Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Google and MSN redirect in IE7 [Solved]

Started by yeschiro , Apr 22 2009 10:07 AM

This topic is locked

#1
yeschiro

Posted 22 April 2009 - 10:07 AM

Member

Member
58 posts

Google results redirect to different websites. It was also happening with MSN, but Yahoo is not effected. Also getting an annoying Windows - No Disk Exception when opening some programs.

I've gone throught the Malware Removal Guide. The logs are below.

Rooter Log

Microsoft Windows XP Professional (5.1.2600) Service Pack 3

A:\ [Removable] (Total:0 Mo/Free:0 Mo)
C:\ [Fixed] - NTFS - (Total:39166 Mo/Free:2976 Mo)
D:\ [CD-Rom] (Total:702 Mo/Free:631 Mo)
E:\ [CD-Rom] (Total:702 Mo/Free:631 Mo)
F:\ [CD-Rom] (Total:4 Mo/Free:0 Mo)

Wed 04/22/2009|11:52

----------------------\\ Processes..

--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\wltrysvc.exe
---------- C:\WINDOWS\System32\bcmwltry.exe
---------- C:\WINDOWS\system32\spoolsv.exe
---------- C:\WINDOWS\Explorer.EXE
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
---------- C:\Program Files\LogMeIn\x86\RaMaint.exe
---------- C:\Program Files\Analog Devices\Core\smax4pnp.exe
---------- C:\WINDOWS\system32\wltray.exe
---------- C:\Program Files\LogMeIn\x86\LogMeIn.exe
---------- C:\Program Files\LogMeIn\x86\LMIGuardian.exe
---------- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
---------- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
---------- C:\WINDOWS\system32\SearchIndexer.exe
---------- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
---------- C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
---------- C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
---------- C:\PROGRA~1\AVG\AVG8\avgrsx.exe
---------- C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
---------- C:\PROGRA~1\AVG\AVG8\avgtray.exe
---------- C:\Program Files\SpyNoMore\SNM.exe
---------- C:\WINDOWS\system32\ctfmon.exe
---------- C:\Program Files\DNA\btdna.exe
---------- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
---------- C:\Program Files\Microsoft ActiveSync\wcescomm.exe
---------- C:\Program Files\Messenger\msmsgs.exe
---------- C:\Program Files\LogMeIn\x86\LMIGuardian.exe
---------- C:\PROGRA~1\MICROS~3\rapimgr.exe
---------- C:\Program Files\Windows Desktop Search\WindowsSearch.exe
---------- C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
---------- C:\WINDOWS\System32\alg.exe
---------- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
---------- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
---------- C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
---------- C:\Program Files\Internet Explorer\iexplore.exe
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\ Search..

C:\WINDOWS\System32\TDSSosvd.dat
==> TDSS.. <==

----------------------\\ ROOTKIT !!

HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV.SYS
HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_TDSSSERV.SYS
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV.SYS

----------------------\\ Suspect..

C:\Adobe Photoshop 7.0 PC.zip

----------------------\\ Cracks & Keygens..

C:\DOCUME~1\HOMECO~1\My Documents\Downloads\Adobe Acrobat 8 Professional with keygen\Readme.txt
C:\DOCUME~1\HOMECO~1\My Documents\Downloads\Adobe Acrobat 8 Professional with keygen\Adobe Acrobat 8 Professional\instmsia.exe
C:\DOCUME~1\HOMECO~1\My Documents\Downloads\Adobe Acrobat 8 Professional with keygen\Adobe Acrobat 8 Professional\Setup.exe
C:\DOCUME~1\HOMECO~1\My Documents\Downloads\Adobe Acrobat 8 Professional with keygen\Adobe Acrobat 8 Professional\WindowsInstaller-KB893803-v2-x86.exe
C:\DOCUME~1\HOMECO~1\My Documents\Downloads\Adobe Acrobat 8 Professional with keygen\Crack\Readme.txt
C:\DOCUME~1\HOMECO~1\My Documents\Downloads\Adobe Acrobat 8 Professional with keygen\Customer Support\CD_Info.txt
C:\DOCUME~1\HOMECO~1\My Documents\Downloads\Elcomsoft.Advanced.PDF.Password.Recovery.v5.0.Professional-DOA\ELSOFT.ADPDFPASSRECOV.5.0.PRO\Crack\key.txt

1 - "C:\Rooter$\Rooter_1.txt" - Mon 04/20/2009|15:32
2 - "C:\Rooter$\Rooter_2.txt" - Wed 04/22/2009|11:53

----------------------\\ Scan completed at 11:53

Old Timer

OTListIt logfile created on: 4/22/2009 12:03:30 PM - Run 3
OTListIt2 by OldTimer - Version 2.0.14.0 Folder = C:\Documents and Settings\Home Computer\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.98 Mb Total Physical Memory | 575.09 Mb Available Physical Memory | 56.22% Memory free
1.65 Gb Paging File | 1.18 Gb Available in Paging File | 71.58% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 38.25 Gb Total Space | 10.91 Gb Free Space | 28.52% Space Free | Partition Type: NTFS
Drive D: | 702.52 Mb Total Space | 631.53 Mb Free Space | 89.89% Space Free | Partition Type: UDF2.00
Drive E: | 702.52 Mb Total Space | 631.53 Mb Free Space | 89.89% Space Free | Partition Type: UDF2.00
Drive F: | 5.46 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HOME-727E386993
Current User Name: Home Computer
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\WINDOWS\System32\wltrysvc.exe ()
PRC - C:\WINDOWS\System32\bcmwltry.exe (Belkin Corporation)
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\LogMeIn\x86\RaMaint.exe (LogMeIn, Inc.)
PRC - C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
PRC - C:\WINDOWS\system32\wltray.exe (Belkin Corporation)
PRC - C:\Program Files\LogMeIn\x86\LogMeIn.exe (LogMeIn, Inc.)
PRC - C:\Program Files\LogMeIn\x86\LMIGuardian.exe (LogMeIn, Inc.)
PRC - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
PRC - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
PRC - C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)
PRC - C:\Program Files\Roxio\Media Experience\DMXLauncher.exe ()
PRC - C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe (Sonic Solutions)
PRC - C:\Program Files\AVG\AVG8\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
PRC - C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\SpyNoMore\SNM.exe (Illysoft LLC)
PRC - C:\Program Files\DNA\btdna.exe (BitTorrent, Inc.)
PRC - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
PRC - C:\Program Files\Microsoft ActiveSync\wcescomm.exe (Microsoft Corporation)
PRC - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
PRC - C:\Program Files\LogMeIn\x86\LMIGuardian.exe (LogMeIn, Inc.)
PRC - C:\Program Files\Microsoft ActiveSync\rapimgr.exe (Microsoft Corporation)
PRC - C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
PRC - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe (Sonic Solutions)
PRC - C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe (Google Inc.)
PRC - C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
PRC - C:\Documents and Settings\Home Computer\Desktop\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (avg8wd [Auto | Running]) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (FLEXnet Licensing Service [On_Demand | Running]) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (gusvc [Auto | Stopped]) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (Google)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (IDriverT [On_Demand | Stopped]) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (LMIMaint [Auto | Running]) -- C:\Program Files\LogMeIn\x86\RaMaint.exe (LogMeIn, Inc.)
SRV - (LogMeIn [Auto | Running]) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe (LogMeIn, Inc.)
SRV - (Macromedia Licensing Service [On_Demand | Stopped]) -- C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe (Macromedia)
SRV - (MDM [Auto | Running]) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
SRV - (Microsoft Office Groove Audit Service [On_Demand | Stopped]) -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe (Microsoft Corporation)
SRV - (odserv [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)
SRV - (ose [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (Roxio UPnP Renderer 9 [On_Demand | Stopped]) -- C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe (Sonic Solutions)
SRV - (Roxio Upnp Server 9 [Auto | Stopped]) -- C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe (Sonic Solutions)
SRV - (RoxLiveShare9 [Auto | Stopped]) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (Sonic Solutions)
SRV - (RoxMediaDB9 [On_Demand | Stopped]) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe (Sonic Solutions)
SRV - (RoxWatch9 [Auto | Stopped]) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe (Sonic Solutions)
SRV - (stllssvr [On_Demand | Stopped]) -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (MicroVision Development, Inc.)
SRV - (wltrysvc [Auto | Running]) -- C:\WINDOWS\System32\wltrysvc.exe ()
SRV - (WMPNetworkSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (AegisP [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\AegisP.sys (Meetinghouse Data Communications)
DRV - (ati2mtag [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ati2mtag.sys (ATI Technologies Inc.)
DRV - (atinrvxx [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\atinrvxx.sys (ATI Technologies Inc.)
DRV - (ATITUNEP [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\atintuxx.sys (ATI Technologies Inc.)
DRV - (ativraxx [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\atinraxx.sys (ATI Technologies Inc.)
DRV - (ATIXSAudio [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\atinxsxx.sys (ATI Technologies Inc.)
DRV - (AvgLdx86 [System | Running]) -- C:\WINDOWS\System32\Drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgMfx86 [System | Running]) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (BCM43XX [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\bcmwl5.sys (Broadcom Corporation)
DRV - (Belkin700F [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\BLKWGDv7.sys (Belkin Corporation. )
DRV - (DLABMFSM [Auto | Running]) -- C:\WINDOWS\System32\DLA\DLABMFSM.SYS (Sonic Solutions)
DRV - (DLABOIOM [Auto | Running]) -- C:\WINDOWS\System32\DLA\DLABOIOM.SYS (Sonic Solutions)
DRV - (DLACDBHM [System | Running]) -- C:\WINDOWS\System32\Drivers\DLACDBHM.SYS (Sonic Solutions)
DRV - (DLADResM [Auto | Running]) -- C:\WINDOWS\System32\DLA\DLADResM.SYS (Sonic Solutions)
DRV - (DLAIFS_M [Auto | Running]) -- C:\WINDOWS\System32\DLA\DLAIFS_M.SYS (Sonic Solutions)
DRV - (DLAOPIOM [Auto | Running]) -- C:\WINDOWS\System32\DLA\DLAOPIOM.SYS (Sonic Solutions)
DRV - (DLAPoolM [Auto | Running]) -- C:\WINDOWS\System32\DLA\DLAPoolM.SYS (Sonic Solutions)
DRV - (DLARTL_M [System | Running]) -- C:\WINDOWS\System32\Drivers\DLARTL_M.SYS (Sonic Solutions)
DRV - (DLAUDFAM [Auto | Running]) -- C:\WINDOWS\System32\DLA\DLAUDFAM.SYS (Sonic Solutions)
DRV - (DLAUDF_M [Auto | Running]) -- C:\WINDOWS\System32\DLA\DLAUDF_M.SYS (Sonic Solutions)
DRV - (drvmcdb [Boot | Running]) -- C:\WINDOWS\system32\drivers\drvmcdb.sys (Sonic Solutions)
DRV - (DRVNDDM [Auto | Running]) -- C:\WINDOWS\System32\Drivers\DRVNDDM.SYS (Sonic Solutions)
DRV - (E100B [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\e100b325.sys (Intel Corporation)
DRV - (HSFHWBS2 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys (Conexant Systems, Inc.)
DRV - (HSF_DP [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\HSF_DP.sys (Conexant Systems, Inc.)
DRV - (LMIInfo [Auto | Running]) -- C:\Program Files\LogMeIn\x86\RaInfo.sys (LogMeIn, Inc.)
DRV - (lmimirr [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\lmimirr.sys (LogMeIn, Inc.)
DRV - (LMIRfsClientNP [Disabled | Stopped]) -- C:\WINDOWS\System32\LMIRfsClientNP.dll (LogMeIn, Inc.)
DRV - (LMIRfsDriver [Auto | Running]) -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys (LogMeIn, Inc.)
DRV - (mdmxsdk [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys (Conexant)
DRV - (MODEMCSA [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys (Microsoft Corporation)
DRV - (MVDCODEC [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\atinmdxx.sys (ATI Technologies Inc.)
DRV - (P16X [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\P16X.sys (Creative Technology Ltd.)
DRV - (PCDCODEC [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\atinpdxx.sys (ATI Technologies Inc.)
DRV - (PfModNT [Auto | Running]) -- C:\WINDOWS\system32\drivers\PfModNT.sys (Creative Technology Ltd.)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (PxHelp20 [Boot | Running]) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)
DRV - (RT2500 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\RT2500.sys (Ralink Technology Inc.)
DRV - (RxFilter [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\RxFilter.sys (Sonic Solutions)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (senfilt [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\senfilt.sys (Creative Technology Ltd.)
DRV - (smwdm [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\smwdm.sys (Analog Devices, Inc.)
DRV - (usb_rndisx [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\usb8023x.sys (Microsoft Corporation)
DRV - (wceusbsh [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\wceusbsh.sys (Microsoft Corporation)
DRV - (winachsf [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys (Conexant Systems, Inc.)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

