Google Redirect trojan


#1 Brianaala (Member, 19 posts)
Hi folks,
Thanks for being here, I'm at my wit's end! I have been reading all sorts of ways to fix this problem but none have worked. One place suggested deleting the wdmaud.drv; I did that, and now I don't have system sounds. I have downloaded and run Combofix, HJT, housecall, Microsoft onecall, and simply super soft's Trojan Remover. Nothing has worked. Specifically, any google search I do pops up to random sites such as "Ave 99" and other sales or "spyware" sites. If I go back and keep hitting the link, by the 3rd or 4th time it gets through. I now suppose I am doing more harm than good and I need your help!

#2 RKinner (Malware Expert, MVP, 24,622 posts)
Do as much of

http://www.geekstogo...uide-t2852.html

as you can. If a step won't work, skip to the next one. Copy and paste your gmer, mbam, otl, & extras logs into a reply. Do not attach them.

If you lose internet access after running MBAM or if you are not able to get to the downloads:

In IE, Tools, Internet Options, Connections, LAN Settings, then uncheck all boxes and OK. Close IE and restart IE.

In FireFox, Tools, Options, Advanced, Settings, check No Proxy then OK. Close Firefox and restart Firefox.

In Chrome, Wrench, Options, Under the Hood, Change Proxy Settings, uncheck all boxes, OK.

Also post your combofix log.

Ron

#3 Brianaala (Topic Starter, Member, 19 posts)
Hi Ron,
wow thanks for the fast reply. I will run that series immediately!
For now here is my Combofix log:

ComboFix 10-05-15.03 - Brian 05/16/2010 10:29:22.6.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3070.2317 [GMT -5:00]
Running from: c:\users\Brian\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2010-04-16 to 2010-05-16 )))))))))))))))))))))))))))))))
.

2010-05-15 21:48 . 2006-06-19 17:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-05-15 21:48 . 2006-05-25 19:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-05-15 21:48 . 2005-08-26 05:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-05-15 21:48 . 2003-02-03 00:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-05-15 21:48 . 2002-03-06 05:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-05-15 21:48 . 2010-05-15 21:48 -------- d-----w- c:\program files\Trojan Remover
2010-05-15 21:48 . 2010-05-15 21:48 -------- d-----w- c:\users\Brian\AppData\Roaming\Simply Super Software
2010-05-15 21:48 . 2010-05-15 21:48 -------- d-----w- c:\programdata\Simply Super Software
2010-05-14 22:46 . 2010-05-14 22:46 -------- d-----w- c:\windows\Sun
2010-05-14 22:45 . 2010-05-14 22:45 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-14 22:01 . 2010-05-14 22:02 -------- d-----w- c:\users\Brian\AppData\Roaming\GetRightToGo
2010-05-14 20:33 . 2010-05-14 20:33 -------- d-----w- c:\program files\Unlocker
2010-05-14 16:13 . 2009-10-10 02:57 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
2010-05-14 07:56 . 2010-05-14 07:56 -------- d-----w- c:\windows\system32\Wat
2010-05-12 17:26 . 2010-03-04 07:33 740864 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-09 16:32 . 2010-05-09 16:32 -------- d-----w- c:\windows\system32\AGEIA
2010-05-09 16:32 . 2010-05-09 16:33 -------- d-----w- c:\program files\AGEIA Technologies
2010-05-09 16:26 . 2010-05-09 16:26 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-07 15:22 . 2010-05-07 15:22 140288 ----a-w- c:\windows\system32\pcre3.dll
2010-05-07 15:22 . 2010-05-07 15:22 -------- d-----w- c:\users\Brian\AppData\Local\Desktop Cleanup Wizard
2010-05-07 15:22 . 2010-05-07 15:22 37888 ----a-w- c:\windows\system32\b_syspol32.dll
2010-05-07 15:22 . 2010-05-07 15:22 37888 ----a-w- c:\windows\system32\syspol32.dll
2010-05-07 15:22 . 2010-05-07 15:22 11776 ----a-w- c:\windows\system32\mousenh32.exe
2010-04-28 13:08 . 2009-09-26 05:58 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys
2010-04-28 13:08 . 2009-12-11 07:44 133720 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2010-04-28 13:08 . 2009-12-11 07:38 1037312 ----a-w- c:\windows\system32\lsasrv.dll
2010-04-22 21:16 . 2010-04-22 21:16 -------- d-----w- c:\users\Brian\AppData\Roaming\Free Mp3 Wma Ogg Converter
2010-04-22 21:15 . 2010-04-22 21:15 -------- d-----w- c:\program files\Free Mp3 Wma Ogg Converter
2010-04-20 21:08 . 2010-02-01 01:45 38784 ----a-w- c:\users\Brian\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-04-20 21:08 . 2010-04-20 21:08 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-04-20 21:07 . 2010-04-20 21:07 86016 ----a-w- c:\programdata\NOS\Adobe_Downloads\arh.exe
2010-04-20 21:07 . 2010-04-21 00:38 -------- d-----w- c:\programdata\NOS
2010-04-19 05:10 . 2010-02-27 12:07 3954568 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-19 05:10 . 2010-02-27 12:07 3899280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-19 05:10 . 2010-03-08 21:33 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-04-19 05:10 . 2010-02-27 07:32 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-19 05:10 . 2010-02-27 07:32 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-19 05:10 . 2010-02-27 07:32 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-19 05:06 . 2009-12-29 06:55 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-19 05:06 . 2010-01-09 06:52 132608 ----a-w- c:\windows\system32\cabview.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-16 03:31 . 2010-05-16 00:25 -------- d-----w- c:\program files\Windows Live Safety Center
2010-05-15 23:42 . 2010-05-15 23:42 388096 ----a-r- c:\users\Brian\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-05-15 23:42 . 2010-05-15 23:42 -------- d-----w- c:\program files\TrendMicro
2010-05-15 22:46 . 2010-05-15 22:46 -------- d-----w- c:\program files\Realtek
2010-05-15 21:23 . 2009-11-20 16:47 -------- d-----w- c:\users\Brian\AppData\Roaming\vlc
2010-05-14 20:23 . 2009-11-19 22:47 -------- d-----w- c:\users\Brian\AppData\Roaming\Azureus
2010-05-14 16:12 . 2009-11-19 23:23 -------- d-----w- c:\programdata\Microsoft Help
2010-05-14 07:56 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-05-10 05:14 . 2009-11-28 23:24 -------- d-----w- c:\program files\Vuze
2010-05-06 15:36 . 2009-11-19 17:45 221568 ----a-w- c:\windows\system32\MpSigStub.exe
2010-04-20 21:10 . 2009-11-28 21:30 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-20 03:10 . 2009-11-19 22:37 109432 ----a-w- c:\users\Brian\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-19 05:48 . 2009-12-06 17:20 -------- d-----w- c:\programdata\Yahoo! Companion
2010-04-19 05:48 . 2009-12-06 17:18 -------- d-----w- c:\program files\Yahoo!
2010-03-30 15:17 . 2010-03-30 15:17 373677 ----a-w- c:\users\Brian\msplyi4d.exe
2010-03-24 18:17 . 2010-03-24 08:04 952768 ----a-w- c:\programdata\Adobe\Acrobat\9.3\ARM\28762\AdobeARM.exe
2010-03-24 18:17 . 2010-03-24 08:04 70584 ----a-w- c:\programdata\Adobe\Acrobat\9.3\ARM\28762\AdobeExtractFiles.dll
2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- c:\programdata\Adobe\Acrobat\9.3\ARM\28762\ReaderUpdater.exe
2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- c:\programdata\Adobe\Acrobat\9.3\ARM\28762\AcrobatUpdater.exe
2010-02-23 07:56 . 2010-03-31 13:42 977920 ----a-w- c:\windows\system32\wininet.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-19 39408]
"Desktop Cleanup Wizard"="c:\users\Brian\Local Settings\Application Data\Desktop Cleanup Wizard\dskclean.dll" [2010-05-07 37888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="d:\mcafee\SHSTAT.EXE" [2009-10-16 124224]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-11-19 122880]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-09-25 136512]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-03-09 15872]
"Acronis Toolbar Helper"="c:\users\Brian\Local Settings\Application Data\Desktop Cleanup Wizard\dskclean.dll" [2010-05-07 37888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 135664]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-09-01 65448]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-14 1343400]
R4 acrosysbackup_ex4PD0-uSaTA;Acronis System Backup;c:\windows\system32\wirepots.exe [x]
R4 winbackupdumper-id194PD0-uSaTA;Windows System Backup Dumper;c:\windows\system32\mousenh32.exe [2010-05-07 11776]
S2 McAfeeEngineService;McAfee Engine Service;d:\mcafee\engineserver.exe [2009-09-01 21256]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-09-01 70728]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2009-07-13 266752]

.
Contents of the 'Scheduled Tasks' folder

2010-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 17:43]

2010-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 17:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
IE: Append Link Target to Existing PDF
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-05-16 10:41:11
ComboFix-quarantined-files.txt 2010-05-16 15:41
ComboFix2.txt 2010-05-15 22:29
ComboFix3.txt 2010-05-15 22:09
ComboFix4.txt 2010-05-14 22:28
ComboFix5.txt 2010-05-16 15:27

Pre-Run: 6,519,336,960 bytes free
Post-Run: 6,561,865,728 bytes free

- - End Of File - - 8CFF61AB50D430E9F35F2E6106056F1C

#4 Brianaala (Topic Starter, Member, 19 posts)
Hi again,
OK, I have run TFC, ERUNT, MBAM, and McAfee. I will run GMER and OTL next. Here are the MBAM log files:


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4106

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

5/16/2010 11:11:28 AM
mbam-log-2010-05-16 (11-11-28).txt

Scan type: Quick scan
Objects scanned: 125578
Time elapsed: 7 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\AutocompletePro.DLL (Adware.PredictAd) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\acronis toolbar helper (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Brian\msplyi4d.exe (Trojan.Agent) -> Quarantined and deleted successfully.

#5 RKinner (Malware Expert, MVP, 24,622 posts)
Normally I would wait for the OTL log but it seems obvious from Combofix that you have two infections. One from

2010-03-30 15:17 . 2010-03-30 15:17 373677 ----a-w- c:\users\Brian\msplyi4d.exe

and a second one from

2010-05-07 15:22 . 2010-05-07 15:22 140288 ----a-w- c:\windows\system32\pcre3.dll
2010-05-07 15:22 . 2010-05-07 15:22 -------- d-----w- c:\users\Brian\AppData\Local\Desktop Cleanup Wizard
2010-05-07 15:22 . 2010-05-07 15:22 37888 ----a-w- c:\windows\system32\b_syspol32.dll
2010-05-07 15:22 . 2010-05-07 15:22 37888 ----a-w- c:\windows\system32\syspol32.dll
2010-05-07 15:22 . 2010-05-07 15:22 11776 ----a-w- c:\windows\system32\mousenh32.exe

So we can go ahead and remove them.

A lot of the things in the guide are for your own protection in case something goes wrong so please finish as much as possible before you do the following.



Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************

Killall:

DirLook::
C:\Program Files\Common
%user%\library

File::
c:\windows\system32\pcre3.dll
c:\windows\system32\b_syspol32.dll
c:\windows\system32\syspol32.dll
c:\windows\system32\mousenh32.exe
c:\users\Brian\msplyi4d.exe

Driver::
winbackupdumper-id194PD0-uSaTA
acrosysbackup_ex4PD0-uSaTA

Folder::
c:\users\Brian\AppData\Local\Desktop Cleanup Wizard

RegLock::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Desktop Cleanup Wizard"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acronis Toolbar Helper"=-


******************************************

Now open notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all then File, SAVE AS, (to your Desktop), CFScript , OK. Close notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Pause your antivirus.

Drag it over to combofix and let it start as before.

It will probably reboot. After you get the new log, make sure your antivirus is running.

Post the new log along with all of your other logs.

Ron

Edited by RKinner, 16 May 2010 - 10:56 AM.

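As an added illustration of the triage Ron walks through in the post above (example code written for this page; it is not from the thread, from ComboFix's authors, or from any of the tools named here): a small Python parser that reads ComboFix "Files Created" lines and the driver/service list, flags system32 binaries whose modified time equals their creation time and executables dropped directly in a profile root, groups the flagged files by creation minute so same-batch companions like the Desktop Cleanup Wizard folder surface together, and cross-references service entries whose image file is missing or is itself a flagged file. The sample log lines are constructed to match the formats shown in the thread; the heuristics are assumptions chosen for illustration and will also flag some legitimate installers, so the output is a shortlist for a human reviewer, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample in the ComboFix "Files Created" and driver/service
# list formats (a handful of lines shaped like the log posted in the thread).
SAMPLE_LOG = r"""
2010-05-15 21:48 . 2006-06-19 17:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-05-15 21:48 . 2010-05-15 21:48 -------- d-----w- c:\program files\Trojan Remover
2010-05-07 15:22 . 2010-05-07 15:22 140288 ----a-w- c:\windows\system32\pcre3.dll
2010-05-07 15:22 . 2010-05-07 15:22 -------- d-----w- c:\users\Brian\AppData\Local\Desktop Cleanup Wizard
2010-05-07 15:22 . 2010-05-07 15:22 37888 ----a-w- c:\windows\system32\b_syspol32.dll
2010-05-07 15:22 . 2010-05-07 15:22 37888 ----a-w- c:\windows\system32\syspol32.dll
2010-05-07 15:22 . 2010-05-07 15:22 11776 ----a-w- c:\windows\system32\mousenh32.exe
2010-04-28 13:08 . 2009-12-11 07:38 1037312 ----a-w- c:\windows\system32\lsasrv.dll
2010-03-30 15:17 . 2010-03-30 15:17 373677 ----a-w- c:\users\Brian\msplyi4d.exe
R4 acrosysbackup_ex4PD0-uSaTA;Acronis System Backup;c:\windows\system32\wirepots.exe [x]
R4 winbackupdumper-id194PD0-uSaTA;Windows System Backup Dumper;c:\windows\system32\mousenh32.exe [2010-05-07 11776]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-09-01 70728]
"""

# "<created> . <modified> <size|--------> <attrs> <path>"
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>\S{8}) (?P<path>.+)$"
)
# "<R|S><n> <name>;<display name>;<image path> [<date size> | x]"
SVC_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?) \[(?P<tail>[^\]]*)\]$"
)


def parse_file_entries(lines):
    entries = []
    for line in lines:
        m = FILE_RE.match(line)
        if m:
            e = m.groupdict()
            e["is_dir"] = e["attrs"].startswith("d")
            e["size"] = None if e["size"].startswith("-") else int(e["size"])
            entries.append(e)
    return entries


def parse_services(lines):
    return [m.groupdict() for m in map(SVC_RE.match, lines) if m]


def is_system32_binary(path):
    p = path.lower()
    return "\\windows\\system32\\" in p and p.endswith((".dll", ".exe", ".sys"))


def is_profile_root_exe(path):
    # An .exe sitting directly in c:\users\<name>\ rather than under a program folder.
    return re.fullmatch(r"c:\\users\\[^\\]+\\[^\\]+\.exe", path.lower()) is not None


def flag_files(entries):
    """Heuristic (assumed, not ComboFix's own): return (entry, reason) pairs."""
    flagged = []
    for e in entries:
        if e["is_dir"]:
            continue
        # A system32 binary whose mtime equals its ctime was written fresh when
        # it appeared; shipped components usually carry an older build mtime.
        if is_system32_binary(e["path"]) and e["created"] == e["modified"]:
            flagged.append((e, "system32 binary written fresh at creation time"))
        elif is_profile_root_exe(e["path"]):
            flagged.append((e, "executable dropped in profile root"))
    return flagged


def cluster_by_created(entries, flagged):
    """Group flagged files by creation minute, then pull in anything else
    created in the same minute (companion folders, as in the thread)."""
    clusters = defaultdict(list)
    for e, _reason in flagged:
        clusters[e["created"]].append(e["path"])
    for e in entries:
        if e["created"] in clusters and e["path"] not in clusters[e["created"]]:
            clusters[e["created"]].append(e["path"])
    return dict(clusters)


def flag_services(services, flagged_paths):
    out = []
    for s in services:
        if s["tail"] == "x":
            out.append((s["name"], "image file missing"))
        elif s["image"].lower() in flagged_paths:
            out.append((s["name"], "image is a flagged file"))
    return out


def triage(log_text):
    lines = log_text.strip().splitlines()
    entries = parse_file_entries(lines)
    flagged = flag_files(entries)
    flagged_paths = {e["path"].lower() for e, _ in flagged}
    return {
        "clusters": cluster_by_created(entries, flagged),
        "services": flag_services(parse_services(lines), flagged_paths),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for created, paths in sorted(result["clusters"].items()):
        print(f"batch created {created}:")
        for p in paths:
            print("   ", p)
    for name, reason in result["services"]:
        print(f"service {name}: {reason}")
```

Run against the constructed sample it reports the same two batches Ron picked out by eye (2010-03-30 15:17 and 2010-05-07 15:22) and both R4 services, while the older-mtime ztv*.dll and lsasrv.dll entries and the McAfee service pass through unflagged. Running it over a full log simply means pasting the log text in place of the sample.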

#6 Brianaala (Topic Starter, Member, 19 posts)
Hi Ron,
again thank you so much!
Here is the new Combofix log:
ComboFix 10-05-16.01 - Brian 05/16/2010 13:28:11.7.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3070.2332 [GMT -5:00]
Running from: c:\users\Brian\Desktop\ComboFix.exe
Command switches used :: c:\users\Brian\Desktop\CFScript.txt
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
* Created a new restore point

FILE ::
"c:\users\Brian\msplyi4d.exe"
"c:\windows\system32\b_syspol32.dll"
"c:\windows\system32\mousenh32.exe"
"c:\windows\system32\pcre3.dll"
"c:\windows\system32\syspol32.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Brian\AppData\Local\Desktop Cleanup Wizard
c:\users\Brian\AppData\Local\Desktop Cleanup Wizard\dskclean.dll
c:\windows\system32\%appdata%
c:\windows\system32\b_syspol32.dll
c:\windows\system32\mousenh32.exe
c:\windows\system32\pcre3.dll
c:\windows\system32\syspol32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_acrosysbackup_ex4PD0-uSaTA
-------\Service_winbackupdumper-id194PD0-uSaTA


((((((((((((((((((((((((( Files Created from 2010-04-16 to 2010-05-16 )))))))))))))))))))))))))))))))
.

2010-05-16 18:34 . 2010-05-16 18:36 -------- d-----w- c:\users\Brian\AppData\Local\temp
2010-05-16 18:34 . 2010-05-16 18:34 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-16 18:34 . 2010-05-16 18:34 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-16 18:34 . 2010-05-16 18:34 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-05-16 16:01 . 2010-05-16 16:01 -------- d-----w- c:\users\Brian\AppData\Roaming\Malwarebytes
2010-05-16 16:01 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-16 16:01 . 2010-05-16 16:01 -------- d-----w- c:\programdata\Malwarebytes
2010-05-16 16:01 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-16 16:01 . 2010-05-16 16:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-16 15:57 . 2010-05-16 15:57 -------- d-----w- c:\program files\ERUNT
2010-05-16 15:49 . 2010-05-16 15:49 -------- d-----w- C:\%APPDATA%
2010-05-16 00:25 . 2010-05-16 03:31 -------- d-----w- c:\program files\Windows Live Safety Center
2010-05-15 23:42 . 2010-05-15 23:42 388096 ----a-r- c:\users\Brian\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-05-15 23:42 . 2010-05-15 23:42 -------- d-----w- c:\program files\TrendMicro
2010-05-15 23:30 . 2010-05-15 23:30 -------- d-----w- c:\windows\system32\log
2010-05-15 22:46 . 2010-05-15 22:46 -------- d-----w- c:\windows\system32\RTCOM
2010-05-15 22:46 . 2010-05-15 22:46 -------- d-----w- c:\program files\Realtek
2010-05-15 21:48 . 2006-06-19 17:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-05-15 21:48 . 2006-05-25 19:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-05-15 21:48 . 2005-08-26 05:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-05-15 21:48 . 2003-02-03 00:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-05-15 21:48 . 2002-03-06 05:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-05-15 21:48 . 2010-05-15 21:48 -------- d-----w- c:\program files\Trojan Remover
2010-05-15 21:48 . 2010-05-15 21:48 -------- d-----w- c:\users\Brian\AppData\Roaming\Simply Super Software
2010-05-15 21:48 . 2010-05-15 21:48 -------- d-----w- c:\programdata\Simply Super Software
2010-05-14 22:46 . 2010-05-14 22:46 -------- d-----w- c:\windows\Sun
2010-05-14 22:45 . 2010-05-14 22:45 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-14 22:01 . 2010-05-14 22:02 -------- d-----w- c:\users\Brian\AppData\Roaming\GetRightToGo
2010-05-14 20:33 . 2010-05-14 20:33 -------- d-----w- c:\program files\Unlocker
2010-05-14 16:13 . 2009-10-10 02:57 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
2010-05-14 07:56 . 2010-05-14 07:56 -------- d-----w- c:\windows\system32\Wat
2010-05-12 17:26 . 2010-03-04 07:33 740864 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-09 16:32 . 2010-05-09 16:32 -------- d-----w- c:\windows\system32\AGEIA
2010-05-09 16:32 . 2010-05-09 16:33 -------- d-----w- c:\program files\AGEIA Technologies
2010-05-09 16:26 . 2010-05-09 16:26 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-28 13:08 . 2009-09-26 05:58 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys
2010-04-28 13:08 . 2009-12-11 07:44 133720 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2010-04-28 13:08 . 2009-12-11 07:38 1037312 ----a-w- c:\windows\system32\lsasrv.dll
2010-04-22 21:16 . 2010-04-22 21:16 -------- d-----w- c:\users\Brian\AppData\Roaming\Free Mp3 Wma Ogg Converter
2010-04-22 21:15 . 2010-04-22 21:15 -------- d-----w- c:\program files\Free Mp3 Wma Ogg Converter
2010-04-20 21:08 . 2010-04-20 21:08 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-04-20 21:07 . 2010-04-20 21:07 86016 ----a-w- c:\programdata\NOS\Adobe_Downloads\arh.exe
2010-04-20 21:07 . 2010-04-21 00:38 -------- d-----w- c:\programdata\NOS
2010-04-19 05:10 . 2010-02-27 12:07 3954568 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-19 05:10 . 2010-02-27 12:07 3899280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-19 05:10 . 2010-03-08 21:33 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-04-19 05:10 . 2010-02-27 07:32 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-19 05:10 . 2010-02-27 07:32 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-19 05:10 . 2010-02-27 07:32 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-19 05:06 . 2009-12-29 06:55 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-19 05:06 . 2010-01-09 06:52 132608 ----a-w- c:\windows\system32\cabview.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-15 21:23 . 2009-11-20 16:47 -------- d-----w- c:\users\Brian\AppData\Roaming\vlc
2010-05-14 20:23 . 2009-11-19 22:47 -------- d-----w- c:\users\Brian\AppData\Roaming\Azureus
2010-05-14 16:12 . 2009-11-19 23:23 -------- d-----w- c:\programdata\Microsoft Help
2010-05-14 07:56 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-05-10 05:14 . 2009-11-28 23:24 -------- d-----w- c:\program files\Vuze
2010-05-06 15:36 . 2009-11-19 17:45 221568 ----a-w- c:\windows\system32\MpSigStub.exe
2010-04-20 21:10 . 2009-11-28 21:30 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-20 03:10 . 2009-11-19 22:37 109432 ----a-w- c:\users\Brian\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-19 05:48 . 2009-12-06 17:20 -------- d-----w- c:\programdata\Yahoo! Companion
2010-04-19 05:48 . 2009-12-06 17:18 -------- d-----w- c:\program files\Yahoo!
2010-03-24 18:17 . 2010-03-24 08:04 952768 ----a-w- c:\programdata\Adobe\Acrobat\9.3\ARM\28762\AdobeARM.exe
2010-03-24 18:17 . 2010-03-24 08:04 70584 ----a-w- c:\programdata\Adobe\Acrobat\9.3\ARM\28762\AdobeExtractFiles.dll
2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- c:\programdata\Adobe\Acrobat\9.3\ARM\28762\ReaderUpdater.exe
2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- c:\programdata\Adobe\Acrobat\9.3\ARM\28762\AcrobatUpdater.exe
2010-02-23 07:56 . 2010-03-31 13:42 977920 ----a-w- c:\windows\system32\wininet.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of %user%\library ----


---- Directory of c:\program files\Common ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-19 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="d:\mcafee\SHSTAT.EXE" [2009-10-16 124224]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-11-19 122880]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-09-25 136512]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-03-09 15872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 135664]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-09-01 65448]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-14 1343400]
S2 McAfeeEngineService;McAfee Engine Service;d:\mcafee\engineserver.exe [2009-09-01 21256]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-09-01 70728]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2009-07-13 266752]

.
Contents of the 'Scheduled Tasks' folder

2010-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 17:43]

2010-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 17:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
IE: Append Link Target to Existing PDF
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3576)
c:\program files\Unlocker\UnlockerHook.dll
c:\program files\McAfee\Common Framework\McTrayLegacySupportPlugin.dll
c:\program files\McAfee\Common Framework\McTrayInterfaceLib.dll
c:\program files\McAfee\Common Framework\McAfeeWin32GUISupportDLL.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\windows\system32\taskhost.exe
d:\mcafee\vstskmgr.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
d:\mcafee\mcshield.exe
d:\mcafee\mfeann.exe
c:\windows\system32\conhost.exe
c:\windows\system32\conhost.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Completion time: 2010-05-16 13:40:51 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-16 18:40
ComboFix2.txt 2010-05-16 15:41
ComboFix3.txt 2010-05-15 22:29
ComboFix4.txt 2010-05-15 22:09
ComboFix5.txt 2010-05-16 18:26

Pre-Run: 6,586,245,120 bytes free
Post-Run: 6,392,291,328 bytes free

- - End Of File - - 514172EC07F304791CBD1258A12891EB

#7 Brianaala (Topic Starter, Member, 19 posts)
Hi Ron,
GMER keeps giving me a BSOD (5 times so far), and I ran OTL, but that was before the new Combofix code you gave me. So I will run it again now and upload that when it's done.

#8 Brianaala (Topic Starter, Member, 19 posts)
OK here is the new OTL.txt:
OTL logfile created on: 5/16/2010 1:48:00 PM - Run 2
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Users\Brian\Desktop
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 71.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 24.81 Gb Total Space | 6.02 Gb Free Space | 24.25% Space Free | Partition Type: NTFS
Drive D: | 124.24 Gb Total Space | 43.38 Gb Free Space | 34.92% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 186.31 Gb Total Space | 111.20 Gb Free Space | 59.68% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BRIAN-PC
Current User Name: Brian
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/05/16 10:51:46 | 000,571,392 | ---- | M] (OldTimer Tools) -- C:\Users\Brian\Desktop\OTL.exe
PRC - [2010/03/08 21:52:48 | 000,015,872 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerAssistant.exe
PRC - [2009/11/19 17:22:28 | 000,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2009/10/31 00:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/10/15 21:07:00 | 000,066,880 | ---- | M] (McAfee, Inc.) -- D:\Mcafee\vstskmgr.exe
PRC - [2009/09/25 05:50:00 | 000,185,664 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
PRC - [2009/09/25 05:50:00 | 000,136,512 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\UdaterUI.exe
PRC - [2009/09/25 05:50:00 | 000,120,128 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe
PRC - [2009/09/25 05:50:00 | 000,075,072 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\McTray.exe
PRC - [2009/08/31 21:07:00 | 000,146,448 | ---- | M] (McAfee, Inc.) -- D:\Mcafee\mcshield.exe
PRC - [2009/08/31 21:07:00 | 000,070,728 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\mfevtps.exe
PRC - [2009/08/31 21:07:00 | 000,027,960 | ---- | M] (McAfee, Inc.) -- D:\Mcafee\mfeann.exe
PRC - [2009/08/31 21:07:00 | 000,021,256 | ---- | M] (McAfee, Inc.) -- D:\Mcafee\engineserver.exe
PRC - [2009/07/13 20:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/07/13 20:14:15 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
PRC - [2009/01/26 16:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
PRC - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe


========== Modules (SafeList) ==========

MOD - [2010/05/16 10:51:46 | 000,571,392 | ---- | M] (OldTimer Tools) -- C:\Users\Brian\Desktop\OTL.exe
MOD - [2010/03/08 21:55:54 | 000,004,608 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerHook.dll
MOD - [2009/07/13 20:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
MOD - [2009/07/13 20:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
MOD - [2009/07/13 20:16:13 | 000,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll
MOD - [2009/07/13 20:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
MOD - [2009/07/13 20:16:03 | 000,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll
MOD - [2009/07/13 20:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
MOD - [2009/07/13 20:15:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll
MOD - [2009/07/13 20:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
MOD - [2009/07/13 20:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
MOD - [2009/07/13 20:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll
MOD - [2009/07/13 20:14:10 | 000,095,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx
MOD - [2009/07/13 20:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/05/14 02:55:52 | 001,343,400 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2009/10/15 21:07:00 | 000,066,880 | ---- | M] (McAfee, Inc.) [Auto | Running] -- D:\Mcafee\vstskmgr.exe -- (McTaskManager)
SRV - [2009/09/25 05:50:00 | 000,120,128 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)
SRV - [2009/08/31 21:07:00 | 000,146,448 | ---- | M] (McAfee, Inc.) [Auto | Running] -- D:\Mcafee\mcshield.exe -- (McShield)
SRV - [2009/08/31 21:07:00 | 000,070,728 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Windows\System32\mfevtps.exe -- (mfevtp)
SRV - [2009/08/31 21:07:00 | 000,021,256 | ---- | M] (McAfee, Inc.) [Auto | Running] -- D:\Mcafee\engineserver.exe -- (McAfeeEngineService)
SRV - [2009/07/13 20:16:21 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)
SRV - [2009/07/13 20:16:17 | 000,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
SRV - [2009/07/13 20:16:17 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power)
SRV - [2009/07/13 20:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes)
SRV - [2009/07/13 20:16:15 | 000,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)
SRV - [2009/07/13 20:16:13 | 000,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
SRV - [2009/07/13 20:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 20:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/13 20:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)
SRV - [2009/07/13 20:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
SRV - [2009/07/13 20:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
SRV - [2009/07/13 20:16:12 | 000,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
SRV - [2009/07/13 20:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/07/13 20:15:36 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
SRV - [2009/07/13 20:15:21 | 000,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/07/13 20:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
SRV - [2009/07/13 20:15:10 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc)
SRV - [2009/07/13 20:14:59 | 000,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC)
SRV - [2009/07/13 20:14:58 | 000,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX Installer (AxInstSV)
SRV - [2009/07/13 20:14:53 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)
SRV - [2009/07/13 20:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)
SRV - [2009/01/26 16:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto | Running] -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)
SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)


========== Driver Services (SafeList) ==========

DRV - [2009/12/11 02:44:02 | 000,133,720 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\ksecpkg.sys -- (KSecPkg)
DRV - [2009/08/31 21:07:00 | 000,343,664 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/08/31 21:07:00 | 000,091,672 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/08/31 21:07:00 | 000,075,704 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2009/08/31 21:07:00 | 000,065,448 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2009/08/31 21:07:00 | 000,063,728 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfetdik.sys -- (mfetdik)
DRV - [2009/08/31 21:07:00 | 000,043,288 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/08/04 09:48:20 | 002,744,800 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\RTKVHDA.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2009/07/13 20:26:21 | 000,015,952 | ---- | M] (CMD Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\cmdide.sys -- (cmdide)
DRV - [2009/07/13 20:26:17 | 000,297,552 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpahci.sys -- (adpahci)
DRV - [2009/07/13 20:26:15 | 000,422,976 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adp94xx.sys -- (adp94xx)
DRV - [2009/07/13 20:26:15 | 000,159,312 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsbs.sys -- (amdsbs)
DRV - [2009/07/13 20:26:15 | 000,146,512 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpu320.sys -- (adpu320)
DRV - [2009/07/13 20:26:15 | 000,086,608 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arcsas.sys -- (arcsas)
DRV - [2009/07/13 20:26:15 | 000,079,952 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsata.sys -- (amdsata)
DRV - [2009/07/13 20:26:15 | 000,076,368 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arc.sys -- (arc)
DRV - [2009/07/13 20:26:15 | 000,023,616 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\amdxata.sys -- (amdxata)
DRV - [2009/07/13 20:26:15 | 000,014,400 | ---- | M] (Acer Laboratories Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\aliide.sys -- (aliide)
DRV - [2009/07/13 20:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvstor.sys -- (nvstor)
DRV - [2009/07/13 20:20:44 | 000,117,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvraid.sys -- (nvraid)
DRV - [2009/07/13 20:20:44 | 000,044,624 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nfrd960.sys -- (nfrd960)
DRV - [2009/07/13 20:20:37 | 000,089,168 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas.sys -- (LSI_SAS)
DRV - [2009/07/13 20:20:36 | 000,332,352 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\iaStorV.sys -- (iaStorV)
DRV - [2009/07/13 20:20:36 | 000,235,584 | ---- | M] (LSI Corporation, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MegaSR.sys -- (MegaSR)
DRV - [2009/07/13 20:20:36 | 000,096,848 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2009/07/13 20:20:36 | 000,095,824 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_fc.sys -- (LSI_FC)
DRV - [2009/07/13 20:20:36 | 000,054,864 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas2.sys -- (LSI_SAS2)
DRV - [2009/07/13 20:20:36 | 000,041,040 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iirsp.sys -- (iirsp)
DRV - [2009/07/13 20:20:36 | 000,030,800 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\megasas.sys -- (megasas)
DRV - [2009/07/13 20:20:36 | 000,013,904 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\hwpolicy.sys -- (hwpolicy)
DRV - [2009/07/13 20:20:28 | 000,453,712 | ---- | M] (Emulex) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\elxstor.sys -- (elxstor)
DRV - [2009/07/13 20:20:28 | 000,070,720 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\djsvs.sys -- (aic78xx)
DRV - [2009/07/13 20:20:28 | 000,067,152 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HpSAMD.sys -- (HpSAMD)
DRV - [2009/07/13 20:20:28 | 000,046,160 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\fsdepends.sys -- (FsDepends)
DRV - [2009/07/13 20:19:11 | 000,141,904 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vsmraid.sys -- (vsmraid)
DRV - [2009/07/13 20:19:10 | 000,175,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vmbus.sys -- (vmbus)
DRV - [2009/07/13 20:19:10 | 000,159,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vhdmp.sys -- (vhdmp)
DRV - [2009/07/13 20:19:10 | 000,040,896 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vmstorfl.sys -- (storflt)
DRV - [2009/07/13 20:19:10 | 000,032,832 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vdrvroot.sys -- (vdrvroot)
DRV - [2009/07/13 20:19:10 | 000,028,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\storvsc.sys -- (storvsc)
DRV - [2009/07/13 20:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\wimmount.sys -- (WIMMount)
DRV - [2009/07/13 20:19:10 | 000,016,976 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\viaide.sys -- (viaide)
DRV - [2009/07/13 20:19:04 | 001,383,488 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql2300.sys -- (ql2300)
DRV - [2009/07/13 20:19:04 | 000,173,648 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\rdyboost.sys -- (rdyboost)
DRV - [2009/07/13 20:19:04 | 000,106,064 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql40xx.sys -- (ql40xx)
DRV - [2009/07/13 20:19:04 | 000,077,888 | ---- | M] (Silicon Integrated Systems) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\sisraid4.sys -- (SiSRaid4)
DRV - [2009/07/13 20:19:04 | 000,043,088 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\pcw.sys -- (pcw)
DRV - [2009/07/13 20:19:04 | 000,040,016 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\SiSRaid2.sys -- (SiSRaid2)
DRV - [2009/07/13 20:19:04 | 000,021,072 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\stexstor.sys -- (stexstor)
DRV - [2009/07/13 20:17:54 | 000,369,568 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\cng.sys -- (CNG)
DRV - [2009/07/13 19:57:25 | 000,272,128 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\Brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2009/07/13 19:02:41 | 000,018,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\rdpbus.sys -- (rdpbus)
DRV - [2009/07/13 19:01:41 | 000,007,168 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\RDPREFMP.sys -- (RDPREFMP)
DRV - [2009/07/13 18:55:00 | 000,049,152 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\agilevpn.sys -- (RasAgileVpn) WAN Miniport (IKEv2)
DRV - [2009/07/13 18:53:51 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\wfplwf.sys -- (WfpLwf)
DRV - [2009/07/13 18:52:44 | 000,027,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ndiscap.sys -- (NdisCap)
DRV - [2009/07/13 18:52:02 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vwifibus.sys -- (vwifibus)
DRV - [2009/07/13 18:52:00 | 000,163,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\1394ohci.sys -- (1394ohci)
DRV - [2009/07/13 18:51:35 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\umpass.sys -- (UmPass)
DRV - [2009/07/13 18:51:08 | 000,004,096 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mshidkmdf.sys -- (mshidkmdf)
DRV - [2009/07/13 18:46:55 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MTConfig.sys -- (MTConfig)
DRV - [2009/07/13 18:45:26 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CompositeBus.sys -- (CompositeBus)
DRV - [2009/07/13 18:36:52 | 000,050,176 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\appid.sys -- (AppID)
DRV - [2009/07/13 18:33:50 | 000,026,624 | ---- | M] (Microsoft Corporation) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\scfilter.sys -- (scfilter)
DRV - [2009/07/13 18:28:47 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vms3cap.sys -- (s3cap)
DRV - [2009/07/13 18:28:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\VMBusHID.sys -- (VMBusHID)
DRV - [2009/07/13 18:24:05 | 000,032,256 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\discache.sys -- (discache)
DRV - [2009/07/13 18:19:21 | 000,021,504 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HidBatt.sys -- (HidBatt)
DRV - [2009/07/13 18:16:36 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\acpipmi.sys -- (AcpiPmi)
DRV - [2009/07/13 18:11:04 | 000,052,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdppm.sys -- (AmdPPM)
DRV - [2009/07/13 17:54:14 | 000,026,624 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2009/07/13 17:53:33 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbMdm.sys -- (BrUsbMdm)
DRV - [2009/07/13 17:53:33 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbSer.sys -- (BrUsbSer)
DRV - [2009/07/13 17:53:32 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrSerWdm.sys -- (BrSerWdm)
DRV - [2009/07/13 17:53:28 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltLo.sys -- (BrFiltLo)
DRV - [2009/07/13 17:53:28 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltUp.sys -- (BrFiltUp)
DRV - [2009/07/13 17:13:47 | 000,266,752 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\VSTBS23.SYS -- (VSTHWBS2)
DRV - [2009/07/13 17:13:46 | 000,980,992 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\VSTDPV3.SYS -- (VST_DPV)
DRV - [2009/07/13 17:13:45 | 000,661,504 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\VSTCNXT3.SYS -- (winachsf)
DRV - [2009/07/13 17:09:17 | 004,194,816 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2009/07/13 17:02:49 | 000,229,888 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\b57nd60x.sys -- (b57nd60x)
DRV - [2009/07/13 17:02:48 | 003,100,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\evbdx.sys -- (ebdrv)
DRV - [2009/07/13 17:02:48 | 000,430,080 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\bxvbdx.sys -- (b06bdrv)
DRV - [2006/11/30 16:18:18 | 000,027,416 | ---- | M] (X10 Wireless Technology, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\x10ufx2.sys -- (XUIF)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 6C 10 52 C7 3D 69 CA 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2010/05/16 13:36:09 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [Google Quick Search Box] C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe (Google Inc.)
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\udaterui.exe (McAfee, Inc.)
O4 - HKLM..\Run: [ShStatEXE] D:\Mcafee\SHSTAT.EXE (McAfee, Inc.)
O4 - HKLM..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe ()
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx...owserPlugin.cab (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 16:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2009/07/13 21:37:08 | 000,000,000 | ---D | M]
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found
NetSvcs: Themes - C:\Windows\System32\themeservice.dll (Microsoft Corporation)
NetSvcs: BDESVC - C:\Windows\System32\bdesvc.dll (Microsoft Corporation)

========== Files/Folders - Created Within 90 Days ==========

[2010/05/16 13:40:54 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2010/05/16 13:36:22 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2010/05/16 13:34:24 | 000,000,000 | ---D | C] -- C:\Users\Brian\AppData\Local\temp
[2010/05/16 13:26:26 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/05/16 11:01:55 | 000,000,000 | ---D | C] -- C:\Users\Brian\AppData\Roaming\Malwarebytes
[2010/05/16 11:01:41 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/05/16 11:01:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/05/16 11:01:35 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/05/16 11:01:34 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/16 10:57:32 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/05/16 10:51:32 | 000,571,392 | ---- | C] (OldTimer Tools) -- C:\Users\Brian\Desktop\OTL.exe
[2010/05/16 10:49:10 | 000,000,000 | ---D | C] -- C:\%APPDATA%
[2010/05/16 10:47:22 | 000,444,416 | ---- | C] (OldTimer Tools) -- C:\Users\Brian\Desktop\TFC.exe
[2010/05/15 19:25:50 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2010/05/15 18:42:22 | 000,000,000 | ---D | C] -- C:\Program Files\TrendMicro
[2010/05/15 18:30:43 | 000,000,000 | ---D | C] -- C:\Windows\System32\log
[2010/05/15 17:46:49 | 000,000,000 | ---D | C] -- C:\Windows\System32\RTCOM
[2010/05/15 17:46:49 | 000,000,000 | ---D | C] -- C:\Program Files\Realtek
[2010/05/15 16:48:21 | 000,000,000 | ---D | C] -- C:\Users\Brian\Documents\Simply Super Software
[2010/05/15 16:48:11 | 000,000,000 | ---D | C] -- C:\Program Files\Trojan Remover
[2010/05/15 16:48:11 | 000,000,000 | ---D | C] -- C:\Users\Brian\AppData\Roaming\Simply Super Software
[2010/05/15 16:48:11 | 000,000,000 | ---D | C] -- C:\ProgramData\Simply Super Software
[2010/05/14 17:46:09 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2010/05/14 17:45:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2010/05/14 17:16:51 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/05/14 17:16:27 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/14 17:01:02 | 000,000,000 | ---D | C] -- C:\Users\Brian\AppData\Roaming\GetRightToGo
[2010/05/14 16:07:49 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/05/14 16:07:46 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/05/14 16:07:45 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/05/14 15:33:13 | 000,000,000 | ---D | C] -- C:\Program Files\Unlocker
[2010/05/14 02:56:04 | 000,000,000 | ---D | C] -- C:\Windows\System32\Wat
[2010/05/09 23:05:04 | 000,000,000 | ---D | C] -- C:\Users\Brian\Documents\Two Worlds Demo Saves
[2010/05/09 11:32:57 | 000,000,000 | ---D | C] -- C:\Windows\System32\AGEIA
[2010/05/09 11:32:55 | 000,000,000 | ---D | C] -- C:\Program Files\AGEIA Technologies
[2010/05/09 11:26:32 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/04/22 16:16:24 | 000,000,000 | ---D | C] -- C:\Users\Brian\AppData\Roaming\Free Mp3 Wma Ogg Converter
[2010/04/22 16:15:53 | 000,000,000 | ---D | C] -- C:\Program Files\Free Mp3 Wma Ogg Converter
[2010/04/22 09:30:26 | 000,000,000 | ---D | C] -- C:\Users\Brian\Desktop\Rap
[2010/04/20 16:08:52 | 000,000,000 | ---D | C] -- C:\Program Files\Adobe
[2010/04/20 16:08:26 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2010/04/20 16:07:33 | 000,000,000 | ---D | C] -- C:\ProgramData\NOS
[2010/04/06 12:30:32 | 000,000,000 | ---D | C] -- C:\Users\Brian\AppData\Local\ElevatedDiagnostics

========== Files - Modified Within 90 Days ==========

[2010/05/16 13:50:42 | 007,864,320 | -HS- | M] () -- C:\Users\Brian\ntuser.dat
[2010/05/16 13:44:21 | 000,016,896 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/05/16 13:44:21 | 000,016,896 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/05/16 13:36:17 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini
[2010/05/16 13:36:09 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/05/16 13:35:50 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/05/16 13:35:46 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/05/16 13:35:44 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/05/16 13:35:39 | 2414,706,688 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/16 13:26:14 | 003,689,722 | R--- | M] () -- C:\Users\Brian\Desktop\ComboFix.exe
[2010/05/16 13:15:01 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/05/16 12:59:46 | 000,293,376 | ---- | M] () -- C:\Users\Brian\Desktop\gmer.exe
[2010/05/16 11:12:15 | 001,534,914 | -H-- | M] () -- C:\Users\Brian\AppData\Local\IconCache.db
[2010/05/16 11:01:44 | 000,000,983 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/16 10:57:34 | 000,000,898 | ---- | M] () -- C:\Users\Brian\Desktop\NTREGOPT.lnk
[2010/05/16 10:57:34 | 000,000,879 | ---- | M] () -- C:\Users\Brian\Desktop\ERUNT.lnk
[2010/05/16 10:51:46 | 000,571,392 | ---- | M] (OldTimer Tools) -- C:\Users\Brian\Desktop\OTL.exe
[2010/05/16 10:47:36 | 000,444,416 | ---- | M] (OldTimer Tools) -- C:\Users\Brian\Desktop\TFC.exe
[2010/05/15 18:42:24 | 000,002,961 | ---- | M] () -- C:\Users\Brian\Desktop\HiJackThis.lnk
[2010/05/15 17:24:40 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts.bak
[2010/05/15 16:48:18 | 000,001,071 | ---- | M] () -- C:\Users\Public\Desktop\Trojan Remover.lnk
[2010/05/14 16:51:30 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts.20100515-161816.backup
[2010/05/08 13:18:55 | 907,812,877 | ---- | M] () -- C:\Users\Brian\Desktop\2WDemo_English.exe
[2010/05/04 12:19:23 | 000,717,892 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/05/04 12:19:23 | 000,618,026 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/05/04 12:19:23 | 000,104,340 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\Windows\PEV.exe
[2010/04/19 22:10:25 | 000,109,432 | ---- | M] () -- C:\Users\Brian\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/04/19 21:50:07 | 000,487,440 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/04/19 14:35:03 | 000,000,036 | ---- | M] () -- C:\Users\Brian\AppData\Local\housecall.guid.cache
[2010/04/19 01:01:11 | 000,392,034 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts.20100507-152752.backup
[2010/04/05 08:35:25 | 000,385,990 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts.20100419-010111.backup
[2010/03/30 10:17:18 | 000,000,002 | ---- | M] () -- C:\Users\Brian\tenmy.ini

========== Files Created - No Company Name ==========

[2010/05/16 13:26:05 | 003,689,722 | R--- | C] () -- C:\Users\Brian\Desktop\ComboFix.exe
[2010/05/16 11:01:44 | 000,000,983 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/16 10:57:34 | 000,000,898 | ---- | C] () -- C:\Users\Brian\Desktop\NTREGOPT.lnk
[2010/05/16 10:57:34 | 000,000,879 | ---- | C] () -- C:\Users\Brian\Desktop\ERUNT.lnk
[2010/05/15 18:42:24 | 000,002,961 | ---- | C] () -- C:\Users\Brian\Desktop\HiJackThis.lnk
[2010/05/15 16:48:18 | 000,001,071 | ---- | C] () -- C:\Users\Public\Desktop\Trojan Remover.lnk
[2010/05/15 16:48:14 | 000,162,304 | ---- | C] () -- C:\Windows\System32\ztvunrar36.dll
[2010/05/15 16:48:14 | 000,153,088 | ---- | C] () -- C:\Windows\System32\UNRAR3.dll
[2010/05/15 16:48:14 | 000,077,312 | ---- | C] () -- C:\Windows\System32\ztvunace26.dll
[2010/05/15 16:48:14 | 000,075,264 | ---- | C] () -- C:\Windows\System32\unacev2.dll
[2010/05/14 16:07:49 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010/05/14 16:07:46 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2010/05/14 16:07:46 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/05/14 16:07:45 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/05/14 16:07:45 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/05/08 13:17:57 | 907,812,877 | ---- | C] () -- C:\Users\Brian\Desktop\2WDemo_English.exe
[2010/04/19 14:35:03 | 000,000,036 | ---- | C] () -- C:\Users\Brian\AppData\Local\housecall.guid.cache
[2010/03/30 10:17:18 | 000,000,002 | ---- | C] () -- C:\Users\Brian\tenmy.ini
[2009/12/26 17:56:10 | 001,481,728 | ---- | C] () -- C:\Windows\LegitCheckControl.dll
[2009/12/26 17:56:10 | 000,190,976 | ---- | C] () -- C:\Windows\WgaLogon.dll
[2009/07/13 18:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/02/11 16:30:02 | 001,481,728 | ---- | C] () -- C:\Windows\System32\legitcheckcontrol.dll.bak
[2009/02/11 16:30:02 | 001,481,728 | ---- | C] () -- C:\Windows\System32\LegitCheckControl.dll
[2009/02/11 16:30:02 | 000,190,976 | ---- | C] () -- C:\Windows\System32\wgalogon.dll.bak
[2009/02/11 16:30:02 | 000,190,976 | ---- | C] () -- C:\Windows\System32\WgaLogon.dll
[2007/02/20 13:59:08 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll
[2007/02/20 13:59:06 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll
[2007/02/20 13:59:06 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll
[2007/02/20 13:59:06 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll
[2007/02/20 13:59:06 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll
[2007/02/20 13:59:06 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll
[2007/02/20 13:59:06 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll
[2007/02/20 13:59:06 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll
[2007/02/20 13:59:04 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll
[2007/02/20 12:24:46 | 000,071,208 | ---- | C] () -- C:\Windows\System32\PhysXLoader.dll

========== LOP Check ==========

[2009/12/06 12:56:55 | 000,000,000 | ---D | M] -- C:\Users\Brian\AppData\Roaming\Affixa
[2009/11/19 18:00:39 | 000,000,000 | ---D | M] -- C:\Users\Brian\AppData\Roaming\Auslogics
[2010/05/14 15:23:00 | 000,000,000 | ---D | M] -- C:\Users\Brian\AppData\Roaming\Azureus
[2010/04/22 16:16:24 | 000,000,000 | ---D | M] -- C:\Users\Brian\AppData\Roaming\Free Mp3 Wma Ogg Converter
[2009/12/28 15:55:55 | 000,000,000 | ---D | M] -- C:\Users\Brian\AppData\Roaming\GARMIN
[2010/05/14 17:02:42 | 000,000,000 | ---D | M] -- C:\Users\Brian\AppData\Roaming\GetRightToGo
[2010/05/15 16:48:11 | 000,000,000 | ---D | M] -- C:\Users\Brian\AppData\Roaming\Simply Super Software
[2010/02/28 09:54:36 | 000,032,644 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2009/11/28 16:36:27 | 000,000,000 | ---- | M] () -- C:\AdobeDebug.txt
[2009/06/10 16:42:20 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
[2010/05/16 13:40:52 | 000,012,540 | ---- | M] () -- C:\ComboFix.txt
[2009/06/10 16:42:20 | 000,000,010 | ---- | M] () -- C:\config.sys
[2010/05/16 13:35:39 | 2414,706,688 | -HS- | M] () -- C:\hiberfil.sys
[2009/11/19 14:06:10 | 000,000,077 | ---- | M] () -- C:\mmcInst.log
[2010/05/16 13:35:41 | 3219,611,648 | -HS- | M] () -- C:\pagefile.sys

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >

< %systemroot%\system32\drivers\*.sys /180 >
[2009/12/11 02:44:02 | 000,133,720 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\ksecpkg.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/02/27 02:32:05 | 000,123,392 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\mrxsmb.sys
[2010/02/27 02:32:26 | 000,221,696 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\mrxsmb10.sys
[2010/02/27 02:32:12 | 000,095,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\mrxsmb20.sys
[2009/12/08 03:05:40 | 000,310,784 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\srv.sys
[2009/12/08 03:05:09 | 000,113,664 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\srvnet.sys

< >

========== Alternate Data Streams ==========

@Alternate Data Stream - 143 bytes -> C:\ProgramData\TEMP:63238B95
@Alternate Data Stream - 124 bytes -> C:\ProgramData\TEMP:CB0AACC9
@Alternate Data Stream - 117 bytes -> C:\ProgramData\TEMP:0CE7F3C9

< End of report >
  • 0

#9
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,622 posts
  • MVP
You may have something funny with your environment. Start, Programs, Accessories, then right click on Command Prompt and select Run As Administrator.

Then type each line in the code box and follow it with an Enter.
I use two spaces to show you where one space goes.

set  >  junk.txt

notepad  junk.txt

There should be another copy of wdmaud.drv on your computer somewhere.

Let's see if combofix can find it for us.

Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************



MIA::
C:\Windows\System32\wdmaud.drv



******************************************

Now open notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all, then File, SAVE AS, (to your Desktop), CFScript, OK. Close notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Drag it over to combofix and let it start as before.

Post the new log.

Ron
  • 0

#10
Brianaala

Brianaala

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Hi Ron,
Thanks again for helping me!
I will run the new combofix next.
Here is the text from the Junk thing:

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Brian\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=BRIAN-PC
ComSpec=C:\Windows\system32\cmd.exe
DEFLOGDIR=C:\ProgramData\McAfee\DesktopProtection
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Brian
LOCALAPPDATA=C:\Users\Brian\AppData\Local
LOGONSERVER=\\BRIAN-PC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\system32\wbem;C:\Windows\System32\WindowsPowerShell\v1.0
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 6 Stepping 5, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0605
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
PUBLIC=C:\Users\Public
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\Brian\AppData\Local\Temp
TMP=C:\Users\Brian\AppData\Local\Temp
USERDOMAIN=Brian-PC
USERNAME=Brian
USERPROFILE=C:\Users\Brian
VSEDEFLOGDIR=C:\ProgramData\McAfee\DesktopProtection
windir=C:\Windows
  • 0

#11
Brianaala

Brianaala

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Hi Ron,
OK here's the new ComboFix log:
ComboFix 10-05-16.01 - Brian 05/16/2010 22:19:39.8.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3070.2486 [GMT -5:00]
Running from: c:\users\Brian\Desktop\ComboFix.exe
Command switches used :: c:\users\Brian\Desktop\Cfscript.txt
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
.

((((((((((((((((((((((((( Files Created from 2010-04-17 to 2010-05-17 )))))))))))))))))))))))))))))))
.

2010-05-17 03:25 . 2010-05-17 03:25 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-05-17 03:25 . 2010-05-17 03:25 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-17 03:25 . 2010-05-17 03:25 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-16 23:08 . 2010-05-16 23:08 -------- d-----w- c:\windows\LastGood
2010-05-16 21:43 . 2010-05-16 21:43 -------- d-----w- c:\program files\CCleaner
2010-05-16 19:30 . 2009-05-29 21:37 205824 ----a-w- c:\windows\system32\xvidvfw.dll
2010-05-16 19:30 . 2009-05-29 21:31 881664 ----a-w- c:\windows\system32\xvidcore.dll
2010-05-16 19:30 . 2004-01-25 16:18 217088 ----a-w- c:\windows\system32\yv12vfw.dll
2010-05-16 19:30 . 2010-04-16 18:00 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2010-05-16 19:30 . 2010-05-16 19:30 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-05-16 19:17 . 2010-03-15 09:31 165376 ----a-w- c:\windows\system32\unrar.dll
2010-05-16 18:34 . 2010-05-17 03:26 -------- d-----w- c:\users\Brian\AppData\Local\temp
2010-05-16 16:01 . 2010-05-16 16:01 -------- d-----w- c:\users\Brian\AppData\Roaming\Malwarebytes
2010-05-16 16:01 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-16 16:01 . 2010-05-16 16:01 -------- d-----w- c:\programdata\Malwarebytes
2010-05-16 16:01 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-16 16:01 . 2010-05-16 16:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-16 15:57 . 2010-05-16 15:57 -------- d-----w- c:\program files\ERUNT
2010-05-16 15:49 . 2010-05-16 15:49 -------- d-----w- C:\%APPDATA%
2010-05-16 00:25 . 2010-05-16 03:31 -------- d-----w- c:\program files\Windows Live Safety Center
2010-05-15 23:42 . 2010-05-15 23:42 -------- d-----w- c:\program files\TrendMicro
2010-05-15 23:30 . 2010-05-15 23:30 -------- d-----w- c:\windows\system32\log
2010-05-15 22:46 . 2010-05-16 23:08 -------- d-----w- c:\windows\system32\RTCOM
2010-05-15 22:46 . 2010-05-15 22:46 -------- d-----w- c:\program files\Realtek
2010-05-14 22:46 . 2010-05-14 22:46 -------- d-----w- c:\windows\Sun
2010-05-14 22:45 . 2010-05-14 22:45 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-14 22:01 . 2010-05-14 22:02 -------- d-----w- c:\users\Brian\AppData\Roaming\GetRightToGo
2010-05-14 20:33 . 2010-05-14 20:33 -------- d-----w- c:\program files\Unlocker
2010-05-14 16:13 . 2009-10-10 02:57 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
2010-05-14 07:56 . 2010-05-14 07:56 -------- d-----w- c:\windows\system32\Wat
2010-05-12 17:26 . 2010-03-04 07:33 740864 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-09 16:32 . 2010-05-09 16:32 -------- d-----w- c:\windows\system32\AGEIA
2010-05-09 16:32 . 2010-05-09 16:33 -------- d-----w- c:\program files\AGEIA Technologies
2010-05-09 16:26 . 2010-05-09 16:26 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-28 13:08 . 2009-09-26 05:58 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys
2010-04-28 13:08 . 2009-12-11 07:44 133720 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2010-04-28 13:08 . 2009-12-11 07:38 1037312 ----a-w- c:\windows\system32\lsasrv.dll
2010-04-22 21:16 . 2010-04-22 21:16 -------- d-----w- c:\users\Brian\AppData\Roaming\Free Mp3 Wma Ogg Converter
2010-04-22 21:15 . 2010-04-22 21:15 -------- d-----w- c:\program files\Free Mp3 Wma Ogg Converter
2010-04-20 21:08 . 2010-04-20 21:08 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-04-20 21:07 . 2010-04-20 21:07 86016 ----a-w- c:\programdata\NOS\Adobe_Downloads\arh.exe
2010-04-20 21:07 . 2010-04-21 00:38 -------- d-----w- c:\programdata\NOS
2010-04-19 05:10 . 2010-02-27 12:07 3954568 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-19 05:10 . 2010-02-27 12:07 3899280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-19 05:10 . 2010-03-08 21:33 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-04-19 05:10 . 2010-02-27 07:32 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-19 05:10 . 2010-02-27 07:32 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-19 05:10 . 2010-02-27 07:32 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-19 05:06 . 2009-12-29 06:55 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-19 05:06 . 2010-01-09 06:52 132608 ----a-w- c:\windows\system32\cabview.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-16 19:34 . 2009-11-20 16:47 -------- d-----w- c:\users\Brian\AppData\Roaming\vlc
2010-05-16 19:03 . 2003-03-26 00:48 22016 ----a-w- c:\windows\system32\wdmaud.drv
2010-05-14 20:23 . 2009-11-19 22:47 -------- d-----w- c:\users\Brian\AppData\Roaming\Azureus
2010-05-14 16:12 . 2009-11-19 23:23 -------- d-----w- c:\programdata\Microsoft Help
2010-05-14 07:56 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-05-10 05:14 . 2009-11-28 23:24 -------- d-----w- c:\program files\Vuze
2010-05-06 15:36 . 2009-11-19 17:45 221568 ----a-w- c:\windows\system32\MpSigStub.exe
2010-04-20 21:10 . 2009-11-28 21:30 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-20 03:10 . 2009-11-19 22:37 109432 ----a-w- c:\users\Brian\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-19 05:48 . 2009-12-06 17:20 -------- d-----w- c:\programdata\Yahoo! Companion
2010-04-19 05:48 . 2009-12-06 17:18 -------- d-----w- c:\program files\Yahoo!
2010-03-24 18:17 . 2010-03-24 08:04 952768 ----a-w- c:\programdata\Adobe\Acrobat\9.3\ARM\28762\AdobeARM.exe
2010-03-24 18:17 . 2010-03-24 08:04 70584 ----a-w- c:\programdata\Adobe\Acrobat\9.3\ARM\28762\AdobeExtractFiles.dll
2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- c:\programdata\Adobe\Acrobat\9.3\ARM\28762\ReaderUpdater.exe
2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- c:\programdata\Adobe\Acrobat\9.3\ARM\28762\AcrobatUpdater.exe
2010-02-23 07:56 . 2010-03-31 13:42 977920 ----a-w- c:\windows\system32\wininet.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-19 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="d:\mcafee\SHSTAT.EXE" [2009-10-16 124224]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-11-19 122880]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-09-25 136512]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-03-09 15872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 135664]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-09-01 65448]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-14 1343400]
S2 McAfeeEngineService;McAfee Engine Service;d:\mcafee\engineserver.exe [2009-09-01 21256]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-09-01 70728]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2009-07-13 266752]

.
Contents of the 'Scheduled Tasks' folder

2010-05-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 17:43]

2010-05-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 17:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
IE: Append Link Target to Existing PDF
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-05-16 22:28:59
ComboFix-quarantined-files.txt 2010-05-17 03:28
ComboFix2.txt 2010-05-16 18:40
ComboFix3.txt 2010-05-16 15:41
ComboFix4.txt 2010-05-15 22:29
ComboFix5.txt 2010-05-17 03:18

Pre-Run: 6,407,622,656 bytes free
Post-Run: 6,379,339,776 bytes free

- - End Of File - - 83850AF9A9CAAB953FB1E7FDA3E1F1D1
  • 0

#12
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,622 posts
  • MVP
Can't really tell if it found the wdmaud.drv file or not.

You can look and see if it's back where it belongs at:
C:\Windows\System32\wdmaud.drv

There should be several more hiding on your system.

If it's not there then do a search and see where else it is (pick the newest) then copy it and put it where it belongs.

Ron

Edited by RKinner, 16 May 2010 - 09:49 PM.

  • 0

#13
Brianaala

Brianaala

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Hi Ron,
Well, it finds one in the correct directory, but I still have no system sounds. Also, that's the only one Windows is finding. I'm not sure where else I should look for it.
  • 0

#14
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,622 posts
  • MVP
We can try registering the file:

Start, Programs, Accessories, then right click on Command Prompt and select Run As Administrator.

Type the following (with an Enter after each line in the code box; double spaces are used to show where single spaces go):

cd  \windows\system32

regsvr32  wdmaud.drv


It's possible that the registry entry was also removed.

Copy the next line:

reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32" /s > junk.txt

Move to a command window, right click, then Paste and Enter.

Now type:
notepad  junk.txt

Copy the text from notepad and paste it into a reply.

Ron
  • 0

#15
Brianaala

Brianaala

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Hi Ron,
When I typed the code into the command prompt it gave me the following error message (as a pop-up):
The module "wdmaud.drv" was loaded but the entry point DllRegisterServer was not found. Make sure "wdmaud.drv" is a valid DLL or OCX file and then try again.

Not sure, but it sounds like the wdmaud.drv I have is messed up.
Anyway, here's the notepad:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
vidc.mrle REG_SZ msrle32.dll
vidc.msvc REG_SZ msvidc32.dll
msacm.imaadpcm REG_SZ imaadp32.acm
msacm.msg711 REG_SZ msg711.acm
msacm.msgsm610 REG_SZ msgsm32.acm
msacm.msadpcm REG_SZ msadp32.acm
midimapper REG_SZ midimap.dll
vidc.uyvy REG_SZ msyuv.dll
vidc.yuy2 REG_SZ msyuv.dll
vidc.yvyu REG_SZ msyuv.dll
vidc.iyuv REG_SZ iyuv_32.dll
vidc.yvu9 REG_SZ tsbyuv.dll
vidc.cvid REG_SZ iccvid.dll
VIDC.XVID REG_SZ xvidvfw.dll
VIDC.YV12 REG_SZ yv12vfw.dll
msacm.ac3acm REG_SZ ac3acm.acm
msacm.lameacm REG_SZ lameACM.acm
VIDC.FFDS REG_SZ ff_vfw.dll
vidc.iv31 REG_SZ ir32_32.dll
vidc.iv32 REG_SZ ir32_32.dll
vidc.iv41 REG_SZ ir41_32.ax
msacm.iac2 REG_SZ C:\WINDOWS\system32\iac25_32.ax
vidc.iv50 REG_SZ ir50_32.dll
MSVideo REG_SZ vfwwdm32.dll
MSVideo8 REG_SZ VfWWDM32.dll
wave1 REG_SZ wdmaud.drv
midi1 REG_SZ wdmaud.drv
mixer1 REG_SZ wdmaud.drv
wave2 REG_SZ wdmaud.drv
midi2 REG_SZ wdmaud.drv
mixer2 REG_SZ wdmaud.drv
aux1 REG_SZ wdmaud.drv
wave3 REG_SZ wdmaud.drv
midi3 REG_SZ wdmaud.drv
mixer3 REG_SZ wdmaud.drv
aux2 REG_SZ wdmaud.drv
wave4 REG_SZ wdmaud.drv
midi4 REG_SZ wdmaud.drv
mixer4 REG_SZ wdmaud.drv
aux3 REG_SZ wdmaud.drv
wavemapper REG_SZ msacm32.drv
wave REG_SZ wdmaud.drv
midi REG_SZ wdmaud.drv
mixer REG_SZ wdmaud.drv
aux REG_SZ wdmaud.drv
  • 0
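The reg query step in reply #14 and the Drivers32 listing in reply #15 together describe a useful check: every alias under that key (wave, midi, mixer, aux and the codec entries) names a driver file, and an audio alias whose file is no longer in System32 explains exactly the "no system sounds" symptom in this thread. The script below is an added example, not code from the thread or from the tools it uses. It parses the output of the posted `reg query "...\drivers32" /s` command (the sample lines are constructed from reply #15) and reports which aliases point at which file and which targets are absent from a supplied list of files. The `present_files` list is an assumption stand-in for a real directory listing of System32 (on the affected machine you would build it from `os.listdir`), so the check runs offline.

```python
"""Audit the Drivers32 key from 'reg query ... /s' output.

Added example for this thread: maps each Drivers32 alias to its driver
file and flags aliases whose target is not among the files present.
"""
import os
import re
from collections import defaultdict

# Constructed sample: a subset of the lines posted in reply #15.
SAMPLE_REG_QUERY = "\n".join([
    r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32",
    "vidc.mrle REG_SZ msrle32.dll",
    "midimapper REG_SZ midimap.dll",
    r"msacm.iac2 REG_SZ C:\WINDOWS\system32\iac25_32.ax",
    "wave1 REG_SZ wdmaud.drv",
    "midi1 REG_SZ wdmaud.drv",
    "wavemapper REG_SZ msacm32.drv",
    "wave REG_SZ wdmaud.drv",
    "midi REG_SZ wdmaud.drv",
])

# 'reg query' prints "    <name>    REG_SZ    <value>" with variable spacing.
LINE_RE = re.compile(r"^\s*(\S+)\s+REG_SZ\s+(.+?)\s*$")

# Legacy multimedia aliases: wave, midi, mixer, aux, optionally numbered.
AUDIO_ALIAS_RE = re.compile(r"^(wave|midi|mixer|aux)\d*$", re.IGNORECASE)


def parse_drivers32(text):
    """Return {alias: value} for every REG_SZ line in the query output."""
    mapping = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            mapping[match.group(1)] = match.group(2)
    return mapping


def basename(value):
    """Lower-cased file name of a value that may carry a full path."""
    return value.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit_drivers32(text, present_files):
    """Cross-check aliases against the files that are actually present.

    Returns a dict with the raw mapping, a reverse index (file -> aliases)
    and the aliases whose target file is missing.
    """
    present = {f.lower() for f in present_files}
    mapping = parse_drivers32(text)
    by_file = defaultdict(list)
    missing = {}
    for alias, value in mapping.items():
        name = basename(value)
        by_file[name].append(alias)
        if name not in present:
            missing[alias] = value
    return {"mapping": mapping, "by_file": dict(by_file), "missing": missing}


def audio_aliases(mapping):
    """Only the wave/midi/mixer/aux aliases, which is where sound playback lives."""
    return {a: v for a, v in mapping.items() if AUDIO_ALIAS_RE.match(a)}


if __name__ == "__main__":
    # Assumption: on the affected PC you would list System32 instead of this
    # constructed set, e.g. os.listdir(r"C:\Windows\System32").
    constructed_present = ["msrle32.dll", "midimap.dll", "iac25_32.ax", "msacm32.drv"]
    report = audit_drivers32(SAMPLE_REG_QUERY, constructed_present)
    for alias, value in sorted(report["missing"].items()):
        print(f"alias {alias} -> {value}: target file not present")
    for name, aliases in report["by_file"].items():
        print(f"{name}: {', '.join(aliases)}")
```

With wdmaud.drv left out of the present list, every wave/midi alias is reported as missing, which is the state the thread starts from after the file was deleted; once the file is restored the report is empty. The reverse index also makes it obvious when one driver file is the target of many aliases, so a single missing or replaced file has a wide effect.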