
backdoor.tidserv!inf removal


This topic is locked

#1
Introfeel (Member, 24 posts)
I have a Windows Vista Home computer and all of the info I have found for this trojan is for XP. How do I remove it from my computer manually?


#2
hammerman (Member, 4,183 posts)
Hello Introfeel and welcome to GeeksToGo :)
I'm hammerman and I'm going to help you fix your problem.

Before we begin, here are some guidelines which will help us both in fixing your problem.
  • Malware removal is not instantaneous and will take a number of steps to complete. Please continue to carry out the steps requested until I let you know that your computer appears clean.
  • Please do not attach logs or post them in Quote/Code boxes unless requested.
  • I suggest you print or save any instructions I give you for easy reference. We may be using Safe mode and you will not always be able to access this thread. You can copy and paste these instructions into Notepad and then save the text file to your Desktop. If you need any help with this or further clarification, please let me know.
  • When posting logs, please ensure Word Wrap is turned off in Notepad. Open Notepad, select Format on the menu bar and make sure that Word Wrap is unchecked.
  • Please follow the steps exactly in the same order posted. If you can't perform a certain step, or you're unsure on what to do, please stop and let me know.
  • If in doubt about anything, please ask.
Please follow these steps.

-- Step 1 --
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Custom Scan box paste this in


    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your next reply. You may need two posts to fit them all in.
-- Step 2 --

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked. UNCHECK the following boxes
    • Sections
    • IAT/EAT
    • Drives/Partition other than System drive (typically C:\)
    • Show all (important)
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.
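The helper's procedure above produces OTL output that is then read by eye for a few kinds of entry: services and drivers whose file is missing, HOSTS lines, autorun entries that point at nothing, and BHOs with no CLSID path. The script below is an added example, not OTL's code and not something posted in this thread: it parses those line layouts (assumed from the OTL log format as it appears in this thread) and groups the findings a helper would ask about first. The sample log is constructed; the `203.0.113.7` HOSTS entry is a made-up redirect on a TEST-NET address and a `.test` name, included only so the redirect check has something to flag.

```python
"""Triage helper for OTL log lines (added example; not OTL's or the forum's code).

Reads the handful of OTL line layouts seen in malware-removal threads and
pulls out what a helper checks first: services/drivers whose binary is
missing, HOSTS entries that send a name somewhere other than loopback,
autorun entries pointing at nothing, and BHOs with no CLSID path.
"""
import re
from ipaddress import ip_address

# Line layouts are assumed from the OTL output posted in this thread.
SRV_DRV_RE = re.compile(
    r'^(?P<kind>SRV|DRV) - \((?P<name>[^)]+)\).*? -- '
    r'(?P<path>.+?)(?: \((?P<company>[^()]*)\))?$')
HOSTS_RE = re.compile(r'^O1 - Hosts: (?P<addr>\S+)\s+(?P<host>\S+)$')
RUN_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<rest>.+)$')
BHO_RE = re.compile(r'^O2 - BHO: \((?P<name>[^)]*)\) - (?P<clsid>\{[^}]+\}) - (?P<rest>.+)$')

MISSING = 'File not found'


def parse_line(line):
    """Return a dict for one recognised OTL line, or None for anything else."""
    line = line.rstrip()
    m = SRV_DRV_RE.match(line)
    if m:
        path = m.group('path')
        missing = path.endswith(MISSING)
        if missing:                       # OTL appends the marker after the path
            path = path[:-len(MISSING)].rstrip()
        return {'kind': m.group('kind'), 'name': m.group('name'), 'path': path,
                'company': m.group('company'), 'missing': missing}
    m = HOSTS_RE.match(line)
    if m:
        addr, host = m.group('addr'), m.group('host')
        try:
            ip = ip_address(addr)
            # loopback / unspecified = blocking entry; anything else redirects
            blocking = ip.is_loopback or ip.is_unspecified
        except ValueError:                # not an IP at all: treat as suspicious
            blocking = False
        return {'kind': 'hosts', 'addr': addr, 'host': host,
                'redirect': not blocking and host != 'localhost'}
    m = RUN_RE.match(line)
    if m:
        return {'kind': 'run', 'hive': m.group('hive'), 'name': m.group('name'),
                'missing': m.group('rest').endswith(MISSING)}
    m = BHO_RE.match(line)
    if m:
        return {'kind': 'bho', 'name': m.group('name'), 'clsid': m.group('clsid'),
                'no_clsid': m.group('rest').startswith('No CLSID value found')}
    return None


def triage(text):
    """Group findings by type; each list holds the names a helper would ask about."""
    findings = {'missing_files': [], 'hosts_redirects': [],
                'dangling_autoruns': [], 'bho_no_clsid': []}
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec['kind'] in ('SRV', 'DRV') and rec['missing']:
            findings['missing_files'].append(rec['name'])
        elif rec['kind'] == 'hosts' and rec['redirect']:
            findings['hosts_redirects'].append((rec['host'], rec['addr']))
        elif rec['kind'] == 'run' and rec['missing']:
            findings['dangling_autoruns'].append(rec['name'] or '(blank)')
        elif rec['kind'] == 'bho' and rec['no_clsid']:
            findings['bho_no_clsid'].append(rec['clsid'])
    return findings


# Constructed sample: layouts copied from the thread's log, plus one made-up
# HOSTS redirect (TEST-NET address, .test name) to exercise that check.
SAMPLE_LOG = r"""
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
DRV - (NwlnkFwd) -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys File not found
DRV - (pgfilter) -- C:\Program Files\PeerGuardian2\pgfilter.sys ()
DRV - (SRTSPX) Symantec Real Time Storage Protection (PEL) -- C:\Windows\system32\drivers\N360\0402000.00C\SRTSPX.SYS (Symantec Corporation)
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 203.0.113.7 update.example-av.test
O1 - Hosts: 14326 more lines...
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
"""

if __name__ == '__main__':
    for kind, items in triage(SAMPLE_LOG).items():
        print(f'{kind}: {items}')
```

The HOSTS check deliberately separates blocking entries (names sent to 127.0.0.1, ::1 or 0.0.0.0, which is what a large block list looks like) from redirects to a real address, since only the latter changes where traffic goes; an entry whose address field is not an IP at all is flagged rather than ignored. Run it against a saved OTL.Txt by replacing `SAMPLE_LOG` with the file contents.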

#3
Introfeel (Topic Starter, Member, 24 posts)
OTL logfile created on: 7/23/2010 4:05:51 PM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Users\Introfeel\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18928)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 55.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 72.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 455.71 Gb Total Space | 326.98 Gb Free Space | 71.75% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 6.03 Gb Free Space | 60.25% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: POINDEXTER
Current User Name: Introfeel
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Users\Introfeel\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
PRC - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccsvchst.exe (Symantec Corporation)
PRC - C:\Program Files\OpenOffice.org 3\program\soffice.bin (OpenOffice.org)
PRC - C:\Program Files\OpenOffice.org 3\program\soffice.exe (OpenOffice.org)
PRC - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe (Threat Expert Ltd.)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
PRC - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
PRC - C:\Program Files\eFax Messenger 4.4\J2GTray.exe (j2 Global Communications, Inc.)
PRC - C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe (j2 Global Communications, Inc.)
PRC - C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
PRC - C:\Windows\System32\AERTSrv.exe (Andrea Electronics Corporation)
PRC - C:\Windows\V0270Mon.exe (Creative Technology Ltd.)
PRC - C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe (Hewlett-Packard)
PRC - C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe ()
PRC - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)
PRC - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe (Sonic Solutions)
PRC - C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation)


========== Modules (SafeList) ==========

MOD - C:\Users\Introfeel\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\asoehook.dll (Symantec Corporation)
MOD - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\microsoft.vc90.crt\msvcr90.dll (Microsoft Corporation)
MOD - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\microsoft.vc90.crt\msvcp90.dll (Microsoft Corporation)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll (Microsoft Corporation)
MOD - C:\Windows\System32\msscript.ocx (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (WPFFontCache_v0400) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe (Microsoft Corporation)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (sdCoreService) -- C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools)
SRV - (sdAuxService) -- C:\Program Files\Spyware Doctor\pctsAuxs.exe (PC Tools)
SRV - (N360) -- C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe (Symantec Corporation)
SRV - (Browser Defender Update Service) -- C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe (Threat Expert Ltd.)
SRV - (FontCache) -- C:\Windows\System32\FntCache.dll (Microsoft Corporation)
SRV - (SBSDWSCService) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
SRV - (YahooAUService) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (AERTFilters) -- C:\Windows\System32\AERTSrv.exe (Andrea Electronics Corporation)
SRV - (IDriverT) -- C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe (Macrovision Corporation)


========== Driver Services (SafeList) ==========

DRV - (NwlnkFwd) -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys File not found
DRV - (NwlnkFlt) -- C:\Windows\System32\DRIVERS\nwlnkflt.sys File not found
DRV - (IpInIp) -- C:\Windows\System32\DRIVERS\ipinip.sys File not found
DRV - (blbdrive) -- C:\Windows\System32\drivers\blbdrive.sys File not found
DRV - (NAVEX15) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20100722.003\NAVEX15.SYS (Symantec Corporation)
DRV - (NAVENG) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20100722.003\NAVENG.SYS (Symantec Corporation)
DRV - (BHDrvx86) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100709.001\BHDrvx86.sys (Symantec Corporation)
DRV - (eeCtrl) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
DRV - (EraserUtilRebootDrv) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)
DRV - (IDSVix86) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100721.003\IDSvix86.sys (Symantec Corporation)
DRV - (SymEvent) -- C:\Windows\System32\drivers\SYMEVENT.SYS (Symantec Corporation)
DRV - (SYMTDIv) -- C:\Windows\System32\Drivers\N360\0402000.00C\SYMTDIV.SYS (Symantec Corporation)
DRV - (SymIRON) -- C:\Windows\system32\drivers\N360\0402000.00C\Ironx86.SYS (Symantec Corporation)
DRV - (SymEFA) -- C:\Windows\system32\drivers\N360\0402000.00C\SYMEFA.SYS (Symantec Corporation)
DRV - (SRTSP) -- C:\Windows\System32\Drivers\N360\0402000.00C\SRTSP.SYS (Symantec Corporation)
DRV - (SRTSPX) Symantec Real Time Storage Protection (PEL) -- C:\Windows\system32\drivers\N360\0402000.00C\SRTSPX.SYS (Symantec Corporation)
DRV - (PCTCore) -- C:\Windows\system32\drivers\PCTCore.sys (PC Tools)
DRV - (ccHP) -- C:\Windows\system32\drivers\N360\0402000.00C\ccHPx86.sys (Symantec Corporation)
DRV - (SymDS) -- C:\Windows\system32\drivers\N360\0402000.00C\SYMDS.SYS (Symantec Corporation)
DRV - (igfx) -- C:\Windows\System32\drivers\igdkmd32.sys (Intel Corporation)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\Windows\System32\drivers\RTKVHDA.sys (Realtek Semiconductor Corp.)
DRV - (VF0270Dev) -- C:\Windows\System32\drivers\V0270Dev.sys (Creative Technology Ltd.)
DRV - (pgfilter) -- C:\Program Files\PeerGuardian2\pgfilter.sys ()
DRV - (e1express) Intel® -- C:\Windows\System32\drivers\e1e6032.sys (Intel Corporation)
DRV - (VF0270Vfx) -- C:\Windows\System32\drivers\V0270Vfx.sys (EyePower Games Pte. Ltd.)
DRV - (viaide) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.)
DRV - (cmdide) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.)
DRV - (aliide) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.)
DRV - (DRVNDDM) -- C:\Windows\System32\drivers\DRVNDDM.SYS (Roxio)
DRV - (DLARTL_M) -- C:\Windows\System32\drivers\DLARTL_M.SYS (Roxio)
DRV - (DLACDBHM) -- C:\Windows\System32\drivers\DLACDBHM.SYS (Roxio)
DRV - (nvstor) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation)
DRV - (nvraid) NVIDIA nForce™ -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation)
DRV - (ql2300) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation)
DRV - (adp94xx) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.)
DRV - (elxstor) -- C:\Windows\system32\drivers\elxstor.sys (Emulex)
DRV - (adpahci) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.)
DRV - (uliahci) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.)
DRV - (iaStorV) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation)
DRV - (adpu320) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.)
DRV - (ulsata2) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.)
DRV - (vsmraid) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (ql40xx) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation)
DRV - (UlSata) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.)
DRV - (adpu160m) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.)
DRV - (nfrd960) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation)
DRV - (iirsp) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (SiSRaid4) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems)
DRV - (aic78xx) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.)
DRV - (arcsas) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.)
DRV - (LSI_SCSI) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic)
DRV - (SiSRaid2) -- C:\Windows\system32\drivers\sisraid2.sys (Silicon Integrated Systems Corp.)
DRV - (HpCISSs) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company)
DRV - (arc) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.)
DRV - (iteraid) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.)
DRV - (iteatapi) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.)
DRV - (LSI_SAS) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic)
DRV - (Symc8xx) -- C:\Windows\system32\drivers\symc8xx.sys (LSI Logic)
DRV - (LSI_FC) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic)
DRV - (Sym_u3) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic)
DRV - (Mraid35x) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation)
DRV - (Sym_hi) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic)
DRV - (megasas) -- C:\Windows\system32\drivers\megasas.sys (LSI Logic Corporation)
DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.)
DRV - (BrUsbSer) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.)
DRV - (BrFiltUp) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.)
DRV - (BrFiltLo) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.)
DRV - (BrSerWdm) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.)
DRV - (BrUsbMdm) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.)
DRV - (VSTHWBS2) -- C:\Windows\System32\drivers\VSTBS23.SYS (Conexant Systems, Inc.)
DRV - (VST_DPV) -- C:\Windows\System32\drivers\VSTDPV3.SYS (Conexant Systems, Inc.)
DRV - (ntrigdigi) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies)
DRV - (E1G60) Intel® -- C:\Windows\System32\drivers\E1G60I32.sys (Intel Corporation)
DRV - (DLADResM) -- C:\Windows\System32\DLA\DLADResM.SYS (Roxio)
DRV - (DLAUDFAM) -- C:\Windows\System32\DLA\DLAUDFAM.SYS (Roxio)
DRV - (DLABMFSM) -- C:\Windows\System32\DLA\DLABMFSM.SYS (Roxio)
DRV - (DLAUDF_M) -- C:\Windows\System32\DLA\DLAUDF_M.SYS (Roxio)
DRV - (DLAOPIOM) -- C:\Windows\System32\DLA\DLAOPIOM.SYS (Roxio)
DRV - (DLABOIOM) -- C:\Windows\System32\DLA\DLABOIOM.SYS (Roxio)
DRV - (DLAPoolM) -- C:\Windows\System32\DLA\DLAPoolM.SYS (Roxio)
DRV - (DLAIFS_M) -- C:\Windows\System32\DLA\DLAIFS_M.SYS (Roxio)
DRV - (HSF_DPV) -- C:\Windows\System32\drivers\HSX_DPV.sys (Conexant Systems, Inc.)
DRV - (HSXHWBS2) -- C:\Windows\System32\drivers\HSXHWBS2.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\Windows\System32\drivers\HSX_CNXT.sys (Conexant Systems, Inc.)
DRV - (XAudio) -- C:\Windows\System32\drivers\XAudio.sys (Conexant Systems, Inc.)
DRV - (DRVMCDB) -- C:\Windows\System32\Drivers\DRVMCDB.SYS (Sonic Solutions)
DRV - (HPPLSBULK) -- C:\Windows\System32\drivers\hpplsbulk.sys (Hewlett Packard)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.n...cid=NET_mmhpset
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = F4 9F F0 0F 43 ED CA 01 [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.2.20100127023632
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {BBDA0591-3099-440a-AA10-41764D9DB4DB}:2.0
FF - prefs.js..extensions.enabledItems: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}:4.6
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.1.4
FF - prefs.js..extensions.enabledItems: [email protected]:7
FF - prefs.js..network.proxy.no_proxies_on: "*.local"

FF - HKLM\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\ [2010/07/05 20:00:44 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn\ [2010/05/06 03:06:39 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/05/07 22:52:01 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/07 22:51:56 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/01 06:40:40 | 000,000,000 | ---D | M]

[2010/05/14 17:46:15 | 000,000,000 | ---D | M] -- C:\Users\Introfeel\AppData\Roaming\Mozilla\Extensions
[2010/05/14 17:46:15 | 000,000,000 | ---D | M] -- C:\Users\Introfeel\AppData\Roaming\Mozilla\Extensions\[email protected]
[2010/05/07 20:38:32 | 000,000,000 | ---D | M] -- C:\Users\Introfeel\AppData\Roaming\Mozilla\Firefox\Profiles\jq6w6nho.default\extensions
[2010/05/07 20:38:32 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Introfeel\AppData\Roaming\Mozilla\Firefox\Profiles\jq6w6nho.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/05/07 20:38:32 | 000,000,000 | ---D | M] -- C:\Users\Introfeel\AppData\Roaming\Mozilla\Firefox\Profiles\jq6w6nho.default\extensions\staged-xpis
[2010/05/08 09:44:36 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/05/07 20:34:23 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Program Files\Mozilla Firefox\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2010/05/07 21:54:29 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/05/07 21:53:23 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/07/21 15:18:06 | 000,414,821 | R--- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 14326 more lines...
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (PC Tools Browser Guard BHO) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\coieplg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ipsbho.dll (Symantec Corporation)
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\coieplg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\coieplg.dll (Symantec Corporation)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe (Hewlett-Packard)
O4 - HKLM..\Run: [V0270Mon.exe] C:\Windows\V0270Mon.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [eFax 4.4] C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe (j2 Global Communications, Inc.)
O4 - HKCU..\Run: [googletalk] C:\Users\Introfeel\AppData\Roaming\Google\Google Talk\googletalk.exe (Google)
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Users\Introfeel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eFax 4.4.lnk = C:\Program Files\eFax Messenger 4.4\J2GTray.exe (j2 Global Communications, Inc.)
O4 - Startup: C:\Users\Introfeel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (Lime Wire, LLC)
O4 - Startup: C:\Users\Introfeel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O13 - gopher Prefix: missing
O16 - DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} http://h50203.www5.h...SWebManager.CAB (Hewlett-Packard Printer Diagnostics)
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.h...tDetection2.cab (GMNRev Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} http://www.hp.com/cp...ddObjSigned.cab (HPSDDX Class)
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} http://tools.ebayimg...l_v1-0-31-0.cab (EPUImageControl Class)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://cirrusevents...br/ieatgpc1.cab (GpcContainer Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - File not found
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

Drivers32: aux - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midi - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midimapper - C:\Windows\System32\midimap.dll (Microsoft Corporation)
Drivers32: mixer - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: msacm.imaadpcm - C:\Windows\System32\imaadp32.acm (Microsoft Corporation)
Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.msadpcm - C:\Windows\System32\msadp32.acm (Microsoft Corporation)
Drivers32: msacm.msg711 - C:\Windows\System32\msg711.acm (Microsoft Corporation)
Drivers32: msacm.msgsm610 - C:\Windows\System32\msgsm32.acm (Microsoft Corporation)
Drivers32: msacm.siren - C:\Windows\System32\sirenacm.dll (Microsoft Corporation)
Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.i420 - C:\Windows\System32\iyuv_32.dll (Microsoft Corporation)
Drivers32: VIDC.IYUV - C:\Windows\System32\iyuv_32.dll (Microsoft Corporation)
Drivers32: vidc.mrle - C:\Windows\System32\msrle32.dll (Microsoft Corporation)
Drivers32: vidc.msvc - C:\Windows\System32\msvidc32.dll (Microsoft Corporation)
Drivers32: VIDC.UYVY - C:\Windows\System32\msyuv.dll (Microsoft Corporation)
Drivers32: VIDC.YUY2 - C:\Windows\System32\msyuv.dll (Microsoft Corporation)
Drivers32: VIDC.YVU9 - C:\Windows\System32\tsbyuv.dll (Microsoft Corporation)
Drivers32: VIDC.YVYU - C:\Windows\System32\msyuv.dll (Microsoft Corporation)
Drivers32: wave - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: wavemapper - C:\Windows\System32\msacm32.drv (Microsoft Corporation)

CREATERESTOREPOINT
Error creating restore point.

========== Files/Folders - Created Within 30 Days ==========

[2010/07/23 15:59:38 | 000,000,000 | ---D | C] -- C:\Users\Introfeel\Desktop\gmer
[2010/07/23 15:57:29 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Users\Introfeel\Desktop\OTL.exe
[2010/07/23 11:42:11 | 001,652,664 | ---- | C] (Threat Expert Ltd.) -- C:\Windows\PCTBDCore.dll
[2010/07/23 11:42:11 | 000,165,840 | ---- | C] (Threat Expert Ltd.) -- C:\Windows\PCTBDRes.dll
[2010/07/23 11:42:11 | 000,149,456 | ---- | C] (PC Tools) -- C:\Windows\SGDetectionTool.dll
[2010/07/23 11:36:32 | 000,233,136 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctgntdi.sys
[2010/07/23 11:36:32 | 000,100,136 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctwfpfilter.sys
[2010/07/23 11:36:20 | 000,218,592 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\PCTCore.sys
[2010/07/23 11:36:20 | 000,088,040 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\PCTAppEvent.sys
[2010/07/23 11:36:05 | 000,063,360 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctplsg.sys
[2010/07/23 11:35:56 | 000,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor
[2010/07/23 11:35:56 | 000,000,000 | ---D | C] -- C:\Users\Introfeel\AppData\Roaming\PC Tools
[2010/07/23 11:35:56 | 000,000,000 | ---D | C] -- C:\ProgramData\PC Tools
[2010/07/23 11:35:56 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2010/07/23 11:35:35 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2010/07/22 17:23:51 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/07/22 16:55:22 | 000,000,000 | ---D | C] -- C:\Users\Introfeel\AppData\Roaming\vlc
[2010/07/21 17:11:31 | 000,000,000 | ---D | C] -- C:\Users\Introfeel\AppData\Roaming\Creative
[2010/07/17 16:48:19 | 000,000,000 | ---D | C] -- C:\Users\Introfeel\Documents\AIDS
[2010/07/15 20:16:40 | 000,000,000 | ---D | C] -- C:\Windows\System32\MKDE
[2010/07/12 00:52:18 | 000,000,000 | ---D | C] -- C:\Program Files\IDI Magic
[2010/07/10 06:29:26 | 000,000,000 | ---D | C] -- C:\Program Files\Cherry Red Casino
[2010/07/07 06:57:13 | 000,000,000 | ---D | C] -- C:\Windows\System32\WindowsPowerShell
[2010/07/07 06:56:00 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winrsmgr.dll
[2010/07/07 06:55:49 | 000,040,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winrs.exe
[2010/07/07 06:55:49 | 000,020,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winrshost.exe
[2010/07/07 06:55:49 | 000,012,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wsmprovhost.exe
[2010/07/07 06:55:48 | 000,010,240 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wsmplpxy.dll
[2010/07/07 06:55:48 | 000,010,240 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winrssrv.dll
[2010/07/07 06:55:47 | 000,081,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wevtfwd.dll
[2010/07/07 06:55:47 | 000,079,872 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wecutil.exe
[2010/07/07 06:55:47 | 000,056,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wecapi.dll
[2010/07/07 06:55:47 | 000,054,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WsmRes.dll
[2010/07/07 06:55:47 | 000,041,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\pwrshplugin.dll
[2010/07/07 06:55:44 | 000,252,416 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WSManMigrationPlugin.dll
[2010/07/07 06:55:44 | 000,246,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WSManHTTPConfig.exe
[2010/07/07 06:55:44 | 000,241,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winrscmd.dll
[2010/07/07 06:55:44 | 000,214,016 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WsmWmiPl.dll
[2010/07/07 06:55:44 | 000,145,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WsmAuto.dll
[2010/07/03 11:57:11 | 000,000,000 | ---D | C] -- C:\Users\Introfeel\Documents\Gamble
[2010/06/30 15:52:51 | 000,000,000 | ---D | C] -- C:\Users\Introfeel\Documents\Forex
[2010/06/27 16:15:01 | 000,000,000 | ---D | C] -- C:\Users\Introfeel\AppData\Roaming\Google
[2010/06/26 15:51:56 | 000,000,000 | ---D | C] -- C:\Program Files\Rushmore Casino
[2010/06/26 06:36:13 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET

========== Files - Modified Within 30 Days ==========

[2010/07/23 16:08:08 | 006,815,744 | -HS- | M] () -- C:\Users\Introfeel\NTUSER.DAT
[2010/07/23 15:59:24 | 000,284,915 | ---- | M] () -- C:\Users\Introfeel\Desktop\gmer.zip
[2010/07/23 15:57:32 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Introfeel\Desktop\OTL.exe
[2010/07/23 15:31:00 | 000,000,924 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-939453163-656404264-1916229718-1000UA.job
[2010/07/23 15:27:44 | 000,003,664 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/07/23 15:27:44 | 000,003,664 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/07/23 12:04:57 | 000,000,226 | ---- | M] () -- C:\Users\Introfeel\Desktop\backdoor.tidserv!inf removal - Geeks to Go!.url
[2010/07/23 11:36:11 | 000,001,761 | ---- | M] () -- C:\Users\Public\Desktop\Spyware Doctor.lnk
[2010/07/23 11:27:45 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/07/23 11:27:42 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/07/23 11:27:41 | 2134,069,248 | -HS- | M] () -- C:\hiberfil.sys
[2010/07/23 11:15:57 | 000,524,288 | -HS- | M] () -- C:\Users\Introfeel\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
[2010/07/23 11:15:57 | 000,065,536 | -HS- | M] () -- C:\Users\Introfeel\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2010/07/23 11:09:30 | 000,126,920 | ---- | M] () -- C:\Windows\hppins01.dat
[2010/07/23 11:08:19 | 000,000,179 | ---- | M] () -- C:\Windows\win.ini
[2010/07/23 11:06:04 | 002,161,116 | -H-- | M] () -- C:\Users\Introfeel\AppData\Local\IconCache.db
[2010/07/23 11:05:47 | 000,000,235 | ---- | M] () -- C:\Users\Introfeel\Desktop\Backdoor.Tidserv Removal - Removing Help Symantec.url
[2010/07/23 11:03:30 | 000,715,876 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/07/23 11:03:30 | 000,612,592 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/07/23 11:03:30 | 000,107,654 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/07/22 17:31:00 | 000,000,872 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-939453163-656404264-1916229718-1000Core.job
[2010/07/22 17:24:34 | 000,001,804 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2010/07/22 16:55:15 | 000,000,861 | ---- | M] () -- C:\Users\Public\Desktop\VLC media player.lnk
[2010/07/22 16:53:48 | 019,473,201 | ---- | M] () -- C:\Users\Introfeel\Documents\vlc-1.1.1-win32.exe
[2010/07/22 12:17:45 | 000,000,194 | ---- | M] () -- C:\Users\Introfeel\Desktop\Spiritual Warfare.url
[2010/07/22 12:15:05 | 000,000,178 | ---- | M] () -- C:\Users\Introfeel\Desktop\Fire and Ice.url
[2010/07/21 15:18:06 | 000,414,821 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/07/20 08:49:23 | 000,003,072 | ---- | M] () -- C:\Users\Introfeel\AppData\Roaming\wklnhst.dat
[2010/07/19 19:11:01 | 000,767,928 | ---- | M] () -- C:\Windows\BDTSupport.dll
[2010/07/16 12:25:04 | 000,412,221 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts.20100721-151806.backup
[2010/07/15 20:16:46 | 000,001,946 | ---- | M] () -- C:\Users\Public\Desktop\Federal Money Retriever.lnk
[2010/07/14 20:38:09 | 000,000,283 | ---- | M] () -- C:\Users\Introfeel\Desktop\Upscale Gourmet Food Emporium - NJ Business for sale in New Jersey on BizBuySell.url
[2010/07/13 06:10:56 | 000,196,648 | ---- | M] () -- C:\Users\Introfeel\Documents\Forgiveness Student Loan.pdf
[2010/07/12 18:10:19 | 000,000,193 | ---- | M] () -- C:\Users\Introfeel\Desktop\Gourmet Food Emporium Business For Sale In New York City Area, New York GlobalBX.url
[2010/07/12 01:26:57 | 000,000,210 | ---- | M] () -- C:\Users\Introfeel\Desktop\8(a) Small Business Application.url
[2010/07/12 01:26:41 | 000,000,188 | ---- | M] () -- C:\Users\Introfeel\Desktop\Small Business Assessment Tool (SBAT).url
[2010/07/11 19:25:22 | 000,000,459 | ---- | M] () -- C:\Users\Introfeel\Desktop\United Starseed Federation - Uniting Starseeds, Walk-Ins and Lightworkers with Their Home Worlds!.url
[2010/07/10 12:06:28 | 000,001,703 | ---- | M] () -- C:\Users\Introfeel\Desktop\Rushmore Casino.lnk
[2010/07/10 08:00:35 | 000,041,472 | ---- | M] () -- C:\Users\Introfeel\Desktop\Cherry-Red-Authorization-Form[1].doc
[2010/07/10 06:30:03 | 000,001,725 | ---- | M] () -- C:\Users\Introfeel\Desktop\Cherry Red Casino.lnk
[2010/07/06 19:37:42 | 000,001,854 | ---- | M] () -- C:\Users\Introfeel\Application Data\Microsoft\Internet Explorer\Quick Launch\Yahoo! Messenger.lnk
[2010/07/06 19:37:42 | 000,001,830 | ---- | M] () -- C:\Users\Public\Desktop\Yahoo! Messenger.lnk
[2010/07/05 18:48:04 | 000,000,207 | ---- | M] () -- C:\Users\Introfeel\Desktop\European Roulette - Play for free at PokerLoco online casino.url
[2010/07/05 12:36:20 | 000,000,000 | ---- | M] () -- C:\Users\Introfeel\Documents\How_To_Make_Money_Online_Without_spending_a_dime.pdf
[2010/07/04 22:01:20 | 000,000,124 | ---- | M] () -- C:\Users\Introfeel\Desktop\Joyce J Hurley on MySpace Music - Free Streaming MP3s, Pictures & Music Downloads.url
[2010/07/04 07:25:42 | 000,000,190 | ---- | M] () -- C:\Users\Introfeel\Desktop\iPetitions - Start a free online petition in minutes.url
[2010/07/02 03:32:49 | 000,002,064 | ---- | M] () -- C:\Users\Introfeel\Desktop\Google Chrome.lnk
[2010/07/02 03:32:49 | 000,002,026 | ---- | M] () -- C:\Users\Introfeel\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2010/07/01 15:12:36 | 000,114,688 | ---- | M] () -- C:\Users\Introfeel\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/07/01 06:40:41 | 000,001,889 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2010/06/30 21:26:12 | 019,495,102 | ---- | M] () -- C:\Users\Introfeel\Documents\vlc-1.1.0-win32.exe
[2010/06/26 15:03:54 | 007,846,251 | ---- | M] () -- C:\Users\Introfeel\Documents\alldayprofits_com.mht
[2010/06/26 07:21:30 | 000,061,071 | ---- | M] () -- C:\Users\Introfeel\Documents\Gambling.html

========== Files Created - No Company Name ==========

[2010/07/23 15:59:22 | 000,284,915 | ---- | C] () -- C:\Users\Introfeel\Desktop\gmer.zip
[2010/07/23 12:04:57 | 000,000,226 | ---- | C] () -- C:\Users\Introfeel\Desktop\backdoor.tidserv!inf removal - Geeks to Go!.url
[2010/07/23 11:42:11 | 001,152,444 | ---- | C] () -- C:\Windows\UDB.zip
[2010/07/23 11:42:11 | 000,767,952 | ---- | C] () -- C:\Windows\BDTSupport.dll.old
[2010/07/23 11:42:11 | 000,767,928 | ---- | C] () -- C:\Windows\BDTSupport.dll
[2010/07/23 11:42:11 | 000,000,882 | ---- | C] () -- C:\Windows\RegSDImport.xml
[2010/07/23 11:42:11 | 000,000,879 | ---- | C] () -- C:\Windows\RegISSImport.xml
[2010/07/23 11:42:11 | 000,000,131 | ---- | C] () -- C:\Windows\IDB.zip
[2010/07/23 11:36:32 | 000,007,387 | ---- | C] () -- C:\Windows\System32\drivers\pctgntdi.cat
[2010/07/23 11:36:20 | 000,007,412 | ---- | C] () -- C:\Windows\System32\drivers\PCTAppEvent.cat
[2010/07/23 11:36:20 | 000,007,383 | ---- | C] () -- C:\Windows\System32\drivers\pctcore.cat
[2010/07/23 11:36:10 | 000,001,761 | ---- | C] () -- C:\Users\Public\Desktop\Spyware Doctor.lnk
[2010/07/23 11:36:05 | 000,007,383 | ---- | C] () -- C:\Windows\System32\drivers\pctplsg.cat
[2010/07/23 11:05:47 | 000,000,235 | ---- | C] () -- C:\Users\Introfeel\Desktop\Backdoor.Tidserv Removal - Removing Help Symantec.url
[2010/07/23 06:13:30 | 2134,069,248 | -HS- | C] () -- C:\hiberfil.sys
[2010/07/22 17:24:34 | 000,001,804 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2010/07/22 16:55:14 | 000,000,861 | ---- | C] () -- C:\Users\Public\Desktop\VLC media player.lnk
[2010/07/22 16:53:30 | 019,473,201 | ---- | C] () -- C:\Users\Introfeel\Documents\vlc-1.1.1-win32.exe
[2010/07/15 20:16:46 | 000,001,946 | ---- | C] () -- C:\Users\Public\Desktop\Federal Money Retriever.lnk
[2010/07/14 20:38:09 | 000,000,283 | ---- | C] () -- C:\Users\Introfeel\Desktop\Upscale Gourmet Food Emporium - NJ Business for sale in New Jersey on BizBuySell.url
[2010/07/13 06:10:55 | 000,196,648 | ---- | C] () -- C:\Users\Introfeel\Documents\Forgiveness Student Loan.pdf
[2010/07/12 18:10:19 | 000,000,193 | ---- | C] () -- C:\Users\Introfeel\Desktop\Gourmet Food Emporium Business For Sale In New York City Area, New York GlobalBX.url
[2010/07/12 01:26:57 | 000,000,210 | ---- | C] () -- C:\Users\Introfeel\Desktop\8(a) Small Business Application.url
[2010/07/12 01:26:41 | 000,000,188 | ---- | C] () -- C:\Users\Introfeel\Desktop\Small Business Assessment Tool (SBAT).url
[2010/07/10 12:06:27 | 000,001,703 | ---- | C] () -- C:\Users\Introfeel\Desktop\Rushmore Casino.lnk
[2010/07/10 08:00:33 | 000,041,472 | ---- | C] () -- C:\Users\Introfeel\Desktop\Cherry-Red-Authorization-Form[1].doc
[2010/07/10 06:30:02 | 000,001,725 | ---- | C] () -- C:\Users\Introfeel\Desktop\Cherry Red Casino.lnk
[2010/07/07 06:55:45 | 000,201,184 | ---- | C] () -- C:\Windows\System32\winrm.vbs
[2010/07/07 06:55:45 | 000,002,426 | ---- | C] () -- C:\Windows\System32\WsmTxt.xsl
[2010/07/07 06:55:44 | 000,004,675 | ---- | C] () -- C:\Windows\System32\wsmanconfig_schema.xml
[2010/07/06 19:37:42 | 000,001,830 | ---- | C] () -- C:\Users\Public\Desktop\Yahoo! Messenger.lnk
[2010/07/06 19:37:41 | 000,001,854 | ---- | C] () -- C:\Users\Introfeel\Application Data\Microsoft\Internet Explorer\Quick Launch\Yahoo! Messenger.lnk
[2010/07/05 12:36:19 | 000,000,000 | ---- | C] () -- C:\Users\Introfeel\Documents\How_To_Make_Money_Online_Without_spending_a_dime.pdf
[2010/07/04 22:01:20 | 000,000,124 | ---- | C] () -- C:\Users\Introfeel\Desktop\Joyce J Hurley on MySpace Music - Free Streaming MP3s, Pictures & Music Downloads.url
[2010/07/01 06:40:40 | 000,001,889 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2010/06/30 21:25:42 | 019,495,102 | ---- | C] () -- C:\Users\Introfeel\Documents\vlc-1.1.0-win32.exe
[2010/06/26 15:03:53 | 007,846,251 | ---- | C] () -- C:\Users\Introfeel\Documents\alldayprofits_com.mht
[2010/06/26 14:25:02 | 000,000,207 | ---- | C] () -- C:\Users\Introfeel\Desktop\European Roulette - Play for free at PokerLoco online casino.url
[2010/06/26 07:21:28 | 000,061,071 | ---- | C] () -- C:\Users\Introfeel\Documents\Gambling.html
[2010/06/11 20:19:03 | 000,000,000 | ---- | C] () -- C:\Windows\HPMProp.INI
[2010/05/09 06:39:05 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2010/05/06 12:32:33 | 000,056,056 | ---- | C] () -- C:\Windows\System32\DLAAPI_W.DLL
[2010/05/06 12:32:29 | 000,000,118 | ---- | C] () -- C:\Windows\wininit.ini
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2008/02/13 12:54:52 | 000,467,001 | R--- | C] () -- C:\Windows\System32\W3MKDE.DLL
[2008/02/13 12:54:52 | 000,061,499 | R--- | C] () -- C:\Windows\System32\W3MKDERC.DLL
[2008/02/11 19:55:18 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1437.dll
[2008/01/14 17:47:06 | 000,099,712 | ---- | C] () -- C:\Windows\HPBroker.dll
[2007/08/06 18:22:15 | 000,000,000 | ---- | C] () -- C:\Windows\System32\px.ini
[2006/11/02 07:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/09/16 23:36:50 | 000,520,192 | ---- | C] () -- C:\Windows\System32\CddbPlaylist2Roxio.dll
[2006/09/16 23:36:50 | 000,204,800 | ---- | C] () -- C:\Windows\System32\CddbFileTaggerRoxio.dll
[2005/02/03 11:31:00 | 000,032,768 | ---- | C] () -- C:\Windows\System32\compJNI.dll
[2004/08/20 07:02:52 | 000,102,400 | ---- | C] () -- C:\Windows\System32\PMLJNI.dll
[2001/07/07 04:00:00 | 000,003,399 | ---- | C] () -- C:\Windows\System32\hptcpmon.ini
[2001/03/28 12:37:14 | 000,000,033 | ---- | C] () -- C:\Windows\hppcap.ini

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2006/09/18 16:43:36 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
[2009/12/09 17:25:27 | 007,306,434 | ---- | M] () -- C:\Ben Harper & Ziggy Marley - Could You Be Love (Live Bob Marley Cover).mp3
[2009/04/11 01:36:36 | 000,333,257 | RHS- | M] () -- C:\bootmgr
[2010/05/05 21:38:08 | 000,008,192 | R-S- | M] () -- C:\BOOTSECT.BAK
[2009/12/09 17:25:33 | 005,571,022 | ---- | M] () -- C:\Brothers Keepers - Ziggy Marley, Bunny Wailer, Buju Banton, Damian 'Junior Gong' Marley, Morgan Heri.mp3
[2006/09/18 16:43:37 | 000,000,010 | ---- | M] () -- C:\config.sys
[2009/12/09 17:42:04 | 005,412,699 | ---- | M] () -- C:\Confunkshun - Chase Me.mp3
[2009/12/09 17:36:54 | 004,722,278 | ---- | M] () -- C:\confunktion - fun fun fun.mp3
[2008/04/03 20:31:27 | 000,004,512 | RH-- | M] () -- C:\dell.sdr
[2009/12/09 17:25:50 | 005,135,883 | ---- | M] () -- C:\Erykah Badu and Ziggy Marley - In Love With You.mp3
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1028.txt
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1031.txt
[2007/11/07 09:00:40 | 000,010,134 | ---- | M] () -- C:\eula.1033.txt
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1036.txt
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1040.txt
[2007/11/07 09:00:40 | 000,000,118 | ---- | M] () -- C:\eula.1041.txt
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1042.txt
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.2052.txt
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.3082.txt
[2010/07/23 11:27:41 | 2134,069,248 | -HS- | M] () -- C:\hiberfil.sys
[2008/11/02 00:31:20 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/02/17 21:00:06 | 000,002,405 | -H-- | M] () -- C:\IPH.PH
[2008/11/02 00:31:20 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2008/11/06 12:45:42 | 000,000,826 | ---- | M] () -- C:\net_save.dna
[2010/07/23 11:27:40 | 2449,948,672 | -HS- | M] () -- C:\pagefile.sys
[2009/07/28 13:25:10 | 000,000,909 | ---- | M] () -- C:\updatedatfix.log
[2007/11/07 09:00:40 | 000,005,686 | ---- | M] () -- C:\vcredist.bmp
[2007/11/07 09:09:22 | 001,442,522 | ---- | M] () -- C:\VC_RED.cab
[2009/02/14 23:04:31 | 000,000,037 | ---- | M] () -- C:\wizard.txt
[2008/11/17 07:36:28 | 000,000,158 | ---- | M] () -- C:\YServer.txt

< %systemroot%\system32\*.wt >

< %systemroot%\system32\*.ruy >

< %systemroot%\Fonts\*.com >
[2006/11/02 07:37:12 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
[2006/11/02 07:37:12 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
[2006/11/02 07:37:12 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
[2010/05/11 13:29:48 | 000,037,665 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2006/09/18 16:37:34 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2010/05/01 17:54:54 | 000,302,080 | ---- | M] (Hewlett-Packard Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\hpcpp104.dll
[2007/01/25 13:24:04 | 000,286,208 | ---- | M] (Hewlett-Packard Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\hpzpp4wm.dll
[2008/01/19 02:34:28 | 000,089,600 | ---- | M] (Hewlett-Packard Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\HPZPPLHN.DLL
[2006/11/02 07:35:48 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\jnwppr.dll

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.scr >
[2009/07/10 12:15:46 | 000,306,544 | ---- | M] (Microsoft Corporation) -- C:\Windows\WLXPGSS.SCR

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >
[2010/05/08 20:52:00 | 000,000,174 | -HS- | M] () -- C:\Program Files\desktop.ini

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2006/11/02 04:46:04 | 000,380,957 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\expsrv.dll
[2009/04/11 01:27:47 | 000,241,128 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rsaenh.dll
[2009/04/11 01:28:23 | 000,228,352 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\SLC.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2006/11/02 05:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
[2006/11/02 05:34:05 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
[2006/11/02 05:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
[2006/11/02 05:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
[2006/11/02 05:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

< %systemroot%\system32\user32.dll /md5 >
[2009/04/11 01:28:25 | 000,627,712 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\user32.dll

< %systemroot%\system32\ws2_32.dll /md5 >
[2008/01/19 02:37:09 | 000,179,200 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\ws2_32.dll

< %systemroot%\system32\ws2help.dll /md5 >
[2006/11/02 04:44:30 | 000,004,608 | ---- | M] (Microsoft Corporation) MD5=17C0671BF57057108A6D949510EE42C8 -- C:\Windows\System32\ws2help.dll

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-07-23 08:02:58

< >

========== Alternate Data Streams ==========

@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\zeytinia package:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\Untitled 1_html_m1fdd0ba3.jpg:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\sorry_im_stupid.JPG:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\Rudejam:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\Ressurrection Financing:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\reshack[1]:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\programs:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\PL2303_Prolific_DriverInstaller_10311[1]:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\P2160088 justice..jpg:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\old documents:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\MySpaceIM Pics:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\My Scans:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\my roboform data:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\My Received Files:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\My Dick.jpeg.jpg:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\Manly_P._Hall_-_Man__Grand_Symbol_of_the_Mysteries:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\LoopNet - The Gary Portfolio, Garden-Low-Rise, 2002 Hanley Street, Gary, IN_files:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\live! cam center:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\LimeWire:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\joycehurley-04.m3u:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\Hypnotherapy Skillas:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\hypnotherapy a a:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\Grocery Store:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\Gamble:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\FRANK SHAFT Booty_Studio_-_4-Scene-4_ipod.mp4:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\FRANK SHAFT Booty_Studio_-_3-Scene-4_ipod.mp4:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\Forex:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\FLAC_frontend[1]:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\FLAC_frontend:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\eFax Messenger 4.4:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\Downloads:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\chakra balancing:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\Blogs:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\AIDS:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\Adeel:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\acquisition_of_rental_property_broker_2009_1_[1]:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\3568_ResHack[1]:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Desktop\OpenOffice.org 3.2 (en-US) Installation Files:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Desktop\Monica Main:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Desktop\How to Turn a Few Dollars Into Billions:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Desktop\gmer:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Desktop\Free Ads:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Desktop\eugene:Roxio EMC Stream
@Alternate Data Stream - 158 bytes -> C:\ProgramData\TEMP:DFC5A2B2
@Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:A8ADE5D8
< End of report >

#4
Introfeel

    Member

  • Topic Starter
  • Member
  • 24 posts
OTL logfile created on: 7/23/2010 4:05:51 PM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Users\Introfeel\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18928)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 55.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 72.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 455.71 Gb Total Space | 326.98 Gb Free Space | 71.75% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 6.03 Gb Free Space | 60.25% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: POINDEXTER
Current User Name: Introfeel
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Users\Introfeel\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
PRC - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccsvchst.exe (Symantec Corporation)
PRC - C:\Program Files\OpenOffice.org 3\program\soffice.bin (OpenOffice.org)
PRC - C:\Program Files\OpenOffice.org 3\program\soffice.exe (OpenOffice.org)
PRC - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe (Threat Expert Ltd.)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
PRC - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
PRC - C:\Program Files\eFax Messenger 4.4\J2GTray.exe (j2 Global Communications, Inc.)
PRC - C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe (j2 Global Communications, Inc.)
PRC - C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
PRC - C:\Windows\System32\AERTSrv.exe (Andrea Electronics Corporation)
PRC - C:\Windows\V0270Mon.exe (Creative Technology Ltd.)
PRC - C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe (Hewlett-Packard)
PRC - C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe ()
PRC - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)
PRC - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe (Sonic Solutions)
PRC - C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation)


========== Modules (SafeList) ==========

MOD - C:\Users\Introfeel\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\asoehook.dll (Symantec Corporation)
MOD - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\microsoft.vc90.crt\msvcr90.dll (Microsoft Corporation)
MOD - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\microsoft.vc90.crt\msvcp90.dll (Microsoft Corporation)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll (Microsoft Corporation)
MOD - C:\Windows\System32\msscript.ocx (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (WPFFontCache_v0400) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe (Microsoft Corporation)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (sdCoreService) -- C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools)
SRV - (sdAuxService) -- C:\Program Files\Spyware Doctor\pctsAuxs.exe (PC Tools)
SRV - (N360) -- C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe (Symantec Corporation)
SRV - (Browser Defender Update Service) -- C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe (Threat Expert Ltd.)
SRV - (FontCache) -- C:\Windows\System32\FntCache.dll (Microsoft Corporation)
SRV - (SBSDWSCService) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
SRV - (YahooAUService) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (AERTFilters) -- C:\Windows\System32\AERTSrv.exe (Andrea Electronics Corporation)
SRV - (IDriverT) -- C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe (Macrovision Corporation)


========== Driver Services (SafeList) ==========

DRV - (NwlnkFwd) -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys File not found
DRV - (NwlnkFlt) -- C:\Windows\System32\DRIVERS\nwlnkflt.sys File not found
DRV - (IpInIp) -- C:\Windows\System32\DRIVERS\ipinip.sys File not found
DRV - (blbdrive) -- C:\Windows\System32\drivers\blbdrive.sys File not found
DRV - (NAVEX15) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20100722.003\NAVEX15.SYS (Symantec Corporation)
DRV - (NAVENG) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20100722.003\NAVENG.SYS (Symantec Corporation)
DRV - (BHDrvx86) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100709.001\BHDrvx86.sys (Symantec Corporation)
DRV - (eeCtrl) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
DRV - (EraserUtilRebootDrv) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)
DRV - (IDSVix86) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100721.003\IDSvix86.sys (Symantec Corporation)
DRV - (SymEvent) -- C:\Windows\System32\drivers\SYMEVENT.SYS (Symantec Corporation)
DRV - (SYMTDIv) -- C:\Windows\System32\Drivers\N360\0402000.00C\SYMTDIV.SYS (Symantec Corporation)
DRV - (SymIRON) -- C:\Windows\system32\drivers\N360\0402000.00C\Ironx86.SYS (Symantec Corporation)
DRV - (SymEFA) -- C:\Windows\system32\drivers\N360\0402000.00C\SYMEFA.SYS (Symantec Corporation)
DRV - (SRTSP) -- C:\Windows\System32\Drivers\N360\0402000.00C\SRTSP.SYS (Symantec Corporation)
DRV - (SRTSPX) Symantec Real Time Storage Protection (PEL) -- C:\Windows\system32\drivers\N360\0402000.00C\SRTSPX.SYS (Symantec Corporation)
DRV - (PCTCore) -- C:\Windows\system32\drivers\PCTCore.sys (PC Tools)
DRV - (ccHP) -- C:\Windows\system32\drivers\N360\0402000.00C\ccHPx86.sys (Symantec Corporation)
DRV - (SymDS) -- C:\Windows\system32\drivers\N360\0402000.00C\SYMDS.SYS (Symantec Corporation)
DRV - (igfx) -- C:\Windows\System32\drivers\igdkmd32.sys (Intel Corporation)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\Windows\System32\drivers\RTKVHDA.sys (Realtek Semiconductor Corp.)
DRV - (VF0270Dev) -- C:\Windows\System32\drivers\V0270Dev.sys (Creative Technology Ltd.)
DRV - (pgfilter) -- C:\Program Files\PeerGuardian2\pgfilter.sys ()
DRV - (e1express) Intel® -- C:\Windows\System32\drivers\e1e6032.sys (Intel Corporation)
DRV - (VF0270Vfx) -- C:\Windows\System32\drivers\V0270Vfx.sys (EyePower Games Pte. Ltd.)
DRV - (viaide) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.)
DRV - (cmdide) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.)
DRV - (aliide) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.)
DRV - (DRVNDDM) -- C:\Windows\System32\drivers\DRVNDDM.SYS (Roxio)
DRV - (DLARTL_M) -- C:\Windows\System32\drivers\DLARTL_M.SYS (Roxio)
DRV - (DLACDBHM) -- C:\Windows\System32\drivers\DLACDBHM.SYS (Roxio)
DRV - (nvstor) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation)
DRV - (nvraid) NVIDIA nForce™ -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation)
DRV - (ql2300) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation)
DRV - (adp94xx) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.)
DRV - (elxstor) -- C:\Windows\system32\drivers\elxstor.sys (Emulex)
DRV - (adpahci) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.)
DRV - (uliahci) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.)
DRV - (iaStorV) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation)
DRV - (adpu320) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.)
DRV - (ulsata2) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.)
DRV - (vsmraid) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (ql40xx) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation)
DRV - (UlSata) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.)
DRV - (adpu160m) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.)
DRV - (nfrd960) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation)
DRV - (iirsp) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (SiSRaid4) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems)
DRV - (aic78xx) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.)
DRV - (arcsas) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.)
DRV - (LSI_SCSI) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic)
DRV - (SiSRaid2) -- C:\Windows\system32\drivers\sisraid2.sys (Silicon Integrated Systems Corp.)
DRV - (HpCISSs) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company)
DRV - (arc) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.)
DRV - (iteraid) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.)
DRV - (iteatapi) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.)
DRV - (LSI_SAS) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic)
DRV - (Symc8xx) -- C:\Windows\system32\drivers\symc8xx.sys (LSI Logic)
DRV - (LSI_FC) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic)
DRV - (Sym_u3) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic)
DRV - (Mraid35x) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation)
DRV - (Sym_hi) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic)
DRV - (megasas) -- C:\Windows\system32\drivers\megasas.sys (LSI Logic Corporation)
DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.)
DRV - (BrUsbSer) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.)
DRV - (BrFiltUp) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.)
DRV - (BrFiltLo) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.)
DRV - (BrSerWdm) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.)
DRV - (BrUsbMdm) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.)
DRV - (VSTHWBS2) -- C:\Windows\System32\drivers\VSTBS23.SYS (Conexant Systems, Inc.)
DRV - (VST_DPV) -- C:\Windows\System32\drivers\VSTDPV3.SYS (Conexant Systems, Inc.)
DRV - (ntrigdigi) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies)
DRV - (E1G60) Intel® -- C:\Windows\System32\drivers\E1G60I32.sys (Intel Corporation)
DRV - (DLADResM) -- C:\Windows\System32\DLA\DLADResM.SYS (Roxio)
DRV - (DLAUDFAM) -- C:\Windows\System32\DLA\DLAUDFAM.SYS (Roxio)
DRV - (DLABMFSM) -- C:\Windows\System32\DLA\DLABMFSM.SYS (Roxio)
DRV - (DLAUDF_M) -- C:\Windows\System32\DLA\DLAUDF_M.SYS (Roxio)
DRV - (DLAOPIOM) -- C:\Windows\System32\DLA\DLAOPIOM.SYS (Roxio)
DRV - (DLABOIOM) -- C:\Windows\System32\DLA\DLABOIOM.SYS (Roxio)
DRV - (DLAPoolM) -- C:\Windows\System32\DLA\DLAPoolM.SYS (Roxio)
DRV - (DLAIFS_M) -- C:\Windows\System32\DLA\DLAIFS_M.SYS (Roxio)
DRV - (HSF_DPV) -- C:\Windows\System32\drivers\HSX_DPV.sys (Conexant Systems, Inc.)
DRV - (HSXHWBS2) -- C:\Windows\System32\drivers\HSXHWBS2.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\Windows\System32\drivers\HSX_CNXT.sys (Conexant Systems, Inc.)
DRV - (XAudio) -- C:\Windows\System32\drivers\XAudio.sys (Conexant Systems, Inc.)
DRV - (DRVMCDB) -- C:\Windows\System32\Drivers\DRVMCDB.SYS (Sonic Solutions)
DRV - (HPPLSBULK) -- C:\Windows\System32\drivers\hpplsbulk.sys (Hewlett Packard)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.n...cid=NET_mmhpset
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = F4 9F F0 0F 43 ED CA 01 [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.2.20100127023632
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {BBDA0591-3099-440a-AA10-41764D9DB4DB}:2.0
FF - prefs.js..extensions.enabledItems: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}:4.6
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.1.4
FF - prefs.js..extensions.enabledItems: [email protected]:7
FF - prefs.js..network.proxy.no_proxies_on: "*.local"

FF - HKLM\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\ [2010/07/05 20:00:44 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn\ [2010/05/06 03:06:39 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/05/07 22:52:01 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/07 22:51:56 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/01 06:40:40 | 000,000,000 | ---D | M]

[2010/05/14 17:46:15 | 000,000,000 | ---D | M] -- C:\Users\Introfeel\AppData\Roaming\Mozilla\Extensions
[2010/05/14 17:46:15 | 000,000,000 | ---D | M] -- C:\Users\Introfeel\AppData\Roaming\Mozilla\Extensions\[email protected]
[2010/05/07 20:38:32 | 000,000,000 | ---D | M] -- C:\Users\Introfeel\AppData\Roaming\Mozilla\Firefox\Profiles\jq6w6nho.default\extensions
[2010/05/07 20:38:32 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Introfeel\AppData\Roaming\Mozilla\Firefox\Profiles\jq6w6nho.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/05/07 20:38:32 | 000,000,000 | ---D | M] -- C:\Users\Introfeel\AppData\Roaming\Mozilla\Firefox\Profiles\jq6w6nho.default\extensions\staged-xpis
[2010/05/08 09:44:36 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/05/07 20:34:23 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Program Files\Mozilla Firefox\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2010/05/07 21:54:29 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/05/07 21:53:23 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/07/21 15:18:06 | 000,414,821 | R--- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 14326 more lines...
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (PC Tools Browser Guard BHO) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\coieplg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ipsbho.dll (Symantec Corporation)
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\coieplg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\coieplg.dll (Symantec Corporation)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe (Hewlett-Packard)
O4 - HKLM..\Run: [V0270Mon.exe] C:\Windows\V0270Mon.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [eFax 4.4] C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe (j2 Global Communications, Inc.)
O4 - HKCU..\Run: [googletalk] C:\Users\Introfeel\AppData\Roaming\Google\Google Talk\googletalk.exe (Google)
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Users\Introfeel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eFax 4.4.lnk = C:\Program Files\eFax Messenger 4.4\J2GTray.exe (j2 Global Communications, Inc.)
O4 - Startup: C:\Users\Introfeel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (Lime Wire, LLC)
O4 - Startup: C:\Users\Introfeel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O13 - gopher Prefix: missing
O16 - DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} http://h50203.www5.h...SWebManager.CAB (Hewlett-Packard Printer Diagnostics)
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.h...tDetection2.cab (GMNRev Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} http://www.hp.com/cp...ddObjSigned.cab (HPSDDX Class)
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} http://tools.ebayimg...l_v1-0-31-0.cab (EPUImageControl Class)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://cirrusevents...br/ieatgpc1.cab (GpcContainer Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - File not found
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

Drivers32: aux - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midi - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midimapper - C:\Windows\System32\midimap.dll (Microsoft Corporation)
Drivers32: mixer - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: msacm.imaadpcm - C:\Windows\System32\imaadp32.acm (Microsoft Corporation)
Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.msadpcm - C:\Windows\System32\msadp32.acm (Microsoft Corporation)
Drivers32: msacm.msg711 - C:\Windows\System32\msg711.acm (Microsoft Corporation)
Drivers32: msacm.msgsm610 - C:\Windows\System32\msgsm32.acm (Microsoft Corporation)
Drivers32: msacm.siren - C:\Windows\System32\sirenacm.dll (Microsoft Corporation)
Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.i420 - C:\Windows\System32\iyuv_32.dll (Microsoft Corporation)
Drivers32: VIDC.IYUV - C:\Windows\System32\iyuv_32.dll (Microsoft Corporation)
Drivers32: vidc.mrle - C:\Windows\System32\msrle32.dll (Microsoft Corporation)
Drivers32: vidc.msvc - C:\Windows\System32\msvidc32.dll (Microsoft Corporation)
Drivers32: VIDC.UYVY - C:\Windows\System32\msyuv.dll (Microsoft Corporation)
Drivers32: VIDC.YUY2 - C:\Windows\System32\msyuv.dll (Microsoft Corporation)
Drivers32: VIDC.YVU9 - C:\Windows\System32\tsbyuv.dll (Microsoft Corporation)
Drivers32: VIDC.YVYU - C:\Windows\System32\msyuv.dll (Microsoft Corporation)
Drivers32: wave - C:\Windows\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: wavemapper - C:\Windows\System32\msacm32.drv (Microsoft Corporation)

CREATERESTOREPOINT
Error creating restore point.

========== Files/Folders - Created Within 30 Days ==========

[2010/07/23 15:59:38 | 000,000,000 | ---D | C] -- C:\Users\Introfeel\Desktop\gmer
[2010/07/23 15:57:29 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Users\Introfeel\Desktop\OTL.exe
[2010/07/23 11:42:11 | 001,652,664 | ---- | C] (Threat Expert Ltd.) -- C:\Windows\PCTBDCore.dll
[2010/07/23 11:42:11 | 000,165,840 | ---- | C] (Threat Expert Ltd.) -- C:\Windows\PCTBDRes.dll
[2010/07/23 11:42:11 | 000,149,456 | ---- | C] (PC Tools) -- C:\Windows\SGDetectionTool.dll
[2010/07/23 11:36:32 | 000,233,136 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctgntdi.sys
[2010/07/23 11:36:32 | 000,100,136 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctwfpfilter.sys
[2010/07/23 11:36:20 | 000,218,592 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\PCTCore.sys
[2010/07/23 11:36:20 | 000,088,040 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\PCTAppEvent.sys
[2010/07/23 11:36:05 | 000,063,360 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\pctplsg.sys
[2010/07/23 11:35:56 | 000,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor
[2010/07/23 11:35:56 | 000,000,000 | ---D | C] -- C:\Users\Introfeel\AppData\Roaming\PC Tools
[2010/07/23 11:35:56 | 000,000,000 | ---D | C] -- C:\ProgramData\PC Tools
[2010/07/23 11:35:56 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2010/07/23 11:35:35 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2010/07/22 17:23:51 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/07/22 16:55:22 | 000,000,000 | ---D | C] -- C:\Users\Introfeel\AppData\Roaming\vlc
[2010/07/21 17:11:31 | 000,000,000 | ---D | C] -- C:\Users\Introfeel\AppData\Roaming\Creative
[2010/07/17 16:48:19 | 000,000,000 | ---D | C] -- C:\Users\Introfeel\Documents\AIDS
[2010/07/15 20:16:40 | 000,000,000 | ---D | C] -- C:\Windows\System32\MKDE
[2010/07/12 00:52:18 | 000,000,000 | ---D | C] -- C:\Program Files\IDI Magic
[2010/07/10 06:29:26 | 000,000,000 | ---D | C] -- C:\Program Files\Cherry Red Casino
[2010/07/07 06:57:13 | 000,000,000 | ---D | C] -- C:\Windows\System32\WindowsPowerShell
[2010/07/07 06:56:00 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winrsmgr.dll
[2010/07/07 06:55:49 | 000,040,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winrs.exe
[2010/07/07 06:55:49 | 000,020,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winrshost.exe
[2010/07/07 06:55:49 | 000,012,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wsmprovhost.exe
[2010/07/07 06:55:48 | 000,010,240 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wsmplpxy.dll
[2010/07/07 06:55:48 | 000,010,240 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winrssrv.dll
[2010/07/07 06:55:47 | 000,081,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wevtfwd.dll
[2010/07/07 06:55:47 | 000,079,872 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wecutil.exe
[2010/07/07 06:55:47 | 000,056,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wecapi.dll
[2010/07/07 06:55:47 | 000,054,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WsmRes.dll
[2010/07/07 06:55:47 | 000,041,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\pwrshplugin.dll
[2010/07/07 06:55:44 | 000,252,416 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WSManMigrationPlugin.dll
[2010/07/07 06:55:44 | 000,246,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WSManHTTPConfig.exe
[2010/07/07 06:55:44 | 000,241,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winrscmd.dll
[2010/07/07 06:55:44 | 000,214,016 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WsmWmiPl.dll
[2010/07/07 06:55:44 | 000,145,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WsmAuto.dll
[2010/07/03 11:57:11 | 000,000,000 | ---D | C] -- C:\Users\Introfeel\Documents\Gamble
[2010/06/30 15:52:51 | 000,000,000 | ---D | C] -- C:\Users\Introfeel\Documents\Forex
[2010/06/27 16:15:01 | 000,000,000 | ---D | C] -- C:\Users\Introfeel\AppData\Roaming\Google
[2010/06/26 15:51:56 | 000,000,000 | ---D | C] -- C:\Program Files\Rushmore Casino
[2010/06/26 06:36:13 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET

========== Files - Modified Within 30 Days ==========

[2010/07/23 16:08:08 | 006,815,744 | -HS- | M] () -- C:\Users\Introfeel\NTUSER.DAT
[2010/07/23 15:59:24 | 000,284,915 | ---- | M] () -- C:\Users\Introfeel\Desktop\gmer.zip
[2010/07/23 15:57:32 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\Introfeel\Desktop\OTL.exe
[2010/07/23 15:31:00 | 000,000,924 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-939453163-656404264-1916229718-1000UA.job
[2010/07/23 15:27:44 | 000,003,664 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/07/23 15:27:44 | 000,003,664 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/07/23 12:04:57 | 000,000,226 | ---- | M] () -- C:\Users\Introfeel\Desktop\backdoor.tidserv!inf removal - Geeks to Go!.url
[2010/07/23 11:36:11 | 000,001,761 | ---- | M] () -- C:\Users\Public\Desktop\Spyware Doctor.lnk
[2010/07/23 11:27:45 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/07/23 11:27:42 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/07/23 11:27:41 | 2134,069,248 | -HS- | M] () -- C:\hiberfil.sys
[2010/07/23 11:15:57 | 000,524,288 | -HS- | M] () -- C:\Users\Introfeel\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
[2010/07/23 11:15:57 | 000,065,536 | -HS- | M] () -- C:\Users\Introfeel\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2010/07/23 11:09:30 | 000,126,920 | ---- | M] () -- C:\Windows\hppins01.dat
[2010/07/23 11:08:19 | 000,000,179 | ---- | M] () -- C:\Windows\win.ini
[2010/07/23 11:06:04 | 002,161,116 | -H-- | M] () -- C:\Users\Introfeel\AppData\Local\IconCache.db
[2010/07/23 11:05:47 | 000,000,235 | ---- | M] () -- C:\Users\Introfeel\Desktop\Backdoor.Tidserv Removal - Removing Help Symantec.url
[2010/07/23 11:03:30 | 000,715,876 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/07/23 11:03:30 | 000,612,592 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/07/23 11:03:30 | 000,107,654 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/07/22 17:31:00 | 000,000,872 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-939453163-656404264-1916229718-1000Core.job
[2010/07/22 17:24:34 | 000,001,804 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2010/07/22 16:55:15 | 000,000,861 | ---- | M] () -- C:\Users\Public\Desktop\VLC media player.lnk
[2010/07/22 16:53:48 | 019,473,201 | ---- | M] () -- C:\Users\Introfeel\Documents\vlc-1.1.1-win32.exe
[2010/07/22 12:17:45 | 000,000,194 | ---- | M] () -- C:\Users\Introfeel\Desktop\Spiritual Warfare.url
[2010/07/22 12:15:05 | 000,000,178 | ---- | M] () -- C:\Users\Introfeel\Desktop\Fire and Ice.url
[2010/07/21 15:18:06 | 000,414,821 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/07/20 08:49:23 | 000,003,072 | ---- | M] () -- C:\Users\Introfeel\AppData\Roaming\wklnhst.dat
[2010/07/19 19:11:01 | 000,767,928 | ---- | M] () -- C:\Windows\BDTSupport.dll
[2010/07/16 12:25:04 | 000,412,221 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts.20100721-151806.backup
[2010/07/15 20:16:46 | 000,001,946 | ---- | M] () -- C:\Users\Public\Desktop\Federal Money Retriever.lnk
[2010/07/14 20:38:09 | 000,000,283 | ---- | M] () -- C:\Users\Introfeel\Desktop\Upscale Gourmet Food Emporium - NJ Business for sale in New Jersey on BizBuySell.url
[2010/07/13 06:10:56 | 000,196,648 | ---- | M] () -- C:\Users\Introfeel\Documents\Forgiveness Student Loan.pdf
[2010/07/12 18:10:19 | 000,000,193 | ---- | M] () -- C:\Users\Introfeel\Desktop\Gourmet Food Emporium Business For Sale In New York City Area, New York GlobalBX.url
[2010/07/12 01:26:57 | 000,000,210 | ---- | M] () -- C:\Users\Introfeel\Desktop\8(a) Small Business Application.url
[2010/07/12 01:26:41 | 000,000,188 | ---- | M] () -- C:\Users\Introfeel\Desktop\Small Business Assessment Tool (SBAT).url
[2010/07/11 19:25:22 | 000,000,459 | ---- | M] () -- C:\Users\Introfeel\Desktop\United Starseed Federation - Uniting Starseeds, Walk-Ins and Lightworkers with Their Home Worlds!.url
[2010/07/10 12:06:28 | 000,001,703 | ---- | M] () -- C:\Users\Introfeel\Desktop\Rushmore Casino.lnk
[2010/07/10 08:00:35 | 000,041,472 | ---- | M] () -- C:\Users\Introfeel\Desktop\Cherry-Red-Authorization-Form[1].doc
[2010/07/10 06:30:03 | 000,001,725 | ---- | M] () -- C:\Users\Introfeel\Desktop\Cherry Red Casino.lnk
[2010/07/06 19:37:42 | 000,001,854 | ---- | M] () -- C:\Users\Introfeel\Application Data\Microsoft\Internet Explorer\Quick Launch\Yahoo! Messenger.lnk
[2010/07/06 19:37:42 | 000,001,830 | ---- | M] () -- C:\Users\Public\Desktop\Yahoo! Messenger.lnk
[2010/07/05 18:48:04 | 000,000,207 | ---- | M] () -- C:\Users\Introfeel\Desktop\European Roulette - Play for free at PokerLoco online casino.url
[2010/07/05 12:36:20 | 000,000,000 | ---- | M] () -- C:\Users\Introfeel\Documents\How_To_Make_Money_Online_Without_spending_a_dime.pdf
[2010/07/04 22:01:20 | 000,000,124 | ---- | M] () -- C:\Users\Introfeel\Desktop\Joyce J Hurley on MySpace Music - Free Streaming MP3s, Pictures & Music Downloads.url
[2010/07/04 07:25:42 | 000,000,190 | ---- | M] () -- C:\Users\Introfeel\Desktop\iPetitions - Start a free online petition in minutes.url
[2010/07/02 03:32:49 | 000,002,064 | ---- | M] () -- C:\Users\Introfeel\Desktop\Google Chrome.lnk
[2010/07/02 03:32:49 | 000,002,026 | ---- | M] () -- C:\Users\Introfeel\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2010/07/01 15:12:36 | 000,114,688 | ---- | M] () -- C:\Users\Introfeel\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/07/01 06:40:41 | 000,001,889 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2010/06/30 21:26:12 | 019,495,102 | ---- | M] () -- C:\Users\Introfeel\Documents\vlc-1.1.0-win32.exe
[2010/06/26 15:03:54 | 007,846,251 | ---- | M] () -- C:\Users\Introfeel\Documents\alldayprofits_com.mht
[2010/06/26 07:21:30 | 000,061,071 | ---- | M] () -- C:\Users\Introfeel\Documents\Gambling.html

========== Files Created - No Company Name ==========

[2010/07/23 15:59:22 | 000,284,915 | ---- | C] () -- C:\Users\Introfeel\Desktop\gmer.zip
[2010/07/23 12:04:57 | 000,000,226 | ---- | C] () -- C:\Users\Introfeel\Desktop\backdoor.tidserv!inf removal - Geeks to Go!.url
[2010/07/23 11:42:11 | 001,152,444 | ---- | C] () -- C:\Windows\UDB.zip
[2010/07/23 11:42:11 | 000,767,952 | ---- | C] () -- C:\Windows\BDTSupport.dll.old
[2010/07/23 11:42:11 | 000,767,928 | ---- | C] () -- C:\Windows\BDTSupport.dll
[2010/07/23 11:42:11 | 000,000,882 | ---- | C] () -- C:\Windows\RegSDImport.xml
[2010/07/23 11:42:11 | 000,000,879 | ---- | C] () -- C:\Windows\RegISSImport.xml
[2010/07/23 11:42:11 | 000,000,131 | ---- | C] () -- C:\Windows\IDB.zip
[2010/07/23 11:36:32 | 000,007,387 | ---- | C] () -- C:\Windows\System32\drivers\pctgntdi.cat
[2010/07/23 11:36:20 | 000,007,412 | ---- | C] () -- C:\Windows\System32\drivers\PCTAppEvent.cat
[2010/07/23 11:36:20 | 000,007,383 | ---- | C] () -- C:\Windows\System32\drivers\pctcore.cat
[2010/07/23 11:36:10 | 000,001,761 | ---- | C] () -- C:\Users\Public\Desktop\Spyware Doctor.lnk
[2010/07/23 11:36:05 | 000,007,383 | ---- | C] () -- C:\Windows\System32\drivers\pctplsg.cat
[2010/07/23 11:05:47 | 000,000,235 | ---- | C] () -- C:\Users\Introfeel\Desktop\Backdoor.Tidserv Removal - Removing Help Symantec.url
[2010/07/23 06:13:30 | 2134,069,248 | -HS- | C] () -- C:\hiberfil.sys
[2010/07/22 17:24:34 | 000,001,804 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2010/07/22 16:55:14 | 000,000,861 | ---- | C] () -- C:\Users\Public\Desktop\VLC media player.lnk
[2010/07/22 16:53:30 | 019,473,201 | ---- | C] () -- C:\Users\Introfeel\Documents\vlc-1.1.1-win32.exe
[2010/07/15 20:16:46 | 000,001,946 | ---- | C] () -- C:\Users\Public\Desktop\Federal Money Retriever.lnk
[2010/07/14 20:38:09 | 000,000,283 | ---- | C] () -- C:\Users\Introfeel\Desktop\Upscale Gourmet Food Emporium - NJ Business for sale in New Jersey on BizBuySell.url
[2010/07/13 06:10:55 | 000,196,648 | ---- | C] () -- C:\Users\Introfeel\Documents\Forgiveness Student Loan.pdf
[2010/07/12 18:10:19 | 000,000,193 | ---- | C] () -- C:\Users\Introfeel\Desktop\Gourmet Food Emporium Business For Sale In New York City Area, New York GlobalBX.url
[2010/07/12 01:26:57 | 000,000,210 | ---- | C] () -- C:\Users\Introfeel\Desktop\8(a) Small Business Application.url
[2010/07/12 01:26:41 | 000,000,188 | ---- | C] () -- C:\Users\Introfeel\Desktop\Small Business Assessment Tool (SBAT).url
[2010/07/10 12:06:27 | 000,001,703 | ---- | C] () -- C:\Users\Introfeel\Desktop\Rushmore Casino.lnk
[2010/07/10 08:00:33 | 000,041,472 | ---- | C] () -- C:\Users\Introfeel\Desktop\Cherry-Red-Authorization-Form[1].doc
[2010/07/10 06:30:02 | 000,001,725 | ---- | C] () -- C:\Users\Introfeel\Desktop\Cherry Red Casino.lnk
[2010/07/07 06:55:45 | 000,201,184 | ---- | C] () -- C:\Windows\System32\winrm.vbs
[2010/07/07 06:55:45 | 000,002,426 | ---- | C] () -- C:\Windows\System32\WsmTxt.xsl
[2010/07/07 06:55:44 | 000,004,675 | ---- | C] () -- C:\Windows\System32\wsmanconfig_schema.xml
[2010/07/06 19:37:42 | 000,001,830 | ---- | C] () -- C:\Users\Public\Desktop\Yahoo! Messenger.lnk
[2010/07/06 19:37:41 | 000,001,854 | ---- | C] () -- C:\Users\Introfeel\Application Data\Microsoft\Internet Explorer\Quick Launch\Yahoo! Messenger.lnk
[2010/07/05 12:36:19 | 000,000,000 | ---- | C] () -- C:\Users\Introfeel\Documents\How_To_Make_Money_Online_Without_spending_a_dime.pdf
[2010/07/04 22:01:20 | 000,000,124 | ---- | C] () -- C:\Users\Introfeel\Desktop\Joyce J Hurley on MySpace Music - Free Streaming MP3s, Pictures & Music Downloads.url
[2010/07/01 06:40:40 | 000,001,889 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2010/06/30 21:25:42 | 019,495,102 | ---- | C] () -- C:\Users\Introfeel\Documents\vlc-1.1.0-win32.exe
[2010/06/26 15:03:53 | 007,846,251 | ---- | C] () -- C:\Users\Introfeel\Documents\alldayprofits_com.mht
[2010/06/26 14:25:02 | 000,000,207 | ---- | C] () -- C:\Users\Introfeel\Desktop\European Roulette - Play for free at PokerLoco online casino.url
[2010/06/26 07:21:28 | 000,061,071 | ---- | C] () -- C:\Users\Introfeel\Documents\Gambling.html
[2010/06/11 20:19:03 | 000,000,000 | ---- | C] () -- C:\Windows\HPMProp.INI
[2010/05/09 06:39:05 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2010/05/06 12:32:33 | 000,056,056 | ---- | C] () -- C:\Windows\System32\DLAAPI_W.DLL
[2010/05/06 12:32:29 | 000,000,118 | ---- | C] () -- C:\Windows\wininit.ini
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2008/02/13 12:54:52 | 000,467,001 | R--- | C] () -- C:\Windows\System32\W3MKDE.DLL
[2008/02/13 12:54:52 | 000,061,499 | R--- | C] () -- C:\Windows\System32\W3MKDERC.DLL
[2008/02/11 19:55:18 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1437.dll
[2008/01/14 17:47:06 | 000,099,712 | ---- | C] () -- C:\Windows\HPBroker.dll
[2007/08/06 18:22:15 | 000,000,000 | ---- | C] () -- C:\Windows\System32\px.ini
[2006/11/02 07:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/09/16 23:36:50 | 000,520,192 | ---- | C] () -- C:\Windows\System32\CddbPlaylist2Roxio.dll
[2006/09/16 23:36:50 | 000,204,800 | ---- | C] () -- C:\Windows\System32\CddbFileTaggerRoxio.dll
[2005/02/03 11:31:00 | 000,032,768 | ---- | C] () -- C:\Windows\System32\compJNI.dll
[2004/08/20 07:02:52 | 000,102,400 | ---- | C] () -- C:\Windows\System32\PMLJNI.dll
[2001/07/07 04:00:00 | 000,003,399 | ---- | C] () -- C:\Windows\System32\hptcpmon.ini
[2001/03/28 12:37:14 | 000,000,033 | ---- | C] () -- C:\Windows\hppcap.ini

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2006/09/18 16:43:36 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
[2009/12/09 17:25:27 | 007,306,434 | ---- | M] () -- C:\Ben Harper & Ziggy Marley - Could You Be Love (Live Bob Marley Cover).mp3
[2009/04/11 01:36:36 | 000,333,257 | RHS- | M] () -- C:\bootmgr
[2010/05/05 21:38:08 | 000,008,192 | R-S- | M] () -- C:\BOOTSECT.BAK
[2009/12/09 17:25:33 | 005,571,022 | ---- | M] () -- C:\Brothers Keepers - Ziggy Marley, Bunny Wailer, Buju Banton, Damian 'Junior Gong' Marley, Morgan Heri.mp3
[2006/09/18 16:43:37 | 000,000,010 | ---- | M] () -- C:\config.sys
[2009/12/09 17:42:04 | 005,412,699 | ---- | M] () -- C:\Confunkshun - Chase Me.mp3
[2009/12/09 17:36:54 | 004,722,278 | ---- | M] () -- C:\confunktion - fun fun fun.mp3
[2008/04/03 20:31:27 | 000,004,512 | RH-- | M] () -- C:\dell.sdr
[2009/12/09 17:25:50 | 005,135,883 | ---- | M] () -- C:\Erykah Badu and Ziggy Marley - In Love With You.mp3
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1028.txt
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1031.txt
[2007/11/07 09:00:40 | 000,010,134 | ---- | M] () -- C:\eula.1033.txt
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1036.txt
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1040.txt
[2007/11/07 09:00:40 | 000,000,118 | ---- | M] () -- C:\eula.1041.txt
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1042.txt
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.2052.txt
[2007/11/07 09:00:40 | 000,017,734 | ---- | M] () -- C:\eula.3082.txt
[2010/07/23 11:27:41 | 2134,069,248 | -HS- | M] () -- C:\hiberfil.sys
[2008/11/02 00:31:20 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/02/17 21:00:06 | 000,002,405 | -H-- | M] () -- C:\IPH.PH
[2008/11/02 00:31:20 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2008/11/06 12:45:42 | 000,000,826 | ---- | M] () -- C:\net_save.dna
[2010/07/23 11:27:40 | 2449,948,672 | -HS- | M] () -- C:\pagefile.sys
[2009/07/28 13:25:10 | 000,000,909 | ---- | M] () -- C:\updatedatfix.log
[2007/11/07 09:00:40 | 000,005,686 | ---- | M] () -- C:\vcredist.bmp
[2007/11/07 09:09:22 | 001,442,522 | ---- | M] () -- C:\VC_RED.cab
[2009/02/14 23:04:31 | 000,000,037 | ---- | M] () -- C:\wizard.txt
[2008/11/17 07:36:28 | 000,000,158 | ---- | M] () -- C:\YServer.txt

< %systemroot%\system32\*.wt >

< %systemroot%\system32\*.ruy >

< %systemroot%\Fonts\*.com >
[2006/11/02 07:37:12 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
[2006/11/02 07:37:12 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
[2006/11/02 07:37:12 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
[2010/05/11 13:29:48 | 000,037,665 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2006/09/18 16:37:34 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2010/05/01 17:54:54 | 000,302,080 | ---- | M] (Hewlett-Packard Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\hpcpp104.dll
[2007/01/25 13:24:04 | 000,286,208 | ---- | M] (Hewlett-Packard Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\hpzpp4wm.dll
[2008/01/19 02:34:28 | 000,089,600 | ---- | M] (Hewlett-Packard Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\HPZPPLHN.DLL
[2006/11/02 07:35:48 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\jnwppr.dll

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.scr >
[2009/07/10 12:15:46 | 000,306,544 | ---- | M] (Microsoft Corporation) -- C:\Windows\WLXPGSS.SCR

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >
[2010/05/08 20:52:00 | 000,000,174 | -HS- | M] () -- C:\Program Files\desktop.ini

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2006/11/02 04:46:04 | 000,380,957 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\expsrv.dll
[2009/04/11 01:27:47 | 000,241,128 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rsaenh.dll
[2009/04/11 01:28:23 | 000,228,352 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\SLC.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2006/11/02 05:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
[2006/11/02 05:34:05 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
[2006/11/02 05:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
[2006/11/02 05:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
[2006/11/02 05:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

< %systemroot%\system32\user32.dll /md5 >
[2009/04/11 01:28:25 | 000,627,712 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\user32.dll

< %systemroot%\system32\ws2_32.dll /md5 >
[2008/01/19 02:37:09 | 000,179,200 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\ws2_32.dll

< %systemroot%\system32\ws2help.dll /md5 >
[2006/11/02 04:44:30 | 000,004,608 | ---- | M] (Microsoft Corporation) MD5=17C0671BF57057108A6D949510EE42C8 -- C:\Windows\System32\ws2help.dll

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-07-23 08:02:58

< >

========== Alternate Data Streams ==========

@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\zeytinia package:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\Untitled 1_html_m1fdd0ba3.jpg:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\sorry_im_stupid.JPG:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\Rudejam:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\Ressurrection Financing:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\reshack[1]:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\programs:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\PL2303_Prolific_DriverInstaller_10311[1]:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\P2160088 justice..jpg:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\old documents:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\MySpaceIM Pics:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\My Scans:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\my roboform data:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\My Received Files:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\My Dick.jpeg.jpg:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\Manly_P._Hall_-_Man__Grand_Symbol_of_the_Mysteries:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\LoopNet - The Gary Portfolio, Garden-Low-Rise, 2002 Hanley Street, Gary, IN_files:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\live! cam center:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\LimeWire:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\joycehurley-04.m3u:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\Hypnotherapy Skillas:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\hypnotherapy a a:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\Grocery Store:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\Gamble:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\FRANK SHAFT Booty_Studio_-_4-Scene-4_ipod.mp4:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\FRANK SHAFT Booty_Studio_-_3-Scene-4_ipod.mp4:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\Forex:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\FLAC_frontend[1]:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\FLAC_frontend:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\eFax Messenger 4.4:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\Downloads:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\chakra balancing:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\Blogs:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\AIDS:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\Adeel:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\acquisition_of_rental_property_broker_2009_1_[1]:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Documents\3568_ResHack[1]:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Desktop\OpenOffice.org 3.2 (en-US) Installation Files:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Desktop\Monica Main:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Desktop\How to Turn a Few Dollars Into Billions:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Desktop\gmer:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Desktop\Free Ads:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Introfeel\Desktop\eugene:Roxio EMC Stream
@Alternate Data Stream - 158 bytes -> C:\ProgramData\TEMP:DFC5A2B2
@Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:A8ADE5D8
< End of report >
  • 0

#5
hammerman

    Member 4k

  • Member
  • 4,183 posts
Hi,

Can you post the Extras.txt log and do you have the GMER log?
  • 0

#6
Introfeel

    Member

  • Topic Starter
  • Member
  • 24 posts
OTL Extras logfile created on: 7/23/2010 4:05:51 PM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Users\Introfeel\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18928)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 55.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 72.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 455.71 Gb Total Space | 326.98 Gb Free Space | 71.75% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 6.03 Gb Free Space | 60.25% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: POINDEXTER
Current User Name: Introfeel
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{D3E6C177-9DA0-449D-BADF-80D3944F2BAD}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{D8CC37E6-904B-44DF-AB57-913AC70C2234}" = lport=2869 | protocol=6 | dir=in | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{177AF48A-BE20-408A-867F-28B6439DA026}" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"{4730945A-652C-4B06-9A37-E280ECB62951}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{5CED6E07-8C00-4C21-BDF5-90E333904555}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{611C620B-1F8D-4BDB-9584-FE15E83508E9}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{6D0E4978-CD69-4C24-8EBF-BAB707656E94}" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{7EF0BBF9-F4E6-42CA-9787-165A474AD203}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{9666599A-75B6-43C8-B30C-4661945541CA}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{A1A6B532-F503-4B67-B57D-93EF12DABBD3}" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |
"{D8E4CF52-3FBF-4E96-8931-439740EA6CD1}" = dir=in | app=c:\program files\windows live\sync\windowslivesync.exe |
"{DE8A0897-DBEA-4B96-9091-AD6017E217D5}" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{F135BF59-FC6E-4800-96EC-7C166592D03A}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
"{0B023593-E50E-4B7F-868A-68553D8DFAF5}" = hppscan2800
"{0BEA216B-D17C-47E1-A932-0289D54F35F1}" = hppScanTo
"{0CB9668D-F979-4F31-B8B8-67FE90F929F8}" = Bonjour
"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{1746EA69-DCB6-4408-B5A5-E75F55439CDF}" = Scan
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{179C56A4-F57F-4561-8BBF-F911D26EB435}" = WebReg
"{1F803ABC-CAA5-4E5D-AE72-D7248E185BBC}" = Federal Money Retriever®
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216018F0}" = Java™ 6 Update 18
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java™ 6 Update 20
"{26B878A8-5704-3B64-BDBC-4F0EACA38121}" = Google Talk Plugin
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{2F471509-1144-4997-8E22-6F19496723BA}" = hppTLBX2840Help
"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{36FDBE6E-6684-462B-AE98-9A39A1B200CC}" = HP Product Assistant
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3D5044A5-97B8-45C0-B956-BB2376569188}" = Windows Live Movie Maker
"{42929F0F-CE14-47AF-9FC7-FF297A603021}" = Dell Resource CD
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{49F2B650-2D7B-4F59-B33D-346F63776BD3}" = DocProc
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{57DA304D-27B0-40D1-A796-92CEFF20FA32}" = hppIOFiles
"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{67D3F1A0-A1F2-49b7-B9EE-011277B170CD}" = HPProductAssistant
"{6ADD0603-16EF-400D-9F9E-486432835002}" = OpenOffice.org 3.2
"{6B72304B-8204-4819-ABE4-3837485D1BF8}" = hppFaxDrv
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{70B0459A-6BFB-45B4-AF97-3799B8FE8A10}" = hppTooCool
"{777CA40C-0206-4EF6-A0FC-618BF06BF8D0}" = Intel® PRO Network Connections 12.1.11.0
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{85991ED2-010C-4930-96FA-52F43C2CE98A}" = Apple Mobile Device Support
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{91F7F3F3-CE80-48C3-8327-7D24A0A5716A}" = iTunes
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95D08F4E-DFC2-4ce3-ACB7-8C8E206217E9}" = MarketResearch
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9B1FD9CE-0776-4f0b-A6F5-C6AB7B650CDF}" = Destinations
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A36CD345-625C-4d6c-B3E2-76E1248CB451}" = SolutionCenter
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.3
"{AD8CD806-45C6-4A8C-95B5-4C55778FEBEB}" = hppSendFax
"{AFAC914D-9E83-4A89-8ABE-427521C82CCF}" = Safari
"{B0069CFA-5BB9-4C03-B1C6-89CE290E5AFE}" = HP Update
"{B13F9676-15B9-4F5D-9FF3-C3CC56BAC641}" = hppCLJ2800
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B2D328BE-45AD-4D92-96F9-2151490A203E}" = Apple Application Support
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B8910E04-E0A0-4FC4-9E0A-E8259239F10E}" = hppTLBX2840
"{BE77A81F-B315-4666-9BF3-AE70C0ADB057}" = BufferChm
"{BFE903DE-4845-4387-9C6C-98B21B8445A3}" = GMATPrep™
"{C2F34782-CE15-4524-951D-75204560F75A}" = hppDustDevil
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{C861921A-E002-498F-9800-153CCBABB9C9}" = 32 Bit HP CIO Components Installer
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
"{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}" = HP Product Detection
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D639085F-4B6E-4105-9F37-A0DBB023E2FB}" = Roxio MyDVD DE
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{D8AC1EB5-E8B0-44A0-B113-899407188A2F}" = hppFonts
"{DF6DA606-904D-4C18-823F-A4CFC3035E53}" = eFax Messenger
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F423FA4E-D2BC-4FE4-B8F9-1BFC26A5DE9C}" = hppManuals2800
"{F4F4F84E-804F-4E9A-84D7-C34283F0088F}" = RealUpgrade 1.0
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F8131A35-47FD-27AD-116D-0E79AF5DE5EE}" = Acrobat.com
"{FF075778-6E50-47ed-991D-3B07FD4E3250}" = TrayApp
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Advanced Video FX Engine" = Advanced Video FX Engine
"Browser Defender_is1" = Browser Defender 2.0.6.15
"Cherry Red Casino" = Cherry Red Casino
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1" = Conexant D850 PCI V.92 Modem
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Creative Live! Cam Center" = Creative Live! Cam Center
"Creative VF0270" = Creative Live! Cam Optia Driver (1.03.01.0000)
"FLAC" = FLAC 1.2.1b (remove only)
"HDMI" = Intel® Graphics Media Accelerator Driver
"HP Color LaserJet 2820/2830/2840" = HP Color LaserJet 2820/2830/2840 3.1
"HP Imaging Device Functions" = HP Imaging Device Functions 8.0
"HP Solution Center & Imaging Support Tools" = HP Solution Center 8.0
"HPExtendedCapabilities" = HP Customer Participation Program 8.0
"HPOCR" = HP OCR Software 8.0
"LimeWire" = LimeWire 5.5.8
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"N360" = Norton Security Suite
"PeerGuardian_is1" = PeerGuardian 2.0
"PROSetDX" = Intel® PRO Network Connections 12.1.11.0
"RealPlayer 12.0" = RealPlayer
"Rushmore Casino" = Rushmore Casino
"Spyware Doctor" = Spyware Doctor 7.0
"uTorrent" = µTorrent
"VLC media player" = VLC media player 1.1.1
"WinLiveSuite_Wave3" = Windows Live Essentials
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Software Update" = Yahoo! Software Update

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{226b64e8-dc75-4eea-a6c8-abcb496320f2}-Google Talk" = Google Talk (remove only)
"Google Chrome" = Google Chrome
"Move Media Player" = Move Media Player
"Yahoo! BrowserPlus" = Yahoo! BrowserPlus 2.9.2

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 7/23/2010 4:02:56 AM | Computer Name = Poindexter | Source = MsiInstaller | ID = 11606
Description =

Error - 7/23/2010 4:02:56 AM | Computer Name = Poindexter | Source = MsiInstaller | ID = 11606
Description =

Error - 7/23/2010 4:02:57 AM | Computer Name = Poindexter | Source = MsiInstaller | ID = 1023
Description =

Error - 7/23/2010 7:00:23 AM | Computer Name = Poindexter | Source = EventSystem | ID = 4609
Description =

Error - 7/23/2010 12:35:38 PM | Computer Name = Poindexter | Source = Perflib | ID = 1010
Description =

Error - 7/23/2010 12:35:39 PM | Computer Name = Poindexter | Source = Perflib | ID = 1008
Description =

Error - 7/23/2010 12:35:39 PM | Computer Name = Poindexter | Source = Perflib | ID = 1005
Description =

Error - 7/23/2010 12:35:39 PM | Computer Name = Poindexter | Source = Perflib | ID = 1017
Description =

Error - 7/23/2010 12:42:19 PM | Computer Name = Poindexter | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 7/23/2010 12:42:21 PM | Computer Name = Poindexter | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

[ System Events ]
Error - 5/8/2010 10:06:19 AM | Computer Name = Poindexter | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description =

Error - 5/8/2010 7:57:07 PM | Computer Name = Poindexter | Source = DCOM | ID = 10000
Description =

Error - 5/8/2010 7:57:16 PM | Computer Name = Poindexter | Source = DCOM | ID = 10016
Description =

Error - 5/8/2010 7:57:16 PM | Computer Name = Poindexter | Source = DCOM | ID = 10016
Description =

Error - 5/8/2010 7:57:16 PM | Computer Name = Poindexter | Source = DCOM | ID = 10016
Description =

Error - 5/8/2010 7:57:16 PM | Computer Name = Poindexter | Source = DCOM | ID = 10016
Description =

Error - 5/8/2010 9:32:22 PM | Computer Name = Poindexter | Source = DCOM | ID = 10010
Description =

Error - 5/8/2010 9:47:02 PM | Computer Name = Poindexter | Source = HTTP | ID = 15016
Description =

Error - 5/8/2010 9:51:49 PM | Computer Name = Poindexter | Source = Microsoft-Windows-Eventlog | ID = 30
Description =

Error - 5/9/2010 7:13:15 AM | Computer Name = Poindexter | Source = HTTP | ID = 15016
Description =


< End of report >
  • 0

#7
Introfeel

Introfeel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
I ran Gmer. It took over 12 hours to scan, and then when I pushed OK as per your instructions the program disappeared and my computer froze up. I had to shut down my computer, and when I restarted it Windows had to check for disk integrity. Please don't ask me to use this program again. There must be another way.
  • 0

#8
hammerman

hammerman

    Member 4k

  • Member
  • PipPipPipPipPipPipPip
  • 4,183 posts
Hi,

Please follow these steps.

-- Step 1 --

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent malware removal tools from fixing certain things.
Please disable TeaTimer for now until you are clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.

-- Step 2 --

Download TDSSKiller and save it to your Desktop.

  • Extract the file and run it.
  • Once completed it will create a log in the root directory (usually C:\).
  • Please post the contents of that log in your next reply.

-- Step 3 --

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
  • 0

#9
Introfeel

Introfeel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
TDSSKiller produced zero results. There was nothing to copy.

Here is the log from the second scan:

ComboFix 10-07-23.04 - Introfeel 07/24/2010 11:47:55.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2036.922 [GMT -5:00]
Running from: c:\users\Introfeel\Desktop\ComboFix.exe
AV: Norton Security Suite *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: Norton Security Suite *enabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\%appdata%

.
((((((((((((((((((((((((( Files Created from 2010-06-24 to 2010-07-24 )))))))))))))))))))))))))))))))
.

2010-07-24 16:58 . 2010-07-24 16:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-23 16:35 . 2010-07-23 16:35 -------- d-----w- c:\users\Introfeel\AppData\Roaming\PC Tools
2010-07-23 16:35 . 2010-07-23 16:35 -------- d-----w- c:\programdata\PC Tools
2010-07-22 22:23 . 2010-07-22 22:23 -------- d-----w- c:\program files\iPod
2010-07-22 21:55 . 2010-07-22 21:58 -------- d-----w- c:\users\Introfeel\AppData\Roaming\vlc
2010-07-21 22:11 . 2010-07-21 22:11 -------- d-----w- c:\users\Introfeel\AppData\Roaming\Creative
2010-07-12 05:52 . 2010-07-12 05:52 -------- d-----w- c:\program files\IDI Magic
2010-07-12 01:12 . 2010-07-12 01:12 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\CrashDumps
2010-07-10 11:29 . 2010-07-10 11:34 -------- d-----w- c:\program files\Cherry Red Casino
2010-07-07 11:56 . 2009-10-09 21:56 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2010-06-26 20:51 . 2010-07-14 20:40 -------- d-----w- c:\program files\Rushmore Casino
2010-06-26 11:36 . 2010-06-26 11:36 -------- d-----w- c:\program files\Microsoft.NET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-24 17:01 . 2010-05-14 22:45 -------- d-----w- c:\users\Introfeel\AppData\Roaming\LimeWire
2010-07-23 16:51 . 2010-07-23 16:35 -------- d-----w- c:\program files\Spyware Doctor
2010-07-23 16:42 . 2010-07-23 16:35 -------- d-----w- c:\program files\Common Files\PC Tools
2010-07-23 16:09 . 2010-05-15 23:22 126920 ----a-w- c:\windows\hppins01.dat
2010-07-22 23:05 . 2010-05-06 17:29 -------- d-----w- c:\programdata\Roxio
2010-07-22 22:24 . 2010-05-07 05:52 -------- d-----w- c:\program files\iTunes
2010-07-22 22:23 . 2010-05-07 05:45 -------- d-----w- c:\program files\Common Files\Apple
2010-07-20 13:49 . 2010-05-06 19:43 3072 ----a-w- c:\users\Introfeel\AppData\Roaming\wklnhst.dat
2010-07-20 00:11 . 2010-07-23 16:42 767928 ----a-w- c:\windows\BDTSupport.dll
2010-07-19 07:26 . 2010-07-23 16:42 192 ----a-w- c:\windows\UDB.zip
2010-07-19 07:26 . 2010-07-23 16:42 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-07-19 07:26 . 2010-07-23 16:42 264144 ----a-w- c:\windows\PCTBDRes.dll
2010-07-19 07:26 . 2010-07-23 16:42 1435600 ----a-w- c:\windows\PCTBDCore.dll
2010-07-15 12:00 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-07-12 05:51 . 2010-05-06 17:20 -------- d-----w- c:\program files\Common Files\InstallShield
2010-07-09 20:48 . 2010-05-06 08:15 -------- d-----w- c:\users\Introfeel\AppData\Roaming\Skype
2010-07-09 16:12 . 2010-05-08 00:07 -------- d-----w- c:\users\Introfeel\AppData\Roaming\skypePM
2010-07-03 22:37 . 2010-05-06 17:37 -------- d-----w- c:\users\Introfeel\AppData\Roaming\Roxio
2010-07-02 02:44 . 2010-05-07 02:49 -------- d-----w- c:\users\Introfeel\AppData\Roaming\HpUpdate
2010-07-01 17:01 . 2010-05-07 02:47 -------- d-----w- c:\users\Introfeel\AppData\Roaming\HP
2010-06-20 13:49 . 2010-06-20 13:49 -------- d-----w- c:\programdata\WebEx
2010-06-19 02:59 . 2010-05-06 01:56 101496 ----a-w- c:\users\Introfeel\AppData\Local\GDIPFONTCACHEV1.DAT
2010-06-19 02:55 . 2010-05-07 05:54 -------- d-----w- c:\users\Introfeel\AppData\Roaming\Apple Computer
2010-06-19 02:54 . 2010-06-19 02:54 -------- d-----w- c:\program files\Bonjour
2010-06-18 12:56 . 2010-06-18 12:55 -------- d-----w- c:\program files\GMATPrep
2010-06-18 12:55 . 2010-05-06 05:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-14 17:24 . 2010-05-08 03:39 -------- d-----w- c:\program files\Safari
2010-06-12 01:18 . 2010-06-12 01:18 -------- d-----w- c:\programdata\Hewlett-Packard
2010-06-04 21:46 . 2010-05-09 00:32 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-26 17:06 . 2010-06-11 11:23 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-11 11:23 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-18 21:35 . 2010-05-18 21:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 21:35 . 2010-05-18 21:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-12 17:32 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-05-09 01:19 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2010-05-09 01:19 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
2010-05-08 02:53 . 2010-05-08 02:54 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-08 00:07 . 2010-05-08 00:07 56 ---ha-w- c:\programdata\ezsidmv.dat
2010-05-06 08:05 . 2010-05-06 08:05 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-06 07:57 . 2010-05-06 07:57 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2010-05-06 07:57 . 2010-05-06 07:57 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-05-06 07:57 . 2010-05-06 07:57 243712 ----a-w- c:\windows\system32\rastls.dll
2010-05-06 07:57 . 2010-05-06 07:57 355328 ----a-w- c:\windows\system32\WSDApi.dll
2010-05-06 07:56 . 2010-05-06 07:56 91136 ----a-w- c:\windows\system32\avifil32.dll
2010-05-06 07:56 . 2010-05-06 07:56 82944 ----a-w- c:\windows\system32\mciavi32.dll
2010-05-06 07:56 . 2010-05-06 07:56 65024 ----a-w- c:\windows\system32\avicap32.dll
2010-05-06 07:56 . 2010-05-06 07:56 31744 ----a-w- c:\windows\system32\msvidc32.dll
2010-05-06 07:56 . 2010-05-06 07:56 13312 ----a-w- c:\windows\system32\msrle32.dll
2010-05-06 07:56 . 2010-05-06 07:56 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-05-06 07:56 . 2010-05-06 07:56 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-05-06 07:56 . 2010-05-06 07:56 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-05-06 07:56 . 2010-05-06 07:56 1314816 ----a-w- c:\windows\system32\quartz.dll
2010-05-06 07:56 . 2010-05-06 07:56 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2010-05-06 06:35 . 2010-05-06 06:35 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-05-06 06:35 . 2010-05-06 06:35 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-05-06 06:35 . 2010-05-06 06:35 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-05-06 06:33 . 2010-05-06 06:33 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2010-05-06 06:32 . 2010-05-06 06:32 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-05-06 06:32 . 2010-05-06 06:32 7680 ----a-w- c:\windows\system32\spwmp.dll
2010-05-06 06:32 . 2010-05-06 06:32 310784 ----a-w- c:\windows\system32\unregmp2.exe
2010-05-06 06:32 . 2010-05-06 06:32 4096 ----a-w- c:\windows\system32\dxmasf.dll
2010-05-06 05:26 . 2010-05-06 01:56 680 ----a-w- c:\users\Introfeel\AppData\Local\d3d9caps.dat
2010-05-06 04:50 . 2010-05-06 04:50 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-05-06 04:50 . 2010-05-06 04:50 23552 ----a-w- c:\windows\system32\lpk.dll
2010-05-06 04:50 . 2010-05-06 04:50 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-05-06 04:50 . 2010-05-06 04:50 10240 ----a-w- c:\windows\system32\dciman32.dll
2010-05-06 04:50 . 2010-05-06 04:50 61440 ----a-w- c:\windows\system32\winipsec.dll
2010-05-06 04:50 . 2010-05-06 04:50 272896 ----a-w- c:\windows\system32\polstore.dll
2010-05-06 04:49 . 2010-05-06 04:49 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-05-06 04:49 . 2010-05-06 04:49 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-05-06 04:47 . 2010-05-06 04:47 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2010-05-06 04:47 . 2010-05-06 04:47 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2010-05-06 04:47 . 2010-05-06 04:47 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2010-05-06 04:47 . 2010-05-06 04:47 19968 ----a-w- c:\windows\system32\ARP.EXE
2010-05-06 04:47 . 2010-05-06 04:47 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2010-05-06 04:47 . 2010-05-06 04:47 17920 ----a-w- c:\windows\system32\netevent.dll
2010-05-06 04:47 . 2010-05-06 04:47 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2010-05-06 04:47 . 2010-05-06 04:47 105984 ----a-w- c:\windows\system32\netiohlp.dll
2010-05-06 04:47 . 2010-05-06 04:47 10240 ----a-w- c:\windows\system32\finger.exe
2010-05-06 04:46 . 2010-05-06 04:46 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2010-05-06 04:46 . 2010-05-06 04:46 68096 ----a-w- c:\windows\system32\wlanhlp.dll
2010-05-06 04:46 . 2010-05-06 04:46 65024 ----a-w- c:\windows\system32\wlanapi.dll
2010-05-06 04:46 . 2010-05-06 04:46 513536 ----a-w- c:\windows\system32\wlansvc.dll
2010-05-06 04:46 . 2010-05-06 04:46 302592 ----a-w- c:\windows\system32\wlansec.dll
2010-05-06 04:46 . 2010-05-06 04:46 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2010-05-06 04:46 . 2010-05-06 04:46 15181 ----a-w- c:\windows\system32\gatherWirelessInfo.vbs
2010-05-06 04:45 . 2010-05-06 04:45 1401856 ----a-w- c:\windows\system32\msxml6.dll
2010-05-06 04:45 . 2010-05-06 04:45 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-05-06 04:45 . 2010-05-06 04:45 2048 ----a-w- c:\windows\system32\msxml6r.dll
2010-05-06 04:45 . 2010-05-06 04:45 2048 ----a-w- c:\windows\system32\msxml3r.dll
2010-05-06 04:45 . 2010-05-06 04:45 9728 ----a-w- c:\windows\system32\lsass.exe
2010-05-06 04:45 . 2010-05-06 04:45 72704 ----a-w- c:\windows\system32\secur32.dll
2010-05-06 04:45 . 2010-05-06 04:45 439864 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2010-05-06 04:45 . 2010-05-06 04:45 218624 ----a-w- c:\windows\system32\msv1_0.dll
2010-05-06 04:45 . 2010-05-06 04:45 175104 ----a-w- c:\windows\system32\wdigest.dll
2010-05-06 04:45 . 2010-05-06 04:45 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2010-05-06 04:44 . 2010-05-06 04:44 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-05-06 04:44 . 2010-05-06 04:44 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-05-06 04:44 . 2010-05-06 04:44 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-05-06 04:44 . 2010-05-06 04:44 98816 ----a-w- c:\windows\system32\mfps.dll
2007-02-21 19:49 . 2007-02-21 19:49 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]
"eFax 4.4"="c:\program files\eFax Messenger 4.4\J2GDllCmd.exe" [2008-10-07 95744]
"Google Update"="c:\users\Introfeel\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-05-08 136176]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"googletalk"="c:\users\Introfeel\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"V0270Mon.exe"="c:\windows\V0270Mon.exe" [2007-08-22 28672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-05-08 202256]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-17 4907008]
"TomcatStartup 2.5"="c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2007-05-19 741376]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

c:\users\Introfeel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
eFax 4.4.lnk - c:\program files\eFax Messenger 4.4\J2GTray.exe [2008-10-7 656896]
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2010-3-30 503808]
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):12,b1,8c,89,39,f1,ca,01

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 HPPLSBULK;HPPLSBULK;c:\windows\system32\drivers\hpplsbulk.sys [2005-02-02 9344]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2010-03-11 366840]
R3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 987648]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2006-11-02 251904]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-03-29 218592]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0402000.00C\SYMDS.SYS [2009-10-15 328752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0402000.00C\SYMEFA.SYS [2010-04-22 173104]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100709.001\BHDrvx86.sys [2010-06-19 691248]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0402000.00C\ccHPx86.sys [2010-02-26 501888]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100723.001\IDSvix86.sys [2010-05-28 344112]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0402000.00C\Ironx86.SYS [2010-04-29 116784]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\N360\0402000.00C\SYMTDIV.SYS [2010-05-06 339504]
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-05 77824]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2010-07-19 198608]
S2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe [2010-02-26 126392]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-07-23 102448]
S3 VF0270Dev;Live! Cam Optia;c:\windows\system32\DRIVERS\V0270Dev.sys [2007-08-20 227488]
S3 VF0270Vfx;VF0270 Video FX;c:\windows\system32\DRIVERS\V0270VFx.sys [2007-03-05 7424]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-07-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-939453163-656404264-1916229718-1000Core.job
- c:\users\Introfeel\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-08 04:20]

2010-07-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-939453163-656404264-1916229718-1000UA.job
- c:\users\Introfeel\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-08 04:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/?cid=NET_mmhpset
uInternet Settings,ProxyOverride = *.local
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
FF - ProfilePath - c:\users\Introfeel\AppData\Roaming\Mozilla\Firefox\Profiles\jq6w6nho.default\
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\programdata\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\users\Introfeel\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\users\Introfeel\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\users\Introfeel\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Rushmore Casino - c:\program files\Rushmore Casino\Install.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-24 12:02
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\4.2.0.12\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2692)
c:\windows\System32\netshell.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\DllHost.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
c:\windows\RtHDVCpl.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
c:\program files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
c:\program files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-07-24 12:12:20 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-24 17:12

Pre-Run: 351,074,013,184 bytes free
Post-Run: 351,081,975,808 bytes free

- - End Of File - - 75E806A05A25FF82C58883E8A9E544FC
  • 0
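The ComboFix log above is the artefact the helper reads by hand; the following is an added example (not ComboFix's code and not from the thread) of parsing its "Files Created" / "Find3M Report" file lines and running a few triage filters over them. The sample text is a constructed excerpt in the log's format, and the helper functions (drivers-directory filter, hidden/system-attribute filter, date window) are my own; the second timestamp on each line is carried through but not interpreted.

```python
"""Parser and triage helpers for the ComboFix file-listing format posted above.

Added example (not ComboFix's code and not from the thread). The "Files Created"
and "Find3M Report" sections print one object per line as

    <timestamp A> . <timestamp B> <size or --------> <attributes> <path>

Observable in the log: section headers are wrapped in runs of parentheses, the
first timestamp is the one ComboFix sorts on and the one inside the section's
date window, directories carry a 'd' attribute and no size, and hidden/system
objects carry 'h'/'s' in the attribute field (e.g. --sha-w-).
"""
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional

# Constructed sample: a few lines copied in the format of the log in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2010-06-24 to 2010-07-24 )))))))))))))))))))))))))))))))
.

2010-07-24 16:58 . 2010-07-24 16:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-07 11:56 . 2009-10-09 21:56 2048 ----a-w- c:\windows\system32\winrsmgr.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-06 08:05 . 2010-05-06 08:05 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-06 04:49 . 2010-05-06 04:49 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-05-06 04:44 . 2010-05-06 04:44 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2007-02-21 19:49 . 2007-02-21 19:49 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
"""

TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}"
ENTRY_RE = re.compile(rf"^({TS}) \. ({TS}) (-{{8}}|\d+) ([-dashrw]{{8}}) (.+?)\s*$")
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")


@dataclass
class Entry:
    section: str
    first_ts: datetime   # the timestamp inside the section's window (ComboFix's sort key)
    second_ts: datetime  # the second timestamp ComboFix prints; not interpreted here
    size: Optional[int]  # None for directories (printed as --------)
    attrs: str           # e.g. ----a-w-, d-----w-, --sha-w-
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden_or_system(self) -> bool:
        return "h" in self.attrs or "s" in self.attrs


def _parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def parse_combofix_entries(text: str) -> List[Entry]:
    """Return every file/directory line, tagged with the section it appeared under."""
    section = ""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SECTION_RE.match(line)):
            section = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # blank lines, '.' separators and anything else are skipped
        size_field = m.group(3)
        entries.append(Entry(
            section=section,
            first_ts=_parse_ts(m.group(1)),
            second_ts=_parse_ts(m.group(2)),
            size=None if size_field.startswith("-") else int(size_field),
            attrs=m.group(4),
            path=m.group(5),
        ))
    return entries


def in_directory(entries: List[Entry], directory: str) -> List[Entry]:
    """Entries at or below `directory` (case-insensitive, Windows-style paths)."""
    prefix = directory.lower().rstrip("\\") + "\\"
    return [e for e in entries if e.path.lower().startswith(prefix)]


def find_hidden_or_system(entries: List[Entry]) -> List[Entry]:
    """Objects with the hidden or system attribute set; worth a second look in triage."""
    return [e for e in entries if e.hidden_or_system]


def changed_between(entries: List[Entry], start: date, end: date) -> List[Entry]:
    """Entries whose sort timestamp falls in [start, end], e.g. the days around a detection."""
    return [e for e in entries if start <= e.first_ts.date() <= end]


if __name__ == "__main__":
    found = parse_combofix_entries(SAMPLE_LOG)
    for e in in_directory(found, r"c:\windows\system32\drivers"):
        print(f"{e.first_ts:%Y-%m-%d %H:%M} {e.size:>8} {e.path}")
    for e in find_hidden_or_system(found):
        print("hidden/system:", e.attrs, e.path)
```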

#10
Introfeel

Introfeel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
I tried to disable the virus software as best as I could, but there is no one disable switch and I had to do it manually. Perhaps it was not all done.
  • 0


#11
hammerman

hammerman

    Member 4k

  • Member
  • PipPipPipPipPipPipPip
  • 4,183 posts
Hi,

Can you give me an update on the problems you are having?
  • 0

#12
Introfeel

Introfeel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts

Hi,

Can you give me an update on the problems you are having?


I scanned again with Norton. Says smb.sys (Backdoor.Tidserv!inf) must remove manually.
  • 0

#13
hammerman

hammerman

    Member 4k

  • Member
  • PipPipPipPipPipPipPip
  • 4,183 posts
Hi,

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::

Folder::

Registry::

Driver::

TDL::
c:\windows\system32\drivers\smb.sys


Save this as CFScript.txt, in the same location as ComboFix.exe.


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
  • 0

#14
Introfeel

Introfeel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
ComboFix 10-07-24.03 - Introfeel 07/25/2010 10:25:54.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2036.1038 [GMT -5:00]
Running from: c:\users\Introfeel\Desktop\ComboFix.exe
Command switches used :: c:\users\Introfeel\Desktop\CFScript.txt
AV: Norton Security Suite *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: Norton Security Suite *enabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-06-25 to 2010-07-25 )))))))))))))))))))))))))))))))
.

2010-07-25 15:35 . 2010-07-25 15:35 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-07-25 15:35 . 2010-07-25 15:35 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-07-25 15:35 . 2010-07-25 15:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-23 16:35 . 2010-07-24 17:44 -------- d-----w- c:\program files\Spyware Doctor
2010-07-22 22:23 . 2010-07-22 22:23 -------- d-----w- c:\program files\iPod
2010-07-22 21:55 . 2010-07-24 23:12 -------- d-----w- c:\users\Introfeel\AppData\Roaming\vlc
2010-07-21 22:11 . 2010-07-21 22:11 -------- d-----w- c:\users\Introfeel\AppData\Roaming\Creative
2010-07-12 05:52 . 2010-07-12 05:52 -------- d-----w- c:\program files\IDI Magic
2010-07-12 01:12 . 2010-07-12 01:12 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\CrashDumps
2010-07-10 11:29 . 2010-07-10 11:34 -------- d-----w- c:\program files\Cherry Red Casino
2010-07-07 11:56 . 2009-10-09 21:56 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2010-06-26 20:51 . 2010-07-14 20:40 -------- d-----w- c:\program files\Rushmore Casino
2010-06-26 11:36 . 2010-06-26 11:36 -------- d-----w- c:\program files\Microsoft.NET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-24 17:45 . 2010-05-14 22:45 -------- d-----w- c:\users\Introfeel\AppData\Roaming\LimeWire
2010-07-23 16:09 . 2010-05-15 23:22 126920 ----a-w- c:\windows\hppins01.dat
2010-07-22 23:05 . 2010-05-06 17:29 -------- d-----w- c:\programdata\Roxio
2010-07-22 22:24 . 2010-05-07 05:52 -------- d-----w- c:\program files\iTunes
2010-07-22 22:23 . 2010-05-07 05:45 -------- d-----w- c:\program files\Common Files\Apple
2010-07-22 22:19 . 2010-07-22 22:19 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-07-20 15:51 . 2010-05-08 14:50 1 ----a-w- c:\users\Introfeel\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-07-20 13:49 . 2010-05-06 19:43 3072 ----a-w- c:\users\Introfeel\AppData\Roaming\wklnhst.dat
2010-07-15 12:00 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-07-12 05:51 . 2010-05-06 17:20 -------- d-----w- c:\program files\Common Files\InstallShield
2010-07-09 20:48 . 2010-05-06 08:15 -------- d-----w- c:\users\Introfeel\AppData\Roaming\Skype
2010-07-09 16:12 . 2010-05-08 00:07 -------- d-----w- c:\users\Introfeel\AppData\Roaming\skypePM
2010-07-03 22:37 . 2010-05-06 17:37 -------- d-----w- c:\users\Introfeel\AppData\Roaming\Roxio
2010-07-02 02:44 . 2010-05-07 02:49 -------- d-----w- c:\users\Introfeel\AppData\Roaming\HpUpdate
2010-07-01 17:01 . 2010-05-07 02:47 -------- d-----w- c:\users\Introfeel\AppData\Roaming\HP
2010-06-27 21:15 . 2010-06-27 21:15 79367 ----a-w- c:\users\Introfeel\AppData\Roaming\Google\Google Talk\uninstall.exe
2010-06-27 01:18 . 2010-05-15 04:50 10134 ----a-r- c:\users\Introfeel\AppData\Roaming\Microsoft\Installer\{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}\ARPPRODUCTICON.exe
2010-06-19 02:59 . 2010-05-06 01:56 101496 ----a-w- c:\users\Introfeel\AppData\Local\GDIPFONTCACHEV1.DAT
2010-06-19 02:55 . 2010-05-07 05:54 -------- d-----w- c:\users\Introfeel\AppData\Roaming\Apple Computer
2010-06-19 02:54 . 2010-06-19 02:54 -------- d-----w- c:\program files\Bonjour
2010-06-18 12:56 . 2010-06-18 12:55 -------- d-----w- c:\program files\GMATPrep
2010-06-18 12:55 . 2010-05-06 05:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-14 17:24 . 2010-05-08 03:39 -------- d-----w- c:\program files\Safari
2010-06-14 17:22 . 2010-06-14 17:22 71992 ----a-w- c:\programdata\Apple Computer\Installer Cache\Safari 5.33.16.0\SetupAdmin.exe
2010-06-12 01:18 . 2010-06-12 01:18 -------- d-----w- c:\programdata\Hewlett-Packard
2010-06-11 21:51 . 2010-06-11 21:51 3055600 ----a-w- c:\users\Introfeel\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
2010-06-11 21:36 . 2010-06-11 21:36 275952 ----a-w- c:\users\Introfeel\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
2010-06-04 21:46 . 2010-05-09 00:32 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-26 17:06 . 2010-06-11 11:23 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-11 11:23 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-18 21:35 . 2010-05-18 21:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 21:35 . 2010-05-18 21:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-12 17:32 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-05-09 01:19 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2010-05-09 01:19 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
2010-05-08 23:57 . 2010-05-08 23:57 143976 ----a-w- c:\users\Introfeel\AppData\Roaming\Move Networks\uninstall.exe
2010-05-08 23:57 . 2009-10-15 00:50 5642688 ----a-w- c:\users\Introfeel\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll
2010-05-08 03:52 . 2010-05-08 03:52 49152 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-05-08 03:52 . 2010-05-08 03:52 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-05-08 03:52 . 2010-05-08 03:52 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-05-08 03:52 . 2010-05-08 03:52 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-05-08 03:52 . 2010-05-08 03:52 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-05-08 03:52 . 2010-05-08 03:52 40960 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-05-08 03:52 . 2010-05-08 03:52 308808 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-05-08 03:52 . 2010-05-08 03:52 14848 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-05-08 03:52 . 2010-05-08 03:52 341600 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-05-08 02:53 . 2010-05-08 02:54 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-08 02:45 . 2010-05-08 02:45 86016 ----a-w- c:\programdata\NOS\Adobe_Downloads\arh.exe
2010-05-08 00:07 . 2010-05-08 00:07 56 ---ha-w- c:\programdata\ezsidmv.dat
2010-05-07 15:06 . 2010-05-07 15:06 4710 ----a-r- c:\users\Introfeel\AppData\Roaming\Microsoft\Installer\{DF6DA606-904D-4C18-823F-A4CFC3035E53}\ext.exe
2010-05-06 08:05 . 2010-05-06 08:05 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-06 07:57 . 2010-05-06 07:57 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2010-05-06 07:57 . 2010-05-06 07:57 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-05-06 07:57 . 2010-05-06 07:57 243712 ----a-w- c:\windows\system32\rastls.dll
2010-05-06 07:57 . 2010-05-06 07:57 355328 ----a-w- c:\windows\system32\WSDApi.dll
2010-05-06 07:56 . 2010-05-06 07:56 91136 ----a-w- c:\windows\system32\avifil32.dll
2010-05-06 07:56 . 2010-05-06 07:56 82944 ----a-w- c:\windows\system32\mciavi32.dll
2010-05-06 07:56 . 2010-05-06 07:56 65024 ----a-w- c:\windows\system32\avicap32.dll
2010-05-06 07:56 . 2010-05-06 07:56 31744 ----a-w- c:\windows\system32\msvidc32.dll
2010-05-06 07:56 . 2010-05-06 07:56 13312 ----a-w- c:\windows\system32\msrle32.dll
2010-05-06 07:56 . 2010-05-06 07:56 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-05-06 07:56 . 2010-05-06 07:56 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-05-06 07:56 . 2010-05-06 07:56 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-05-06 07:56 . 2010-05-06 07:56 1314816 ----a-w- c:\windows\system32\quartz.dll
2010-05-06 07:56 . 2010-05-06 07:56 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2010-05-06 06:35 . 2010-05-06 06:35 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-05-06 06:35 . 2010-05-06 06:35 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-05-06 06:35 . 2010-05-06 06:35 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-05-06 06:33 . 2010-05-06 06:33 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2010-05-06 06:32 . 2010-05-06 06:32 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-05-06 06:32 . 2010-05-06 06:32 7680 ----a-w- c:\windows\system32\spwmp.dll
2010-05-06 06:32 . 2010-05-06 06:32 310784 ----a-w- c:\windows\system32\unregmp2.exe
2010-05-06 06:32 . 2010-05-06 06:32 4096 ----a-w- c:\windows\system32\dxmasf.dll
2010-05-06 05:26 . 2010-05-06 01:56 680 ----a-w- c:\users\Introfeel\AppData\Local\d3d9caps.dat
2010-05-06 04:50 . 2010-05-06 04:50 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-05-06 04:50 . 2010-05-06 04:50 23552 ----a-w- c:\windows\system32\lpk.dll
2010-05-06 04:50 . 2010-05-06 04:50 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-05-06 04:50 . 2010-05-06 04:50 10240 ----a-w- c:\windows\system32\dciman32.dll
2010-05-06 04:50 . 2010-05-06 04:50 61440 ----a-w- c:\windows\system32\winipsec.dll
2010-05-06 04:50 . 2010-05-06 04:50 272896 ----a-w- c:\windows\system32\polstore.dll
2010-05-06 04:49 . 2010-05-06 04:49 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-05-06 04:49 . 2010-05-06 04:49 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-05-06 04:47 . 2010-05-06 04:47 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2010-05-06 04:47 . 2010-05-06 04:47 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2010-05-06 04:47 . 2010-05-06 04:47 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2010-05-06 04:47 . 2010-05-06 04:47 19968 ----a-w- c:\windows\system32\ARP.EXE
2010-05-06 04:47 . 2010-05-06 04:47 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2010-05-06 04:47 . 2010-05-06 04:47 17920 ----a-w- c:\windows\system32\netevent.dll
2010-05-06 04:47 . 2010-05-06 04:47 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2010-05-06 04:47 . 2010-05-06 04:47 105984 ----a-w- c:\windows\system32\netiohlp.dll
2010-05-06 04:47 . 2010-05-06 04:47 10240 ----a-w- c:\windows\system32\finger.exe
2010-05-06 04:46 . 2010-05-06 04:46 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2010-05-06 04:46 . 2010-05-06 04:46 68096 ----a-w- c:\windows\system32\wlanhlp.dll
2010-05-06 04:46 . 2010-05-06 04:46 65024 ----a-w- c:\windows\system32\wlanapi.dll
2010-05-06 04:46 . 2010-05-06 04:46 513536 ----a-w- c:\windows\system32\wlansvc.dll
2010-05-06 04:46 . 2010-05-06 04:46 302592 ----a-w- c:\windows\system32\wlansec.dll
2010-05-06 04:46 . 2010-05-06 04:46 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2010-05-06 04:46 . 2010-05-06 04:46 15181 ----a-w- c:\windows\system32\gatherWirelessInfo.vbs
2010-05-06 04:45 . 2010-05-06 04:45 1401856 ----a-w- c:\windows\system32\msxml6.dll
2010-05-06 04:45 . 2010-05-06 04:45 1248768 ----a-w- c:\windows\system32\msxml3.dll
2007-02-21 19:49 . 2007-02-21 19:49 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]
"eFax 4.4"="c:\program files\eFax Messenger 4.4\J2GDllCmd.exe" [2008-10-07 95744]
"Google Update"="c:\users\Introfeel\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-05-08 136176]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"googletalk"="c:\users\Introfeel\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"V0270Mon.exe"="c:\windows\V0270Mon.exe" [2007-08-22 28672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-05-08 202256]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-17 4907008]
"TomcatStartup 2.5"="c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2007-05-19 741376]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

c:\users\Introfeel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
eFax 4.4.lnk - c:\program files\eFax Messenger 4.4\J2GTray.exe [2008-10-7 656896]
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2010-3-30 503808]
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):12,b1,8c,89,39,f1,ca,01

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 HPPLSBULK;HPPLSBULK;c:\windows\system32\drivers\hpplsbulk.sys [2005-02-02 9344]
R3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 987648]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2006-11-02 251904]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0402000.00C\SYMDS.SYS [2009-10-15 328752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0402000.00C\SYMEFA.SYS [2010-04-22 173104]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100709.001\BHDrvx86.sys [2010-06-19 691248]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0402000.00C\ccHPx86.sys [2010-02-26 501888]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100723.001\IDSvix86.sys [2010-05-28 344112]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0402000.00C\Ironx86.SYS [2010-04-29 116784]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\N360\0402000.00C\SYMTDIV.SYS [2010-05-06 339504]
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-05 77824]
S2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe [2010-02-26 126392]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-07-23 102448]
S3 VF0270Dev;Live! Cam Optia;c:\windows\system32\DRIVERS\V0270Dev.sys [2007-08-20 227488]
S3 VF0270Vfx;VF0270 Video FX;c:\windows\system32\DRIVERS\V0270VFx.sys [2007-03-05 7424]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-07-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-939453163-656404264-1916229718-1000Core.job
- c:\users\Introfeel\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-08 04:20]

2010-07-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-939453163-656404264-1916229718-1000UA.job
- c:\users\Introfeel\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-08 04:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/?cid=NET_mmhpset
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\users\Introfeel\AppData\Roaming\Mozilla\Firefox\Profiles\jq6w6nho.default\
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-25 10:35
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\4.2.0.12\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1652)
c:\windows\system32\msi.dll
.
Completion time: 2010-07-25 10:42:05
ComboFix-quarantined-files.txt 2010-07-25 15:42
ComboFix2.txt 2010-07-24 17:12

Pre-Run: 351,297,994,752 bytes free
Post-Run: 351,253,053,440 bytes free

- - End Of File - - 5D40083B9FC14284A1CDCBFA408C9E15

#15
Introfeel (Topic Starter, Member, 24 posts)
When I got the above info I did disable the virus scanner; however, it is also the firewall, and that remained active, which is probably why it says it's still working.