O1 HOSTS File: (0 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O2 - BHO: (Google Toolbar Helper) - {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O2 - BHO: (no name) - {d7bf4552-94f1-42bd-f434-3604812c856d} - Reg Error: Key error. File not found
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" (Adobe Systems Inc.)
O4 - HKLM..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe" ()
O4 - HKLM..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun (Google Inc.)
O4 - HKLM..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" (Microsoft Corporation)
O4 - HKLM..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" (LogMeIn, Inc.)
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" (Sonic Solutions)
O4 - HKLM..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" (Sonic Solutions)
O4 - HKLM..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup (Illysoft LLC)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe (Belkin Corporation)
O4 - HKCU..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe" (BitTorrent, Inc.)
O4 - HKCU..\Run: [Diagnostic Manager] C:\DOCUME~1\HOMECO~1\LOCALS~1\Temp\1150471758.exe File not found
O4 - HKCU..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" (Microsoft Corporation)
O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (Microsoft Corporation)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk = C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Home Computer\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O4 - Startup: C:\Documents and Settings\Home Computer\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.appl...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.micr.../OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebo...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1221140212726 (WUWebControl Class)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logme...trl.cab?lmi=100 (Performance Viewer Activex Control)
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - x-sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O20 - AppInit_DLLs: (avgrsstx.dll) - C:\WINDOWS\system32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - C:\WINDOWS\system32\LMIinit.dll (LogMeIn, Inc.)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - Autorun File - C:\AUTOEXEC.BAT () - [ NTFS ]
O32 - Autorun File - F:\autorun.inf () - [ CDFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[12 C:\*.tmp files]
[4 C:\WINDOWS\*.tmp files]
[2009/04/22 11:50:44 | 00,021,504 | ---- | C] (Doug Knox) -- C:\DOCUME~1\HOMECO~1\Desktop\SysRestorePoint.exe
[2009/04/22 11:50:13 | 00,063,208 | ---- | C] () -- C:\DOCUME~1\HOMECO~1\Desktop\bb457097.htm
[2009/04/22 10:47:45 | 00,000,000 | ---D | C] -- C:\Program Files\HiJack This
[2009/04/22 10:43:39 | 00,000,000 | ---D | C] -- C:\DOCUME~1\HOMECO~1\Desktop\GooredFixBackups
[2009/04/22 10:20:42 | 00,000,000 | ---D | C] -- C:\Program Files\IE8
[2009/04/20 15:54:04 | 00,501,248 | ---- | C] (OldTimer Tools) -- C:\DOCUME~1\HOMECO~1\Desktop\OTListIt2.exe
[2009/04/20 15:51:45 | 02,998,034 | ---- | C] () -- C:\DOCUME~1\HOMECO~1\Desktop\ComboFix.exe
[2009/04/20 15:30:53 | 00,000,000 | ---D | C] -- C:\Rooter$
[2009/04/20 15:30:36 | 00,267,612 | ---- | C] () -- C:\DOCUME~1\HOMECO~1\Desktop\Rooter.exe
[2009/04/20 15:08:39 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/04/20 15:08:24 | 00,000,767 | ---- | C] () -- C:\Documents and Settings\Home Computer\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2009/04/20 15:08:17 | 00,000,611 | ---- | C] () -- C:\DOCUME~1\HOMECO~1\Desktop\NTREGOPT.lnk
[2009/04/20 15:08:17 | 00,000,592 | ---- | C] () -- C:\DOCUME~1\HOMECO~1\Desktop\ERUNT.lnk
[2009/04/20 15:08:16 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/04/20 10:06:21 | 00,000,000 | ---D | C] -- C:\Clean COmputer
[2009/04/20 09:42:31 | 00,001,152 | ---- | C] () -- C:\WINDOWS\System32\windrv.sys
[2009/04/20 09:42:14 | 00,000,658 | ---- | C] () -- C:\DOCUME~1\HOMECO~1\Desktop\SpyNoMore.lnk
[2009/04/20 09:42:14 | 00,000,000 | ---D | C] -- C:\Program Files\SpyNoMore
[2009/04/20 09:41:32 | 00,000,000 | ---D | C] -- C:\DOCUME~1\HOMECO~1\Desktop\Downloads
[2009/04/20 09:41:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Home Computer\Application Data\GetRightToGo
[2009/04/17 16:35:42 | 00,089,448 | ---- | C] () -- C:\WINDOWS\System32\drivers\8129abd8.sys
[2009/04/17 09:16:07 | 00,000,001 | ---- | C] () -- C:\WINDOWS\System32\uniq.tll
[2009/04/16 03:06:06 | 00,000,206 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009/04/15 22:39:51 | 00,284,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pdh.dll
[2009/04/15 22:39:50 | 00,729,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll
[2009/04/15 22:39:50 | 00,473,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fastprox.dll
[2009/04/15 22:39:50 | 00,453,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvsd.dll
[2009/04/15 22:39:50 | 00,401,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rpcss.dll
[2009/04/15 22:39:50 | 00,227,840 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvse.exe
[2009/04/15 22:39:50 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\services.exe
[2009/04/15 22:39:49 | 00,714,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntdll.dll
[2009/04/15 22:39:49 | 00,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\advapi32.dll
[2009/04/15 22:38:12 | 01,203,922 | ---- | C] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009/04/15 22:38:12 | 00,215,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wordpad.exe
[2009/04/15 22:38:12 | 00,002,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsp4res.dll
[2009/04/15 18:04:02 | 00,000,155 | ---- | C] () -- C:\WINDOWS\System32\SelfDel.bat
[2009/04/15 17:49:02 | 00,109,010 | ---- | C] () -- C:\WINDOWS\System32\drivers\f0ae222a.sys
[2009/04/15 17:34:55 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\AnswerWorks 5.0
[2009/04/15 17:34:45 | 00,001,565 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Quicken Home & Business 2009.lnk
[2009/04/01 15:08:59 | 00,000,000 | ---D | C] -- C:\DOCUME~1\HOMECO~1\My Documents\Storage Card
[2009/03/25 16:00:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Home Computer\Application Data\Canon
[2009/03/23 23:03:28 | 00,000,868 | ---- | C] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2008/12/17 12:39:08 | 00,000,040 | ---- | C] () -- C:\WINDOWS\winDecrypt.INI
[2008/12/17 12:14:48 | 00,000,048 | ---- | C] () -- C:\WINDOWS\System32\pdfutil.ini
[2008/11/12 16:36:42 | 00,056,056 | ---- | C] () -- C:\WINDOWS\System32\DLAAPI_W.DLL
[2008/11/12 16:36:41 | 00,000,267 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/11/12 10:02:58 | 00,270,336 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2008/11/05 11:00:14 | 00,000,165 | ---- | C] () -- C:\WINDOWS\Quicken.ini
[2008/10/31 12:12:22 | 00,176,235 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll
[2008/10/31 09:21:14 | 00,003,078 | ---- | C] () -- C:\WINDOWS\System32\bcmwlhom.ini
[2008/10/29 17:04:31 | 00,006,592 | ---- | C] () -- C:\WINDOWS\gwpreset.ini
[2008/10/29 17:04:31 | 00,000,423 | ---- | C] () -- C:\WINDOWS\goldwave.ini
[2008/10/27 16:12:04 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/09/09 11:49:39 | 00,094,208 | ---- | C] () -- C:\WINDOWS\System32\GTW32N50.dll
[2008/09/09 10:14:15 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2008/04/28 13:13:33 | 00,000,310 | ---- | C] () -- C:\WINDOWS\primopdf.ini
[2008/02/04 19:23:10 | 00,693,792 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2007/09/27 11:51:02 | 00,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 11:48:48 | 00,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 11:48:28 | 00,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2007/08/06 11:07:30 | 00,008,784 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll
[2006/08/16 14:47:38 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2006/08/09 05:19:50 | 00,520,192 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Roxio.dll
[2006/08/09 05:19:50 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\CddbFileTaggerRoxio.dll
[2006/08/09 02:00:00 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\besched.dll
[2006/07/11 15:29:00 | 00,028,672 | R--- | C] ( ) -- C:\WINDOWS\System32\DivXGraphBuilderCallback.dll
[2005/07/15 14:35:56 | 00,831,488 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2005/07/15 14:35:56 | 00,159,744 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2005/07/15 14:35:24 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2005/06/11 11:47:00 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\fpprintmon.dll
[2004/08/12 09:33:16 | 00,000,664 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/12 09:30:36 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2003/10/02 02:00:00 | 00,208,896 | ---- | C] () -- C:\WINDOWS\System32\lockout.dll
[2003/10/02 02:00:00 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\lockres.dll
[2002/05/10 00:25:00 | 00,039,936 | ---- | C] () -- C:\WINDOWS\System32\P16X.dll
[2002/04/10 19:41:00 | 00,065,536 | ---- | C] ( ) -- C:\WINDOWS\System32\A3d.dll
[1999/01/22 14:46:58 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
[1998/01/12 04:00:00 | 00,040,448 | ---- | C] () -- C:\WINDOWS\System32\REGOBJ.DLL

