:58 | 01,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/08/07 17:02:14 | 00,182,656 | ---- | C] () -- C:\WINDOWS\System32\drivers\symndis.sys
[2005/09/02 15:44:08 | 00,110,592 | ---- | C] () -- C:\WINDOWS\System32\TosBtAcc.dll
[2005/07/22 22:30:20 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\TosCommAPI.dll
[2004/08/04 03:00:00 | 00,023,424 | ---- | C] () -- C:\WINDOWS\System32\drivers\vijardsy.sys
[2004/08/04 03:00:00 | 00,000,582 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/04 03:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2004/07/20 18:04:02 | 00,094,208 | ---- | C] () -- C:\WINDOWS\System32\TosBtHcrpAPI.dll
[2004/01/15 15:43:28 | 00,114,688 | ---- | C] () -- C:\WINDOWS\System32\TBTMonUI.dll

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[7 C:\WINDOWS\*.tmp files]
[2009/04/19 19:30:21 | 00,526,710 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/04/19 19:30:21 | 00,445,096 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/04/19 19:30:21 | 00,072,554 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/04/19 19:26:53 | 00,063,434 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2009/04/19 19:26:49 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/04/19 19:26:14 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/04/19 19:26:02 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/04/19 19:24:57 | 04,831,922 | -H-- | M] () -- C:\Documents and Settings\sludwick\Local Settings\Application Data\IconCache.db
[2009/04/19 19:09:09 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/04/19 19:09:01 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/04/19 19:05:09 | 00,023,424 | ---- | M] () -- C:\WINDOWS\System32\drivers\vijardsy.sys
[2009/04/19 13:54:53 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/04/19 13:48:38 | 00,530,106 | ---- | M] () -- C:\Documents and Settings\sludwick\Desktop\LopSD.exe
[2009/04/19 13:13:08 | 02,997,438 | R--- | M] () -- C:\Documents and Settings\sludwick\Desktop\ComboFix.exe
[2009/04/18 18:16:38 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\sludwick\Desktop\OTListIt2.exe
[2009/04/18 06:35:27 | 00,182,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\ndis.sys
[2009/04/18 06:35:27 | 00,182,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndis.sys
[2009/04/17 22:00:44 | 00,001,804 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/04/17 21:46:00 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/04/15 15:04:43 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/04/10 22:37:46 | 00,022,016 | ---- | M] () -- C:\Documents and Settings\sludwick\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/04/06 15:32:54 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/06 15:32:46 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/04/06 07:57:24 | 24,921,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/04/01 23:47:32 | 00,010,296 | ---- | M] () -- C:\Documents and Settings\sludwick\My Documents\lyrics.docx
[2009/03/26 23:58:38 | 01,203,922 | ---- | M] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009/03/25 17:00:34 | 00,264,304 | ---- | M] () -- C:\Documents and Settings\sludwick\Desktop\Scan001.PDF
[2009/03/25 10:44:40 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/03/25 08:17:39 | 00,002,447 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
[2009/03/21 07:06:58 | 00,989,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\kernel32.dll
[2009/03/21 07:06:58 | 00,989,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kernel32.dll

========== LOP Check ==========

[2009/04/17 22:00:10 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2009/04/17 22:00:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2008/09/03 16:34:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2008/10/29 08:35:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple
[2008/10/29 08:36:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2008/01/22 12:46:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CyberLink
[2008/01/22 10:33:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Dell
[2008/12/19 21:05:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FLEXnet
[2009/01/16 00:16:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Google
[2008/10/02 00:04:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InstallShield
[2009/03/10 17:52:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2009/03/25 10:44:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2008/09/14 12:12:50 | 00,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2009/04/15 15:02:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft Help
[2008/09/10 12:33:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Skype
[2009/03/19 11:44:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2008/01/22 11:24:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Symantec
[2009/03/19 11:05:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2008/01/22 10:35:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\UIB
[2008/01/22 11:55:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2009/03/25 10:44:42 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\sludwick\Application Data
[2009/02/18 12:35:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\sludwick\Application Data\Adobe
[2008/11/26 12:30:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\sludwick\Application Data\Apple Computer
[2008/10/02 00:41:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\sludwick\Application Data\Corel
[2008/09/03 14:40:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\sludwick\Application Data\Dell
[2008/09/10 16:14:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\sludwick\Application Data\Google
[2008/12/10 16:55:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\sludwick\Application Data\ICAClient
[2008/09/03 14:39:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\sludwick\Application Data\Identities
[2008/09/10 12:27:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\sludwick\Application Data\Macromedia
[2009/03/25 10:44:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\sludwick\Application Data\Malwarebytes
[2009/02/23 22:14:43 | 00,000,000 | --SD | M] -- C:\Documents and Settings\sludwick\Application Data\Microsoft
[2009/02/13 17:50:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\sludwick\Application Data\Move Networks
[2009/03/22 19:25:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\sludwick\Application Data\Mozilla
[2009/03/25 02:45:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\sludwick\Application Data\quobarxz
[2009/04/17 14:01:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\sludwick\Application Data\Skype
[2009/04/17 08:20:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\sludwick\Application Data\skypePM
[2008/09/12 07:56:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\sludwick\Application Data\Sun
[2009/01/30 14:04:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\sludwick\Application Data\Web Meeting
[2008/11/21 11:00:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\sludwick\Application Data\webex
[2009/04/17 21:46:00 | 00,000,284 | ---- | M] () -- C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
[2004/08/04 03:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/04/19 19:26:14 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========


========== Alternate Data Streams ==========

@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >

#8
Cixelsyd

    Member

  • Topic Starter
  • Member
  • 82 posts
I just ran Malwarebytes and it found something called AGProtect... did not find the Vundo.H, so we traded? haha... anyway, here is the log... anxious to get this fixed so I can attend the university and find out more about all this stuff.

Malwarebytes' Anti-Malware 1.36
Database version: 2000
Windows 5.1.2600 Service Pack 3

4/19/2009 10:17:25 PM
mbam-log-2009-04-19 (22-17-25).txt

Scan type: Quick Scan
Objects scanned: 80580
Time elapsed: 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
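The Malwarebytes logs in this thread share one format, and the first one marked the Vundo keys "Delete on reboot" yet the trojan was still there after the reboot. As an added example (not from the thread, the helper, or Malwarebytes), the Python below parses that log format, cross-checks the summary counts against the listed entries, and pulls out the items that were only scheduled for removal so they can be re-checked after the reboot; the sample log is constructed from entries reported in this thread.

```python
import re

# Constructed sample in the format of the Malwarebytes' Anti-Malware 1.36
# logs posted in this thread; the two entries are ones those logs report.
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.36
Registry Keys Infected: 2
Files Infected: 0

Registry Keys Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\ososarbw (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\\SOFTWARE\\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<item> (<detection name>) -> <action>."
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return (summary counts by section, list of detection dicts)."""
    summary, findings, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SUMMARY_RE.match(line):
            summary[m.group("section")] = int(m.group("count"))
        elif m := HEADER_RE.match(line):
            section = m.group("section")
        elif section and (m := ITEM_RE.match(line)):
            findings.append({"section": section, **m.groupdict()})
    return summary, findings


def pending_after_reboot(findings):
    """Entries MBAM could only schedule for removal; re-scan after the reboot,
    since in this thread the Vundo keys were scheduled this way and survived."""
    return [f for f in findings if f["action"].lower() == "delete on reboot"]


def count_mismatches(summary, findings):
    """Sections whose summary count differs from the listed entries (e.g. a truncated paste)."""
    listed = {}
    for f in findings:
        listed[f["section"]] = listed.get(f["section"], 0) + 1
    return {s: (n, listed.get(s, 0)) for s, n in summary.items()
            if listed.get(s, 0) != n}
```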

#9
heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
Please do only what I ask you to!
The analysis is done manually (my brain - and resources on the Internet) - I don't want to get it overloaded. :)
Running other tools than I ask you to makes it more difficult for me to get a grip on what's happening on your computer.

I need to process the information so far.
I'll get back to you.

#10
Cixelsyd

    Member

  • Topic Starter
  • Member
  • 82 posts
Sorry about that... Got a little anxious... and I did post a lot of info.

Standing by.

#11
heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
You need to make sure that your protection software is disabled permanently when running tools.
Here and here are guides on how to do that.
You can manually re-enable them when the tools have finished running.


Step 1.
Filescan:

As you can't use IE, use FF, but the copy to clipboard won't work. Just mark the result with the mouse, right-click, copy it and paste the result back here.

  • Using Internet Explorer please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

    • c:\windows\system32\drivers\vijardsy.sys
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

Step 2.
CFScript:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
"BootExecute"=hex(7):61,75,74,6F,63,68,65,63,6B,20,61,75,74,6F,\
  63,68,6B,20,2A,5C,30,6C,73,64,65,6C,65,74,65,00,00

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Step 3.
Things I would like to see in your reply:

  • The result from the filescan in step 1.
  • The content of C:\ComboFix.txt from step 2.
  • Information on how your computer is running now.


#12
Cixelsyd

    Member

  • Topic Starter
  • Member
  • 82 posts
What's FF? Is that Firefox? I think I only have IE on my machine... I'm on my desktop now.

#13
Cixelsyd

    Member

  • Topic Starter
  • Member
  • 82 posts
Also, the Anti-Virus I have is Symantec... The Auto-Protect got infected I believe, as it no longer operates.

Is that all I need to disable? The Auto-Protect?

Thanks

#14
heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts

What's FF? Is that Firefox? I think I only have IE on my machine... I'm on my desktop now.

Sorry for using acronyms like FF. Yes that's Firefox.
What I don't understand is that you were stating (in your PM to me) that Internet Explorer isn't working.
What browser are you using?
Whatever browser you're using, use that one to scan the file and post the result.

Also, the Anti-Virus I have is Symantec... The Auto-Protect got infected I believe, as it no longer operates.

Is that all I need to disable? The auto Protect?

I don't understand fully.
Is the Auto-Protect function in Symantec not functioning as it should?

Anyway, the protection software needs to be disabled. Make sure it is when you are asked to disable it.

#15
Cixelsyd

    Member

  • Topic Starter
  • Member
  • 82 posts
Sorry for the confusion Heir,

The problem is on my laptop... I've been using my desktop to post. All the downloads and code you have had me use, I've put on a thumb drive and passed between my desktop and laptop. I believe my internet connection is fine, as the antivirus did get a new update today. But when I launch IE, it says "Internet Explorer cannot display the webpage". I don't have Firefox on it... to my knowledge... it's just IE.

The Symantec AutoProtect is not working as it should. I had a malware problem recently... spydoctor2009, or something like that... Malwarebytes fixed it... but the AutoProtect stopped working... haven't had a chance to look at it.

I've disabled the scanner entirely... but still have no IE access.

How do you want me to proceed?