
Thread: Browser/host problem after malware

  1. #41
    Emeritus- Malware Team
    Join Date
    Oct 2009
    Location
    New England, USA
    Posts
    503


    Backup Your Registry with ERUNT

    * Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
    * For version with the Installer:
    Use the setup program to install ERUNT on your computer
    * For the zipped version:
    Unzip all the files into a folder of your choice.

    Click Erunt.exe to backup your registry to the folder of your choice.

    Note: to restore your registry, go to the folder and start ERDNT.exe

    Open Notepad (press Start->Run, enter notepad and press OK)
    Copy everything inside the code box below (Starting with Windows Registry Editor Version 5.00) and paste it into a new notepad file.
    Change the Save As Type to All Files and save it as fix.reg to your Desktop.

    Note: Please copy and paste all the text at once, and check that there is NO blank line above REGEDIT4 and one blank line at the bottom.
    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCI]
    "ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
      52,00,49,00,56,00,45,00,52,00,53,00,5c,00,70,00,63,00,69,00,2e,00,73,00,79,\
      00,73,00,00,00
    Then double-click on the fix.reg file, and when it prompts to merge say yes.

    Please run combofix again and post the log.
    IndiGenus
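Before merging a .reg file posted in a thread, it is worth checking what it actually writes. The `ImagePath` above is stored as `hex(2)`, that is a REG_EXPAND_SZ given as comma-separated UTF-16LE bytes, wrapped with backslash line continuations. The following Python example is added here and is not part of the post, nor IndiGenus's or ERUNT's code: it parses that notation and decodes the value back to the driver path the PCI service will load. It embeds a constructed copy of the posted file, and the function names are the example's own.

```python
import re

# Constructed input: a copy of the fix.reg text posted above, embedded so the
# example runs offline. (Assumption: identical to the helper's code box.)
FIX_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCI]
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,70,00,63,00,69,00,2e,00,73,00,79,\
  00,73,00,00,00
'''

# Names for the registry value types a .reg file spells as hex(N).
REG_TYPE_NAMES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 6: "REG_LINK", 7: "REG_MULTI_SZ"}

VALUE_RE = re.compile(r'^"([^"]+)"=hex\((\d+)\):(.*)$')


def join_continuations(text):
    """Undo .reg line wrapping: a trailing backslash continues the value on the next line."""
    return re.sub(r'\\\r?\n\s*', '', text)


def decode_hex_value(type_id, raw):
    """Decode the raw bytes of a hex(N) value according to its registry type."""
    if type_id in (1, 2, 6):                      # UTF-16LE string types
        return raw.decode('utf-16-le').rstrip('\x00')
    if type_id == 7:                              # REG_MULTI_SZ: NUL-separated list
        return [s for s in raw.decode('utf-16-le').split('\x00') if s]
    return raw                                    # anything else: keep the bytes


def parse_reg(text):
    """Return {key_path: {value_name: (type_name, decoded_value)}} for hex(N) values."""
    keys = {}
    current = None
    for line in join_continuations(text).splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]                  # key header: [HKEY_...\Services\PCI]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, type_id, body = m.group(1), int(m.group(2)), m.group(3)
            raw = bytes(int(h, 16) for h in body.split(',') if h.strip())
            keys[current][name] = (REG_TYPE_NAMES.get(type_id, f"hex({type_id})"),
                                   decode_hex_value(type_id, raw))
    return keys


def pci_imagepath(text):
    """The (type name, decoded path) the fix writes for the PCI service's ImagePath."""
    key = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCI"
    return parse_reg(text)[key]["ImagePath"]


if __name__ == "__main__":
    for key, values in parse_reg(FIX_REG).items():
        print(f"[{key}]")
        for name, (type_name, value) in values.items():
            print(f'  "{name}" ({type_name}) = {value!r}')
```

Run as a script it prints the decoded value, `system32\DRIVERS\pci.sys`, which is the standard location of the PCI bus driver; reading a registry fix this way before double-clicking it is a good habit for any .reg file received from a forum.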

  2. #42
    Junior Member
    Join Date
    Jul 2010
    Posts
    29


    ComboFix 10-07-21.01 - Jonathan 07/23/2010 17:24:36.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3574.2759 [GMT -4:00]
    Running from: c:\documents and settings\Jonathan\Desktop\ComboFix.exe
    AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
    FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
    FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
    .

    ((((((((((((((((((((((((( Files Created from 2010-06-23 to 2010-07-23 )))))))))))))))))))))))))))))))
    .

    2010-07-17 21:19 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
    2010-07-15 16:50 . 2010-07-15 16:50 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-07-15 13:08 . 2010-07-15 13:08 -------- d-----w- c:\documents and settings\Jonathan\Application Data\PeaZip
    2010-07-15 13:08 . 2010-07-15 13:08 -------- d-----w- c:\program files\PeaZip
    2010-07-05 17:27 . 2010-07-05 17:27 293376 ----a-w- C:\7fuz0599.exe
    2010-07-05 02:37 . 2010-07-05 02:37 -------- d-----w- c:\program files\Sun
    2010-07-05 02:36 . 2010-07-05 02:36 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-07-04 17:10 . 2010-07-23 21:17 -------- d-----w- c:\program files\ERUNT
    2010-07-02 23:25 . 2010-07-02 23:25 -------- d-----w- c:\program files\Trend Micro
    2010-07-02 23:17 . 2010-07-02 23:17 -------- d-----w- c:\documents and settings\Jonathan\Local Settings\Application Data\Threat Expert
    2010-06-30 03:17 . 2010-06-30 03:17 -------- d-----w- C:\c3b08df3689e6543c69b76d6

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-23 21:23 . 2009-02-15 21:43 -------- d-----w- c:\program files\Symantec AntiVirus
    2010-07-22 11:14 . 2010-06-01 10:57 6159294 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
    2010-07-22 11:12 . 2008-02-06 20:48 -------- d-----w- c:\program files\Spyware Doctor
    2010-07-21 12:05 . 2008-02-06 20:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-07-17 23:57 . 2006-08-04 20:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-07-17 13:35 . 2010-07-17 13:35 68224 ----a-w- c:\windows\system32\drivers\tsk35.tmp
    2010-07-05 02:34 . 2006-07-29 13:13 -------- d-----w- c:\program files\Java
    2010-07-01 02:55 . 2010-07-01 03:01 1584128 ----a-w- c:\windows\Internet Logs\xDB14.tmp
    2010-07-01 02:55 . 2010-07-01 02:55 8704 ----a-w- c:\windows\Internet Logs\xDBB7B.tmp
    2010-07-01 02:55 . 2010-07-01 02:55 8192 ----a-w- c:\windows\Internet Logs\xDBB79.tmp
    2010-07-01 02:55 . 2010-07-01 02:55 1584128 ----a-w- c:\windows\Internet Logs\xDBB7A.tmp
    2010-07-01 02:55 . 2010-07-01 02:55 8704 ----a-w- c:\windows\Internet Logs\xDBB78.tmp
    2010-07-01 02:55 . 2010-07-01 02:55 8192 ----a-w- c:\windows\Internet Logs\xDBB77.tmp
    2010-07-01 02:55 . 2010-07-01 02:55 1584128 ----a-w- c:\windows\Internet Logs\xDBB76.tmp
    2010-07-01 02:55 . 2010-07-01 02:55 8704 ----a-w- c:\windows\Internet Logs\xDBB75.tmp
    2010-07-01 02:55 . 2010-07-01 02:55 8192 ----a-w- c:\windows\Internet Logs\xDBB73.tmp
    2010-07-01 02:55 . 2010-07-01 02:55 1584128 ----a-w- c:\windows\Internet Logs\xDBB74.tmp
    2010-07-01 02:55 . 2010-07-01 02:55 8704 ----a-w- c:\windows\Internet Logs\xDBB72.tmp
    2010-07-01 02:53 . 2010-07-01 02:55 8192 ----a-w- c:\windows\Internet Logs\xDBB71.tmp
    2010-07-01 02:53 . 2010-07-01 02:53 1584128 ----a-w- c:\windows\Internet Logs\xDBB70.tmp
    2010-07-01 02:53 . 2010-07-01 02:53 8704 ----a-w- c:\windows\Internet Logs\xDBB6F.tmp
    2010-07-01 02:53 . 2010-07-01 02:53 1584128 ----a-w- c:\windows\Internet Logs\xDBB6E.tmp
    2010-07-01 02:53 . 2010-07-01 02:53 8192 ----a-w- c:\windows\Internet Logs\xDBB6D.tmp
    2010-07-01 02:53 . 2010-07-01 02:53 8704 ----a-w- c:\windows\Internet Logs\xDBB6B.tmp
    2010-07-01 02:53 . 2010-07-01 02:53 1584128 ----a-w- c:\windows\Internet Logs\xDBB6C.tmp
    2010-07-01 02:53 . 2010-07-01 02:53 8192 ----a-w- c:\windows\Internet Logs\xDBB69.tmp
    2010-07-01 02:53 . 2010-07-01 02:53 1584128 ----a-w- c:\windows\Internet Logs\xDBB6A.tmp
    2010-07-01 02:53 . 2010-07-01 02:53 8704 ----a-w- c:\windows\Internet Logs\xDBB68.tmp
    2010-07-01 02:51 . 2010-07-01 02:51 1584128 ----a-w- c:\windows\Internet Logs\xDBB32.tmp
    2010-07-01 02:50 . 2010-07-01 02:50 8192 ----a-w- c:\windows\Internet Logs\xDBB05.tmp
    2010-07-01 02:49 . 2010-07-01 02:49 8704 ----a-w- c:\windows\Internet Logs\xDBAF3.tmp
    2010-07-01 02:49 . 2010-07-01 02:49 1584128 ----a-w- c:\windows\Internet Logs\xDBAF4.tmp
    2010-07-01 02:49 . 2010-07-01 02:49 8192 ----a-w- c:\windows\Internet Logs\xDBAF1.tmp
    2010-07-01 02:49 . 2010-07-01 02:49 1584128 ----a-w- c:\windows\Internet Logs\xDBAF2.tmp
    2010-07-01 02:49 . 2010-07-01 02:49 8704 ----a-w- c:\windows\Internet Logs\xDBAEF.tmp
    2010-07-01 02:49 . 2010-07-01 02:49 1584128 ----a-w- c:\windows\Internet Logs\xDBAF0.tmp
    2010-07-01 02:49 . 2010-07-01 02:49 8192 ----a-w- c:\windows\Internet Logs\xDBAED.tmp
    2010-07-01 02:49 . 2010-07-01 02:49 1584128 ----a-w- c:\windows\Internet Logs\xDBAEE.tmp
    2010-07-01 02:49 . 2010-07-01 02:49 8704 ----a-w- c:\windows\Internet Logs\xDBAEC.tmp
    2010-07-01 02:48 . 2010-07-01 02:49 8192 ----a-w- c:\windows\Internet Logs\xDBAEA.tmp
    2010-07-01 02:48 . 2010-07-01 02:49 1584128 ----a-w- c:\windows\Internet Logs\xDBAEB.tmp
    2010-07-01 02:48 . 2010-07-01 02:48 8704 ----a-w- c:\windows\Internet Logs\xDBAE9.tmp
    2010-07-01 02:48 . 2010-07-01 02:48 8192 ----a-w- c:\windows\Internet Logs\xDBAE8.tmp
    2010-07-01 02:48 . 2010-07-01 02:48 24064 ----a-w- c:\windows\Internet Logs\xDBAE7.tmp
    2010-06-29 21:26 . 2010-05-25 11:59 439816 ----a-w- c:\documents and settings\Jonathan\Application Data\Real\Update\setup3.10\setup.exe
    2010-06-19 01:52 . 2007-12-08 23:19 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
    2010-06-19 01:52 . 2007-12-08 23:17 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLds.DAT
    2010-06-14 14:31 . 2004-08-11 21:12 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
    2010-06-05 13:53 . 2007-09-24 01:47 -------- d-----w- c:\documents and settings\Jonathan\Application Data\Apple Computer
    2010-05-31 23:45 . 2010-05-31 23:45 503808 ----a-w- c:\documents and settings\Jonathan\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3efb2bd1-n\msvcp71.dll
    2010-05-31 23:45 . 2010-05-31 23:45 499712 ----a-w- c:\documents and settings\Jonathan\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3efb2bd1-n\jmc.dll
    2010-05-31 23:45 . 2010-05-31 23:45 348160 ----a-w- c:\documents and settings\Jonathan\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-3efb2bd1-n\msvcr71.dll
    2010-05-31 23:45 . 2010-05-31 23:45 61440 ----a-w- c:\documents and settings\Jonathan\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-2b8a1184-n\decora-sse.dll
    2010-05-31 23:45 . 2010-05-31 23:45 12800 ----a-w- c:\documents and settings\Jonathan\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-2b8a1184-n\decora-d3d.dll
    2010-05-27 11:08 . 2010-05-27 11:08 49674 ----a-w- c:\windows\Internet Logs\GLB40_2nd_2010_05_27_00_01_01.dmp.zip
    2010-05-27 11:08 . 2010-05-27 11:08 49307 ----a-w- c:\windows\Internet Logs\GLB39_2nd_2010_05_26_23_59_44.dmp.zip
    2010-05-27 11:08 . 2010-05-27 11:08 49226 ----a-w- c:\windows\Internet Logs\GLB32_2nd_2010_05_26_23_59_31.dmp.zip
    2010-05-27 03:49 . 2009-02-15 18:34 -------- d-----w- c:\program files\AVG
    2010-05-27 03:47 . 2010-05-27 03:47 -------- d-----w- c:\documents and settings\Jonathan\Application Data\CheckPoint
    2010-05-27 03:46 . 2009-02-15 18:34 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
    2010-05-27 03:45 . 2010-05-27 03:45 -------- d-----w- c:\program files\CheckPoint
    2010-05-27 03:45 . 2010-05-27 03:45 4212 ---ha-w- c:\windows\system32\zllictbl.dat
    2010-05-27 02:59 . 2006-08-04 20:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-05-27 02:11 . 2010-05-27 02:11 -------- d-----w- c:\documents and settings\Regina\Application Data\Malwarebytes
    2010-05-27 02:06 . 2010-05-27 02:06 -------- d-----w- c:\documents and settings\Regina\Application Data\Apple Computer
    2010-05-20 22:10 . 2010-05-27 03:45 1238528 ----a-w- c:\windows\system32\zpeng25.dll
    2010-05-20 22:10 . 2010-05-27 03:45 69120 ----a-w- c:\windows\system32\zlcomm.dll
    2010-05-20 22:10 . 2010-05-27 03:45 103936 ----a-w- c:\windows\system32\zlcommdb.dll
    2010-05-06 10:41 . 2004-08-11 21:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-05-02 05:22 . 2004-08-11 21:00 1851264 ----a-w- c:\windows\system32\win32k.sys
    2010-04-29 19:39 . 2010-05-23 18:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-29 19:39 . 2010-05-23 18:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-07-17_21.11.32 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-07-23 11:33 . 2010-07-23 11:33 16384 c:\windows\Temp\Perflib_Perfdata_7e8.dat
    + 2004-08-04 03:07 . 2008-04-13 17:36 68224 c:\windows\system32\drivers\pci.sys
    - 2004-08-04 03:07 . 2008-04-13 18:36 68224 c:\windows\system32\drivers\pci.sys
    + 2004-08-04 03:07 . 2008-04-13 17:36 68224 c:\windows\system32\dllcache\pci.sys
    + 2010-07-23 11:46 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\7-23-2010\ERDNT.EXE
    + 2010-07-22 11:20 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\7-22-2010\ERDNT.EXE
    + 2010-07-21 11:40 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\7-21-2010\ERDNT.EXE
    + 2010-07-20 00:36 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\7-19-2010\ERDNT.EXE
    + 2010-07-18 12:25 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\7-18-2010\ERDNT.EXE
    + 2010-07-23 21:18 . 2005-10-20 16:02 163328 c:\windows\ERDNT\7-23-2010\ERDNT.EXE
    + 2010-07-23 11:46 . 2010-07-23 11:46 3395584 c:\windows\ERDNT\AutoBackup\7-23-2010\Users\00000002\UsrClass.dat
    + 2010-07-23 11:46 . 2010-07-23 11:46 9334784 c:\windows\ERDNT\AutoBackup\7-23-2010\Users\00000001\NTUSER.DAT
    + 2010-07-22 11:20 . 2010-07-22 11:20 3395584 c:\windows\ERDNT\AutoBackup\7-22-2010\Users\00000002\UsrClass.dat
    + 2010-07-22 11:20 . 2010-07-22 11:20 9318400 c:\windows\ERDNT\AutoBackup\7-22-2010\Users\00000001\NTUSER.DAT
    + 2010-07-21 11:39 . 2010-07-21 11:39 3395584 c:\windows\ERDNT\AutoBackup\7-21-2010\Users\00000002\UsrClass.dat
    + 2010-07-21 11:39 . 2010-07-21 11:39 9318400 c:\windows\ERDNT\AutoBackup\7-21-2010\Users\00000001\NTUSER.DAT
    + 2010-07-20 00:36 . 2010-07-20 00:36 3395584 c:\windows\ERDNT\AutoBackup\7-19-2010\Users\00000002\UsrClass.dat
    + 2010-07-20 00:36 . 2010-07-20 00:36 9318400 c:\windows\ERDNT\AutoBackup\7-19-2010\Users\00000001\NTUSER.DAT
    + 2010-07-18 12:25 . 2010-07-18 12:25 3395584 c:\windows\ERDNT\AutoBackup\7-18-2010\Users\00000002\UsrClass.dat
    + 2010-07-18 12:25 . 2010-07-18 12:25 9318400 c:\windows\ERDNT\AutoBackup\7-18-2010\Users\00000001\NTUSER.DAT
    + 2010-07-23 21:19 . 2010-07-23 21:19 3395584 c:\windows\ERDNT\7-23-2010\Users\00000002\UsrClass.dat
    + 2010-07-23 21:19 . 2010-07-23 21:19 9334784 c:\windows\ERDNT\7-23-2010\Users\00000001\NTUSER.DAT
    + 2006-08-23 12:59 . 2010-07-02 19:39 34045896 c:\windows\system32\MRT.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "DLPSP"="c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE" [2005-01-13 126976]
    "Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-06-24 53096]
    "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2008-09-30 125368]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-09 198160]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-05-20 1043968]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

    c:\documents and settings\Jonathan\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-7-29 24576]
    JHSecure VPN Client.lnk - c:\program files\JHSecure\VPN Client\vpngui.exe [2006-8-9 1524776]
    Kodak EasyShare software.lnk - c:\program files\KODAK\Kodak EasyShare software\bin\EasyShare.exe [2007-2-20 282624]
    NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2007-12-8 118784]
    Wireless USB 2.0 WLAN Card Utility.lnk - c:\program files\Dell Wireless\PRISMCFG.exe [2006-7-29 921704]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PRISMAPI.DLL]
    2005-12-23 00:08 450646 ----a-w- c:\windows\system32\PRISMAPI.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\KODAK\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "c:\\Program Files\\KODAK\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
    "c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Documents and Settings\\Jonathan\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

    R0 IABFilt;Iomega Snapshot Volume Filter;c:\windows\system32\drivers\IABFilt.sys [8/29/2006 5:41 PM 25344]
    R0 sonypvl2;sonypvl2;c:\windows\system32\drivers\sonypvl2.sys [8/4/2006 10:22 PM 19478]
    R1 NEOFLTR_600_13487;Juniper Networks TDI Filter Driver (NEOFLTR_600_13487);c:\windows\system32\drivers\NEOFLTR_600_13487.sys [8/13/2008 9:50 PM 64160]
    R1 sonypvf2;sonypvf2;c:\windows\system32\drivers\sonypvf2.sys [8/4/2006 10:22 PM 634798]
    R1 sonypvt2;sonypvt2;c:\windows\system32\drivers\sonypvt2.sys [8/4/2006 10:22 PM 430670]
    R2 DLSDB;Dell Printer Status Database;c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\dlsdbnt.exe [8/4/2006 4:26 PM 135168]
    R2 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [7/29/2006 9:15 AM 61526]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [5/31/2010 5:47 PM 102448]
    S1 sonypvd2;sonypvd2;c:\windows\system32\drivers\sonypvd2.sys [8/4/2006 10:22 PM 64093]
    S2 gupdate1c99473f33209e4;Google Update Service (gupdate1c99473f33209e4);c:\program files\Google\Update\GoogleUpdate.exe [2/21/2009 6:30 PM 133104]
    S3 PortlUSB;PortlUSB;c:\windows\system32\drivers\H10USB.sys [6/24/2004 12:52 AM 7552]
    S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/30/2008 6:41 PM 116664]
    S3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\SCR3XX2K.sys [10/17/2007 11:11 PM 56448]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - klmd23

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-07-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-21 22:30]

    2010-07-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-21 22:30]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = <local>
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    Trusted Zone: intuit.com\ttlc
    Trusted Zone: turbotax.com
    DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
    DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://www.ritzpix.com/net/Uploader/LPUploader57.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-23 17:30
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1280)
    c:\windows\system32\PRISMAPI.DLL
    c:\windows\system32\igfxdev.dll

    - - - - - - - > 'explorer.exe'(4452)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-07-23 17:32:13
    ComboFix-quarantined-files.txt 2010-07-23 21:32
    ComboFix2.txt 2010-07-21 22:37
    ComboFix3.txt 2010-07-17 21:16

    Pre-Run: 80,549,703,680 bytes free
    Post-Run: 80,554,008,576 bytes free

    - - End Of File - - F28C0642571F99F9E9E44059DB31641F

  3. #43
    Emeritus- Malware Team
    Join Date
    Oct 2009
    Location
    New England, USA
    Posts
    503


    Okay good, please run TDSSKiller one more time and post the log.

    Let me know how it's running at this point too please.
    IndiGenus

  4. #44
    Junior Member
    Join Date
    Jul 2010
    Posts
    29


    The computer seems to be running fine. I can access Windows Update and I'm not getting redirected to other sites when I use Explorer.

    TDSS rootkit removing tool, Kaspersky Lab, 2010
    version 2.3.2.2 Jun 30 2010 17:23:49

    Scanning Services ...

    Scanning Drivers ...

    Completed

    Results:
    Registry objects infected / cured / cured on reboot: 0 / 0 / 0
    File objects infected / cured / cured on reboot: 0 / 0 / 0

    Press any key to continue . . .

  5. #45
    Emeritus- Malware Team
    Join Date
    Oct 2009
    Location
    New England, USA
    Posts
    503


    Run OTL.exe
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :Files
      c:\windows\system32\drivers\tsk35.tmp
      
      :Commands
      [emptytemp]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot when it is done
    • Then post the resulting OTL log


    +++++++++++++++

    I would like you to run the following scan: Eset Online Scanner
    Run with Internet Explorer
    • Place a check mark in the box YES, I accept the Terms Of Use
    • Click the Start button.
    • Now click the Install button, or click the notification bar at the top of the window and choose to install.
    • Click Start. The scanner engine will initialize and update.
    • Do Not place a check mark in the box beside Remove found threats.
    • Click the Scan button. The scan will now run, please be patient.
    • When the scan finishes click the Details tab.
    • Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.
    IndiGenus

  6. #46
    Junior Member
    Join Date
    Jul 2010
    Posts
    29


    OTL logfile created on: 7/24/2010 10:08:48 AM - Run 2
    OTL by OldTimer - Version 3.2.7.1 Folder = C:\Documents and Settings\Jonathan\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 66.00% Memory free
    5.00 Gb Paging File | 4.00 Gb Available in Paging File | 81.00% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 148.96 Gb Total Space | 72.92 Gb Free Space | 48.95% Space Free | Partition Type: NTFS
    D: Drive not present or media not loaded
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: OPTIPLEX
    Current User Name: Jonathan
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: Off
    Skip Microsoft Files: Off
    File Age = 30 Days
    Output = Standard

    ========== Processes (SafeList) ==========

    PRC - [2010/07/05 10:51:00 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jonathan\Desktop\OTL.exe
    PRC - [2010/05/20 18:11:48 | 002,437,176 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    PRC - [2010/05/20 18:10:18 | 001,043,968 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    PRC - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    PRC - [2010/02/09 14:01:43 | 000,198,160 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    PRC - [2009/09/29 10:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    PRC - [2009/03/05 16:07:20 | 002,260,480 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    PRC - [2009/01/14 17:53:02 | 000,226,656 | ---- | M] (Microsoft Corp.) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    PRC - [2008/09/30 18:41:14 | 000,125,368 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
    PRC - [2008/09/30 18:41:04 | 001,956,792 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    PRC - [2008/09/30 18:40:56 | 000,031,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
    PRC - [2008/08/27 10:50:40 | 001,251,720 | ---- | M] () -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    PRC - [2008/06/24 19:17:38 | 000,169,320 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    PRC - [2008/06/24 19:17:36 | 000,191,848 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    PRC - [2008/06/24 19:17:34 | 000,053,096 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2008/01/29 17:38:31 | 000,583,048 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    PRC - [2007/09/12 19:27:24 | 000,554,352 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    PRC - [2007/07/26 20:25:20 | 001,181,016 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    PRC - [2007/02/20 05:10:26 | 000,282,624 | ---- | M] (Eastman Kodak Company) -- C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    PRC - [2007/01/31 15:55:42 | 000,096,370 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
    PRC - [2005/12/22 21:14:54 | 000,921,704 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell Wireless\PRISMCFG.exe
    PRC - [2005/12/22 20:21:44 | 000,061,526 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\PRISMSVC.exe
    PRC - [2005/12/22 20:15:46 | 000,381,014 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\PRISMSVR.exe
    PRC - [2005/11/04 10:21:28 | 001,516,584 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\JHSecure\VPN Client\cvpnd.exe
    PRC - [2005/09/08 05:20:00 | 000,122,940 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLACTRLW.EXE
    PRC - [2005/01/13 00:00:30 | 000,126,976 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpsp.exe
    PRC - [2004/10/14 19:42:54 | 001,404,928 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
    PRC - [2004/07/27 16:50:42 | 000,221,184 | ---- | M] (InstallShield Software Corporation) -- c:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    PRC - [2004/07/27 16:50:18 | 000,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    PRC - [2004/07/27 16:50:04 | 000,503,808 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
    PRC - [2004/03/12 00:00:30 | 000,135,168 | ---- | M] (Dell Inc.) -- c:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlsdbnt.exe
    PRC - [2004/03/12 00:00:30 | 000,090,112 | ---- | M] (Dell Inc.) -- c:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpwdnt.exe
    PRC - [2004/02/13 10:47:02 | 000,155,648 | ---- | M] (Dell Inc) -- C:\Program Files\Dell\OpenManage\Client\Iap.exe
    PRC - [2003/10/29 02:06:00 | 000,024,576 | R--- | M] (BVRP Software) -- C:\Program Files\Digital Line Detect\DLG.exe
    PRC - [2003/06/18 12:00:00 | 000,200,704 | ---- | M] (Microsoft Corp.) -- C:\Program Files\Microsoft Money\System\mnyexpr.exe


    ========== Modules (SafeList) ==========

    MOD - [2010/07/05 10:51:00 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jonathan\Desktop\OTL.exe
    MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


    ========== Win32 Services (SafeList) ==========

    SRV - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
    SRV - [2010/02/19 20:30:16 | 000,067,360 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus(R)
    SRV - [2010/02/14 22:50:50 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
    SRV - [2009/09/29 10:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
    SRV - [2009/01/14 17:53:02 | 000,226,656 | ---- | M] (Microsoft Corp.) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
    SRV - [2008/09/30 18:41:08 | 000,116,664 | ---- | M] (symantec) [On_Demand | Stopped] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
    SRV - [2008/09/30 18:41:04 | 001,956,792 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
    SRV - [2008/09/30 18:40:56 | 000,031,160 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
    SRV - [2008/08/27 10:50:40 | 001,251,720 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- (Symantec Core LC)
    SRV - [2008/08/20 16:50:30 | 000,214,408 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
    SRV - [2008/06/24 19:17:38 | 000,169,320 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
    SRV - [2008/06/24 19:17:36 | 000,191,848 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
    SRV - [2008/01/29 17:38:31 | 000,583,048 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe -- (LiveUpdate Notice Service)
    SRV - [2007/09/12 19:27:24 | 002,999,664 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE -- (LiveUpdate)
    SRV - [2007/09/12 19:27:24 | 000,554,352 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe -- (Automatic LiveUpdate Scheduler)
    SRV - [2007/07/26 20:25:20 | 001,181,016 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)
    SRV - [2007/01/31 15:55:42 | 000,096,370 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
    SRV - [2005/12/22 20:21:44 | 000,061,526 | ---- | M] (Conexant Systems, Inc.) [Auto | Running] -- C:\WINDOWS\system32\PRISMSVC.exe -- (PRISMSVC)
    SRV - [2005/11/04 10:21:28 | 001,516,584 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\JHSecure\VPN Client\cvpnd.exe -- (CVPND)
    SRV - [2004/03/12 00:00:30 | 000,135,168 | ---- | M] (Dell Inc.) [Auto | Running] -- c:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlsdbnt.exe -- (DLSDB)
    SRV - [2004/03/12 00:00:30 | 000,090,112 | ---- | M] (Dell Inc.) [Auto | Running] -- c:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpwdnt.exe -- (DLPWD)
    SRV - [2004/02/13 10:47:02 | 000,155,648 | ---- | M] (Dell Inc) [Auto | Running] -- C:\Program Files\Dell\OpenManage\Client\Iap.exe -- (Iap)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Jonathan\LOCALS~1\Temp\catchme.sys -- (catchme)
    DRV - [2010/07/14 04:00:00 | 001,362,608 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100723.024\NAVEX15.SYS -- (NAVEX15)
    DRV - [2010/07/14 04:00:00 | 000,085,424 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100723.024\NAVENG.SYS -- (NAVENG)
    DRV - [2010/05/31 04:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\eengine\eeCtrl.sys -- (eeCtrl)
    DRV - [2010/05/31 04:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
    DRV - [2009/02/15 17:44:14 | 000,123,952 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
    DRV - [2008/08/20 16:50:02 | 000,188,808 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
    DRV - [2008/08/20 16:49:56 | 000,023,944 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
    DRV - [2008/08/13 21:50:50 | 000,064,160 | ---- | M] (Juniper Networks) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NEOFLTR_600_13487.sys -- (NEOFLTR_600_13487) Juniper Networks TDI Filter Driver (NEOFLTR_600_13487)
    DRV - [2008/05/28 12:31:24 | 000,337,280 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)
    DRV - [2008/05/28 12:31:24 | 000,054,656 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)
    DRV - [2008/04/13 14:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
    DRV - [2008/04/13 14:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
    DRV - [2007/10/17 23:11:00 | 000,056,448 | ---- | M] (SCM Microsystems Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SCR3XX2K.sys -- (SCR3XX2K)
    DRV - [2007/07/26 20:25:18 | 000,400,216 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
    DRV - [2006/07/29 09:20:09 | 000,010,344 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\symlcbrd.sys -- (symlcbrd)
    DRV - [2005/11/11 16:34:16 | 000,353,728 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\PRISMA02.sys -- (DELL_A02)
    DRV - [2005/11/04 10:20:40 | 000,303,735 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
    DRV - [2005/09/12 03:30:00 | 000,089,264 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)
    DRV - [2005/09/08 05:20:00 | 000,094,332 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
    DRV - [2005/09/08 05:20:00 | 000,087,036 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
    DRV - [2005/09/08 05:20:00 | 000,086,524 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
    DRV - [2005/09/08 05:20:00 | 000,025,628 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
    DRV - [2005/09/08 05:20:00 | 000,014,684 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
    DRV - [2005/09/08 05:20:00 | 000,006,364 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
    DRV - [2005/09/08 05:20:00 | 000,002,496 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResN.SYS -- (DLADResN)
    DRV - [2005/08/25 12:16:52 | 000,005,628 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
    DRV - [2005/08/25 12:16:16 | 000,022,684 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS -- (DLARTL_N)
    DRV - [2005/08/12 05:20:00 | 000,040,544 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
    DRV - [2005/07/01 10:15:06 | 000,025,344 | ---- | M] (Iomega) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\IABFilt.sys -- (IABFilt)
    DRV - [2005/06/29 19:50:30 | 000,110,080 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
    DRV - [2005/05/17 04:51:34 | 000,005,315 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
    DRV - [2005/04/01 16:52:46 | 000,132,608 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
    DRV - [2005/01/26 06:22:20 | 000,280,344 | ---- | M] (Zone Labs LLC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
    DRV - [2004/10/07 21:16:04 | 000,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K)
    DRV - [2004/09/17 14:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
    DRV - [2004/08/03 22:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
    DRV - [2004/06/24 00:52:00 | 000,007,552 | ---- | M] (PortalPlayer, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\H10USB.sys -- (PortlUSB)
    DRV - [2004/02/13 10:46:00 | 000,017,153 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\omci.sys -- (omci)
    DRV - [2003/11/17 21:59:20 | 000,212,224 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
    DRV - [2003/11/17 21:58:02 | 000,680,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
    DRV - [2003/11/17 21:56:26 | 001,042,432 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
    DRV - [2003/07/01 17:23:12 | 000,634,798 | ---- | M] (Sony Corporation) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\sonypvf2.sys -- (sonypvf2)
    DRV - [2003/07/01 17:12:32 | 000,430,670 | ---- | M] (Sony Corporation) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\sonypvt2.sys -- (sonypvt2)
    DRV - [2003/06/24 10:29:36 | 000,064,093 | ---- | M] (Sony Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\sonypvd2.sys -- (sonypvd2)
    DRV - [2003/06/18 04:21:08 | 000,019,478 | ---- | M] (Sony Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sonypvl2.sys -- (sonypvl2)
    DRV - [2001/08/17 14:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
    DRV - [2001/08/17 14:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
    DRV - [2001/08/17 14:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
    DRV - [2001/08/17 14:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
    DRV - [2001/08/17 14:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
    DRV - [2001/08/17 13:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)
    DRV - [2001/08/17 13:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
    DRV - [2001/08/17 13:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
    DRV - [2001/08/17 13:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
    DRV - [2001/08/17 13:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
    DRV - [2001/08/17 13:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
    DRV - [2001/08/17 13:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
    DRV - [2001/08/17 13:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
    DRV - [2001/08/17 13:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
    DRV - [2001/08/17 13:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
    DRV - [2001/08/17 13:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
    DRV - [2000/03/29 17:11:20 | 000,008,096 | ---- | M] (MicroStaff Co.,Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\MASPINT.SYS -- (MASPINT)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...rel&channel=us
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = http://www.google.com/ig/dell?hl=en&...rel&channel=us

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>



    O1 HOSTS File: ([2010/07/17 17:11:10 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
    O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll File not found
    O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL (Sonic Solutions)
    O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (Dell Inc.)
    O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
    O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
    O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
    O4 - HKLM..\Run: [DLPSP] c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE (Dell Inc.)
    O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
    O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
    O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
    O4 - HKLM..\Run: [Symantec PIF AlertEng] C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe (Symantec Corporation)
    O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
    O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
    O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
    O4 - HKCU..\Run: [MoneyAgent] C:\Program Files\Microsoft Money\System\mnyexpr.exe (Microsoft Corp.)
    O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\JHSecure VPN Client.lnk = C:\Program Files\JHSecure\VPN Client\vpngui.exe (Cisco Systems, Inc.)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe (Eastman Kodak Company)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Wireless USB 2.0 WLAN Card Utility.lnk = C:\Program Files\Dell Wireless\PRISMCFG.exe (Dell Inc.)
    O4 - Startup: C:\Documents and Settings\Jonathan\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\Program Files\Juniper Networks\Secure Application Manager\samnsp.dll (Juniper Networks)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Program Files\Juniper Networks\Secure Application Manager\samnsp.dll (Juniper Networks)
    O15 - HKCU\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
    O15 - HKCU\..Trusted Domains: turbotax.com ([]https in Trusted sites)
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/...oUploader5.cab (Facebook Photo Uploader 5 Control)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/s...irector/sw.cab (Shockwave ActiveX Control)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/micr...?1278412954625 (MUWebControl Class)
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/...Uploader55.cab (Facebook Photo Uploader 5 Control)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} http://www.cvsphoto.com/upload/activ...eX_Control.cab (Photo Upload Plugin Class)
    O16 - DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} http://www.ritzpix.com/net/Uploader/LPUploader57.cab (Image Uploader Control)
    O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/ge...sh/swflash.cab (Shockwave Flash Object)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} https://dcconnect.rand.org/dana-cach...erSetupSP1.cab (JuniperSetupSP1 Control)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 71.252.0.12 71.242.0.12
    O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
    O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
    O20 - Winlogon\Notify\PRISMAPI.DLL: DllName - PRISMAPI.DLL - C:\WINDOWS\System32\PRISMAPI.dll (Conexant Systems, Inc.)
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\Jonathan\Local Settings\Application Data\Microsoft\Wallpaper2.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2004/08/11 17:15:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2010/07/23 19:31:03 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Jonathan\Recent
    [2010/07/23 19:20:09 | 000,000,000 | -HSD | C] -- C:\RECYCLER
    [2010/07/17 17:19:42 | 000,744,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\helpsvc.exe
    [2010/07/17 16:40:14 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2010/07/17 16:35:54 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2010/07/17 16:35:54 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2010/07/17 16:35:54 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2010/07/17 16:35:54 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2010/07/17 16:32:53 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2010/07/17 09:36:31 | 001,013,584 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Jonathan\Desktop\TDSSKiller.exe
    [2010/07/15 12:50:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
    [2010/07/15 12:50:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
    [2010/07/15 09:09:00 | 000,499,712 | ---- | C] (eSage Lab) -- C:\Documents and Settings\Jonathan\Desktop\remover.exe
    [2010/07/15 09:08:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jonathan\Application Data\PeaZip
    [2010/07/15 09:08:14 | 000,000,000 | ---D | C] -- C:\Program Files\PeaZip
    [2010/07/15 09:07:47 | 006,603,176 | ---- | C] (Giorgio Tani ) -- C:\Documents and Settings\Jonathan\Desktop\peazip-3.2.1.WINDOWS.exe
    [2010/07/05 10:51:55 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Jonathan\Desktop\OTL.exe
    [2010/07/04 22:37:07 | 000,000,000 | ---D | C] -- C:\Program Files\Sun
    [2010/07/04 22:36:57 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
    [2010/07/04 22:36:57 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
    [2010/07/04 22:36:56 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
    [2010/07/04 22:36:56 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
    [2010/07/04 22:36:56 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
    [2010/07/04 13:10:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2010/07/04 13:10:03 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
    [2010/07/02 19:25:45 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
    [2010/07/02 19:17:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jonathan\Local Settings\Application Data\Threat Expert
    [2010/07/02 18:59:51 | 001,652,664 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDCore.dll.old
    [2010/06/30 23:10:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
    [2010/06/30 23:10:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
    [2010/06/29 23:17:08 | 000,000,000 | ---D | C] -- C:\c3b08df3689e6543c69b76d6
    [2 C:\Documents and Settings\Jonathan\My Documents\*.tmp files -> C:\Documents and Settings\Jonathan\My Documents\*.tmp -> ]
    [127 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2010/07/24 09:25:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
    [2010/07/24 09:25:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
    [2010/07/24 08:19:50 | 000,485,956 | ---- | M] () -- C:\logfile
    [2010/07/24 08:07:41 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2010/07/24 08:05:50 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
    [2010/07/24 08:05:42 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2010/07/24 08:05:39 | 3747,753,984 | -HS- | M] () -- C:\hiberfil.sys
    [2010/07/23 19:31:16 | 009,437,184 | -H-- | M] () -- C:\Documents and Settings\Jonathan\NTUSER.DAT
    [2010/07/23 19:31:16 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Jonathan\ntuser.ini
    [2010/07/23 17:30:04 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
    [2010/07/23 17:20:28 | 000,000,274 | ---- | M] () -- C:\Documents and Settings\Jonathan\Desktop\fix.reg
    [2010/07/23 17:17:48 | 000,000,767 | ---- | M] () -- C:\Documents and Settings\Jonathan\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
    [2010/07/23 17:17:39 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\Jonathan\Desktop\NTREGOPT.lnk
    [2010/07/23 17:17:39 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Jonathan\Desktop\ERUNT.lnk
    [2010/07/23 14:04:51 | 000,029,583 | ---- | M] () -- C:\Documents and Settings\Jonathan\Desktop\Training objectives first draft.docx
    [2010/07/23 11:58:07 | 000,023,552 | ---- | M] () -- C:\Documents and Settings\Jonathan\Desktop\Delivery of Mental Health Services in the Patient.doc
    [2010/07/21 18:20:02 | 003,739,807 | R--- | M] () -- C:\Documents and Settings\Jonathan\Desktop\ComboFix.exe
    [2010/07/21 13:17:10 | 000,260,213 | ---- | M] () -- C:\Documents and Settings\Jonathan\Desktop\JSM 2010 Presentation 07-19-2010.pptx
    [2010/07/21 13:14:04 | 000,036,864 | ---- | M] () -- C:\Documents and Settings\Jonathan\Desktop\SSA Transient Numbers.xls
    [2010/07/21 07:51:08 | 000,143,490 | ---- | M] () -- C:\Documents and Settings\Jonathan\Desktop\Medical homes issue brief.pdf
    [2010/07/17 17:11:10 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2010/07/17 16:40:24 | 000,000,281 | RHS- | M] () -- C:\boot.ini
    [2010/07/17 15:50:45 | 000,029,696 | ---- | M] () -- C:\Documents and Settings\Jonathan\Desktop\jamaica.doc
    [2010/07/17 09:33:46 | 000,981,780 | ---- | M] () -- C:\Documents and Settings\Jonathan\Desktop\tdsskiller.zip
    [2010/07/17 09:22:06 | 000,055,296 | ---- | M] () -- C:\Documents and Settings\Jonathan\Desktop\MBRCheck.exe
    [2010/07/15 09:08:24 | 000,000,606 | ---- | M] () -- C:\Documents and Settings\Jonathan\Desktop\PeaZip.lnk
    [2010/07/15 09:07:47 | 006,603,176 | ---- | M] (Giorgio Tani ) -- C:\Documents and Settings\Jonathan\Desktop\peazip-3.2.1.WINDOWS.exe
    [2010/07/15 09:05:49 | 000,478,504 | ---- | M] () -- C:\Documents and Settings\Jonathan\Desktop\bootkit_remover.rar
    [2010/07/05 13:27:04 | 000,293,376 | ---- | M] () -- C:\7fuz0599.exe
    [2010/07/05 10:51:26 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\Jonathan\Desktop\link.doc
    [2010/07/05 10:51:00 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jonathan\Desktop\OTL.exe
    [2010/07/05 08:27:35 | 000,008,886 | ---- | M] () -- C:\Documents and Settings\Jonathan\Desktop\kasp report.html
    [2010/07/05 00:42:47 | 000,020,480 | ---- | M] () -- C:\Documents and Settings\Jonathan\My Documents\GA Schools.doc
    [2010/07/04 22:36:36 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
    [2010/07/04 22:36:36 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
    [2010/07/04 22:36:35 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
    [2010/07/04 22:36:35 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
    [2010/07/04 22:36:35 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
    [2010/07/04 21:21:32 | 080,398,104 | ---- | M] () -- C:\Documents and Settings\Jonathan\Desktop\jdk-6u20-windows-i586.exe
    [2010/07/02 19:25:46 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\Jonathan\Desktop\HijackThis.lnk
    [2010/06/30 17:25:08 | 001,013,584 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\Jonathan\Desktop\TDSSKiller.exe
    [2010/06/29 23:16:45 | 000,507,308 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
    [2010/06/29 23:16:45 | 000,445,370 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2010/06/29 23:16:45 | 000,072,576 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2 C:\Documents and Settings\Jonathan\My Documents\*.tmp files -> C:\Documents and Settings\Jonathan\My Documents\*.tmp -> ]
    [127 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2010/07/23 17:20:28 | 000,000,274 | ---- | C] () -- C:\Documents and Settings\Jonathan\Desktop\fix.reg
    [2010/07/21 18:16:08 | 000,000,348 | ---- | C] () -- C:\Documents and Settings\Jonathan\CFScript.txt
    [2010/07/21 17:43:57 | 000,023,552 | ---- | C] () -- C:\Documents and Settings\Jonathan\Desktop\Delivery of Mental Health Services in the Patient.doc
    [2010/07/21 13:17:09 | 000,260,213 | ---- | C] () -- C:\Documents and Settings\Jonathan\Desktop\JSM 2010 Presentation 07-19-2010.pptx
    [2010/07/21 11:08:58 | 000,036,864 | ---- | C] () -- C:\Documents and Settings\Jonathan\Desktop\SSA Transient Numbers.xls
    [2010/07/21 07:58:03 | 000,029,583 | ---- | C] () -- C:\Documents and Settings\Jonathan\Desktop\Training objectives first draft.docx
    [2010/07/21 07:51:08 | 000,143,490 | ---- | C] () -- C:\Documents and Settings\Jonathan\Desktop\Medical homes issue brief.pdf
    [2010/07/17 16:40:24 | 000,000,211 | ---- | C] () -- C:\Boot.bak
    [2010/07/17 16:40:17 | 000,260,272 | ---- | C] () -- C:\cmldr
    [2010/07/17 16:35:54 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2010/07/17 16:35:54 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2010/07/17 16:35:54 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2010/07/17 16:35:54 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2010/07/17 16:35:54 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2010/07/17 16:34:27 | 003,739,807 | R--- | C] () -- C:\Documents and Settings\Jonathan\Desktop\ComboFix.exe
    [2010/07/17 14:52:51 | 000,029,696 | ---- | C] () -- C:\Documents and Settings\Jonathan\Desktop\jamaica.doc
    [2010/07/17 09:33:35 | 000,981,780 | ---- | C] () -- C:\Documents and Settings\Jonathan\Desktop\tdsskiller.zip
    [2010/07/17 09:22:06 | 000,055,296 | ---- | C] () -- C:\Documents and Settings\Jonathan\Desktop\MBRCheck.exe
    [2010/07/15 09:08:24 | 000,000,606 | ---- | C] () -- C:\Documents and Settings\Jonathan\Desktop\PeaZip.lnk
    [2010/07/15 09:05:44 | 000,478,504 | ---- | C] () -- C:\Documents and Settings\Jonathan\Desktop\bootkit_remover.rar
    [2010/07/05 13:27:01 | 000,293,376 | ---- | C] () -- C:\7fuz0599.exe
    [2010/07/05 08:27:35 | 000,008,886 | ---- | C] () -- C:\Documents and Settings\Jonathan\Desktop\kasp report.html
    [2010/07/05 00:08:48 | 000,020,480 | ---- | C] () -- C:\Documents and Settings\Jonathan\My Documents\GA Schools.doc
    [2010/07/04 21:21:32 | 080,398,104 | ---- | C] () -- C:\Documents and Settings\Jonathan\Desktop\jdk-6u20-windows-i586.exe
    [2010/07/04 20:59:38 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\Jonathan\Desktop\link.doc
    [2010/07/04 13:10:17 | 000,000,767 | ---- | C] () -- C:\Documents and Settings\Jonathan\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
    [2010/07/04 13:10:04 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\Jonathan\Desktop\NTREGOPT.lnk
    [2010/07/04 13:10:04 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Jonathan\Desktop\ERUNT.lnk
    [2010/07/02 19:25:46 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\Jonathan\Desktop\HijackThis.lnk
    [2010/07/02 18:59:53 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll.old
    [2009/02/15 18:59:05 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
    [2007/11/05 14:40:23 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\pdfmonnt.dll
    [2007/11/05 14:40:21 | 000,000,164 | ---- | C] () -- C:\WINDOWS\System32\psconv.ini
    [2006/08/09 23:41:41 | 000,197,672 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
    [2006/08/09 23:41:40 | 000,189,480 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
    [2006/08/04 22:02:52 | 000,030,208 | ---- | C] () -- C:\WINDOWS\System32\WNASPI32.DLL
    [2006/08/04 22:02:52 | 000,000,291 | ---- | C] () -- C:\WINDOWS\msfsetup.ini
    [2006/08/04 16:00:04 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2006/08/04 15:22:33 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\CoPrism.dll
    [2006/07/29 09:24:50 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
    [2006/07/29 09:18:06 | 000,000,190 | ---- | C] () -- C:\WINDOWS\wininit.ini
    [2006/07/29 08:58:28 | 000,000,391 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
    [2005/11/10 08:38:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
    [2004/08/11 17:24:19 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
    [2004/08/11 17:11:31 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
    [2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
    [2000/09/08 18:53:50 | 000,073,839 | ---- | C] () -- C:\WINDOWS\System32\KodakOneTouch.dll

    ========== Custom Scans ==========


    < :Files >

    < c:\windows\system32\drivers\tsk35.tmp >
    [1 c:\windows\system32\drivers\*.tmp files -> c:\windows\system32\drivers\*.tmp -> ]

    < >

    < :Commands >

    < [emptytemp] >

    < [Reboot] >

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
    @Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FA5F15C4
    @Alternate Data Stream - 105 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:430C6D84
    @Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
    < End of report >

  7. #47
    Emeritus- Malware Team
    Join Date
    Oct 2009
    Location
    New England, USA
    Posts
    503

    Default

    Okay I will await the results from the ESET scan before we proceed.
    IndiGenus

  8. #48
    Junior Member
    Join Date
    Jul 2010
    Posts
    29

    Default

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=78a2746903e719478e3bf17d62830aec
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-07-24 03:58:57
    # local_time=2010-07-24 11:58:57 (-0500, Eastern Daylight Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 1782137 1782137 0 0
    # compatibility_mode=1024 16777215 100 0 4127922 4127922 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # compatibility_mode=9217 16777214 75 70 4102176 77564434 0 0
    # scanned=173045
    # found=104
    # cleaned=0
    # scan_time=5456
    C:\WINDOWS\system32\drivers\etc\hosts.20100523-153730.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100523-153734.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100523-153735.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100523-153736.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100523-153737.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100523-153738.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100523-153739.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100523-153740.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100523-153741.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100523-153742.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100523-153749.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100523-153753.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100523-153754.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100523-225130.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100523-225131.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100523-225132.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100523-225133.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100523-225134.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100523-225135.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100523-225136.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100523-225138.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100523-225139.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100525-101639.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100525-101640.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100525-101641.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100525-101642.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100525-101643.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100525-101644.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100525-101645.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100526-232814.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100526-232822.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100526-232823.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100526-232824.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100526-232825.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100526-232826.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100526-232827.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100526-232828.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100526-232829.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100526-232830.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100526-232831.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100526-232832.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100526-232833.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100526-232834.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100526-232835.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100526-233406.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100526-233408.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100526-233409.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100526-233410.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100526-233411.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100526-233412.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100526-233413.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100526-233414.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100526-233415.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100527-073036.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100527-073037.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100527-073038.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100527-073039.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100527-073040.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100527-073041.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100527-073042.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100527-073043.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100527-073044.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100604-163932.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100604-163933.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100604-163934.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100604-163935.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100604-163936.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100604-163937.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100604-163938.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100604-163939.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100604-163940.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100620-174038.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100620-174039.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100620-174040.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100620-174041.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100620-174042.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100620-174043.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100620-174044.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100620-174045.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100620-174046.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100620-174047.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100630-233849.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100630-233851.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100630-233852.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100630-233853.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100630-233854.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100630-233857.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100630-233858.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100630-233859.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100630-233900.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100630-233901.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100630-233902.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100630-233903.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100630-233904.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100702-101124.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100702-101126.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100702-101127.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100702-101128.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100702-101129.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100702-101130.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100702-101131.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100702-101132.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100702-101133.backup Win32/Qhost trojan 00000000000000000000000000000000 I
    C:\WINDOWS\system32\drivers\etc\hosts.20100702-101134.backup Win32/Qhost trojan 00000000000000000000000000000000 I

  9. #49
    Emeritus- Malware Team
    Join Date
    Oct 2009
    Location
    New England, USA
    Posts
    503

    Default

    Just need to clean out some leftovers. The items ESET found are the infected backup hosts files that were created when you used OTM to solve your HOSTS issue. They will be cleaned out when we clean up the tools.

    Run OTL.exe
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll File not found
      O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No CLSID value found.
      O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
      O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
      O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
      O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
      O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No CLSID value found.
      
      :Commands
      [purity]
      [emptytemp]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot when it is done
    • Then post a new OTL log
    IndiGenus
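The note above explains why ESET reported so many hosts.*.backup files: each is a copy of the hijacked HOSTS file that OTM saved before replacing it, so every copy still carries the Win32/Qhost redirections even though the live file is clean. The script below is an added example of what such an audit looks like; it is not code from this thread, from OTL/OTM, or from ESET. It parses a hosts file, flags the two patterns a Qhost-style hijack leaves behind (security/update domains sinkholed to loopback, and public hostnames redirected to an outside address), and runs the same check over the backup copies. The sample file contents, the protected-domain list, the LAN address ranges and the backup file-name pattern are constructed assumptions.

```python
"""Audit a Windows HOSTS file, and OTM-style hosts.*.backup copies, for hijack entries.

Added example; not code from the thread, OTL/OTM or ESET. The sample contents,
the protected-domain list and the backup file-name pattern are assumptions.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Domains a hosts-file hijacker typically points at loopback so that security
# software can no longer update (assumed list; extend for your environment).
PROTECTED_SUFFIXES = ("symantec.com", "kaspersky.com", "eset.com",
                      "malwarebytes.org", "microsoft.com", "windowsupdate.com")

# Names a stock Windows hosts file legitimately maps to loopback.
STOCK_LOOPBACK = {"localhost", "localhost.localdomain", "broadcasthost"}

# Address space where a hosts mapping is ordinary LAN name resolution.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

Finding = Tuple[int, str, str, str]  # (line number, address, hostname, reason)


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (lineno, address, [hostnames]) per mapping; comments and blanks skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line:
            continue
        fields = line.split()
        names = [n.lower() for n in fields[1:]]
        if names:
            entries.append((lineno, fields[0], names))
    return entries


def _under(name: str, suffixes) -> bool:
    return any(name == s or name.endswith("." + s) for s in suffixes)


def classify(address: str, name: str) -> str:
    """Return why this mapping looks like a hijack, or '' if it looks benign."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return "unparseable address"
    if addr.is_loopback or addr.is_unspecified:
        if name in STOCK_LOOPBACK:
            return ""
        if _under(name, PROTECTED_SUFFIXES):
            return "security/update domain sinkholed to loopback"
        return ""   # ad-blocking lists sinkhole many names; not suspicious on its own
    if any(addr in net for net in LAN_NETS):
        return ""   # RFC 1918 / link-local: ordinary LAN mapping
    # Anything else resolves a public name to an address the attacker controls:
    # the classic Qhost pattern for redirecting banks and search engines.
    return "public host redirected to %s" % address


def audit_hosts(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, address, names in parse_hosts(text):
        for name in names:
            reason = classify(address, name)
            if reason:
                findings.append((lineno, address, name, reason))
    return findings


# OTM names its copies hosts.YYYYMMDD-HHMMSS.backup (see the ESET log above);
# lmhosts.sam and other neighbours in drivers\etc are deliberately excluded.
_HOSTS_NAME = re.compile(r"(^|[\\/])hosts(\.\d{8}-\d{6}\.backup)?$", re.IGNORECASE)


def audit_directory(files: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Audit the live hosts file and every backup copy; files maps path -> content."""
    return {path: audit_hosts(content)
            for path, content in files.items() if _HOSTS_NAME.search(path)}


# Constructed samples: a clean XP-style hosts file and a hijacked backup copy.
CLEAN_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver    # LAN box
"""
HIJACKED_HOSTS = """127.0.0.1 localhost
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.kaspersky.com
203.0.113.45 www.google.com
203.0.113.45 www.bankofexample.com
"""
SAMPLE_FILES = {
    r"C:\WINDOWS\system32\drivers\etc\hosts": CLEAN_HOSTS,
    r"C:\WINDOWS\system32\drivers\etc\hosts.20100523-153730.backup": HIJACKED_HOSTS,
    r"C:\WINDOWS\system32\drivers\etc\lmhosts.sam": "# not a hosts file\n",
}

if __name__ == "__main__":
    for path, findings in audit_directory(SAMPLE_FILES).items():
        print("%s: %d suspicious mapping(s)" % (path, len(findings)))
        for lineno, address, name, reason in findings:
            print("  line %d: %s -> %s (%s)" % (lineno, name, address, reason))
```

Run it with the real contents of C:\WINDOWS\system32\drivers\etc\hosts and the backup copies in place of the samples. Ad-blocking hosts lists will not trip the loopback rule unless they cover a protected domain, and LAN mappings in RFC 1918 space are ignored, so anything the script reports deserves a look; after the cleanup, a healthy XP hosts file should produce no findings and contain little beyond the localhost line.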

  10. #50
    Junior Member
    Join Date
    Jul 2010
    Posts
    29

    Default

    All processes killed
    ========== OTL ==========
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}\ not found.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\ not found.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{472734EA-242A-422B-ADF8-83D1E48CC825} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{472734EA-242A-422B-ADF8-83D1E48CC825}\ not found.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{A057A204-BACC-4D26-9990-79A187E2698E} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}\ not found.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C4069E3A-68F1-403E-B40E-20066696354B}\ not found.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107}\ not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes
    ->Flash cache emptied: 41 bytes

    User: Jonathan
    ->Temp folder emptied: 1479810 bytes
    ->Temporary Internet Files folder emptied: 57579202 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 6035 bytes

    User: LocalService
    ->Temp folder emptied: 66016 bytes
    ->Temporary Internet Files folder emptied: 65670 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes
    ->Java cache emptied: 4842 bytes
    ->Flash cache emptied: 20064 bytes

    User: Regina
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Java cache emptied: 12118833 bytes
    ->Flash cache emptied: 579 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 19569 bytes
    %systemroot%\System32 .tmp files removed: 153312311 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 68224 bytes
    Windows Temp folder emptied: 483 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 11621251 bytes
    RecycleBin emptied: 41361 bytes

    Total Files Cleaned = 226.00 mb


    OTL by OldTimer - Version 3.2.7.1 log created on 07252010_105702

    Files\Folders moved on Reboot...
    File\Folder C:\Documents and Settings\Jonathan\Local Settings\Temp\~DF6DA9.tmp not found!
    File\Folder C:\Documents and Settings\Jonathan\Local Settings\Temp\~DF6DB4.tmp not found!
    File\Folder C:\Documents and Settings\Jonathan\Local Settings\Temp\~DF6E33.tmp not found!
    File\Folder C:\Documents and Settings\Jonathan\Local Settings\Temp\~DF6E40.tmp not found!
    File\Folder C:\Documents and Settings\Jonathan\Local Settings\Temp\~DF6E92.tmp not found!
    File\Folder C:\Documents and Settings\Jonathan\Local Settings\Temp\~DF6E9D.tmp not found!
    C:\Documents and Settings\Jonathan\Local Settings\Temporary Internet Files\Content.IE5\UH6SF40L\welcome[4].htm moved successfully.
    C:\Documents and Settings\Jonathan\Local Settings\Temporary Internet Files\Content.IE5\UH6SF40L\_;ord=0[2].htm moved successfully.
    C:\Documents and Settings\Jonathan\Local Settings\Temporary Internet Files\Content.IE5\R7J0U3WA\md[1].htm moved successfully.
    C:\Documents and Settings\Jonathan\Local Settings\Temporary Internet Files\Content.IE5\R7J0U3WA\showthread[1].htm moved successfully.
    C:\Documents and Settings\Jonathan\Local Settings\Temporary Internet Files\Content.IE5\R7J0U3WA\st[2] moved successfully.
    C:\Documents and Settings\Jonathan\Local Settings\Temporary Internet Files\Content.IE5\R7J0U3WA\_;ord=0[3].htm moved successfully.

    Registry entries deleted on Reboot...