========== Files - Modified Within 30 Days ==========

[12 C:\*.tmp files]
[4 C:\WINDOWS\System32\*.tmp files]
[4 C:\WINDOWS\*.tmp files]
[2009/04/22 12:04:06 | 00,089,448 | ---- | M] () -- C:\WINDOWS\System32\drivers\8129abd8.sys
[2009/04/22 12:04:02 | 00,109,010 | ---- | M] () -- C:\WINDOWS\System32\drivers\f0ae222a.sys
[2009/04/22 11:50:44 | 00,021,504 | ---- | M] (Doug Knox) -- C:\DOCUME~1\HOMECO~1\Desktop\SysRestorePoint.exe
[2009/04/22 11:50:14 | 00,063,208 | ---- | M] () -- C:\DOCUME~1\HOMECO~1\Desktop\bb457097.htm
[2009/04/22 11:38:10 | 00,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2009/04/22 09:00:04 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/04/22 08:59:43 | 00,002,337 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
[2009/04/22 08:58:51 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/04/22 08:58:37 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/04/22 08:57:28 | 04,240,656 | -H-- | M] () -- C:\DOCUME~1\HOMECO~1\Local Settings\Application Data\IconCache.db
[2009/04/20 18:06:23 | 00,424,572 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/04/20 18:06:22 | 00,504,054 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/04/20 18:06:22 | 00,070,184 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/04/20 15:54:05 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\DOCUME~1\HOMECO~1\Desktop\OTListIt2.exe
[2009/04/20 15:51:57 | 02,998,034 | ---- | M] () -- C:\DOCUME~1\HOMECO~1\Desktop\ComboFix.exe
[2009/04/20 15:30:37 | 00,267,612 | ---- | M] () -- C:\DOCUME~1\HOMECO~1\Desktop\Rooter.exe
[2009/04/20 15:08:24 | 00,000,767 | ---- | M] () -- C:\Documents and Settings\Home Computer\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2009/04/20 15:08:17 | 00,000,611 | ---- | M] () -- C:\DOCUME~1\HOMECO~1\Desktop\NTREGOPT.lnk
[2009/04/20 15:08:17 | 00,000,592 | ---- | M] () -- C:\DOCUME~1\HOMECO~1\Desktop\ERUNT.lnk
[2009/04/20 09:42:31 | 00,001,152 | ---- | M] () -- C:\WINDOWS\System32\windrv.sys
[2009/04/20 09:42:14 | 00,000,658 | ---- | M] () -- C:\DOCUME~1\HOMECO~1\Desktop\SpyNoMore.lnk
[2009/04/17 09:16:07 | 00,000,001 | ---- | M] () -- C:\WINDOWS\System32\uniq.tll
[2009/04/16 17:09:06 | 00,100,885 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/04/16 17:09:05 | 35,181,591 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/04/16 17:09:05 | 00,401,372 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/04/16 03:06:53 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/04/16 03:06:06 | 00,000,206 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2009/04/15 18:04:02 | 00,000,155 | ---- | M] () -- C:\WINDOWS\System32\SelfDel.bat
[2009/04/15 17:38:43 | 00,000,165 | ---- | M] () -- C:\WINDOWS\Quicken.ini
[2009/04/15 17:34:45 | 00,001,565 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\Quicken Home & Business 2009.lnk
[2009/04/06 10:57:24 | 24,921,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/03/31 15:44:49 | 00,000,664 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/03/27 02:58:38 | 01,203,922 | ---- | M] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb

========== Alternate Data Streams ==========

@Alternate Data Stream - 76 bytes -> C:\DOCUME~1\HOMECO~1\My Documents\calm_morning.mp3:Roxio EMC Stream
< End of report >

#2
Rorschach112

Posted 22 April 2009 - 10:19 AM

Ralphie

Retired Staff
47,710 posts

don't download cracks

Please download OTMoveIt3 by OldTimer

Save it to your desktop.
Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).

Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:Processes
explorer.exe

:Services

:Reg

:Files
C:\DOCUME~1\HOMECO~1\My Documents\Downloads\Adobe Acrobat 8 Professional with keygen
C:\DOCUME~1\HOMECO~1\My Documents\Downloads\Elcomsoft.Advanced.PDF.Password.Recovery.v5.0.Professional-DOA\ELSOFT.ADPDFPASSRECOV.5.0.PRO\Crack

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

#3
yeschiro

Posted 22 April 2009 - 01:39 PM

Member

Topic Starter
Member
58 posts

OTMoveIT

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File/Folder C:\DOCUME~1\HOMECO~1\My Documents\Downloads\Adobe Acrobat 8 Professional with keygen not found.
File/Folder C:\DOCUME~1\HOMECO~1\My Documents\Downloads\Elcomsoft.Advanced.PDF.Password.Recovery.v5.0.Professional-DOA\ELSOFT.ADPDFPASSRECOV.5.0.PRO\Crack not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\HOMECO~1\LOCALS~1\Temp\GoogleQuickSearchBox.log scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\HOMECO~1\LOCALS~1\Temp\WCESLog.log scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Home Computer\Local Settings\Temporary Internet Files\Content.IE5\62DEAIDY\ads[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Home Computer\Local Settings\Temporary Internet Files\Content.IE5\62DEAIDY\de[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Home Computer\Local Settings\Temporary Internet Files\Content.IE5\62DEAIDY\iframe[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Home Computer\Local Settings\Temporary Internet Files\Content.IE5\5OPLYX0F\iframe[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Home Computer\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Home Computer\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04222009_150046

Files moved on Reboot...
C:\DOCUME~1\HOMECO~1\LOCALS~1\Temp\GoogleQuickSearchBox.log moved successfully.
C:\DOCUME~1\HOMECO~1\LOCALS~1\Temp\WCESLog.log moved successfully.
C:\Documents and Settings\Home Computer\Local Settings\Temporary Internet Files\Content.IE5\62DEAIDY\ads[1].htm moved successfully.
C:\Documents and Settings\Home Computer\Local Settings\Temporary Internet Files\Content.IE5\62DEAIDY\de[1].htm moved successfully.
C:\Documents and Settings\Home Computer\Local Settings\Temporary Internet Files\Content.IE5\62DEAIDY\iframe[1].htm moved successfully.
C:\Documents and Settings\Home Computer\Local Settings\Temporary Internet Files\Content.IE5\5OPLYX0F\iframe[1].htm moved successfully.
C:\Documents and Settings\Home Computer\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat moved successfully.

Combofix

ComboFix 09-04-23.02 - Home Computer 04/22/2009 15:28.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.678 [GMT -4:00]
Running from: c:\documents and settings\Home Computer\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: Sophos Anti-Virus *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ovfsthylfaqukpquspvbxbhweddqumisprysev.sys
c:\windows\system32\drivers\TDSSpaxt.sys
c:\windows\system32\ovfsthcdkbpippdptrekebsycwwweqmrsqxaqp.dat
c:\windows\system32\ovfsthheehsidytdplnpujldenopeimjoguoij.dll
c:\windows\system32\ovfsthlkensuchjhjlojynleqgxbtrqpguassd.dll
c:\windows\system32\ovfsthntkiqstcqipfdftujjoubkyfqnbexbaj.dat
c:\windows\system32\ovfsthpatgpbnfpbnmryogmecahnolbqqydrsg.dll
c:\windows\system32\TDSScfum.dll
c:\windows\system32\TDSSfxmp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSnrsr.dll
c:\windows\system32\TDSSofxh.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSrhym.log
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSSsbhc.dll
c:\windows\system32\TDSStkdv.log
c:\windows\system32\uniq.tll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthdjjpsmgfukpqestlgxrcmhpdgpecgpao
-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS

((((((((((((((((((((((((( Files Created from 2009-03-23 to 2009-04-23 )))))))))))))))))))))))))))))))
.

2009-04-22 18:43 . 2009-04-22 18:43 -------- d-----w C:\_OTMoveIt
2009-04-20 19:30 . 2009-04-22 15:53 -------- d-----w C:\Rooter$
2009-04-20 14:06 . 2009-04-20 14:53 -------- d-----w C:\Clean COmputer
2009-04-20 13:42 . 2009-04-20 13:42 1152 ----a-w c:\windows\system32\windrv.sys
2009-04-20 13:41 . 2009-04-20 13:42 -------- d-----w c:\documents and settings\Home Computer\Application Data\GetRightToGo
2009-04-17 20:35 . 2009-04-22 19:33 89448 ----a-w c:\windows\system32\drivers\8129abd8.sys
2009-04-16 07:06 . 2009-04-16 07:06 206 ----a-w c:\windows\system32\MRT.INI
2009-04-16 02:39 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 02:39 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 02:39 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 02:39 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 02:39 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 02:39 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 02:39 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 02:39 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 02:39 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 02:38 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 02:38 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 02:38 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-15 22:04 . 2009-04-15 22:04 155 ----a-w c:\windows\system32\SelfDel.bat
2009-04-15 21:49 . 2009-04-22 19:33 109010 ----a-w c:\windows\system32\drivers\f0ae222a.sys
2009-04-15 21:22 . 2009-04-15 21:22 0 ----a-w C:\LOGF02.tmp
2009-03-25 20:00 . 2009-03-25 20:00 -------- d-----w c:\documents and settings\Home Computer\Application Data\Canon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-22 19:26 . 2008-10-31 13:47 -------- d-----w c:\documents and settings\Home Computer\Application Data\DNA
2009-04-22 19:12 . 2009-04-20 13:42 -------- d-----w c:\program files\SpyNoMore
2009-04-22 19:04 . 2008-10-31 13:47 -------- d-----w c:\program files\DNA
2009-04-22 15:53 . 2009-04-20 19:32 4465 ----a-w C:\Rooter.txt
2009-04-22 14:48 . 2009-04-22 14:47 -------- d-----w c:\program files\HiJack This
2009-04-22 14:44 . 2009-04-22 14:20 -------- d-----w c:\program files\IE8
2009-04-22 14:16 . 2008-10-31 14:30 -------- d-----w c:\program files\Google
2009-04-22 12:59 . 2008-10-31 14:57 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-22 12:59 . 2008-12-10 15:09 -------- d-----w c:\program files\LogMeIn
2009-04-20 19:08 . 2009-04-20 19:08 -------- d-----w c:\program files\ERUNT
2009-04-16 07:12 . 2008-10-31 13:48 -------- d-----w c:\documents and settings\Home Computer\Application Data\BitTorrent
2009-04-16 07:02 . 2008-11-12 16:20 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-15 21:38 . 2008-11-05 14:59 -------- d-----w c:\program files\Quicken
2009-04-15 21:34 . 2009-04-15 21:34 -------- d-----w c:\program files\Common Files\AnswerWorks 5.0
2009-04-15 21:34 . 2008-09-09 13:44 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-15 21:22 . 2009-04-15 21:22 486 ----a-w C:\LOGF02.log
2009-03-18 20:21 . 2009-03-18 20:21 -------- d-----w c:\program files\Stentor
2009-03-09 13:06 . 2008-10-29 21:44 -------- d-----w c:\program files\Macromedia
2009-03-06 14:22 . 2004-08-12 13:26 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 23:36 . 2008-11-12 19:59 27858 ----a-w C:\ASLog.txt
2009-03-03 23:20 . 2009-03-03 23:17 170 ----a-w C:\ImageExport.log
2009-03-03 00:18 . 2004-08-12 13:33 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-12 13:19 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-12 13:21 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-12 13:27 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-12 13:25 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-12 13:17 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2004-08-12 13:33 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2004-08-12 13:28 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-12 13:25 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-12 13:27 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2004-08-12 13:28 56832 ----a-w c:\windows\system32\secur32.dll
2009-01-29 20:47 . 2009-01-29 20:47 486 ----a-w C:\LOG477.log
2009-01-29 20:47 . 2009-01-29 20:47 0 ----a-w C:\LOG477.tmp
2008-12-17 16:27 . 2008-12-17 16:15 1024 ----a-w c:\documents and settings\All Users\Application Data\sowdp88.dat
2008-11-12 20:46 . 2008-11-03 14:23 86032 ----a-w c:\documents and settings\Home Computer\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-15 342848]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-31 39408]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"wltray.exe"="c:\windows\system32\wltray.exe" [2005-06-08 778318]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-08-10 221184]
"DMXLauncher"="c:\program files\Roxio\Media Experience\DMXLauncher.exe" [2006-08-14 102400]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-07-31 1116920]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-15 1261336]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-02-09 413696]
"SNM"="c:\program files\SpyNoMore\SNM.exe" [2007-11-15 1212368]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-04-22 68592]

c:\documents and settings\Home Computer\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe [2008-11-3 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-10-27 113664]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 01:35 87352 ----a-w c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave2"= serwvdrv.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R4 LMIRfsClientNP;LMIRfsClientNP; [x]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2008-12-15 97928]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-15 231704]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2008-07-24 12856]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-07-24 47640]
S3 Belkin700F;Belkin Wireless G Desktop Card Service v7;c:\windows\system32\DRIVERS\BLKWGDv7.sys [2006-10-18 303616]

.
Contents of the 'Scheduled Tasks' folder

2009-04-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-31 03:03]
.
- - - - ORPHANS REMOVED - - - -

BHO-{d7bf4552-94f1-42bd-f434-3604812c856d} - (no file)

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-22 15:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\8129abd8]
"ImagePath"="\SystemRoot\System32\drivers\8129abd8.sys"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\f0ae222a]
"ImagePath"="\SystemRoot\System32\drivers\f0ae222a.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(868)
c:\windows\system32\LMIinit.dll
c:\windows\System32\BCMLogon.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2009-04-22 15:36
ComboFix-quarantined-files.txt 2009-04-22 19:35

Pre-Run: 12,723,552,256 bytes free
Post-Run: 12,713,988,096 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

209 --- E O F --- 2009-04-16 07:07

#4
Rorschach112

Posted 22 April 2009 - 03:33 PM

Ralphie

Retired Staff
47,710 posts

hello

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\drivers\8129abd8.sys
c:\windows\system32\SelfDel.bat
c:\windows\system32\drivers\f0ae222a.sys

Folder::

Registry::

Driver::
8129abd8
f0ae222a

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

#5
yeschiro

Posted 22 April 2009 - 04:05 PM

Member

Topic Starter
Member
58 posts

Combofix was detecting Sophos Anti-virus running but I did not install that on the computer and there is nothing in "Add/Remove Programs". I searched online, and I do not have any blue shield icon to disable it. I ran combofix anyway and the log is below.

