
Google redirect virus :( [Solved]

#1 keepitundercover
Member, 15 posts

Hi there, I have some nasty virus business going on.

I don't think I need to explain the symptoms, as I see you already have several topics on this problem. Here are my HijackThis, Malwarebytes, RootRepeal and OTL logs...

HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:35:19 PM, on 10/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Xerox\Scan_Utility\xrxzipui.exe
C:\WINDOWS\system32\xWD35bgnd.exe
C:\Program Files\Nuance\PaperPort\pptd40nt.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Nuance\OmniPageSE4\OpwareSE4.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Nuance\PaperPort\xdcla.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Panasonic\Panasonic-DMS\Port Controller\Mfpscdl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\ivy\Local Settings\Temporary Internet Files\Content.IE5\IW4N7IFC\stinger1001624[1].exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: DeskBandHelper Class - {9E0B5480-4FF0-4FEE-818B-D4DB0F220D64} - C:\Program Files\LexisNexis\PCLaw\plietool.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: PCLaw Web Timer - {0E1230F8-EA50-42A9-983C-D22ABC2EED4B} - C:\Program Files\LexisNexis\PCLaw\plietool.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [XeroxScanUtility] C:\Program Files\Xerox\Scan_Utility\xrxzipui.exe 1
O4 - HKLM\..\Run: [XeroxEndeavorBackgroundTask] C:\WINDOWS\system32\xWD35bgnd.exe 1
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\Nuance\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\Nuance\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\Nuance\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\Nuance\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Image Retriever.lnk = C:\Program Files\Nuance\PaperPort\xdcla.exe
O4 - Global Startup: Panasonic Communications Utility.lnk = C:\Program Files\Panasonic\Panasonic-DMS\Port Controller\Mfpscdl.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {91d9cee5-3906-40f7-b51a-9b013b59c826} - C:\Program Files\LexisNexis\PCLaw\plietool.dll
O9 - Extra 'Tools' menuitem: PCLaw Web Timer Help - {91d9cee5-3906-40f7-b51a-9b013b59c826} - C:\Program Files\LexisNexis\PCLaw\plietool.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {9d2169e0-0775-4080-9b4e-90fce9945b4a} - C:\Program Files\LexisNexis\PCLaw\plietool.dll
O9 - Extra 'Tools' menuitem: PCLaw Web Timer - {9d2169e0-0775-4080-9b4e-90fce9945b4a} - C:\Program Files\LexisNexis\PCLaw\plietool.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: PLUpdate - http://www.pclaw.com/PLUpdate.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - C:\DOCUME~1\MEERA~1.VAN\LOCALS~1\Temp\IXP000.TMP\InstallerControl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124...es/MsnPUpld.cab
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://secure.cdot....,2007,0223,0314
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} (Microsoft RDP Client Control (redist)) - https://secure.cdot....sion=5,2,3790,0
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://secure.cdot....,2007,0223,0312
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vancouverlaw
O17 - HKLM\Software\..\Telephony: DomainName = vancouverlaw
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vancouverlaw
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = vancouverlaw
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 11360 bytes
MBAM log:

Malwarebytes' Anti-Malware 1.41
Database version: 2971
Windows 5.1.2600 Service Pack 3

10/16/2009 6:44:26 PM
mbam-log-2009-10-16 (18-44-26).txt

Scan type: Full Scan (C:\|)
Objects scanned: 215149
Time elapsed: 46 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
RootRepeal log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/16 19:00
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: drvmcdb.sys
Image Path: drvmcdb.sys
Address: 0xF75FA000 Size: 85344 File Visible: No Signed: -
Status: -

Name: drvnddm.sys
Image Path: C:\WINDOWS\system32\drivers\drvnddm.sys
Address: 0xF78A9000 Size: 38240 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEE5CD000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7C9B000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal[1].sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal[1].sys
Address: 0xEDD25000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sscdbhk5.sys
Image Path: C:\WINDOWS\system32\drivers\sscdbhk5.sys
Address: 0xF7C77000 Size: 5568 File Visible: No Signed: -
Status: -

Name: ssrtln.sys
Image Path: C:\WINDOWS\system32\drivers\ssrtln.sys
Address: 0xF7B39000 Size: 23488 File Visible: No Signed: -
Status: -

Name: tfsnboio.sys
Image Path: C:\WINDOWS\system32\dla\tfsnboio.sys
Address: 0xF7A89000 Size: 25824 File Visible: No Signed: -
Status: -

Name: tfsncofs.sys
Image Path: C:\WINDOWS\system32\dla\tfsncofs.sys
Address: 0xF78F9000 Size: 34784 File Visible: No Signed: -
Status: -

Name: tfsndrct.sys
Image Path: C:\WINDOWS\system32\dla\tfsndrct.sys
Address: 0xF7D78000 Size: 4064 File Visible: No Signed: -
Status: -

Name: tfsndres.sys
Image Path: C:\WINDOWS\system32\dla\tfsndres.sys
Address: 0xF7D77000 Size: 2176 File Visible: No Signed: -
Status: -

Name: tfsnifs.sys
Image Path: C:\WINDOWS\system32\dla\tfsnifs.sys
Address: 0xEE477000 Size: 86528 File Visible: No Signed: -
Status: -

Name: tfsnopio.sys
Image Path: C:\WINDOWS\system32\dla\tfsnopio.sys
Address: 0xEE5AD000 Size: 15168 File Visible: No Signed: -
Status: -

Name: tfsnpool.sys
Image Path: C:\WINDOWS\system32\dla\tfsnpool.sys
Address: 0xF7CA1000 Size: 6304 File Visible: No Signed: -
Status: -

Name: tfsnudf.sys
Image Path: C:\WINDOWS\system32\dla\tfsnudf.sys
Address: 0xEE45E000 Size: 98656 File Visible: No Signed: -
Status: -

Name: tfsnudfa.sys
Image Path: C:\WINDOWS\system32\dla\tfsnudfa.sys
Address: 0xEE445000 Size: 100544 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x86c50890

==EOF==
OTL log:

OTL logfile created on: 10/16/2009 7:04:05 PM - Run 1
OTL by OldTimer - Version 3.0.21.0 Folder = C:\Documents and Settings\ivy\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.98 Mb Total Physical Memory | 443.20 Mb Available Physical Memory | 43.67% Memory free
2.38 Gb Paging File | 2.06 Gb Available in Paging File | 86.27% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.22 Gb Total Space | 39.24 Gb Free Space | 55.10% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 68.35 Gb Total Space | 0.93 Gb Free Space | 1.36% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive M: | 68.35 Gb Total Space | 0.93 Gb Free Space | 1.36% Space Free | Partition Type: NTFS
Drive O: | 68.35 Gb Total Space | 0.93 Gb Free Space | 1.36% Space Free | Partition Type: NTFS
Drive P: | 68.35 Gb Total Space | 0.93 Gb Free Space | 1.36% Space Free | Partition Type: NTFS
Drive R: | 68.35 Gb Total Space | 0.93 Gb Free Space | 1.36% Space Free | Partition Type: NTFS
Drive X: | 68.35 Gb Total Space | 0.93 Gb Free Space | 1.36% Space Free | Partition Type: NTFS
Drive Y: | 33.07 Gb Total Space | 22.06 Gb Free Space | 66.72% Space Free | Partition Type: NTFS
Drive Z: | 931.50 Gb Total Space | 704.58 Gb Free Space | 75.64% Space Free | Partition Type: NTFS

Computer Name: LAWYER03
Current User Name: ivy
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/10/16 18:14:26 | 00,521,216 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\ivy\Desktop\OTL.exe
PRC - [2008/04/14 14:05:48 | 00,430,080 | ---- | M] (Xerox Corporation) -- C:\Program Files\Xerox\Scan_Utility\xrxzipui.exe
PRC - [2008/04/14 13:59:54 | 00,080,896 | ---- | M] () -- C:\WINDOWS\System32\xWD35bgnd.exe
PRC - [2008/04/14 05:42:20 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2008/02/28 15:37:56 | 00,266,240 | ---- | M] (Nuance Communications, Inc.) -- C:\Program Files\Nuance\PaperPort\xdcla.exe
PRC - [2007/06/27 12:17:40 | 00,029,984 | ---- | M] (Nuance Communications, Inc.) -- C:\Program Files\Nuance\PaperPort\pptd40nt.exe
PRC - [2007/06/27 11:58:44 | 00,079,136 | ---- | M] (Nuance Communications, Inc.) -- C:\Program Files\Nuance\OmniPageSE4\OpwareSE4.exe
PRC - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe
PRC - [2006/05/12 15:04:08 | 00,439,248 | ---- | M] (RealVNC Ltd.) -- C:\Program Files\RealVNC\VNC4\WinVNC4.exe
PRC - [2006/05/09 21:49:08 | 00,176,128 | ---- | M] (Panasonic Communications Co., Ltd.) -- C:\Program Files\Panasonic\Panasonic-DMS\Port Controller\Mfpscdl.exe
PRC - [2005/09/20 10:36:20 | 00,114,688 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\igfxpers.exe
PRC - [2005/09/20 10:32:24 | 00,077,824 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\hkcmd.exe
PRC - [2005/04/17 13:30:48 | 00,085,184 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2005/04/17 13:30:40 | 01,706,176 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2005/04/17 13:30:32 | 00,019,648 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2005/04/08 16:54:52 | 00,161,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2005/04/08 16:52:32 | 00,185,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2005/04/08 16:52:30 | 00,048,752 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2004/10/14 12:42:54 | 01,404,928 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
PRC - [2004/03/18 10:33:26 | 00,892,928 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\iTouch\iTouch.exe
PRC - [2003/06/19 21:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
PRC - [2002/11/21 10:50:00 | 00,037,888 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\MouseWare\system\em_exec.exe

========== Win32 Services (SafeList) ==========

SRV - [2008/04/14 05:42:04 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2007/01/21 14:12:35 | 00,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service [On_Demand | Stopped])
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [Auto | Running])
SRV - [2006/05/12 15:04:08 | 00,439,248 | ---- | M] (RealVNC Ltd.) -- C:\Program Files\RealVNC\VNC4\WinVNC4.exe -- (WinVNC4 [Auto | Running])
SRV - [2005/04/17 13:30:42 | 00,124,608 | ---- | M] (symantec) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam [On_Demand | Stopped])
SRV - [2005/04/17 13:30:40 | 01,706,176 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus [Auto | Running])
SRV - [2005/04/17 13:30:32 | 00,019,648 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch [Auto | Running])
SRV - [2005/04/08 16:54:52 | 00,161,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr [Auto | Running])
SRV - [2005/04/08 16:54:50 | 00,083,568 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc [On_Demand | Stopped])
SRV - [2005/04/08 16:52:32 | 00,185,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr [Auto | Running])
SRV - [2005/04/05 12:17:22 | 00,206,552 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc [On_Demand | Stopped])
SRV - [2005/04/04 01:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2005/03/30 22:48:22 | 00,992,864 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc [On_Demand | Stopped])
SRV - [2004/07/14 23:49:26 | 00,032,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2003/12/17 11:59:48 | 00,143,360 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe -- (NetSvc [On_Demand | Stopped])
SRV - [2003/07/28 10:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2003/06/19 21:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM [Auto | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (DeskBandHelper Class) - {9E0B5480-4FF0-4FEE-818B-D4DB0F220D64} - C:\Program Files\LexisNexis\PCLaw\plietool.dll (LexisNexis®, a division of Reed Elsevier Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
O3 - HKLM\..\Toolbar: (PCLaw Web Timer) - {0E1230F8-EA50-42A9-983C-D22ABC2EED4B} - C:\Program Files\LexisNexis\PCLaw\plietool.dll (LexisNexis®, a division of Reed Elsevier Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [IndexSearch] C:\Program Files\Nuance\PaperPort\IndexSearch.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [Logitech Utility] C:\WINDOWS\Logi_MwX.Exe (Logitech Inc.)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [OpwareSE4] C:\Program Files\Nuance\OmniPageSE4\OpwareSE4.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [PaperPort PTD] C:\Program Files\Nuance\PaperPort\pptd40nt.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [PPort11reminder] C:\Program Files\Nuance\PaperPort\Ereg\Ereg.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKLM..\Run: [XeroxEndeavorBackgroundTask] C:\WINDOWS\System32\xWD35bgnd.exe ()
O4 - HKLM..\Run: [XeroxScanUtility] C:\Program Files\Xerox\Scan_Utility\xrxzipui.exe (Xerox Corporation)
O4 - HKLM..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe (Logitech Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Image Retriever.lnk = C:\Program Files\Nuance\PaperPort\xdcla.exe (Nuance Communications, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Panasonic Communications Utility.lnk = C:\Program Files\Panasonic\Panasonic-DMS\Port Controller\Mfpscdl.exe (Panasonic Communications Co., Ltd.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableProfileQuota = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll (Sun Microsystems, Inc.)
O9 - Extra 'Tools' menuitem : PCLaw Web Timer Help - {91d9cee5-3906-40f7-b51a-9b013b59c826} - C:\Program Files\LexisNexis\PCLaw\plietool.dll (LexisNexis®, a division of Reed Elsevier Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : PCLaw Web Timer - {9d2169e0-0775-4080-9b4e-90fce9945b4a} - C:\Program Files\LexisNexis\PCLaw\plietool.dll (LexisNexis®, a division of Reed Elsevier Inc.)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://go.microsoft....k/?linkid=58813 (Office Genuine Advantage Validation Tool)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.micros...ntent/opuc2.cab (Office Update Installation Engine)
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} C:\DOCUME~1\MEERA~1.VAN\LOCALS~1\Temp\IXP000.TMP\InstallerControl.cab (F5 Networks Auto Update)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://by124w.bay124...es/MsnPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} https://secure.cdot....,2007,0223,0314 (F5 Networks SSLTunnel)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} http://a840.g.akamai...all/xscan53.cab (HouseCall Control)
O16 - DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} https://secure.cdot....sion=5,2,3790,0 (Microsoft RDP Client Control (redist))
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.micros...ntent/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2_03)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} https://secure.cdot....,2007,0223,0312 (F5 Networks Host Control)
O16 - DPF: PLUpdate http://www.pclaw.com/PLUpdate.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.10
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vancouverlaw
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\System32\NavLogon.dll (Symantec Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 15:15:00 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

NetSvcs: 6to4 - Service key not found. File not found
NetSvcs: Ias - Service key not found. File not found
NetSvcs: Iprip - Service key not found. File not found
NetSvcs: Irmon - Service key not found. File not found
NetSvcs: NWCWorkstation - Service key not found. File not found
NetSvcs: Nwsapagent - Service key not found. File not found
NetSvcs: WmdmPmSp - Service key not found. File not found
NetSvcs: helpsvc - C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)

========== Files/Folders - Created Within 14 Days ==========

[1 C:\*.tmp files]
[2009/10/16 11:59:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/10/16 11:59:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\ivy\Application Data\Malwarebytes
[2009/10/16 17:58:38 | 00,000,000 | ---D | C] -- C:\Documents and Settings\ivy\Application Data\Real
[2009/10/16 11:59:03 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/10/16 17:34:34 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/10/16 18:14:20 | 00,521,216 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\ivy\Desktop\OTL.exe
[2009/10/16 17:51:47 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/10/16 17:25:35 | 00,000,000 | ---D | C] -- C:\HiJackThis
[2009/10/16 16:40:09 | 00,000,000 | ---D | C] -- C:\_OTM
[2009/10/16 11:59:05 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/10/16 11:59:03 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

========== Files - Modified Within 14 Days ==========

[1 C:\*.tmp files]
[1 C:\WINDOWS\System32\*.tmp files]
[1 C:\WINDOWS\*.tmp files]
[2009/10/16 18:14:26 | 00,521,216 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\ivy\Desktop\OTL.exe
[2009/10/16 18:05:50 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2009/10/16 18:03:42 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\ivy\Desktop\settings.dat
[2009/10/16 17:34:35 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\ivy\Desktop\HijackThis.lnk
[2009/10/16 16:57:52 | 00,000,031 | ---- | M] () -- C:\dev.ini
[2009/10/16 16:56:41 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/10/16 16:56:36 | 00,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2009/10/16 16:56:35 | 10,643,57888 | -HS- | M] () -- C:\hiberfil.sys
[2009/10/16 16:55:58 | 04,768,656 | -H-- | M] () -- C:\Documents and Settings\ivy\Local Settings\Application Data\IconCache.db
[2009/10/16 12:13:11 | 00,019,562 | ---- | M] () -- C:\Program Files\Common Files\esihoder.ban
[2009/10/16 12:13:11 | 00,019,475 | ---- | M] () -- C:\Documents and Settings\ivy\Local Settings\Application Data\urecalod.dll
[2009/10/16 12:13:11 | 00,018,861 | ---- | M] () -- C:\Documents and Settings\ivy\Application Data\olohep.lib
[2009/10/16 12:13:11 | 00,017,603 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\tydoheqe.pif
[2009/10/16 12:13:11 | 00,015,016 | ---- | M] () -- C:\WINDOWS\jevav._dl
[2009/10/16 12:13:11 | 00,015,006 | ---- | M] () -- C:\WINDOWS\xyge.vbs
[2009/10/16 12:13:11 | 00,013,985 | ---- | M] () -- C:\WINDOWS\ryko.bat
[2009/10/16 12:13:11 | 00,013,739 | ---- | M] () -- C:\Program Files\Common Files\bafuhywubi.sys
[2009/10/16 12:13:11 | 00,013,380 | ---- | M] () -- C:\Program Files\Common Files\ivyzivoli.lib
[2009/10/16 12:13:11 | 00,013,115 | ---- | M] () -- C:\Documents and Settings\ivy\Application Data\mytiki.bin
[2009/10/16 12:13:11 | 00,012,153 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\ihuvur.com
[2009/10/16 12:13:11 | 00,011,769 | ---- | M] () -- C:\WINDOWS\kuzuset.bin
[2009/10/16 12:13:11 | 00,011,323 | ---- | M] () -- C:\WINDOWS\zihic.dat
[2009/10/16 12:13:11 | 00,011,134 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\ezuvave.exe
[2009/10/16 12:13:11 | 00,010,272 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\ikorowy.dll
[2009/10/16 12:13:10 | 00,019,275 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\ymoram.com
[2009/10/16 12:13:10 | 00,018,762 | ---- | M] () -- C:\Documents and Settings\ivy\Application Data\fajy.pif
[2009/10/16 12:13:10 | 00,015,169 | ---- | M] () -- C:\Documents and Settings\ivy\Application Data\ysyx._sy
[2009/10/16 12:13:10 | 00,013,720 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\useboh._sy
[2009/10/16 12:13:10 | 00,012,924 | ---- | M] () -- C:\Program Files\Common Files\zuboz.lib
[2009/10/16 12:13:10 | 00,010,365 | ---- | M] () -- C:\Documents and Settings\ivy\Local Settings\Application Data\adegugisew.reg
[2009/10/16 12:13:10 | 00,010,243 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\mynolohoh.inf
[2009/10/16 11:59:08 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/10/15 18:29:03 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/10/09 12:27:36 | 00,161,344 | ---- | M] () -- C:\Documents and Settings\ivy\My Documents\enf03-appC-eng.pdf

========== Files - No Company Name ==========
[2009/10/16 18:03:42 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\ivy\Desktop\settings.dat
[2009/10/16 17:34:35 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\ivy\Desktop\HijackThis.lnk
[2009/10/16 16:56:35 | 10,643,57888 | -HS- | C] () -- C:\hiberfil.sys
[2009/10/16 12:13:11 | 00,019,562 | ---- | C] () -- C:\Program Files\Common Files\esihoder.ban
[2009/10/16 12:13:11 | 00,019,475 | ---- | C] () -- C:\Documents and Settings\ivy\Local Settings\Application Data\urecalod.dll
[2009/10/16 12:13:11 | 00,018,861 | ---- | C] () -- C:\Documents and Settings\ivy\Application Data\olohep.lib
[2009/10/16 12:13:11 | 00,017,603 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\tydoheqe.pif
[2009/10/16 12:13:11 | 00,015,016 | ---- | C] () -- C:\WINDOWS\jevav._dl
[2009/10/16 12:13:11 | 00,015,006 | ---- | C] () -- C:\WINDOWS\xyge.vbs
[2009/10/16 12:13:11 | 00,013,985 | ---- | C] () -- C:\WINDOWS\ryko.bat
[2009/10/16 12:13:11 | 00,013,739 | ---- | C] () -- C:\Program Files\Common Files\bafuhywubi.sys
[2009/10/16 12:13:11 | 00,013,380 | ---- | C] () -- C:\Program Files\Common Files\ivyzivoli.lib
[2009/10/16 12:13:11 | 00,013,115 | ---- | C] () -- C:\Documents and Settings\ivy\Application Data\mytiki.bin
[2009/10/16 12:13:11 | 00,012,153 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\ihuvur.com
[2009/10/16 12:13:11 | 00,011,769 | ---- | C] () -- C:\WINDOWS\kuzuset.bin
[2009/10/16 12:13:11 | 00,011,323 | ---- | C] () -- C:\WINDOWS\zihic.dat
[2009/10/16 12:13:11 | 00,011,134 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\ezuvave.exe
[2009/10/16 12:13:11 | 00,010,272 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\ikorowy.dll
[2009/10/16 12:13:10 | 00,019,275 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ymoram.com
[2009/10/16 12:13:10 | 00,018,762 | ---- | C] () -- C:\Documents and Settings\ivy\Application Data\fajy.pif
[2009/10/16 12:13:10 | 00,015,169 | ---- | C] () -- C:\Documents and Settings\ivy\Application Data\ysyx._sy
[2009/10/16 12:13:10 | 00,013,720 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\useboh._sy
[2009/10/16 12:13:10 | 00,012,924 | ---- | C] () -- C:\Program Files\Common Files\zuboz.lib
[2009/10/16 12:13:10 | 00,010,365 | ---- | C] () -- C:\Documents and Settings\ivy\Local Settings\Application Data\adegugisew.reg
[2009/10/16 12:13:10 | 00,010,243 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\mynolohoh.inf
[2009/10/16 11:59:08 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/10/09 12:27:36 | 00,161,344 | ---- | C] () -- C:\Documents and Settings\ivy\My Documents\enf03-appC-eng.pdf
[2009/09/15 15:51:55 | 00,026,160 | ---- | C] () -- C:\Documents and Settings\ivy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/09/14 12:06:23 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\ivy\Application Data\DESKTOP.INI
[2009/09/14 12:06:18 | 04,768,656 | -H-- | C] () -- C:\Documents and Settings\ivy\Local Settings\Application Data\IconCache.db
[2009/02/04 14:30:37 | 00,031,948 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2009/02/04 14:27:29 | 00,909,312 | ---- | C] () -- C:\WINDOWS\System32\xrx_xml2.dll
[2009/02/04 14:27:28 | 00,831,488 | ---- | C] () -- C:\WINDOWS\System32\xlibeay.dll
[2009/02/04 14:27:28 | 00,364,544 | ---- | C] () -- C:\WINDOWS\System32\xipinterp.dll
[2009/02/04 14:27:28 | 00,274,432 | ---- | C] () -- C:\WINDOWS\System32\xiputil.dll
[2009/02/04 14:27:28 | 00,180,224 | ---- | C] () -- C:\WINDOWS\System32\xipsup.dll
[2009/02/04 14:27:28 | 00,155,648 | ---- | C] () -- C:\WINDOWS\System32\xi.dll
[2009/02/04 14:27:28 | 00,151,552 | ---- | C] () -- C:\WINDOWS\System32\xesup.dll
[2009/02/04 14:27:28 | 00,025,088 | ---- | C] () -- C:\WINDOWS\System32\xipxml.dll
[2009/02/04 14:27:27 | 03,051,520 | ---- | C] () -- C:\WINDOWS\System32\xeng.dll
[2009/02/04 14:27:26 | 01,310,720 | ---- | C] () -- C:\WINDOWS\System32\xeext.dll
[2009/02/04 14:27:24 | 00,167,936 | ---- | C] () -- C:\WINDOWS\System32\lcms.dll
[2009/02/04 14:27:23 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\documentio.dll
[2009/02/04 14:27:23 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\diotifffx.dll
[2007/03/05 14:34:28 | 00,676,224 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2006/12/08 04:02:52 | 00,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2006/11/29 20:36:46 | 00,000,000 | ---- | C] () -- C:\WINDOWS\tstcln32.INI
[2005/12/01 23:13:59 | 00,000,823 | ---- | C] () -- C:\WINDOWS\tsc.ini
[2005/12/01 23:13:58 | 00,071,749 | ---- | C] () -- C:\WINDOWS\hcextoutput.dll
[2005/12/01 23:13:07 | 00,000,170 | ---- | C] () -- C:\WINDOWS\GetServer.ini
[2005/11/07 16:30:18 | 00,001,397 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2005/11/01 17:36:39 | 00,000,691 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
[2005/08/26 15:14:26 | 00,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2005/05/24 15:22:13 | 00,000,125 | ---- | C] () -- C:\WINDOWS\PLREMOTE.INI
[2005/05/16 18:48:40 | 00,000,206 | ---- | C] () -- C:\WINDOWS\hpbafd.ini
[2005/05/16 17:57:38 | 00,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2005/04/27 12:24:21 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/04/27 12:16:48 | 00,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/04/27 12:11:49 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/04/27 11:43:46 | 00,000,370 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/01/28 06:08:34 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/11 15:25:56 | 00,000,884 | ---- | C] () -- C:\WINDOWS\ORUN32.INI
[2004/08/11 15:15:00 | 00,000,752 | ---- | C] () -- C:\WINDOWS\WIN.INI
[2004/08/11 15:07:24 | 00,000,227 | ---- | C] () -- C:\WINDOWS\SYSTEM.INI
[2004/08/11 15:07:12 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\DESKTOP.INI
[2003/01/07 13:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/11/01 17:17:50 | 00,000,256 | ---- | C] () -- C:\WINDOWS\aucfg.ini
[2002/07/04 16:05:34 | 00,000,269 | ---- | C] () -- C:\WINDOWS\tmupdate.ini
[2001/12/14 14:34:46 | 00,164,864 | ---- | C] () -- C:\WINDOWS\patchw32.dll
[1999/07/23 14:46:48 | 00,000,116 | ---- | C] () -- C:\WINDOWS\AuHCcup1.ini
[1999/07/23 11:53:20 | 00,129,536 | ---- | C] () -- C:\WINDOWS\AuHCcup1.dll
[1979/12/31 22:00:00 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll

========== LOP Check ==========

[2009/10/16 12:13:10 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data
[2009/03/10 16:47:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FLEXnet
[2005/04/27 11:41:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBSI
[2009/02/04 14:32:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
[2007/10/09 12:57:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/02/04 14:28:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Xerox
[2009/10/16 17:58:38 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\ivy\Application Data
[2009/09/14 12:16:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\ivy\Application Data\Xerox
[2005/04/27 12:10:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\ivy\Application Data\You've Got Pictures Screensaver
[2009/09/02 06:20:00 | 00,000,284 | ---- | M] () -- C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
[2004/08/04 03:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\DESKTOP.INI
[2009/10/16 16:56:41 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >

< %systemroot%\system32\eventlog.dll >
[2008/04/14 05:41:54 | 00,056,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\eventlog.dll
[1 C:\WINDOWS\system32\*.tmp files]

< %systemroot%\system32\scecli.dll >
[2008/04/14 05:42:06 | 00,181,248 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\scecli.dll
[1 C:\WINDOWS\system32\*.tmp files]

< %systemroot%\netlogon.dll >

< %systemroot%\system32\cngaudit.dll >

< %systemroot%\system32\sceclt.dll >

< %systemroot%\ntelogon.dll >

< %systemroot%\system32\logevent.dll >
< End of report >



Extras log:

OTL Extras logfile created on: 10/16/2009 7:04:06 PM - Run 1
OTL by OldTimer - Version 3.0.21.0 Folder = C:\Documents and Settings\ivy\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.98 Mb Total Physical Memory | 443.20 Mb Available Physical Memory | 43.67% Memory free
2.38 Gb Paging File | 2.06 Gb Available in Paging File | 86.27% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.22 Gb Total Space | 39.24 Gb Free Space | 55.10% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 68.35 Gb Total Space | 0.93 Gb Free Space | 1.36% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive M: | 68.35 Gb Total Space | 0.93 Gb Free Space | 1.36% Space Free | Partition Type: NTFS
Drive O: | 68.35 Gb Total Space | 0.93 Gb Free Space | 1.36% Space Free | Partition Type: NTFS
Drive P: | 68.35 Gb Total Space | 0.93 Gb Free Space | 1.36% Space Free | Partition Type: NTFS
Drive R: | 68.35 Gb Total Space | 0.93 Gb Free Space | 1.36% Space Free | Partition Type: NTFS
Drive X: | 68.35 Gb Total Space | 0.93 Gb Free Space | 1.36% Space Free | Partition Type: NTFS
Drive Y: | 33.07 Gb Total Space | 22.06 Gb Free Space | 66.72% Space Free | Partition Type: NTFS
Drive Z: | 931.50 Gb Total Space | 704.58 Gb Free Space | 75.64% Space Free | Partition Type: NTFS

Computer Name: LAWYER03
Current User Name: ivy
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
chm.file [open] -- "C:\WINDOWS\hh.exe" %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Panasonic\Panasonic-DMS\Port Controller\Mfpscdl.exe" = C:\Program Files\Panasonic\Panasonic-DMS\Port Controller\Mfpscdl.exe:*:Enabled:Panasonic Communications Utility -- (Panasonic Communications Co., Ltd.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- File not found
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{036AA4D4-6D32-11D4-9875-00105ACE7734}" = Logitech iTouch Software
"{0E0BFA25-9DC6-4539-9A56-B159AD6E9C0C}" = PCLaw MSXML V4 SP2 Redistributable
"{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7}" = Intel® PROSet for Wired Connections
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{332CC6BF-E6C7-48EE-BA3D-435E576AD67F}" = PaperPort Image Printer
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{5809E7CF-4DCF-11D4-9875-00105ACE7734}" = Logitech MouseWare 9.75
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{5A633ED0-E5D7-4D65-AB8D-53ED43510284}" = Symantec AntiVirus
"{695603EE-5D13-4406-A034-B1346652CC4D}" = Windows Firewall Setting Tool
"{6E179C77-7335-458D-9537-4F4EAC0181ED}" = Photo Click
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{78C496B9-5A6B-4692-8C2E-AFFFC34E4961}" = Jasc Paint Shop Pro Studio, Dell Editon
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90AF0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office PowerPoint Viewer 2003
"{91130409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Basic Edition 2003
"{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}" = Apple Software Update
"{AC0EE5B0-A8FB-4D0A-AF03-2EDC518F841B}" = Dell Media Experience
"{AC76BA86-1033-0000-BA7E-000000000003}" = Adobe Acrobat 8 Standard
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{BB846332-E67D-46FD-912E-69B11CD16041}" = Image Retriever 7
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{DEA90EEC-CA16-4092-9604-25B2ACC5273B}" = Communications Utility
"{E7598D8B-4795-44D3-A77E-90582106E6A8}" = ScanSoft OmniPage SE 4
"{F85A759A-DDA5-45C5-97BC-464F15D0DB2A}" = ScanSoft PaperPort 11
"ActiveTouchMeetingClient" = WebEx
"Adobe Acrobat 8 Standard" = Adobe Acrobat 8.1.2 Standard
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"DellSupport" = Dell Support 5.0.0 (630)
"HijackThis" = HijackThis 2.0.2
"ie8" = Windows Internet Explorer 8
"InstallShield_{695603EE-5D13-4406-A034-B1346652CC4D}" = Panasonic Windows Firewall Setting Tool
"InstallShield_{DEA90EEC-CA16-4092-9604-25B2ACC5273B}" = Panasonic Communications Utility
"LiveUpdate" = LiveUpdate 2.6 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"PCLaw" = LexisNexis PCLaw
"PCLaw Quick Tour and Lessons" = PCLaw Quick Tour and Lessons
"PROSet" = Intel® PRO Network Adapters and Drivers
"RealVNC_is1" = VNC Free Edition 4.1.2
"ViewpointMediaPlayer" = Viewpoint Media Player
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"WorkgroupShareClient" = WorkgroupShare Client
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Xerox_Scan_Utility" = Xerox Scan Driver

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/16/2009 3:01:43 PM | Computer Name = LAWYER03 | Source = Symantec AntiVirus | ID = 16711726
Description = Security Risk Found!Threat: Packed.Generic.255 in File: C:\DOCUME~1\ivy\LOCALS~1\TEMPOR~1\Content.IE5\HOKV4JM3\UNAOOF~1.HTM
by: Auto-Protect scan. Action: Delete succeeded. Action Description: The file
was deleted successfully.

Error - 10/16/2009 3:01:43 PM | Computer Name = LAWYER03 | Source = Symantec AntiVirus | ID = 16711685
Description = Threat Found!Threat: Packed.Generic.255 in File: C:\Documents and
Settings\ivy\Local Settings\Temporary Internet Files\Content.IE5\HOKV4JM3\unaooftg[1].htm
by: Auto-Protect scan. Action: Delete succeeded : Access denied. Action Description:
The file was deleted successfully.

Error - 10/16/2009 3:01:44 PM | Computer Name = LAWYER03 | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Threat: Packed.Generic.255 in File: C:\DOCUME~1\ivy\LOCALS~1\TEMPOR~1\Content.IE5\HOKV4JM3\UNAOOF~1.HTM
by: Auto-Protect scan. Action: Delete succeeded : Access denied. Action Description:
The file was deleted successfully.

Error - 10/16/2009 3:01:59 PM | Computer Name = LAWYER03 | Source = Symantec AntiVirus | ID = 16711726
Description = Security Risk Found!Threat: Packed.Generic.255 in File: C:\iytcqy.exe
by: Auto-Protect scan. Action: Delete succeeded. Action Description: The file
was deleted successfully.

Error - 10/16/2009 3:01:59 PM | Computer Name = LAWYER03 | Source = Symantec AntiVirus | ID = 16711685
Description = Threat Found!Threat: Packed.Generic.255 in File: C:\iytcqy.exe by:
Auto-Protect scan. Action: Delete succeeded : Access denied. Action Description:
The file was deleted successfully.

Error - 10/16/2009 3:02:00 PM | Computer Name = LAWYER03 | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Threat: Packed.Generic.255 in File: C:\iytcqy.exe
by: Auto-Protect scan. Action: Delete succeeded : Access denied. Action Description:
The file was deleted successfully.

Error - 10/16/2009 3:02:17 PM | Computer Name = LAWYER03 | Source = Symantec AntiVirus | ID = 16711726
Description = Security Risk Found!Threat: Trojan.Malscript!html in File: C:\WINDOWS\system32\CRITIC~1.HTM
by: Auto-Protect scan. Action: Delete succeeded. Action Description: The file
was deleted successfully.

Error - 10/16/2009 3:02:17 PM | Computer Name = LAWYER03 | Source = Symantec AntiVirus | ID = 16711685
Description = Threat Found!Threat: Trojan.Malscript!html in File: C:\WINDOWS\SYSTEM32\critical_warning.html
by: Auto-Protect scan. Action: Delete succeeded : Access denied. Action Description:
The file was deleted successfully.

Error - 10/16/2009 3:02:18 PM | Computer Name = LAWYER03 | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Threat: Trojan.Malscript!html in File: C:\WINDOWS\system32\CRITIC~1.HTM
by: Auto-Protect scan. Action: Delete succeeded : Access denied. Action Description:
The file was deleted successfully.

Error - 10/16/2009 3:11:56 PM | Computer Name = LAWYER03 | Source = Symantec AntiVirus | ID = 16711685
Description = Threat Found!Threat: Trojan.Malscript!html in File: C:\WINDOWS\SYSTEM32\critical_warning.html
by: Auto-Protect scan. Action: Delete succeeded : Access denied. Action Description:
The file was deleted successfully.

[ System Events ]
Error - 9/2/2009 9:20:00 AM | Computer Name = LAWYER03 | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\Program Files\Apple Software
Update\Plugins\EXEInstallPlugin.dll.Manifest. Reference error message: The operation
completed successfully. .

Error - 9/2/2009 9:20:00 AM | Computer Name = LAWYER03 | Source = SideBySide | ID = 16842813
Description = Syntax error in manifest or policy file "C:\Program Files\Apple Software
Update\Plugins\MSIInstallPlugin.dll.Manifest" on line 2. The required attribute
version is missing from element assemblyIdentity.

Error - 9/2/2009 9:20:00 AM | Computer Name = LAWYER03 | Source = SideBySide | ID = 16842810
Description = Syntax error in manifest or policy file "C:\Program Files\Apple Software
Update\Plugins\MSIInstallPlugin.dll.Manifest" on line 2.

Error - 9/2/2009 9:20:00 AM | Computer Name = LAWYER03 | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\Program Files\Apple Software
Update\Plugins\MSIInstallPlugin.dll.Manifest. Reference error message: The operation
completed successfully. .

Error - 10/16/2009 3:31:34 PM | Computer Name = LAWYER03 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 10/16/2009 3:32:48 PM | Computer Name = LAWYER03 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
eeCtrl Fips intelppm SAVRT SAVRTPEL SYMTDI

Error - 10/16/2009 3:39:48 PM | Computer Name = LAWYER03 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 10/16/2009 7:54:51 PM | Computer Name = LAWYER03 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 10/16/2009 7:54:52 PM | Computer Name = LAWYER03 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 10/16/2009 7:55:59 PM | Computer Name = LAWYER03 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}


< End of report >


Thanks in advance!

Edited by keepitundercover, 16 October 2009 - 08:05 PM.

  • 0
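The Symantec Auto-Protect entries in the OTL "Last 10 Event Log Errors" block above carry two signals a responder wants at a glance: an action that reads "Delete succeeded : Access denied" (the cleanup was blocked even though the text says the file was deleted), and the same file being reported again minutes later (something is recreating it, which is the persistence the later ComboFix and Malwarebytes steps in this thread go after). The triage script below is an added example, not part of the original post or of OTL itself: it rejoins OTL's wrapped Description lines, extracts threat, path and action, and groups detections per file. The sample lines are copied from the log above; the 60-second re-detection window is an assumption chosen for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: Symantec and DCOM entries copied from the OTL
# "Last 10 Event Log Errors" block above, wrapped the way OTL wraps them.
SAMPLE_LOG = r"""
[ Application Events ]
Error - 10/16/2009 3:01:59 PM | Computer Name = LAWYER03 | Source = Symantec AntiVirus | ID = 16711726
Description = Security Risk Found!Threat: Packed.Generic.255 in File: C:\iytcqy.exe
by: Auto-Protect scan. Action: Delete succeeded. Action Description: The file
was deleted successfully.

Error - 10/16/2009 3:01:59 PM | Computer Name = LAWYER03 | Source = Symantec AntiVirus | ID = 16711685
Description = Threat Found!Threat: Packed.Generic.255 in File: C:\iytcqy.exe by:
Auto-Protect scan. Action: Delete succeeded : Access denied. Action Description:
The file was deleted successfully.

Error - 10/16/2009 3:02:17 PM | Computer Name = LAWYER03 | Source = Symantec AntiVirus | ID = 16711685
Description = Threat Found!Threat: Trojan.Malscript!html in File: C:\WINDOWS\SYSTEM32\critical_warning.html
by: Auto-Protect scan. Action: Delete succeeded : Access denied. Action Description:
The file was deleted successfully.

Error - 10/16/2009 3:11:56 PM | Computer Name = LAWYER03 | Source = Symantec AntiVirus | ID = 16711685
Description = Threat Found!Threat: Trojan.Malscript!html in File: C:\WINDOWS\SYSTEM32\critical_warning.html
by: Auto-Protect scan. Action: Delete succeeded : Access denied. Action Description:
The file was deleted successfully.

[ System Events ]
Error - 10/16/2009 3:31:34 PM | Computer Name = LAWYER03 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
""".strip()

# One OTL record = a header line followed by wrapped Description lines.
HEADER_RE = re.compile(
    r"^Error - (?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) \| Computer Name = (?P<host>.+?)"
    r" \| Source = (?P<source>.+?) \| ID = (?P<id>\d+)$"
)
# Symantec Auto-Protect description layout as it appears in the log above.
THREAT_RE = re.compile(
    r"Threat: (?P<threat>\S+) in File: (?P<path>.+?) by: (?P<scan>.+?)\."
    r" Action: (?P<action>.+?)\. Action Description:"
)
REDETECT_WINDOW_SECONDS = 60  # assumption: a repeat after this long is "re-detected"


def parse_events(text):
    """Split the block into records, rejoin wrapped lines, parse what we can."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        # Drop section markers such as "[ Application Events ]".
        lines = [ln for ln in lines if not (ln.startswith("[") and ln.endswith("]"))]
        if not lines:
            continue
        m = HEADER_RE.match(lines[0])
        if not m:
            continue
        desc = " ".join(lines[1:])
        if desc.startswith("Description = "):
            desc = desc[len("Description = "):]
        ev = {
            "ts": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
            "host": m["host"], "source": m["source"], "id": int(m["id"]),
            "description": desc,
        }
        t = THREAT_RE.search(desc)
        if t:
            ev.update(threat=t["threat"], path=t["path"], scan=t["scan"],
                      action=t["action"],
                      access_denied="Access denied" in t["action"])
        events.append(ev)
    return events


def triage(text):
    """Group AV detections by file; return (per-file findings, non-AV errors)."""
    by_path = defaultdict(list)
    other = []
    for ev in parse_events(text):
        if "path" in ev:
            by_path[ev["path"].lower()].append(ev)
        else:
            other.append(ev)
    findings = {}
    for path, evs in by_path.items():
        evs.sort(key=lambda e: e["ts"])
        span = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        findings[path] = {
            "threat": evs[0]["threat"],
            "detections": len(evs),
            # "Delete succeeded : Access denied" means the removal was blocked.
            "cleanup_blocked": any(e["access_denied"] for e in evs),
            # Same file reported again later: something is recreating it.
            "redetected": span >= REDETECT_WINDOW_SECONDS,
        }
    return findings, other


if __name__ == "__main__":
    findings, other = triage(SAMPLE_LOG)
    for path, f in findings.items():
        print(f"{path}: {f}")
    print(f"{len(other)} non-AV error(s), e.g. source {other[0]['source']}")
```

Run as a script it prints one line per file; the file that is flagged both `cleanup_blocked` and `redetected` is the one to chase through the persistence points (Run keys, services, scheduled tasks) rather than to keep deleting.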



#2
chamber

    Face Burnin' Malware Fighter

  • Visiting Consultant
  • 2,712 posts
Hi,

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link HERE.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

  • 0

#3
keepitundercover

    Member

  • Member
  • PipPip
  • 15 posts
I didn't realize Symantec Antivirus was running until after I started up Combofix. I think I managed to disable it before the scan... please let me know if I messed up. :) Thank you!

Combofix log:

ComboFix 09-10-20.03 - ivy 10/21/2009 10:03.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.542 [GMT -7:00]
Running from: c:\documents and settings\ivy\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\mynolohoh.inf
c:\documents and settings\All Users\Application Data\ymoram.com
c:\documents and settings\All Users\Documents\ezuvave.exe
c:\documents and settings\All Users\Documents\ihuvur.com
c:\documents and settings\All Users\Documents\ikorowy.dll
c:\documents and settings\All Users\Documents\tydoheqe.pif
c:\documents and settings\All Users\Documents\useboh._sy
c:\documents and settings\ivy\Application Data\fajy.pif
c:\documents and settings\ivy\Application Data\mytiki.bin
c:\documents and settings\ivy\Application Data\olohep.lib
c:\documents and settings\ivy\Application Data\ysyx._sy
c:\documents and settings\ivy\Cookies\ugoj.bat
c:\documents and settings\ivy\Cookies\yzekamofyg.inf
c:\documents and settings\ivy\Local Settings\Application Data\adegugisew.reg
c:\documents and settings\ivy\Local Settings\Application Data\urecalod.dll
c:\program files\Common Files\bafuhywubi.sys
c:\program files\Common Files\esihoder.ban
c:\windows\Installer\2de4e6.msi
c:\windows\Installer\WinRMSrv.msi
c:\windows\jevav._dl
c:\windows\kuzuset.bin
c:\windows\patch.exe
c:\windows\ryko.bat
c:\windows\system32\wbem\proquota.exe
c:\windows\xyge.vbs

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((( Files Created from 2009-09-21 to 2009-10-21 )))))))))))))))))))))))))))))))
.

2009-10-21 17:15 . 2008-04-14 12:42 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-21 17:15 . 2008-04-14 12:42 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-10-17 00:34 . 2009-10-17 00:34 -------- d-----w- c:\program files\Trend Micro
2009-10-17 00:25 . 2009-10-17 00:25 -------- d-----w- C:\HiJackThis
2009-10-16 23:40 . 2009-10-16 23:40 -------- d-----w- C:\_OTM
2009-10-16 19:15 . 2009-10-16 19:15 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-16 19:13 . 2009-10-16 19:13 11323 ----a-w- c:\windows\zihic.dat
2009-10-16 18:59 . 2009-10-16 18:59 -------- d-----w- c:\documents and settings\ivy\Application Data\Malwarebytes
2009-10-16 18:59 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-16 18:59 . 2009-10-16 18:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-16 18:59 . 2009-10-16 18:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-16 18:59 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-21 16:57 . 2006-12-08 10:56 -------- d-----w- c:\program files\Symantec AntiVirus
2009-10-17 00:58 . 2005-04-27 19:10 -------- d-----w- c:\program files\Common Files\Real
2009-10-17 00:49 . 2005-04-27 19:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-17 00:48 . 2005-08-26 22:12 -------- d-----w- c:\program files\Canon
2009-10-17 00:46 . 2005-04-27 19:12 -------- d-----w- c:\program files\MUSICMATCH
2009-10-16 19:13 . 2009-10-16 19:13 13380 ----a-w- c:\program files\Common Files\ivyzivoli.lib
2009-10-16 19:13 . 2009-10-16 19:13 12924 ----a-w- c:\program files\Common Files\zuboz.lib
2009-09-15 22:51 . 2009-09-15 22:51 26160 ----a-w- c:\documents and settings\ivy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-14 19:16 . 2009-09-14 19:16 -------- d-----w- c:\documents and settings\ivy\Application Data\Xerox
2009-09-11 14:18 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-04 10:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-04 10:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-07 02:24 . 2004-08-04 10:00 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 02:24 . 2004-08-04 10:00 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 02:24 . 2005-05-26 11:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 02:24 . 2005-05-17 00:18 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 02:24 . 2004-08-04 10:00 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-07 02:24 . 2004-08-04 10:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 02:23 . 2004-08-04 10:00 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 02:23 . 2004-08-04 10:00 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 03:44 . 2004-08-04 10:00 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 10:00 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"XeroxScanUtility"="c:\program files\Xerox\Scan_Utility\xrxzipui.exe" [2008-04-14 430080]
"XeroxEndeavorBackgroundTask"="c:\windows\system32\xWD35bgnd.exe" [2008-04-14 80896]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\Nuance\PaperPort\pptd40nt.exe" [2007-06-27 29984]
"IndexSearch"="c:\program files\Nuance\PaperPort\IndexSearch.exe" [2007-06-27 46368]
"PPort11reminder"="c:\program files\Nuance\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"OpwareSE4"="c:\program files\Nuance\OmniPageSE4\OpwareSE4.exe" [2007-06-27 79136]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2002-11-08 19968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Image Retriever.lnk - c:\program files\Nuance\PaperPort\xdcla.exe [2008-2-28 266240]
Panasonic Communications Utility.lnk - c:\program files\Panasonic\Panasonic-DMS\Port Controller\Mfpscdl.exe [2006-5-9 176128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-252397729-1500270725-3555249311-1118\Scripts\Logon\0\0]
"Script"=LogonScript.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-252397729-1500270725-3555249311-1166\Scripts\Logon\0\0]
"Script"=LogonScript.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 1:30 PM 124608]

--- Other Services/Drivers In Memory ---

*Deregistered* - EraserUtilDrvI9
.
Contents of the 'Scheduled Tasks' folder

2009-09-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-11 01:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{91d9cee5-3906-40f7-b51a-9b013b59c826} - {836ece4e-a83a-404a-9433-6b15a66cb0fc} - c:\program files\LexisNexis\PCLaw\plietool.dll
IE: {{9d2169e0-0775-4080-9b4e-90fce9945b4a} - {2741ca04-5b65-4b10-afc0-4e8387fe6bde} - c:\program files\LexisNexis\PCLaw\plietool.dll
DPF: PLUpdate - hxxp://www.pclaw.com/PLUpdate.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-21 10:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(716)
c:\windows\system32\WININET.dll
.
Completion time: 2009-10-21 10:22
ComboFix-quarantined-files.txt 2009-10-21 17:22

Pre-Run: 42,013,974,528 bytes free
Post-Run: 43,822,030,848 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 2E4E3F424E5AFA1707BB48AAF6B0AA26
  • 0
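The "Reg Loading Points" section of the ComboFix log above dumps autostart and policy settings in REGEDIT4 style, and three of them deserve a second look regardless of how the infection is resolved: Security Center monitoring is disabled (`DisableMonitoring=dword:00000001`), the Windows Firewall standard profile has `EnableFirewall= 0`, and `3389:TCP` (Remote Desktop) sits in `GloballyOpenPorts`. The parser and audit below are an added example, not part of the original post or of ComboFix: they read that section's `[key]` / `"name"=value` layout, normalise the `dword:` and `0 (0x0)` value forms ComboFix emits, and report those settings. The sample block is copied from the log above; the port-name lookup table is constructed for this example.

```python
import re

# Constructed sample: registry lines copied from the ComboFix
# "Reg Loading Points" section above (the "~" abbreviation is ComboFix's own).
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
""".strip()

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
DWORD_RE = re.compile(r"^dword:(?P<hex>[0-9a-fA-F]{8})$")      # REGEDIT4 form
INT_RE = re.compile(r"^(?P<dec>\d+)\s*\(0x[0-9a-fA-F]+\)$")     # ComboFix "0 (0x0)" form

# Constructed lookup for the audit report; extend as needed.
WELL_KNOWN_PORTS = {"3389:TCP": "Remote Desktop (RDP)"}


def _coerce(raw):
    """Turn the two numeric spellings into ints; leave paths and text alone."""
    raw = raw.strip()
    m = DWORD_RE.match(raw)
    if m:
        return int(m["hex"], 16)
    m = INT_RE.match(raw)
    if m:
        return int(m["dec"])
    return raw


def parse_reg_points(text):
    """Return {lower-cased key: {value name: value}} for a REGEDIT4-style dump."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        km = KEY_RE.match(line)
        if km:
            current = km["key"].lower()
            keys.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            keys[current][vm["name"]] = _coerce(vm["value"])
    return keys


def audit(keys):
    """Flag settings that weaken the host's own defences, as (kind, detail) pairs."""
    findings = []
    for key, values in keys.items():
        # Top-level Monitoring key: Security Center stops tracking AV/firewall state.
        if key.endswith("security center\\monitoring") and values.get("DisableMonitoring") == 1:
            findings.append(("security-center-monitoring-disabled", key))
        # Standard profile with EnableFirewall=0: Windows Firewall is off.
        if key.endswith("firewallpolicy\\standardprofile") and values.get("EnableFirewall") == 0:
            findings.append(("windows-firewall-disabled", key))
        # Anything listed here is reachable from any address the host can see.
        if key.endswith("globallyopenports\\list"):
            for port in values:
                label = f"{port} {WELL_KNOWN_PORTS.get(port, '')}".strip()
                findings.append(("port-open-to-all", label))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(parse_reg_points(SAMPLE_REG)):
        print(f"{kind}: {detail}")
```

The per-product `Monitoring\SymantecAntiVirus` subkey is deliberately not flagged: that is where an installed product registers itself with Security Center, whereas the top-level key turning monitoring off is the setting worth confirming with the owner once the cleanup is done, together with re-enabling the firewall and closing 3389 if remote desktop is not needed.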

#4
chamber

    Face Burnin' Malware Fighter

  • Visiting Consultant
  • 2,712 posts
You didn't do anything wrong, Norton can be awkward.

1) TFC

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

2) Malwarebytes Anti Malware

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

3) OTL

Run a quick scan with OTL again and post the log back

In your reply I would like to see copied and pasted,

1) Malwarebytes log
2) Fresh OTL log

  • 0

#5
keepitundercover

    Member

  • Member
  • PipPip
  • 15 posts
Malwarebytes log:

Malwarebytes' Anti-Malware 1.41
Database version: 3013
Windows 5.1.2600 Service Pack 3

10/22/2009 1:57:16 PM
mbam-log-2009-10-22 (13-57-16).txt

Scan type: Quick Scan
Objects scanned: 151541
Time elapsed: 4 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\lizkavd (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


OTL log:

OTL logfile created on: 10/22/2009 1:58:20 PM - Run 2
OTL by OldTimer - Version 3.0.21.0 Folder = C:\Documents and Settings\ivy\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.98 Mb Total Physical Memory | 411.35 Mb Available Physical Memory | 40.53% Memory free
2.38 Gb Paging File | 1.95 Gb Available in Paging File | 81.66% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.22 Gb Total Space | 42.34 Gb Free Space | 59.45% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 68.35 Gb Total Space | 0.84 Gb Free Space | 1.23% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive M: | 68.35 Gb Total Space | 0.84 Gb Free Space | 1.23% Space Free | Partition Type: NTFS
Drive O: | 68.35 Gb Total Space | 0.84 Gb Free Space | 1.23% Space Free | Partition Type: NTFS
Drive P: | 68.35 Gb Total Space | 0.84 Gb Free Space | 1.23% Space Free | Partition Type: NTFS
Drive R: | 68.35 Gb Total Space | 0.84 Gb Free Space | 1.23% Space Free | Partition Type: NTFS
Drive X: | 68.35 Gb Total Space | 0.84 Gb Free Space | 1.23% Space Free | Partition Type: NTFS
Drive Y: | 33.07 Gb Total Space | 22.04 Gb Free Space | 66.65% Space Free | Partition Type: NTFS
Drive Z: | 931.50 Gb Total Space | 700.55 Gb Free Space | 75.21% Space Free | Partition Type: NTFS

Computer Name: LAWYER03
Current User Name: ivy
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/10/16 18:14:26 | 00,521,216 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\ivy\Desktop\OTL.exe
PRC - [2009/09/10 14:53:56 | 01,312,080 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
PRC - [2009/03/08 14:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2008/04/14 14:05:48 | 00,430,080 | ---- | M] (Xerox Corporation) -- C:\Program Files\Xerox\Scan_Utility\xrxzipui.exe
PRC - [2008/04/14 13:59:54 | 00,080,896 | ---- | M] () -- C:\WINDOWS\System32\xWD35bgnd.exe
PRC - [2008/04/14 05:42:20 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2008/02/28 15:37:56 | 00,266,240 | ---- | M] (Nuance Communications, Inc.) -- C:\Program Files\Nuance\PaperPort\xdcla.exe
PRC - [2007/06/27 12:17:40 | 00,029,984 | ---- | M] (Nuance Communications, Inc.) -- C:\Program Files\Nuance\PaperPort\pptd40nt.exe
PRC - [2007/06/27 11:58:44 | 00,079,136 | ---- | M] (Nuance Communications, Inc.) -- C:\Program Files\Nuance\OmniPageSE4\OpwareSE4.exe
PRC - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe
PRC - [2006/05/12 15:04:08 | 00,439,248 | ---- | M] (RealVNC Ltd.) -- C:\Program Files\RealVNC\VNC4\WinVNC4.exe
PRC - [2006/05/09 21:49:08 | 00,176,128 | ---- | M] (Panasonic Communications Co., Ltd.) -- C:\Program Files\Panasonic\Panasonic-DMS\Port Controller\Mfpscdl.exe
PRC - [2005/09/20 10:36:20 | 00,114,688 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\igfxpers.exe
PRC - [2005/09/20 10:32:24 | 00,077,824 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\hkcmd.exe
PRC - [2005/04/17 13:30:48 | 00,085,184 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2005/04/17 13:30:40 | 01,706,176 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2005/04/17 13:30:32 | 00,019,648 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2005/04/08 16:54:52 | 00,161,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2005/04/08 16:52:32 | 00,185,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2005/04/08 16:52:30 | 00,048,752 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2004/10/14 12:42:54 | 01,404,928 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
PRC - [2004/03/18 10:33:26 | 00,892,928 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\iTouch\iTouch.exe
PRC - [2003/06/19 21:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
PRC - [2002/11/21 10:50:00 | 00,037,888 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\MouseWare\system\em_exec.exe

========== Win32 Services (SafeList) ==========

SRV - [2008/04/14 05:42:04 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2007/01/21 14:12:35 | 00,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service [On_Demand | Stopped])
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [Auto | Running])
SRV - [2006/05/12 15:04:08 | 00,439,248 | ---- | M] (RealVNC Ltd.) -- C:\Program Files\RealVNC\VNC4\WinVNC4.exe -- (WinVNC4 [Auto | Running])
SRV - [2005/04/17 13:30:42 | 00,124,608 | ---- | M] (symantec) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam [On_Demand | Stopped])
SRV - [2005/04/17 13:30:40 | 01,706,176 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus [Auto | Running])
SRV - [2005/04/17 13:30:32 | 00,019,648 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch [Auto | Running])
SRV - [2005/04/08 16:54:52 | 00,161,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr [Auto | Running])
SRV - [2005/04/08 16:54:50 | 00,083,568 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc [On_Demand | Stopped])
SRV - [2005/04/08 16:52:32 | 00,185,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr [Auto | Running])
SRV - [2005/04/05 12:17:22 | 00,206,552 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc [On_Demand | Stopped])
SRV - [2005/04/04 01:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2005/03/30 22:48:22 | 00,992,864 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc [On_Demand | Stopped])
SRV - [2004/07/14 23:49:26 | 00,032,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2003/12/17 11:59:48 | 00,143,360 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe -- (NetSvc [On_Demand | Stopped])
SRV - [2003/07/28 10:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2003/06/19 21:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM [Auto | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (DeskBandHelper Class) - {9E0B5480-4FF0-4FEE-818B-D4DB0F220D64} - C:\Program Files\LexisNexis\PCLaw\plietool.dll (LexisNexis®, a division of Reed Elsevier Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
O3 - HKLM\..\Toolbar: (PCLaw Web Timer) - {0E1230F8-EA50-42A9-983C-D22ABC2EED4B} - C:\Program Files\LexisNexis\PCLaw\plietool.dll (LexisNexis®, a division of Reed Elsevier Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [IndexSearch] C:\Program Files\Nuance\PaperPort\IndexSearch.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [Logitech Utility] C:\WINDOWS\Logi_MwX.Exe (Logitech Inc.)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [OpwareSE4] C:\Program Files\Nuance\OmniPageSE4\OpwareSE4.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [PaperPort PTD] C:\Program Files\Nuance\PaperPort\pptd40nt.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [PPort11reminder] C:\Program Files\Nuance\PaperPort\Ereg\Ereg.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKLM..\Run: [XeroxEndeavorBackgroundTask] C:\WINDOWS\System32\xWD35bgnd.exe ()
O4 - HKLM..\Run: [XeroxScanUtility] C:\Program Files\Xerox\Scan_Utility\xrxzipui.exe (Xerox Corporation)
O4 - HKLM..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe (Logitech Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Image Retriever.lnk = C:\Program Files\Nuance\PaperPort\xdcla.exe (Nuance Communications, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Panasonic Communications Utility.lnk = C:\Program Files\Panasonic\Panasonic-DMS\Port Controller\Mfpscdl.exe (Panasonic Communications Co., Ltd.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll (Sun Microsystems, Inc.)
O9 - Extra 'Tools' menuitem : PCLaw Web Timer Help - {91d9cee5-3906-40f7-b51a-9b013b59c826} - C:\Program Files\LexisNexis\PCLaw\plietool.dll (LexisNexis®, a division of Reed Elsevier Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : PCLaw Web Timer - {9d2169e0-0775-4080-9b4e-90fce9945b4a} - C:\Program Files\LexisNexis\PCLaw\plietool.dll (LexisNexis®, a division of Reed Elsevier Inc.)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://go.microsoft....k/?linkid=58813 (Office Genuine Advantage Validation Tool)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.micros...ntent/opuc2.cab (Office Update Installation Engine)
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} C:\DOCUME~1\MEERA~1.VAN\LOCALS~1\Temp\IXP000.TMP\InstallerControl.cab (F5 Networks Auto Update)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://by124w.bay124...es/MsnPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} https://secure.cdot....,2007,0223,0314 (F5 Networks SSLTunnel)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} http://a840.g.akamai...all/xscan53.cab (HouseCall Control)
O16 - DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} https://secure.cdot....sion=5,2,3790,0 (Microsoft RDP Client Control (redist))
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.micros...ntent/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2_03)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} https://secure.cdot....,2007,0223,0312 (F5 Networks Host Control)
O16 - DPF: PLUpdate http://www.pclaw.com/PLUpdate.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.10
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vancouverlaw
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\System32\NavLogon.dll (Symantec Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 15:15:00 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

========== Files/Folders - Created Within 14 Days ==========

[2009/10/16 11:59:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/10/16 11:59:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\ivy\Application Data\Malwarebytes
[2009/10/16 17:58:38 | 00,000,000 | ---D | C] -- C:\Documents and Settings\ivy\Application Data\Real
[2009/10/21 10:36:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\ivy\Local Settings\Application Data\Softalk
[2009/10/16 11:59:03 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/10/16 17:34:34 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/10/22 12:56:27 | 00,271,872 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\ivy\Desktop\TFC.exe
[2009/10/21 10:22:33 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/10/21 10:01:06 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/10/21 09:58:22 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/10/21 09:58:22 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/10/21 09:58:21 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/10/21 09:58:21 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/10/21 09:57:58 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/10/21 09:55:00 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/10/16 18:14:20 | 00,521,216 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\ivy\Desktop\OTL.exe
[2009/10/16 17:51:47 | 00,000,000 | ---D | C] -- C:\Config.Msi
[2009/10/16 17:25:35 | 00,000,000 | ---D | C] -- C:\HiJackThis
[2009/10/16 16:40:09 | 00,000,000 | ---D | C] -- C:\_OTM
[2009/10/16 11:59:05 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/10/16 11:59:03 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

========== Files - Modified Within 14 Days ==========

[2009/10/22 13:01:56 | 00,000,031 | ---- | M] () -- C:\dev.ini
[2009/10/22 13:01:23 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2009/10/22 13:00:52 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/10/22 13:00:48 | 00,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2009/10/22 13:00:46 | 10,643,57888 | -HS- | M] () -- C:\hiberfil.sys
[2009/10/22 12:57:10 | 00,271,872 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\ivy\Desktop\TFC.exe
[2009/10/21 11:40:03 | 05,894,418 | -H-- | M] () -- C:\Documents and Settings\ivy\Local Settings\Application Data\IconCache.db
[2009/10/21 10:17:52 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/10/21 10:01:14 | 00,000,281 | RHS- | M] () -- C:\BOOT.INI
[2009/10/21 09:54:43 | 03,351,153 | R--- | M] () -- C:\Documents and Settings\ivy\Desktop\ComboFix.exe
[2009/10/16 18:14:26 | 00,521,216 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\ivy\Desktop\OTL.exe
[2009/10/16 18:03:42 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\ivy\Desktop\settings.dat
[2009/10/16 17:34:35 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\ivy\Desktop\HijackThis.lnk
[2009/10/16 12:13:11 | 00,013,380 | ---- | M] () -- C:\Program Files\Common Files\ivyzivoli.lib
[2009/10/16 12:13:11 | 00,011,323 | ---- | M] () -- C:\WINDOWS\zihic.dat
[2009/10/16 12:13:10 | 00,012,924 | ---- | M] () -- C:\Program Files\Common Files\zuboz.lib
[2009/10/16 11:59:08 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/10/15 18:29:03 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/10/11 08:10:09 | 00,236,544 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/10/09 12:27:36 | 00,161,344 | ---- | M] () -- C:\Documents and Settings\ivy\My Documents\enf03-appC-eng.pdf

========== Files - No Company Name ==========
[2009/10/21 10:01:13 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/10/21 10:01:08 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/10/21 09:58:22 | 00,236,544 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/10/21 09:58:22 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/10/21 09:58:21 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/10/21 09:58:21 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/10/21 09:53:59 | 03,351,153 | R--- | C] () -- C:\Documents and Settings\ivy\Desktop\ComboFix.exe
[2009/10/16 18:03:42 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\ivy\Desktop\settings.dat
[2009/10/16 17:34:35 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\ivy\Desktop\HijackThis.lnk
[2009/10/16 16:56:35 | 10,643,57888 | -HS- | C] () -- C:\hiberfil.sys
[2009/10/16 12:13:11 | 00,013,380 | ---- | C] () -- C:\Program Files\Common Files\ivyzivoli.lib
[2009/10/16 12:13:11 | 00,011,323 | ---- | C] () -- C:\WINDOWS\zihic.dat
[2009/10/16 12:13:10 | 00,012,924 | ---- | C] () -- C:\Program Files\Common Files\zuboz.lib
[2009/10/16 11:59:08 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/10/09 12:27:36 | 00,161,344 | ---- | C] () -- C:\Documents and Settings\ivy\My Documents\enf03-appC-eng.pdf
[2009/09/15 15:51:55 | 00,026,160 | ---- | C] () -- C:\Documents and Settings\ivy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/09/14 12:06:23 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\ivy\Application Data\DESKTOP.INI
[2009/09/14 12:06:18 | 05,894,418 | -H-- | C] () -- C:\Documents and Settings\ivy\Local Settings\Application Data\IconCache.db
[2009/02/04 14:30:37 | 00,031,948 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2009/02/04 14:27:29 | 00,909,312 | ---- | C] () -- C:\WINDOWS\System32\xrx_xml2.dll
[2009/02/04 14:27:28 | 00,831,488 | ---- | C] () -- C:\WINDOWS\System32\xlibeay.dll
[2009/02/04 14:27:28 | 00,364,544 | ---- | C] () -- C:\WINDOWS\System32\xipinterp.dll
[2009/02/04 14:27:28 | 00,274,432 | ---- | C] () -- C:\WINDOWS\System32\xiputil.dll
[2009/02/04 14:27:28 | 00,180,224 | ---- | C] () -- C:\WINDOWS\System32\xipsup.dll
[2009/02/04 14:27:28 | 00,155,648 | ---- | C] () -- C:\WINDOWS\System32\xi.dll
[2009/02/04 14:27:28 | 00,151,552 | ---- | C] () -- C:\WINDOWS\System32\xesup.dll
[2009/02/04 14:27:28 | 00,025,088 | ---- | C] () -- C:\WINDOWS\System32\xipxml.dll
[2009/02/04 14:27:27 | 03,051,520 | ---- | C] () -- C:\WINDOWS\System32\xeng.dll
[2009/02/04 14:27:26 | 01,310,720 | ---- | C] () -- C:\WINDOWS\System32\xeext.dll
[2009/02/04 14:27:24 | 00,167,936 | ---- | C] () -- C:\WINDOWS\System32\lcms.dll
[2009/02/04 14:27:23 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\documentio.dll
[2009/02/04 14:27:23 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\diotifffx.dll
[2007/03/05 14:34:28 | 00,676,224 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2006/12/08 04:02:52 | 00,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2006/11/29 20:36:46 | 00,000,000 | ---- | C] () -- C:\WINDOWS\tstcln32.INI
[2005/12/01 23:13:59 | 00,000,823 | ---- | C] () -- C:\WINDOWS\tsc.ini
[2005/12/01 23:13:58 | 00,071,749 | ---- | C] () -- C:\WINDOWS\hcextoutput.dll
[2005/12/01 23:13:07 | 00,000,170 | ---- | C] () -- C:\WINDOWS\GetServer.ini
[2005/11/07 16:30:18 | 00,001,397 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2005/11/01 17:36:39 | 00,000,691 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
[2005/08/26 15:14:26 | 00,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2005/05/24 15:22:13 | 00,000,125 | ---- | C] () -- C:\WINDOWS\PLREMOTE.INI
[2005/05/16 18:48:40 | 00,000,206 | ---- | C] () -- C:\WINDOWS\hpbafd.ini
[2005/05/16 17:57:38 | 00,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2005/04/27 12:24:21 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/04/27 12:16:48 | 00,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/04/27 12:11:49 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/04/27 11:43:46 | 00,000,370 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/01/28 06:08:34 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/11 15:25:56 | 00,000,884 | ---- | C] () -- C:\WINDOWS\ORUN32.INI
[2004/08/11 15:15:00 | 00,000,752 | ---- | C] () -- C:\WINDOWS\WIN.INI
[2004/08/11 15:07:24 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2004/08/11 15:07:12 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\DESKTOP.INI
[2003/01/07 13:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/11/01 17:17:50 | 00,000,256 | ---- | C] () -- C:\WINDOWS\aucfg.ini
[2002/07/04 16:05:34 | 00,000,269 | ---- | C] () -- C:\WINDOWS\tmupdate.ini
[2001/12/14 14:34:46 | 00,164,864 | ---- | C] () -- C:\WINDOWS\patchw32.dll
[1999/07/23 14:46:48 | 00,000,116 | ---- | C] () -- C:\WINDOWS\AuHCcup1.ini
[1999/07/23 11:53:20 | 00,129,536 | ---- | C] () -- C:\WINDOWS\AuHCcup1.dll
[1979/12/31 22:00:00 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll

========== LOP Check ==========

[2009/10/21 10:14:35 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data
[2009/03/10 16:47:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FLEXnet
[2005/04/27 11:41:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBSI
[2009/02/04 14:32:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
[2007/10/09 12:57:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/02/04 14:28:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Xerox
[2009/10/21 10:14:53 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\ivy\Application Data
[2009/09/14 12:16:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\ivy\Application Data\Xerox
[2005/04/27 12:10:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\ivy\Application Data\You've Got Pictures Screensaver
[2009/09/02 06:20:00 | 00,000,284 | ---- | M] () -- C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
[2004/08/04 03:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\DESKTOP.INI
[2009/10/22 13:00:52 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========


< End of report >
  • 0

#6
chamber

chamber

    Face Burnin' Malware Fighter

  • Visiting Consultant
  • 2,712 posts
Things are looking better, how is it running now?

1) TFC

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

2) JavaRa

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

3) Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.
3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.

    Posted Image

  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply

In your reply I would like to see copied and pasted,

1) Kaspersky scan
2) How are things running?

  • 0

#7
keepitundercover

keepitundercover

    Member

  • Member
  • PipPip
  • 15 posts
Kaspersky scan report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, October 26, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, October 23, 2009 19:21:33
Records in database: 3050527
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
G:\
M:\
O:\
P:\
R:\
X:\
Y:\
Z:\

Scan statistics:
Objects scanned: 297166
Threats found: 14
Infected objects found: 36
Suspicious objects found: 2
Scan duration: 10:09:00


File name / Threat / Threats count
C:\Program Files\RealVNC\VNC4\WinVNC4.exe/C:\Program Files\RealVNC\VNC4\WinVNC4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\WBEM\proquota.exe.vir Infected: Packed.Win32.Krap.ah 1
G:\Mail\Outlook Express\Deleted Items.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 2
G:\Mail\Outlook Express\Deleted Items.dbx Infected: Email-Worm.Win32.NetSky.q 2
G:\Mail\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Citifraud.ai 4
G:\Mail\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Smitfraud.c 2
G:\Mail\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Bankfraud.q 1
G:\Mail\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Citifraud.bc 1
G:\Mail\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Citifraud.aq 1
O:\IT\Applications\remote desktop\NSA.EXE Infected: Backdoor.Win32.ServU-based.af 1
O:\IT\Applications\remote desktop\NSA.EXE Infected: Backdoor.Win32.WinterLove.dz 1
O:\IT\Applications\VNC\vnc-4_1_2-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 4
O:\IT\backup of profile in gordon\BK before new server\Desktop\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Sunfraud.c 1
O:\IT\backup of profile in gordon\BK before new server\Desktop\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Citifraud.ai 1
O:\IT\backup of profile in gordon\BK before new server\Desktop\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Sunfraud.bi 1
O:\IT\backup of profile in gordon\Desktop\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Sunfraud.c 1
O:\IT\backup of profile in gordon\Desktop\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Citifraud.ai 1
O:\IT\backup of profile in gordon\Desktop\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Sunfraud.bi 1
R:\Mail\Outlook.pst.old Infected: Email-Worm.Win32.Sober.y 7

Selected area has been scanned.



Things are running alright, no *major* problems, but everything seems a tad slow and I'm still being redirected to annoying fake shopping pages whenever I use google.

Thank you for helping me!
  • 0
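The helper's next reply sorts these findings by what they actually mean for the machine: already in ComboFix's quarantine, a remote-admin tool flagged as riskware, attachments inside old mail stores, or something live. As an added example (not code from the thread), a small Python parser that does that triage over a few constructed lines in the same Kaspersky report layout; the last sample line is a made-up placeholder, not a real detection:

```python
import re
from collections import defaultdict

# Constructed sample in the layout of a Kaspersky Online Scanner 7.0 report
# ("path Infected|Suspicious: threat count"). Only a few illustrative lines,
# not the poster's full report; the last detection is a made-up placeholder.
SAMPLE_REPORT = r"""
File name / Threat / Threats count
C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\WBEM\proquota.exe.vir Infected: Packed.Win32.Krap.ah 1
G:\Mail\Outlook Express\Deleted Items.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 2
G:\Mail\Outlook Express\Deleted Items.dbx Infected: Email-Worm.Win32.NetSky.q 2
R:\Mail\Outlook.pst.old Infected: Email-Worm.Win32.Sober.y 7
C:\WINDOWS\system32\CONSTRUCTED_sample.dll Infected: Trojan.Win32.ConstructedSample.a 1

Selected area has been scanned.
"""

# One detection line: the path may contain spaces, so match lazily up to the
# verdict keyword; the threat name has no spaces and the count is an integer.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$"
)

# Mail stores: a hit here is an attachment inside a stored message,
# not a file that can execute on its own.
MAIL_STORE_RE = re.compile(r"\.(dbx|pst)(\.|$)", re.IGNORECASE)


def parse_report(text):
    """Return one dict per detection line; header and footer lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["count"] = int(d["count"])
            findings.append(d)
    return findings


def classify(path, threat):
    """Bucket a detection by what the finding means for the host."""
    low = path.lower()
    if "\\qoobox\\quarantine\\" in low:
        # Already neutralised by ComboFix; the .vir extension keeps it inert.
        return "quarantined"
    if threat.startswith("not-a-virus:"):
        # Legitimate remote-admin (or similar) tool flagged as riskware;
        # only a concern if the owner did not install it knowingly.
        return "riskware"
    if MAIL_STORE_RE.search(low):
        return "mail-store"
    return "live"


def triage(text):
    """Group parsed findings by category, preserving report order."""
    buckets = defaultdict(list)
    for f in parse_report(text):
        buckets[classify(f["path"], f["threat"])].append(f)
    return dict(buckets)


def summary(text):
    """Number of detection lines per category; 'live' is what needs attention."""
    return {cat: len(items) for cat, items in triage(text).items()}


if __name__ == "__main__":
    for cat, items in triage(SAMPLE_REPORT).items():
        print(f"== {cat} ({len(items)}) ==")
        for f in items:
            print(f"  {f['verdict']:10} {f['threat']:45} {f['path']}")
```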

#8
chamber

chamber

    Face Burnin' Malware Fighter

  • Visiting Consultant
  • 2,712 posts
Can you give me an example of the redirects? Perhaps a screen shot?

For the slowness you are experiencing, you have a lot of memory being used:

1014.98 Mb Total Physical Memory | 411.35 Mb Available Physical Memory | 40.53% Memory free


You may want to take a look at the processes that are running and see if there is anything that you can live without.

1) Old e-mails

All of these files have infected e-mails in them:

G:\Mail\Outlook Express\Deleted Items.dbx
O:\IT\Applications\remote desktop\NSA.EXE
O:\IT\backup of profile in gordon\BK before new server\Desktop\Outlook Express\Deleted Items.dbx
O:\IT\backup of profile in gordon\Desktop\Outlook Express\Deleted Items.dbx
R:\Mail\Outlook.pst.old

It is up to you if you want to delete them or not.

2) Hosts File

Go to Start then Run and copy and paste the following,

C:\WINDOWS\System32\drivers\etc\Hosts

Open the file in notepad and save and attach it to your next post.

Download the HostsXpert 3.7 - Hosts File Manager.
  • Unzip HostsXpert 3.7 - Hosts File Manager to a convenient folder such as C:\HostsXpert
  • Click HostsXpert.exe to Run HostsXpert 3.7 - Hosts File Manager from its new home
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click Restore Microsoft's Hosts file and then click OK.
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

3) Security Check

Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

In your reply I would like to see copied and pasted,

1) Hosts file information
2) Security check log

  • 0

#9
keepitundercover

keepitundercover

    Member

  • Member
  • PipPip
  • 15 posts
Hi,

Oops, I did the HostsXpert thing before the first step you gave me, so this is what I get now when I run C:\WINDOWS\System32\drivers\etc\Hosts ... I hope this didn't mess up what you needed to see.


Hosts file information:

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a "#" symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
#
127.0.0.1 localhost

Security check log:

Results of screen317's Security Check version 0.99.0
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Disabled!
Symantec AntiVirus
Panasonic Windows Firewall Setting Tool
Windows Firewall Setting Tool
Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:

HijackThis 2.0.2
Java™ 6 Update 16
Adobe Flash Player 10
Adobe Reader 7.0
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent

Symantec AntiVirus DefWatch.exe
Symantec AntiVirus Rtvscan.exe
``````````````````````````````
DNS Vulnerability Check:

POOR! (Vulnerable to DNS cache poisoning!!-- Consider OPENDNS)

`````````End of Log```````````
  • 0
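The two steps above (post the Hosts file, then let HostsXpert restore Microsoft's default) come down to one question: does the file map anything beyond the stock `127.0.0.1 localhost` line, and if so, does an extra entry merely block a name or send it to a remote address? As an added example (not code from the thread or from HostsXpert), a Python audit of a Windows hosts file; the sample below is constructed, with `example.net`/`example.org`/`.test` names and a documentation-range address standing in for whatever a real file might contain:

```python
import ipaddress

# Constructed sample: the stock Windows XP hosts file header, its one
# default mapping, then three constructed entries an audit should tell apart.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# 102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
127.0.0.1       ads.example.net             # constructed: ad-block style entry
0.0.0.0         tracker.example.org         # constructed: ad-block style entry
203.0.113.10    www.example-search.test     # constructed: name pinned to a remote host
"""

# The only mapping Windows XP ships with.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost")}


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring blank lines and '#' comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                           # malformed line; maps nothing
        ip = parts[0]
        for host in parts[1:]:                 # one IP may list several names
            entries.append((ip, host.lower()))
    return entries


def audit_hosts(text):
    """Classify every non-default mapping.

    'blocked'  : name pinned to loopback/unspecified, typical of ad-block lists
                 (the 'custom Hosts file' case the helper warns about)
    'redirect' : name pinned to a routable address, so traffic for that name
                 silently goes somewhere the user did not choose
    'invalid'  : first column is not an IP address at all
    """
    report = {"blocked": [], "redirect": [], "invalid": []}
    for ip, host in parse_hosts(text):
        if (ip, host) in DEFAULT_ENTRIES:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            report["invalid"].append((ip, host))
            continue
        if addr.is_loopback or addr.is_unspecified:
            report["blocked"].append((ip, host))
        else:
            report["redirect"].append((ip, host))
    return report


def is_stock_hosts(text):
    """True when the file maps nothing beyond the XP default."""
    return set(parse_hosts(text)) <= DEFAULT_ENTRIES


if __name__ == "__main__":
    print("stock file:", is_stock_hosts(SAMPLE_HOSTS))
    for category, items in audit_hosts(SAMPLE_HOSTS).items():
        for ip, host in items:
            print(f"{category:9} {ip:16} {host}")
```

The file keepitundercover posted is stock by this check: after comments are stripped it contains only the default loopback line.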

#10
chamber

chamber

    Face Burnin' Malware Fighter

  • Visiting Consultant
  • 2,712 posts
I would suggest using OpenDNS, more information can be found HERE.

You also need to update your Adobe Reader; visit HERE for the latest version.

Have you now installed the custom hosts file?

Did you manage to get me an example of the redirects?
  • 0

#11
keepitundercover

keepitundercover

    Member

  • Member
  • PipPip
  • 15 posts
Hello,

Yes, I followed your instructions to install the custom hosts file. What I meant was that I used HostsXpert to install the file before I ran the command that you gave me. I hope that didn't create a problem.

Here are some screenshots:

Posted Image

Posted Image

Posted Image

Posted Image

The first one I haven't seen before... the second one seems to be a fake search site. The third and fourth shots are the fake shopping sites I mentioned before.

Thank you!
  • 0

#12
chamber

chamber

    Face Burnin' Malware Fighter

  • Visiting Consultant
  • 2,712 posts
Do you get the same problem in other browsers?
  • 0

#13
keepitundercover

keepitundercover

    Member

  • Member
  • PipPip
  • 15 posts
No, Firefox seems to be fine.
  • 0

#14
chamber

chamber

    Face Burnin' Malware Fighter

  • Visiting Consultant
  • 2,712 posts
Let's reset Internet Explorer and see if it still happens.
  • Exit all programs, including Internet Explorer (if it is running).
  • If you use Windows XP, click Start, and then click Run. Type the following command in the Open box, and then press ENTER:
    inetcpl.cpl
    The Internet Options dialog box appears.
  • Click the Advanced tab.
  • Under Reset Internet Explorer settings, click Reset. Then click Reset again.
  • When Internet Explorer finishes resetting the settings, click Close in the Reset Internet Explorer Settings dialog box.
  • Start Internet Explorer again.

  • 0

#15
keepitundercover

keepitundercover

    Member

  • Member
  • PipPip
  • 15 posts
Hi,

I reset IE but it's still redirecting my google searches. More bad news is that Firefox is now also affected.

:)
  • 0
