
help with malware please? [Solved]


  • This topic is locked

#1
djsnoopy11

djsnoopy11

    Member

  • Member
  • 11 posts
Please let me know if I need to do anything else... Thanks



ComboFix 10-06-13.01 - E 06/13/2010 21:44:21.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.332 [GMT -5:00]
Running from: c:\documents and settings\E\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\System\Uninstall
c:\windows\system32\service
c:\windows\system32\service\29112008_TIS17_SfFniAU.log
c:\windows\system32\service\30102008_TIS17_SfFniAU.log
c:\windows\system32\skinboxer43.dll

Infected copy of c:\windows\system32\drivers\intelide.sys was found and disinfected
Restored copy from - Kitty had a snack :)
.
((((((((((((((((((((((((( Files Created from 2010-05-14 to 2010-06-14 )))))))))))))))))))))))))))))))
.

2010-06-13 21:02 . 2010-06-13 21:05 -------- dc-h--w- c:\windows\ie8
2010-06-13 16:35 . 2010-06-13 16:35 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-06-06 22:04 . 2010-06-06 22:04 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\McAfee
2010-06-06 21:59 . 2010-06-06 21:59 -------- d-----w- c:\documents and settings\E\Local Settings\Application Data\Mozilla
2010-06-04 05:08 . 2010-06-04 05:08 57108 ---ha-w- c:\windows\system32\mlfcache.dat
2010-06-04 04:22 . 2010-06-04 04:22 -------- d-----w- c:\program files\iPod
2010-06-04 04:21 . 2010-06-04 04:23 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-06-04 04:14 . 2010-06-04 04:15 -------- d-----w- c:\program files\QuickTime
2010-06-04 04:08 . 2010-06-04 04:08 -------- d-----w- c:\program files\Bonjour
2010-06-04 03:55 . 2010-06-04 03:55 73000 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-06-04 03:45 . 2010-06-04 03:45 -------- d-----w- c:\documents and settings\E\Local Settings\Application Data\Apple
2010-06-04 02:16 . 2010-06-06 14:17 -------- d-----w- c:\documents and settings\E\Application Data\Apple Computer
2010-06-04 02:10 . 2010-06-04 02:14 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-05-30 19:14 . 2010-05-31 06:37 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo! Companion
2010-05-30 19:14 . 2010-05-30 19:14 -------- d-----w- c:\documents and settings\E\Application Data\Yahoo!
2010-05-28 01:49 . 2010-05-28 01:49 -------- d-----w- c:\windows\Performance
2010-05-28 01:49 . 2010-05-28 01:49 -------- d-----w- c:\documents and settings\E\Local Settings\Application Data\Microsoft Corporation
2010-05-28 01:48 . 2010-05-28 01:48 70368 ----a-w- c:\documents and settings\E\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-28 01:48 . 2010-05-28 01:48 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2010-05-25 15:11 . 2010-05-25 15:12 -------- d-----w- c:\documents and settings\E\Local Settings\Application Data\Adobe
2010-05-25 02:16 . 2010-05-25 02:16 0 ----a-w- c:\windows\nsreg.dat
2010-05-25 02:16 . 2010-05-25 02:16 -------- d-----w- c:\documents and settings\E\Local Settings\Application Data\Netscape
2010-05-25 02:16 . 2010-05-25 02:16 -------- d-----w- c:\documents and settings\E\Application Data\Netscape
2010-05-25 02:16 . 2010-05-25 02:16 -------- d-----w- c:\program files\Netscape
2010-05-25 02:13 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-25 02:13 . 2010-05-25 02:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-25 02:13 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-23 13:55 . 2010-05-23 13:55 -------- d-----w- c:\documents and settings\E\Application Data\Malwarebytes
2010-05-23 07:12 . 2010-05-23 14:55 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\dhlplqpan
2010-05-23 07:10 . 2010-05-23 07:10 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-05-20 06:52 . 2010-05-20 17:37 -------- d-----w- c:\documents and settings\E\Local Settings\Application Data\Google
2010-05-18 01:58 . 2010-05-18 01:58 -------- d-sh--w- c:\documents and settings\E\IECompatCache
2010-05-18 01:57 . 2010-05-18 01:57 -------- d-----w- c:\documents and settings\E\Application Data\HP
2010-05-18 01:57 . 2010-05-18 01:57 -------- d-sh--w- c:\documents and settings\E\PrivacIE
2010-05-18 01:57 . 2010-06-04 03:46 -------- d-----w- c:\documents and settings\E\Local Settings\Application Data\Apple Computer
2010-05-18 01:56 . 2004-08-04 02:56 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-05-18 01:41 . 2010-06-12 03:24 -------- d-----w- c:\documents and settings\E
2010-05-17 00:01 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-05-16 22:54 . 2010-02-25 06:24 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-05-16 22:54 . 2010-02-25 06:24 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-05-16 22:27 . 2010-05-16 22:27 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY\IETldCache
2010-05-16 21:37 . 2010-05-16 21:37 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-05-16 17:01 . 2010-06-13 16:34 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Alwil Software
2010-05-16 17:01 . 2010-05-16 17:01 -------- d-----w- c:\program files\Alwil Software
2010-05-16 13:55 . 2010-05-16 13:55 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2010-05-16 13:36 . 2010-05-16 13:36 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\MSN6
2010-05-16 00:23 . 2010-05-16 00:24 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-04 04:22 . 2007-10-29 19:26 -------- d-----w- c:\program files\Common Files\Apple
2010-05-30 19:14 . 2004-11-19 19:05 -------- d-----w- c:\program files\Yahoo!
2010-05-23 07:10 . 2007-09-06 13:37 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-16 07:01 . 2007-10-28 06:14 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo!
2010-05-16 06:58 . 2009-11-05 10:38 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-04-28 04:51 . 2010-04-28 04:49 -------- d-----w- c:\program files\Upromise
2010-04-24 16:17 . 2007-01-12 23:13 -------- d-----w- c:\program files\Mystery Case Files - Ravenhearst
2010-04-08 18:20 . 2010-04-08 18:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 18:20 . 2010-04-08 18:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2009-09-04 158448]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="g:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Auto run of VideoCam Suite 1.0.lnk - c:\program files\Panasonic\VideoCamSuite\VideoCamSuiteAutoStart.exe [2009-10-21 161160]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\network diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"g:\\Program Files\\iTunes\\iTunes.exe"=

R1 sosnf32;sosnf32;c:\windows\system32\drivers\sosnf32.sys [2/21/2010 12:38 AM 47488]
R2 SOSNFFSV;SOSNF Filter Service;c:\program files\SOS\SOSNF\sosnffsv.exe [2/21/2010 12:38 AM 1182080]
R2 SOSNFLSV;SOSNF Logging Service;c:\program files\SOS\SOSNF\sosnflsv.exe [2/21/2010 12:38 AM 1633664]
R2 sosnfusv;SOSNF Update Service;c:\program files\SOS\SOSNF\sosnfusv.exe [2/21/2010 12:38 AM 1106304]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [4/8/2009 5:38 AM 92008]
S2 gupdate1c98b0c522bf250;Google Update Service (gupdate1c98b0c522bf250);c:\program files\Google\Update\GoogleUpdate.exe [2/9/2009 6:15 PM 133104]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
S3 w600bus;Sony Ericsson W600 driver (WDM);c:\windows\system32\drivers\w600bus.sys [12/2/2006 9:20 PM 60928]
S3 w600mdfl;Sony Ericsson W600 USB WMC Modem Filter;c:\windows\system32\drivers\w600mdfl.sys [7/18/2005 1:24 PM 8336]
S3 w600mdm;Sony Ericsson W600 USB WMC Modem Drivers;c:\windows\system32\drivers\w600mdm.sys [7/18/2005 1:24 PM 96672]
S3 w600mgmt;Sony Ericsson W600 USB WMC Device Management Drivers;c:\windows\system32\drivers\w600mgmt.sys [7/18/2005 1:25 PM 88080]
S3 w600obex;Sony Ericsson W600 USB WMC OBEX Interface Drivers;c:\windows\system32\drivers\w600obex.sys [7/18/2005 1:26 PM 85952]
.
Contents of the 'Scheduled Tasks' folder

2010-06-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2010-06-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-09 23:15]

2010-06-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-09 23:15]

2007-08-18 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-02-05 23:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1253879194&rver=6.0.5285.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&lc=1033&id=64855&mkt=en-us
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\E\Application Data\Mozilla\Firefox\Profiles\f1tc91t3.default\
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: g:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKU-Default-Run-dqnqitoy - c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\dhlplqpan\kotwrsitssd.exe
SafeBoot-WudfPf
SafeBoot-WudfRd



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-13 22:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x82AEBCEC]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf85baf28
\Driver\ACPI -> ACPI.sys @ 0xf852dcb8
\Driver\atapi -> atapi.sys @ 0xf84e5852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
NDIS: Intel® PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf83dabb0
PacketIndicateHandler -> NDIS.sys @ 0xf83e7a21
SendHandler -> NDIS.sys @ 0xf83c587b
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SOSNFFSV]
"ImagePath"="c:\program files\SOS\SOSNF\sosnffsv.exe /startedbyscm:50F0C285-40E273A9-gpsServiceSvc"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SOSNFLSV]
"ImagePath"="c:\program files\SOS\SOSNF\sosnflsv.exe /startedbyscm:50F0C285-40E273A9-gpsServiceSvc"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\sosnfusv]
"ImagePath"="c:\program files\SOS\SOSNF\sosnfusv.exe /startedbyscm:9EA6B2B7-40E274A8-gpsServiceSvc"
.
Completion time: 2010-06-13 22:10:29
ComboFix-quarantined-files.txt 2010-06-14 03:10

Pre-Run: 26,374,361,088 bytes free
Post-Run: 26,554,900,480 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /noexecute=optin

- - End Of File - - 8C2892EA05BA6F17B7372EA798CA9E1D
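An added example (not part of this thread and not ComboFix's own code) that pulls out of a ComboFix log like the one above the three things a helper checks first: repaired system files, Security Center values silenced, and autorun entries pointing into a profile's Local Settings\Application Data tree. The sample log is constructed from post #1; the "autorun from profile AppData" rule is my own triage heuristic, not a verdict.

```python
"""Triage a ComboFix log pasted into a forum reply.

Added example for this thread; not ComboFix's own code, and the
heuristics are mine. It picks out three things a helper scans for first:
  1. "Infected copy of <file> was found and disinfected" lines
  2. Security Center override / DisableMonitoring values set to 1
     (a common way for malware to silence AV/firewall warnings)
  3. autorun entries whose target lives under a profile's
     "Local Settings\\Application Data" tree (assumption: a heuristic,
     not a verdict; legitimate software rarely autoruns from there on XP)
SAMPLE_LOG is constructed from the ComboFix output in post #1.
"""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""
Infected copy of c:\windows\system32\drivers\intelide.sys was found and disinfected
Restored copy from - Kitty had a snack :)
.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKU-Default-Run-dqnqitoy - c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\dhlplqpan\kotwrsitssd.exe
SafeBoot-WudfPf
"""

# Security Center values that, when set to 1, suppress its monitoring/alerts.
SECURITY_CENTER_VALUES = {"antivirusoverride", "firewalloverride", "disablemonitoring"}

KEY_RE = re.compile(r"^\[(.+)\]$")                            # [HKEY_...\Run]
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')   # "Name"=dword:00000001
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"')             # "Name"="path" [date size]
ORPHAN_RUN_RE = re.compile(r"^(\S+-Run-\S+) - (.+)$")          # HKU-Default-Run-xxx - path
INFECTED_RE = re.compile(r"^Infected copy of (.+?) was found and disinfected$")


@dataclass
class Findings:
    disinfected: list = field(default_factory=list)                # file paths ComboFix repaired
    security_center_tampering: list = field(default_factory=list)  # (key, value name)
    suspicious_autoruns: list = field(default_factory=list)        # (entry name, target path)


def is_profile_appdata_path(path: str) -> bool:
    """Heuristic: target sits under <profile>\\Local Settings\\Application Data\\ (XP layout)."""
    return "\\local settings\\application data\\" in path.lower()


def triage_combofix_log(text: str) -> Findings:
    """Walk the log line by line, tracking the current REGEDIT4 key."""
    findings = Findings()
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        m = INFECTED_RE.match(line)
        if m:
            findings.disinfected.append(m.group(1))
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = DWORD_RE.match(line)
        if m and "security center" in current_key.lower():
            name, value = m.group(1), int(m.group(2), 16)
            if name.lower() in SECURITY_CENTER_VALUES and value == 1:
                findings.security_center_tampering.append((current_key, name))
            continue
        m = RUN_VALUE_RE.match(line)
        if m and current_key.lower().endswith("\\run"):
            if is_profile_appdata_path(m.group(2)):
                findings.suspicious_autoruns.append((m.group(1), m.group(2)))
            continue
        m = ORPHAN_RUN_RE.match(line)  # entries ComboFix already removed as orphans
        if m and is_profile_appdata_path(m.group(2)):
            findings.suspicious_autoruns.append((m.group(1), m.group(2)))
    return findings


if __name__ == "__main__":
    result = triage_combofix_log(SAMPLE_LOG)
    for path in result.disinfected:
        print("repaired system file:", path)
    for key, name in result.security_center_tampering:
        print("Security Center silenced:", name, "in", key)
    for name, target in result.suspicious_autoruns:
        print("autorun from profile AppData:", name, "->", target)
```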


#2
azarl

azarl

    GeekU Admin

  • Community Leader
  • 25,310 posts
Hi

Welcome to Geekstogo. I'll be helping you with this problem.

  • Please read all of my response through at least once before attempting to follow the procedures described. I would recommend printing them out, if you can, as you can check off each step as you complete it. If there's anything you don't understand or isn't totally clear, please come back to me for clarification.

  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply. You can do this in separate posts if it's easier for you.

ComboFix is a very powerful tool - and highly dangerous if used without full knowledge of its function. On this occasion no harm was done, but it can make your system unbootable.

Please download MBR.exe and save it to C:\
  • Click on Start button.
  • Click Run and type cmd followed by a carriage return
  • Click on Command Prompt.
  • In the Command box type

    c:\mbr -f

  • It will create a file c:\mbr.log; please paste the contents of that file in your reply

Edited by azarl, 16 June 2010 - 04:33 AM.


#3
djsnoopy11

djsnoopy11

    Member

  • Topic Starter
  • Member
  • 11 posts
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

#4
azarl

azarl

    GeekU Admin

  • Community Leader
  • 25,310 posts
Note! To use this tool read the following instructions thoroughly first. Dell users pay attention to the last note.

Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
  • Close out all other open programs and windows.
  • Double click the file to run it and follow any prompts.
    From here there are two different routes.

  • If the tool detects an mbr infection
    • Please allow it to run mbr -f and shutdown your computer.
    • Upon restarting, please wait about 5 minutes
    • Click Start>Run and type the following bolded command, then hit Enter.
      Note! Make sure you leave a space between helpasst and -mbrt

      helpasst -mbrt

    • When it completes, a log will open.
    • Please post the contents of that log.

  • In the event the tool does not detect an mbr infection and completes
    • click Start>Run and type the following bolded command, then hit Enter.
      Note! Make sure you leave a space between mbr and -f

      mbr -f

    • Now, please do the Start>Run>mbr -f command a second time.
    • Now shut down the computer (do not restart, but shut it down),
    • Wait a few minutes then start it back up.
    • Wait about 5 minutes
    • Click Start>Run and type the following bolded command, then hit Enter.
      Note! Make sure you leave a space between helpasst and -mbrt

      helpasst -mbrt

    • When it completes, a log will open.
    • Please post the contents of that log.


**Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).

Edited by azarl, 17 June 2010 - 02:35 AM.


#5
djsnoopy11

djsnoopy11

    Member

  • Topic Starter
  • Member
  • 11 posts
C:\Documents and Settings\E\Desktop\HelpAsst_mebroot_fix.exe
Thu 06/17/2010 at 18:54:21.39

HelpAssistant account Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking firewall ports ~~

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Thu 06/17/2010 at 19:13:46.95

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82AEDCEC]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~
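An added example (not Gmer's code and not part of the thread) that summarises the "Stealth MBR rootkit/Mebroot/Sinowal detector" output quoted in posts #1, #3 and #5: it reads the verdict line the helper is looking for and separately records what still deserves a second look (an UNKNOWN entry in the called modules, any lines under "detected MBR rootkit hooks:"). Both samples are constructed from the runs quoted in this thread; the "needs follow-up" flag is my own triage aid, not a verdict.

```python
"""Summarise Gmer's Stealth MBR detector output as pasted into a reply.

Added example, not Gmer's code. The verdict line is "user & kernel MBR OK";
everything else collected here is context a helper reviews before deciding
whether to ask for another mbr run (the thread asked for mbr -f after seeing
an UNKNOWN module). Samples are constructed from posts #1 and #3.
"""
import re
from dataclasses import dataclass, field

RUN_WITH_UNKNOWN = r"""Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x82AEBCEC]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf85baf28
\Driver\atapi -> atapi.sys @ 0xf84e5852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
user & kernel MBR OK
"""

CLEAN_RUN = r"""Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
"""

UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
# "<object> -> <module> @ <address>"; the object part may itself contain " -> ".
HOOK_RE = re.compile(r"^(.+?) -> (\S+) @ (0x[0-9A-Fa-f]+)$")


@dataclass
class MbrReport:
    user_read: bool = False
    kernel_read: bool = False
    mbr_ok: bool = False                                    # the detector's own verdict line
    unknown_modules: list = field(default_factory=list)     # addresses flagged UNKNOWN
    hooks: list = field(default_factory=list)               # (object, module, address)

    @property
    def needs_followup(self) -> bool:
        # Triage aid, not a verdict: true when the verdict is missing or when the
        # run reported anything a helper would want to look at again.
        return (not self.mbr_ok) or bool(self.unknown_modules) or bool(self.hooks)


def parse_mbr_output(text: str) -> MbrReport:
    report = MbrReport()
    in_hooks = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "user: MBR read successfully":
            report.user_read = True
        elif line == "kernel: MBR read successfully":
            report.kernel_read = True
        elif line == "user & kernel MBR OK":
            report.mbr_ok = True
            in_hooks = False
        elif line.startswith("called modules:"):
            report.unknown_modules.extend(UNKNOWN_RE.findall(line))
        elif line == "detected MBR rootkit hooks:":
            in_hooks = True
        elif in_hooks:
            m = HOOK_RE.match(line)
            if m:
                report.hooks.append((m.group(1), m.group(2), m.group(3)))
            else:
                in_hooks = False  # first non-hook line ends the section
    return report


if __name__ == "__main__":
    for label, sample in (("post #1", RUN_WITH_UNKNOWN), ("post #3", CLEAN_RUN)):
        r = parse_mbr_output(sample)
        print(label, "MBR OK:", r.mbr_ok, "unknown:", r.unknown_modules,
              "hooks:", len(r.hooks), "follow-up:", r.needs_followup)
```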

#6
azarl

azarl

    GeekU Admin

  • Community Leader
  • 25,310 posts
» Step 1 «
Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
» Step 2 «
OTL
OTL is currently our primary tool for searching key areas of the registry and other system locations for the telltale signs of malware. It generates a comprehensive log, and offers an initial diagnosis.

  • Download OTL to your Desktop
  • Double click on the OTL icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in:

    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and paste them into your reply.

» Step 3 «
Download GMER Rootkit Scanner. Note the files name and unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Please copy and paste the report into your Post.

#7
djsnoopy11

djsnoopy11

    Member

  • Topic Starter
  • Member
  • 11 posts
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4194

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/18/2010 8:43:50 AM
mbam-log-2010-06-18 (08-43-50).txt

Scan type: Quick scan
Objects scanned: 149511
Time elapsed: 9 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

OTL
OTL logfile created on: 6/18/2010 8:51:56 AM - Run 3
OTL by OldTimer - Version 3.2.6.0 Folder = C:\Documents and Settings\E\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 158.00 Mb Available Physical Memory | 31.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 74.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 24.67 Gb Free Space | 66.24% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 149.05 Gb Total Space | 97.50 Gb Free Space | 65.42% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: KEW
Current User Name: E
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/06/18 08:51:19 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\E\Desktop\OTL.exe
PRC - [2010/04/16 08:33:40 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/04/01 12:58:04 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/02/13 12:52:30 | 001,633,664 | ---- | M] (Solid Oak Software) -- C:\Program Files\SOS\SOSNF\sosnflsv.exe
PRC - [2010/02/13 12:52:28 | 001,106,304 | ---- | M] (Solid Oak Software) -- C:\Program Files\SOS\SOSNF\sosnfusv.exe
PRC - [2010/02/13 12:52:26 | 001,182,080 | ---- | M] (Solid Oak Software) -- C:\Program Files\SOS\SOSNF\sosnffsv.exe
PRC - [2009/09/04 13:16:54 | 000,158,448 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Zune\ZuneLauncher.exe
PRC - [2009/09/04 13:16:54 | 000,058,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ZuneBusEnum.exe
PRC - [2009/04/08 05:38:14 | 000,092,008 | ---- | M] (TomTom) -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/06/15 12:57:42 | 000,145,504 | ---- | M] (B.H.A Corporation) -- C:\WINDOWS\system32\bgsvcgen.exe
PRC - [2006/03/03 21:03:10 | 000,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
PRC - [2001/08/17 17:36:42 | 000,024,064 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\devldr32.exe


========== Modules (SafeList) ==========

MOD - [2010/06/18 08:51:19 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\E\Desktop\OTL.exe
MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (Symantec Core LC)
SRV - File not found [Auto | Stopped] -- -- (Automatic LiveUpdate Scheduler)
SRV - [2010/04/16 08:33:40 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/02/13 12:52:30 | 001,633,664 | ---- | M] (Solid Oak Software) [Auto | Running] -- C:\Program Files\SOS\SOSNF\sosnflsv.exe -- (SOSNFLSV)
SRV - [2010/02/13 12:52:28 | 001,106,304 | ---- | M] (Solid Oak Software) [Auto | Running] -- C:\Program Files\SOS\SOSNF\sosnfusv.exe -- (sosnfusv)
SRV - [2010/02/13 12:52:26 | 001,182,080 | ---- | M] (Solid Oak Software) [Auto | Running] -- C:\Program Files\SOS\SOSNF\sosnffsv.exe -- (SOSNFFSV)
SRV - [2009/09/04 13:17:00 | 000,447,216 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc)
SRV - [2009/09/04 13:16:54 | 005,893,360 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc)
SRV - [2009/09/04 13:16:54 | 000,058,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ZuneBusEnum.exe -- (ZuneBusEnum)
SRV - [2009/04/08 05:38:14 | 000,092,008 | ---- | M] (TomTom) [Auto | Running] -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)
SRV - [2007/06/15 12:57:42 | 000,145,504 | ---- | M] (B.H.A Corporation) [Auto | Running] -- C:\WINDOWS\System32\bgsvcgen.exe -- (bgsvcgen)
SRV - [2006/03/03 21:03:10 | 000,069,632 | ---- | M] (HP) [Unknown | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - [2010/02/13 12:52:22 | 000,047,488 | ---- | M] (CYBERsitter LLC) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\sosnf32.sys -- (sosnf32)
DRV - [2009/09/02 00:28:46 | 000,040,832 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\zumbus.sys -- (zumbus)
DRV - [2008/04/13 13:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2007/06/20 04:00:00 | 000,009,200 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2007/06/20 04:00:00 | 000,009,072 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2007/06/15 12:26:38 | 000,513,152 | ---- | M] (Windows ® 2000/XP) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WmaCDriverV32.sys -- (WmaCDriverV32)
DRV - [2006/11/02 08:00:08 | 000,039,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\winusb.sys -- (WinUSB)
DRV - [2006/09/22 17:33:38 | 000,515,200 | ---- | M] (Windows ® 2000/XP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SndTDriverV32.sys -- (SndTDriverV32)
DRV - [2006/02/20 19:17:00 | 000,033,408 | ---- | M] (B.H.A Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdrbsdrv.sys -- (cdrbsdrv)
DRV - [2005/08/15 09:05:59 | 000,060,928 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\w600bus.sys -- (w600bus) Sony Ericsson W600 driver (WDM)
DRV - [2005/07/18 13:26:40 | 000,085,952 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\w600obex.sys -- (w600obex)
DRV - [2005/07/18 13:25:36 | 000,088,080 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\w600mgmt.sys -- (w600mgmt)
DRV - [2005/07/18 13:24:32 | 000,096,672 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\w600mdm.sys -- (w600mdm)
DRV - [2005/07/18 13:24:26 | 000,008,336 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\w600mdfl.sys -- (w600mdfl)
DRV - [2005/06/11 11:33:44 | 000,004,608 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\symlcbrd.sys -- (symlcbrd)
DRV - [2004/08/03 17:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2001/08/17 07:19:34 | 000,036,480 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sfmanm.sys -- (sfman) Creative SoundFont Manager Driver (WDM)
DRV - [2001/08/17 07:19:28 | 000,006,912 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctlfacem.sys -- (emu10k1) Creative Interface Manager Driver (WDM)
DRV - [2001/08/17 07:19:26 | 000,283,904 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emu10k1m.sys -- (emu10k) Creative SB Live! (WDM)
DRV - [2001/08/17 07:19:20 | 000,003,712 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctljystk.sys -- (ctljystk)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://login.live.co...n...5&mkt=en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 8C 4F F7 82 2D F6 CA 01 [binary data]
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: [email protected]:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/06/06 16:59:07 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/06/13 22:57:54 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Netscape Navigator 9.0.0.6\extensions\\Components: C:\Program Files\Netscape\Navigator 9\components [2010/06/03 23:16:00 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Netscape Navigator 9.0.0.6\extensions\\Plugins: C:\Program Files\Netscape\Navigator 9\plugins [2010/06/09 08:22:20 | 000,000,000 | ---D | M]

[2010/06/06 16:59:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\E\Application Data\Mozilla\Extensions
[2010/06/16 15:11:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\E\Application Data\Mozilla\Firefox\Profiles\f1tc91t3.default\extensions
[2010/06/16 15:10:56 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\E\Application Data\Mozilla\Firefox\Profiles\f1tc91t3.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/06/16 15:11:05 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/06/13 22:57:57 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/06/13 22:57:34 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/06/13 22:00:45 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (DCA BHO) - {B49699FC-1665-4414-A1CB-C4A2A4A13EEC} - C:\Program Files\Upromise\dca-bho.dll (Compete, Inc.)
O2 - BHO: (Upromise TurboSaver) - {EDC0F17F-F4B7-47e4-B73E-887FAEB376FA} - C:\Program Files\Upromise\upromisetoolbar.dll (Upromise, Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Zune Launcher] C:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Auto run of VideoCam Suite 1.0.lnk = C:\Program Files\Panasonic\VideoCamSuite\VideoCamSuiteAutoStart.exe (Matsushita Electric Industrial Co., Ltd.)
O4 - Startup: C:\Documents and Settings\E\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Upromise TurboSaver - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - C:\Program Files\Upromise\upromisetoolbar.dll (Upromise, Inc.)
O9 - Extra 'Tools' menuitem : Upromise TurboSaver - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - C:\Program Files\Upromise\upromisetoolbar.dll (Upromise, Inc.)
O9 - Extra Button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe File not found
O9 - Extra 'Tools' menuitem : PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx1.hotmail....ol/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logme...trl.cab?lmi=100 (Performance Viewer Activex Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/06/10 21:39:28 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2005/06/10 21:38:42 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

Drivers32: aux - C:\WINDOWS\System32\ctwdm32.dll (Creative Technology Ltd.)
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17746534284132352)

========== Files/Folders - Created Within 90 Days ==========

[2010/06/18 08:51:18 | 000,572,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\E\Desktop\OTL.exe
[2010/06/17 18:54:19 | 000,278,016 | ---- | C] (SteelWerX) -- C:\WINDOWS\swreg.exe
[2010/06/14 23:52:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E\Local Settings\Application Data\Temp
[2010/06/14 20:43:30 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/06/14 17:32:08 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\E\Desktop\erunt_setup.exe
[2010/06/13 23:48:07 | 000,201,728 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\E\Desktop\OTC.exe
[2010/06/13 23:11:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Sun
[2010/06/13 23:11:05 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/06/13 22:27:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E\Desktop\anti-virus
[2010/06/13 22:24:53 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/06/13 22:10:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/06/13 21:30:37 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/06/13 21:22:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/06/13 16:02:48 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2010/06/11 21:29:57 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\E\Recent
[2010/06/09 08:27:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E\My Documents\Downloads
[2010/06/06 17:04:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee
[2010/06/06 16:59:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E\Local Settings\Application Data\Mozilla
[2010/06/06 16:59:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E\Application Data\Mozilla
[2010/06/06 16:58:06 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010/06/04 08:27:22 | 000,000,000 | R--D | C] -- C:\Documents and Settings\E\My Documents\My Videos
[2010/06/03 23:22:20 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/06/03 23:21:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/06/03 23:14:10 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/06/03 23:08:00 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/06/03 22:45:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E\Local Settings\Application Data\Apple
[2010/06/03 21:16:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E\Application Data\Apple Computer
[2010/06/03 21:10:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2010/05/30 14:14:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo! Companion
[2010/05/30 14:14:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E\Application Data\Yahoo!
[2010/05/27 20:49:25 | 000,000,000 | ---D | C] -- C:\WINDOWS\Performance
[2010/05/27 20:49:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E\Local Settings\Application Data\Microsoft Corporation
[2010/05/27 20:48:15 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Windows 7 Upgrade Advisor
[2010/05/25 10:11:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E\Local Settings\Application Data\Adobe
[2010/05/24 21:16:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E\Local Settings\Application Data\Netscape
[2010/05/24 21:16:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E\Application Data\Netscape
[2010/05/24 21:16:20 | 000,000,000 | ---D | C] -- C:\Program Files\Netscape
[2010/05/24 21:13:30 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/05/24 21:13:29 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/05/24 21:13:29 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/23 08:55:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E\Application Data\Malwarebytes
[2010/05/20 01:52:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E\Local Settings\Application Data\Google
[2010/05/17 21:20:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E\Application Data\Sun
[2010/05/17 20:58:42 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\E\IECompatCache
[2010/05/17 20:57:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E\Application Data\HP
[2010/05/17 20:57:48 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\E\PrivacIE
[2010/05/17 20:57:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E\Local Settings\Application Data\Apple Computer
[2010/05/17 20:56:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E\Application Data\Identities
[2010/05/17 20:56:36 | 000,000,000 | R--D | C] -- C:\Documents and Settings\E\My Documents\My Music
[2010/05/17 20:56:35 | 000,000,000 | R--D | C] -- C:\Documents and Settings\E\My Documents\My Pictures
[2010/05/17 20:52:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E\Application Data\Adobe
[2010/05/17 20:41:42 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\E\IETldCache
[2010/05/17 20:41:22 | 000,000,000 | --SD | C] -- C:\Documents and Settings\E\Application Data\Microsoft
[2010/05/17 20:41:22 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\E\SendTo
[2010/05/17 20:41:22 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\E\Application Data
[2010/05/17 20:41:22 | 000,000,000 | R--D | C] -- C:\Documents and Settings\E\My Documents
[2010/05/17 20:41:22 | 000,000,000 | R--D | C] -- C:\Documents and Settings\E\Favorites
[2010/05/17 20:41:22 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\E\Cookies
[2010/05/17 20:41:22 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\E\PrintHood
[2010/05/17 20:41:22 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\E\NetHood
[2010/05/17 20:41:22 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\E\Local Settings
[2010/05/17 20:41:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E\Local Settings\Application Data\Microsoft
[2010/05/17 20:41:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E\Application Data\Macromedia
[2010/05/17 20:41:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E\Desktop
[2010/05/17 20:41:21 | 000,000,000 | R--D | C] -- C:\Documents and Settings\E\Start Menu
[2010/05/17 20:41:21 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\E\Templates
[2010/05/16 19:01:13 | 000,157,712 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2010/05/16 12:01:26 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/05/16 12:01:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Alwil Software
[2010/05/16 08:36:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\MSN6
[2010/04/27 23:49:30 | 000,000,000 | ---D | C] -- C:\Program Files\Upromise
[2003/12/09 14:16:52 | 000,442,368 | ---- | C] ( ) -- C:\WINDOWS\System32\comintfs.dll

========== Files - Modified Within 90 Days ==========

[2010/06/18 08:51:19 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\E\Desktop\OTL.exe
[2010/06/18 08:29:16 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/06/18 08:28:48 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/06/18 08:28:44 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/18 08:28:40 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/18 08:28:38 | 535,896,064 | -HS- | M] () -- C:\hiberfil.sys
[2010/06/17 19:16:34 | 001,310,720 | -H-- | M] () -- C:\Documents and Settings\E\NTUSER.DAT
[2010/06/17 19:16:34 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\E\ntuser.ini
[2010/06/17 18:56:04 | 003,768,362 | -H-- | M] () -- C:\Documents and Settings\E\Local Settings\Application Data\IconCache.db
[2010/06/17 18:52:17 | 000,490,232 | ---- | M] () -- C:\Documents and Settings\E\Desktop\HelpAsst_mebroot_fix.exe
[2010/06/17 18:21:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/06/16 17:18:32 | 000,272,576 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/16 15:39:51 | 000,077,312 | ---- | M] () -- C:\mbr.exe
[2010/06/16 11:34:24 | 000,118,272 | ---- | M] () -- C:\Documents and Settings\E\My Documents\malware.doc
[2010/06/14 20:43:35 | 000,000,767 | ---- | M] () -- C:\Documents and Settings\E\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/06/14 20:43:30 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\E\Desktop\NTREGOPT.lnk
[2010/06/14 20:43:30 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\E\Desktop\ERUNT.lnk
[2010/06/14 20:36:16 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\E\Desktop\gmer.zip
[2010/06/14 20:36:02 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\E\Desktop\erunt_setup.exe
[2010/06/14 16:45:08 | 000,003,879 | ---- | M] () -- C:\Documents and Settings\E\My Documents\kasp.html
[2010/06/14 03:50:41 | 000,201,728 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\E\Desktop\OTC.exe
[2010/06/13 22:01:36 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/06/13 22:00:45 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/06/13 21:30:46 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/06/13 10:32:11 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/06/11 21:33:54 | 000,020,992 | ---- | M] () -- C:\Documents and Settings\E\My Documents\Pappasito.doc
[2010/06/06 18:16:49 | 000,039,424 | ---- | M] () -- C:\Documents and Settings\E\Desktop\debt stuff.xls
[2010/06/06 16:58:16 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Mozilla Firefox.lnk
[2010/06/05 22:17:10 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/06/04 08:26:49 | 000,003,584 | ---- | M] () -- C:\Documents and Settings\E\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/06/04 06:06:52 | 000,002,055 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\iTunes.lnk
[2010/06/04 00:08:59 | 000,057,108 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/05/30 14:14:20 | 000,000,654 | ---- | M] () -- C:\Documents and Settings\E\Desktop\CCleaner.lnk
[2010/05/27 20:48:34 | 000,070,368 | ---- | M] () -- C:\Documents and Settings\E\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/05/27 20:48:17 | 000,001,862 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Windows 7 Upgrade Advisor.lnk
[2010/05/24 21:16:32 | 000,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat
[2010/05/24 21:16:23 | 000,001,709 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Netscape Navigator.lnk
[2010/05/23 02:10:06 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/05/23 02:10:06 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/05/16 07:59:30 | 000,001,915 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Google Earth.lnk
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe

========== Files Created - No Company Name ==========

[2010/06/17 18:54:19 | 000,082,944 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/06/17 18:32:39 | 000,490,232 | ---- | C] () -- C:\Documents and Settings\E\Desktop\HelpAsst_mebroot_fix.exe
[2010/06/16 15:39:50 | 000,077,312 | ---- | C] () -- C:\mbr.exe
[2010/06/16 15:36:31 | 000,000,195 | ---- | C] () -- C:\Documents and Settings\E\mbr.log
[2010/06/16 11:34:24 | 000,118,272 | ---- | C] () -- C:\Documents and Settings\E\My Documents\malware.doc
[2010/06/14 20:43:35 | 000,000,767 | ---- | C] () -- C:\Documents and Settings\E\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/06/14 20:43:30 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\E\Desktop\NTREGOPT.lnk
[2010/06/14 20:43:30 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\E\Desktop\ERUNT.lnk
[2010/06/14 17:29:36 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\E\Desktop\gmer.zip
[2010/06/14 16:45:08 | 000,003,879 | ---- | C] () -- C:\Documents and Settings\E\My Documents\kasp.html
[2010/06/13 21:30:45 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/06/13 21:30:41 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/06/13 21:22:59 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/06/13 21:22:59 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/06/13 15:51:57 | 535,896,064 | -HS- | C] () -- C:\hiberfil.sys
[2010/06/06 16:58:16 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Mozilla Firefox.lnk
[2010/06/04 08:26:48 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\E\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/06/04 01:16:04 | 000,020,992 | ---- | C] () -- C:\Documents and Settings\E\My Documents\Pappasito.doc
[2010/06/04 00:08:59 | 000,057,108 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/06/03 23:23:41 | 000,002,055 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\iTunes.lnk
[2010/05/30 14:14:20 | 000,000,654 | ---- | C] () -- C:\Documents and Settings\E\Desktop\CCleaner.lnk
[2010/05/27 20:48:17 | 000,001,862 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Windows 7 Upgrade Advisor.lnk
[2010/05/27 18:25:03 | 000,039,424 | ---- | C] () -- C:\Documents and Settings\E\Desktop\debt stuff.xls
[2010/05/24 21:16:32 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/05/24 21:16:23 | 000,001,709 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Netscape Navigator.lnk
[2010/05/23 02:10:06 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/05/17 20:41:23 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\E\ntuser.ini
[2010/05/17 20:41:21 | 001,310,720 | -H-- | C] () -- C:\Documents and Settings\E\NTUSER.DAT
[2010/05/17 20:41:21 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\E\ntuser.dat.LOG
[2010/05/16 07:59:30 | 000,001,915 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Google Earth.lnk
[2009/02/05 23:10:02 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/02/04 18:23:10 | 000,693,792 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2007/08/09 12:08:04 | 000,462,848 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll
[2007/02/26 17:19:58 | 000,000,221 | ---- | C] () -- C:\WINDOWS\NCLogConfig.ini
[2007/02/26 16:42:49 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\HPZIDS01.dll
[2006/10/21 12:59:59 | 000,262,144 | ---- | C] () -- C:\WINDOWS\System32\Manipulate.dll
[2006/09/24 13:53:54 | 000,268,242 | ---- | C] () -- C:\WINDOWS\System32\erdmpg-parse.dll
[2006/09/24 13:53:42 | 002,518,779 | ---- | C] () -- C:\WINDOWS\System32\erdmpg-enc.dll
[2006/09/24 13:52:04 | 000,030,693 | ---- | C] () -- C:\WINDOWS\System32\erdmpg-int.dll
[2005/11/17 12:57:30 | 000,258,560 | ---- | C] () -- C:\WINDOWS\System32\MusicTagsAX.dll
[2005/10/14 22:10:24 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\comLyricGetter.dll
[2004/02/01 14:21:56 | 000,097,280 | ---- | C] () -- C:\WINDOWS\System32\Uncommon.dll
[2003/08/07 15:01:50 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/07/07 04:00:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== LOP Check ==========

[2010/06/13 11:34:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Alwil Software
[2009/11/03 09:20:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\LogMeIn
[2007/09/12 23:01:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\MoodLogic
[2007/10/11 07:57:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Napster
[2010/02/21 00:38:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\SOS
[2008/01/15 09:46:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
[2008/08/02 16:36:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\TomTom
[2010/06/03 23:23:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/06/03 21:14:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2010/05/24 21:16:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\E\Application Data\Netscape

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2005/06/10 21:39:28 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2005/06/10 21:23:32 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/06/13 21:30:46 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2004/08/03 23:00:00 | 000,260,272 | ---- | M] () -- C:\cmldr
[2003/11/14 11:16:28 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2010/06/17 19:13:55 | 000,001,589 | ---- | M] () -- C:\HelpAsst.log
[2010/06/18 08:28:38 | 535,896,064 | -HS- | M] () -- C:\hiberfil.sys
[2003/11/14 11:16:28 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/05/09 17:22:37 | 000,000,109 | ---- | M] () -- C:\mbam-error.txt
[2010/06/16 15:39:51 | 000,077,312 | ---- | M] () -- C:\mbr.exe
[2010/06/16 15:40:12 | 000,000,195 | ---- | M] () -- C:\mbr.log
[2003/11/14 11:16:28 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/04 07:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/10/10 23:45:32 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2008/10/15 08:21:49 | 000,262,144 | ---- | M] () -- C:\ntuser.dat
[2009/07/06 01:08:31 | 000,001,024 | -H-- | M] () -- C:\ntuser.dat.LOG
[2010/06/18 08:28:37 | 805,306,368 | -HS- | M] () -- C:\pagefile.sys
[2010/06/13 15:27:03 | 000,000,512 | ---- | M] () -- C:\rkill.log
[2007/10/12 09:51:48 | 000,001,748 | ---- | M] () -- C:\smbios.bin
[2009/08/22 09:28:25 | 000,000,029 | ---- | M] () -- C:\wizard.txt
[2007/10/28 01:14:10 | 000,000,146 | ---- | M] () -- C:\YServer.txt

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >
[2008/07/06 07:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2006/04/10 15:02:32 | 000,074,240 | ---- | M] (Hewlett-Packard Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\hpzpp054.dll
[2007/04/09 14:23:54 | 000,028,552 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2005/06/10 16:09:24 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2005/06/10 16:09:24 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2005/06/10 16:09:24 | 000,880,640 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\user32.dll /md5 >
[2008/04/13 19:12:08 | 000,578,560 | ---- | M] (Microsoft Corporation) MD5=B26B135FF1B9F60C9388B4A7D16F600B -- C:\WINDOWS\system32\user32.dll

< %systemroot%\system32\ws2_32.dll /md5 >
[2008/04/13 19:12:10 | 000,082,432 | ---- | M] (Microsoft Corporation) MD5=2CCC474EB85CEAA3E1FA1726580A3E5A -- C:\WINDOWS\system32\ws2_32.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:4B7BEAFF
< End of report >

GMER
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-18 23:15:44
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\E\LOCALS~1\Temp\pxtdqpow.sys


---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1072] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[1072] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A
.text C:\WINDOWS\System32\svchost.exe[1072] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C
.text C:\WINDOWS\System32\svchost.exe[1072] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0189000A
.text C:\WINDOWS\System32\svchost.exe[1072] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00DB000A
.text C:\WINDOWS\Explorer.EXE[1500] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[1500] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[1500] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip sosnf32.sys (SOSNF32/CYBERsitter LLC)
AttachedDevice \Driver\Tcpip \Device\Tcp sosnf32.sys (SOSNF32/CYBERsitter LLC)
AttachedDevice \Driver\Tcpip \Device\Udp sosnf32.sys (SOSNF32/CYBERsitter LLC)
AttachedDevice \Driver\Tcpip \Device\RawIp sosnf32.sys (SOSNF32/CYBERsitter LLC)

---- Threads - GMER 1.0.15 ----

Thread System [4:264] 828D4298

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{519B1951-8979-4280-9284-EC68FDDC8DBD}\SOSNF@STA 1994DEC77142DF45
Reg HKLM\SOFTWARE\Classes\CLSID\{519B1951-8979-4280-9284-EC68FDDC8DBD}\SOSNF@STB D159C896D36E4C5D

---- EOF - GMER 1.0.15 ----

#8 azarl (GeekU Admin, Community Leader, 25,310 posts)
Hi

We've not finished yet, but how does your system seem now?
Are you still experiencing any problems?

#9 djsnoopy11 (Member, Topic Starter, 11 posts)
Yes!!!
The internet is running slowly. I keep getting pop-ups, and search engines are still redirecting to other sites.

#10 azarl (GeekU Admin, Community Leader, 25,310 posts)
» Step 1 «
  • Double click on the OTL icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in:


    /md5start
    intelide.sys
    ndis.sys
    CLASSPNP.SYS
    disk.sys
    ACPI.sys
    atapi.sys
    /md5stop

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and paste them into your reply.

» Step 2 «
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your Desktop and run it.
  • Once completed, it will create a log in your C:\ drive.
  • Please post the contents of that log.


#11 djsnoopy11 (Member, Topic Starter, 11 posts)
OTL logfile created on: 6/19/2010 5:39:42 PM - Run 4
OTL by OldTimer - Version 3.2.6.0 Folder = C:\Documents and Settings\E\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 186.00 Mb Available Physical Memory | 36.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 24.59 Gb Free Space | 66.02% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 149.05 Gb Total Space | 97.50 Gb Free Space | 65.42% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: KEW
Current User Name: E
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/06/18 08:51:19 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\E\Desktop\OTL.exe
PRC - [2010/04/16 08:33:40 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/04/01 12:58:04 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/02/13 12:52:30 | 001,633,664 | ---- | M] (Solid Oak Software) -- C:\Program Files\SOS\SOSNF\sosnflsv.exe
PRC - [2010/02/13 12:52:28 | 001,106,304 | ---- | M] (Solid Oak Software) -- C:\Program Files\SOS\SOSNF\sosnfusv.exe
PRC - [2010/02/13 12:52:26 | 001,182,080 | ---- | M] (Solid Oak Software) -- C:\Program Files\SOS\SOSNF\sosnffsv.exe
PRC - [2009/09/04 13:16:54 | 000,158,448 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Zune\ZuneLauncher.exe
PRC - [2009/09/04 13:16:54 | 000,058,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ZuneBusEnum.exe
PRC - [2009/04/08 05:38:14 | 000,092,008 | ---- | M] (TomTom) -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/06/15 12:57:42 | 000,145,504 | ---- | M] (B.H.A Corporation) -- C:\WINDOWS\system32\bgsvcgen.exe
PRC - [2006/03/03 21:03:10 | 000,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
PRC - [2001/08/17 17:36:42 | 000,024,064 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\devldr32.exe


========== Modules (SafeList) ==========

MOD - [2010/06/18 08:51:19 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\E\Desktop\OTL.exe
MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (Symantec Core LC)
SRV - File not found [Auto | Stopped] -- -- (Automatic LiveUpdate Scheduler)
SRV - [2010/04/16 08:33:40 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/02/13 12:52:30 | 001,633,664 | ---- | M] (Solid Oak Software) [Auto | Running] -- C:\Program Files\SOS\SOSNF\sosnflsv.exe -- (SOSNFLSV)
SRV - [2010/02/13 12:52:28 | 001,106,304 | ---- | M] (Solid Oak Software) [Auto | Running] -- C:\Program Files\SOS\SOSNF\sosnfusv.exe -- (sosnfusv)
SRV - [2010/02/13 12:52:26 | 001,182,080 | ---- | M] (Solid Oak Software) [Auto | Running] -- C:\Program Files\SOS\SOSNF\sosnffsv.exe -- (SOSNFFSV)
SRV - [2009/09/04 13:17:00 | 000,447,216 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc)
SRV - [2009/09/04 13:16:54 | 005,893,360 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc)
SRV - [2009/09/04 13:16:54 | 000,058,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ZuneBusEnum.exe -- (ZuneBusEnum)
SRV - [2009/04/08 05:38:14 | 000,092,008 | ---- | M] (TomTom) [Auto | Running] -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)
SRV - [2007/06/15 12:57:42 | 000,145,504 | ---- | M] (B.H.A Corporation) [Auto | Running] -- C:\WINDOWS\System32\bgsvcgen.exe -- (bgsvcgen)
SRV - [2006/03/03 21:03:10 | 000,069,632 | ---- | M] (HP) [Unknown | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - [2010/02/13 12:52:22 | 000,047,488 | ---- | M] (CYBERsitter LLC) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\sosnf32.sys -- (sosnf32)
DRV - [2009/09/02 00:28:46 | 000,040,832 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\zumbus.sys -- (zumbus)
DRV - [2008/04/13 13:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2007/06/20 04:00:00 | 000,009,200 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2007/06/20 04:00:00 | 000,009,072 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2007/06/15 12:26:38 | 000,513,152 | ---- | M] (Windows ® 2000/XP) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WmaCDriverV32.sys -- (WmaCDriverV32)
DRV - [2006/11/02 08:00:08 | 000,039,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\winusb.sys -- (WinUSB)
DRV - [2006/09/22 17:33:38 | 000,515,200 | ---- | M] (Windows ® 2000/XP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SndTDriverV32.sys -- (SndTDriverV32)
DRV - [2006/02/20 19:17:00 | 000,033,408 | ---- | M] (B.H.A Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdrbsdrv.sys -- (cdrbsdrv)
DRV - [2005/08/15 09:05:59 | 000,060,928 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\w600bus.sys -- (w600bus) Sony Ericsson W600 driver (WDM)
DRV - [2005/07/18 13:26:40 | 000,085,952 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\w600obex.sys -- (w600obex)
DRV - [2005/07/18 13:25:36 | 000,088,080 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\w600mgmt.sys -- (w600mgmt)
DRV - [2005/07/18 13:24:32 | 000,096,672 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\w600mdm.sys -- (w600mdm)
DRV - [2005/07/18 13:24:26 | 000,008,336 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\w600mdfl.sys -- (w600mdfl)
DRV - [2005/06/11 11:33:44 | 000,004,608 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\symlcbrd.sys -- (symlcbrd)
DRV - [2004/08/03 17:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2001/08/17 07:19:34 | 000,036,480 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sfmanm.sys -- (sfman) Creative SoundFont Manager Driver (WDM)
DRV - [2001/08/17 07:19:28 | 000,006,912 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctlfacem.sys -- (emu10k1) Creative Interface Manager Driver (WDM)
DRV - [2001/08/17 07:19:26 | 000,283,904 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emu10k1m.sys -- (emu10k) Creative SB Live! (WDM)
DRV - [2001/08/17 07:19:20 | 000,003,712 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctljystk.sys -- (ctljystk)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://login.live.co...n...5&mkt=en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 8C 4F F7 82 2D F6 CA 01 [binary data]
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: [email protected]:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/06/06 16:59:07 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/06/13 22:57:54 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Netscape Navigator 9.0.0.6\extensions\\Components: C:\Program Files\Netscape\Navigator 9\components [2010/06/03 23:16:00 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Netscape Navigator 9.0.0.6\extensions\\Plugins: C:\Program Files\Netscape\Navigator 9\plugins [2010/06/09 08:22:20 | 000,000,000 | ---D | M]

[2010/06/06 16:59:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\E\Application Data\Mozilla\Extensions
[2010/06/19 08:36:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\E\Application Data\Mozilla\Firefox\Profiles\f1tc91t3.default\extensions
[2010/06/16 15:10:56 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\E\Application Data\Mozilla\Firefox\Profiles\f1tc91t3.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/06/19 08:36:55 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/06/13 22:57:57 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/06/13 22:57:34 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/06/13 22:00:45 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (DCA BHO) - {B49699FC-1665-4414-A1CB-C4A2A4A13EEC} - C:\Program Files\Upromise\dca-bho.dll (Compete, Inc.)
O2 - BHO: (Upromise TurboSaver) - {EDC0F17F-F4B7-47e4-B73E-887FAEB376FA} - C:\Program Files\Upromise\upromisetoolbar.dll (Upromise, Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Zune Launcher] C:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Auto run of VideoCam Suite 1.0.lnk = C:\Program Files\Panasonic\VideoCamSuite\VideoCamSuiteAutoStart.exe (Matsushita Electric Industrial Co., Ltd.)
O4 - Startup: C:\Documents and Settings\E\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Upromise TurboSaver - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - C:\Program Files\Upromise\upromisetoolbar.dll (Upromise, Inc.)
O9 - Extra 'Tools' menuitem : Upromise TurboSaver - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - C:\Program Files\Upromise\upromisetoolbar.dll (Upromise, Inc.)
O9 - Extra Button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe File not found
O9 - Extra 'Tools' menuitem : PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx1.hotmail....ol/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logme...trl.cab?lmi=100 (Performance Viewer Activex Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/06/10 21:39:28 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010/06/18 23:19:01 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\E\Recent
[2010/06/18 08:51:18 | 000,572,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\E\Desktop\OTL.exe
[2010/06/17 18:54:19 | 000,278,016 | ---- | C] (SteelWerX) -- C:\WINDOWS\swreg.exe
[2010/06/14 23:52:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E\Local Settings\Application Data\Temp
[2010/06/14 20:43:30 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/06/14 17:32:08 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\E\Desktop\erunt_setup.exe
[2010/06/13 23:48:07 | 000,201,728 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\E\Desktop\OTC.exe
[2010/06/13 23:11:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Sun
[2010/06/13 23:11:05 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/06/13 22:27:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E\Desktop\anti-virus
[2010/06/13 22:24:53 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/06/13 22:10:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/06/13 21:30:37 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/06/13 21:22:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/06/13 16:02:48 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2010/06/09 08:27:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E\My Documents\Downloads
[2010/06/06 17:04:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee
[2010/06/06 16:59:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E\Local Settings\Application Data\Mozilla
[2010/06/06 16:59:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E\Application Data\Mozilla
[2010/06/06 16:58:06 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010/06/04 08:27:22 | 000,000,000 | R--D | C] -- C:\Documents and Settings\E\My Documents\My Videos
[2010/06/03 23:22:20 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/06/03 23:21:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/06/03 23:14:10 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/06/03 23:08:00 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/06/03 22:45:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E\Local Settings\Application Data\Apple
[2010/06/03 21:16:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E\Application Data\Apple Computer
[2010/06/03 21:10:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2010/05/30 14:14:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo! Companion
[2010/05/30 14:14:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E\Application Data\Yahoo!
[2010/05/27 20:49:25 | 000,000,000 | ---D | C] -- C:\WINDOWS\Performance
[2010/05/27 20:49:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E\Local Settings\Application Data\Microsoft Corporation
[2010/05/27 20:48:15 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Windows 7 Upgrade Advisor
[2010/05/25 10:11:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E\Local Settings\Application Data\Adobe
[2010/05/24 21:16:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E\Local Settings\Application Data\Netscape
[2010/05/24 21:16:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E\Application Data\Netscape
[2010/05/24 21:16:20 | 000,000,000 | ---D | C] -- C:\Program Files\Netscape
[2010/05/24 21:13:30 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/05/24 21:13:29 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/05/24 21:13:29 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/23 08:55:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E\Application Data\Malwarebytes
[2010/05/20 01:52:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E\Local Settings\Application Data\Google
[2010/05/17 21:20:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E\Application Data\Sun
[2010/05/17 20:58:42 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\E\IECompatCache
[2010/05/17 20:57:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E\Application Data\HP
[2010/05/17 20:57:48 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\E\PrivacIE
[2010/05/17 20:57:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E\Local Settings\Application Data\Apple Computer
[2010/05/17 20:56:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E\Application Data\Identities
[2010/05/17 20:56:36 | 000,000,000 | R--D | C] -- C:\Documents and Settings\E\My Documents\My Music
[2010/05/17 20:56:35 | 000,000,000 | R--D | C] -- C:\Documents and Settings\E\My Documents\My Pictures
[2010/05/17 20:52:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E\Application Data\Adobe
[2010/05/17 20:41:42 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\E\IETldCache
[2010/05/17 20:41:22 | 000,000,000 | --SD | C] -- C:\Documents and Settings\E\Application Data\Microsoft
[2010/05/17 20:41:22 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\E\SendTo
[2010/05/17 20:41:22 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\E\Application Data
[2010/05/17 20:41:22 | 000,000,000 | R--D | C] -- C:\Documents and Settings\E\My Documents
[2010/05/17 20:41:22 | 000,000,000 | R--D | C] -- C:\Documents and Settings\E\Favorites
[2010/05/17 20:41:22 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\E\Cookies
[2010/05/17 20:41:22 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\E\PrintHood
[2010/05/17 20:41:22 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\E\NetHood
[2010/05/17 20:41:22 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\E\Local Settings
[2010/05/17 20:41:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E\Local Settings\Application Data\Microsoft
[2010/05/17 20:41:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E\Application Data\Macromedia
[2010/05/17 20:41:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\E\Desktop
[2010/05/17 20:41:21 | 000,000,000 | R--D | C] -- C:\Documents and Settings\E\Start Menu
[2010/05/17 20:41:21 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\E\Templates
[2010/05/16 19:01:13 | 000,157,712 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2010/05/16 12:01:26 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/05/16 12:01:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Alwil Software
[2010/05/16 08:36:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\MSN6
[2010/04/27 23:49:30 | 000,000,000 | ---D | C] -- C:\Program Files\Upromise
[2003/12/09 14:16:52 | 000,442,368 | ---- | C] ( ) -- C:\WINDOWS\System32\comintfs.dll

========== Files - Modified Within 90 Days ==========

[2010/06/19 17:21:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/06/19 08:49:18 | 000,039,424 | ---- | M] () -- C:\Documents and Settings\E\Desktop\debt stuff.xls
[2010/06/19 08:27:07 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/06/19 08:26:34 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/06/19 08:26:30 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/19 08:26:26 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/19 08:26:24 | 535,896,064 | -HS- | M] () -- C:\hiberfil.sys
[2010/06/19 01:28:06 | 001,310,720 | -H-- | M] () -- C:\Documents and Settings\E\NTUSER.DAT
[2010/06/19 01:28:06 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\E\ntuser.ini
[2010/06/19 01:27:56 | 003,768,732 | -H-- | M] () -- C:\Documents and Settings\E\Local Settings\Application Data\IconCache.db
[2010/06/18 08:51:19 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\E\Desktop\OTL.exe
[2010/06/17 18:52:17 | 000,490,232 | ---- | M] () -- C:\Documents and Settings\E\Desktop\HelpAsst_mebroot_fix.exe
[2010/06/16 17:18:32 | 000,272,576 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/16 15:39:51 | 000,077,312 | ---- | M] () -- C:\mbr.exe
[2010/06/16 11:34:24 | 000,118,272 | ---- | M] () -- C:\Documents and Settings\E\My Documents\malware.doc
[2010/06/14 20:43:35 | 000,000,767 | ---- | M] () -- C:\Documents and Settings\E\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/06/14 20:43:30 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\E\Desktop\NTREGOPT.lnk
[2010/06/14 20:43:30 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\E\Desktop\ERUNT.lnk
[2010/06/14 20:36:16 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\E\Desktop\gmer.zip
[2010/06/14 20:36:02 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\E\Desktop\erunt_setup.exe
[2010/06/14 16:45:08 | 000,003,879 | ---- | M] () -- C:\Documents and Settings\E\My Documents\kasp.html
[2010/06/14 03:50:41 | 000,201,728 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\E\Desktop\OTC.exe
[2010/06/13 22:01:36 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/06/13 22:00:45 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/06/13 21:30:46 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/06/13 10:32:11 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/06/11 21:33:54 | 000,020,992 | ---- | M] () -- C:\Documents and Settings\E\My Documents\Pappasito.doc
[2010/06/06 16:58:16 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Mozilla Firefox.lnk
[2010/06/05 22:17:10 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/06/04 08:26:49 | 000,003,584 | ---- | M] () -- C:\Documents and Settings\E\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/06/04 06:06:52 | 000,002,055 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\iTunes.lnk
[2010/06/04 00:08:59 | 000,057,108 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/05/30 14:14:20 | 000,000,654 | ---- | M] () -- C:\Documents and Settings\E\Desktop\CCleaner.lnk
[2010/05/27 20:48:34 | 000,070,368 | ---- | M] () -- C:\Documents and Settings\E\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/05/27 20:48:17 | 000,001,862 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Windows 7 Upgrade Advisor.lnk
[2010/05/24 21:16:32 | 000,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat
[2010/05/24 21:16:23 | 000,001,709 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Netscape Navigator.lnk
[2010/05/23 02:10:06 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/05/23 02:10:06 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/05/16 07:59:30 | 000,001,915 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Google Earth.lnk
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe

========== Files Created - No Company Name ==========

[2010/06/17 18:54:19 | 000,082,944 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/06/17 18:32:39 | 000,490,232 | ---- | C] () -- C:\Documents and Settings\E\Desktop\HelpAsst_mebroot_fix.exe
[2010/06/16 15:39:50 | 000,077,312 | ---- | C] () -- C:\mbr.exe
[2010/06/16 15:36:31 | 000,000,195 | ---- | C] () -- C:\Documents and Settings\E\mbr.log
[2010/06/16 11:34:24 | 000,118,272 | ---- | C] () -- C:\Documents and Settings\E\My Documents\malware.doc
[2010/06/14 20:43:35 | 000,000,767 | ---- | C] () -- C:\Documents and Settings\E\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/06/14 20:43:30 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\E\Desktop\NTREGOPT.lnk
[2010/06/14 20:43:30 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\E\Desktop\ERUNT.lnk
[2010/06/14 17:29:36 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\E\Desktop\gmer.zip
[2010/06/14 16:45:08 | 000,003,879 | ---- | C] () -- C:\Documents and Settings\E\My Documents\kasp.html
[2010/06/13 21:30:45 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/06/13 21:30:41 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/06/13 21:22:59 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/06/13 21:22:59 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/06/13 15:51:57 | 535,896,064 | -HS- | C] () -- C:\hiberfil.sys
[2010/06/06 16:58:16 | 000,001,602 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Mozilla Firefox.lnk
[2010/06/04 08:26:48 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\E\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/06/04 01:16:04 | 000,020,992 | ---- | C] () -- C:\Documents and Settings\E\My Documents\Pappasito.doc
[2010/06/04 00:08:59 | 000,057,108 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/06/03 23:23:41 | 000,002,055 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\iTunes.lnk
[2010/05/30 14:14:20 | 000,000,654 | ---- | C] () -- C:\Documents and Settings\E\Desktop\CCleaner.lnk
[2010/05/27 20:48:17 | 000,001,862 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Windows 7 Upgrade Advisor.lnk
[2010/05/27 18:25:03 | 000,039,424 | ---- | C] () -- C:\Documents and Settings\E\Desktop\debt stuff.xls
[2010/05/24 21:16:32 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/05/24 21:16:23 | 000,001,709 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Netscape Navigator.lnk
[2010/05/23 02:10:06 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/05/17 20:41:23 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\E\ntuser.ini
[2010/05/17 20:41:21 | 001,310,720 | -H-- | C] () -- C:\Documents and Settings\E\NTUSER.DAT
[2010/05/17 20:41:21 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\E\ntuser.dat.LOG
[2010/05/16 07:59:30 | 000,001,915 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Google Earth.lnk
[2009/02/05 23:10:02 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/02/04 18:23:10 | 000,693,792 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2007/08/09 12:08:04 | 000,462,848 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll
[2007/02/26 17:19:58 | 000,000,221 | ---- | C] () -- C:\WINDOWS\NCLogConfig.ini
[2007/02/26 16:42:49 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\HPZIDS01.dll
[2006/10/21 12:59:59 | 000,262,144 | ---- | C] () -- C:\WINDOWS\System32\Manipulate.dll
[2006/09/24 13:53:54 | 000,268,242 | ---- | C] () -- C:\WINDOWS\System32\erdmpg-parse.dll
[2006/09/24 13:53:42 | 002,518,779 | ---- | C] () -- C:\WINDOWS\System32\erdmpg-enc.dll
[2006/09/24 13:52:04 | 000,030,693 | ---- | C] () -- C:\WINDOWS\System32\erdmpg-int.dll
[2005/11/17 12:57:30 | 000,258,560 | ---- | C] () -- C:\WINDOWS\System32\MusicTagsAX.dll
[2005/10/14 22:10:24 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\comLyricGetter.dll
[2004/02/01 14:21:56 | 000,097,280 | ---- | C] () -- C:\WINDOWS\System32\Uncommon.dll
[2003/08/07 15:01:50 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/07/07 04:00:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== LOP Check ==========

[2010/06/13 11:34:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Alwil Software
[2009/11/03 09:20:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\LogMeIn
[2007/09/12 23:01:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\MoodLogic
[2007/10/11 07:57:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Napster
[2010/02/21 00:38:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\SOS
[2008/01/15 09:46:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
[2008/08/02 16:36:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\TomTom
[2010/06/03 23:23:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/06/03 21:14:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2010/05/24 21:16:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\E\Application Data\Netscape

========== Purity Check ==========



========== Custom Scans ==========



< MD5 for: ACPI.SYS >
[2004/08/04 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:ACPI.sys
[2008/10/10 23:38:16 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:ACPI.sys
[2008/10/10 23:38:16 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:ACPI.sys
[2008/04/13 13:36:35 | 000,187,776 | ---- | M] (Microsoft Corporation) MD5=8FD99680A539792A30E97944FDAECF17 -- C:\WINDOWS\ServicePackFiles\i386\acpi.sys
[2008/04/13 13:36:35 | 000,187,776 | ---- | M] (Microsoft Corporation) MD5=8FD99680A539792A30E97944FDAECF17 -- C:\WINDOWS\system32\drivers\acpi.sys
[2004/08/04 07:00:00 | 000,187,776 | ---- | M] (Microsoft Corporation) MD5=A10C7534F7223F4A73A948967D00E69B -- C:\WINDOWS\$NtServicePackUninstall$\acpi.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/10/10 23:38:16 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/10/10 23:38:16 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 07:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: CLASSPNP.SYS >
[2004/08/04 07:00:00 | 000,049,664 | ---- | M] (Microsoft Corporation) MD5=D86173B401470F06D9810F7962969DDF -- C:\WINDOWS\$NtServicePackUninstall$\classpnp.sys
[2008/04/13 14:16:22 | 000,049,536 | ---- | M] (Microsoft Corporation) MD5=FE47DD8FE6D7768FF94EBEC6C74B2719 -- C:\WINDOWS\ServicePackFiles\i386\classpnp.sys
[2008/04/13 14:16:22 | 000,049,536 | ---- | M] (Microsoft Corporation) MD5=FE47DD8FE6D7768FF94EBEC6C74B2719 -- C:\WINDOWS\system32\drivers\classpnp.sys

< MD5 for: DISK.SYS >
[2004/08/04 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:disk.sys
[2008/10/10 23:38:16 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:disk.sys
[2008/10/10 23:38:16 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:disk.sys
[2004/08/04 07:00:00 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=00CA44E4534865F8A3B64F7C0984BFF0 -- C:\WINDOWS\$NtServicePackUninstall$\disk.sys
[2008/04/13 13:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\ServicePackFiles\i386\disk.sys
[2008/04/13 13:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\system32\drivers\disk.sys

< MD5 for: INTELIDE.SYS >
[2004/08/04 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:intelide.sys
[2008/10/10 23:38:16 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:intelide.sys
[2008/10/10 23:38:16 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:intelide.sys
[2004/08/03 17:59:42 | 000,005,504 | ---- | M] (Microsoft Corporation) MD5=2D722B2B54AB55B2FA475EB58D7B2AAD -- C:\WINDOWS\$NtServicePackUninstall$\intelide.sys
[2008/04/13 13:40:29 | 000,005,504 | ---- | M] (Microsoft Corporation) MD5=B5466A9250342A7AA0CD1FBA13420678 -- C:\WINDOWS\ServicePackFiles\i386\intelide.sys
[2008/04/13 13:40:29 | 000,005,504 | ---- | M] (Microsoft Corporation) MD5=B5466A9250342A7AA0CD1FBA13420678 -- C:\WINDOWS\system32\drivers\intelide.sys

< MD5 for: NDIS.SYS >
[2008/04/13 14:20:37 | 000,182,656 | ---- | M] (Microsoft Corporation) MD5=1DF7F42665C94B825322FAE71721130D -- C:\WINDOWS\ERDNT\cache\ndis.sys
[2008/04/13 14:20:37 | 000,182,656 | ---- | M] (Microsoft Corporation) MD5=1DF7F42665C94B825322FAE71721130D -- C:\WINDOWS\ServicePackFiles\i386\ndis.sys
[2008/04/13 14:20:37 | 000,182,656 | ---- | M] (Microsoft Corporation) MD5=1DF7F42665C94B825322FAE71721130D -- C:\WINDOWS\system32\drivers\ndis.sys
[2004/08/04 07:00:00 | 000,182,912 | ---- | M] (Microsoft Corporation) MD5=558635D3AF1C7546D26067D5D9B6959E -- C:\WINDOWS\$NtServicePackUninstall$\ndis.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:4B7BEAFF

18:01:58:406 1336 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
18:01:58:406 1336 ================================================================================
18:01:58:406 1336 SystemInfo:

18:01:58:406 1336 OS Version: 5.1.2600 ServicePack: 3.0
18:01:58:406 1336 Product type: Workstation
18:01:58:406 1336 ComputerName: KEW
18:01:58:406 1336 UserName: E
18:01:58:406 1336 Windows directory: C:\WINDOWS
18:01:58:406 1336 Processor architecture: Intel x86
18:01:58:406 1336 Number of processors: 1
18:01:58:406 1336 Page size: 0x1000
18:01:58:406 1336 Boot type: Normal boot
18:01:58:406 1336 ================================================================================
18:01:58:750 1336 Initialize success
18:01:58:750 1336
18:01:58:750 1336 Scanning Services ...
18:01:59:265 1336 Raw services enum returned 343 services
18:01:59:265 1336
18:01:59:265 1336 Scanning Drivers ...
18:02:00:296 1336 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
18:02:00:421 1336 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
18:02:00:593 1336 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
18:02:00:703 1336 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
18:02:00:812 1336 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
18:02:01:281 1336 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
18:02:01:390 1336 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
18:02:01:750 1336 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
18:02:01:921 1336 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
18:02:02:046 1336 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
18:02:02:187 1336 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
18:02:02:359 1336 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
18:02:02:468 1336 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
18:02:02:531 1336 Cdr4_xp (223dea13c9d064babc882b4727f6f905) C:\WINDOWS\system32\drivers\Cdr4_xp.sys
18:02:02:671 1336 Cdralw2k (9e26599599d178e71afb5599e146031a) C:\WINDOWS\system32\drivers\Cdralw2k.sys
18:02:02:765 1336 cdrbsdrv (e0042bd5bef17a6a3ef1df576bde24d1) C:\WINDOWS\system32\drivers\cdrbsdrv.sys
18:02:02:875 1336 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
18:02:03:078 1336 ctljystk (71007bd2e1e26927fe3e4eb00c0beedf) C:\WINDOWS\system32\DRIVERS\ctljystk.sys
18:02:03:296 1336 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
18:02:03:406 1336 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
18:02:03:796 1336 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
18:02:03:937 1336 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
18:02:04:046 1336 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
18:02:04:203 1336 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
18:02:04:296 1336 E100B (fe9cb643a034285031502d3369e5a869) C:\WINDOWS\system32\DRIVERS\e100b325.sys
18:02:04:406 1336 emu10k (01f83e1b5dce05f5cb7d99113ca9e890) C:\WINDOWS\system32\drivers\emu10k1m.sys
18:02:04:531 1336 emu10k1 (7ffa171cce6a8bfc774862a578ba39a2) C:\WINDOWS\system32\drivers\ctlfacem.sys
18:02:04:765 1336 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
18:02:04:875 1336 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
18:02:04:968 1336 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
18:02:05:062 1336 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
18:02:05:171 1336 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
18:02:05:265 1336 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
18:02:05:421 1336 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
18:02:05:546 1336 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
18:02:05:687 1336 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
18:02:05:812 1336 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
18:02:05:906 1336 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
18:02:06:046 1336 HPZid412 (30ca91e657cede2f95359d6ef186f650) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
18:02:06:140 1336 HPZipr12 (efd31afa752aa7c7bbb57bcbe2b01c78) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
18:02:06:234 1336 HPZius12 (7ac43c38ca8fd7ed0b0a4466f753e06e) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
18:02:06:343 1336 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
18:02:06:609 1336 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
18:02:06:796 1336 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
18:02:07:000 1336 IntelIde (1e1e77725ef849ea12b5b2abd344af96) C:\WINDOWS\system32\DRIVERS\intelide.sys
18:02:07:000 1336 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\intelide.sys. Real md5: 1e1e77725ef849ea12b5b2abd344af96, Fake md5: b5466a9250342a7aa0cd1fba13420678
18:02:07:000 1336 File "C:\WINDOWS\system32\DRIVERS\intelide.sys" infected by TDSS rootkit ... 18:02:08:906 1336 Backup copy found, using it..
18:02:08:968 1336 will be cured on next reboot
18:02:09:093 1336 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
18:02:09:234 1336 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
18:02:09:390 1336 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
18:02:09:531 1336 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
18:02:09:703 1336 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
18:02:09:859 1336 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
18:02:10:000 1336 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
18:02:10:156 1336 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
18:02:10:281 1336 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
18:02:10:421 1336 klmd23 (67e1faa88fb397b3d56909d7e04f4dd3) C:\WINDOWS\system32\drivers\klmd.sys
18:02:10:578 1336 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
18:02:10:718 1336 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
18:02:10:968 1336 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
18:02:11:078 1336 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
18:02:11:234 1336 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
18:02:11:390 1336 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
18:02:11:546 1336 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
18:02:11:812 1336 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
18:02:11:984 1336 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
18:02:12:171 1336 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
18:02:12:312 1336 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
18:02:12:468 1336 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
18:02:12:609 1336 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
18:02:12:765 1336 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
18:02:12:921 1336 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
18:02:13:078 1336 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
18:02:13:234 1336 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
18:02:13:390 1336 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
18:02:13:531 1336 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
18:02:13:687 1336 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
18:02:13:843 1336 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
18:02:13:984 1336 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
18:02:14:156 1336 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
18:02:14:328 1336 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
18:02:14:500 1336 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
18:02:14:703 1336 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
18:02:14:937 1336 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
18:02:15:109 1336 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
18:02:15:250 1336 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
18:02:15:437 1336 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
18:02:15:609 1336 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
18:02:15:765 1336 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
18:02:16:062 1336 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
18:02:16:203 1336 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
18:02:17:156 1336 Point32 (dcdf0421a1c14f2923e298a30fd7636d) C:\WINDOWS\system32\DRIVERS\point32.sys
18:02:17:343 1336 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
18:02:17:531 1336 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
18:02:17:859 1336 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
18:02:18:203 1336 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys
18:02:19:078 1336 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
18:02:19:171 1336 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
18:02:19:281 1336 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
18:02:19:406 1336 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
18:02:19:500 1336 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
18:02:19:593 1336 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
18:02:19:718 1336 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
18:02:19:828 1336 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
18:02:19:906 1336 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
18:02:19:984 1336 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
18:02:20:093 1336 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
18:02:20:203 1336 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
18:02:20:296 1336 sfman (0b1a5e9cacb5cdd54a2815107bd7c772) C:\WINDOWS\system32\drivers\sfmanm.sys
18:02:20:484 1336 SndTDriverV32 (fd492fc4646c0f01283a439d42915a04) C:\WINDOWS\system32\drivers\SndTDriverV32.sys
18:02:20:656 1336 sosnf32 (afce6f3a28995996fff8515e94393b9c) C:\WINDOWS\system32\drivers\sosnf32.sys
18:02:20:828 1336 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
18:02:20:921 1336 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
18:02:21:046 1336 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
18:02:21:203 1336 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
18:02:21:312 1336 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
18:02:21:484 1336 symlcbrd (6596892dd5abbe48f5876a551867a166) C:\WINDOWS\system32\drivers\symlcbrd.sys
18:02:21:671 1336 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
18:02:21:812 1336 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
18:02:21:984 1336 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
18:02:22:093 1336 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
18:02:22:203 1336 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
18:02:22:359 1336 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
18:02:22:531 1336 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
18:02:22:656 1336 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
18:02:22:750 1336 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
18:02:22:843 1336 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
18:02:22:953 1336 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
18:02:23:046 1336 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
18:02:23:156 1336 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
18:02:23:234 1336 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
18:02:23:375 1336 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
18:02:23:515 1336 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
18:02:23:625 1336 w600bus (3286961f32baa7d9f2d75b24ec3ed7e6) C:\WINDOWS\system32\DRIVERS\w600bus.sys
18:02:23:734 1336 w600mdfl (e403d8bd711561530d5a81d7f0773c54) C:\WINDOWS\system32\DRIVERS\w600mdfl.sys
18:02:23:906 1336 w600mdm (9e1aea75bf144a8511b014757ba8a073) C:\WINDOWS\system32\DRIVERS\w600mdm.sys
18:02:24:062 1336 w600mgmt (805455d662a4652af5d22c7efea90107) C:\WINDOWS\system32\DRIVERS\w600mgmt.sys
18:02:24:171 1336 w600obex (cf61f82c83fdf3f1ec9ab293e6523c5a) C:\WINDOWS\system32\DRIVERS\w600obex.sys
18:02:24:265 1336 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
18:02:24:406 1336 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
18:02:24:625 1336 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
18:02:24:718 1336 WinUSB (fd600b032e741eb6aab509fc630f7c42) C:\WINDOWS\system32\DRIVERS\WinUSB.sys
18:02:24:906 1336 WmaCDriverV32 (1f1a0ebbf45b8ed460c7a4b6d19a4496) C:\WINDOWS\system32\drivers\WmaCDriverV32.sys
18:02:25:078 1336 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\Drivers\wpdusb.sys
18:02:25:171 1336 WudfPf (eaa6324f51214d2f6718977ec9ce0def) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
18:02:25:281 1336 WudfRd (f91ff1e51fca30b3c3981db7d5924252) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
18:02:25:390 1336 zumbus (9b2c9d322e3fbb1814d7c17a980c1286) C:\WINDOWS\system32\DRIVERS\zumbus.sys
18:02:25:390 1336 Reboot required for cure complete..
18:02:25:843 1336 Cure on reboot scheduled successfully
18:02:25:843 1336
18:02:25:843 1336 Completed
18:02:25:843 1336
18:02:25:843 1336 Results:
18:02:25:843 1336 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
18:02:25:843 1336 File objects infected / cured / cured on reboot: 1 / 0 / 1
18:02:25:843 1336
18:02:25:843 1336 KLMD(ARK) unloaded successfully

#12
azarl
    GeekU Admin
  • Community Leader
  • 25,310 posts
We're getting somewhere now :)

Can you run ComboFix again please now.

#13
djsnoopy11
    Member
  • Topic Starter
  • Member
  • 11 posts
ComboFix 10-06-20.03 - E 06/20/2010 17:22:15.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.327 [GMT -5:00]
Running from: c:\documents and settings\E\Desktop\anti-virus\Combo-Fix.exe
.

((((((((((((((((((((((((( Files Created from 2010-05-20 to 2010-06-20 )))))))))))))))))))))))))))))))
.

2010-06-19 23:59 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-16 20:39 . 2010-06-16 20:39 77312 ----a-w- C:\mbr.exe
2010-06-15 04:52 . 2010-06-15 06:16 -------- d-----w- c:\documents and settings\E\Local Settings\Application Data\Temp
2010-06-15 02:40 . 2010-05-21 19:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-06-15 01:43 . 2010-06-15 01:43 -------- d-----w- c:\program files\ERUNT
2010-06-14 04:11 . 2010-06-14 04:11 -------- d-----w- c:\program files\Common Files\Java
2010-06-14 03:58 . 2010-06-14 03:58 503808 ----a-w- c:\documents and settings\E\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5abb61c2-n\msvcp71.dll
2010-06-14 03:58 . 2010-06-14 03:58 499712 ----a-w- c:\documents and settings\E\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5abb61c2-n\jmc.dll
2010-06-14 03:58 . 2010-06-14 03:58 348160 ----a-w- c:\documents and settings\E\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5abb61c2-n\msvcr71.dll
2010-06-14 03:58 . 2010-06-14 03:58 61440 ----a-w- c:\documents and settings\E\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3986c0d2-n\decora-sse.dll
2010-06-14 03:58 . 2010-06-14 03:58 12800 ----a-w- c:\documents and settings\E\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3986c0d2-n\decora-d3d.dll
2010-06-14 03:57 . 2010-06-14 03:57 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-13 21:02 . 2010-06-13 21:05 -------- dc-h--w- c:\windows\ie8
2010-06-13 16:35 . 2010-06-13 16:35 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-06-06 22:04 . 2010-06-06 22:04 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\McAfee
2010-06-06 21:59 . 2010-06-06 21:59 -------- d-----w- c:\documents and settings\E\Local Settings\Application Data\Mozilla
2010-06-04 05:08 . 2010-06-04 05:08 57108 ---ha-w- c:\windows\system32\mlfcache.dat
2010-06-04 04:22 . 2010-06-04 04:22 -------- d-----w- c:\program files\iPod
2010-06-04 04:21 . 2010-06-04 04:23 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-06-04 04:14 . 2010-06-04 04:15 -------- d-----w- c:\program files\QuickTime
2010-06-04 04:08 . 2010-06-04 04:08 -------- d-----w- c:\program files\Bonjour
2010-06-04 03:55 . 2010-06-04 03:55 73000 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-06-04 03:45 . 2010-06-04 03:45 -------- d-----w- c:\documents and settings\E\Local Settings\Application Data\Apple
2010-06-04 02:16 . 2010-06-06 14:17 -------- d-----w- c:\documents and settings\E\Application Data\Apple Computer
2010-06-04 02:10 . 2010-06-04 02:14 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-05-30 19:14 . 2010-05-31 06:37 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo! Companion
2010-05-30 19:14 . 2010-05-30 19:14 -------- d-----w- c:\documents and settings\E\Application Data\Yahoo!
2010-05-28 01:49 . 2010-05-28 01:49 -------- d-----w- c:\windows\Performance
2010-05-28 01:49 . 2010-05-28 01:49 -------- d-----w- c:\documents and settings\E\Local Settings\Application Data\Microsoft Corporation
2010-05-28 01:48 . 2010-05-28 01:48 70368 ----a-w- c:\documents and settings\E\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-28 01:48 . 2010-05-28 01:48 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2010-05-25 15:11 . 2010-05-25 15:12 -------- d-----w- c:\documents and settings\E\Local Settings\Application Data\Adobe
2010-05-25 02:16 . 2010-05-25 02:16 0 ----a-w- c:\windows\nsreg.dat
2010-05-25 02:16 . 2010-05-25 02:16 -------- d-----w- c:\documents and settings\E\Local Settings\Application Data\Netscape
2010-05-25 02:16 . 2010-05-25 02:16 -------- d-----w- c:\documents and settings\E\Application Data\Netscape
2010-05-25 02:16 . 2010-05-25 02:16 -------- d-----w- c:\program files\Netscape
2010-05-25 02:13 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-25 02:13 . 2010-05-25 02:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-25 02:13 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-23 13:55 . 2010-05-23 13:55 -------- d-----w- c:\documents and settings\E\Application Data\Malwarebytes
2010-05-23 07:12 . 2010-05-23 14:55 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\dhlplqpan
2010-05-23 07:10 . 2010-05-23 07:10 552 ----a-w- c:\windows\system32\d3d8caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-19 23:03 . 2005-06-10 21:17 5504 ----a-w- c:\windows\system32\drivers\intelide.sys
2010-06-14 03:57 . 2009-09-10 03:31 -------- d-----w- c:\program files\Java
2010-06-13 16:34 . 2010-05-16 17:01 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Alwil Software
2010-06-04 04:22 . 2007-10-29 19:26 -------- d-----w- c:\program files\Common Files\Apple
2010-05-30 19:14 . 2004-11-19 19:05 -------- d-----w- c:\program files\Yahoo!
2010-05-23 07:10 . 2007-09-06 13:37 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-18 01:57 . 2010-05-18 01:57 -------- d-----w- c:\documents and settings\E\Application Data\HP
2010-05-16 17:01 . 2010-05-16 17:01 -------- d-----w- c:\program files\Alwil Software
2010-05-16 13:36 . 2010-05-16 13:36 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\MSN6
2010-05-16 07:01 . 2007-10-28 06:14 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo!
2010-05-16 06:58 . 2009-11-05 10:38 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-05-06 10:41 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-04 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-28 04:51 . 2010-04-28 04:49 -------- d-----w- c:\program files\Upromise
2010-04-24 16:17 . 2007-01-12 23:13 -------- d-----w- c:\program files\Mystery Case Files - Ravenhearst
2010-04-20 05:30 . 2004-08-04 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-08 18:20 . 2010-04-08 18:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 18:20 . 2010-04-08 18:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2009-09-04 158448]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="g:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\E\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Auto run of VideoCam Suite 1.0.lnk - c:\program files\Panasonic\VideoCamSuite\VideoCamSuiteAutoStart.exe [2009-10-21 161160]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\network diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"g:\\Program Files\\iTunes\\iTunes.exe"=

R1 sosnf32;sosnf32;c:\windows\system32\drivers\sosnf32.sys [2/21/2010 12:38 AM 47488]
S2 gupdate1c98b0c522bf250;Google Update Service (gupdate1c98b0c522bf250);c:\program files\Google\Update\GoogleUpdate.exe [2/9/2009 6:15 PM 133104]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
S3 w600bus;Sony Ericsson W600 driver (WDM);c:\windows\system32\drivers\w600bus.sys [12/2/2006 9:20 PM 60928]
S3 w600mdfl;Sony Ericsson W600 USB WMC Modem Filter;c:\windows\system32\drivers\w600mdfl.sys [7/18/2005 1:24 PM 8336]
S3 w600mdm;Sony Ericsson W600 USB WMC Modem Drivers;c:\windows\system32\drivers\w600mdm.sys [7/18/2005 1:24 PM 96672]
S3 w600mgmt;Sony Ericsson W600 USB WMC Device Management Drivers;c:\windows\system32\drivers\w600mgmt.sys [7/18/2005 1:25 PM 88080]
S3 w600obex;Sony Ericsson W600 USB WMC OBEX Interface Drivers;c:\windows\system32\drivers\w600obex.sys [7/18/2005 1:26 PM 85952]
.
Contents of the 'Scheduled Tasks' folder

2010-06-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2010-06-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-09 23:15]

2010-06-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-09 23:15]

2007-08-18 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-02-05 23:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1253879194&rver=6.0.5285.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&lc=1033&id=64855&mkt=en-us
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\E\Application Data\Mozilla\Firefox\Profiles\f1tc91t3.default\
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: g:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-20 17:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SOSNFFSV]
"ImagePath"="c:\program files\SOS\SOSNF\sosnffsv.exe /startedbyscm:50F0C285-40E273A9-gpsServiceSvc"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SOSNFLSV]
"ImagePath"="c:\program files\SOS\SOSNF\sosnflsv.exe /startedbyscm:50F0C285-40E273A9-gpsServiceSvc"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\sosnfusv]
"ImagePath"="c:\program files\SOS\SOSNF\sosnfusv.exe /startedbyscm:9EA6B2B7-40E274A8-gpsServiceSvc"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2620)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-06-20 17:36:26
ComboFix-quarantined-files.txt 2010-06-20 22:36

Pre-Run: 25,368,592,384 bytes free
Post-Run: 25,393,119,232 bytes free

- - End Of File - - B9C4F690005C0924435FECD427CEADB3
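Added example, not part of any post in this thread: a small Python script that parses the registry section of a ComboFix log in the format shown above and flags Windows Security Center values that switch off the antivirus and firewall status monitoring (AntiVirusOverride, FirewallOverride and DisableMonitoring set to a non-zero dword, exactly the state the log above reports). The sample text is constructed from the entries in that log; the function names are my own, not ComboFix's.

```python
"""Flag Windows Security Center overrides in a ComboFix-style registry dump.

Added example. SAMPLE_LOG is constructed from the registry section of the
ComboFix log above; it is not output produced by ComboFix for this script.
"""
import re

# Constructed sample in the layout ComboFix prints: a [key] header followed by
# "name"=dword:hex or "name"="string" lines. The SafeBoot block is a benign
# control entry so the parser's handling of non-dword data is exercised too.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"?(?P<name>[^"=]+)"?=(?P<data>.*)$')

# Value names under the Security Center key that, when non-zero, suppress the
# antivirus / firewall status checks and the "no protection" warnings.
SUPPRESSING_VALUES = {"antivirusoverride", "firewalloverride", "disablemonitoring"}


def parse_registry_dump(text):
    """Return {key_path: {value_name: raw_data}} for a ComboFix-style dump."""
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group("key")
            result.setdefault(current, {})
            continue
        if current is None:
            # Value line before any key header: nothing to attach it to.
            continue
        value_match = VALUE_RE.match(line)
        if value_match:
            result[current][value_match.group("name")] = value_match.group("data")
    return result


def dword_value(data):
    """Decode 'dword:00000001' to an int; return None for non-dword data."""
    if data.lower().startswith("dword:"):
        return int(data[len("dword:"):], 16)
    return None


def find_security_center_overrides(text):
    """Return (key, value_name, int_value) for every non-zero suppressing value
    found under a Security Center key. An empty list means no overrides."""
    findings = []
    for key, values in parse_registry_dump(text).items():
        if "\\security center" not in key.lower():
            continue
        for name, data in values.items():
            if name.lower() not in SUPPRESSING_VALUES:
                continue
            value = dword_value(data)
            if value:  # non-zero dword: status monitoring is switched off
                findings.append((key, name, value))
    return findings


if __name__ == "__main__":
    for key, name, value in find_security_center_overrides(SAMPLE_LOG):
        print(f"{key}\n    {name} = {value}  (status monitoring suppressed)")
```

On a clean XP SP3 machine these values are absent or zero, so any non-zero hit is worth explaining: either a third-party security suite registered it deliberately, or, as in this thread, the remaining infection turned the warnings off. Resetting the values to 0 (or deleting them) after the malware is removed lets Security Center report the real antivirus and firewall state again.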

#14
azarl
    GeekU Admin
  • Community Leader
  • 25,310 posts
» Step 1 «
Clear Cache/Temp Files
Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
» Step 2 «
Kaspersky WebScanner
Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java to download and install the latest version.

Upgrading Java
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 20.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u18-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right-click on the jre-6u18-windows-i586-p.exe and select "Run as an Administrator.")
Running Kaspersky WebScanner
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked:
    • Spyware, Adware, Diallers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.


#15
djsnoopy11
    Member
  • Topic Starter
  • Member
  • 11 posts
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, June 22, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, June 22, 2010 01:58:38
Records in database: 4308889
Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes
Scan area My Computer
A:\
C:\
D:\
E:\
G:\
H:\
Scan statistics
Objects scanned 77183
Threats found 4
Infected objects found 4
Suspicious objects found 0
Scan duration 04:43:18

File name Threat Threats count
C:\Program Files\YASAMPEGEncoder\YASAMPEGEncoder.exe Infected: Trojan.Win32.Vilsel.tqi 1
C:\System Volume Information\_restore{30412D02-EB26-478D-9F30-94EF8B78AD68}\RP1858\A0270182.exe Infected: Trojan-Downloader.Win32.Agent.cmab 1
C:\System Volume Information\_restore{30412D02-EB26-478D-9F30-94EF8B78AD68}\RP1892\A0285859.sys Infected: Rootkit.Win32.TDSS.ap 1
G:\Music\ek music\from old comp\New Folder\ek music\AGSetup0608.exe Infected: not-a-virus:AdWare.Win32.Gator.1050 1
Selected area has been scanned.