ComboFix 09-04-23.02 - Home Computer 04/22/2009 17:45.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.435 [GMT -4:00]
Running from: c:\documents and settings\Home Computer\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Home Computer\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: Sophos Anti-Virus *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\drivers\8129abd8.sys
c:\windows\system32\drivers\f0ae222a.sys
c:\windows\system32\SelfDel.bat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\8129abd8.sys
c:\windows\system32\drivers\f0ae222a.sys
c:\windows\system32\SelfDel.bat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_8129abd8
-------\Service_f0ae222a

((((((((((((((((((((((((( Files Created from 2009-03-22 to 2009-04-22 )))))))))))))))))))))))))))))))
.

2009-04-22 18:43 . 2009-04-22 18:43 -------- d-----w C:\_OTMoveIt
2009-04-20 19:30 . 2009-04-22 15:53 -------- d-----w C:\Rooter$
2009-04-20 14:06 . 2009-04-20 14:53 -------- d-----w C:\Clean COmputer
2009-04-20 13:42 . 2009-04-20 13:42 1152 ----a-w c:\windows\system32\windrv.sys
2009-04-20 13:41 . 2009-04-20 13:42 -------- d-----w c:\documents and settings\Home Computer\Application Data\GetRightToGo
2009-04-16 07:06 . 2009-04-16 07:06 206 ----a-w c:\windows\system32\MRT.INI
2009-04-16 02:39 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 02:39 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 02:39 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 02:39 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 02:39 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 02:39 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 02:39 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 02:39 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 02:39 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 02:38 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 02:38 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 02:38 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-15 21:22 . 2009-04-15 21:22 0 ----a-w C:\LOGF02.tmp
2009-03-25 20:00 . 2009-03-25 20:00 -------- d-----w c:\documents and settings\Home Computer\Application Data\Canon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-22 21:54 . 2008-10-31 13:47 -------- d-----w c:\program files\DNA
2009-04-22 21:54 . 2008-10-31 13:47 -------- d-----w c:\documents and settings\Home Computer\Application Data\DNA
2009-04-22 19:42 . 2008-11-03 14:23 86032 ----a-w c:\documents and settings\Home Computer\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-22 19:12 . 2009-04-20 13:42 -------- d-----w c:\program files\SpyNoMore
2009-04-22 15:53 . 2009-04-20 19:32 4465 ----a-w C:\Rooter.txt
2009-04-22 14:48 . 2009-04-22 14:47 -------- d-----w c:\program files\HiJack This
2009-04-22 14:44 . 2009-04-22 14:20 -------- d-----w c:\program files\IE8
2009-04-22 14:16 . 2008-10-31 14:30 -------- d-----w c:\program files\Google
2009-04-22 12:59 . 2008-10-31 14:57 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-22 12:59 . 2008-12-10 15:09 -------- d-----w c:\program files\LogMeIn
2009-04-20 19:08 . 2009-04-20 19:08 -------- d-----w c:\program files\ERUNT
2009-04-16 07:12 . 2008-10-31 13:48 -------- d-----w c:\documents and settings\Home Computer\Application Data\BitTorrent
2009-04-16 07:02 . 2008-11-12 16:20 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-15 21:38 . 2008-11-05 14:59 -------- d-----w c:\program files\Quicken
2009-04-15 21:34 . 2009-04-15 21:34 -------- d-----w c:\program files\Common Files\AnswerWorks 5.0
2009-04-15 21:34 . 2008-09-09 13:44 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-15 21:22 . 2009-04-15 21:22 486 ----a-w C:\LOGF02.log
2009-03-18 20:21 . 2009-03-18 20:21 -------- d-----w c:\program files\Stentor
2009-03-09 13:06 . 2008-10-29 21:44 -------- d-----w c:\program files\Macromedia
2009-03-06 14:22 . 2004-08-12 13:26 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 23:36 . 2008-11-12 19:59 27858 ----a-w C:\ASLog.txt
2009-03-03 23:20 . 2009-03-03 23:17 170 ----a-w C:\ImageExport.log
2009-03-03 00:18 . 2004-08-12 13:33 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-12 13:19 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-12 13:21 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-12 13:27 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-12 13:25 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-12 13:17 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2004-08-12 13:33 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2004-08-12 13:28 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-12 13:25 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-12 13:27 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2004-08-12 13:28 56832 ----a-w c:\windows\system32\secur32.dll
2009-01-29 20:47 . 2009-01-29 20:47 486 ----a-w C:\LOG477.log
2009-01-29 20:47 . 2009-01-29 20:47 0 ----a-w C:\LOG477.tmp
2008-12-17 16:27 . 2008-12-17 16:15 1024 ----a-w c:\documents and settings\All Users\Application Data\sowdp88.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-22_19.33.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-12 13:26 . 2009-04-22 20:47 70184 c:\windows\system32\perfc009.dat
- 2004-08-12 13:26 . 2009-04-20 22:06 70184 c:\windows\system32\perfc009.dat
+ 2004-08-12 13:26 . 2009-04-22 20:48 424572 c:\windows\system32\perfh009.dat
- 2004-08-12 13:26 . 2009-04-20 22:06 424572 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-15 342848]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-31 39408]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"wltray.exe"="c:\windows\system32\wltray.exe" [2005-06-08 778318]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-08-10 221184]
"DMXLauncher"="c:\program files\Roxio\Media Experience\DMXLauncher.exe" [2006-08-14 102400]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-07-31 1116920]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-15 1261336]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-02-09 413696]
"SNM"="c:\program files\SpyNoMore\SNM.exe" [2007-11-15 1212368]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-04-22 68592]

c:\documents and settings\Home Computer\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe [2008-11-3 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-10-27 113664]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 01:35 87352 ----a-w c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave2"= serwvdrv.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
.
Contents of the 'Scheduled Tasks' folder

2009-04-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-31 03:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-22 17:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(852)
c:\windows\system32\LMIinit.dll
c:\windows\System32\BCMLogon.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(3624)
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\program files\Google\Quick Search Box\bin\1.1.1038.9122\qsb.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wltrysvc.exe
c:\windows\system32\bcmwltry.exe
c:\progra~1\AVG\AVG8\avgwdsvc.exe
c:\program files\LogMeIn\x86\ramaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\searchindexer.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\progra~1\MICROS~3\rapimgr.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2009-04-22 18:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-22 22:00
ComboFix2.txt 2009-04-22 19:36

Pre-Run: 12,443,922,432 bytes free
Post-Run: 12,379,693,056 bytes free

219 --- E O F --- 2009-04-16 07:07

#6
Rorschach112

Posted 23 April 2009 - 03:52 AM

Ralphie

Retired Staff
47,710 posts

hello

Make sure to use Internet Explorer for this
Please go to VirSCAN.org FREE on-line scan service
Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
- c:\windows\system32\windrv.sys
Click on the Upload button
If a pop-up appears saying the file has been scanned already, please select the ReScan button.
Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
Paste the contents of the Clipboard in your next reply.

