browser/google redirect/hijack [Solved]


  • This topic is locked

#1 dukeminster (New Member, 9 posts)
Hello,
I have completed the malware and spyware cleaning guide; logs attached.
XP HE SP3. IE browser and Google pages sometimes redirected.
Also not able to access Windows Update, but after running TFC the yellow update shield icon informing that updates are available has reappeared (I have not clicked on it thus far as I am suspicious that it is not bona fide).
Help to resolve would be greatly appreciated.

OTL logfile created on: 12/05/2010 17:36:02 - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\Daddy\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,023.00 Mb Total Physical Memory | 329.00 Mb Available Physical Memory | 32.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 73.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 189.91 Gb Total Space | 146.08 Gb Free Space | 76.92% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: AGALLOW
Current User Name: Daddy
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/12 17:27:04 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Daddy\Desktop\OTL.exe
PRC - [2010/04/25 15:52:48 | 001,344,744 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
PRC - [2010/04/25 15:52:48 | 000,824,552 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
PRC - [2009/12/17 17:52:46 | 000,392,520 | ---- | M] (Virgin Media) -- C:\Program Files\Virgin Broadband\PCguard\Rps.exe
PRC - [2009/05/27 14:10:56 | 000,170,736 | ---- | M] (Virgin Media) -- C:\Program Files\Virgin Broadband\PCguard\RpsSecurityAwareR.exe
PRC - [2009/05/27 14:10:02 | 000,371,440 | ---- | M] (Virgin Media) -- C:\Program Files\Virgin Broadband\PCguard\Fws.exe
PRC - [2009/05/27 13:20:32 | 000,308,464 | ---- | M] (Radialpoint Inc.) -- C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
PRC - [2009/05/27 13:20:30 | 002,303,216 | ---- | M] (Virgin Broadband) -- C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
PRC - [2009/04/03 15:51:32 | 000,143,360 | ---- | M] (Kaspersky Lab.) -- C:\Program Files\Virgin Broadband\PCguard\Kav\Bin\ScanningProcess.exe
PRC - [2008/11/14 19:28:10 | 004,937,752 | R--- | M] (Sana Security) -- C:\Program Files\Virgin Broadband\PCguard\SafeConnect\bin\SanaAgent.exe
PRC - [2008/09/22 17:58:44 | 000,693,512 | ---- | M] (Raxco Software, Inc.) -- C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
PRC - [2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/06/07 01:00:00 | 000,032,768 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\V0410Mon.exe
PRC - [2007/04/09 19:39:36 | 000,020,480 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\RealPlayer\realplay.exe
PRC - [2005/10/04 14:12:00 | 000,090,112 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\soundman.exe
PRC - [2005/01/14 18:22:52 | 000,737,379 | ---- | M] (Cyberlink) -- C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
PRC - [2005/01/14 18:22:50 | 000,024,576 | ---- | M] (Cyberlink) -- C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
PRC - [2005/01/14 18:22:26 | 000,110,711 | ---- | M] () -- C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
PRC - [2005/01/14 18:22:24 | 000,172,153 | ---- | M] () -- C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
PRC - [2005/01/14 18:21:46 | 000,110,744 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerCinema\PCMService.exe
PRC - [2003/09/04 10:45:08 | 000,135,214 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\Logitech\QCDriver2\LVComS.exe
PRC - [2002/11/23 02:15:00 | 000,631,362 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\iTouch\iTouch.exe


========== Modules (SafeList) ==========

MOD - [2010/05/12 17:27:04 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Daddy\Desktop\OTL.exe
MOD - [2010/04/25 15:52:54 | 000,541,928 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\rooksbas.dll
MOD - [2009/07/12 02:12:06 | 000,632,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll
MOD - [2009/07/12 02:09:20 | 000,554,832 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcp80.dll
MOD - [2008/05/13 10:13:36 | 000,077,824 | ---- | M] (SuperAdBlocker.com) -- C:\Program Files\SUPERAntiSpyware\SASSEH.DLL
MOD - [2008/04/14 01:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2008/04/13 18:37:57 | 000,208,384 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rsaenh.dll
MOD - [2006/11/03 19:20:00 | 000,083,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MpShHook.dll
MOD - [2003/02/26 21:27:44 | 000,036,864 | ---- | M] (Stardock.Net, Inc) -- C:\WINDOWS\system32\wbsys.dll
MOD - [2003/02/26 21:24:32 | 000,028,740 | ---- | M] (Stardock.Net, Inc) -- C:\Program Files\Stardock\Object Desktop\ThemeManager\wbhelp.dll
MOD - [2002/11/23 02:15:00 | 000,004,608 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\iTouch\itchhk.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/05/08 23:59:48 | 002,478,640 | ---- | M] () [Auto | Running] -- c:\Program Files\Common Files\Akamai\rswin_3697.dll -- (Akamai)
SRV - [2010/04/25 15:52:48 | 000,824,552 | ---- | M] (Trusteer Ltd.) [Auto | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe -- (RapportMgmtService)
SRV - [2009/12/17 17:36:24 | 000,067,360 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
SRV - [2009/05/27 14:10:56 | 000,170,736 | ---- | M] (Virgin Media) [On_Demand | Running] -- C:\Program Files\Virgin Broadband\PCguard\RpsSecurityAwareR.exe -- (Radialpoint Security Services)
SRV - [2009/05/27 14:10:02 | 000,371,440 | ---- | M] (Virgin Media) [Auto | Running] -- C:\Program Files\Virgin Broadband\PCguard\Fws.exe -- (RP_FWS)
SRV - [2008/11/14 19:28:10 | 004,937,752 | R--- | M] (Sana Security) [Auto | Running] -- C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Bin\SanaAgent.exe -- (RadialpointSafeConnectAgent)
SRV - [2008/09/22 17:58:48 | 000,910,600 | ---- | M] (Raxco Software, Inc.) [On_Demand | Stopped] -- C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe -- (PD91Engine)
SRV - [2008/09/22 17:58:44 | 000,693,512 | ---- | M] (Raxco Software, Inc.) [Auto | Running] -- C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe -- (PD91Agent)
SRV - [2007/06/15 15:58:48 | 000,068,096 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe -- (Macromedia Licensing Service)
SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2005/11/14 02:06:04 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2005/01/14 18:22:50 | 000,024,576 | ---- | M] (Cyberlink) [Auto | Running] -- C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe -- (CyberLink Media Library Service)
SRV - [2005/01/14 18:22:26 | 000,110,711 | ---- | M] () [Auto | Running] -- C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe -- (CLSched) CyberLink Task Scheduler (CTS)
SRV - [2005/01/14 18:22:24 | 000,172,153 | ---- | M] () [Auto | Running] -- C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe -- (CLCapSvc) CyberLink Background Capture Service (CBCS)


========== Driver Services (SafeList) ==========

DRV - [2010/04/25 15:52:56 | 000,158,312 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys -- (RapportPG)
DRV - [2010/04/25 15:52:56 | 000,059,240 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportKELL.sys -- (RapportKELL)
DRV - [2009/04/03 15:51:32 | 000,179,984 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\klif.sys -- (KLIF)
DRV - [2008/11/26 16:19:56 | 000,053,192 | ---- | M] (Radialpoint Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rp_skt32.sys -- (RPSKT) Security Services Driver (x86)
DRV - [2008/11/14 19:28:36 | 000,161,304 | R--- | M] (Sana Security, Inc. ) [Kernel | On_Demand | Running] -- C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectDriver.sys -- (RadialpointSafeConnectDriver)
DRV - [2008/11/14 19:28:36 | 000,029,720 | R--- | M] (Sana Security, Inc. ) [Kernel | On_Demand | Running] -- C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectFilter.sys -- (RadialpointSafeConnectFilter)
DRV - [2008/11/14 19:28:36 | 000,027,376 | ---- | M] (Sana Security, Inc. ) [Kernel | On_Demand | Running] -- C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectShim.sys -- (RadialpointSafeConnectShim)
DRV - [2008/08/28 14:16:40 | 000,071,184 | ---- | M] (Raxco Software, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DefragFS.sys -- (DefragFS)
DRV - [2008/04/13 19:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/01/02 17:31:30 | 000,017,480 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hamachi.sys -- (hamachi)
DRV - [2007/12/09 12:35:47 | 000,022,768 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbsermpt.sys -- (usbsermpt)
DRV - [2007/08/24 17:55:46 | 000,035,363 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\windrvNT.sys -- (windrvNT)
DRV - [2007/08/21 01:00:00 | 000,244,704 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\V0410Dev.sys -- (V0410Dev)
DRV - [2007/06/11 01:01:02 | 000,142,656 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\V0410AFX.sys -- (V0410Afx)
DRV - [2007/02/27 15:31:28 | 000,021,504 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motmodem.sys -- (motmodem)
DRV - [2007/02/14 18:14:20 | 000,094,720 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\V0410Aud.sys -- (V0410Aud)
DRV - [2007/02/08 13:56:20 | 000,090,800 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sea1unic.sys -- (sea1unic) Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM)
DRV - [2007/02/08 13:56:06 | 000,086,432 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sea1obex.sys -- (sea1obex)
DRV - [2007/02/08 13:56:02 | 000,018,704 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sea1nd5.sys -- (sea1nd5) Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS)
DRV - [2007/02/08 13:56:00 | 000,088,624 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sea1mgmt.sys -- (sea1mgmt) Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM)
DRV - [2007/02/08 13:55:52 | 000,097,088 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sea1mdm.sys -- (sea1mdm)
DRV - [2007/02/08 13:55:50 | 000,009,360 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sea1mdfl.sys -- (sea1mdfl)
DRV - [2007/02/08 13:55:40 | 000,061,536 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sea1bus.sys -- (sea1bus) Sony Ericsson Device 0A1 driver (WDM)
DRV - [2007/01/15 17:57:08 | 000,031,616 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\livecamv.sys -- (RLDesignVirtualAudioCableWdm)
DRV - [2006/12/05 13:37:46 | 000,007,168 | ---- | M] (EyePower Games Pte. Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\V0410Vfx.sys -- (V0410Vfx)
DRV - [2005/10/04 17:39:00 | 003,797,632 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\alcxwdm.sys -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2005/09/07 15:49:56 | 000,243,200 | ---- | M] (Ralink Technology Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RT2500.sys -- (RT2500)
DRV - [2005/07/20 21:07:00 | 003,198,368 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2005/04/13 13:34:02 | 000,414,464 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nvapu.sys -- (nvnforce) Service for NVIDIA® nForce™
DRV - [2005/04/13 13:32:42 | 000,053,376 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nvax.sys -- (nvax) Service for NVIDIA® nForce™
DRV - [2005/04/06 04:22:30 | 000,012,928 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2005/04/06 04:22:28 | 000,033,536 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2003/09/04 10:38:56 | 000,152,576 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LV532AV.SYS -- (PID_0920) Logitech QuickCam Express(PID_0920)
DRV - [2002/11/15 02:15:00 | 000,012,640 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\itchfltr.sys -- (itchfltr)
DRV - [2002/11/08 09:50:00 | 000,041,420 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Lhidusb.sys -- (LHidUsb)
DRV - [2002/11/08 09:50:00 | 000,014,156 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LCCFLTR.SYS -- (LCcfltr)
DRV - [2002/09/09 19:54:06 | 000,016,269 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\ASNDIS5.sys -- (ASNDIS5)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34}:1.1.9.6
FF - prefs.js..extensions.enabledItems: {B13721C7-F507-4982-B2E5-502A71474FED}:2.2.0.102

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/20 21:30:56 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/23 19:04:56 | 000,000,000 | ---D | M]

[2009/06/07 19:14:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Daddy\Application Data\Mozilla\Extensions
[2009/07/02 08:33:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Daddy\Application Data\Mozilla\Firefox\Profiles\qxc8b4y4.default\extensions
[2009/07/02 08:33:55 | 000,000,000 | ---D | M] (FlashGot) -- C:\Documents and Settings\Daddy\Application Data\Mozilla\Firefox\Profiles\qxc8b4y4.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
[2008/03/13 19:41:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Daddy\Application Data\Mozilla\Firefox\Profiles\qxc8b4y4.default\extensions\[email protected](2).org
[2010/03/30 17:18:51 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/06/18 16:05:46 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla(2).org
[2008/01/23 06:48:42 | 000,491,520 | ---- | M] (BitComet) -- C:\Program Files\Mozilla Firefox\plugins\npBitCometAgent.dll
[2008/11/24 20:47:59 | 000,056,576 | ---- | M] (Foxit Software Company) -- C:\Program Files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
[2009/02/02 18:15:00 | 003,771,296 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\NPSWF32.dll

O1 HOSTS File: ([2010/04/29 23:20:12 | 000,393,037 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 www.123fporn.info
O1 - Hosts: 13575 more lines...
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - No CLSID value found.
O2 - BHO: (PopKill Class) - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll (Virgin Media)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O4 - HKLM..\Run: [{1290A33C-85F5-4164-A1BE-7DD299D4986A}] C:\Program Files\CyberLink\PowerBackup\PBKScheduler.exe (CyberLink Corp.)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [Broadbandadvisor.exe] C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe (Virgin Broadband)
O4 - HKLM..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE (CANON INC.)
O4 - HKLM..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVComS.exe (Logitech Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NVMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [PCMService] C:\Program Files\CyberLink\PowerCinema\PCMService.exe (CyberLink Corp.)
O4 - HKLM..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [V0410Mon.exe] C:\WINDOWS\V0410Mon.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe (Logitech Inc.)
O4 - HKCU..\Run: [Power2GoExpress] C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe (Cyberlink)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKLM..\RunOnce: [IndexCleaner] C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe (Virgin Media)
O4 - HKCU..\RunOnce: [IndexCleaner] C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe (Virgin Media)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: %20www.microsoft%20outlook ([]https in Trusted sites)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://a1540.g.akama...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} http://www.bebo.com/...oader.5.1.4.cab (Bebo Uploader Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17D667BA-5675-4AAB-9221-08B9379384D4} http://cdnimg.piczo....st_uploader.cab (Image Uploader Control)
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} http://messenger.zon...kr.cab56986.cab (Checkers Class)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace....ploader1006.cab (MySpace Uploader Control)
O16 - DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} http://messenger.zon...S.cab109791.cab ()
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail....es/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zon...1/GAME_UNO1.cab (UnoCtrl Class)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx...owserPlugin.cab (Reg Error: Key error.)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1191521532156 (MUWebControl Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} http://appdirectory....ap/PhtPkMSN.cab (PhotoPickConvert Class)
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} http://appdirectory....ap/DigWXMSN.cab (BatchDownloader Class)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://messenger.zon...ro.cab56649.cab (MSN Games - Installer)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zon...nt.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (get_atlcom Class)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx1.hotmail....ol/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 194.168.4.100 194.168.8.100
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\WINDOWS\system32\wbsys.dll) - C:\WINDOWS\system32\wbsys.dll (Stardock.Net, Inc)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\WB: DllName - C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll - C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll (Stardock)
O24 - Desktop WallPaper: C:\Documents and Settings\Daddy\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Daddy\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/04/04 17:48:56 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (PDBoot.exe) - C:\WINDOWS\System32\PDBoot.exe (Raxco Software, Inc.)
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/12 17:27:03 | 000,570,880 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Daddy\Desktop\OTL.exe
[2010/05/12 17:01:27 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/05/12 16:53:58 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Daddy\Desktop\erunt_setup.exe
[2010/05/12 16:50:53 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2010/05/12 16:35:02 | 000,444,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Daddy\Desktop\TFC.exe
[2010/05/10 20:55:57 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/05/10 20:54:33 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/05/10 20:39:30 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/05/10 18:21:17 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\Daddy\Desktop\ATF-Cleaner.exe
[2010/05/08 18:52:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Daddy\Application Data\Malwarebytes
[2010/05/08 18:52:27 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/05/08 18:52:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/05/08 18:52:23 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/05/08 18:52:22 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/08 16:50:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\Downloaded Installations
[2010/05/08 14:38:20 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/05/08 14:34:21 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/05/08 14:34:21 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/05/08 14:34:21 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/05/08 14:34:21 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/05/08 14:34:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/05/08 14:20:25 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/08 09:49:26 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2010/05/08 09:12:25 | 016,883,056 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Daddy\My Documents\IE8-WindowsXP-x86-ENU.exe
[2010/05/07 18:28:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Threat Expert
[2010/05/07 18:28:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Daddy\Application Data\PC Tools
[2010/05/06 21:36:18 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/05/06 21:33:32 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\~0
[2010/05/06 21:32:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2010/05/05 19:18:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Daddy\Local Settings\Application Data\Threat Expert
[2010/04/29 22:46:02 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/04/29 22:46:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/04/29 21:55:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Trusteer
[2010/04/27 18:39:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/04/27 16:18:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Daddy\Application Data\SUPERAntiSpyware.com
[2010/04/27 16:18:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/04/27 16:18:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/04/27 16:18:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Trusteer
[2010/04/25 13:45:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia

========== Files - Modified Within 30 Days ==========

[2010/05/12 17:30:22 | 074,925,344 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2010/05/12 17:30:21 | 002,182,176 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.dat
[2010/05/12 17:27:04 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Daddy\Desktop\OTL.exe
[2010/05/12 17:16:49 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Daddy\Desktop\gmer.zip
[2010/05/12 17:01:29 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\Daddy\Desktop\NTREGOPT.lnk
[2010/05/12 17:01:29 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Daddy\Desktop\ERUNT.lnk
[2010/05/12 16:53:59 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Daddy\Desktop\erunt_setup.exe
[2010/05/12 16:48:42 | 000,013,758 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/12 16:48:24 | 000,000,051 | ---- | M] () -- C:\WINDOWS\iTouch.ini
[2010/05/12 16:48:21 | 000,029,204 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/05/12 16:47:49 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/12 16:47:42 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/12 16:46:51 | 001,007,420 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.idx
[2010/05/12 16:46:51 | 000,206,336 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.idx
[2010/05/12 16:46:26 | 010,485,760 | ---- | M] () -- C:\Documents and Settings\Daddy\ntuser.dat
[2010/05/12 16:46:26 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Daddy\ntuser.ini
[2010/05/12 16:35:03 | 000,444,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Daddy\Desktop\TFC.exe
[2010/05/12 16:12:54 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/05/12 16:10:55 | 000,002,521 | ---- | M] () -- C:\Documents and Settings\Daddy\Desktop\Microsoft Office Outlook 2003.lnk
[2010/05/10 20:56:08 | 000,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/05/10 20:50:08 | 008,206,880 | ---- | M] () -- C:\Documents and Settings\Daddy\Desktop\SUPERAntiSpyware.exe
[2010/05/10 19:08:10 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/05/10 18:38:10 | 003,685,876 | R--- | M] () -- C:\Documents and Settings\Daddy\Desktop\ComboFix.exe
[2010/05/10 18:21:19 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\Daddy\Desktop\ATF-Cleaner.exe
[2010/05/08 18:52:31 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/08 14:38:30 | 000,000,391 | RHS- | M] () -- C:\boot.ini
[2010/05/08 13:53:17 | 000,022,528 | ---- | M] () -- C:\Documents and Settings\Daddy\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/08 10:20:47 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/05/08 09:12:40 | 016,883,056 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Daddy\My Documents\IE8-WindowsXP-x86-ENU.exe
[2010/05/07 12:37:21 | 000,000,728 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\BitTorrent.lnk
[2010/05/06 21:36:09 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/05/03 20:26:28 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/04/29 23:20:12 | 000,393,037 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/28 16:19:40 | 000,000,376 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2010/04/25 18:52:50 | 000,015,844 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\k5t7S525hPx8
[2010/04/25 17:40:27 | 000,015,852 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\2254772943
[2010/04/19 17:15:46 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\Daddy\Desktop\Microsoft Office Word 2003.lnk

========== Files Created - No Company Name ==========

[2010/05/12 17:16:47 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Daddy\Desktop\gmer.zip
[2010/05/12 17:01:29 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\Daddy\Desktop\NTREGOPT.lnk
[2010/05/12 17:01:29 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Daddy\Desktop\ERUNT.lnk
[2010/05/10 20:56:08 | 000,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/05/10 20:50:08 | 008,206,880 | ---- | C] () -- C:\Documents and Settings\Daddy\Desktop\SUPERAntiSpyware.exe
[2010/05/08 18:52:31 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/08 14:38:30 | 000,000,321 | ---- | C] () -- C:\Boot.bak
[2010/05/08 14:38:22 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/05/08 14:34:21 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/05/08 14:34:21 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/05/08 14:34:21 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/05/08 14:34:21 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/05/08 14:34:21 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/05/08 14:23:35 | 003,685,876 | R--- | C] () -- C:\Documents and Settings\Daddy\Desktop\ComboFix.exe
[2010/05/07 12:37:21 | 000,000,728 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\BitTorrent.lnk
[2010/04/25 17:40:26 | 000,015,852 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\2254772943
[2010/04/25 13:34:27 | 000,015,844 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\k5t7S525hPx8
[2009/11/07 12:59:00 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\suppdll.dll
[2009/06/28 20:40:53 | 000,044,544 | ---- | C] () -- C:\WINDOWS\System32\Gif89.dll
[2009/06/04 18:10:43 | 000,031,616 | ---- | C] () -- C:\WINDOWS\System32\drivers\livecamv.sys
[2008/10/14 17:09:12 | 000,005,504 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen_x86.sys
[2007/08/24 20:02:42 | 000,000,082 | ---- | C] () -- C:\WINDOWS\wb.ini
[2007/08/24 17:55:39 | 000,035,363 | ---- | C] () -- C:\WINDOWS\System32\windrvNT.sys
[2007/04/12 19:29:56 | 000,008,704 | ---- | C] () -- C:\WINDOWS\System32\CNMVS78.DLL
[2007/04/09 19:39:16 | 000,015,387 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2007/04/09 19:38:44 | 000,002,128 | ---- | C] () -- C:\WINDOWS\_delis32.ini
[2007/04/07 12:33:20 | 000,000,070 | ---- | C] () -- C:\WINDOWS\7A23CB69.ini
[2007/04/07 12:33:13 | 000,000,051 | ---- | C] () -- C:\WINDOWS\iTouch.ini
[2007/04/07 11:59:27 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/04/04 18:30:19 | 000,157,184 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2005/07/20 21:07:00 | 000,540,672 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[1999/01/27 13:39:06 | 000,065,024 | ---- | C] () -- C:\WINDOWS\System32\indounin.dll
[1997/06/14 01:56:08 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll

========== LOP Check ==========

[2007/04/12 19:30:06 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2008/07/31 18:32:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Channel4
[2010/02/26 23:11:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Driving Test Success
[2009/05/01 08:44:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Kontiki
[2010/05/06 20:12:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/03/31 18:26:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Trusteer
[2008/02/25 21:03:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Virgin Broadband
[2009/03/15 19:32:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
[2009/09/13 17:38:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/04/12 00:16:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2010/05/08 17:25:29 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\~0
[2008/08/22 20:05:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Daddy\Application Data\fretsonfire
[2007/12/19 18:16:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Daddy\Application Data\LimeWire
[2007/06/29 16:53:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Daddy\Application Data\Opera
[2008/04/18 17:16:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Daddy\Application Data\Orbit
[2007/04/09 19:43:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Daddy\Application Data\Screenshot Sender
[2010/01/22 19:36:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Daddy\Application Data\Scribus
[2008/01/26 18:14:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Daddy\Application Data\Teleca
[2010/03/31 18:27:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Daddy\Application Data\Trusteer
[2009/11/01 16:32:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Daddy\Application Data\Virgin Broadband

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2010/05/08 15:27:30 | 000,001,788 | ---- | M] () -- C:\aaw7boot.log
[2007/09/18 16:48:55 | 000,000,000 | ---- | M] () -- C:\AILog.txt
[2007/04/04 17:48:56 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2008/06/04 18:00:30 | 000,000,321 | ---- | M] () -- C:\Boot.bak
[2010/05/08 14:38:30 | 000,000,391 | RHS- | M] () -- C:\boot.ini
[2004/08/03 23:00:00 | 000,260,272 | ---- | M] () -- C:\cmldr
[2010/05/10 19:14:36 | 000,021,080 | ---- | M] () -- C:\ComboFix.txt
[2007/04/04 17:48:56 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2007/12/09 13:02:36 | 000,000,000 | ---- | M] () -- C:\DBS.TXT
[2010/05/08 13:57:07 | 000,001,254 | ---- | M] () -- C:\hook.log
[2009/03/19 18:18:50 | 000,301,319 | ---- | M] () -- C:\Installer.log
[2007/04/04 17:48:56 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2007/04/04 17:48:56 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/04 13:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/10/05 15:56:24 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/05/12 16:47:39 | 1610,612,736 | -HS- | M] () -- C:\pagefile.sys
[2009/06/04 18:13:48 | 000,000,174 | ---- | M] () -- C:\Setup.log
[2008/02/23 18:20:19 | 000,000,268 | -H-- | M] () -- C:\sqmdata00.sqm
[2008/02/25 20:36:25 | 000,000,268 | -H-- | M] () -- C:\sqmdata01.sqm
[2008/02/25 21:20:35 | 000,000,268 | -H-- | M] () -- C:\sqmdata02.sqm
[2008/02/25 20:57:35 | 000,000,268 | -H-- | M] () -- C:\sqmdata03.sqm
[2008/02/25 21:57:05 | 000,000,268 | -H-- | M] () -- C:\sqmdata04.sqm
[2008/12/10 21:35:44 | 000,000,268 | -H-- | M] () -- C:\sqmdata05.sqm
[2008/02/02 19:23:33 | 000,000,268 | -H-- | M] () -- C:\sqmdata06.sqm
[2008/02/03 20:01:30 | 000,000,268 | -H-- | M] () -- C:\sqmdata07.sqm
[2008/02/03 22:07:27 | 000,000,268 | -H-- | M] () -- C:\sqmdata08.sqm
[2008/02/04 19:31:25 | 000,000,268 | -H-- | M] () -- C:\sqmdata09.sqm
[2008/02/04 22:01:13 | 000,000,268 | -H-- | M] () -- C:\sqmdata10.sqm
[2008/02/05 19:52:17 | 000,000,268 | -H-- | M] () -- C:\sqmdata11.sqm
[2008/02/06 09:39:06 | 000,000,268 | -H-- | M] () -- C:\sqmdata12.sqm
[2008/02/06 15:37:42 | 000,000,268 | -H-- | M] () -- C:\sqmdata13.sqm
[2008/02/22 17:44:38 | 000,000,268 | -H-- | M] () -- C:\sqmdata14.sqm
[2008/02/22 17:58:47 | 000,000,268 | -H-- | M] () -- C:\sqmdata15.sqm
[2008/02/22 18:49:45 | 000,000,268 | -H-- | M] () -- C:\sqmdata16.sqm
[2008/02/22 20:19:31 | 000,000,268 | -H-- | M] () -- C:\sqmdata17.sqm
[2008/02/22 20:25:40 | 000,000,268 | -H-- | M] () -- C:\sqmdata18.sqm
[2008/02/23 12:41:00 | 000,000,268 | -H-- | M] () -- C:\sqmdata19.sqm
[2008/02/23 18:20:19 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm
[2008/02/25 20:36:25 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt01.sqm
[2008/02/25 21:20:35 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt02.sqm
[2008/02/25 20:57:35 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm
[2008/02/25 21:57:05 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm
[2008/12/10 21:35:44 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm
[2008/02/02 19:23:33 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt06.sqm
[2008/02/03 20:01:30 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt07.sqm
[2008/02/03 22:07:27 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt08.sqm
[2008/02/04 19:31:25 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt09.sqm
[2008/02/04 22:01:13 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt10.sqm
[2008/02/05 19:52:17 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt11.sqm
[2008/02/06 09:39:06 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt12.sqm
[2008/02/06 15:37:42 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt13.sqm
[2008/02/22 17:44:38 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt14.sqm
[2008/02/22 17:58:46 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt15.sqm
[2008/02/22 18:49:45 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt16.sqm
[2008/02/22 20:19:31 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt17.sqm
[2008/02/22 20:25:40 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt18.sqm
[2008/02/23 12:40:59 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt19.sqm

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2007/04/04 18:34:30 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2007/04/04 18:34:30 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2007/04/04 18:34:30 | 000,901,120 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbam.sys
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
[2010/02/24 14:11:07 | 000,455,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\mrxsmb.sys
[2010/05/06 21:36:09 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\system32\drivers\SBREDrv.sys

< >

========== Files - Unicode (All) ==========
[2009/11/01 16:34:26 | 000,000,040 | ---- | M] ()(C:\WINDOWS\System32\????????????????????????????????????g) -- C:\WINDOWS\System32\㩃停潲牧浡䘠汩獥噜物楧牂慯扤湡層䍐畧牡層慓敦潃湮捥屴潃普杩塜楖睥挮湯楦g
[2009/11/01 16:34:26 | 000,000,040 | ---- | C] ()(C:\WINDOWS\System32\????????????????????????????????????g) -- C:\WINDOWS\System32\㩃停潲牧浡䘠汩獥噜物楧牂慯扤湡層䍐畧牡層慓敦潃湮捥屴潃普杩塜楖睥挮湯楦g

========== Alternate Data Streams ==========

@Alternate Data Stream - 99 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:24051EFF
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >


Edited by Essexboy, 12 May 2010 - 01:06 PM.


#2
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi, let's see if we can kill it for you.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
    [2010/05/06 21:33:32 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\~0
    [2010/04/25 18:52:50 | 000,015,844 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\k5t7S525hPx8
    [2010/04/25 17:40:27 | 000,015,852 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\2254772943
    
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download TDSSKiller and save it to your Desktop.

  • Extract the file and run it.
  • Once completed it will create a log in your C:\ drive
  • Reboot your computer
  • Please post the contents of that log


#3
dukeminster

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Thanks for the help.
I'm not sure it's resolved though; the browser is still being hijacked.
OTL and TDS logs pasted below as requested. Can you tell me what beastie it was that was causing the trouble, and how not to bump into it again!
Regards
The Duke

OTL logfile created on: 14/05/2010 14:34:36 - Run 2
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\Daddy\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,023.00 Mb Total Physical Memory | 268.00 Mb Available Physical Memory | 26.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 70.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 189.91 Gb Total Space | 146.12 Gb Free Space | 76.94% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: AGALLOW
Current User Name: Daddy
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/05/12 17:27:04 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Daddy\Desktop\OTL.exe
PRC - [2010/05/06 17:04:56 | 002,017,280 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2010/04/25 15:52:48 | 001,344,744 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
PRC - [2010/04/25 15:52:48 | 000,824,552 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
PRC - [2009/12/17 17:52:46 | 000,392,520 | ---- | M] (Virgin Media) -- C:\Program Files\Virgin Broadband\PCguard\Rps.exe
PRC - [2009/05/27 14:10:56 | 000,170,736 | ---- | M] (Virgin Media) -- C:\Program Files\Virgin Broadband\PCguard\RpsSecurityAwareR.exe
PRC - [2009/05/27 14:10:02 | 000,371,440 | ---- | M] (Virgin Media) -- C:\Program Files\Virgin Broadband\PCguard\Fws.exe
PRC - [2009/05/27 13:20:32 | 000,308,464 | ---- | M] (Radialpoint Inc.) -- C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
PRC - [2009/05/27 13:20:30 | 002,303,216 | ---- | M] (Virgin Broadband) -- C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
PRC - [2009/04/03 15:51:32 | 000,143,360 | ---- | M] (Kaspersky Lab.) -- C:\Program Files\Virgin Broadband\PCguard\Kav\Bin\ScanningProcess.exe
PRC - [2008/11/14 19:28:10 | 004,937,752 | R--- | M] (Sana Security) -- C:\Program Files\Virgin Broadband\PCguard\SafeConnect\bin\SanaAgent.exe
PRC - [2008/09/22 17:58:44 | 000,693,512 | ---- | M] (Raxco Software, Inc.) -- C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
PRC - [2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/06/07 01:00:00 | 000,032,768 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\V0410Mon.exe
PRC - [2007/04/09 19:39:36 | 000,020,480 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\RealPlayer\realplay.exe
PRC - [2005/10/04 14:12:00 | 000,090,112 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\soundman.exe
PRC - [2005/03/23 14:34:50 | 001,630,303 | ---- | M] (Cyberlink) -- C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
PRC - [2005/01/14 18:22:52 | 000,737,379 | ---- | M] (Cyberlink) -- C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
PRC - [2005/01/14 18:22:50 | 000,024,576 | ---- | M] (Cyberlink) -- C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
PRC - [2005/01/14 18:22:26 | 000,110,711 | ---- | M] () -- C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
PRC - [2005/01/14 18:22:24 | 000,172,153 | ---- | M] () -- C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
PRC - [2005/01/14 18:21:46 | 000,110,744 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerCinema\PCMService.exe
PRC - [2003/09/04 10:45:08 | 000,135,214 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\Logitech\QCDriver2\LVComS.exe
PRC - [2002/11/23 02:15:00 | 000,631,362 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\iTouch\iTouch.exe


========== Modules (SafeList) ==========

MOD - [2010/05/12 17:27:04 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Daddy\Desktop\OTL.exe
MOD - [2010/04/25 15:52:54 | 000,541,928 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\rooksbas.dll
MOD - [2008/04/14 01:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2003/02/26 21:27:44 | 000,036,864 | ---- | M] (Stardock.Net, Inc) -- C:\WINDOWS\system32\wbsys.dll
MOD - [2003/02/26 21:24:32 | 000,028,740 | ---- | M] (Stardock.Net, Inc) -- C:\Program Files\Stardock\Object Desktop\ThemeManager\wbhelp.dll
MOD - [2002/11/23 02:15:00 | 000,004,608 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\iTouch\itchhk.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/05/08 23:59:48 | 002,478,640 | ---- | M] () [Auto | Running] -- c:\Program Files\Common Files\Akamai\rswin_3697.dll -- (Akamai)
SRV - [2010/04/25 15:52:48 | 000,824,552 | ---- | M] (Trusteer Ltd.) [Auto | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe -- (RapportMgmtService)
SRV - [2009/12/17 17:36:24 | 000,067,360 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
SRV - [2009/05/27 14:10:56 | 000,170,736 | ---- | M] (Virgin Media) [On_Demand | Running] -- C:\Program Files\Virgin Broadband\PCguard\RpsSecurityAwareR.exe -- (Radialpoint Security Services)
SRV - [2009/05/27 14:10:02 | 000,371,440 | ---- | M] (Virgin Media) [Auto | Running] -- C:\Program Files\Virgin Broadband\PCguard\Fws.exe -- (RP_FWS)
SRV - [2008/11/14 19:28:10 | 004,937,752 | R--- | M] (Sana Security) [Auto | Running] -- C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Bin\SanaAgent.exe -- (RadialpointSafeConnectAgent)
SRV - [2008/09/22 17:58:48 | 000,910,600 | ---- | M] (Raxco Software, Inc.) [On_Demand | Stopped] -- C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe -- (PD91Engine)
SRV - [2008/09/22 17:58:44 | 000,693,512 | ---- | M] (Raxco Software, Inc.) [Auto | Running] -- C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe -- (PD91Agent)
SRV - [2007/06/15 15:58:48 | 000,068,096 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe -- (Macromedia Licensing Service)
SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2005/11/14 02:06:04 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2005/01/14 18:22:50 | 000,024,576 | ---- | M] (Cyberlink) [Auto | Running] -- C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe -- (CyberLink Media Library Service)
SRV - [2005/01/14 18:22:26 | 000,110,711 | ---- | M] () [Auto | Running] -- C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe -- (CLSched) CyberLink Task Scheduler (CTS)
SRV - [2005/01/14 18:22:24 | 000,172,153 | ---- | M] () [Auto | Running] -- C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe -- (CLCapSvc) CyberLink Background Capture Service (CBCS)


========== Driver Services (SafeList) ==========

DRV - [2010/04/25 15:52:56 | 000,158,312 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys -- (RapportPG)
DRV - [2010/04/25 15:52:56 | 000,059,240 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportKELL.sys -- (RapportKELL)
DRV - [2009/04/03 15:51:32 | 000,179,984 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\klif.sys -- (KLIF)
DRV - [2008/11/26 16:19:56 | 000,053,192 | ---- | M] (Radialpoint Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rp_skt32.sys -- (RPSKT) Security Services Driver (x86)
DRV - [2008/11/14 19:28:36 | 000,161,304 | R--- | M] (Sana Security, Inc. ) [Kernel | On_Demand | Running] -- C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectDriver.sys -- (RadialpointSafeConnectDriver)
DRV - [2008/11/14 19:28:36 | 000,029,720 | R--- | M] (Sana Security, Inc. ) [Kernel | On_Demand | Running] -- C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectFilter.sys -- (RadialpointSafeConnectFilter)
DRV - [2008/11/14 19:28:36 | 000,027,376 | ---- | M] (Sana Security, Inc. ) [Kernel | On_Demand | Running] -- C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectShim.sys -- (RadialpointSafeConnectShim)
DRV - [2008/08/28 14:16:40 | 000,071,184 | ---- | M] (Raxco Software, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DefragFS.sys -- (DefragFS)
DRV - [2008/04/13 19:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/01/02 17:31:30 | 000,017,480 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hamachi.sys -- (hamachi)
DRV - [2007/12/09 12:35:47 | 000,022,768 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbsermpt.sys -- (usbsermpt)
DRV - [2007/08/24 17:55:46 | 000,035,363 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\windrvNT.sys -- (windrvNT)
DRV - [2007/08/21 01:00:00 | 000,244,704 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\V0410Dev.sys -- (V0410Dev)
DRV - [2007/06/11 01:01:02 | 000,142,656 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\V0410AFX.sys -- (V0410Afx)
DRV - [2007/02/27 15:31:28 | 000,021,504 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motmodem.sys -- (motmodem)
DRV - [2007/02/14 18:14:20 | 000,094,720 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\V0410Aud.sys -- (V0410Aud)
DRV - [2007/02/08 13:56:20 | 000,090,800 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sea1unic.sys -- (sea1unic) Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM)
DRV - [2007/02/08 13:56:06 | 000,086,432 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sea1obex.sys -- (sea1obex)
DRV - [2007/02/08 13:56:02 | 000,018,704 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sea1nd5.sys -- (sea1nd5) Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS)
DRV - [2007/02/08 13:56:00 | 000,088,624 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sea1mgmt.sys -- (sea1mgmt) Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM)
DRV - [2007/02/08 13:55:52 | 000,097,088 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sea1mdm.sys -- (sea1mdm)
DRV - [2007/02/08 13:55:50 | 000,009,360 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sea1mdfl.sys -- (sea1mdfl)
DRV - [2007/02/08 13:55:40 | 000,061,536 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sea1bus.sys -- (sea1bus) Sony Ericsson Device 0A1 driver (WDM)
DRV - [2007/01/15 17:57:08 | 000,031,616 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\livecamv.sys -- (RLDesignVirtualAudioCableWdm)
DRV - [2006/12/05 13:37:46 | 000,007,168 | ---- | M] (EyePower Games Pte. Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\V0410Vfx.sys -- (V0410Vfx)
DRV - [2005/10/04 17:39:00 | 003,797,632 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\alcxwdm.sys -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2005/09/07 15:49:56 | 000,243,200 | ---- | M] (Ralink Technology Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RT2500.sys -- (RT2500)
DRV - [2005/07/20 21:07:00 | 003,198,368 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2005/04/13 13:34:02 | 000,414,464 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nvapu.sys -- (nvnforce) Service for NVIDIA® nForce™
DRV - [2005/04/13 13:32:42 | 000,053,376 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nvax.sys -- (nvax) Service for NVIDIA® nForce™
DRV - [2005/04/06 04:22:30 | 000,012,928 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2005/04/06 04:22:28 | 000,033,536 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2003/09/04 10:38:56 | 000,152,576 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LV532AV.SYS -- (PID_0920) Logitech QuickCam Express(PID_0920)
DRV - [2002/11/15 02:15:00 | 000,012,640 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\itchfltr.sys -- (itchfltr)
DRV - [2002/11/08 09:50:00 | 000,041,420 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Lhidusb.sys -- (LHidUsb)
DRV - [2002/11/08 09:50:00 | 000,014,156 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LCCFLTR.SYS -- (LCcfltr)
DRV - [2002/09/09 19:54:06 | 000,016,269 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\ASNDIS5.sys -- (ASNDIS5)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34}:1.1.9.6
FF - prefs.js..extensions.enabledItems: {B13721C7-F507-4982-B2E5-502A71474FED}:2.2.0.102

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/20 21:30:56 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/23 19:04:56 | 000,000,000 | ---D | M]

[2009/06/07 19:14:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Daddy\Application Data\Mozilla\Extensions
[2009/07/02 08:33:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Daddy\Application Data\Mozilla\Firefox\Profiles\qxc8b4y4.default\extensions
[2009/07/02 08:33:55 | 000,000,000 | ---D | M] (FlashGot) -- C:\Documents and Settings\Daddy\Application Data\Mozilla\Firefox\Profiles\qxc8b4y4.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
[2008/03/13 19:41:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Daddy\Application Data\Mozilla\Firefox\Profiles\qxc8b4y4.default\extensions\[email protected](2).org
[2010/03/30 17:18:51 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/06/18 16:05:46 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla(2).org
[2008/01/23 06:48:42 | 000,491,520 | ---- | M] (BitComet) -- C:\Program Files\Mozilla Firefox\plugins\npBitCometAgent.dll
[2008/11/24 20:47:59 | 000,056,576 | ---- | M] (Foxit Software Company) -- C:\Program Files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
[2009/02/02 18:15:00 | 003,771,296 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\NPSWF32.dll

O1 HOSTS File: ([2010/04/29 23:20:12 | 000,393,037 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 13575 more lines...
O2 - BHO: (PopKill Class) - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll (Virgin Media)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O4 - HKLM..\Run: [{1290A33C-85F5-4164-A1BE-7DD299D4986A}] C:\Program Files\CyberLink\PowerBackup\PBKScheduler.exe (CyberLink Corp.)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [Broadbandadvisor.exe] C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe (Virgin Broadband)
O4 - HKLM..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE (CANON INC.)
O4 - HKLM..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVComS.exe (Logitech Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NVMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [PCMService] C:\Program Files\CyberLink\PowerCinema\PCMService.exe (CyberLink Corp.)
O4 - HKLM..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [V0410Mon.exe] C:\WINDOWS\V0410Mon.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe (Logitech Inc.)
O4 - HKCU..\Run: [Power2GoExpress] C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe (Cyberlink)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: %20www.microsoft%20outlook ([]https in Trusted sites)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://a1540.g.akama...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} http://www.bebo.com/...oader.5.1.4.cab (Bebo Uploader Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17D667BA-5675-4AAB-9221-08B9379384D4} http://cdnimg.piczo....st_uploader.cab (Image Uploader Control)
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} http://messenger.zon...kr.cab56986.cab (Checkers Class)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace....ploader1006.cab (MySpace Uploader Control)
O16 - DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} http://messenger.zon...S.cab109791.cab ()
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail....es/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zon...1/GAME_UNO1.cab (UnoCtrl Class)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx...owserPlugin.cab (Reg Error: Key error.)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1191521532156 (MUWebControl Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} http://appdirectory....ap/PhtPkMSN.cab (PhotoPickConvert Class)
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} http://appdirectory....ap/DigWXMSN.cab (BatchDownloader Class)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://messenger.zon...ro.cab56649.cab (MSN Games - Installer)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zon...nt.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (get_atlcom Class)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx1.hotmail....ol/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 194.168.4.100 194.168.8.100
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\WINDOWS\system32\wbsys.dll) - C:\WINDOWS\system32\wbsys.dll (Stardock.Net, Inc)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\WB: DllName - C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll - C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll (Stardock)
O24 - Desktop WallPaper: C:\Documents and Settings\Daddy\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Daddy\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/04/04 17:48:56 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (PDBoot.exe) - C:\WINDOWS\System32\PDBoot.exe (Raxco Software, Inc.)
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010/05/14 14:25:57 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/05/12 17:27:03 | 000,570,880 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Daddy\Desktop\OTL.exe
[2010/05/12 17:01:27 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/05/12 16:53:58 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Daddy\Desktop\erunt_setup.exe
[2010/05/12 16:35:02 | 000,444,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Daddy\Desktop\TFC.exe
[2010/05/10 20:55:57 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/05/10 20:54:33 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/05/10 20:39:30 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/05/08 18:52:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Daddy\Application Data\Malwarebytes
[2010/05/08 18:52:27 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/05/08 18:52:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/05/08 18:52:23 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/05/08 18:52:22 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/08 16:50:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\Downloaded Installations
[2010/05/08 14:38:20 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/05/08 14:34:21 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/05/08 14:34:21 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/05/08 14:34:21 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/05/08 14:34:21 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/05/08 14:34:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/05/08 14:20:25 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/08 09:49:26 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2010/05/07 18:28:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Threat Expert
[2010/05/07 18:28:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Daddy\Application Data\PC Tools
[2010/05/06 21:36:18 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/05/06 21:32:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2010/05/05 19:18:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Daddy\Local Settings\Application Data\Threat Expert
[2010/04/29 22:46:02 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/04/29 22:46:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/04/29 21:55:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Trusteer
[2010/04/27 18:39:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/04/27 16:18:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Daddy\Application Data\SUPERAntiSpyware.com
[2010/04/27 16:18:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/04/27 16:18:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/04/27 16:18:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Trusteer
[2010/04/25 13:45:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/03/31 18:27:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Daddy\Application Data\Trusteer
[2010/03/31 18:27:20 | 000,000,000 | ---D | C] -- C:\Program Files\Trusteer
[2010/03/31 18:26:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Trusteer
[2010/03/30 18:28:50 | 000,000,000 | ---D | C] -- C:\Program Files\BitKinex
[2010/03/30 17:35:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\FLEXnet
[2010/03/30 16:55:40 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Akamai
[2010/02/19 19:23:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Daddy\Desktop\Copy of New Folder

========== Files - Modified Within 90 Days ==========

[2010/05/14 14:37:46 | 076,022,048 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2010/05/14 14:30:39 | 002,191,904 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.dat
[2010/05/14 14:29:55 | 000,000,051 | ---- | M] () -- C:\WINDOWS\iTouch.ini
[2010/05/14 14:29:52 | 000,029,204 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/05/14 14:29:16 | 000,013,758 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/14 14:28:36 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/14 14:28:29 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/14 14:27:40 | 001,022,924 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.idx
[2010/05/14 14:27:40 | 000,207,536 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.idx
[2010/05/14 14:27:15 | 010,747,904 | ---- | M] () -- C:\Documents and Settings\Daddy\ntuser.dat
[2010/05/14 14:27:15 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Daddy\ntuser.ini
[2010/05/12 20:02:04 | 000,000,173 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2010/05/12 17:27:04 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Daddy\Desktop\OTL.exe
[2010/05/12 17:16:49 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Daddy\Desktop\gmer.zip
[2010/05/12 17:01:29 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\Daddy\Desktop\NTREGOPT.lnk
[2010/05/12 17:01:29 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Daddy\Desktop\ERUNT.lnk
[2010/05/12 16:53:59 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Daddy\Desktop\erunt_setup.exe
[2010/05/12 16:35:03 | 000,444,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Daddy\Desktop\TFC.exe
[2010/05/12 16:12:54 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/05/12 16:10:55 | 000,002,521 | ---- | M] () -- C:\Documents and Settings\Daddy\Desktop\Microsoft Office Outlook 2003.lnk
[2010/05/10 20:56:08 | 000,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/05/10 20:50:08 | 008,206,880 | ---- | M] () -- C:\Documents and Settings\Daddy\Desktop\SUPERAntiSpyware.exe
[2010/05/10 19:08:10 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/05/10 18:38:10 | 003,685,876 | R--- | M] () -- C:\Documents and Settings\Daddy\Desktop\ComboFix.exe
[2010/05/08 18:52:31 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/08 14:38:30 | 000,000,391 | RHS- | M] () -- C:\boot.ini
[2010/05/08 13:53:17 | 000,022,528 | ---- | M] () -- C:\Documents and Settings\Daddy\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/08 10:21:12 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/05/07 12:37:21 | 000,000,728 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\BitTorrent.lnk
[2010/05/06 21:36:09 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/05/03 20:26:28 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/04/29 23:20:12 | 000,393,037 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/28 16:19:40 | 000,000,376 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2010/04/19 17:15:46 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\Daddy\Desktop\Microsoft Office Word 2003.lnk
[2010/03/28 11:45:42 | 000,521,480 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/28 11:45:42 | 000,441,992 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/28 11:45:42 | 000,070,192 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/12 18:52:57 | 000,001,503 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Browser Choice.lnk
[2010/03/10 20:27:09 | 000,000,603 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/02/19 19:14:10 | 000,001,475 | ---- | M] () -- C:\Documents and Settings\Daddy\Desktop\Windows Explorer.lnk
[2010/02/16 13:49:17 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/02/16 10:15:05 | 000,001,864 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\The Sims 2 University.lnk

========== Files Created - No Company Name ==========

[2010/05/12 20:02:04 | 000,000,173 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010/05/12 17:16:47 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Daddy\Desktop\gmer.zip
[2010/05/12 17:01:29 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\Daddy\Desktop\NTREGOPT.lnk
[2010/05/12 17:01:29 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Daddy\Desktop\ERUNT.lnk
[2010/05/10 20:56:08 | 000,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/05/10 20:50:08 | 008,206,880 | ---- | C] () -- C:\Documents and Settings\Daddy\Desktop\SUPERAntiSpyware.exe
[2010/05/08 18:52:31 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/08 14:38:30 | 000,000,321 | ---- | C] () -- C:\Boot.bak
[2010/05/08 14:38:22 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/05/08 14:34:21 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/05/08 14:34:21 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/05/08 14:34:21 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/05/08 14:34:21 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/05/08 14:34:21 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/05/08 14:23:35 | 003,685,876 | R--- | C] () -- C:\Documents and Settings\Daddy\Desktop\ComboFix.exe
[2010/05/07 12:37:21 | 000,000,728 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\BitTorrent.lnk
[2010/03/12 18:52:57 | 000,001,503 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Browser Choice.lnk
[2010/02/16 10:15:05 | 000,001,864 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\The Sims 2 University.lnk
[2009/11/07 12:59:00 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\suppdll.dll
[2009/06/28 20:40:53 | 000,044,544 | ---- | C] () -- C:\WINDOWS\System32\Gif89.dll
[2009/06/04 18:10:43 | 000,031,616 | ---- | C] () -- C:\WINDOWS\System32\drivers\livecamv.sys
[2008/10/14 17:09:12 | 000,005,504 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen_x86.sys
[2007/08/24 20:02:42 | 000,000,082 | ---- | C] () -- C:\WINDOWS\wb.ini
[2007/08/24 17:55:39 | 000,035,363 | ---- | C] () -- C:\WINDOWS\System32\windrvNT.sys
[2007/04/12 19:29:56 | 000,008,704 | ---- | C] () -- C:\WINDOWS\System32\CNMVS78.DLL
[2007/04/09 19:39:16 | 000,015,387 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2007/04/09 19:38:44 | 000,002,128 | ---- | C] () -- C:\WINDOWS\_delis32.ini
[2007/04/07 12:33:20 | 000,000,070 | ---- | C] () -- C:\WINDOWS\7A23CB69.ini
[2007/04/07 12:33:13 | 000,000,051 | ---- | C] () -- C:\WINDOWS\iTouch.ini
[2007/04/07 11:59:27 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/04/04 18:30:19 | 000,157,184 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2005/07/20 21:07:00 | 000,540,672 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[1999/01/27 13:39:06 | 000,065,024 | ---- | C] () -- C:\WINDOWS\System32\indounin.dll
[1997/06/14 01:56:08 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll

========== LOP Check ==========

[2007/04/12 19:30:06 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2008/07/31 18:32:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Channel4
[2010/02/26 23:11:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Driving Test Success
[2009/05/01 08:44:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Kontiki
[2010/05/06 20:12:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/03/31 18:26:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Trusteer
[2008/02/25 21:03:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Virgin Broadband
[2009/03/15 19:32:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
[2009/09/13 17:38:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/04/12 00:16:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2008/08/22 20:05:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Daddy\Application Data\fretsonfire
[2007/12/19 18:16:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Daddy\Application Data\LimeWire
[2007/06/29 16:53:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Daddy\Application Data\Opera
[2008/04/18 17:16:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Daddy\Application Data\Orbit
[2007/04/09 19:43:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Daddy\Application Data\Screenshot Sender
[2010/01/22 19:36:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Daddy\Application Data\Scribus
[2008/01/26 18:14:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Daddy\Application Data\Teleca
[2010/03/31 18:27:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Daddy\Application Data\Trusteer
[2009/11/01 16:32:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Daddy\Application Data\Virgin Broadband

========== Purity Check ==========



========== Files - Unicode (All) ==========
[2009/11/01 16:34:26 | 000,000,040 | ---- | M] ()(C:\WINDOWS\System32\????????????????????????????????????g) -- C:\WINDOWS\System32\㩃停潲牧浡䘠汩獥噜物楧牂慯扤湡層䍐畧牡層慓敦潃湮捥屴潃普杩塜楖睥挮湯楦g
[2009/11/01 16:34:26 | 000,000,040 | ---- | C] ()(C:\WINDOWS\System32\????????????????????????????????????g) -- C:\WINDOWS\System32\㩃停潲牧浡䘠汩獥噜物楧牂慯扤湡層䍐畧牡層慓敦潃湮捥屴潃普杩塜楖睥挮湯楦g



15:12:35:250 1520 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
15:12:35:250 1520 ================================================================================
15:12:35:250 1520 SystemInfo:

15:12:35:250 1520 OS Version: 5.1.2600 ServicePack: 3.0
15:12:35:250 1520 Product type: Workstation
15:12:35:250 1520 ComputerName: AGALLOW
15:12:35:250 1520 UserName: Daddy
15:12:35:250 1520 Windows directory: C:\WINDOWS
15:12:35:250 1520 Processor architecture: Intel x86
15:12:35:250 1520 Number of processors: 1
15:12:35:250 1520 Page size: 0x1000
15:12:35:265 1520 Boot type: Normal boot
15:12:35:265 1520 ================================================================================
15:12:35:343 1520 UnloadDriverW: NtUnloadDriver error 2
15:12:35:343 1520 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
15:12:35:562 1520 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
15:12:35:609 1520 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
15:12:35:609 1520 wfopen_ex: Trying to KLMD file open
15:12:35:609 1520 wfopen_ex: File opened ok (Flags 2)
15:12:35:609 1520 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
15:12:35:609 1520 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
15:12:35:609 1520 wfopen_ex: Trying to KLMD file open
15:12:35:609 1520 wfopen_ex: File opened ok (Flags 2)
15:12:35:609 1520 Initialize success
15:12:35:609 1520
15:12:35:609 1520 Scanning Services ...
15:12:36:375 1520 Raw services enum returned 392 services
15:12:36:375 1520
15:12:36:375 1520 Scanning Kernel memory ...
15:12:36:375 1520 Devices to scan: 2
15:12:36:375 1520
15:12:36:375 1520 Driver Name: Disk
15:12:36:375 1520 IRP_MJ_CREATE : F74EDBB0
15:12:36:375 1520 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
15:12:36:375 1520 IRP_MJ_CLOSE : F74EDBB0
15:12:36:375 1520 IRP_MJ_READ : F74E7D1F
15:12:36:375 1520 IRP_MJ_WRITE : F74E7D1F
15:12:36:375 1520 IRP_MJ_QUERY_INFORMATION : 804F355A
15:12:36:375 1520 IRP_MJ_SET_INFORMATION : 804F355A
15:12:36:375 1520 IRP_MJ_QUERY_EA : 804F355A
15:12:36:375 1520 IRP_MJ_SET_EA : 804F355A
15:12:36:375 1520 IRP_MJ_FLUSH_BUFFERS : F74E82E2
15:12:36:375 1520 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
15:12:36:375 1520 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
15:12:36:375 1520 IRP_MJ_DIRECTORY_CONTROL : 804F355A
15:12:36:375 1520 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
15:12:36:375 1520 IRP_MJ_DEVICE_CONTROL : F74E83BB
15:12:36:375 1520 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74EBF28
15:12:36:375 1520 IRP_MJ_SHUTDOWN : F74E82E2
15:12:36:375 1520 IRP_MJ_LOCK_CONTROL : 804F355A
15:12:36:375 1520 IRP_MJ_CLEANUP : 804F355A
15:12:36:375 1520 IRP_MJ_CREATE_MAILSLOT : 804F355A
15:12:36:390 1520 IRP_MJ_QUERY_SECURITY : 804F355A
15:12:36:390 1520 IRP_MJ_SET_SECURITY : 804F355A
15:12:36:390 1520 IRP_MJ_POWER : F74E9C82
15:12:36:390 1520 IRP_MJ_SYSTEM_CONTROL : F74EE99E
15:12:36:390 1520 IRP_MJ_DEVICE_CHANGE : 804F355A
15:12:36:390 1520 IRP_MJ_QUERY_QUOTA : 804F355A
15:12:36:390 1520 IRP_MJ_SET_QUOTA : 804F355A
15:12:36:437 1520 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
15:12:36:437 1520
15:12:36:437 1520 Driver Name: atapi
15:12:36:437 1520 IRP_MJ_CREATE : 86262EE4
15:12:36:437 1520 IRP_MJ_CREATE_NAMED_PIPE : 86262EE4
15:12:36:437 1520 IRP_MJ_CLOSE : 86262EE4
15:12:36:437 1520 IRP_MJ_READ : 86262EE4
15:12:36:437 1520 IRP_MJ_WRITE : 86262EE4
15:12:36:437 1520 IRP_MJ_QUERY_INFORMATION : 86262EE4
15:12:36:437 1520 IRP_MJ_SET_INFORMATION : 86262EE4
15:12:36:437 1520 IRP_MJ_QUERY_EA : 86262EE4
15:12:36:437 1520 IRP_MJ_SET_EA : 86262EE4
15:12:36:437 1520 IRP_MJ_FLUSH_BUFFERS : 86262EE4
15:12:36:437 1520 IRP_MJ_QUERY_VOLUME_INFORMATION : 86262EE4
15:12:36:437 1520 IRP_MJ_SET_VOLUME_INFORMATION : 86262EE4
15:12:36:437 1520 IRP_MJ_DIRECTORY_CONTROL : 86262EE4
15:12:36:437 1520 IRP_MJ_FILE_SYSTEM_CONTROL : 86262EE4
15:12:36:437 1520 IRP_MJ_DEVICE_CONTROL : 86262EE4
15:12:36:437 1520 IRP_MJ_INTERNAL_DEVICE_CONTROL : 86262EE4
15:12:36:453 1520 IRP_MJ_SHUTDOWN : 86262EE4
15:12:36:453 1520 IRP_MJ_LOCK_CONTROL : 86262EE4
15:12:36:453 1520 IRP_MJ_CLEANUP : 86262EE4
15:12:36:453 1520 IRP_MJ_CREATE_MAILSLOT : 86262EE4
15:12:36:453 1520 IRP_MJ_QUERY_SECURITY : 86262EE4
15:12:36:453 1520 IRP_MJ_SET_SECURITY : 86262EE4
15:12:36:453 1520 IRP_MJ_POWER : 86262EE4
15:12:36:453 1520 IRP_MJ_SYSTEM_CONTROL : 86262EE4
15:12:36:453 1520 IRP_MJ_DEVICE_CHANGE : 86262EE4
15:12:36:453 1520 IRP_MJ_QUERY_QUOTA : 86262EE4
15:12:36:453 1520 IRP_MJ_SET_QUOTA : 86262EE4
15:12:36:453 1520 Driver "atapi" infected by TDSS rootkit!
15:12:36:609 1520 C:\WINDOWS\system32\drivers\atapi.sys - Verdict: 1
15:12:36:609 1520 File "C:\WINDOWS\system32\drivers\atapi.sys" infected by TDSS rootkit ...
15:12:36:609 1520 Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
15:12:36:625 1520 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
15:12:37:187 1520 vfvi6
15:12:37:265 1520 !dsvbh1
15:12:39:609 1520 dsvbh2
15:12:39:609 1520 fdfb2
15:12:39:609 1520 Backup copy found, using it..
15:12:39:640 1520 will be cured on next reboot
15:12:39:640 1520 Reboot required for cure complete..
15:12:39:781 1520 Cure on reboot scheduled successfully
15:12:39:781 1520
15:12:39:781 1520 Completed
15:12:39:781 1520
15:12:39:781 1520 Results:
15:12:39:781 1520 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
15:12:39:781 1520 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
15:12:39:781 1520 File objects infected / cured / cured on reboot: 1 / 0 / 1
15:12:39:781 1520
15:12:39:781 1520 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
15:12:39:796 1520 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
15:12:39:796 1520 UnloadDriverW: NtUnloadDriver error 1
15:12:39:796 1520 KLMD(ARK) unloaded successfully

========== Alternate Data Streams ==========

@Alternate Data Stream - 99 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:24051EFF
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report

#4
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hmm, let's use a slightly stronger hammer. Once I have finally determined the variant I will let you know :)

Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#5
dukeminster

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
OK, here's the log. Thanks again.

ComboFix 10-05-14.06 - Daddy 15/05/2010 8:56.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.579 [GMT 1:00]
Running from: c:\documents and settings\Daddy\Desktop\ComboFix.exe
AV: PCguard Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: PCguard Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\rasacd.sys was found and disinfected
Restored copy from - Kitty had a snack :)
.
((((((((((((((((((((((((( Files Created from 2010-04-15 to 2010-05-15 )))))))))))))))))))))))))))))))
.

2010-05-14 13:25 . 2010-05-14 13:25 -------- d-----w- C:\_OTL
2010-05-12 16:01 . 2010-05-12 16:01 -------- d-----w- c:\program files\ERUNT
2010-05-10 19:57 . 2010-05-14 18:07 63488 ----a-w- c:\documents and settings\Daddy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-10 19:57 . 2010-05-10 19:57 52224 ----a-w- c:\documents and settings\Daddy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-10 19:56 . 2010-05-14 18:07 117760 ----a-w- c:\documents and settings\Daddy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-10 19:55 . 2010-05-10 19:56 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-10 19:54 . 2010-05-10 19:54 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-08 17:52 . 2010-05-08 17:52 -------- d-----w- c:\documents and settings\Daddy\Application Data\Malwarebytes
2010-05-08 17:52 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-08 17:52 . 2010-05-08 17:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-08 17:52 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-08 17:52 . 2010-05-08 17:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-08 15:50 . 2010-05-08 15:50 -------- d-----w- c:\windows\Downloaded Installations
2010-05-08 08:49 . 2010-05-08 08:51 -------- dc-h--w- c:\windows\ie8
2010-05-07 21:37 . 2010-05-07 21:37 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-05-07 17:28 . 2010-05-07 17:28 -------- d-----w- c:\documents and settings\elly and charless\Local Settings\Application Data\Apple
2010-05-07 17:28 . 2010-05-07 17:28 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Threat Expert
2010-05-07 17:28 . 2010-05-07 17:28 -------- d-----w- c:\documents and settings\elly and charless\Local Settings\Application Data\Threat Expert
2010-05-07 17:28 . 2010-05-07 17:28 -------- d-----w- c:\documents and settings\Daddy\Application Data\PC Tools
2010-05-07 17:27 . 2010-05-07 17:27 -------- d-----w- c:\documents and settings\elly and charless\Local Settings\Application Data\PowerCinema
2010-05-07 17:27 . 2010-05-07 17:27 -------- d-----w- c:\documents and settings\elly and charless\Local Settings\Application Data\Microsoft Help
2010-05-07 17:27 . 2010-05-07 17:27 -------- d-----w- c:\documents and settings\elly and charless\Application Data\CyberLink
2010-05-07 11:38 . 2010-05-07 13:21 -------- d-----w- c:\documents and settings\elly and charless\Local Settings\Application Data\AskToolbar
2010-05-07 11:37 . 2010-05-07 17:23 -------- d-----w- c:\documents and settings\elly and charless\Application Data\BitTorrent
2010-05-06 20:36 . 2010-05-06 20:36 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-06 20:32 . 2010-05-08 16:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-05-06 17:16 . 2010-05-06 17:16 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2010-05-05 18:18 . 2010-05-05 18:18 -------- d-----w- c:\documents and settings\Daddy\Local Settings\Application Data\Threat Expert
2010-05-03 19:26 . 2010-05-07 17:28 -------- d-----w- c:\documents and settings\elly and charless\Application Data\Apple Computer
2010-05-03 16:05 . 2010-05-13 14:02 -------- d-----w- c:\documents and settings\elly and charless\Tracing
2010-04-29 21:46 . 2010-05-08 09:23 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-29 21:46 . 2010-05-08 09:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-29 20:55 . 2010-04-29 20:55 -------- d-----w- c:\documents and settings\LocalService\Application Data\Trusteer
2010-04-28 19:25 . 2010-04-28 19:25 -------- d-sh--w- c:\documents and settings\elly and charless\PrivacIE
2010-04-28 15:52 . 2010-05-07 17:26 -------- d-----w- c:\documents and settings\elly and charless\Local Settings\Application Data\Spotify
2010-04-28 15:52 . 2010-05-06 17:26 -------- d-----w- c:\documents and settings\elly and charless\Application Data\Spotify
2010-04-28 15:25 . 2010-04-28 15:25 -------- d-sh--w- c:\documents and settings\elly and charless\IECompatCache
2010-04-28 15:17 . 2010-04-28 15:17 -------- d-----w- c:\documents and settings\elly and charless\Local Settings\Application Data\Mozilla
2010-04-27 21:17 . 2010-05-07 12:03 -------- d-----w- c:\documents and settings\elly and charless\Local Settings\Application Data\Apple Computer
2010-04-27 21:17 . 2010-04-27 21:17 104640 ----a-w- c:\documents and settings\elly and charless\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-27 15:18 . 2010-04-27 15:18 -------- d-----w- c:\documents and settings\Daddy\Application Data\SUPERAntiSpyware.com
2010-04-27 15:18 . 2010-04-27 15:18 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-27 15:18 . 2010-04-27 15:18 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Trusteer
2010-04-25 12:44 . 2010-04-25 12:44 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-15 08:12 . 2010-03-30 15:55 -------- d-----w- c:\program files\Common Files\Akamai
2010-05-15 08:11 . 2009-11-01 15:37 76550688 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-05-15 08:11 . 2009-11-01 15:37 2206752 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-05-15 07:53 . 2009-11-01 15:37 208832 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-05-15 07:53 . 2009-11-01 15:37 1029884 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-05-15 07:22 . 2004-08-04 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-05-14 17:49 . 2008-07-12 19:44 -------- d-----w- c:\program files\Bonjour
2010-05-14 17:47 . 2009-12-01 18:33 -------- d-----w- c:\program files\BitTorrent
2010-05-12 18:59 . 2009-04-15 19:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-12 15:12 . 2008-01-05 19:15 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-07 17:45 . 2007-04-04 17:09 -------- d-----w- c:\program files\CyberLink
2010-05-07 17:45 . 2007-04-04 17:09 -------- d-----w- c:\program files\InstallShield Installation Information
2010-05-06 19:12 . 2009-08-04 18:53 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-27 21:15 . 2010-04-27 21:15 -------- d-----w- c:\documents and settings\elly and charless\Application Data\Trusteer
2010-04-27 21:15 . 2010-04-27 21:15 -------- d-----w- c:\documents and settings\elly and charless\Application Data\Virgin Broadband
2010-04-27 15:15 . 2010-03-30 17:28 -------- d-----w- c:\program files\BitKinex
2010-04-03 09:48 . 2007-04-04 17:26 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-31 17:27 . 2010-03-31 17:27 -------- d-----w- c:\documents and settings\Daddy\Application Data\Trusteer
2010-03-31 17:27 . 2010-03-31 17:27 -------- d-----w- c:\program files\Trusteer
2010-03-31 17:26 . 2010-03-31 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Trusteer
2010-03-30 16:35 . 2010-03-30 16:35 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-03-10 06:15 . 2004-08-04 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-04 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-24 09:16 . 2009-10-02 18:27 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-17 08:10 . 2004-08-04 12:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2006-06-15 19:33 . 2009-06-04 17:13 233472 ----a-w- c:\program files\mozilla firefox\plugins\CrazyTalk4Native.dll
2006-05-25 17:43 . 2009-06-04 17:13 204895 ----a-w- c:\program files\mozilla firefox\plugins\ctdomemhelper.dll
2005-09-29 13:41 . 2009-06-04 17:13 77824 ----a-w- c:\program files\mozilla firefox\plugins\ctframeplayerobject.dll
2006-06-19 12:10 . 2009-06-04 17:13 426081 ----a-w- c:\program files\mozilla firefox\plugins\ctplayerobject.dll
2005-02-02 11:19 . 2009-06-04 17:12 458752 ----a-w- c:\program files\mozilla firefox\plugins\imagickrt.dll
2006-04-10 17:35 . 2009-06-04 17:13 139264 ----a-w- c:\program files\mozilla firefox\plugins\rlcontentclass.dll
2005-11-09 10:10 . 2009-06-04 17:12 204800 ----a-w- c:\program files\mozilla firefox\plugins\RLMusicPacker.dll
2005-11-09 10:42 . 2009-06-04 17:12 106496 ----a-w- c:\program files\mozilla firefox\plugins\RLMusicUnpacker.dll
2006-01-04 10:22 . 2009-06-04 17:12 212992 ----a-w- c:\program files\mozilla firefox\plugins\RLVoicePacker.dll
2006-01-04 10:21 . 2009-06-04 17:12 167936 ----a-w- c:\program files\mozilla firefox\plugins\RLVoiceUnpacker.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="c:\program files\CyberLink\Power2Go\Power2GoExpress.exe" [2005-03-23 1630303]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-06 2017280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="c:\program files\CyberLink\PowerCinema\PCMService.exe" [2005-01-14 110744]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"{1290A33C-85F5-4164-A1BE-7DD299D4986A}"="c:\program files\CyberLink\PowerBackup\PBKScheduler.exe" [2004-06-08 69721]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-20 7110656]
"nwiz"="nwiz.exe" [2005-07-20 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-07-20 86016]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 131072]
"SoundMan"="SOUNDMAN.EXE" [2005-10-04 90112]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2002-11-23 631362]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver2\LVCOMS.EXE" [2003-09-04 135214]
"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2007-04-09 20480]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"V0410Mon.exe"="c:\windows\V0410Mon.exe" [2007-06-07 32768]
"Broadbandadvisor.exe"="c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2009-05-27 2303216]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-22 141608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 21:34 24576 ----a-w- c:\program files\Stardock\Object Desktop\ThemeManager\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15834:TCP"= 15834:TCP:BitComet 15834 TCP
"15834:UDP"= 15834:UDP:BitComet 15834 UDP
"1052:TCP"= 1052:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [25/04/2010 15:52 59240]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [25/04/2010 15:52 158312]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [04/08/2004 13:00 14336]
R2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [22/09/2008 17:58 693512]
R2 RadialpointSafeConnectAgent;Virgin Broadband PCguard SafeConnectAgent;c:\program files\Virgin Broadband\PCguard\SafeConnect\bin\SanaAgent.exe [14/11/2008 19:28 4937752]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [25/04/2010 15:52 824552]
R3 Radialpoint Security Services;Virgin Broadband PCguard;c:\program files\Virgin Broadband\PCguard\RpsSecurityAwareR.exe [27/05/2009 14:10 170736]
R3 RadialpointSafeConnectDriver;RadialpointSafeConnectDriver;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectDriver.sys [14/11/2008 19:28 161304]
R3 RadialpointSafeConnectFilter;RadialpointSafeConnectFilter;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectFilter.sys [14/11/2008 19:28 29720]
R3 RadialpointSafeConnectShim;RadialpointSafeConnectShim;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectShim.sys [14/11/2008 19:28 27376]
R3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:\windows\system32\drivers\livecamv.sys [04/06/2009 18:10 31616]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Daddy\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Daddy\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\Daddy\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys --> c:\docume~1\Daddy\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [22/09/2008 17:58 910600]
S3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\drivers\LV532AV.SYS [09/04/2007 19:39 152576]
S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);c:\windows\system32\drivers\sea1bus.sys [26/01/2008 11:09 61536]
S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;c:\windows\system32\drivers\sea1mdfl.sys [26/01/2008 11:10 9360]
S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;c:\windows\system32\drivers\sea1mdm.sys [26/01/2008 11:10 97088]
S3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\sea1mgmt.sys [26/01/2008 11:10 88624]
S3 sea1nd5;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS);c:\windows\system32\drivers\sea1nd5.sys [26/01/2008 11:10 18704]
S3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface;c:\windows\system32\drivers\sea1obex.sys [26/01/2008 11:10 86432]
S3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM);c:\windows\system32\drivers\sea1unic.sys [26/01/2008 11:10 90800]
S3 V0410Afx;Creative Camera VF0410 Audio Effects Driver;c:\windows\system32\drivers\V0410AFX.sys [04/06/2009 19:31 142656]
S3 V0410Aud;Creative Camera VF0410 Noise Cancellation APO;c:\windows\system32\drivers\V0410Aud.sys [04/06/2009 19:31 94720]
S3 V0410Dev;Creative Camera VF0410 Driver;c:\windows\system32\drivers\V0410Dev.sys [04/06/2009 19:31 244704]
S3 V0410Vfx;Creative Camera VF0410 Video VFX Driver;c:\windows\system32\drivers\V0410Vfx.sys [04/06/2009 19:31 7168]
S4 iteraid;iteraid; [x]
S4 Si3112r;Si3112r; [x]
S4 viasraid;viasraid; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2010-02-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ntlworld.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: %20www.microsoft%20outlook
DPF: {17D667BA-5675-4AAB-9221-08B9379384D4} - hxxp://cdnimg.piczo.com/images/uploader/piczo_fast_uploader.cab
FF - ProfilePath - c:\documents and settings\Daddy\Application Data\Mozilla\Firefox\Profiles\qxc8b4y4.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
.
------- File Associations -------
.
.txt=
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-15 09:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x861F7EE4]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74ebf28
\Driver\ACPI -> ACPI.sys @ 0xf735ecb8
\Driver\atapi -> atapi.sys @ 0xf7316852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
NDIS: NVIDIA nForce Networking Controller -> SendCompleteHandler -> NDIS.sys @ 0xf720fbb0
PacketIndicateHandler -> NDIS.sys @ 0xf721ca21
SendHandler -> NDIS.sys @ 0xf71fa87b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1202660629-1078145449-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{43A61272-549B-4253-DCEF-9CE5D59823E9}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1028)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Stardock\Object Desktop\ThemeManager\fastload.dll

- - - - - - - > 'lsass.exe'(1088)
c:\windows\system32\WININET.dll
.
Completion time: 2010-05-15 09:17:51
ComboFix-quarantined-files.txt 2010-05-15 08:17
ComboFix2.txt 2010-05-10 18:14

Pre-Run: 160,724,484,096 bytes free
Post-Run: 160,693,555,200 bytes free

- - End Of File - - 96ECC82827152D10D4001DED04986945
  • 0

#6
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK, you had the latest variant of the TDSS rootkit.

What problems do you have remaining?
  • 0

#7
dukeminster

    New Member

  • Topic Starter
  • Member
  • 9 posts
IE browser still redirecting, and Windows Update not displaying: "Internet Explorer cannot display the webpage".
Sorry!
  • 0

#8
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Not a problem.

Go to Control Panel and select Internet Options
Select the Connections tab
Select the LAN settings button
Ensure there is no tick in the Proxy Server box
Select OK and restart Internet Explorer


And for Firefox there are instructions on this page; you want the setting to be No proxy.


Let me know if that resolves it.

Please download Malwarebytes' Anti-Malware from Here.

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
  • 0
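The LAN settings check described above, as an added example that is not from the thread: it reads the same WinINET registry values Internet Explorer uses (ProxyEnable, ProxyServer, AutoConfigURL under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings), parses a Firefox prefs.js for the network.proxy.* prefs, and reports anything other than "no proxy". The registry read needs Windows; the sample values are constructed, with 198.51.100.7 (a documentation address) standing in for a hijacker's proxy.

```python
"""Proxy-hijack check for IE/WinINET and Firefox.

Added example, not from the thread. The evaluation works on plain dicts so it
can be exercised offline; only read_ie_settings() needs Windows.
"""
import re
from typing import Dict, List

IE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
IE_VALUES = ("ProxyEnable", "ProxyServer", "AutoConfigURL")

# Meaning of Firefox's network.proxy.type pref.
FIREFOX_PROXY_TYPES = {
    0: "no proxy",
    1: "manual proxy",
    2: "automatic configuration (PAC) URL",
    4: "auto-detect (WPAD)",
    5: "use system (IE) proxy settings",
}

_PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+?)\);$')


def read_ie_settings() -> Dict[str, object]:
    """Read the current user's WinINET proxy values (Windows only)."""
    import winreg  # imported here so the rest of the module runs on any OS
    out: Dict[str, object] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, IE_KEY) as key:
        for name in IE_VALUES:
            try:
                out[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass  # value absent: check_ie() treats it as unset
    return out


def parse_prefs_js(text: str) -> Dict[str, object]:
    """Extract user_pref() lines from a Firefox prefs.js into a dict."""
    prefs: Dict[str, object] = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line.strip())
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def check_ie(settings: Dict[str, object]) -> List[str]:
    """Flag anything that would route IE's traffic through a proxy."""
    findings = []
    if settings.get("ProxyEnable") == 1 and settings.get("ProxyServer"):
        findings.append(f"IE: manual proxy enabled -> {settings['ProxyServer']}")
    if settings.get("AutoConfigURL"):
        findings.append(f"IE: automatic configuration script -> {settings['AutoConfigURL']}")
    return findings


def check_firefox(prefs: Dict[str, object]) -> List[str]:
    """Flag a Firefox profile whose proxy type is anything but 'no proxy'.

    An absent pref means the browser default applies and is not flagged;
    type 5 defers to the IE settings, which check_ie() covers.
    """
    ptype = prefs.get("network.proxy.type")
    if ptype in (None, 0):
        return []
    desc = FIREFOX_PROXY_TYPES.get(ptype, "unknown type")
    target = prefs.get("network.proxy.http") or prefs.get("network.proxy.autoconfig_url") or ""
    return [f"Firefox: network.proxy.type={ptype} ({desc}) {target}".rstrip()]


# Constructed samples: a hijacked IE configuration and a hijacked prefs.js.
SAMPLE_IE = {"ProxyEnable": 1, "ProxyServer": "http=198.51.100.7:8080"}
SAMPLE_PREFS_JS = '''\
user_pref("browser.startup.homepage", "http://www.ntlworld.com/");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "198.51.100.7");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.share_proxy_settings", true);
'''

if __name__ == "__main__":
    for finding in check_ie(SAMPLE_IE) + check_firefox(parse_prefs_js(SAMPLE_PREFS_JS)):
        print(finding)
```

On the infected machine, replace SAMPLE_IE with read_ie_settings() and read prefs.js from the profile folder ComboFix listed under "FF - ProfilePath".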

#9
dukeminster

    New Member

  • Topic Starter
  • Member
  • 9 posts
Didn't need to change anything re the first two proxy-related checks.
MBAM log pasted below.



Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4104

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

15/05/2010 18:44:41
mbam-log-2010-05-15 (18-44-41).txt

Scan type: Quick scan
Objects scanned: 136490
Time elapsed: 7 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

#10
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
And you still have redirects?

Download Dr.Web CureIt to the desktop.
  • Double-click the drweb-cureit.exe file, then click Start and allow the express scan to run.
  • This will scan the files currently running in memory and, when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, choose the Complete Scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look and see if you can click the following icon next to the files found:
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image:
  • This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer to allow files that were in use to be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply along with a new OTL log.
NOTE: During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on the X in the upper right corner.
  • 0
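The DrWeb.csv this procedure saves is semicolon-separated (name;directory;threat;action;), as the report posted later in the thread shows. The following is an added example, not Dr.Web's or the thread's code, that collapses repeated records for one file into a single count and derives the follow-up items a helper would act on. It assumes paths never contain ';'; the sample records are constructed to mirror the posted report, and C:\Qoobox\Quarantine is ComboFix's quarantine folder.

```python
"""Triage a Dr.Web CureIt report (DrWeb.csv).

Added example, not part of the thread or of Dr.Web. Assumed record layout,
as in the report quoted in this thread:
    name;directory;threat;action;
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample modelled on the report quoted in this thread.
SAMPLE_REPORT = """\
Process in memory: C:\\WINDOWS\\System32\\svchost.exe:1632;;BackDoor.Tdss.565;Eradicated.;
rasacd.sys;C:\\WINDOWS\\system32\\drivers;BackDoor.Tdss.2459;Will be cured after restart.;
rasacd.sys;c:\\windows\\system32\\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\\windows\\system32\\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\\windows\\system32\\drivers;BackDoor.Tdss.2459;Cured.;
archive.pst\\2130404.attach.38245 - report.pdf;C:\\Documents and Settings\\Daddy\\Local Settings\\Application Data\\Microsoft\\Outlook\\archive.pst;Exploit.PDFUri;;
archive.pst;C:\\Documents and Settings\\Daddy\\Local Settings\\Application Data\\Microsoft\\Outlook;Archive contains infected objects;Moved.;
SktInstall.exe;C:\\Program Files\\InstallShield Installation Information\\{0B0F82AB-5B9A-4B9F-96EF-74E1FD85F01F};Probably BACKDOOR.Trojan;Moved.;
rasacd.sys.vir;C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\Drivers;BackDoor.Tdss.2459;Will be cured after restart.;
A0000276.exe;C:\\System Volume Information\\_restore{7A4BE94D-54ED-4AC7-89D9-AA1D78299391}\\RP2;Win32.HLLW.Walker.3;Deleted.;
"""


@dataclass
class Record:
    name: str
    directory: str
    threat: str
    action: str


@dataclass
class Finding:
    name: str
    directory: str
    threat: str
    count: int = 0
    actions: Set[str] = field(default_factory=set)

    @property
    def location(self) -> str:
        return f"{self.directory}\\{self.name}" if self.directory else self.name


def parse_report(text: str) -> List[Record]:
    """Split each non-empty line on ';' into the four fields (each line ends with ';')."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(";")
        parts += [""] * (4 - len(parts))  # tolerate a truncated line
        records.append(Record(*(p.strip() for p in parts[:4])))
    return records


def summarise(records: List[Record]) -> List[Finding]:
    """Collapse repeated detections of one file; Windows paths are case-insensitive."""
    groups: Dict[Tuple[str, str, str], Finding] = {}
    for r in records:
        key = (r.name.lower(), r.directory.lower(), r.threat)
        g = groups.setdefault(key, Finding(r.name, r.directory, r.threat))
        g.count += 1
        g.actions.add(r.action or "(none)")
    return list(groups.values())


def triage(findings: List[Finding]) -> Dict[str, list]:
    """Derive follow-up items from the actions Dr.Web reported."""
    notes: Dict[str, list] = defaultdict(list)
    for f in findings:
        loc, d = f.location, f.directory.lower()
        if "Will be cured after restart." in f.actions:
            notes["reboot_required"].append(loc)
        if f.count > 1 and "Cured." in f.actions:
            # The same file cured again and again: something is still rewriting it.
            notes["reinfected_repeatedly"].append((loc, f.count))
        if "Moved." in f.actions:
            notes["quarantined"].append(loc)
        if f.actions == {"(none)"}:
            notes["no_action_recorded"].append(loc)  # e.g. a member inside an archive
        if f.threat.lower().startswith("probably"):
            notes["heuristic_verify"].append(loc)  # heuristic name: confirm before trusting
        if "system volume information" in d:
            notes["in_restore_point"].append(loc)  # old restore points keep infected copies
        if "\\qoobox\\quarantine" in d:
            notes["combofix_quarantine"].append(loc)
    return dict(notes)


if __name__ == "__main__":
    findings = summarise(parse_report(SAMPLE_REPORT))
    for f in findings:
        print(f"{f.count:3d}x {f.threat:<35} {f.location}  {sorted(f.actions)}")
    for category, items in triage(findings).items():
        print(category, items)
```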


#11
dukeminster

    New Member

  • Topic Starter
  • Member
  • 9 posts
Dr.Web log pasted below. Scan took a long time.
Windows reported that some files have been replaced by unrecognised versions and that to maintain stability Windows must restore the original file versions. Insert XP system disc? (Our PC was supplied by Mesh with XP preloaded and a recovery disc only.) Do I need to restore these files? How?
Has my security been compromised? a) by the infection, b) by posting the log information?
Looks pretty bad to me!
Windows Update now connects, but I have not downloaded anything yet.
Once again your help is much appreciated.


Process in memory: C:\WINDOWS\System32\svchost.exe:1632;;BackDoor.Tdss.565;Eradicated.;
rasacd.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Will be cured after restart.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
archive.pst\2130404.attach.38245 - report.2007.10.29.5306985.pdf;C:\Documents and Settings\Daddy\Local Settings\Application Data\Microsoft\Outlook\archive.pst;Exploit.PDFUri;;
archive.pst;C:\Documents and Settings\Daddy\Local Settings\Application Data\Microsoft\Outlook;Archive contains infected objects;Moved.;
NorExec.exe;C:\Program Files\ASUS\WLAN Card Utilities;Win32.HLLW.Walker.3;Deleted.;
SktInstall.exe;C:\Program Files\InstallShield Installation Information\{0B0F82AB-5B9A-4B9F-96EF-74E1FD85F01F};Probably BACKDOOR.Trojan;Moved.;
rasacd.sys.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers;BackDoor.Tdss.2459;Will be cured after restart.;
A0000276.exe;C:\System Volume Information\_restore{7A4BE94D-54ED-4AC7-89D9-AA1D78299391}\RP2;Win32.HLLW.Walker.3;Deleted.;
rasacd.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Cured.;
  • 0
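The Dr.Web log above repeats the same rasacd.sys record dozens of times, and that repetition is itself the finding: a driver that is "cured" over and over is either being re-infected or the cure is not sticking. As an added example (not from the thread, and not Dr.Web's own code), the following Python script triages a CureIt-style log: it parses the `name;directory;threat;action;` records, collapses repeats, and flags the three things a responder cares about before declaring the machine clean: a file cured repeatedly, actions deferred to the next restart, and detections with no action recorded. `SAMPLE_LOG` is a constructed excerpt in the same record format, not the full log from the post; `repeat_threshold` is an assumed tunable.

```python
"""Triage a Dr.Web CureIt!-style log ('name;directory;threat;action;' per line).

Added example, not from the thread. SAMPLE_LOG is constructed from the record
format seen in the post (a handful of lines, not the full log).
"""
from collections import Counter

SAMPLE_LOG = r"""rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
rasacd.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;
archive.pst\2130404.attach.38245 - report.2007.10.29.5306985.pdf;C:\Documents and Settings\Daddy\Local Settings\Application Data\Microsoft\Outlook\archive.pst;Exploit.PDFUri;;
archive.pst;C:\Documents and Settings\Daddy\Local Settings\Application Data\Microsoft\Outlook;Archive contains infected objects;Moved.;
NorExec.exe;C:\Program Files\ASUS\WLAN Card Utilities;Win32.HLLW.Walker.3;Deleted.;
rasacd.sys.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers;BackDoor.Tdss.2459;Will be cured after restart.;
"""

PENDING = "will be cured after restart"


def parse_log(text):
    """Return one dict per non-empty line: name, directory, threat, action."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # A record is 'name;directory;threat;action;'. The trailing ';' yields an
        # empty last field, which we drop. Names inside archives contain
        # backslashes but never ';', so a plain split is safe.
        fields = line.split(";")
        if fields and fields[-1] == "":
            fields.pop()
        fields += [""] * (4 - len(fields))        # pad short/malformed lines
        name, directory, threat, action = fields[:4]
        entries.append({"name": name, "directory": directory,
                        "threat": threat, "action": action.rstrip(".")})
    return entries


def summarize(entries):
    """Collapse repeated records. Key: lower-cased full path, threat, action."""
    counts = Counter()
    for e in entries:
        path = e["directory"].lower() + "\\" + e["name"].lower()
        counts[(path, e["threat"], e["action"])] += 1
    return counts


def triage(entries, repeat_threshold=3):
    """Records a responder should look at before calling the box clean.

    repeat_threshold is an assumed tunable: how many 'Cured' records for the
    same path count as a reinfection loop rather than a one-off.
    """
    findings = []
    for (path, threat, action), n in summarize(entries).items():
        if action.lower() == "cured" and n >= repeat_threshold:
            findings.append(("REINFECTION", path, threat, n))   # cure not sticking
        if action.lower() == PENDING:
            findings.append(("PENDING", path, threat, n))       # nothing done yet
        if action == "":
            findings.append(("NO_ACTION", path, threat, n))     # detected, not handled
    return findings


if __name__ == "__main__":
    for kind, path, threat, n in triage(parse_log(SAMPLE_LOG)):
        print(f"{kind:12} x{n:<3} {threat:28} {path}")
```

Run it on a saved CureIt log by reading the file into `parse_log` instead of `SAMPLE_LOG`. A REINFECTION hit on a boot-time driver is the cue for the next step in the thread: stop trusting the scanner's "Cured" and verify the file by hash against a known-good copy.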
#12 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
I am not sure if Dr Web cured it

Run OTL
  • Under the Custom Scan box paste this in

    /md5start
    rasacd.sys
    /md5stop
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.


THEN
  1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:

    TDL::
    c:\windows\system32\drivers\rasacd.sys

  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

  4. Save the above as CFScript.txt

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    (animation not reproduced here)

  6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt

  • 0
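The `/md5start ... /md5stop` custom scan in the post above makes OTL report the MD5 of every file called rasacd.sys it can find, so the copy in the live drivers folder can be compared with the cached copies Windows keeps (dllcache, ServicePackFiles). The TDSS family patches a legitimate driver in place, so the file keeps its name, path and usually its size; only the hash gives it away. As an added example, not OTL's or ComboFix's code and not from the thread, here is a Python version of that check, generalized to any Windows tree and filename: it hashes every copy, flags the copy whose hash disagrees with the majority, and classifies a single live-vs-reference pair. The directory layout and the driver bytes in `demo()` are constructed test data.

```python
"""Hash every copy of a named driver under a Windows tree and flag the odd one out.

Added example (not OTL/ComboFix code, not from the thread). It mimics what an
OTL '/md5start name /md5stop' custom scan reports: a digest for each copy of
the file, so the live driver can be compared with Windows' cached copies.
demo() builds a throwaway tree with constructed bytes standing in for a driver.
"""
import hashlib
import os
import tempfile
from collections import Counter


def file_digests(path, chunk=65536):
    """Size, MD5 and SHA-256 of one file, read in chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
            size += len(block)
    return {"size": size, "md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def find_copies(root, filename):
    """Every file under root with that name (case-insensitive, as NTFS is)."""
    wanted = filename.lower()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == wanted:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def hash_report(root, filename):
    """Map each copy's path to its digests."""
    return {p: file_digests(p) for p in find_copies(root, filename)}


def outliers(report):
    """Paths whose SHA-256 is not the most common one among the copies.

    With one live copy and two or more cached copies, a clean system shows a
    single hash; an infected driver is the minority. Needs at least two copies.
    """
    if len(report) < 2:
        return []    # nothing to compare against
    majority, _ = Counter(d["sha256"] for d in report.values()).most_common(1)[0]
    return sorted(p for p, d in report.items() if d["sha256"] != majority)


def verdict(live, reference):
    """Classify one live file against one reference copy."""
    a, b = file_digests(live), file_digests(reference)
    if a["sha256"] == b["sha256"]:
        return "match"
    if a["size"] != b["size"]:
        return "size-mismatch"
    return "patched-in-place"   # same length, different bytes: patched, not replaced


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed tree: two cached clean copies, one live copy with 16 bytes overwritten."""
    clean = bytes(range(256)) * 32                          # 8192 bytes of filler
    patched = clean[:4096] + b"\x90" * 16 + clean[4112:]    # same length as clean
    with tempfile.TemporaryDirectory() as win:
        live = os.path.join(win, "system32", "drivers", "rasacd.sys")
        cache = os.path.join(win, "system32", "dllcache", "rasacd.sys")
        spf = os.path.join(win, "ServicePackFiles", "i386", "rasacd.sys")
        _write(live, patched)
        _write(cache, clean)
        _write(spf, clean)
        report = hash_report(win, "rasacd.sys")
        return {
            "copies": len(report),
            "outliers": [os.path.relpath(p, win) for p in outliers(report)],
            "verdict": verdict(live, cache),
        }


if __name__ == "__main__":
    print(demo())
```

Two caveats apply in practice. First, a majority vote only works if the cached copies are from the same Windows build and service pack as the live one; otherwise compare against a copy taken from install media of that exact build. Second, an active TDSS rootkit can serve the clean original sectors to user-mode reads while the patched code is what actually loads, so a hash taken from the running, infected system may look fine; hash the file from an offline boot or after the rootkit has been removed, which is why the thread re-runs the check after ComboFix.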
#13 dukeminster (Topic Starter, New Member, 9 posts)
OK here we go
Hope it's good news!

ComboFix 10-05-15.03 - Daddy 16/05/2010 18:36:03.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.480 [GMT 1:00]
Running from: c:\documents and settings\Daddy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Daddy\Desktop\CFScript.txt
AV: PCguard Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: PCguard Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
.

((((((((((((((((((((((((( Files Created from 2010-04-16 to 2010-05-16 )))))))))))))))))))))))))))))))
.

2010-05-15 18:49 . 2010-05-16 00:14 -------- d-----w- c:\documents and settings\Daddy\DoctorWeb
2010-05-14 13:25 . 2010-05-14 13:25 -------- d-----w- C:\_OTL
2010-05-12 16:01 . 2010-05-12 16:01 -------- d-----w- c:\program files\ERUNT
2010-05-10 19:57 . 2010-05-14 18:07 63488 ----a-w- c:\documents and settings\Daddy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-10 19:57 . 2010-05-10 19:57 52224 ----a-w- c:\documents and settings\Daddy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-10 19:56 . 2010-05-14 18:07 117760 ----a-w- c:\documents and settings\Daddy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-10 19:55 . 2010-05-10 19:56 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-10 19:54 . 2010-05-10 19:54 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-08 17:52 . 2010-05-08 17:52 -------- d-----w- c:\documents and settings\Daddy\Application Data\Malwarebytes
2010-05-08 17:52 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-08 17:52 . 2010-05-08 17:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-08 17:52 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-08 17:52 . 2010-05-08 17:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-08 15:50 . 2010-05-08 15:50 -------- d-----w- c:\windows\Downloaded Installations
2010-05-08 08:49 . 2010-05-08 08:51 -------- dc-h--w- c:\windows\ie8
2010-05-07 21:37 . 2010-05-07 21:37 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-05-07 17:28 . 2010-05-07 17:28 -------- d-----w- c:\documents and settings\elly and charless\Local Settings\Application Data\Apple
2010-05-07 17:28 . 2010-05-07 17:28 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Threat Expert
2010-05-07 17:28 . 2010-05-07 17:28 -------- d-----w- c:\documents and settings\elly and charless\Local Settings\Application Data\Threat Expert
2010-05-07 17:28 . 2010-05-07 17:28 -------- d-----w- c:\documents and settings\Daddy\Application Data\PC Tools
2010-05-07 17:27 . 2010-05-07 17:27 -------- d-----w- c:\documents and settings\elly and charless\Local Settings\Application Data\PowerCinema
2010-05-07 17:27 . 2010-05-07 17:27 -------- d-----w- c:\documents and settings\elly and charless\Local Settings\Application Data\Microsoft Help
2010-05-07 17:27 . 2010-05-07 17:27 -------- d-----w- c:\documents and settings\elly and charless\Application Data\CyberLink
2010-05-07 11:38 . 2010-05-07 13:21 -------- d-----w- c:\documents and settings\elly and charless\Local Settings\Application Data\AskToolbar
2010-05-07 11:37 . 2010-05-07 17:23 -------- d-----w- c:\documents and settings\elly and charless\Application Data\BitTorrent
2010-05-06 20:36 . 2010-05-06 20:36 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-06 20:32 . 2010-05-08 16:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-05-06 17:16 . 2010-05-06 17:16 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2010-05-05 18:18 . 2010-05-05 18:18 -------- d-----w- c:\documents and settings\Daddy\Local Settings\Application Data\Threat Expert
2010-05-03 19:26 . 2010-05-07 17:28 -------- d-----w- c:\documents and settings\elly and charless\Application Data\Apple Computer
2010-05-03 16:05 . 2010-05-13 14:02 -------- d-----w- c:\documents and settings\elly and charless\Tracing
2010-04-29 21:46 . 2010-05-08 09:23 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-29 21:46 . 2010-05-08 09:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-29 20:55 . 2010-04-29 20:55 -------- d-----w- c:\documents and settings\LocalService\Application Data\Trusteer
2010-04-28 19:25 . 2010-04-28 19:25 -------- d-sh--w- c:\documents and settings\elly and charless\PrivacIE
2010-04-28 15:52 . 2010-05-07 17:26 -------- d-----w- c:\documents and settings\elly and charless\Local Settings\Application Data\Spotify
2010-04-28 15:52 . 2010-05-06 17:26 -------- d-----w- c:\documents and settings\elly and charless\Application Data\Spotify
2010-04-28 15:25 . 2010-04-28 15:25 -------- d-sh--w- c:\documents and settings\elly and charless\IECompatCache
2010-04-28 15:17 . 2010-04-28 15:17 -------- d-----w- c:\documents and settings\elly and charless\Local Settings\Application Data\Mozilla
2010-04-27 21:17 . 2010-05-07 12:03 -------- d-----w- c:\documents and settings\elly and charless\Local Settings\Application Data\Apple Computer
2010-04-27 21:17 . 2010-04-27 21:17 104640 ----a-w- c:\documents and settings\elly and charless\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-27 15:18 . 2010-04-27 15:18 -------- d-----w- c:\documents and settings\Daddy\Application Data\SUPERAntiSpyware.com
2010-04-27 15:18 . 2010-04-27 15:18 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-27 15:18 . 2010-04-27 15:18 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Trusteer
2010-04-25 12:44 . 2010-04-25 12:44 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-16 17:43 . 2010-03-30 15:55 -------- d-----w- c:\program files\Common Files\Akamai
2010-05-16 17:43 . 2009-11-01 15:37 77328416 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-05-16 17:42 . 2009-11-01 15:37 2250016 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-05-16 12:48 . 2004-08-04 12:00 8832 ----a-w- c:\windows\system32\drivers\rasacd.sys
2010-05-16 12:47 . 2009-11-01 15:37 212408 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-05-16 12:47 . 2009-11-01 15:37 1039028 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-05-15 07:22 . 2004-08-04 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-05-14 17:49 . 2008-07-12 19:44 -------- d-----w- c:\program files\Bonjour
2010-05-14 17:47 . 2009-12-01 18:33 -------- d-----w- c:\program files\BitTorrent
2010-05-12 18:59 . 2009-04-15 19:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-12 15:12 . 2008-01-05 19:15 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-07 17:45 . 2007-04-04 17:09 -------- d-----w- c:\program files\CyberLink
2010-05-07 17:45 . 2007-04-04 17:09 -------- d-----w- c:\program files\InstallShield Installation Information
2010-05-06 19:12 . 2009-08-04 18:53 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-27 21:15 . 2010-04-27 21:15 -------- d-----w- c:\documents and settings\elly and charless\Application Data\Trusteer
2010-04-27 21:15 . 2010-04-27 21:15 -------- d-----w- c:\documents and settings\elly and charless\Application Data\Virgin Broadband
2010-04-27 15:15 . 2010-03-30 17:28 -------- d-----w- c:\program files\BitKinex
2010-04-03 09:48 . 2007-04-04 17:26 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-31 17:27 . 2010-03-31 17:27 -------- d-----w- c:\documents and settings\Daddy\Application Data\Trusteer
2010-03-31 17:27 . 2010-03-31 17:27 -------- d-----w- c:\program files\Trusteer
2010-03-31 17:26 . 2010-03-31 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Trusteer
2010-03-30 16:35 . 2010-03-30 16:35 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-03-10 06:15 . 2004-08-04 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-04 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-24 09:16 . 2009-10-02 18:27 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-17 08:10 . 2004-08-04 12:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2006-06-15 19:33 . 2009-06-04 17:13 233472 ----a-w- c:\program files\mozilla firefox\plugins\CrazyTalk4Native.dll
2006-05-25 17:43 . 2009-06-04 17:13 204895 ----a-w- c:\program files\mozilla firefox\plugins\ctdomemhelper.dll
2005-09-29 13:41 . 2009-06-04 17:13 77824 ----a-w- c:\program files\mozilla firefox\plugins\ctframeplayerobject.dll
2006-06-19 12:10 . 2009-06-04 17:13 426081 ----a-w- c:\program files\mozilla firefox\plugins\ctplayerobject.dll
2005-02-02 11:19 . 2009-06-04 17:12 458752 ----a-w- c:\program files\mozilla firefox\plugins\imagickrt.dll
2006-04-10 17:35 . 2009-06-04 17:13 139264 ----a-w- c:\program files\mozilla firefox\plugins\rlcontentclass.dll
2005-11-09 10:10 . 2009-06-04 17:12 204800 ----a-w- c:\program files\mozilla firefox\plugins\RLMusicPacker.dll
2005-11-09 10:42 . 2009-06-04 17:12 106496 ----a-w- c:\program files\mozilla firefox\plugins\RLMusicUnpacker.dll
2006-01-04 10:22 . 2009-06-04 17:12 212992 ----a-w- c:\program files\mozilla firefox\plugins\RLVoicePacker.dll
2006-01-04 10:21 . 2009-06-04 17:12 167936 ----a-w- c:\program files\mozilla firefox\plugins\RLVoiceUnpacker.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-05-15_08.11.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-16 12:48 . 2010-05-16 12:48 16384 c:\windows\Temp\Perflib_Perfdata_47c.dat
+ 2010-05-16 12:48 . 2010-05-16 12:48 16384 c:\windows\Temp\Perflib_Perfdata_340.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="c:\program files\CyberLink\Power2Go\Power2GoExpress.exe" [2005-03-23 1630303]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-06 2017280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="c:\program files\CyberLink\PowerCinema\PCMService.exe" [2005-01-14 110744]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"{1290A33C-85F5-4164-A1BE-7DD299D4986A}"="c:\program files\CyberLink\PowerBackup\PBKScheduler.exe" [2004-06-08 69721]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-20 7110656]
"nwiz"="nwiz.exe" [2005-07-20 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-07-20 86016]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 131072]
"SoundMan"="SOUNDMAN.EXE" [2005-10-04 90112]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2002-11-23 631362]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver2\LVCOMS.EXE" [2003-09-04 135214]
"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2007-04-09 20480]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"V0410Mon.exe"="c:\windows\V0410Mon.exe" [2007-06-07 32768]
"Broadbandadvisor.exe"="c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2009-05-27 2303216]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-22 141608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 21:34 24576 ----a-w- c:\program files\Stardock\Object Desktop\ThemeManager\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15834:TCP"= 15834:TCP:BitComet 15834 TCP
"15834:UDP"= 15834:UDP:BitComet 15834 UDP
"2005:TCP"= 2005:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [25/04/2010 15:52 59240]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [25/04/2010 15:52 158312]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [04/08/2004 13:00 14336]
R2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [22/09/2008 17:58 693512]
R2 RadialpointSafeConnectAgent;Virgin Broadband PCguard SafeConnectAgent;c:\program files\Virgin Broadband\PCguard\SafeConnect\bin\SanaAgent.exe [14/11/2008 19:28 4937752]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [25/04/2010 15:52 824552]
R3 RadialpointSafeConnectDriver;RadialpointSafeConnectDriver;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectDriver.sys [14/11/2008 19:28 161304]
R3 RadialpointSafeConnectFilter;RadialpointSafeConnectFilter;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectFilter.sys [14/11/2008 19:28 29720]
R3 RadialpointSafeConnectShim;RadialpointSafeConnectShim;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectShim.sys [14/11/2008 19:28 27376]
R3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:\windows\system32\drivers\livecamv.sys [04/06/2009 18:10 31616]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Daddy\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Daddy\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\Daddy\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys --> c:\docume~1\Daddy\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [22/09/2008 17:58 910600]
S3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\drivers\LV532AV.SYS [09/04/2007 19:39 152576]
S3 Radialpoint Security Services;Virgin Broadband PCguard;c:\program files\Virgin Broadband\PCguard\RpsSecurityAwareR.exe [27/05/2009 14:10 170736]
S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);c:\windows\system32\drivers\sea1bus.sys [26/01/2008 11:09 61536]
S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;c:\windows\system32\drivers\sea1mdfl.sys [26/01/2008 11:10 9360]
S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;c:\windows\system32\drivers\sea1mdm.sys [26/01/2008 11:10 97088]
S3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\sea1mgmt.sys [26/01/2008 11:10 88624]
S3 sea1nd5;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS);c:\windows\system32\drivers\sea1nd5.sys [26/01/2008 11:10 18704]
S3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface;c:\windows\system32\drivers\sea1obex.sys [26/01/2008 11:10 86432]
S3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM);c:\windows\system32\drivers\sea1unic.sys [26/01/2008 11:10 90800]
S3 V0410Afx;Creative Camera VF0410 Audio Effects Driver;c:\windows\system32\drivers\V0410AFX.sys [04/06/2009 19:31 142656]
S3 V0410Aud;Creative Camera VF0410 Noise Cancellation APO;c:\windows\system32\drivers\V0410Aud.sys [04/06/2009 19:31 94720]
S3 V0410Dev;Creative Camera VF0410 Driver;c:\windows\system32\drivers\V0410Dev.sys [04/06/2009 19:31 244704]
S3 V0410Vfx;Creative Camera VF0410 Video VFX Driver;c:\windows\system32\drivers\V0410Vfx.sys [04/06/2009 19:31 7168]
S4 iteraid;iteraid; [x]
S4 Si3112r;Si3112r; [x]
S4 viasraid;viasraid; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2010-02-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ntlworld.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: %20www.microsoft%20outlook
DPF: {17D667BA-5675-4AAB-9221-08B9379384D4} - hxxp://cdnimg.piczo.com/images/uploader/piczo_fast_uploader.cab
FF - ProfilePath - c:\documents and settings\Daddy\Application Data\Mozilla\Firefox\Profiles\qxc8b4y4.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRLCT4Player.dll
FF - plugin: c:\program files\Virgin Broadband\advisor\nprpspa.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-16 18:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1202660629-1078145449-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{43A61272-549B-4253-DCEF-9CE5D59823E9}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1024)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\Stardock\Object Desktop\ThemeManager\fastload.dll

- - - - - - - > 'explorer.exe'(15416)
c:\windows\system32\WININET.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\program files\Logitech\iTouch\iTchHk.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-05-16 18:47:13
ComboFix-quarantined-files.txt 2010-05-16 17:47
ComboFix2.txt 2010-05-15 08:17
ComboFix3.txt 2010-05-10 18:14

Pre-Run: 160,556,138,496 bytes free
Post-Run: 160,530,604,032 bytes free

- - End Of File - - 4C75790FE2FCBF12B3FF27560D93A7C3
  • 0
#14 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Hmm, maybe Dr Web did cure it, but it put up a fight

Have the redirects finished?
  • 0
#15 dukeminster (Topic Starter, New Member, 9 posts)
looks good at the moment!
  • 0