#7
yeschiro

Posted 23 April 2009 - 07:51 AM

Member

Topic Starter
Member
58 posts

VirSCAN.org Scanned Report :
Scanned time : 2009/04/23 09:15:33 (EDT)
Scanner results: All Scanners reported not find malware!
File Name : windrv.sys
File Size : 1152 byte
File Type : MS-DOS executable
MD5 : 84b46026efcb6a7901090e735464acc0
SHA1 : 4ca4981f4d1c9e14d9adaa80931bc25f1a432a4e
Online report : http://virscan.org/r...e6f88b2cea.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.32 20090423163333 2009-04-23 4.98 -
AhnLab V3 2009.04.23.02 2009.04.23 2009-04-23 4.73 -
AntiVir 7.9.0.148 7.1.3.98 2009-04-23 1.99 -
Antiy 2.0.18 20090423.2316706 2009-04-23 0.12 -
Arcavir 2009 200904231200 2009-04-23 0.02 -
Authentium 5.1.1 200904221506 2009-04-22 1.15 -
AVAST! 3.0.1 090422-0 2009-04-22 0.00 -
AVG 7.5.52.442 270.12.3/2076 2009-04-23 2.34 -
BitDefender 7.81008.2849839 7.24964 2009-04-23 2.81 -
CA (VET) 9.0.0.143 31.6.6471 2009-04-23 13.84 -
ClamAV 0.95 9277 2009-04-23 0.00 -
Comodo 3.8 1127 2009-04-22 1.15 -
CP Secure 1.1.0.715 2009.04.23 2009-04-23 8.47 -
Dr.Web 4.44.0.9170 2009.04.23 2009-04-23 4.39 -
F-Prot 4.4.4.56 20090422 2009-04-22 1.11 -
F-Secure 5.51.6100 2009.04.23.04 2009-04-23 0.03 -
Fortinet 2.81-3.117 10.312 2009-04-23 0.77 -
GData 19.4821/19.307 20090423 2009-04-23 21.34 -
ViRobot 20090423 2009.04.23 2009-04-23 2.18 -
Ikarus T3.1.01.49 2009.04.23.72619 2009-04-23 2.75 -
JiangMin 11.0.706 2009.04.23 2009-04-23 7.27 -
Kaspersky 5.5.10 2009.04.23 2009-04-23 0.07 -
KingSoft 2009.2.5.15 2009.4.23.18 2009-04-23 7.87 -
McAfee 5.3.00 5593 2009-04-22 2.76 -
Microsoft 1.4602 2009.04.23 2009-04-23 5.87 -
mks_vir 2.01 2009.04.23 2009-04-23 2.72 -
Norman 6.00.06 6.00.00 2009-04-23 10.01 -
Panda 9.05.01 2009.04.22 2009-04-22 14.99 -
Trend Micro 8.700-1004 5.982.01 2009-04-22 0.02 -
Quick Heal 10.00 2009.04.23 2009-04-23 3.75 -
Rising 20.0 21.26.33.00 2009-04-23 0.92 -
Sophos 2.85.0 4.40 2009-04-23 2.27 -
Sunbelt 5107 5107 2009-04-22 12.57 -
Symantec 1.3.0.24 20090422.005 2009-04-22 0.26 -
nProtect 20090423.01 3491828 2009-04-23 40.13 -
The Hacker 6.3.4.0 v00312 2009-04-22 1.68 -
VBA32 3.12.10.2 20090422.1747 2009-04-22 1.82 -
VirusBuster 4.5.11.10 10.105.3/1294992 2009-04-22 0.00 -

#8
Rorschach112

Posted 23 April 2009 - 12:28 PM

Ralphie

Retired Staff
47,710 posts

hello

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Go to Kaspersky website and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
- Spyware, Adware, Dialers, and other potentially dangerous programs
  Archives
  Mail databases
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

#9
yeschiro

Posted 24 April 2009 - 07:07 AM

Member

Topic Starter
Member
58 posts

I have not noticed that Google is not redirecting anymore and I have not received the No Disk Exception in 24 hours. I will keep going until my cpu is clean. Thanks in advance for all your help!

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3

4/23/2009 3:19:12 PM
mbam-log-2009-04-23 (15-19-12).txt

Scan type: Quick Scan
Objects scanned: 57991
Time elapsed: 7 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

_________________

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, April 24, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, April 23, 2009 20:23:33
Records in database: 2073015
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Files scanned: 90965
Threat name: 3
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 03:12:21

File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_ovfsthylfaqukpquspvbxbhweddqumisprysev_.sys.zip Infected: Rootkit.Win32.Agent.iuh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthlkensuchjhjlojynleqgxbtrqpguassd.dll.vir Infected: Trojan-Spy.Win32.Agent.amen 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthpatgpbnfpbnmryogmecahnolbqqydrsg.dll.vir Infected: Trojan-Spy.Win32.Agent.amep 1

The selected area was scanned.

#10
Rorschach112

Posted 24 April 2009 - 07:10 AM

Ralphie

Retired Staff
47,710 posts

post a new HJT Log

#11
yeschiro

Posted 24 April 2009 - 07:36 AM

Member

Topic Starter
Member
58 posts

OTListIt logfile created on: 4/24/2009 9:23:38 AM - Run 5
OTListIt2 by OldTimer - Version 2.0.14.0 Folder = C:\Documents and Settings\Home Computer\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.98 Mb Total Physical Memory | 501.18 Mb Available Physical Memory | 48.99% Memory free
1.65 Gb Paging File | 0.73 Gb Available in Paging File | 44.43% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 38.25 Gb Total Space | 11.32 Gb Free Space | 29.60% Space Free | Partition Type: NTFS
Drive D: | 702.52 Mb Total Space | 631.53 Mb Free Space | 89.89% Space Free | Partition Type: UDF2.00
Drive E: | 702.52 Mb Total Space | 631.53 Mb Free Space | 89.89% Space Free | Partition Type: UDF2.00
Drive F: | 5.46 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive G: | 983.02 Mb Total Space | 487.02 Mb Free Space | 49.54% Space Free | Partition Type: FAT
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HOME-727E386993
Current User Name: Home Computer
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\WINDOWS\System32\wltrysvc.exe ()
PRC - C:\WINDOWS\System32\bcmwltry.exe (Belkin Corporation)
PRC - C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\LogMeIn\x86\RaMaint.exe (LogMeIn, Inc.)
PRC - C:\Program Files\LogMeIn\x86\LogMeIn.exe (LogMeIn, Inc.)
PRC - C:\Program Files\LogMeIn\x86\LMIGuardian.exe (LogMeIn, Inc.)
PRC - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
PRC - C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
PRC - C:\WINDOWS\system32\wltray.exe (Belkin Corporation)
PRC - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
PRC - C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)
PRC - C:\Program Files\Roxio\Media Experience\DMXLauncher.exe ()
PRC - C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe (Sonic Solutions)
PRC - C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
PRC - C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\LogMeIn\x86\LMIGuardian.exe (LogMeIn, Inc.)
PRC - C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe (Google Inc.)
PRC - C:\Program Files\DNA\btdna.exe (BitTorrent, Inc.)
PRC - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
PRC - C:\Program Files\Microsoft ActiveSync\wcescomm.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft ActiveSync\rapimgr.exe (Microsoft Corporation)
PRC - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe (Sonic Solutions)
PRC - C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe (Adobe Systems Incorporated)
PRC - C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE (Microsoft Corporation)
PRC - C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Java\jre6\bin\java.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\AVG\AVG8\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Documents and Settings\Home Computer\Local Settings\temp\jkos-Home Computer\binaries\ScanningProcess.exe (Kaspersky Lab.)
PRC - C:\Documents and Settings\Home Computer\Local Settings\temp\jkos-Home Computer\binaries\ScanningProcess.exe (Kaspersky Lab.)
PRC - C:\Documents and Settings\Home Computer\Desktop\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (avg8wd [Auto | Running]) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (FLEXnet Licensing Service [On_Demand | Running]) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (gusvc [Auto | Stopped]) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (Google)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (IDriverT [On_Demand | Stopped]) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (LMIMaint [Auto | Running]) -- C:\Program Files\LogMeIn\x86\RaMaint.exe (LogMeIn, Inc.)
SRV - (LogMeIn [Auto | Running]) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe (LogMeIn, Inc.)
SRV - (Macromedia Licensing Service [On_Demand | Stopped]) -- C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe (Macromedia)
SRV - (MDM [Auto | Running]) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
SRV - (Microsoft Office Groove Audit Service [On_Demand | Stopped]) -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe (Microsoft Corporation)
SRV - (odserv [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)
SRV - (ose [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (Roxio UPnP Renderer 9 [On_Demand | Stopped]) -- C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe (Sonic Solutions)
SRV - (Roxio Upnp Server 9 [Auto | Stopped]) -- C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe (Sonic Solutions)
SRV - (RoxLiveShare9 [Auto | Stopped]) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (Sonic Solutions)
SRV - (RoxMediaDB9 [On_Demand | Stopped]) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe (Sonic Solutions)
SRV - (RoxWatch9 [Auto | Stopped]) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe (Sonic Solutions)
SRV - (stllssvr [On_Demand | Stopped]) -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (MicroVision Development, Inc.)
SRV - (wltrysvc [Auto | Running]) -- C:\WINDOWS\System32\wltrysvc.exe ()
SRV - (WMPNetworkSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)
SRV - (JavaQuickStarterService [Auto | Running]) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)

========== Driver Services (SafeList) ==========

DRV - (AegisP [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\AegisP.sys (Meetinghouse Data Communications)
DRV - (ati2mtag [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ati2mtag.sys (ATI Technologies Inc.)
DRV - (atinrvxx [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\atinrvxx.sys (ATI Technologies Inc.)
DRV - (ATITUNEP [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\atintuxx.sys (ATI Technologies Inc.)
DRV - (ativraxx [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\atinraxx.sys (ATI Technologies Inc.)
DRV - (ATIXSAudio [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\atinxsxx.sys (ATI Technologies Inc.)
DRV - (AvgLdx86 [System | Running]) -- C:\WINDOWS\System32\Drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgMfx86 [System | Running]) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (BCM43XX [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\bcmwl5.sys (Broadcom Corporation)
DRV - (Belkin700F [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\BLKWGDv7.sys (Belkin Corporation. )
DRV - (DLABMFSM [Auto | Running]) -- C:\WINDOWS\System32\DLA\DLABMFSM.SYS (Sonic Solutions)
DRV - (DLABOIOM [Auto | Running]) -- C:\WINDOWS\System32\DLA\DLABOIOM.SYS (Sonic Solutions)
DRV - (DLACDBHM [System | Running]) -- C:\WINDOWS\System32\Drivers\DLACDBHM.SYS (Sonic Solutions)
DRV - (DLADResM [Auto | Running]) -- C:\WINDOWS\System32\DLA\DLADResM.SYS (Sonic Solutions)
DRV - (DLAIFS_M [Auto | Running]) -- C:\WINDOWS\System32\DLA\DLAIFS_M.SYS (Sonic Solutions)
DRV - (DLAOPIOM [Auto | Running]) -- C:\WINDOWS\System32\DLA\DLAOPIOM.SYS (Sonic Solutions)
DRV - (DLAPoolM [Auto | Running]) -- C:\WINDOWS\System32\DLA\DLAPoolM.SYS (Sonic Solutions)
DRV - (DLARTL_M [System | Running]) -- C:\WINDOWS\System32\Drivers\DLARTL_M.SYS (Sonic Solutions)
DRV - (DLAUDFAM [Auto | Running]) -- C:\WINDOWS\System32\DLA\DLAUDFAM.SYS (Sonic Solutions)
DRV - (DLAUDF_M [Auto | Running]) -- C:\WINDOWS\System32\DLA\DLAUDF_M.SYS (Sonic Solutions)
DRV - (drvmcdb [Boot | Running]) -- C:\WINDOWS\system32\drivers\drvmcdb.sys (Sonic Solutions)
DRV - (DRVNDDM [Auto | Running]) -- C:\WINDOWS\System32\Drivers\DRVNDDM.SYS (Sonic Solutions)
DRV - (E100B [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\e100b325.sys (Intel Corporation)
DRV - (HSFHWBS2 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys (Conexant Systems, Inc.)
DRV - (HSF_DP [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\HSF_DP.sys (Conexant Systems, Inc.)
DRV - (LMIInfo [Auto | Running]) -- C:\Program Files\LogMeIn\x86\RaInfo.sys (LogMeIn, Inc.)
DRV - (lmimirr [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\lmimirr.sys (LogMeIn, Inc.)
DRV - (LMIRfsClientNP [Disabled | Stopped]) -- C:\WINDOWS\System32\LMIRfsClientNP.dll (LogMeIn, Inc.)
DRV - (LMIRfsDriver [Auto | Running]) -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys (LogMeIn, Inc.)
DRV - (mdmxsdk [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys (Conexant)
DRV - (MODEMCSA [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys (Microsoft Corporation)
DRV - (MVDCODEC [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\atinmdxx.sys (ATI Technologies Inc.)
DRV - (P16X [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\P16X.sys (Creative Technology Ltd.)
DRV - (PCDCODEC [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\atinpdxx.sys (ATI Technologies Inc.)
DRV - (PfModNT [Auto | Running]) -- C:\WINDOWS\system32\drivers\PfModNT.sys (Creative Technology Ltd.)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (PxHelp20 [Boot | Running]) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)
DRV - (RT2500 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\RT2500.sys (Ralink Technology Inc.)
DRV - (RxFilter [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\RxFilter.sys (Sonic Solutions)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (senfilt [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\senfilt.sys (Creative Technology Ltd.)
DRV - (smwdm [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\smwdm.sys (Analog Devices, Inc.)
DRV - (usb_rndisx [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\usb8023x.sys (Microsoft Corporation)
DRV - (wceusbsh [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\wceusbsh.sys (Microsoft Corporation)
DRV - (winachsf [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys (Conexant Systems, Inc.)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\firefox\extensions\\[email protected]: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2009/04/23 16:09:59 | 00,000,000 | ---D | M]

O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Google Toolbar Helper) - {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" (Adobe Systems Inc.)
O4 - HKLM..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe" ()
O4 - HKLM..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun (Google Inc.)
O4 - HKLM..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" (Microsoft Corporation)
O4 - HKLM..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" (LogMeIn, Inc.)
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" (Sonic Solutions)
O4 - HKLM..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" (Sonic Solutions)
O4 - HKLM..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup File not found
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe (Belkin Corporation)
O4 - HKCU..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe" (BitTorrent, Inc.)
O4 - HKCU..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" (Microsoft Corporation)
O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (Microsoft Corporation)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk = C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Home Computer\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O4 - Startup: C:\Documents and Settings\Home Computer\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.appl...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.micr.../OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebo...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1221140212726 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://dl8-cdn-09.su...ows-i586-jc.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logme...trl.cab?lmi=100 (Performance Viewer Activex Control)
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - x-sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O20 - AppInit_DLLs: (avgrsstx.dll) - C:\WINDOWS\system32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - C:\WINDOWS\system32\LMIinit.dll (LogMeIn, Inc.)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - Autorun File - C:\AUTOEXEC.BAT () - [ NTFS ]
O32 - Autorun File - F:\autorun.inf () - [ CDFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[12 C:\*.tmp files]
[4 C:\WINDOWS\*.tmp files]
[2009/04/23 16:10:33 | 00,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2009/04/23 16:09:53 | 00,000,000 | ---D | C] -- C:\Program Files\Java
[2009/04/23 16:08:54 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Home Computer\Application Data\Sun
[2009/04/23 15:11:07 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/04/22 18:00:26 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/04/22 15:14:29 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/04/22 15:14:25 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/04/22 15:14:19 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/04/22 15:12:49 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/04/22 15:12:49 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/04/22 15:12:49 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/04/22 15:12:49 | 00,109,568 | ---- | C] () -- C:\WINDOWS\vFind.exe
[2009/04/22 15:12:49 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/04/22 15:12:49 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/04/22 15:12:49 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/04/22 15:12:49 | 00,029,696 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/04/22 15:09:52 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/04/22 14:43:30 | 00,000,000 | ---D | C] -- C:\_OTMoveIt
[2009/04/22 14:42:02 | 00,389,632 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Home Computer\Desktop\OTMoveIt3.exe
[2009/04/22 11:50:44 | 00,021,504 | ---- | C] (Doug Knox) -- C:\Documents and Settings\Home Computer\Desktop\SysRestorePoint.exe
[2009/04/22 11:50:13 | 00,063,208 | ---- | C] () -- C:\Documents and Settings\Home Computer\Desktop\bb457097.htm
[2009/04/22 10:47:45 | 00,000,000 | ---D | C] -- C:\Program Files\HiJack This
[2009/04/22 10:43:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Home Computer\Desktop\GooredFixBackups
[2009/04/22 10:20:42 | 00,000,000 | ---D | C] -- C:\Program Files\IE8
[2009/04/20 15:54:04 | 00,501,248 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Home Computer\Desktop\OTListIt2.exe
[2009/04/20 15:51:45 | 02,999,323 | R--- | C] () -- C:\Documents and Settings\Home Computer\Desktop\ComboFix.exe
[2009/04/20 15:30:53 | 00,000,000 | ---D | C] -- C:\Rooter$
[2009/04/20 15:30:36 | 00,267,612 | ---- | C] () -- C:\Documents and Settings\Home Computer\Desktop\Rooter.exe
[2009/04/20 15:08:39 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/04/20 15:08:24 | 00,000,767 | ---- | C] () -- C:\Documents and Settings\Home Computer\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2009/04/20 15:08:17 | 00,000,611 | ---- | C] () -- C:\Documents and Settings\Home Computer\Desktop\NTREGOPT.lnk
[2009/04/20 15:08:17 | 00,000,592 | ---- | C] () -- C:\Documents and Settings\Home Computer\Desktop\ERUNT.lnk
[2009/04/20 15:08:16 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/04/20 10:06:21 | 00,000,000 | ---D | C] -- C:\Clean COmputer
[2009/04/20 09:42:31 | 00,001,152 | ---- | C] () -- C:\WINDOWS\System32\windrv.sys
[2009/04/20 09:41:32 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Home Computer\Desktop\Downloads
[2009/04/20 09:41:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Home Computer\Application Data\GetRightToGo
[2009/04/16 03:06:06 | 00,000,206 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009/04/15 22:39:51 | 00,284,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pdh.dll
[2009/04/15 22:39:50 | 00,729,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll
[2009/04/15 22:39:50 | 00,473,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fastprox.dll
[2009/04/15 22:39:50 | 00,453,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvsd.dll
[2009/04/15 22:39:50 | 00,401,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rpcss.dll
[2009/04/15 22:39:50 | 00,227,840 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvse.exe
[2009/04/15 22:39:50 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\services.exe
[2009/04/15 22:39:49 | 00,714,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntdll.dll
[2009/04/15 22:39:49 | 00,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\advapi32.dll
[2009/04/15 22:38:12 | 01,203,922 | ---- | C] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009/04/15 22:38:12 | 00,215,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wordpad.exe
[2009/04/15 22:38:12 | 00,002,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsp4res.dll
[2009/04/15 17:34:55 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\AnswerWorks 5.0
[2009/04/15 17:34:45 | 00,001,565 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Quicken Home & Business 2009.lnk
[2009/04/01 15:08:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Home Computer\My Documents\Storage Card
[2009/03/25 16:00:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Home Computer\Application Data\Canon
[2008/12/17 12:39:08 | 00,000,040 | ---- | C] () -- C:\WINDOWS\winDecrypt.INI
[2008/12/17 12:14:48 | 00,000,048 | ---- | C] () -- C:\WINDOWS\System32\pdfutil.ini
[2008/11/12 16:36:42 | 00,056,056 | ---- | C] () -- C:\WINDOWS\System32\DLAAPI_W.DLL
[2008/11/12 16:36:41 | 00,000,267 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/11/12 10:02:58 | 00,270,336 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2008/11/05 11:00:14 | 00,000,165 | ---- | C] () -- C:\WINDOWS\Quicken.ini
[2008/10/31 12:12:22 | 00,176,235 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll
[2008/10/31 09:21:14 | 00,003,078 | ---- | C] () -- C:\WINDOWS\System32\bcmwlhom.ini
[2008/10/29 17:04:31 | 00,006,592 | ---- | C] () -- C:\WINDOWS\gwpreset.ini
[2008/10/29 17:04:31 | 00,000,423 | ---- | C] () -- C:\WINDOWS\goldwave.ini
[2008/10/27 16:12:04 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/09/09 11:49:39 | 00,094,208 | ---- | C] () -- C:\WINDOWS\System32\GTW32N50.dll
[2008/09/09 10:14:15 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2008/04/28 13:13:33 | 00,000,310 | ---- | C] () -- C:\WINDOWS\primopdf.ini
[2008/02/04 19:23:10 | 00,693,792 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2007/09/27 11:51:02 | 00,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 11:48:48 | 00,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 11:48:28 | 00,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2007/08/06 11:07:30 | 00,008,784 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll
[2006/08/16 14:47:38 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2006/08/09 05:19:50 | 00,520,192 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Roxio.dll
[2006/08/09 05:19:50 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\CddbFileTaggerRoxio.dll
[2006/08/09 02:00:00 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\besched.dll
[2006/07/11 15:29:00 | 00,028,672 | R--- | C] ( ) -- C:\WINDOWS\System32\DivXGraphBuilderCallback.dll
[2005/07/15 14:35:56 | 00,831,488 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2005/07/15 14:35:56 | 00,159,744 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2005/07/15 14:35:24 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2005/06/11 11:47:00 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\fpprintmon.dll
[2004/08/12 09:33:16 | 00,000,664 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/12 09:30:36 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2003/10/02 02:00:00 | 00,208,896 | ---- | C] () -- C:\WINDOWS\System32\lockout.dll
[2003/10/02 02:00:00 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\lockres.dll
[2002/05/10 00:25:00 | 00,039,936 | ---- | C] () -- C:\WINDOWS\System32\P16X.dll
[2002/04/10 19:41:00 | 00,065,536 | ---- | C] ( ) -- C:\WINDOWS\System32\A3d.dll
[1999/01/22 14:46:58 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
[1998/01/12 04:00:00 | 00,040,448 | ---- | C] () -- C:\WINDOWS\System32\REGOBJ.DLL

========== Files - Modified Within 30 Days ==========

[12 C:\*.tmp files]
[4 C:\WINDOWS\System32\*.tmp files]
[4 C:\WINDOWS\*.tmp files]
[2009/04/24 08:42:33 | 00,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2009/04/23 14:51:44 | 00,504,054 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/04/23 14:51:44 | 00,424,572 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/04/23 14:51:44 | 00,070,184 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/04/22 17:55:05 | 00,002,337 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
[2009/04/22 17:55:01 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/04/22 17:53:32 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/04/22 17:53:16 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/04/22 17:52:07 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/04/22 17:51:49 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/04/22 15:42:33 | 00,086,032 | ---- | M] () -- C:\Documents and Settings\Home Computer\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/04/22 15:27:24 | 00,316,360 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/04/22 15:14:29 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/04/22 15:10:41 | 02,999,323 | R--- | M] () -- C:\Documents and Settings\Home Computer\Desktop\ComboFix.exe
[2009/04/22 15:00:52 | 04,320,388 | -H-- | M] () -- C:\Documents and Settings\Home Computer\Local Settings\Application Data\IconCache.db
[2009/04/22 14:42:03 | 00,389,632 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Home Computer\Desktop\OTMoveIt3.exe
[2009/04/22 11:50:44 | 00,021,504 | ---- | M] (Doug Knox) -- C:\Documents and Settings\Home Computer\Desktop\SysRestorePoint.exe
[2009/04/22 11:50:14 | 00,063,208 | ---- | M] () -- C:\Documents and Settings\Home Computer\Desktop\bb457097.htm
[2009/04/21 09:58:08 | 00,109,568 | ---- | M] () -- C:\WINDOWS\vFind.exe
[2009/04/20 15:54:05 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Home Computer\Desktop\OTListIt2.exe
[2009/04/20 15:30:37 | 00,267,612 | ---- | M] () -- C:\Documents and Settings\Home Computer\Desktop\Rooter.exe
[2009/04/20 15:08:24 | 00,000,767 | ---- | M] () -- C:\Documents and Settings\Home Computer\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2009/04/20 15:08:17 | 00,000,611 | ---- | M] () -- C:\Documents and Settings\Home Computer\Desktop\NTREGOPT.lnk
[2009/04/20 15:08:17 | 00,000,592 | ---- | M] () -- C:\Documents and Settings\Home Computer\Desktop\ERUNT.lnk
[2009/04/20 09:42:31 | 00,001,152 | ---- | M] () -- C:\WINDOWS\System32\windrv.sys
[2009/04/16 17:09:06 | 00,100,885 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/04/16 17:09:05 | 35,181,591 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/04/16 17:09:05 | 00,401,372 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/04/16 03:06:53 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/04/16 03:06:06 | 00,000,206 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2009/04/15 17:38:43 | 00,000,165 | ---- | M] () -- C:\WINDOWS\Quicken.ini
[2009/04/15 17:34:45 | 00,001,565 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Quicken Home & Business 2009.lnk
[2009/04/06 10:57:24 | 24,921,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/03/31 15:44:49 | 00,000,664 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/03/27 02:58:38 | 01,203,922 | ---- | M] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb

========== Alternate Data Streams ==========

@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Home Computer\My Documents\calm_morning.mp3:Roxio EMC Stream
< End of report >

#12
Rorschach112

Posted 24 April 2009 - 08:01 AM

Ralphie

Retired Staff
47,710 posts

Your logs are clean

Follow these steps to uninstall Combofix and tools used in the removal of malware

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

Download OTCleanIt to your desktop and run it
Click Yes to beginning the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Below I have included a number of recommendations for how to protect your computer against malware infections.

Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.
SpywareBlaster protects against bad ActiveX, it immunizes your PC against them.
SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program ( eg : TeaTimer, Windows Defender ) or there will be a conflict.
Make Internet Explorer more secure
- Click Start > Run
- Type Inetcpl.cpl & click OK
- Click on the Security tab
- Click Reset all zones to default level
- Make sure the Internet Zone is selected & Click Custom level
- In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
- Next Click OK, then Apply button and then OK to exit the Internet Properties page.
ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.
Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

If you choose to use Firefox, I highly recommend these add-ons to keep your PC even more secure.
- NoScript - for blocking ads and other potential website attacks
- McAfee SiteAdvisor - this tells you whether the sites you are about to visit are safe or not. A must if you do a lot of Googling
Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated. Its important to keep programs up to date so that malware doesn't exploit any old security flaws.
Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.
Please read my guide on how to prevent malware and about safe computing here

Thank you for your patience, and performing all of the procedures requested.

#13
yeschiro

Posted 24 April 2009 - 08:17 AM

Member

Topic Starter
Member
58 posts

While I was unistalling Combofix, it detected that Sophos Antivirus is running. Is this not an abnormal program begause I never installied it and cannot find it in the Add/Remove Programs?