
Potential Rootkit/internet quarantine



HeadlessChief
2010-08-29, 21:03
Hello! We have a Windows XP SP3 Media Center edition PC that has a nasty virus on it - we have tried to kill it several different times, with limited success.

We ran ComboFix today after we received more evidence of a rootkit: an email was sent from a Yahoo account that I haven't used in years to several folks in my address book; it was contaminated and contained links to random sites.

A few weeks ago we were quarantined from our ISP (Brighthouse) because they claimed that we had a rootkit virus. We followed their steps to remove/kill the malware, and thought we were out of the woods, but it seems as though we are not.

Any help you can offer is fantastic. We backed up the registry with ERUNT and have a DDS log, posted below.

Thank you!



DDS (Ver_10-03-17.01) - NTFSx86
Run by Brooke and Nick at 13:30:12.13 on Sun 08/29/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.553 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ASTSRV.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Brooke and Nick\Desktop\dds.scr

============== Pseudo HJT Report ===============

uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://firefox/
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No File
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\brooke~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Trusted Zone: safer-networking.org\www
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183257388593
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\brooke~1\applic~1\mozilla\firefox\profiles\vj8qx2x8.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - prefs.js: keyword.URL - hxxp://search.search-star.net/?sid=10101038100&s=
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\brooke and nick\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\brooke and nick\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\brooke and nick\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-star.net/?sid=10101038100&s=
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-26 133104]
S4 MSWU-38adf938;MSWU-38adf938;c:\windows\system32\38adf938.exe --> c:\windows\system32\38adf938.exe [?]
S4 MSWU-f36decbb;MSWU-f36decbb;c:\windows\system32\f36decbb.exe --> c:\windows\system32\f36decbb.exe [?]

=============== Created Last 30 ================

2010-08-29 16:32:59 0 d-----w- c:\program files\Safer Networking
2010-08-21 01:01:20 0 d-----w- c:\docume~1\brooke~1\applic~1\Photo! Web Album
2010-08-17 19:40:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-17 19:40:11 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-17 19:40:11 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-16 01:35:59 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-08-16 01:32:06 0 d-----r- c:\program files\Skype
2010-08-15 16:54:47 0 d-----w- c:\program files\iPod
2010-08-12 00:01:30 186 ----a-w- c:\windows\system32\MRT.INI
2010-08-12 00:01:30 0 d-----w- c:\windows\system32\MpEngineStore
2010-08-01 19:13:42 117760 -c--a-w- c:\windows\system32\dllcache\e100b325.sys
2010-08-01 19:13:42 117760 ----a-w- c:\windows\system32\drivers\e100b325.sys

==================== Find3M ====================

2010-08-02 23:16:26 132220 ----a-w- c:\windows\system32\drivers\KmxAgent.asc
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:15:28 832512 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:15:26 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-24 12:15:26 17408 ----a-w- c:\windows\system32\corpol.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-03 02:41:44 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-06-01 14:14:37 12 ----a-w- c:\docume~1\brooke~1\applic~1\czyiwa.dat
2009-02-26 18:56:46 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009022620090227\index.dat

============= FINISH: 13:30:56.41 ===============

peku006
2010-09-01, 09:30
Hello and welcome to Safer Networking

My name is peku006 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

Please observe these rules while we work:


If you don't know or understand something please don't hesitate to ask
Please DO NOT run any other tools or scans whilst I am helping you.
It is important that you reply to this thread. Do not start a new topic.
DO NOT attach logs unless requested to. Please copy/paste all requested logs into your replies.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Absence of symptoms does not mean that everything is clear.

Download and run OTL
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) by Old Timer and save it to your Desktop.

Double click on OTL.exe to run it.
Under Output, ensure that Minimal Output is selected.
Under Extra Registry section, select Use SafeList.
Click the Scan All Users checkbox.
Click on Run Scan at the top left hand corner.
When done, two Notepad files will open.
OTL.txt <-- Will be opened
Extras.txt <-- Will be minimized
Please post the contents of these 2 Notepad files in your next reply.

Please download GMER Rootkit Scanner from here (http://www.gmer.net/download.php).
Double click the .exe file. If asked to allow the gmer.sys driver to load, please consent.
If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
Run Gmer again and click on the Rootkit tab.
Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
Click on "Scan" and wait for the scan to finish.
Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
Note: If you have any problems, try running GMER in SAFE MODE (http://www.bleepingcomputer.com/forums/tutorial61.html)
Important! Please do not select the "Show all" checkbox during the scan.

Please post the GMER log along with OTL.txt and Extras.txt from the OTL scan into your next reply.

Thanks peku006
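The DDS log posted above lists two stopped services (MSWU-38adf938 and MSWU-f36decbb) whose binaries are eight-hex-digit names under system32 and are no longer on disk, and the OTL log repeats one of them as "File not found". A defender triaging such logs by hand looks for exactly that pattern. The script below is an added example, not code from this thread or from the DDS or OTL tools: it parses constructed service lines in the DDS "SERVICES / DRIVERS" format and the OTL "SRV -" format and flags services whose binary is missing or carries a random-looking hex name. The sample lines, the reading of DDS's trailing "[?]" as "file could not be read", and the heuristics are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines (not a real scan) modelled on the DDS "SERVICES / DRIVERS"
# section and the OTL "Win32 Services (SafeList)" section quoted in this thread.
SAMPLE_LOG = r"""
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S4 MSWU-38adf938;MSWU-38adf938;c:\windows\system32\38adf938.exe --> c:\windows\system32\38adf938.exe [?]
S4 MSWU-f36decbb;MSWU-f36decbb;c:\windows\system32\f36decbb.exe --> c:\windows\system32\f36decbb.exe [?]
SRV - (MSWU-f36decbb) -- C:\WINDOWS\System32\f36decbb.exe File not found
SRV - (getPlusHelper) getPlus(R) -- C:\Program Files\NOS\bin\getPlus_Helper.dll File not found
SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\HPZipm12.exe (HP)
"""

# DDS: "<state> <name>;<display>;<image path>[ --> <resolved path>] [<date size> or ?]"
DDS_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
DDS_TAIL_RE = re.compile(r"^(?P<path>.+?)\s+\[(?P<info>[^\]]*)\]\s*$")
# OTL: "SRV - (<name>) [<display>] -- <path> (<company>)" or "... <path> File not found"
OTL_RE = re.compile(
    r"^SRV - \((?P<name>[^)]+)\)(?P<display>.*?)\s+--\s+(?P<path>.+?)"
    r"\s+(?:\((?P<company>[^)]*)\)|(?P<missing>File not found))\s*$"
)
HEX_STEM_RE = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)

R_HEX = "binary name is eight random-looking hex digits"
R_DERIVED = "service name is derived from that random binary name"
R_MISSING = "service is registered but its binary is not on disk"


@dataclass
class ServiceEntry:
    source: str          # "dds" or "otl"
    name: str
    path: str
    binary_missing: bool


def parse_dds_service(line: str) -> Optional[ServiceEntry]:
    """Parse one DDS service/driver line; return None if the line is not one."""
    m = DDS_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    # DDS prints "<registry path> --> <resolved path>" when it normalised the
    # ImagePath (for example a \??\ prefix); keep the resolved path.
    if " --> " in rest:
        rest = rest.split(" --> ", 1)[1]
    tail = DDS_TAIL_RE.match(rest)
    if not tail:
        return None
    # Assumption for this example: "[?]" means DDS could not read the file's
    # date and size, i.e. the binary is absent.
    missing = tail.group("info").strip() == "?"
    return ServiceEntry("dds", m.group("name").strip(), tail.group("path").strip(), missing)


def parse_otl_service(line: str) -> Optional[ServiceEntry]:
    """Parse one OTL 'SRV -' line; return None if the line is not one."""
    m = OTL_RE.match(line.strip())
    if not m:
        return None
    return ServiceEntry("otl", m.group("name").strip(), m.group("path").strip(),
                        m.group("missing") is not None)


def parse_services(text: str) -> List[ServiceEntry]:
    """Collect service entries from a mixed DDS/OTL log text."""
    entries: List[ServiceEntry] = []
    for line in text.splitlines():
        entry = parse_dds_service(line) or parse_otl_service(line)
        if entry:
            entries.append(entry)
    return entries


def assess(entry: ServiceEntry) -> List[str]:
    """Return the reasons (possibly none) for treating this service as suspicious."""
    reasons: List[str] = []
    filename = entry.path.replace("/", "\\").rsplit("\\", 1)[-1]
    stem = filename.rsplit(".", 1)[0]
    if HEX_STEM_RE.match(stem):
        reasons.append(R_HEX)
        # e.g. MSWU-38adf938 pointing at 38adf938.exe: the name was generated from the file
        if stem.lower() in entry.name.lower():
            reasons.append(R_DERIVED)
    if entry.binary_missing:
        reasons.append(R_MISSING)
    return reasons


def triage(text: str) -> Dict[str, List[str]]:
    """Map each flagged service name to its sorted, de-duplicated reasons (DDS and OTL merged)."""
    flagged: Dict[str, set] = {}
    for entry in parse_services(text):
        reasons = assess(entry)
        if reasons:
            flagged.setdefault(entry.name, set()).update(reasons)
    return {name: sorted(r) for name, r in sorted(flagged.items())}


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(f"{name}: " + "; ".join(reasons))
```

A leftover "File not found" service on its own (SBRE here is the Spybot driver, getPlusHelper the Adobe download manager) is a low-priority cleanup item; the combination of a missing binary, a hex-only file name and a service name generated from it is what separates the two MSWU-* entries from ordinary uninstall debris.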

HeadlessChief
2010-09-01, 22:41
OTL logfile created on: 9/1/2010 11:17:15 AM - Run 1
OTL by OldTimer - Version 3.2.11.0 Folder = C:\Documents and Settings\Brooke and Nick\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 662.00 Mb Available Physical Memory | 65.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.47 Gb Total Space | 15.92 Gb Free Space | 21.38% Space Free | Partition Type: NTFS
Drive D: | 5.37 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
Drive E: | 57.25 Gb Total Space | 32.01 Gb Free Space | 55.92% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BROOKE
Current User Name: Brooke and Nick
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Brooke and Nick\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\WINDOWS\system32\ASTSRV.EXE (Nalpeiron Ltd.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\HPZipm12.exe (HP)
PRC - C:\WINDOWS\system32\devldr32.exe (Creative Technology Ltd.)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Brooke and Nick\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (MSWU-f36decbb) -- C:\WINDOWS\System32\f36decbb.exe File not found
SRV - (MSWU-38adf938) -- C:\WINDOWS\System32\38adf938.exe File not found
SRV - (getPlusHelper) getPlus(R) -- C:\Program Files\NOS\bin\getPlus_Helper.dll File not found
SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (astcc) -- C:\WINDOWS\system32\ASTSRV.EXE (Nalpeiron Ltd.)
SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\HPZipm12.exe (HP)


========== Driver Services (SafeList) ==========

DRV - (SBRE) -- C:\WINDOWS\System32\drivers\SBREdrv.sys File not found
DRV - (catchme) -- C:\DOCUME~1\BROOKE~1\LOCALS~1\Temp\catchme.sys File not found
DRV - (NuidFltr) -- C:\WINDOWS\system32\drivers\nuidfltr.sys (Microsoft Corporation)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (gameenum) -- C:\WINDOWS\system32\drivers\gameenum.sys (Microsoft Corporation)
DRV - (GoProto) -- C:\WINDOWS\system32\drivers\goprot51.sys (Gteko Ltd.)
DRV - (rtl8139) Realtek RTL8139(A/B/C) -- C:\WINDOWS\system32\drivers\RTL8139.sys (Realtek Semiconductor Corporation)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (MODEMCSA) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys (Microsoft Corporation)
DRV - (sfman) Creative SoundFont Manager Driver (WDM) -- C:\WINDOWS\system32\drivers\sfmanm.sys (Creative Technology Ltd.)
DRV - (emu10k1) Creative Interface Manager Driver (WDM) -- C:\WINDOWS\system32\drivers\ctlfacem.sys (Creative Technology Ltd.)
DRV - (emu10k) Creative SB Live! (WDM) -- C:\WINDOWS\system32\drivers\emu10k1m.sys (Creative Technology Ltd.)
DRV - (ctljystk) -- C:\WINDOWS\system32\drivers\ctljystk.sys (Creative Technology Ltd.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-842925246-606747145-682003330-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-842925246-606747145-682003330-1006\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-842925246-606747145-682003330-1006\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-842925246-606747145-682003330-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-842925246-606747145-682003330-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..browser.search.order.1: "Google"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://google.com/"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198
FF - prefs.js..keyword.URL: "http://search.search-star.net/?sid=10101038100&s="

FF - user.js..browser.search.selectedEngine: "Google"
FF - user.js..browser.search.order.1: "Google"
FF - user.js..keyword.URL: "http://search.search-star.net/?sid=10101038100&s="

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/28 16:23:54 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/08/26 14:38:31 | 000,000,000 | ---D | M]

[2009/02/27 10:27:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brooke and Nick\Application Data\Mozilla\Extensions
[2010/08/31 12:41:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Brooke and Nick\Application Data\Mozilla\Firefox\Profiles\vj8qx2x8.default\extensions
[2010/04/26 21:45:05 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Brooke and Nick\Application Data\Mozilla\Firefox\Profiles\vj8qx2x8.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/08/18 19:45:24 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus(R))) -- C:\Documents and Settings\Brooke and Nick\Application Data\Mozilla\Firefox\Profiles\vj8qx2x8.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2010/08/29 11:11:39 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/08/15 21:32:39 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2007/06/21 18:38:54 | 000,079,432 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\CgpCore.dll
[2007/06/21 18:38:56 | 000,071,240 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\confmgr.dll
[2007/06/21 18:39:18 | 000,034,376 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\logging.dll
[2007/06/21 18:39:34 | 000,325,200 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npicaN.dll
[2007/06/21 18:40:02 | 000,030,280 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\TcpPServ.dll

O1 HOSTS File: ([2010/08/29 12:49:21 | 000,416,183 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 14390 more lines...
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O3 - HKU\S-1-5-21-842925246-606747145-682003330-1006\..\Toolbar\WebBrowser: (no name) - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No CLSID value found.
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe (Apple Inc.)
O4 - Startup: C:\Documents and Settings\Brooke and Nick\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-842925246-606747145-682003330-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-842925246-606747145-682003330-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-842925246-606747145-682003330-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: _NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-842925246-606747145-682003330-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-842925246-606747145-682003330-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-842925246-606747145-682003330-1006\..Trusted Domains: safer-networking.org ([www] https in Trusted sites)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://photo.walgreens.com/WalgreensActivia.cab (Snapfish Activia)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab (Windows Live Safety Center Base Module)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183257388593 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 65.32.5.111 65.32.5.112
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Brooke and Nick\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Brooke and Nick\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/01/01 22:54:38 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/10/16 06:51:33 | 000,054,544 | R--- | M] (Electronic Arts) - D:\Autorun.exe -- [ UDF ]
O32 - AutoRun File - [2009/09/21 15:58:35 | 000,000,049 | R--- | M] () - D:\Autorun.inf -- [ UDF ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/09/01 10:48:47 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Brooke and Nick\Desktop\OTL.exe
[2010/08/29 13:24:09 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/08/29 12:32:59 | 000,000,000 | ---D | C] -- C:\Program Files\Safer Networking
[2010/08/29 11:57:30 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/08/20 21:09:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brooke and Nick\Application Data\Image Zone Express
[2010/08/20 21:01:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brooke and Nick\Application Data\Photo! Web Album
[2010/08/17 15:40:13 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/08/17 15:40:11 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/08/17 15:40:11 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/08/15 21:35:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brooke and Nick\Application Data\skypePM
[2010/08/15 21:33:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Brooke and Nick\Application Data\Skype
[2010/08/15 21:32:11 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2010/08/15 21:32:06 | 000,000,000 | R--D | C] -- C:\Program Files\Skype
[2010/08/15 21:31:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Skype
[2010/08/15 12:54:47 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/08/11 21:43:27 | 012,049,864 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Brooke and Nick\Desktop\windows-kb890830-v3.10.exe
[2010/08/11 20:01:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\MpEngineStore
[2010/08/03 19:41:27 | 000,000,000 | ---D | C] -- C:\Program Files\xerox
[2010/08/02 19:36:55 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/09/01 10:48:44 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Brooke and Nick\Desktop\OTL.exe
[2010/09/01 10:30:00 | 000,001,018 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-842925246-606747145-682003330-1006UA.job
[2010/09/01 10:24:00 | 000,000,904 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/09/01 10:16:07 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/09/01 10:16:02 | 000,000,900 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/09/01 10:15:39 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/09/01 10:15:35 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/09/01 10:15:32 | 1072,775,168 | -HS- | M] () -- C:\hiberfil.sys
[2010/09/01 02:50:15 | 009,437,184 | -H-- | M] () -- C:\Documents and Settings\Brooke and Nick\NTUSER.DAT
[2010/09/01 02:50:15 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Brooke and Nick\ntuser.ini
[2010/08/31 20:04:59 | 008,035,668 | ---- | M] () -- C:\Documents and Settings\Brooke and Nick\Desktop\Halo Reach Target Poster 08312010.pdf
[2010/08/31 17:30:00 | 000,000,966 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-842925246-606747145-682003330-1006Core.job
[2010/08/31 09:09:00 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/08/30 16:34:55 | 002,214,304 | ---- | M] () -- C:\Documents and Settings\Brooke and Nick\Desktop\Writers_Ultimate_Resource_Guide.pdf
[2010/08/30 15:33:49 | 000,011,624 | ---- | M] () -- C:\Documents and Settings\Brooke and Nick\My Documents\boudior Bio.odt
[2010/08/29 13:30:01 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Brooke and Nick\Desktop\dds.scr
[2010/08/29 13:24:24 | 000,000,767 | ---- | M] () -- C:\Documents and Settings\Brooke and Nick\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/08/29 13:24:09 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Brooke and Nick\Desktop\ERUNT.lnk
[2010/08/29 12:49:21 | 000,416,183 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/08/29 12:39:07 | 000,000,422 | RHS- | M] () -- C:\boot.ini
[2010/08/29 11:45:06 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/08/29 11:30:41 | 003,830,790 | R--- | M] () -- C:\Documents and Settings\Brooke and Nick\Desktop\ComboFix.exe
[2010/08/27 13:56:42 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/08/26 14:43:21 | 000,416,183 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100829-124921.backup
[2010/08/26 14:41:18 | 000,416,183 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100826-144321.backup
[2010/08/26 14:38:32 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/08/20 23:18:09 | 000,416,119 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100826-144118.backup
[2010/08/18 00:47:47 | 004,847,880 | -H-- | M] () -- C:\Documents and Settings\Brooke and Nick\Local Settings\Application Data\IconCache.db
[2010/08/17 15:40:17 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/08/17 13:29:40 | 000,011,890 | ---- | M] () -- C:\Documents and Settings\Brooke and Nick\My Documents\letter for payment.odt
[2010/08/17 11:24:21 | 000,415,912 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100820-231809.backup
[2010/08/15 21:35:59 | 000,000,056 | -H-- | M] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/08/15 13:37:01 | 000,000,819 | ---- | M] () -- C:\Documents and Settings\Brooke and Nick\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2010/08/15 13:36:30 | 000,000,867 | ---- | M] () -- C:\Documents and Settings\Brooke and Nick\Application Data\Microsoft\Internet Explorer\Quick Launch\OpenOffice.org 3.2.lnk
[2010/08/15 13:00:49 | 000,001,854 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Safari.lnk
[2010/08/15 13:00:49 | 000,001,854 | ---- | M] () -- C:\Documents and Settings\Brooke and Nick\Application Data\Microsoft\Internet Explorer\Quick Launch\Apple Safari.lnk
[2010/08/15 12:45:44 | 000,000,629 | ---- | M] () -- C:\WINDOWS\System32\mapisvc.inf
[2010/08/13 08:36:46 | 000,415,912 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100817-112421.backup
[2010/08/11 21:47:40 | 012,049,864 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Brooke and Nick\Desktop\windows-kb890830-v3.10.exe
[2010/08/11 21:16:01 | 000,278,944 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/08/11 20:07:58 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/08/11 20:06:31 | 000,501,230 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/08/11 20:06:31 | 000,441,124 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/08/11 20:06:31 | 000,071,060 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/08/11 20:01:30 | 000,000,186 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2010/08/11 16:02:26 | 000,415,912 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100813-083646.backup
[2010/08/10 10:51:10 | 000,000,829 | ---- | M] () -- C:\Documents and Settings\Brooke and Nick\Application Data\Microsoft\Internet Explorer\Quick Launch\Magic the Gathering.lnk
[2010/08/09 18:28:43 | 000,415,172 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100811-160226.backup
[2010/08/03 20:09:33 | 000,414,870 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100809-182843.backup
[2010/08/03 17:32:54 | 000,009,216 | ---- | M] () -- C:\Documents and Settings\Brooke and Nick\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/08/03 10:48:06 | 000,414,870 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100803-200933.backup
[2010/08/02 19:16:26 | 000,132,220 | ---- | M] () -- C:\WINDOWS\System32\drivers\KmxAgent.asc
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/08/31 20:03:42 | 008,035,668 | ---- | C] () -- C:\Documents and Settings\Brooke and Nick\Desktop\Halo Reach Target Poster 08312010.pdf
[2010/08/30 16:34:59 | 002,214,304 | ---- | C] () -- C:\Documents and Settings\Brooke and Nick\Desktop\Writers_Ultimate_Resource_Guide.pdf
[2010/08/30 15:33:48 | 000,011,624 | ---- | C] () -- C:\Documents and Settings\Brooke and Nick\My Documents\boudior Bio.odt
[2010/08/29 13:30:02 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Brooke and Nick\Desktop\dds.scr
[2010/08/29 13:24:24 | 000,000,767 | ---- | C] () -- C:\Documents and Settings\Brooke and Nick\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/08/29 13:24:09 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Brooke and Nick\Desktop\ERUNT.lnk
[2010/08/26 14:38:31 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/08/17 15:40:17 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/08/17 13:13:41 | 000,011,890 | ---- | C] () -- C:\Documents and Settings\Brooke and Nick\My Documents\letter for payment.odt
[2010/08/15 21:35:59 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/08/15 21:32:12 | 000,002,265 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/08/15 13:00:49 | 000,001,854 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Safari.lnk
[2010/08/15 12:56:37 | 000,002,137 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/08/11 20:01:30 | 000,000,186 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010/08/03 19:41:23 | 1072,775,168 | -HS- | C] () -- C:\hiberfil.sys
[2010/08/03 11:01:37 | 003,830,790 | R--- | C] () -- C:\Documents and Settings\Brooke and Nick\Desktop\ComboFix.exe
[2010/06/01 10:14:35 | 000,000,012 | ---- | C] () -- C:\Documents and Settings\Brooke and Nick\Application Data\czyiwa.dat
[2010/05/29 08:50:40 | 000,000,238 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/01/10 02:11:15 | 000,000,026 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\.811261211181235583101118113995
[2009/08/01 22:00:59 | 000,000,007 | ---- | C] () -- C:\WINDOWS\System32\mkghj.dll
[2009/06/19 22:13:19 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2009/05/22 23:23:12 | 000,000,387 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2009/04/04 10:01:29 | 000,000,173 | ---- | C] () -- C:\WINDOWS\KPCMS.INI
[2009/04/04 10:00:39 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT10.DLL
[2009/04/02 19:01:42 | 000,009,216 | ---- | C] () -- C:\Documents and Settings\Brooke and Nick\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/13 13:01:37 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Brooke and Nick\Application Data\AVSMediaPlayer.m3u
[2009/03/13 12:56:46 | 000,524,288 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/03/13 12:56:46 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/03/13 12:38:47 | 000,000,138 | ---- | C] () -- C:\Documents and Settings\Brooke and Nick\Local Settings\Application Data\fusioncache.dat
[2008/04/29 14:42:24 | 000,503,808 | ---- | C] () -- C:\WINDOWS\System32\ICCProfiles.dll
[2007/11/10 20:13:39 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2007/10/21 13:09:18 | 000,001,372 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/01/01 20:34:06 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/08/05 18:01:54 | 000,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[1999/01/22 14:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
< End of report >

OTL Extras logfile created on: 9/1/2010 11:17:15 AM - Run 1
OTL by OldTimer - Version 3.2.11.0 Folder = C:\Documents and Settings\Brooke and Nick\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 662.00 Mb Available Physical Memory | 65.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.47 Gb Total Space | 15.92 Gb Free Space | 21.38% Space Free | Partition Type: NTFS
Drive D: | 5.37 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
Drive E: | 57.25 Gb Total Space | 32.01 Gb Free Space | 55.92% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BROOKE
Current User Name: Brooke and Nick
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-842925246-606747145-682003330-1006\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\CA Personal Firewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiMalware]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
"DisableMonitoring" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
"DisableMonitoring" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\ftp.exe" = C:\WINDOWS\system32\ftp.exe:*:Disabled:File Transfer Program -- (Microsoft Corporation)
"C:\Program Files\Electronic Arts\EADM\Core.exe" = C:\Program Files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager -- (Electronic Arts)
"C:\Program Files\Games\Zoo Tycoon 2\zt.exe" = C:\Program Files\Games\Zoo Tycoon 2\zt.exe:*:Disabled:Zoo Tycoon 2 Executable -- File not found
"E:\Desktop\Copied stuff from F drive\Backup Data Disc 2\Magic\Manalink.exe" = E:\Desktop\Copied stuff from F drive\Backup Data Disc 2\Magic\Manalink.exe:*:Disabled:manalink -- (MicroProse Software, Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02A10468-2F1C-447C-AD8E-4DEDDEA25AE2}" = Medieval II Total War : Kingdoms : Crusades
"{02F6993D-B763-4F40-8F93-2A9CD97586E3}" = Microsoft IntelliType Pro 6.3
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{0CB9668D-F979-4F31-B8B8-67FE90F929F8}" = Bonjour
"{0DC86BEC-5CE3-413A-BB61-C40A3D186B24}" = Scan
"{11051835-560C-9E8F-C9B5-C376F4A46580}" = Catalyst Control Center Graphics Previews Common
"{14BEB6DF-A499-4A38-8E06-E173BCD5C087}" = ScannerCopy
"{16D354E4-63D4-B300-AFBC-8D22A94CE6D6}" = ccc-utility
"{17293791-C82E-476C-9997-9A0FF234A19B}" = HP Product Assistant
"{181821B7-82AA-44DA-9DAF-EF254CCB670A}" = Fax
"{1A655D51-1423-48A3-B748-8F5A0BE294C8}" = Microsoft Visual J# .NET Redistributable Package 1.1
"{1C2CD847-D196-079D-E004-C1D82B57E3A7}" = Catalyst Control Center Graphics Full Existing
"{1E99F5D7-4262-4C7C-9135-F066E7485811}" = System Requirements Lab
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{20FBC0A0-3160-4F14-83ED-3A74BB6B8C31}" = TrayApp
"{26A24AE4-039D-4CA4-87B4-2F83216013F0}" = Java(TM) 6 Update 13
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java(TM) 6 Update 18
"{2E8428AD-6CD2-4031-916A-3CF9BBF2DEC9}" = Unload
"{2EEC2A94-7204-45C6-93BB-67EAEB19E4D6}" = Safari
"{335B1821-D274-4EFD-9EFE-3C0FD38EBE65}" = BN eReader
"{342C7C88-D335-4bc2-8CF1-281857629CE2}" = HP PSC & OfficeJet 4.7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36FDBE6E-6684-462B-AE98-9A39A1B200CC}" = HP Product Assistant
"{37E9E443-FA8E-095F-CF2A-90A18B0B206B}" = CCC Help English
"{3D9892BB-A751-4E48-ADC8-E4289956CE1D}" = QuickTime
"{407B9B5C-DAC5-4F44-A756-B57CAB4E6A8B}" = Google Earth
"{442BE28B-782B-4DC0-B490-E70A403B1C69}" = Readme
"{448A1BF6-B110-5C4B-2220-30F5ECE6DD83}" = Catalyst Control Center Core Implementation
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}" = Adobe® Photoshop® Album Starter Edition 3.0
"{4F3C8CEE-89D6-891E-D728-80A8CF0DCB32}" = ccc-core-preinstall
"{606BC780-101C-41DB-808D-4539BFA0774A}" = MobileMe Control Panel
"{654870E9-EF38-D3B3-328C-ABA367163D15}" = Catalyst Control Center Graphics Full New
"{655CB07D-C944-40BE-B93F-55957CAC7625}" = AiO_Scan
"{66A9D30D-1464-4C7F-B2F3-507DADAF2595}" = Microsoft IntelliPoint 6.3
"{6815FCDD-401D-481E-BA88-31B4754C2B46}" = Macromedia Flash Player 8
"{68963635-14A4-48D9-B431-DF3A74D1AAE1}" = Destinations
"{6D8D64BE-F500-55B6-705D-DFD08AFE0624}" = Acrobat.com
"{700A6597-3CE6-49C1-AA75-846B24CDA66D}" = BufferChm
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{751910E3-ECF1-44D0-BF3F-2936A4424514}" = ImageMixer3
"{75983B66-804C-40D1-BA13-64DAF652A6F1}" = Medieval II Total War : Kingdoms : Americas
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7AD25C9F-9957-4D1C-95EF-9BCD09F6D31B}" = HPSystemDiagnostics
"{7AEE1963-7001-4C37-BC20-2FAEB74AA41C}" = Medieval II Total War : Kingdoms : Teutonic
"{7C3C895B-AE02-4F30-8A6A-051D37A38DD0}" = Final Draft
"{818ABC3C-635C-4651-8183-D0E9640B7DD1}" = HP Update
"{85991ED2-010C-4930-96FA-52F43C2CE98A}" = Apple Mobile Device Support
"{85CFD253-38AE-4DB1-ACB7-F0F4C791990D}" = AiOSoftware
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8CD8CCC0-3C5C-DF21-DAC3-D5834E803F1E}" = Catalyst Control Center Graphics Light
"{8F6A89F1-F04A-6FD8-1802-D7D5BAE382E1}" = ccc-core-static
"{8F7A4D82-B168-4F89-99C2-B9873EC877AF}" = HP Image Zone Express
"{91F7F3F3-CE80-48C3-8327-7D24A0A5716A}" = iTunes
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{9E1BAB75-EB78-440D-94C0-A3857BE2E733}" = System Requirements Lab
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A93944F2-D2D4-4750-BFE7-9A288FEAF2CF}" = Apple Application Support
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.4
"{B3B20D3D-92F9-5EBA-B557-CECA02984F05}" = Catalyst Control Center HydraVision Full
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B911B811-BA3E-46D4-90F8-6F3338359651}" = Director
"{BA26FFA5-6D47-47DB-BE56-34C357B5F8CC}" = The Sims™ 3 World Adventures
"{BEFBEDDF-1417-4C8A-92FB-F003C0D41199}" = OpenOffice.org 3.2
"{C05D8CDB-417D-4335-A38C-A0659EDFD6B8}" = The Sims™ 3
"{C0698BDA-0D29-40EE-8570-A31106DF9AB1}" = Medieval II Total War
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{C49067A8-8212-4A82-A4D9-1519701644F0}" = Citrix Presentation Server Client - Web Only
"{C9618743-1A5C-461E-91C4-E013A3D70F3C}" = Adobe® Photoshop® Album Starter Edition 3.0.1
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDFCF124-115F-4976-8BF4-08C89187A146}" = WebReg
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEDDEE73-3D36-41C2-AA40-29355D9FBD63}" = Medieval II Total War : Kingdoms : Britannia
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D3B1C799-CB73-42DE-BA0F-2344793A095C}" = Catalyst Control Center - Branding
"{D6DE02C7-1F47-11D4-9515-00105AE4B89A}" = Paint Shop Pro 7 ESD
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{F0601E2E-8FB3-1C63-F72D-54EB2F908767}" = Skins
"{F7B0939E-58DF-11DF-B3A6-005056806466}" = Google Earth
"ACDSee" = ACDSee
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"DECCHECK" = Microsoft Windows XP Video Decoder Checkup Utility
"EADM" = EA Download Manager
"EasyLinkAdvisor" = Linksys EasyLink Advisor 1.5 (1010)
"ERUNT_is1" = ERUNT 1.1j
"HP Photo & Imaging" = HP Image Zone 4.7
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InterActual Player" = InterActual Player
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PhotoToolkit_is1" = Photo Toolkit 1.7
"Picasa 3" = Picasa 3
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinGimp-2.0_is1" = GIMP 2.6.8
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-842925246-606747145-682003330-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/12/2010 8:24:05 AM | Computer Name = BROOKE | Source = Google Update | ID = 20
Description =

Error - 8/12/2010 8:30:05 AM | Computer Name = BROOKE | Source = Google Update | ID = 20
Description =

Error - 8/15/2010 12:58:35 PM | Computer Name = BROOKE | Source = Bonjour Service | ID = 100
Description = 244: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 8/15/2010 12:58:35 PM | Computer Name = BROOKE | Source = Bonjour Service | ID = 100
Description = 232: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 8/15/2010 12:58:35 PM | Computer Name = BROOKE | Source = Bonjour Service | ID = 100
Description = 392: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 8/15/2010 12:58:35 PM | Computer Name = BROOKE | Source = Bonjour Service | ID = 100
Description = 388: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 8/15/2010 12:58:35 PM | Computer Name = BROOKE | Source = Bonjour Service | ID = 100
Description = 404: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 8/26/2010 8:17:29 PM | Computer Name = BROOKE | Source = Bonjour Service | ID = 100
Description = 264: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 8/29/2010 11:35:33 AM | Computer Name = BROOKE | Source = Application Error | ID = 1000
Description = Faulting application pev.cfxxe, version 0.0.0.0, faulting module pev.cfxxe,
version 0.0.0.0, fault address 0x00082899.

Error - 8/29/2010 11:43:52 AM | Computer Name = BROOKE | Source = Application Error | ID = 1000
Description = Faulting application pev.cfxxe, version 0.0.0.0, faulting module pev.cfxxe,
version 0.0.0.0, fault address 0x0008d560.

[ System Events ]
Error - 8/30/2010 2:50:39 PM | Computer Name = BROOKE | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126

Error - 8/30/2010 2:50:41 PM | Computer Name = BROOKE | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
SBRE

Error - 8/31/2010 8:50:03 AM | Computer Name = BROOKE | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126

Error - 8/31/2010 8:50:04 AM | Computer Name = BROOKE | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
SBRE

Error - 8/31/2010 12:10:51 PM | Computer Name = BROOKE | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126

Error - 8/31/2010 12:11:27 PM | Computer Name = BROOKE | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
SBRE

Error - 8/31/2010 2:40:35 PM | Computer Name = BROOKE | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126

Error - 8/31/2010 2:40:35 PM | Computer Name = BROOKE | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
SBRE

Error - 9/1/2010 10:15:52 AM | Computer Name = BROOKE | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126

Error - 9/1/2010 10:15:53 AM | Computer Name = BROOKE | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
SBRE


< End of report >


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-01 14:01:20
Windows 5.1.2600 Service Pack 3
Running: w4v3o0ts.exe; Driver: C:\DOCUME~1\BROOKE~1\LOCALS~1\Temp\uwtdqpog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB9B71000, 0x1BDE76, 0xE8000020]

---- EOF - GMER 1.0.15 ----


Thank you for your help :)

peku006
2010-09-02, 09:47
Hi HeadlessChief

TFC (Temp File Cleaner)

Please download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
Save any unsaved work. TFC will close all open application windows.
Double-click TFC.exe to run the program.
If prompted, click Yes to reboot.


NOTE: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

Re-run ComboFix, please.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

Thanks peku006

HeadlessChief
2010-09-02, 15:18
I'm not sure if this matters, or if it helps, but at Stage 3 of ComboFix a warning popped up saying, Pev.cfxx has encountered an error & needs to close. I sent the crash report to Microsoft.
Also, for the first time ever after running ComboFix & getting the report, my computer went idle. My desktop was blank. I let it sit for a few minutes. When it looked as though it wasn't coming back, I rebooted & everything seemed back to normal.

ComboFix 10-09-01.04 - Brooke and Nick 09/02/2010 8:44.11.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.684 [GMT -4:00]
Running from: c:\documents and settings\Brooke and Nick\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-08-02 to 2010-09-02 )))))))))))))))))))))))))))))))
.

2010-08-29 17:24 . 2010-08-29 17:24 -------- d-----w- c:\program files\ERUNT
2010-08-29 16:32 . 2010-08-29 16:32 -------- d-----w- c:\program files\Safer Networking
2010-08-21 01:09 . 2010-08-21 01:09 -------- d-----w- c:\documents and settings\Brooke and Nick\Application Data\Image Zone Express
2010-08-21 01:01 . 2010-08-21 01:07 -------- d-----w- c:\documents and settings\Brooke and Nick\Application Data\Photo! Web Album
2010-08-17 19:40 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-17 19:40 . 2010-08-17 19:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-17 19:40 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-16 01:35 . 2010-08-16 01:35 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-08-16 01:35 . 2010-09-02 02:50 -------- d-----w- c:\documents and settings\Brooke and Nick\Application Data\skypePM
2010-08-16 01:33 . 2010-09-02 02:51 -------- d-----w- c:\documents and settings\Brooke and Nick\Application Data\Skype
2010-08-16 01:32 . 2010-08-16 01:32 -------- d-----w- c:\program files\Common Files\Skype
2010-08-16 01:32 . 2010-08-16 01:32 -------- d-----r- c:\program files\Skype
2010-08-16 01:31 . 2010-08-16 01:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-08-15 16:57 . 2010-08-15 16:57 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.17.8\SetupAdmin.exe
2010-08-15 16:54 . 2010-08-15 16:54 -------- d-----w- c:\program files\iPod
2010-08-15 16:45 . 2010-08-15 16:45 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-08-12 00:01 . 2010-08-12 00:01 -------- d-----w- c:\windows\system32\MpEngineStore
2010-08-10 15:09 . 2010-08-10 15:09 568832 ----a-w- c:\documents and settings\Brooke and Nick\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\13.tmp_\sun-pdfimport.oxt\msvcp90.dll
2010-08-10 15:09 . 2010-08-10 15:09 686080 ----a-w- c:\documents and settings\Brooke and Nick\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\13.tmp_\sun-pdfimport.oxt\pdfimport.uno.dll
2010-08-10 15:09 . 2010-08-10 15:09 655872 ----a-w- c:\documents and settings\Brooke and Nick\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\13.tmp_\sun-pdfimport.oxt\msvcr90.dll
2010-08-10 15:09 . 2010-08-10 15:09 583168 ----a-w- c:\documents and settings\Brooke and Nick\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\13.tmp_\sun-pdfimport.oxt\xpdfimport.exe
2010-08-10 15:09 . 2010-08-10 15:09 224768 ----a-w- c:\documents and settings\Brooke and Nick\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\13.tmp_\sun-pdfimport.oxt\msvcm90.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-02 11:05 . 2009-06-22 14:06 1 ----a-w- c:\documents and settings\Brooke and Nick\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-08-29 17:33 . 2009-05-19 15:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-29 16:03 . 2007-05-12 17:05 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-29 16:03 . 2009-02-27 16:11 -------- d-----w- c:\documents and settings\Brooke and Nick\Application Data\Microsoft Games
2010-08-29 16:03 . 2009-02-27 16:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Games
2010-08-24 04:46 . 2009-10-03 03:15 -------- d-----w- c:\program files\Paint Shop Pro 7
2010-08-21 01:00 . 2009-04-12 19:03 -------- d-----w- c:\program files\Web Photo Album
2010-08-17 19:40 . 2010-06-11 23:42 -------- d-----w- c:\documents and settings\Brooke and Nick\Application Data\Malwarebytes
2010-08-17 19:40 . 2010-06-11 23:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-15 17:00 . 2010-05-07 00:48 -------- d-----w- c:\program files\Safari
2010-08-15 16:56 . 2010-07-04 20:29 -------- d-----w- c:\program files\iTunes
2010-08-15 16:54 . 2007-08-17 01:13 -------- d-----w- c:\program files\Common Files\Apple
2010-08-02 23:16 . 2010-06-16 01:37 132220 ----a-w- c:\windows\system32\drivers\KmxAgent.asc
2010-07-26 01:20 . 2010-07-26 01:17 -------- d-----w- c:\program files\CA
2010-07-26 01:12 . 2010-07-26 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\CA
2010-07-26 01:05 . 2010-06-15 13:57 20232 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\SelfServe_rc.dll
2010-07-26 01:05 . 2010-06-15 13:57 243976 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\unicows.dll
2010-07-25 16:23 . 2007-01-02 03:05 -------- d-----w- c:\program files\GemMaster
2010-07-23 19:59 . 2009-02-27 18:45 72384 ----a-w- c:\documents and settings\Brooke and Nick\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-23 17:13 . 2009-06-22 14:00 -------- d-----w- c:\program files\OpenOffice.org 3
2010-07-23 02:09 . 2010-07-23 01:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-07-23 01:40 . 2010-07-23 01:40 120 ----a-w- c:\windows\Bfulez.dat
2010-07-23 01:40 . 2010-07-23 01:40 0 ----a-w- c:\windows\Eyuzuw.bin
2010-07-04 20:18 . 2007-05-12 17:03 -------- d-----w- c:\program files\QuickTime
2010-07-04 20:08 . 2010-07-04 20:07 -------- d-----w- c:\program files\Bonjour
2010-07-03 03:33 . 2007-01-09 00:18 72384 ----a-w- c:\documents and settings\Paul\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-30 12:31 . 2004-08-10 11:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-28 17:20 . 2010-06-28 17:20 72384 ----a-w- c:\documents and settings\New User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-24 12:15 . 2006-03-04 03:33 832512 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:15 . 2004-08-10 11:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-24 12:15 . 2004-08-10 11:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-06-23 13:44 . 2004-08-10 11:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-10 11:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-10 11:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-15 13:57 . 2010-06-15 13:57 615688 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\SelfServe.exe
2010-06-15 13:57 . 2010-06-15 13:57 353544 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\SoftwareUpdater.exe
2010-06-15 13:57 . 2010-06-15 13:57 632072 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\msvcr80.dll
2010-06-15 01:19 . 2010-06-15 01:19 71992 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.16.0\SetupAdmin.exe
2010-06-14 14:31 . 2007-01-02 02:51 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-10 11:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2007-06-21 22:38 . 2007-06-21 22:38 30280 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2007-06-21 22:38 . 2007-06-21 22:38 79432 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2007-06-21 22:38 . 2007-06-21 22:38 71240 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2007-06-21 22:38 . 2007-06-21 22:38 140872 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2007-06-21 22:39 . 2007-06-21 22:39 38472 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2007-06-21 22:39 . 2007-06-21 22:39 46664 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2007-06-21 22:39 . 2007-06-21 22:39 34376 ----a-w- c:\program files\mozilla firefox\plugins\logging.dll
2007-06-21 22:39 . 2007-06-21 22:39 685640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2007-06-21 22:40 . 2007-06-21 22:40 30280 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((( SnapShot_2010-08-29_15.45.05 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-02 12:38 . 2010-09-02 12:38 16384 c:\windows\temp\Perflib_Perfdata_76c.dat
+ 2010-09-02 10:59 . 2010-09-02 10:59 249856 c:\windows\ERDNT\AutoBackup\9-2-2010\Users\00000002\UsrClass.dat
+ 2010-09-02 10:59 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\9-2-2010\ERDNT.EXE
+ 2010-09-01 14:16 . 2010-09-01 14:16 249856 c:\windows\ERDNT\AutoBackup\9-1-2010\Users\00000002\UsrClass.dat
+ 2010-09-01 14:16 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\9-1-2010\ERDNT.EXE
+ 2010-08-31 12:50 . 2010-08-31 12:50 249856 c:\windows\ERDNT\AutoBackup\8-31-2010\Users\00000002\UsrClass.dat
+ 2010-08-31 12:50 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\8-31-2010\ERDNT.EXE
+ 2010-08-30 15:02 . 2010-08-30 15:03 249856 c:\windows\ERDNT\AutoBackup\8-30-2010\Users\00000002\UsrClass.dat
+ 2010-08-30 15:03 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\8-30-2010\ERDNT.EXE
+ 2010-08-29 17:37 . 2010-08-29 17:37 249856 c:\windows\ERDNT\AutoBackup\8-29-2010\Users\00000002\UsrClass.dat
+ 2010-08-29 17:37 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\8-29-2010\ERDNT.EXE
+ 2010-08-29 17:24 . 2010-08-29 17:24 249856 c:\windows\ERDNT\8-29-2010\Users\00000002\UsrClass.dat
+ 2010-08-29 17:24 . 2005-10-20 16:02 163328 c:\windows\ERDNT\8-29-2010\ERDNT.EXE
+ 2010-09-02 10:59 . 2010-09-02 10:59 9416704 c:\windows\ERDNT\AutoBackup\9-2-2010\Users\00000001\NTUSER.DAT
+ 2010-09-01 14:16 . 2010-09-01 14:16 9416704 c:\windows\ERDNT\AutoBackup\9-1-2010\Users\00000001\NTUSER.DAT
+ 2010-08-31 12:50 . 2010-08-31 12:50 9416704 c:\windows\ERDNT\AutoBackup\8-31-2010\Users\00000001\NTUSER.DAT
+ 2010-08-30 15:02 . 2010-08-30 15:02 9416704 c:\windows\ERDNT\AutoBackup\8-30-2010\Users\00000001\NTUSER.DAT
+ 2010-08-29 17:37 . 2010-08-29 17:37 9416704 c:\windows\ERDNT\AutoBackup\8-29-2010\Users\00000001\NTUSER.DAT
+ 2010-08-29 17:24 . 2010-08-29 17:24 9416704 c:\windows\ERDNT\8-29-2010\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-07-13 47904]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

c:\documents and settings\Brooke and Nick\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-07 03:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
2006-04-03 03:07 389120 ----a-w- c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 21:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-05-22 12:07 133104 ----atw- c:\documents and settings\Brooke and Nick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 20:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\I&F Viewer toolbar]
2006-10-28 01:34 65536 ----a-w- c:\program files\Photo Toolkit\IvBar\phototoolkitmem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2008-06-10 17:56 1406024 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-21 19:53 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
2008-06-10 17:56 1442888 ----a-w- c:\program files\Microsoft IntelliType Pro\itype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-19 02:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2009-02-04 03:21 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 19:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSWU-f36decbb"=2 (0x2)
"MSWU-38adf938"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiMalware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Desktop\\Copied stuff from F drive\\Backup Data Disc 2\\Magic\\Manalink.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S1 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/26/2009 10:50 AM 133104]
S4 MSWU-38adf938;MSWU-38adf938;c:\windows\system32\38adf938.exe --> c:\windows\system32\38adf938.exe [?]
S4 MSWU-f36decbb;MSWU-f36decbb;c:\windows\system32\f36decbb.exe --> c:\windows\system32\f36decbb.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-26 14:50]

2010-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-26 14:50]

2010-09-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-606747145-682003330-1006Core.job
- c:\documents and settings\Brooke and Nick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-22 12:07]

2010-09-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-606747145-682003330-1006UA.job
- c:\documents and settings\Brooke and Nick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-22 12:07]

2009-02-27 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2008-06-10 17:56]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://firefox/
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel
Trusted Zone: safer-networking.org\www
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Brooke and Nick\Application Data\Mozilla\Firefox\Profiles\vj8qx2x8.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - prefs.js: keyword.URL - hxxp://search.search-star.net/?sid=10101038100&s=
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\Brooke and Nick\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Brooke and Nick\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\Brooke and Nick\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-star.net/?sid=10101038100&s=
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-02 08:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(632)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3984)
c:\windows\system32\WININET.dll
c:\docume~1\BROOKE~1\LOCALS~1\Temp\catchme.dll
.
Completion time: 2010-09-02 08:55:32
ComboFix-quarantined-files.txt 2010-09-02 12:55
ComboFix2.txt 2010-08-29 15:50
ComboFix3.txt 2010-08-03 15:20
ComboFix4.txt 2010-08-02 23:36
ComboFix5.txt 2010-09-02 12:41

Pre-Run: 17,281,626,112 bytes free
Post-Run: 17,275,142,144 bytes free

- - End Of File - - 9F25CD167E401A7A802FDDA2F756F2CA

peku006
2010-09-02, 19:40
Hi HeadlessChief

please post the contents of c:\Qoobox\ComboFix-quarantined-files.txt.

HeadlessChief
2010-09-02, 19:49
2010-08-29 15:48:45 . 2010-08-29 15:48:45 1,388 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-{E2883E8F-472F-4fb0-9522-AC9BF37916A7}.reg.dat
2010-07-23 02:31:06 . 2010-07-23 02:31:06 626 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-$NtUninstallMTF1011$.reg.dat
2010-07-23 02:30:23 . 2010-07-23 02:30:23 147 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Wbobeseduz.reg.dat
2010-07-23 02:30:22 . 2010-07-23 02:30:23 200 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-vqwqybva.reg.dat
2010-07-23 02:30:22 . 2010-07-23 02:30:22 123 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-MChk.reg.dat
2010-07-23 02:30:22 . 2010-07-23 02:30:22 117 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-sta.reg.dat
2010-07-23 02:30:21 . 2010-07-23 02:30:21 199 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-vqwqybva.reg.dat
2010-07-23 02:30:20 . 2010-07-23 02:30:21 221 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-patchsetup70700.exe.reg.dat
2010-07-23 02:30:20 . 2010-07-23 02:30:20 144 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Slekocij.reg.dat
2010-07-23 02:09:04 . 2010-07-23 02:09:04 2,410 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_NetLogin.reg.dat
2010-07-23 02:09:04 . 2010-07-23 02:09:04 1,040 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_NETLOGIN.reg.dat
2010-07-23 01:40:38 . 2010-07-23 01:40:38 5,954 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Brooke and Nick\Local Settings\Application Data\{945BB068-01E9-4F7B-A946-7380DBA26D37}\chrome\content\overlay.xul.vir
2010-07-23 01:40:38 . 2010-07-23 01:40:38 2,140 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Brooke and Nick\Local Settings\Application Data\{945BB068-01E9-4F7B-A946-7380DBA26D37}\chrome\content\_cfg.js.vir
2010-07-23 01:40:38 . 2010-07-23 01:40:38 764 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Brooke and Nick\Local Settings\Application Data\{945BB068-01E9-4F7B-A946-7380DBA26D37}\install.rdf.vir
2010-07-23 01:40:38 . 2010-07-23 01:40:38 122 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Brooke and Nick\Local Settings\Application Data\{945BB068-01E9-4F7B-A946-7380DBA26D37}\chrome.manifest.vir
2010-07-23 01:38:55 . 2010-07-23 01:38:55 1,219 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Brooke and Nick\Application Data\Microsoft\Internet Explorer\Quick Launch\Antimalware Doctor.lnk.vir
2010-07-23 01:38:54 . 2010-07-23 01:38:55 1,253 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Brooke and Nick\Start Menu\Programs\Startup\Antimalware Doctor.lnk.vir
2010-07-23 01:38:54 . 2010-07-23 01:38:54 2,287 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Brooke and Nick\Start Menu\Programs\Antimalware Doctor\Uninstall.lnk.vir
2010-07-23 01:38:54 . 2010-07-23 01:38:54 1,253 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Brooke and Nick\Start Menu\Programs\Antimalware Doctor\Antimalware Doctor.lnk.vir
2010-07-23 01:38:53 . 2010-07-23 01:38:53 1,241 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Brooke and Nick\Start Menu\Antimalware Doctor.lnk.vir
2010-07-23 01:38:53 . 2010-07-23 01:38:53 1,241 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Brooke and Nick\Desktop\Antimalware Doctor.lnk.vir
2010-07-23 01:38:50 . 2010-07-23 01:39:04 150 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallMTF1011$\zrpt.xml.vir
2010-07-23 01:38:50 . 2010-07-23 01:38:50 64,235 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallMTF1011$\apUninstall.exe.vir
2010-07-23 01:38:35 . 2010-07-23 01:38:35 28,842 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Brooke and Nick\Application Data\AB0D030D038FD8DE7AAAB5A7168A8006\enemies-names.txt.vir
2010-07-23 01:38:35 . 2010-07-23 01:38:35 26,204 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Brooke and Nick\Application Data\AB0D030D038FD8DE7AAAB5A7168A8006\local.ini.vir
2010-07-22 11:17:34 . 2010-07-22 11:17:34 2,076 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\searchplugins\google_search.xml.vir
2010-07-15 23:04:48 . 2010-07-15 23:04:48 612 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-avgnt.reg.dat
2010-06-11 23:34:25 . 2010-06-11 23:34:25 590 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-M5T8QL3YW3.reg.dat
2010-06-11 23:16:05 . 2010-06-11 23:16:05 1,020 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_ffwqqt.reg.dat
2010-06-11 23:15:17 . 2010-09-02 12:50:01 6,705 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-06-11 23:06:24 . 2010-09-02 12:40:57 1,479 ----a-w- C:\Qoobox\Quarantine\catchme.log
2010-05-28 22:03:01 . 2010-05-28 22:03:01 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\VolumeMSPrLam.dll.vir
2009-07-15 02:56:10 . 2009-07-15 02:56:10 416,206 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\Temp\eReader_Install\eReader.ico.vir

peku006
2010-09-02, 20:23
Hi HeadlessChief

Malwarebytes' Anti-Malware


Open Malwarebytes' Anti-Malware
Select the Update tab
Click Check for Updates
After the update has been completed, select the Scanner tab.
Make sure the "Perform full scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
Click on the Show Results button to see a list of any malware that was found.
Check all items except items in the C:\System Volume Information folder... then click on Remove Selected.
We will take care of the System Volume Information items later.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Please reply with

Malwarebytes' Anti-Malware Log

Thanks peku006

HeadlessChief
2010-09-02, 22:47
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4532

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

9/2/2010 4:04:06 PM
mbam-log-2010-09-02 (16-04-06).txt

Scan type: Full scan (C:\|E:\|)
Objects scanned: 255359
Time elapsed: 1 hour(s), 34 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

peku006
2010-09-03, 09:45
Hi HeadlessChief

I do not see anything suspicious.

TFC (Temp File Cleaner)


Please download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
Save any unsaved work. TFC will close all open application windows.
Double-click TFC.exe to run the program.
If prompted, click Yes to reboot.


NOTE: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

ESET online scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.


Hold down Control, then click on the following link to open a new window to the ESET online scanner (http://www.eset.com/onlinescan/)
Then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS1.gif

Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox. Select the option YES, I accept the Terms of Use, then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif
When prompted allow the Add-On/Active X to install.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:

Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif
The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
When completed the Online Scan will begin automatically.
Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif
Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
Copy and paste that log as a reply to this topic.

Thanks peku006

HeadlessChief
2010-09-03, 19:25
Ran all of those - here is the ESET log file...

C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallMTF1011$\apUninstall.exe.vir Win32/Adware.Lifze.O application
E:\Desktop\Copied stuff from F drive\Backup Data Disc 1\Writings\New Folder\Install_AIM.exe

Those were the only two things that it found. There was not a log file in the directory you specified - I didn't see somewhere to export the log file.

Thank you for all of your help!

peku006
2010-09-04, 08:33
Hi HeadlessChief

Looks good.

Security Check
Please download Security Check (http://screen317.spywareinfoforum.org/SecurityCheck.exe) ... by screen317. Save it to your desktop.
Alternate download site: Link 2 (http://screen317.changelog.fr/SecurityCheck.exe)
Double click the SecurityCheck.exe icon to begin.
Press the Space Bar when you see the "press any key to continue..." message.
A Notepad results file will open automatically called checkup.txt
Save "checkup.txt" to your desktop. (This output file is NOT automatically saved!)
Please copy/paste the entire contents of the checkup.txt file into your next reply.

Thanks peku006

HeadlessChief
2010-09-04, 15:57
Results of screen317's Security Check version 0.99.5
Windows XP Service Pack 3
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
Java(TM) 6 Update 13
Java(TM) 6 Update 18
Out of date Java installed!
Adobe Flash Player 10.1.82.76
Adobe Reader 9.3.4
Mozilla Firefox (3.6.8)
````````````````````````````````
Process Check:
objlist.exe by Laurent
````````````````````````````````
DNS Vulnerability Check:
Unknown. This method cannot test your vulnerability to DNS cache poisoning. (Wireless connection?)

``````````End of Log````````````

peku006
2010-09-05, 09:38
Hi HeadlessChief

Your Java is out of date.

Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update.
Download the latest version of Java Runtime Environment (JRE) 21 (http://java.sun.com/javase/downloads/index.jsp) and save it to your desktop.
Scroll down to where it says JDK 6 Update 21 (JDK or JRE)
Click the Download JRE button to the right
Select the Windows platform from the dropdown menu.
Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u21 with JavaFX 1 License Agreement". Click on Continue. The page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u21-windows-i586.exe to install the newest version.
After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
On the General tab, under Temporary Internet Files, click the Settings button.
Next, click on the Delete Files button
There are two options in the window to clear the cache - Leave BOTH Checked
Applications and Applets
Trace and Log Files
Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE. Click OK to leave the Temporary Files Window
Click OK to leave the Java Control Panel.


How's the computer running now?

Thanks peku006

HeadlessChief
2010-09-05, 17:55
Java is now updated. Thank you. :crowned:

I'm not sure how to answer your question about how the computer is running now. Besides being a little slow every once in a while, we didn't know there was still a problem until we got the spam/virus E-mail from ourselves. The virus has been able to hide from Malwarebytes for a long time. So, I'm not sure if the computer is clean.

peku006
2010-09-05, 18:10
Hi HeadlessChief

Download and run OTS

Download OTS (http://oldtimer.geekstogo.com/OTS.exe) by Oldtimer to your Desktop and double-click on it to extract the files.

NOTE: You must be logged on to the system with an account that has Administrator privileges to run this program.

Close ALL OTHER PROGRAMS.
Double-click on OTS.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
Click the Scan All Users checkbox on the toolbar.
Do not change any other settings.
Now click the Run Scan button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Close Notepad (saving the change if necessary).


Thanks peku006
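
An added example, not part of this thread and not code from OldTimer's OTS tool: a small Python triage helper for the kind of OTS report requested above. It reads the service and driver sections for entries whose binary is reported as "File not found" (a registration left behind after its file was removed, which is what a helper usually asks to have cleaned up next) and the Firefox prefs.js section for a keyword.URL that sends address-bar searches somewhere other than the expected search engine. The sample report lines are constructed for the example and modelled on the OTS line format; the hijack URL and the trusted-host list are placeholders, not values from this thread.

```python
"""Triage helper for an OTS report (added example, not OTS code).

Reads the "[Win32 Services - Safe List]" and "[Driver Services - Safe List]"
sections for entries whose binary is reported as "File not found", and the
Firefox prefs.js entries for a keyword.URL that points somewhere other than
the search engine the profile is expected to use.
"""
import re
from urllib.parse import urlparse

# Constructed sample, modelled on the OTS line format (not a real report).
SAMPLE_LOG = r"""
[Win32 Services - Safe List]
(MSWU-f36decbb) MSWU-f36decbb [Disabled | Stopped] -> C:\WINDOWS\System32\f36decbb.exe -> File not found
(Apple Mobile Device) Apple Mobile Device [Auto | Running] -> C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -> [2010/06/10 21:03:08 | 000,144,176 | ---- | M] (Apple Inc.)

[Driver Services - Safe List]
(SBRE) SBRE [Kernel | System | Stopped] -> C:\WINDOWS\System32\drivers\SBREdrv.sys -> File not found
(NuidFltr) NUID filter driver [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\nuidfltr.sys -> [2009/05/09 01:14:20 | 000,014,736 | ---- | M] (Microsoft Corporation)

[Registry - Safe List]
< FireFox Settings [Prefs.js] > -> C:\Documents and Settings\User\Application Data\Mozilla\FireFox\Profiles\abcd1234.default\prefs.js ->
browser.search.selectedEngine -> "Google" ->
keyword.URL -> "http://search.hijack-example.invalid/?sid=0&s=" ->
"""

# "(key) Display Name [State] -> path -> file info"
SERVICE_RE = re.compile(
    r"^\((?P<key>[^)]+)\) (?P<display>.*?) \[(?P<state>[^\]]+)\] -> "
    r"(?P<path>.*?) -> (?P<info>.*)$"
)
# "pref.name -> value ->"
PREF_RE = re.compile(r"^(?P<key>[\w.]+) -> (?P<value>.*?) ->$")

SERVICE_SECTIONS = ("Win32 Services - Safe List", "Driver Services - Safe List")


def iter_lines(report):
    """Yield (section, line) for each non-empty line, tracking [Section] headers."""
    section = None
    for raw in report.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        yield section, line


def missing_service_binaries(report):
    """Return [(service_key, path)] for service/driver entries whose file is missing.

    A registration pointing at a file no longer on disk is usually residue of
    something already removed; listing it lets the helper decide whether the
    orphaned registration should be deleted.
    """
    hits = []
    for section, line in iter_lines(report):
        if section not in SERVICE_SECTIONS:
            continue
        m = SERVICE_RE.match(line)
        if m and m.group("info") == "File not found":
            hits.append((m.group("key"), m.group("path")))
    return hits


def keyword_url_overrides(report, trusted_hosts=("www.google.com", "google.com")):
    """Return keyword.URL values whose host is not one of trusted_hosts.

    trusted_hosts is an assumed default for the example; set it to the search
    engine the profile is actually expected to use.
    """
    overrides = []
    for section, line in iter_lines(report):
        if section != "Registry - Safe List":
            continue
        m = PREF_RE.match(line)
        if not m or m.group("key") != "keyword.URL":
            continue
        url = m.group("value").strip('"')
        host = (urlparse(url).hostname or "").lower()
        if host not in trusted_hosts:
            overrides.append(url)
    return overrides


if __name__ == "__main__":
    for key, path in missing_service_binaries(SAMPLE_LOG):
        print(f"orphaned service/driver: {key} -> {path}")
    for url in keyword_url_overrides(SAMPLE_LOG):
        print(f"keyword.URL override: {url}")
```

Run it against a saved OTS report by passing the file's contents to the two functions; the section tracking is what keeps the "File not found" test from firing on registry lines that merely mention a missing file, such as the policy entries, which the thread's log shows also end in that phrase.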

HeadlessChief
2010-09-05, 19:26
I wasn't sure if you wanted it posted...:flowers:


OTS logfile created on: 9/5/2010 1:14:08 PM - Run 1
OTS by OldTimer - Version 3.1.36.0 Folder = C:\Documents and Settings\Brooke and Nick\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 670.00 Mb Available Physical Memory | 65.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.47 Gb Total Space | 14.06 Gb Free Space | 18.88% Space Free | Partition Type: NTFS
Drive D: | 5.37 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
Drive E: | 57.25 Gb Total Space | 31.40 Gb Free Space | 54.85% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BROOKE
Current User Name: Brooke and Nick
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days

[Processes - Safe List]
ots.exe -> C:\Documents and Settings\Brooke and Nick\Desktop\OTS.exe -> [2010/09/05 13:12:24 | 000,641,024 | ---- | M] (OldTimer Tools)
applemobiledeviceservice.exe -> C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -> [2010/06/10 21:03:08 | 000,144,176 | ---- | M] (Apple Inc.)
astsrv.exe -> C:\WINDOWS\system32\ASTSRV.EXE -> [2009/06/15 12:54:16 | 000,061,760 | ---- | M] (Nalpeiron Ltd.)
explorer.exe -> C:\WINDOWS\explorer.exe -> [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation)
hpzipm12.exe -> C:\WINDOWS\system32\HPZipm12.exe -> [2007/08/09 03:27:52 | 000,073,728 | ---- | M] (HP)
devldr32.exe -> C:\WINDOWS\system32\devldr32.exe -> [2001/08/17 18:36:42 | 000,024,064 | ---- | M] (Creative Technology Ltd.)

[Modules - Safe List]
ots.exe -> C:\Documents and Settings\Brooke and Nick\Desktop\OTS.exe -> [2010/09/05 13:12:24 | 000,641,024 | ---- | M] (OldTimer Tools)
msscript.ocx -> C:\WINDOWS\system32\msscript.ocx -> [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation)

[Win32 Services - Safe List]
(MSWU-f36decbb) MSWU-f36decbb [Disabled | Stopped] -> C:\WINDOWS\System32\f36decbb.exe -> File not found
(MSWU-38adf938) MSWU-38adf938 [Disabled | Stopped] -> C:\WINDOWS\System32\38adf938.exe -> File not found
(getPlusHelper) getPlus(R) Helper [On_Demand | Stopped] -> C:\Program Files\NOS\bin\getPlus_Helper.dll -> File not found
(Apple Mobile Device) Apple Mobile Device [Auto | Running] -> C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -> [2010/06/10 21:03:08 | 000,144,176 | ---- | M] (Apple Inc.)
(astcc) AST Service [Auto | Running] -> C:\WINDOWS\system32\ASTSRV.EXE -> [2009/06/15 12:54:16 | 000,061,760 | ---- | M] (Nalpeiron Ltd.)
(Pml Driver HPZ12) Pml Driver HPZ12 [Auto | Running] -> C:\WINDOWS\system32\HPZipm12.exe -> [2007/08/09 03:27:52 | 000,073,728 | ---- | M] (HP)

[Driver Services - Safe List]
(SBRE) SBRE [Kernel | System | Stopped] -> C:\WINDOWS\System32\drivers\SBREdrv.sys -> File not found
(catchme) catchme [Kernel | On_Demand | Stopped] -> C:\DOCUME~1\BROOKE~1\LOCALS~1\Temp\catchme.sys -> File not found
(NuidFltr) NUID filter driver [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\nuidfltr.sys -> [2009/05/09 01:14:20 | 000,014,736 | ---- | M] (Microsoft Corporation)
(ati2mtag) ati2mtag [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\ati2mtag.sys -> [2009/02/04 03:27:21 | 003,488,768 | ---- | M] (ATI Technologies Inc.)
(gameenum) Game Port Enumerator [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\gameenum.sys -> [2008/04/13 14:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation)
(GoProto) GoProto Protocol Driver [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\goprot51.sys -> [2007/04/15 18:20:18 | 000,029,184 | ---- | M] (Gteko Ltd.)
(rtl8139) Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\RTL8139.sys -> [2004/08/03 18:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation)
(nv) nv [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\nv4_mini.sys -> [2004/08/03 18:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation)
(MODEMCSA) Unimodem Streaming Filter Device [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\MODEMCSA.sys -> [2001/08/17 09:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation)
(sfman) Creative SoundFont Manager Driver (WDM) [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\sfmanm.sys -> [2001/08/17 08:19:34 | 000,036,480 | ---- | M] (Creative Technology Ltd.)
(emu10k1) Creative Interface Manager Driver (WDM) [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\ctlfacem.sys -> [2001/08/17 08:19:28 | 000,006,912 | ---- | M] (Creative Technology Ltd.)
(emu10k) Creative SB Live! (WDM) [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\emu10k1m.sys -> [2001/08/17 08:19:26 | 000,283,904 | ---- | M] (Creative Technology Ltd.)
(ctljystk) Creative SBLive! Gameport [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\ctljystk.sys -> [2001/08/17 08:19:20 | 000,003,712 | ---- | M] (Creative Technology Ltd.)

[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> ->
HKEY_LOCAL_MACHINE\: Main\\"Local Page" -> %SystemRoot%\system32\blank.htm ->
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > -> ->
HKEY_USERS\.DEFAULT\: "ProxyEnable" -> 0 ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > -> ->
HKEY_USERS\S-1-5-18\: "ProxyEnable" -> 0 ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-19\] > -> ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-20\] > -> ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-842925246-606747145-682003330-1006\] > -> ->
HKEY_USERS\S-1-5-21-842925246-606747145-682003330-1006\: Main\\"Default_Search_URL" -> http://www.google.com/ie ->
HKEY_USERS\S-1-5-21-842925246-606747145-682003330-1006\: Search\\"Default_Search_URL" -> http://www.google.com/ie ->
HKEY_USERS\S-1-5-21-842925246-606747145-682003330-1006\: Search\\"SearchAssistant" -> http://www.google.com/ie ->
HKEY_USERS\S-1-5-21-842925246-606747145-682003330-1006\: SearchURL\\"" -> http://www.google.com/search?q=%s ->
HKEY_USERS\S-1-5-21-842925246-606747145-682003330-1006\: "ProxyEnable" -> 0 ->
HKEY_USERS\S-1-5-21-842925246-606747145-682003330-1006\: "ProxyOverride" -> <local> ->
< FireFox Settings [Prefs.js] > -> C:\Documents and Settings\Brooke and Nick\Application Data\Mozilla\FireFox\Profiles\vj8qx2x8.default\prefs.js ->
browser.search.order.1 -> "Google" ->
browser.search.selectedEngine -> "Google" ->
browser.startup.homepage -> "http://google.com/" ->
extensions.enabledItems -> {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1 ->
extensions.enabledItems -> 6 ->
extensions.enabledItems -> 2 ->
extensions.enabledItems -> 41 ->
extensions.enabledItems -> jqs@sun.com:1.0 ->
extensions.enabledItems -> moveplayer@movenetworks.com:7 ->
extensions.enabledItems -> {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21 ->
keyword.URL -> "http://search.search-star.net/?sid=10101038100&s=" ->
< FireFox Settings [User.js] > -> C:\Documents and Settings\Brooke and Nick\Application Data\Mozilla\FireFox\Profiles\vj8qx2x8.default\user.js ->
browser.search.selectedEngine -> "Google" ->
browser.search.order.1 -> "Google" ->
keyword.URL -> "http://search.search-star.net/?sid=10101038100&s=" ->
< FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
HKLM\software\mozilla\Firefox\extensions -> ->
HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions -> ->
HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components -> C:\Program Files\Mozilla Firefox\components [C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS] -> [2010/07/28 16:23:54 | 000,000,000 | ---D | M]
HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins -> C:\Program Files\Mozilla Firefox\plugins [C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS] -> [2010/09/05 11:43:31 | 000,000,000 | ---D | M]
HKLM\software\mozilla\Thunderbird\Extensions -> ->
< FireFox Extensions [User Folders] > ->
-> C:\Documents and Settings\Brooke and Nick\Application Data\Mozilla\Extensions -> [2009/02/27 10:27:36 | 000,000,000 | ---D | M]
-> C:\Documents and Settings\Brooke and Nick\Application Data\Mozilla\Firefox\Profiles\vj8qx2x8.default\extensions -> [2010/09/05 11:44:38 | 000,000,000 | ---D | M]
Microsoft .NET Framework Assistant -> C:\Documents and Settings\Brooke and Nick\Application Data\Mozilla\Firefox\Profiles\vj8qx2x8.default\extensions\{20a82645-c095-46ed-80e3-08825760534b} -> [2010/04/26 21:45:05 | 000,000,000 | ---D | M]
Adobe DLM (powered by getPlus(R)) -> C:\Documents and Settings\Brooke and Nick\Application Data\Mozilla\Firefox\Profiles\vj8qx2x8.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7} -> [2009/08/18 19:45:24 | 000,000,000 | ---D | M]
< FireFox Extensions [Program Folders] > ->
-> C:\Program Files\Mozilla Firefox\extensions -> [2010/09/05 11:44:38 | 000,000,000 | ---D | M]
Java Console -> C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} -> [2010/09/05 11:43:33 | 000,000,000 | ---D | M]
< HOSTS File > ([2010/08/29 12:49:21 | 000,416,183 | R--- | M] - 14416 lines) -> C:\WINDOWS\system32\drivers\etc\hosts ->
First 25 entries...
Reset Hosts
127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com
127.0.0.1 10sek.com
127.0.0.1 www.10sek.com
127.0.0.1 www.1-2005-search.com
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-842925246-606747145-682003330-1006\] > -> HKEY_USERS\S-1-5-21-842925246-606747145-682003330-1006\Software\Microsoft\Internet Explorer\Toolbar\ ->
WebBrowser\\"{10134636-E7AF-4AC5-A1DC-C7C44BB97D81}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
"AppleSyncNotifier" -> C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe] -> [2010/07/13 15:10:30 | 000,047,904 | ---- | M] (Apple Inc.)
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
< Brooke and Nick Startup Folder > -> C:\Documents and Settings\Brooke and Nick\Start Menu\Programs\Startup ->
C:\Documents and Settings\Brooke and Nick\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk -> C:\Program Files\ERUNT\AUTOBACK.EXE -> [2005/10/20 12:04:08 | 000,038,912 | ---- | M] ()
< Default User Startup Folder > -> C:\Documents and Settings\Default User\Start Menu\Programs\Startup ->
< Jen Startup Folder > -> C:\Documents and Settings\Jen\Start Menu\Programs\Startup ->
< New User Startup Folder > -> C:\Documents and Settings\New User\Start Menu\Programs\Startup ->
< Paul Startup Folder > -> C:\Documents and Settings\Paul\Start Menu\Programs\Startup ->
< Software Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer ->
< Software Policy Settings [HKEY_USERS\S-1-5-21-842925246-606747145-682003330-1006] > -> HKEY_USERS\S-1-5-21-842925246-606747145-682003330-1006\SOFTWARE\Policies\Microsoft\Internet Explorer ->
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"HonorAutoRunSetting" -> [1] -> File not found
\\"NoDriveAutoRun" -> [67108863] -> File not found
\\"NoDriveTypeAutoRun" -> [323] -> File not found
\\"NoDrives" -> [0] -> File not found
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
\\"InstallVisualStyle" -> C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles [C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles] -> [2004/08/10 07:39:00 | 001,347,728 | ---- | M] (Microsoft)
\\"InstallTheme" -> C:\WINDOWS\Resources\Themes\Royale.Theme [C:\WINDOWS\Resources\Themes\Royale.theme] -> [2004/07/28 06:03:28 | 000,001,293 | ---- | M] ()
< CurrentVersion Policy Settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [323] -> File not found
\\"CDRAutoRun" -> [0] -> File not found
\\"NoDriveAutoRun" -> [67108863] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-18] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [323] -> File not found
\\"CDRAutoRun" -> [0] -> File not found
\\"NoDriveAutoRun" -> [67108863] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-18] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-19] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [145] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-20] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [145] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-842925246-606747145-682003330-1006] > -> HKEY_USERS\S-1-5-21-842925246-606747145-682003330-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\S-1-5-21-842925246-606747145-682003330-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [323] -> File not found
\\"_NoDriveTypeAutoRun" -> [145] -> File not found
\\"NoDriveAutoRun" -> [67108863] -> File not found
\\"NoDrives" -> [0] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-842925246-606747145-682003330-1006] > -> HKEY_USERS\S-1-5-21-842925246-606747145-682003330-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
< Internet Explorer Menu Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\MenuExt\ ->
E&xport to Microsoft Excel -> C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE [res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000] -> File not found
< Internet Explorer Menu Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\MenuExt\ ->
E&xport to Microsoft Excel -> C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE [res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000] -> File not found
< Internet Explorer Menu Extensions [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\MenuExt\ ->
Add to Google Photos Screensa&ver -> C:\WINDOWS\System32\GPhotos.scr [res://C:\WINDOWS\system32\GPhotos.scr/200] -> [2010/06/02 22:41:44 | 003,600,384 | ---- | M] (Google Inc.)
< Internet Explorer Menu Extensions [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\MenuExt\ ->
Add to Google Photos Screensa&ver -> C:\WINDOWS\System32\GPhotos.scr [res://C:\WINDOWS\system32\GPhotos.scr/200] -> [2010/06/02 22:41:44 | 003,600,384 | ---- | M] (Google Inc.)
< Internet Explorer Menu Extensions [HKEY_USERS\S-1-5-21-842925246-606747145-682003330-1006\] > -> HKEY_USERS\S-1-5-21-842925246-606747145-682003330-1006\Software\Microsoft\Internet Explorer\MenuExt\ ->
Add to Google Photos Screensa&ver -> C:\WINDOWS\System32\GPhotos.scr [res://C:\WINDOWS\system32\GPhotos.scr/200] -> [2010/06/02 22:41:44 | 003,600,384 | ---- | M] (Google Inc.)
E&xport to Microsoft Excel -> Reg Error: Value error. [Reg Error: Value error.] -> File not found
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ ->
< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 7401 domain(s) found. ->
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. ->
< Trusted Sites Domains [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 7401 domain(s) found. ->
< Trusted Sites Ranges [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. ->
< Trusted Sites Domains [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 7401 domain(s) found. ->
< Trusted Sites Ranges [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. ->
< Trusted Sites Domains [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. ->
< Trusted Sites Ranges [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Trusted Sites Domains [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. ->
< Trusted Sites Ranges [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Trusted Sites Domains [HKEY_USERS\S-1-5-21-842925246-606747145-682003330-1006\] > -> HKEY_USERS\S-1-5-21-842925246-606747145-682003330-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_USERS\S-1-5-21-842925246-606747145-682003330-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 7401 domain(s) found. ->
www_safer-networking.org [https] -> Trusted sites ->
< Trusted Sites Ranges [HKEY_USERS\S-1-5-21-842925246-606747145-682003330-1006\] > -> HKEY_USERS\S-1-5-21-842925246-606747145-682003330-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_USERS\S-1-5-21-842925246-606747145-682003330-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. ->
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{406B5949-7190-4245-91A9-30A17DE16AD0} [HKLM] -> http://photo.walgreens.com/WalgreensActivia.cab [Snapfish Activia] ->
{5ED80217-570B-4DA9-BF44-BE107C0EC166} [HKLM] -> http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab [Windows Live Safety Center Base Module] ->
{644E432F-49D3-41A1-8DD5-E099162EEEC5} [HKLM] -> http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab [Symantec RuFSI Utility Class] ->
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} [HKLM] -> http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183257388593 [MUWebControl Class] ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab [Java Plug-in 1.6.0_21] ->
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} [HKLM] -> http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab [Reg Error: Key error.] ->
{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab [Java Plug-in 1.6.0_21] ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab [Java Plug-in 1.6.0_21] ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} [HKLM] -> http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab [Shockwave Flash Object] ->
Microsoft XML Parser for Java [HKLM] -> file://C:\WINDOWS\Java\classes\xmldso.cab [Reg Error: Key error.] ->
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ ->
DhcpNameServer -> 65.32.5.111 65.32.5.112 ->
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{4B48B2D9-AB34-4C0D-9609-A7ECCBBE1277}\\DhcpNameServer -> 65.32.5.111 65.32.5.112 (Intel(R) PRO/100+ PCI Adapter) ->
{DBC3AC70-79EE-4786-90B5-65133850EB66}\\DhcpNameServer -> 66.90.0.6 216.53.130.3 (Realtek RTL8139 Family PCI Fast Ethernet NIC) ->
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell ->
Explorer.exe -> C:\WINDOWS\explorer.exe -> [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> ->
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
AtiExtEvent -> C:\WINDOWS\System32\ati2evxx.dll -> [2009/02/04 00:43:29 | 000,155,648 | ---- | M] (ATI Technologies Inc.)
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List ->
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List ->
"C:\Program Files\Electronic Arts\EADM\Core.exe" -> C:\Program Files\Electronic Arts\EADM\Core.exe [C:\Program Files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager] -> [2009/09/03 17:17:14 | 003,342,336 | ---- | M] (Electronic Arts)
"C:\Program Files\iTunes\iTunes.exe" -> C:\Program Files\iTunes\iTunes.exe [C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes] -> [2010/07/21 15:53:00 | 010,358,568 | ---- | M] (Apple Inc.)
"C:\WINDOWS\system32\ftp.exe" -> C:\WINDOWS\System32\ftp.exe [C:\WINDOWS\system32\ftp.exe:*:Disabled:File Transfer Program] -> [2008/04/13 20:12:20 | 000,042,496 | ---- | M] (Microsoft Corporation)
"E:\Desktop\Copied stuff from F drive\Backup Data Disc 2\Magic\Manalink.exe" -> E:\Desktop\Copied stuff from F drive\Backup Data Disc 2\Magic\Manalink.exe [E:\Desktop\Copied stuff from F drive\Backup Data Disc 2\Magic\Manalink.exe:*:Disabled:manalink] -> [2001/07/11 06:10:50 | 000,306,176 | ---- | M] (MicroProse Software, Inc.)
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot ->
< CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->
"AutoRun" -> 1 ->
"DisplayName" -> CD-ROM Driver ->
"ImagePath" -> [system32\DRIVERS\cdrom.sys] -> File not found
< Drives with AutoRun files > -> ->
C:\AUTOEXEC.BAT [] -> C:\AUTOEXEC.BAT [ NTFS ] -> [2007/01/01 22:54:38 | 000,000,000 | ---- | M] ()
D:\Autorun.exe [MZ | ] -> D:\Autorun.exe [ UDF ] -> [2009/10/16 06:51:33 | 000,054,544 | R--- | M] (Electronic Arts)
D:\Autorun.inf [[autorun] | open=Autorun.exe | icon=Sims3EP01.ico | ] -> D:\Autorun.inf [ UDF ] -> [2009/09/21 15:58:35 | 000,000,049 | R--- | M] ()
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 ->
< Registry Shell Spawning - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command ->
comfile [open] -> "%1" %* ->
exefile [open] -> "%1" %* ->
< File Associations - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\ ->
.com [@ = ComFile] -> "%1" %* ->
.exe [@ = exefile] -> "%1" %* ->


[Files/Folders - Created Within 30 Days]
OTS.exe -> C:\Documents and Settings\Brooke and Nick\Desktop\OTS.exe -> [2010/09/05 13:12:25 | 000,641,024 | ---- | C] (OldTimer Tools)
Java -> C:\Program Files\Common Files\Java -> [2010/09/05 11:44:06 | 000,000,000 | ---D | C]
deployJava1.dll -> C:\WINDOWS\System32\deployJava1.dll -> [2010/09/05 11:43:31 | 000,423,656 | ---- | C] (Sun Microsystems, Inc.)
javaws.exe -> C:\WINDOWS\System32\javaws.exe -> [2010/09/05 11:43:31 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.)
javaw.exe -> C:\WINDOWS\System32\javaw.exe -> [2010/09/05 11:43:31 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.)
java.exe -> C:\WINDOWS\System32\java.exe -> [2010/09/05 11:43:31 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.)
javacpl.cpl -> C:\WINDOWS\System32\javacpl.cpl -> [2010/09/05 11:43:31 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.)
Nick Work Stuff -> C:\Documents and Settings\Brooke and Nick\Desktop\Nick Work Stuff -> [2010/09/03 14:01:00 | 000,000,000 | ---D | C]
TFC(2).exe -> C:\Documents and Settings\Brooke and Nick\Desktop\TFC(2).exe -> [2010/09/03 10:20:08 | 000,446,464 | ---- | C] (OldTimer Tools)
RECYCLER -> C:\RECYCLER -> [2010/09/03 01:12:35 | 000,000,000 | -HSD | C]
ComboFix -> C:\ComboFix -> [2010/09/02 08:40:55 | 000,000,000 | ---D | C]
TFC.exe -> C:\Documents and Settings\Brooke and Nick\Desktop\TFC.exe -> [2010/09/02 08:34:41 | 000,446,464 | ---- | C] (OldTimer Tools)
OTL.exe -> C:\Documents and Settings\Brooke and Nick\Desktop\OTL.exe -> [2010/09/01 10:48:47 | 000,574,976 | ---- | C] (OldTimer Tools)
ERUNT -> C:\Program Files\ERUNT -> [2010/08/29 13:24:09 | 000,000,000 | ---D | C]
Safer Networking -> C:\Program Files\Safer Networking -> [2010/08/29 12:32:59 | 000,000,000 | ---D | C]
Image Zone Express -> C:\Documents and Settings\Brooke and Nick\Application Data\Image Zone Express -> [2010/08/20 21:09:05 | 000,000,000 | ---D | C]
Photo! Web Album -> C:\Documents and Settings\Brooke and Nick\Application Data\Photo! Web Album -> [2010/08/20 21:01:20 | 000,000,000 | ---D | C]
mbamswissarmy.sys -> C:\WINDOWS\System32\drivers\mbamswissarmy.sys -> [2010/08/17 15:40:13 | 000,038,224 | ---- | C] (Malwarebytes Corporation)
mbam.sys -> C:\WINDOWS\System32\drivers\mbam.sys -> [2010/08/17 15:40:11 | 000,020,952 | ---- | C] (Malwarebytes Corporation)
Malwarebytes' Anti-Malware -> C:\Program Files\Malwarebytes' Anti-Malware -> [2010/08/17 15:40:11 | 000,000,000 | ---D | C]
skypePM -> C:\Documents and Settings\Brooke and Nick\Application Data\skypePM -> [2010/08/15 21:35:58 | 000,000,000 | ---D | C]
Skype -> C:\Documents and Settings\Brooke and Nick\Application Data\Skype -> [2010/08/15 21:33:00 | 000,000,000 | ---D | C]
Skype -> C:\Program Files\Common Files\Skype -> [2010/08/15 21:32:11 | 000,000,000 | ---D | C]
Skype -> C:\Program Files\Skype -> [2010/08/15 21:32:06 | 000,000,000 | R--D | C]
Skype -> C:\Documents and Settings\All Users\Application Data\Skype -> [2010/08/15 21:31:58 | 000,000,000 | ---D | C]
iPod -> C:\Program Files\iPod -> [2010/08/15 12:54:47 | 000,000,000 | ---D | C]
windows-kb890830-v3.10.exe -> C:\Documents and Settings\Brooke and Nick\Desktop\windows-kb890830-v3.10.exe -> [2010/08/11 21:43:27 | 012,049,864 | ---- | C] (Microsoft Corporation)
MpEngineStore -> C:\WINDOWS\System32\MpEngineStore -> [2010/08/11 20:01:30 | 000,000,000 | ---D | C]

[Files/Folders - Modified Within 30 Days]
OTS.exe -> C:\Documents and Settings\Brooke and Nick\Desktop\OTS.exe -> [2010/09/05 13:12:24 | 000,641,024 | ---- | M] (OldTimer Tools)
GoogleUpdateTaskMachineUA.job -> C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job -> [2010/09/05 12:24:00 | 000,000,904 | ---- | M] ()
deployJava1.dll -> C:\WINDOWS\System32\deployJava1.dll -> [2010/09/05 11:43:09 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.)
javaws.exe -> C:\WINDOWS\System32\javaws.exe -> [2010/09/05 11:43:09 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.)
javaw.exe -> C:\WINDOWS\System32\javaw.exe -> [2010/09/05 11:43:09 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.)
java.exe -> C:\WINDOWS\System32\java.exe -> [2010/09/05 11:43:09 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.)
javacpl.cpl -> C:\WINDOWS\System32\javacpl.cpl -> [2010/09/05 11:43:09 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.)
wpa.dbl -> C:\WINDOWS\System32\wpa.dbl -> [2010/09/05 11:41:04 | 000,002,206 | ---- | M] ()
GoogleUpdateTaskMachineCore.job -> C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job -> [2010/09/05 11:41:00 | 000,000,900 | ---- | M] ()
SA.DAT -> C:\WINDOWS\tasks\SA.DAT -> [2010/09/05 11:40:41 | 000,000,006 | -H-- | M] ()
bootstat.dat -> C:\WINDOWS\bootstat.dat -> [2010/09/05 11:40:38 | 000,002,048 | --S- | M] ()
hiberfil.sys -> C:\hiberfil.sys -> [2010/09/05 11:40:35 | 1072,775,168 | -HS- | M] ()
NTUSER.DAT -> C:\Documents and Settings\Brooke and Nick\NTUSER.DAT -> [2010/09/05 11:39:42 | 009,437,184 | -H-- | M] ()
ntuser.ini -> C:\Documents and Settings\Brooke and Nick\ntuser.ini -> [2010/09/05 11:39:42 | 000,000,278 | -HS- | M] ()
iTunes.lnk -> C:\Documents and Settings\All Users\Desktop\iTunes.lnk -> [2010/09/04 23:25:37 | 000,002,137 | ---- | M] ()
BrookeBook.pdf -> C:\Documents and Settings\Brooke and Nick\Desktop\BrookeBook.pdf -> [2010/09/04 10:35:58 | 003,580,936 | ---- | M] ()
SecurityCheck.exe -> C:\Documents and Settings\Brooke and Nick\Desktop\SecurityCheck.exe -> [2010/09/04 02:35:35 | 000,869,051 | ---- | M] ()
esetsmartinstaller_enu.exe -> C:\Documents and Settings\Brooke and Nick\Desktop\esetsmartinstaller_enu.exe -> [2010/09/03 10:38:04 | 002,672,312 | ---- | M] ()
TFC(2).exe -> C:\Documents and Settings\Brooke and Nick\Desktop\TFC(2).exe -> [2010/09/03 10:20:05 | 000,446,464 | ---- | M] (OldTimer Tools)
system.ini -> C:\WINDOWS\system.ini -> [2010/09/02 08:51:46 | 000,000,227 | ---- | M] ()
ComboFix.exe -> C:\Documents and Settings\Brooke and Nick\Desktop\ComboFix.exe -> [2010/09/02 08:40:20 | 003,830,422 | R--- | M] ()
TFC.exe -> C:\Documents and Settings\Brooke and Nick\Desktop\TFC.exe -> [2010/09/02 08:34:35 | 000,446,464 | ---- | M] (OldTimer Tools)
Skype.lnk -> C:\Documents and Settings\All Users\Desktop\Skype.lnk -> [2010/09/01 22:50:07 | 000,002,265 | ---- | M] ()
w4v3o0ts.exe -> C:\Documents and Settings\Brooke and Nick\Desktop\w4v3o0ts.exe -> [2010/09/01 11:28:11 | 000,293,376 | ---- | M] ()
OTL.exe -> C:\Documents and Settings\Brooke and Nick\Desktop\OTL.exe -> [2010/09/01 10:48:44 | 000,574,976 | ---- | M] (OldTimer Tools)
Halo Reach Target Poster 08312010.pdf -> C:\Documents and Settings\Brooke and Nick\Desktop\Halo Reach Target Poster 08312010.pdf -> [2010/08/31 20:04:59 | 008,035,668 | ---- | M] ()
Writers_Ultimate_Resource_Guide.pdf -> C:\Documents and Settings\Brooke and Nick\Desktop\Writers_Ultimate_Resource_Guide.pdf -> [2010/08/30 16:34:55 | 002,214,304 | ---- | M] ()
boudior Bio.odt -> C:\Documents and Settings\Brooke and Nick\My Documents\boudior Bio.odt -> [2010/08/30 15:33:49 | 000,011,624 | ---- | M] ()
dds.scr -> C:\Documents and Settings\Brooke and Nick\Desktop\dds.scr -> [2010/08/29 13:30:01 | 000,525,824 | ---- | M] ()
ERUNT AutoBackup.lnk -> C:\Documents and Settings\Brooke and Nick\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk -> [2010/08/29 13:24:24 | 000,000,767 | ---- | M] ()
ERUNT.lnk -> C:\Documents and Settings\Brooke and Nick\Desktop\ERUNT.lnk -> [2010/08/29 13:24:09 | 000,000,592 | ---- | M] ()
hosts -> C:\WINDOWS\System32\drivers\etc\hosts -> [2010/08/29 12:49:21 | 000,416,183 | R--- | M] ()
boot.ini -> C:\boot.ini -> [2010/08/29 12:39:07 | 000,000,422 | RHS- | M] ()
hosts.20100829-124921.backup -> C:\WINDOWS\System32\drivers\etc\hosts.20100829-124921.backup -> [2010/08/26 14:43:21 | 000,416,183 | R--- | M] ()
hosts.20100826-144321.backup -> C:\WINDOWS\System32\drivers\etc\hosts.20100826-144321.backup -> [2010/08/26 14:41:18 | 000,416,183 | R--- | M] ()
Adobe Reader 9.lnk -> C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk -> [2010/08/26 14:38:32 | 000,001,729 | ---- | M] ()
hosts.20100826-144118.backup -> C:\WINDOWS\System32\drivers\etc\hosts.20100826-144118.backup -> [2010/08/20 23:18:09 | 000,416,119 | R--- | M] ()
IconCache.db -> C:\Documents and Settings\Brooke and Nick\Local Settings\Application Data\IconCache.db -> [2010/08/18 00:47:47 | 004,847,880 | -H-- | M] ()
Malwarebytes' Anti-Malware.lnk -> C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk -> [2010/08/17 15:40:17 | 000,000,696 | ---- | M] ()
letter for payment.odt -> C:\Documents and Settings\Brooke and Nick\My Documents\letter for payment.odt -> [2010/08/17 13:29:40 | 000,011,890 | ---- | M] ()
hosts.20100820-231809.backup -> C:\WINDOWS\System32\drivers\etc\hosts.20100820-231809.backup -> [2010/08/17 11:24:21 | 000,415,912 | R--- | M] ()
ezsidmv.dat -> C:\WINDOWS\System32\ezsidmv.dat -> [2010/08/15 21:35:59 | 000,000,056 | -H-- | M] ()
Spybot - Search & Destroy.lnk -> C:\Documents and Settings\Brooke and Nick\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk -> [2010/08/15 13:37:01 | 000,000,819 | ---- | M] ()
OpenOffice.org 3.2.lnk -> C:\Documents and Settings\Brooke and Nick\Application Data\Microsoft\Internet Explorer\Quick Launch\OpenOffice.org 3.2.lnk -> [2010/08/15 13:36:30 | 000,000,867 | ---- | M] ()
Safari.lnk -> C:\Documents and Settings\All Users\Desktop\Safari.lnk -> [2010/08/15 13:00:49 | 000,001,854 | ---- | M] ()
Apple Safari.lnk -> C:\Documents and Settings\Brooke and Nick\Application Data\Microsoft\Internet Explorer\Quick Launch\Apple Safari.lnk -> [2010/08/15 13:00:49 | 000,001,854 | ---- | M] ()
mapisvc.inf -> C:\WINDOWS\System32\mapisvc.inf -> [2010/08/15 12:45:44 | 000,000,629 | ---- | M] ()
hosts.20100817-112421.backup -> C:\WINDOWS\System32\drivers\etc\hosts.20100817-112421.backup -> [2010/08/13 08:36:46 | 000,415,912 | R--- | M] ()
windows-kb890830-v3.10.exe -> C:\Documents and Settings\Brooke and Nick\Desktop\windows-kb890830-v3.10.exe -> [2010/08/11 21:47:40 | 012,049,864 | ---- | M] (Microsoft Corporation)
FNTCACHE.DAT -> C:\WINDOWS\System32\FNTCACHE.DAT -> [2010/08/11 21:16:01 | 000,278,944 | ---- | M] ()
imsins.BAK -> C:\WINDOWS\imsins.BAK -> [2010/08/11 20:07:58 | 000,001,374 | ---- | M] ()
PerfStringBackup.INI -> C:\WINDOWS\System32\PerfStringBackup.INI -> [2010/08/11 20:06:31 | 000,501,230 | ---- | M] ()
perfh009.dat -> C:\WINDOWS\System32\perfh009.dat -> [2010/08/11 20:06:31 | 000,441,124 | ---- | M] ()
perfc009.dat -> C:\WINDOWS\System32\perfc009.dat -> [2010/08/11 20:06:31 | 000,071,060 | ---- | M] ()
MRT.INI -> C:\WINDOWS\System32\MRT.INI -> [2010/08/11 20:01:30 | 000,000,186 | ---- | M] ()
hosts.20100813-083646.backup -> C:\WINDOWS\System32\drivers\etc\hosts.20100813-083646.backup -> [2010/08/11 16:02:26 | 000,415,912 | R--- | M] ()
Magic the Gathering.lnk -> C:\Documents and Settings\Brooke and Nick\Application Data\Microsoft\Internet Explorer\Quick Launch\Magic the Gathering.lnk -> [2010/08/10 10:51:10 | 000,000,829 | ---- | M] ()
hosts.20100811-160226.backup -> C:\WINDOWS\System32\drivers\etc\hosts.20100811-160226.backup -> [2010/08/09 18:28:43 | 000,415,172 | R--- | M] ()

[Files - No Company Name]
BrookeBook.pdf -> C:\Documents and Settings\Brooke and Nick\Desktop\BrookeBook.pdf -> [2010/09/04 10:36:14 | 003,580,936 | ---- | C] ()
SecurityCheck.exe -> C:\Documents and Settings\Brooke and Nick\Desktop\SecurityCheck.exe -> [2010/09/04 02:35:37 | 000,869,051 | ---- | C] ()
esetsmartinstaller_enu.exe -> C:\Documents and Settings\Brooke and Nick\Desktop\esetsmartinstaller_enu.exe -> [2010/09/03 10:38:10 | 002,672,312 | ---- | C] ()
w4v3o0ts.exe -> C:\Documents and Settings\Brooke and Nick\Desktop\w4v3o0ts.exe -> [2010/09/01 11:28:57 | 000,293,376 | ---- | C] ()
Halo Reach Target Poster 08312010.pdf -> C:\Documents and Settings\Brooke and Nick\Desktop\Halo Reach Target Poster 08312010.pdf -> [2010/08/31 20:03:42 | 008,035,668 | ---- | C] ()
Writers_Ultimate_Resource_Guide.pdf -> C:\Documents and Settings\Brooke and Nick\Desktop\Writers_Ultimate_Resource_Guide.pdf -> [2010/08/30 16:34:59 | 002,214,304 | ---- | C] ()
boudior Bio.odt -> C:\Documents and Settings\Brooke and Nick\My Documents\boudior Bio.odt -> [2010/08/30 15:33:48 | 000,011,624 | ---- | C] ()
dds.scr -> C:\Documents and Settings\Brooke and Nick\Desktop\dds.scr -> [2010/08/29 13:30:02 | 000,525,824 | ---- | C] ()
ERUNT AutoBackup.lnk -> C:\Documents and Settings\Brooke and Nick\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk -> [2010/08/29 13:24:24 | 000,000,767 | ---- | C] ()
ERUNT.lnk -> C:\Documents and Settings\Brooke and Nick\Desktop\ERUNT.lnk -> [2010/08/29 13:24:09 | 000,000,592 | ---- | C] ()
Adobe Reader 9.lnk -> C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk -> [2010/08/26 14:38:31 | 000,001,729 | ---- | C] ()
Malwarebytes' Anti-Malware.lnk -> C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk -> [2010/08/17 15:40:17 | 000,000,696 | ---- | C] ()
letter for payment.odt -> C:\Documents and Settings\Brooke and Nick\My Documents\letter for payment.odt -> [2010/08/17 13:13:41 | 000,011,890 | ---- | C] ()
ezsidmv.dat -> C:\WINDOWS\System32\ezsidmv.dat -> [2010/08/15 21:35:59 | 000,000,056 | -H-- | C] ()
Skype.lnk -> C:\Documents and Settings\All Users\Desktop\Skype.lnk -> [2010/08/15 21:32:12 | 000,002,265 | ---- | C] ()
Safari.lnk -> C:\Documents and Settings\All Users\Desktop\Safari.lnk -> [2010/08/15 13:00:49 | 000,001,854 | ---- | C] ()
iTunes.lnk -> C:\Documents and Settings\All Users\Desktop\iTunes.lnk -> [2010/08/15 12:56:37 | 000,002,137 | ---- | C] ()
MRT.INI -> C:\WINDOWS\System32\MRT.INI -> [2010/08/11 20:01:30 | 000,000,186 | ---- | C] ()
czyiwa.dat -> C:\Documents and Settings\Brooke and Nick\Application Data\czyiwa.dat -> [2010/06/01 10:14:35 | 000,000,012 | ---- | C] ()
wininit.ini -> C:\WINDOWS\wininit.ini -> [2010/05/29 08:50:40 | 000,000,238 | ---- | C] ()
.811261211181235583101118113995 -> C:\Documents and Settings\All Users\Application Data\.811261211181235583101118113995 -> [2010/01/10 02:11:15 | 000,000,026 | -H-- | C] ()
mkghj.dll -> C:\WINDOWS\System32\mkghj.dll -> [2009/08/01 22:00:59 | 000,000,007 | ---- | C] ()
WORDPAD.INI -> C:\WINDOWS\WORDPAD.INI -> [2009/06/19 22:13:19 | 000,000,754 | ---- | C] ()
hpzinstall.log -> C:\Documents and Settings\All Users\Application Data\hpzinstall.log -> [2009/05/22 23:23:12 | 000,000,387 | ---- | C] ()
KPCMS.INI -> C:\WINDOWS\KPCMS.INI -> [2009/04/04 10:01:29 | 000,000,173 | ---- | C] ()
MSVCRT10.DLL -> C:\WINDOWS\System32\MSVCRT10.DLL -> [2009/04/04 10:00:39 | 000,210,944 | ---- | C] ()
DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> C:\Documents and Settings\Brooke and Nick\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> [2009/04/02 19:01:42 | 000,009,216 | ---- | C] ()
AVSMediaPlayer.m3u -> C:\Documents and Settings\Brooke and Nick\Application Data\AVSMediaPlayer.m3u -> [2009/03/13 13:01:37 | 000,000,000 | ---- | C] ()
xvidcore.dll -> C:\WINDOWS\System32\xvidcore.dll -> [2009/03/13 12:56:46 | 000,524,288 | ---- | C] ()
xvidvfw.dll -> C:\WINDOWS\System32\xvidvfw.dll -> [2009/03/13 12:56:46 | 000,139,264 | ---- | C] ()
fusioncache.dat -> C:\Documents and Settings\Brooke and Nick\Local Settings\Application Data\fusioncache.dat -> [2009/03/13 12:38:47 | 000,000,138 | ---- | C] ()
GDIPFONTCACHEV1.DAT -> C:\Documents and Settings\Brooke and Nick\Application Data\GDIPFONTCACHEV1.DAT -> [2009/02/27 19:17:14 | 000,064,664 | ---- | C] ()
GDIPFONTCACHEV1.DAT -> C:\Documents and Settings\Brooke and Nick\Local Settings\Application Data\GDIPFONTCACHEV1.DAT -> [2009/02/27 14:45:34 | 000,072,384 | ---- | C] ()
IconCache.db -> C:\Documents and Settings\Brooke and Nick\Local Settings\Application Data\IconCache.db -> [2009/02/27 12:18:57 | 004,847,880 | -H-- | C] ()
desktop.ini -> C:\Documents and Settings\Brooke and Nick\Application Data\desktop.ini -> [2009/02/27 10:23:37 | 000,000,062 | -HS- | C] ()
ICCProfiles.dll -> C:\WINDOWS\System32\ICCProfiles.dll -> [2008/04/29 14:42:24 | 000,503,808 | ---- | C] ()
iPlayer.INI -> C:\WINDOWS\iPlayer.INI -> [2007/11/10 20:13:39 | 000,000,000 | ---- | C] ()
QTSBandwidthCache -> C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache -> [2007/10/21 13:09:18 | 000,001,372 | ---- | C] ()
ODBC.INI -> C:\WINDOWS\ODBC.INI -> [2007/01/01 20:34:06 | 000,000,376 | ---- | C] ()
desktop.ini -> C:\Documents and Settings\All Users\Application Data\desktop.ini -> [2007/01/01 14:15:44 | 000,000,062 | -HS- | C] ()
GlobalUserInterface.CompositeFont -> C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont -> [2006/06/29 14:58:52 | 000,030,808 | ---- | C] ()
GlobalSansSerif.CompositeFont -> C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont -> [2006/06/29 14:53:56 | 000,026,489 | ---- | C] ()
GlobalSerif.CompositeFont -> C:\WINDOWS\Fonts\GlobalSerif.CompositeFont -> [2006/04/18 15:39:28 | 000,029,779 | ---- | C] ()
GlobalMonospace.CompositeFont -> C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont -> [2006/04/18 15:39:28 | 000,026,040 | ---- | C] ()
psisdecd.dll -> C:\WINDOWS\System32\psisdecd.dll -> [2005/08/05 18:01:54 | 000,235,008 | ---- | C] ()
MSRTEDIT.DLL -> C:\WINDOWS\System32\MSRTEDIT.DLL -> [1999/01/22 14:46:58 | 000,065,536 | ---- | C] ()
< End of report >

peku006
2010-09-06, 10:42
Hi HeadlessChief

Of course, I wanted it.........:oops:

Do you know what this program is?
C:\Documents and Settings\Brooke and Nick\Desktop\w4v3o0ts.exe

Start OTS. Copy/Paste the information in the Code box below into the pane where it says Paste fix here and then click the Run Fix button.

[Win32 Services - Safe List]
YN -> (MSWU-f36decbb) MSWU-f36decbb [Disabled | Stopped] -> C:\WINDOWS\System32\f36decbb.exe
YN -> (MSWU-38adf938) MSWU-38adf938 [Disabled | Stopped] -> C:\WINDOWS\System32\38adf938.exe
[Files - No Company Name]
NY -> mkghj.dll -> C:\WINDOWS\System32\mkghj.dll
NY -> DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> C:\Documents and Settings\Brooke and Nick\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of the actions taken during the fix.
Post that information back here.

HeadlessChief
2010-09-06, 17:33
[Win32 Services - Safe List]
Service MSWU-f36decbb stopped successfully!
Service MSWU-38adf938 stopped successfully!
[Files - No Company Name]
C:\WINDOWS\System32\mkghj.dll moved successfully.
C:\Documents and Settings\Brooke and Nick\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini moved successfully.
< End of fix log >
OTS by OldTimer - Version 3.1.36.0 fix logfile created on 09062010_113239

Thank you!

HeadlessChief
2010-09-06, 17:34
Also, I have no idea what that program is that you identified. :red:

peku006
2010-09-06, 18:48
Hi HeadlessChief

I'd like you to check a file for viruses.

Go to VirusTotal (http://www.virustotal.com) or Jotti's (http://virusscan.jotti.org/)

C:\Documents and Settings\Brooke and Nick\Desktop\w4v3o0ts.exe

Copy/Paste the file into the white Upload a file box.
Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
After a while, a window will open with details of what the scans found.
Copy and paste the results in your next reply.

Thanks peku006

HeadlessChief
2010-09-06, 20:00
It didn't really pop up a report, but I copied everything on the page...:spider:

Antivirus Version Last Update Result
AhnLab-V3 2010.09.05.00 2010.09.04 -
AntiVir 8.2.4.50 2010.09.06 -
Antiy-AVL 2.0.3.7 2010.09.03 -
Authentium 5.2.0.5 2010.09.06 -
Avast 4.8.1351.0 2010.09.06 -
Avast5 5.0.594.0 2010.09.06 -
AVG 9.0.0.851 2010.09.06 -
BitDefender 7.2 2010.09.06 -
CAT-QuickHeal 11.00 2010.09.06 -
ClamAV 0.96.2.0-git 2010.09.06 -
Comodo 5990 2010.09.06 -
DrWeb 5.0.2.03300 2010.09.06 -
Emsisoft 5.0.0.37 2010.09.06 -
eSafe 7.0.17.0 2010.09.05 Win32.TrojanHorse
eTrust-Vet 36.1.7839 2010.09.06 -
F-Prot 4.6.1.107 2010.09.01 -
F-Secure 9.0.15370.0 2010.09.06 -
Fortinet 4.1.143.0 2010.09.05 -
GData 21 2010.09.06 -
Ikarus T3.1.1.88.0 2010.09.06 -
Jiangmin 13.0.900 2010.09.06 -
K7AntiVirus 9.63.2453 2010.09.06 -
Kaspersky 7.0.0.125 2010.09.06 -
McAfee 5.400.0.1158 2010.09.06 -
McAfee-GW-Edition 2010.1B 2010.09.06 -
Microsoft 1.6103 2010.09.06 -
NOD32 5428 2010.09.06 -
Norman 6.05.11 2010.09.06 -
nProtect 2010-09-07.01 2010.09.06 -
Panda 10.0.2.7 2010.09.06 -
PCTools 7.0.3.5 2010.09.06 -
Prevx 3.0 2010.09.06 -
Rising 22.64.00.04 2010.09.06 -
Sophos 4.57.0 2010.09.06 -
Sunbelt 6839 2010.09.06 -
SUPERAntiSpyware 4.40.0.1006 2010.09.06 -
Symantec 20101.1.1.7 2010.09.06 -
TheHacker 6.5.2.1.365 2010.09.06 -
TrendMicro 9.120.0.1004 2010.09.06 -
TrendMicro-HouseCall 9.120.0.1004 2010.09.06 -
VBA32 3.12.14.0 2010.09.06 -
ViRobot 2010.9.6.4028 2010.09.06 -
VirusBuster 12.64.20.0 2010.09.06 -
MD5 : f80f6e09e7f4bafe478ca0da6137e1e2
SHA1 : 719082766cf4f60c8bdaa2b2c9f6967ecbcf8722
SHA256: 682fd0d13d7caf4b17a1eb9bafa0a3c3598139bb3623d3f5fba3bfbd0a6d424a
ssdeep: 6144:Uwbg2xeuJgWM/S1tm/xCIoQPJVZCzw5bEPb3cV9iYpTkyTFHS2:Uw82IZWM61tUXRd9IPb3cVZkyp/
File size : 293376 bytes
First seen: 2009-12-15 11:56:33
Last seen : 2010-09-06 17:49:11
TrID:
UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: 1, 0, 15, 15281
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEiD: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
packers (F-Prot): UPX
packers (Kaspersky): UPX, PE_Patch
PEInfo: PE structure information


[[ basic data ]]
entrypointaddress: 0xB3F40
timedatestamp....: 0x4B2763F0 (Tue Dec 15 10:24:48 2009)
machinetype......: 0x14c (I386)

[[ 3 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
UPX0, 0x1000, 0x6D000, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e
UPX1, 0x6E000, 0x47000, 0x46200, 7.93, 7b777c30b7f75e5eb654691bb1616dcb
.rsrc, 0xB5000, 0x2000, 0x1400, 3.38, 710fb4291f153e98a3a03f3473b8bfd6

[[ 1 import(s) ]]
KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, ExitProcess

peku006
2010-09-06, 20:18
Hi HeadlessChief


Please download Rootkit Unhooker (http://www.rootkit.com/vault/DiabloNova/RKUnhookerLE.EXE). Save it to your desktop.
Now double-click on RKUnhookerLE.exe to run it.
Click the Report tab, then click Scan.
Check (Tick) Drivers, Stealth, Files, Code Hooks. Uncheck the rest, then click OK.
Wait till the scanner has finished and then click File, Save Report.
Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here. Post fresh dds logs (dds.txt + attach.txt) too.

Note** You may get this warning; it is OK, just ignore it:

Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?

Thanks peku006

HeadlessChief
2010-09-06, 21:25
RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0xBF1CC000 C:\WINDOWS\System32\ati3duag.dll 3887104 bytes (ATI Technologies Inc. , ati3duag.dll)
0xB9ABD000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 3817472 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xBF9C5000 C:\WINDOWS\System32\ativvaxx.dll 2646016 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2189952 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2189952 bytes
0x804D7000 RAW 2189952 bytes
0x804D7000 WMIxWDM 2189952 bytes
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xB9934000 C:\WINDOWS\system32\DRIVERS\HSFDPSP2.sys 1044480 bytes (Conexant Systems, Inc., HSF_DP driver)
0xB988C000 C:\WINDOWS\system32\DRIVERS\HSFCXTS2.sys 688128 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xBF065000 C:\WINDOWS\System32\ati2cqag.dll 626688 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xF7F16000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xBF0FE000 C:\WINDOWS\System32\atikvmag.dll 536576 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)
0xA855F000 C:\WINDOWS\system32\DRIVERS\Wdf01000.sys 503808 bytes (Microsoft Corporation, WDF Dynamic)
0xA8628000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB970C000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xA870D000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA5EF9000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 339968 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xBF181000 C:\WINDOWS\System32\atiok3x2.dll 307200 bytes (ATI Technologies Inc., Ring 0 x2 component)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB9846000 C:\WINDOWS\system32\drivers\emu10k1m.sys 286720 bytes (Creative Technology Ltd., Creative SB Live! Adapter Driver)
0xA5FA0000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xB9A56000 C:\WINDOWS\system32\DRIVERS\HSFBS2S2.sys 221184 bytes (Conexant Systems, Inc., HSF_HWB2 WDM driver)
0xB9792000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF79AC000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xA6199000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF7D1E000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xA8698000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xA86E5000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF78B6000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xA8602000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xB9822000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB97EA000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB9A33000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xA86C3000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806EE000 ACPI_HAL 131840 bytes
0x806EE000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF7C2B000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF78DC000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB9A8C000 C:\WINDOWS\system32\DRIVERS\e100b325.sys 118784 bytes (Intel Corporation, NDIS 5 driver)
0xF7DF9000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF789E000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xA8496000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF7886000 C:\WINDOWS\System32\Drivers\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xF7C02000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB97D3000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xA5D04000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB980E000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xB9AA9000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xA8766000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF7C19000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF799B000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB97C2000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xA84AE000 C:\WINDOWS\System32\Drivers\Udfs.SYS 69632 bytes (Microsoft Corporation, UDF File System Driver)
0xF7A7B000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA4F9000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xBA529000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF7A8B000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xA5E31000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF796B000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF7A3B000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA509000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF7A9B000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF7A1B000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF7846000 C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
0xF7ABB000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF7A5B000 agp440.sys 45056 bytes (Microsoft Corporation, 440 NT AGP Filter)
0xF78FB000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA4E9000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF7A0B000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF7AAB000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF79FB000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF795B000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF797B000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF7A2B000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF7856000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xBA539000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF798B000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF790B000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xBA559000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF7A4B000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xBA519000 C:\WINDOWS\system32\drivers\sfmanm.sys 36864 bytes (Creative Technology Ltd., SoundFont(R) Manager)
0xF7876000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF7ADB000 cercsr6.sys 32768 bytes (Adaptec, Inc., DELL CERC SATA1.5/6ch Miniport Driver)
0xF7B73000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xF7BDB000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF7B7B000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xF7AF3000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF7AFB000 C:\WINDOWS\system32\DRIVERS\NuidFltr.sys 28672 bytes (Microsoft Corporation, Filter Driver for Microsoft Hardware HID Non-User Input Data)
0xF7ACB000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF7BE3000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xF7B8B000 C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xF7B83000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF7BB3000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF7B03000 C:\WINDOWS\system32\DRIVERS\point32.sys 24576 bytes (Microsoft Corporation, Point32.sys)
0xF7B93000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF7BCB000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF7BBB000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xF7BD3000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF7AD3000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF7BA3000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF7BAB000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xF7B9B000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF7B33000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xBA7BF000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xA6422000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xBA7F0000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF7C5B000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xB965C000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF7D03000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xA60B1000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 12288 bytes (Conexant, Diagnostic Interface DRIVER)
0xF7D07000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xBA7E8000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF7CDF000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF7D7D000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7D71000 C:\WINDOWS\system32\drivers\ctlfacem.sys 8192 bytes (Creative Technology Ltd., Creative SB Live! Interface Driver)
0xF7D51000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF7D99000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF7D7B000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7D4F000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xF7D4B000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7D7F000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF7D5D000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xF7D81000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7D75000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF7D77000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7D4D000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7E2B000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xB9F4F000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7E33000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
==============================================
>Stealth
==============================================
==============================================
>Files
==============================================
==============================================
>Hooks
==============================================
ntoskrnl.exe+0x00004AA2, Type: Inline - RelativeJump 0x804DBAA2-->804DBAA9 [ntoskrnl.exe]
[1084]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[1084]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[1084]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
[1084]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
[1084]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]
[1084]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D931480-->00000000 [shimeng.dll]
[1084]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->00000000 [shimeng.dll]

DDS (Ver_10-03-17.01) - NTFSx86
Run by Brooke and Nick at 15:18:17.39 on Mon 09/06/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.728 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ASTSRV.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Brooke and Nick\Desktop\dds.scr

============== Pseudo HJT Report ===============

uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://firefox/
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\brooke~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: safer-networking.org\www
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183257388593
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\brooke~1\applic~1\mozilla\firefox\profiles\vj8qx2x8.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - prefs.js: keyword.URL - hxxp://search.search-star.net/?sid=10101038100&s=
FF - plugin: c:\documents and settings\brooke and nick\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\brooke and nick\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\brooke and nick\application data\mozilla\firefox\profiles\vj8qx2x8.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-star.net/?sid=10101038100&s=
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-26 133104]
S4 MSWU-38adf938;MSWU-38adf938;c:\windows\system32\38adf938.exe --> c:\windows\system32\38adf938.exe [?]
S4 MSWU-f36decbb;MSWU-f36decbb;c:\windows\system32\f36decbb.exe --> c:\windows\system32\f36decbb.exe [?]

=============== Created Last 30 ================

2010-09-06 15:32:39 0 d-----w- C:\_OTS
2010-09-05 15:43:31 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-05 15:43:31 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-02 12:40:55 0 d-----w- C:\ComboFix
2010-08-29 16:32:59 0 d-----w- c:\program files\Safer Networking
2010-08-21 01:01:20 0 d-----w- c:\docume~1\brooke~1\applic~1\Photo! Web Album
2010-08-17 19:40:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-17 19:40:11 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-17 19:40:11 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-16 01:35:59 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-08-16 01:32:06 0 d-----r- c:\program files\Skype
2010-08-15 16:54:47 0 d-----w- c:\program files\iPod
2010-08-12 00:01:30 186 ----a-w- c:\windows\system32\MRT.INI
2010-08-12 00:01:30 0 d-----w- c:\windows\system32\MpEngineStore

==================== Find3M ====================

2010-08-02 23:16:26 132220 ----a-w- c:\windows\system32\drivers\KmxAgent.asc
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:15:28 832512 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:15:26 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-24 12:15:26 17408 ----a-w- c:\windows\system32\corpol.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2009-02-26 18:56:46 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009022620090227\index.dat

============= FINISH: 15:18:54.20 ===============

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 1/1/2007 9:58:52 PM
System Uptime: 9/6/2010 10:21:18 AM (5 hours ago)

Motherboard: Dell Computer Corporation | | Dimension 8200
Processor: Intel(R) Pentium(R) 4 CPU 2.00GHz | Microprocessor | 1993/100mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 74 GiB total, 14.084 GiB free.
D: is CDROM (UDF)
E: is FIXED (NTFS) - 57 GiB total, 31.399 GiB free.
G: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Unimodem Half-Duplex Audio Device
Device ID: MODEMWAVE\0\{65C2FF3D-A18F-4C9E-916D-D485CEEF7D18}
Manufacturer: Microsoft
Name: Unimodem Half-Duplex Audio Device
PNP Device ID: MODEMWAVE\0\{65C2FF3D-A18F-4C9E-916D-D485CEEF7D18}
Service: MODEMCSA

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Creative SBLive! Gameport
Device ID: PCI\VEN_1102&DEV_7002&SUBSYS_00201102&REV_0A\4&19FD8D60&0&49F0
Manufacturer: Creative
Name: Creative SBLive! Gameport
PNP Device ID: PCI\VEN_1102&DEV_7002&SUBSYS_00201102&REV_0A\4&19FD8D60&0&49F0
Service: gameenum

==== System Restore Points ===================

RP650: 8/3/2010 4:54:05 PM - Software Distribution Service 3.0
RP651: 8/9/2010 4:00:03 PM - System Checkpoint
RP652: 8/10/2010 9:12:59 PM - System Checkpoint
RP653: 8/11/2010 7:56:00 PM - Software Distribution Service 3.0
RP654: 8/12/2010 12:31:51 AM - Installed Microsoft Fix it 50102
RP655: 8/13/2010 9:05:42 PM - System Checkpoint
RP656: 8/14/2010 11:24:04 PM - System Checkpoint
RP657: 8/15/2010 11:37:44 PM - System Checkpoint
RP658: 8/17/2010 2:37:18 PM - System Checkpoint
RP659: 8/19/2010 9:58:25 AM - System Checkpoint
RP660: 8/20/2010 1:44:53 PM - System Checkpoint
RP661: 8/21/2010 2:00:28 PM - System Checkpoint
RP662: 8/22/2010 7:25:40 PM - System Checkpoint
RP663: 8/24/2010 11:06:38 AM - System Checkpoint
RP664: 8/25/2010 2:35:44 PM - System Checkpoint
RP665: 8/26/2010 4:56:23 PM - System Checkpoint
RP666: 8/28/2010 2:00:00 PM - System Checkpoint
RP667: 8/29/2010 12:02:24 PM - Removed Zoo Tycoon 2 - Extinct Animals
RP668: 8/30/2010 8:10:41 PM - System Checkpoint
RP669: 8/31/2010 10:54:25 PM - System Checkpoint
RP670: 9/1/2010 11:46:30 PM - System Checkpoint
RP671: 9/3/2010 2:39:30 PM - System Checkpoint
RP672: 9/4/2010 3:46:37 PM - System Checkpoint
RP673: 9/5/2010 11:30:03 AM - Removed Java(TM) 6 Update 13
RP674: 9/5/2010 11:36:10 AM - Removed Java(TM) 6 Update 18
RP675: 9/5/2010 11:37:38 AM - Removed Skype Toolbars
RP676: 9/5/2010 11:42:58 AM - Installed Java(TM) 6 Update 21
RP677: 9/6/2010 12:12:59 PM - System Checkpoint

==== Installed Programs ======================

ACDSee
Acrobat.com
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 9.3.4
Adobe Shockwave Player 11.5
Adobe® Photoshop® Album Starter Edition 3.0
Adobe® Photoshop® Album Starter Edition 3.0.1
AiO_Scan
AiOSoftware
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
BN eReader
Bonjour
BufferChm
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center HydraVision Full
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help English
Citrix Presentation Server Client - Web Only
Critical Update for Windows Media Player 11 (KB959772)
Destinations
Director
EA Download Manager
ERUNT 1.1j
Fax
Final Draft
GIMP 2.6.8
Google Earth
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Image Zone 4.7
HP Image Zone Express
HP Product Assistant
HP PSC & OfficeJet 4.7
HP Update
HPSystemDiagnostics
ImageMixer3
InterActual Player
iTunes
Java Auto Updater
Java(TM) 6 Update 21
Linksys EasyLink Advisor 1.5 (1010)
Macromedia Flash Player 8
Malwarebytes' Anti-Malware
Medieval II Total War
Medieval II Total War : Kingdoms : Americas
Medieval II Total War : Kingdoms : Britannia
Medieval II Total War : Kingdoms : Crusades
Medieval II Total War : Kingdoms : Teutonic
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft IntelliPoint 6.3
Microsoft IntelliType Pro 6.3
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual J# .NET Redistributable Package 1.1
Microsoft Windows XP Video Decoder Checkup Utility
Microsoft WSE 3.0 Runtime
MobileMe Control Panel
Move Media Player
Mozilla Firefox (3.6.8)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
OpenOffice.org 3.2
Paint Shop Pro 7 ESD
Photo Toolkit 1.7
Picasa 3
QFolder
QuickTime
Readme
Safari
Scan
ScannerCopy
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Skins
Skype™ 4.2
Sonic Encoders
Spybot - Search & Destroy
System Requirements Lab
The Sims™ 3
The Sims™ 3 World Adventures
TrayApp
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
WebFldrs XP
WebReg
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WinRAR archiver

==== Event Viewer Messages From Past Week ========

9/2/2010 8:38:09 AM, error: Service Control Manager [7023] - The HID Input Service service terminated with the following error: The specified module could not be found.
9/2/2010 8:35:12 AM, error: Service Control Manager [7034] - The Pml Driver HPZ12 service terminated unexpectedly. It has done this 1 time(s).
9/2/2010 8:35:12 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
9/2/2010 8:35:12 AM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
9/2/2010 8:35:12 AM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
9/2/2010 8:35:12 AM, error: Service Control Manager [7034] - The AST Service service terminated unexpectedly. It has done this 1 time(s).
9/2/2010 8:35:12 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
9/2/2010 6:56:23 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SBRE

==== End Of File ===========================

peku006
2010-09-07, 09:30
Hi HeadlessChief

We need to run MBRCheck
Please download MBRCheck from one of these locations:
Link 1 (http://ad13.geekstogo.com/MBRCheck.exe)
Link 2 (http://download.bleepingcomputer.com/rootrepeal/MBRCheck.exe)
Link 3 (http://www.kernelmode.info/MBRCheck.exe)
Double click MBRCheck.exe to run
A report called MBRcheck will be on your desktop once the program is done
Please copy and paste that into your reply

In your next reply, please include the following:
MBRCheck Log


Thanks peku006

HeadlessChief
2010-09-07, 15:07
Thank you for all your help, by the way. :angel:
MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000005d

Kernel Drivers (total 128):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EE000 \WINDOWS\system32\hal.dll
0xF7D4B000 \WINDOWS\system32\KDCOM.DLL
0xF7C5B000 \WINDOWS\system32\BOOTVID.dll
0xF79AC000 ACPI.sys
0xF7D4D000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF799B000 pci.sys
0xF79FB000 isapnp.sys
0xF7D4F000 intelide.sys
0xF7ACB000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7A0B000 MountMgr.sys
0xF78DC000 ftdisk.sys
0xF7D51000 dmload.sys
0xF78B6000 dmio.sys
0xF7AD3000 PartMgr.sys
0xF7A1B000 VolSnap.sys
0xF789E000 atapi.sys
0xF7ADB000 cercsr6.sys
0xF7886000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
0xF7A2B000 disk.sys
0xF7A3B000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7C2B000 fltmgr.sys
0xF7C19000 sr.sys
0xF7A4B000 PxHelp20.sys
0xF7C02000 KSecDD.sys
0xF7F16000 Ntfs.sys
0xF7D1E000 NDIS.sys
0xF7DF9000 Mup.sys
0xF7A5B000 agp440.sys
0xBA3AB000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB9AE3000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xB9ACF000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB9AB2000 \SystemRoot\system32\DRIVERS\e100b325.sys
0xB9A7C000 \SystemRoot\system32\DRIVERS\HSFBS2S2.sys
0xB9A59000 \SystemRoot\system32\DRIVERS\ks.sys
0xB995A000 \SystemRoot\system32\DRIVERS\HSFDPSP2.sys
0xB98B2000 \SystemRoot\system32\DRIVERS\HSFCXTS2.sys
0xF7B7B000 \SystemRoot\System32\Drivers\Modem.SYS
0xB986C000 \SystemRoot\system32\drivers\emu10k1m.sys
0xB9848000 \SystemRoot\system32\drivers\portcls.sys
0xBA39B000 \SystemRoot\system32\drivers\drmk.sys
0xBA38B000 \SystemRoot\system32\drivers\sfmanm.sys
0xF7D6D000 \SystemRoot\system32\drivers\ctlfacem.sys
0xF7B83000 \SystemRoot\system32\DRIVERS\fdc.sys
0xBA37B000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF7B8B000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA36B000 \SystemRoot\system32\DRIVERS\serial.sys
0xBA7EC000 \SystemRoot\system32\DRIVERS\serenum.sys
0xB9834000 \SystemRoot\system32\DRIVERS\parport.sys
0xBA35B000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA34B000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA33B000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF7B93000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xF7B9B000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB9810000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7E1F000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7A7B000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA7E4000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB97F9000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7A8B000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7A9B000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7BA3000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB97E8000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7AAB000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7BAB000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7BB3000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB97B8000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF7ABB000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7BBB000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7D6F000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB975A000 \SystemRoot\system32\DRIVERS\update.sys
0xBA7BB000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF798B000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7D71000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF797B000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7BC3000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xF7D73000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xB9FA1000 \SystemRoot\System32\Drivers\Null.SYS
0xF7D75000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7BD3000 \SystemRoot\System32\drivers\vga.sys
0xF7D77000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7D79000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7BDB000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7BE3000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB9EA9000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA87BE000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA8765000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA873D000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA871B000 \SystemRoot\System32\drivers\afd.sys
0xF792B000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA86F0000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA8680000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF791B000 \SystemRoot\System32\Drivers\Fips.SYS
0xA865A000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF790B000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF7AF3000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xF7CDF000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF7876000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF7AFB000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF7B03000 \SystemRoot\system32\DRIVERS\NuidFltr.sys
0xF7866000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xA85AD000 \SystemRoot\system32\DRIVERS\Wdf01000.sys
0xF7CE3000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xF7B0B000 \SystemRoot\system32\DRIVERS\point32.sys
0xA84FC000 \SystemRoot\System32\Drivers\Udfs.SYS
0xA84E4000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7D97000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB9659000 \SystemRoot\System32\drivers\Dxapi.sys
0xF7B33000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7E5E000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF065000 \SystemRoot\System32\ati2cqag.dll
0xBF0FE000 \SystemRoot\System32\atikvmag.dll
0xBF181000 \SystemRoot\System32\atiok3x2.dll
0xBF1CC000 \SystemRoot\System32\ati3duag.dll
0xBF9C5000 \SystemRoot\System32\ativvaxx.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xA6468000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA61FF000 \SystemRoot\system32\drivers\wdmaud.sys
0xF78FB000 \SystemRoot\system32\drivers\sysaudio.sys
0xA5EFC000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF7D8B000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xA5DB7000 \SystemRoot\System32\Drivers\HTTP.sys
0xA5EE0000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xA5C70000 \SystemRoot\system32\DRIVERS\srv.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 34):
0 System Idle Process
4 System
536 C:\WINDOWS\system32\smss.exe
600 csrss.exe
632 C:\WINDOWS\system32\winlogon.exe
676 C:\WINDOWS\system32\services.exe
688 C:\WINDOWS\system32\lsass.exe
848 C:\WINDOWS\system32\svchost.exe
928 svchost.exe
1020 C:\WINDOWS\system32\svchost.exe
1064 svchost.exe
1132 svchost.exe
1412 C:\WINDOWS\system32\spoolsv.exe
1704 C:\WINDOWS\explorer.exe
1860 svchost.exe
1896 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1908 C:\WINDOWS\system32\ASTSRV.EXE
1952 C:\Program Files\Bonjour\mDNSResponder.exe
1992 C:\WINDOWS\ehome\ehrecvr.exe
168 C:\WINDOWS\ehome\ehSched.exe
376 C:\Program Files\Java\jre6\bin\jqs.exe
452 C:\WINDOWS\system32\HPZipm12.exe
1184 C:\Program Files\iTunes\iTunesHelper.exe
1224 C:\Program Files\Common Files\Java\Java Update\jusched.exe
1260 C:\WINDOWS\system32\ctfmon.exe
1248 svchost.exe
1292 C:\WINDOWS\system32\svchost.exe
1592 mcrdsvc.exe
2260 C:\WINDOWS\system32\devldr32.exe
2352 C:\WINDOWS\system32\dllhost.exe
2472 C:\Program Files\iPod\bin\iPodService.exe
2684 C:\WINDOWS\system32\wscntfy.exe
2844 alg.exe
1048 C:\Documents and Settings\Brooke and Nick\Desktop\SafernetworkHelper\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`01f60800 (NTFS)
\\.\E: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD800BB-75CAA0, Rev: 16.06V16
PhysicalDrive1 Model Number: Maxtor4D060H3, Rev: DAH017K0

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
57 GB \\.\PhysicalDrive1 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

peku006
2010-09-07, 17:23
Hi HeadlessChief

nothing unusual...........
we need to update combofix........
we start by removing the old version

Download OTC (http://oldtimer.geekstogo.com/OTC.exe) by Old Timer and save it to your Desktop.

Double-click OTC.exe
Click the CleanUp! button
Select Yes when the Begin cleanup Process? Prompt appears
If you are prompted to Reboot during the cleanup, select Yes
The tool will delete itself once it finishes, if not delete it by yourself

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

download a fresh copy from here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Please include the C:\ComboFix.txt in your next reply

Thanks peku006

HeadlessChief
2010-09-07, 19:02
ComboFix 10-09-06.04 - Brooke and Nick 09/07/2010 12:03:03.12.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.683 [GMT -4:00]
Running from: c:\documents and settings\Brooke and Nick\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-08-07 to 2010-09-07 )))))))))))))))))))))))))))))))
.

2010-09-05 15:44 . 2010-09-05 15:44 -------- d-----w- c:\program files\Common Files\Java
2010-09-05 15:43 . 2010-09-05 15:43 503808 ----a-w- c:\documents and settings\Brooke and Nick\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-11f01847-n\msvcp71.dll
2010-09-05 15:43 . 2010-09-05 15:43 61440 ----a-w- c:\documents and settings\Brooke and Nick\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-2061f8d4-n\decora-sse.dll
2010-09-05 15:43 . 2010-09-05 15:43 499712 ----a-w- c:\documents and settings\Brooke and Nick\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-11f01847-n\jmc.dll
2010-09-05 15:43 . 2010-09-05 15:43 348160 ----a-w- c:\documents and settings\Brooke and Nick\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-11f01847-n\msvcr71.dll
2010-09-05 15:43 . 2010-09-05 15:43 12800 ----a-w- c:\documents and settings\Brooke and Nick\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-2061f8d4-n\decora-d3d.dll
2010-09-05 15:43 . 2010-09-05 15:43 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-29 17:24 . 2010-08-29 17:24 -------- d-----w- c:\program files\ERUNT
2010-08-29 16:32 . 2010-08-29 16:32 -------- d-----w- c:\program files\Safer Networking
2010-08-21 01:09 . 2010-08-21 01:09 -------- d-----w- c:\documents and settings\Brooke and Nick\Application Data\Image Zone Express
2010-08-21 01:01 . 2010-08-21 01:07 -------- d-----w- c:\documents and settings\Brooke and Nick\Application Data\Photo! Web Album
2010-08-17 19:40 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-17 19:40 . 2010-08-17 19:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-17 19:40 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-16 01:35 . 2010-08-16 01:35 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-08-16 01:35 . 2010-09-02 02:50 -------- d-----w- c:\documents and settings\Brooke and Nick\Application Data\skypePM
2010-08-16 01:33 . 2010-09-02 02:51 -------- d-----w- c:\documents and settings\Brooke and Nick\Application Data\Skype
2010-08-16 01:32 . 2010-08-16 01:32 -------- d-----w- c:\program files\Common Files\Skype
2010-08-16 01:32 . 2010-09-05 15:37 -------- d-----r- c:\program files\Skype
2010-08-16 01:31 . 2010-08-16 01:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-08-15 16:57 . 2010-08-15 16:57 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.17.8\SetupAdmin.exe
2010-08-15 16:54 . 2010-08-15 16:54 -------- d-----w- c:\program files\iPod
2010-08-15 16:45 . 2010-08-15 16:45 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-08-12 00:01 . 2010-08-12 00:01 -------- d-----w- c:\windows\system32\MpEngineStore
2010-08-10 15:09 . 2010-08-10 15:09 568832 ----a-w- c:\documents and settings\Brooke and Nick\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\13.tmp_\sun-pdfimport.oxt\msvcp90.dll
2010-08-10 15:09 . 2010-08-10 15:09 686080 ----a-w- c:\documents and settings\Brooke and Nick\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\13.tmp_\sun-pdfimport.oxt\pdfimport.uno.dll
2010-08-10 15:09 . 2010-08-10 15:09 655872 ----a-w- c:\documents and settings\Brooke and Nick\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\13.tmp_\sun-pdfimport.oxt\msvcr90.dll
2010-08-10 15:09 . 2010-08-10 15:09 583168 ----a-w- c:\documents and settings\Brooke and Nick\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\13.tmp_\sun-pdfimport.oxt\xpdfimport.exe
2010-08-10 15:09 . 2010-08-10 15:09 224768 ----a-w- c:\documents and settings\Brooke and Nick\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\13.tmp_\sun-pdfimport.oxt\msvcm90.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-07 02:11 . 2009-06-22 14:06 1 ----a-w- c:\documents and settings\Brooke and Nick\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-09-05 15:30 . 2009-02-26 01:59 -------- d-----w- c:\program files\Java
2010-08-29 17:33 . 2009-05-19 15:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-29 16:03 . 2007-05-12 17:05 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-29 16:03 . 2009-02-27 16:11 -------- d-----w- c:\documents and settings\Brooke and Nick\Application Data\Microsoft Games
2010-08-29 16:03 . 2009-02-27 16:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Games
2010-08-24 04:46 . 2009-10-03 03:15 -------- d-----w- c:\program files\Paint Shop Pro 7
2010-08-21 01:00 . 2009-04-12 19:03 -------- d-----w- c:\program files\Web Photo Album
2010-08-17 19:40 . 2010-06-11 23:42 -------- d-----w- c:\documents and settings\Brooke and Nick\Application Data\Malwarebytes
2010-08-17 19:40 . 2010-06-11 23:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-15 17:00 . 2010-05-07 00:48 -------- d-----w- c:\program files\Safari
2010-08-15 16:56 . 2010-07-04 20:29 -------- d-----w- c:\program files\iTunes
2010-08-15 16:54 . 2007-08-17 01:13 -------- d-----w- c:\program files\Common Files\Apple
2010-08-02 23:16 . 2010-06-16 01:37 132220 ----a-w- c:\windows\system32\drivers\KmxAgent.asc
2010-07-26 01:20 . 2010-07-26 01:17 -------- d-----w- c:\program files\CA
2010-07-26 01:12 . 2010-07-26 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\CA
2010-07-26 01:05 . 2010-06-15 13:57 20232 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\SelfServe_rc.dll
2010-07-26 01:05 . 2010-06-15 13:57 243976 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\unicows.dll
2010-07-25 16:23 . 2007-01-02 03:05 -------- d-----w- c:\program files\GemMaster
2010-07-23 19:59 . 2009-02-27 18:45 72384 ----a-w- c:\documents and settings\Brooke and Nick\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-23 17:13 . 2009-06-22 14:00 -------- d-----w- c:\program files\OpenOffice.org 3
2010-07-23 02:09 . 2010-07-23 01:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-07-23 01:40 . 2010-07-23 01:40 120 ----a-w- c:\windows\Bfulez.dat
2010-07-23 01:40 . 2010-07-23 01:40 0 ----a-w- c:\windows\Eyuzuw.bin
2010-07-03 03:33 . 2007-01-09 00:18 72384 ----a-w- c:\documents and settings\Paul\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-30 12:31 . 2004-08-10 11:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-28 17:20 . 2010-06-28 17:20 72384 ----a-w- c:\documents and settings\New User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-24 12:15 . 2006-03-04 03:33 832512 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:15 . 2004-08-10 11:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-24 12:15 . 2004-08-10 11:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-06-23 13:44 . 2004-08-10 11:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-10 11:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-10 11:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-15 13:57 . 2010-06-15 13:57 615688 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\SelfServe.exe
2010-06-15 13:57 . 2010-06-15 13:57 353544 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\SoftwareUpdater.exe
2010-06-15 13:57 . 2010-06-15 13:57 632072 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\msvcr80.dll
2010-06-15 01:19 . 2010-06-15 01:19 71992 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.16.0\SetupAdmin.exe
2010-06-14 14:31 . 2007-01-02 02:51 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-10 11:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2007-06-21 22:38 . 2007-06-21 22:38 30280 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2007-06-21 22:38 . 2007-06-21 22:38 79432 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2007-06-21 22:38 . 2007-06-21 22:38 71240 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2007-06-21 22:38 . 2007-06-21 22:38 140872 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2007-06-21 22:39 . 2007-06-21 22:39 38472 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2007-06-21 22:39 . 2007-06-21 22:39 46664 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2007-06-21 22:39 . 2007-06-21 22:39 34376 ----a-w- c:\program files\mozilla firefox\plugins\logging.dll
2007-06-21 22:39 . 2007-06-21 22:39 685640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2007-06-21 22:40 . 2007-06-21 22:40 30280 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-07-13 47904]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\Brooke and Nick\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-07 03:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
2006-04-03 03:07 389120 ----a-w- c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 21:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 20:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\I&F Viewer toolbar]
2006-10-28 01:34 65536 ----a-w- c:\program files\Photo Toolkit\IvBar\phototoolkitmem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2008-06-10 17:56 1406024 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-21 19:53 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
2008-06-10 17:56 1442888 ----a-w- c:\program files\Microsoft IntelliType Pro\itype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-19 02:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2009-02-04 03:21 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSWU-f36decbb"=2 (0x2)
"MSWU-38adf938"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiMalware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Desktop\\Copied stuff from F drive\\Backup Data Disc 2\\Magic\\Manalink.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S1 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/26/2009 10:50 AM 133104]
S4 MSWU-38adf938;MSWU-38adf938;c:\windows\system32\38adf938.exe --> c:\windows\system32\38adf938.exe [?]
S4 MSWU-f36decbb;MSWU-f36decbb;c:\windows\system32\f36decbb.exe --> c:\windows\system32\f36decbb.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-26 14:50]

2010-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-26 14:50]

2009-02-27 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2008-06-10 17:56]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://firefox/
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel
Trusted Zone: safer-networking.org\www
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Brooke and Nick\Application Data\Mozilla\Firefox\Profiles\vj8qx2x8.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - prefs.js: keyword.URL - hxxp://search.search-star.net/?sid=10101038100&s=
FF - plugin: c:\documents and settings\Brooke and Nick\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Brooke and Nick\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\Brooke and Nick\Application Data\Mozilla\Firefox\Profiles\vj8qx2x8.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-star.net/?sid=10101038100&s=
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Google Update - c:\documents and settings\Brooke and Nick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-07 12:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(632)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1168)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-09-07 12:14:41
ComboFix-quarantined-files.txt 2010-09-07 16:14

Pre-Run: 15,040,024,576 bytes free
Post-Run: 15,260,172,288 bytes free

- - End Of File - - 965234F120DC0F1386DD330AA12CC092


At Step 3, I encountered the same warning about pev.cfxxe having to close, & reported it to Microsoft. So I took some of your earlier advice & ran Combofix in safe mode. I got the same error, but didn't report it this time. Its log is below. :oops:

ComboFix 10-09-06.04 - Brooke and Nick 09/07/2010 12:22:17.13.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.690 [GMT -4:00]
Running from: c:\documents and settings\Brooke and Nick\Desktop\ComboFix.exe
.
ADS - WINDOWS: deleted 0 bytes in 1 streams.

((((((((((((((((((((((((( Files Created from 2010-08-07 to 2010-09-07 )))))))))))))))))))))))))))))))
.

2010-09-05 15:44 . 2010-09-05 15:44 -------- d-----w- c:\program files\Common Files\Java
2010-09-05 15:43 . 2010-09-05 15:43 503808 ----a-w- c:\documents and settings\Brooke and Nick\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-11f01847-n\msvcp71.dll
2010-09-05 15:43 . 2010-09-05 15:43 61440 ----a-w- c:\documents and settings\Brooke and Nick\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-2061f8d4-n\decora-sse.dll
2010-09-05 15:43 . 2010-09-05 15:43 499712 ----a-w- c:\documents and settings\Brooke and Nick\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-11f01847-n\jmc.dll
2010-09-05 15:43 . 2010-09-05 15:43 348160 ----a-w- c:\documents and settings\Brooke and Nick\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-11f01847-n\msvcr71.dll
2010-09-05 15:43 . 2010-09-05 15:43 12800 ----a-w- c:\documents and settings\Brooke and Nick\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-2061f8d4-n\decora-d3d.dll
2010-09-05 15:43 . 2010-09-05 15:43 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-29 17:24 . 2010-08-29 17:24 -------- d-----w- c:\program files\ERUNT
2010-08-29 16:32 . 2010-08-29 16:32 -------- d-----w- c:\program files\Safer Networking
2010-08-21 01:09 . 2010-08-21 01:09 -------- d-----w- c:\documents and settings\Brooke and Nick\Application Data\Image Zone Express
2010-08-21 01:01 . 2010-08-21 01:07 -------- d-----w- c:\documents and settings\Brooke and Nick\Application Data\Photo! Web Album
2010-08-17 19:40 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-17 19:40 . 2010-08-17 19:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-17 19:40 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-16 01:35 . 2010-08-16 01:35 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-08-16 01:35 . 2010-09-02 02:50 -------- d-----w- c:\documents and settings\Brooke and Nick\Application Data\skypePM
2010-08-16 01:33 . 2010-09-02 02:51 -------- d-----w- c:\documents and settings\Brooke and Nick\Application Data\Skype
2010-08-16 01:32 . 2010-08-16 01:32 -------- d-----w- c:\program files\Common Files\Skype
2010-08-16 01:32 . 2010-09-05 15:37 -------- d-----r- c:\program files\Skype
2010-08-16 01:31 . 2010-08-16 01:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-08-15 16:57 . 2010-08-15 16:57 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.17.8\SetupAdmin.exe
2010-08-15 16:54 . 2010-08-15 16:54 -------- d-----w- c:\program files\iPod
2010-08-15 16:45 . 2010-08-15 16:45 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-08-12 00:01 . 2010-08-12 00:01 -------- d-----w- c:\windows\system32\MpEngineStore
2010-08-10 15:09 . 2010-08-10 15:09 568832 ----a-w- c:\documents and settings\Brooke and Nick\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\13.tmp_\sun-pdfimport.oxt\msvcp90.dll
2010-08-10 15:09 . 2010-08-10 15:09 686080 ----a-w- c:\documents and settings\Brooke and Nick\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\13.tmp_\sun-pdfimport.oxt\pdfimport.uno.dll
2010-08-10 15:09 . 2010-08-10 15:09 655872 ----a-w- c:\documents and settings\Brooke and Nick\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\13.tmp_\sun-pdfimport.oxt\msvcr90.dll
2010-08-10 15:09 . 2010-08-10 15:09 583168 ----a-w- c:\documents and settings\Brooke and Nick\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\13.tmp_\sun-pdfimport.oxt\xpdfimport.exe
2010-08-10 15:09 . 2010-08-10 15:09 224768 ----a-w- c:\documents and settings\Brooke and Nick\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\13.tmp_\sun-pdfimport.oxt\msvcm90.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-07 02:11 . 2009-06-22 14:06 1 ----a-w- c:\documents and settings\Brooke and Nick\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-09-05 15:30 . 2009-02-26 01:59 -------- d-----w- c:\program files\Java
2010-08-29 17:33 . 2009-05-19 15:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-29 16:03 . 2007-05-12 17:05 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-29 16:03 . 2009-02-27 16:11 -------- d-----w- c:\documents and settings\Brooke and Nick\Application Data\Microsoft Games
2010-08-29 16:03 . 2009-02-27 16:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Games
2010-08-24 04:46 . 2009-10-03 03:15 -------- d-----w- c:\program files\Paint Shop Pro 7
2010-08-21 01:00 . 2009-04-12 19:03 -------- d-----w- c:\program files\Web Photo Album
2010-08-17 19:40 . 2010-06-11 23:42 -------- d-----w- c:\documents and settings\Brooke and Nick\Application Data\Malwarebytes
2010-08-17 19:40 . 2010-06-11 23:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-15 17:00 . 2010-05-07 00:48 -------- d-----w- c:\program files\Safari
2010-08-15 16:56 . 2010-07-04 20:29 -------- d-----w- c:\program files\iTunes
2010-08-15 16:54 . 2007-08-17 01:13 -------- d-----w- c:\program files\Common Files\Apple
2010-08-02 23:16 . 2010-06-16 01:37 132220 ----a-w- c:\windows\system32\drivers\KmxAgent.asc
2010-07-26 01:20 . 2010-07-26 01:17 -------- d-----w- c:\program files\CA
2010-07-26 01:12 . 2010-07-26 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\CA
2010-07-26 01:05 . 2010-06-15 13:57 20232 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\SelfServe_rc.dll
2010-07-26 01:05 . 2010-06-15 13:57 243976 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\unicows.dll
2010-07-25 16:23 . 2007-01-02 03:05 -------- d-----w- c:\program files\GemMaster
2010-07-23 19:59 . 2009-02-27 18:45 72384 ----a-w- c:\documents and settings\Brooke and Nick\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-23 17:13 . 2009-06-22 14:00 -------- d-----w- c:\program files\OpenOffice.org 3
2010-07-23 02:09 . 2010-07-23 01:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-07-23 01:40 . 2010-07-23 01:40 120 ----a-w- c:\windows\Bfulez.dat
2010-07-23 01:40 . 2010-07-23 01:40 0 ----a-w- c:\windows\Eyuzuw.bin
2010-07-03 03:33 . 2007-01-09 00:18 72384 ----a-w- c:\documents and settings\Paul\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-30 12:31 . 2004-08-10 11:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-28 17:20 . 2010-06-28 17:20 72384 ----a-w- c:\documents and settings\New User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-24 12:15 . 2006-03-04 03:33 832512 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:15 . 2004-08-10 11:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-24 12:15 . 2004-08-10 11:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-06-23 13:44 . 2004-08-10 11:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-10 11:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-10 11:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-15 13:57 . 2010-06-15 13:57 615688 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\SelfServe.exe
2010-06-15 13:57 . 2010-06-15 13:57 353544 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\SoftwareUpdater.exe
2010-06-15 13:57 . 2010-06-15 13:57 632072 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\msvcr80.dll
2010-06-15 01:19 . 2010-06-15 01:19 71992 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.16.0\SetupAdmin.exe
2010-06-14 14:31 . 2007-01-02 02:51 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-10 11:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2007-06-21 22:38 . 2007-06-21 22:38 30280 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2007-06-21 22:38 . 2007-06-21 22:38 79432 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2007-06-21 22:38 . 2007-06-21 22:38 71240 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2007-06-21 22:38 . 2007-06-21 22:38 140872 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2007-06-21 22:39 . 2007-06-21 22:39 38472 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2007-06-21 22:39 . 2007-06-21 22:39 46664 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2007-06-21 22:39 . 2007-06-21 22:39 34376 ----a-w- c:\program files\mozilla firefox\plugins\logging.dll
2007-06-21 22:39 . 2007-06-21 22:39 685640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2007-06-21 22:40 . 2007-06-21 22:40 30280 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-07-13 47904]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\Brooke and Nick\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-07 03:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
2006-04-03 03:07 389120 ----a-w- c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 21:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 20:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\I&F Viewer toolbar]
2006-10-28 01:34 65536 ----a-w- c:\program files\Photo Toolkit\IvBar\phototoolkitmem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2008-06-10 17:56 1406024 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-21 19:53 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
2008-06-10 17:56 1442888 ----a-w- c:\program files\Microsoft IntelliType Pro\itype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-19 02:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2009-02-04 03:21 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSWU-f36decbb"=2 (0x2)
"MSWU-38adf938"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiMalware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Desktop\\Copied stuff from F drive\\Backup Data Disc 2\\Magic\\Manalink.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S1 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/26/2009 10:50 AM 133104]
S4 MSWU-38adf938;MSWU-38adf938;c:\windows\system32\38adf938.exe --> c:\windows\system32\38adf938.exe [?]
S4 MSWU-f36decbb;MSWU-f36decbb;c:\windows\system32\f36decbb.exe --> c:\windows\system32\f36decbb.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-26 14:50]

2010-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-26 14:50]

2009-02-27 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2008-06-10 17:56]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://firefox/
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel
Trusted Zone: safer-networking.org\www
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Brooke and Nick\Application Data\Mozilla\Firefox\Profiles\vj8qx2x8.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - prefs.js: keyword.URL - hxxp://search.search-star.net/?sid=10101038100&s=
FF - plugin: c:\documents and settings\Brooke and Nick\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Brooke and Nick\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\Brooke and Nick\Application Data\Mozilla\Firefox\Profiles\vj8qx2x8.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-star.net/?sid=10101038100&s=
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-07 12:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(560)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\l3codecx.acm
c:\windows\system32\scg726.acm
c:\windows\system32\alf2cd.acm
c:\windows\system32\AC3ACM.acm

- - - - - - - > 'explorer.exe'(1984)
c:\windows\system32\WININET.dll
.
Completion time: 2010-09-07 12:34:55
ComboFix-quarantined-files.txt 2010-09-07 16:34
ComboFix-quarantined-files2.txt 2010-09-07 16:17
ComboFix2.txt 2010-09-07 16:14

Pre-Run: 16,337,281,024 bytes free
Post-Run: 16,327,962,624 bytes free

- - End Of File - - ED4FBD9CA61FCE38B95C303BFEF1F6E6

peku006
2010-09-07, 20:03
Hi HeadlessChief

Run CFScript

Open Notepad and copy/paste the text in the box into the window:


File::
c:\windows\system32\38adf938.exe
c:\windows\system32\f36decbb.exe
c:\windows\system32\ezsidmv.dat
c:\windows\Bfulez.dat
c:\windows\Eyuzuw.bin

Driver::
MSWU-38adf938
MSWU-f36decbb

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSWU-f36decbb"=-
"MSWU-38adf938"=-



Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Please reply with

ComboFix log (C:\ComboFix.txt)

Thanks peku006

HeadlessChief
2010-09-14, 16:43
:oops::oops: I really thought I had posted this. I am so sorry.
I thought you were just on a break. I am an idiot. Sorry.

ComboFix 10-09-07.01 - Brooke and Nick 09/07/2010 14:25:54.14.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.676 [GMT -4:00]
Running from: c:\documents and settings\Brooke and Nick\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Brooke and Nick\Desktop\CFScript.txt

FILE ::
"c:\windows\Bfulez.dat"
"c:\windows\Eyuzuw.bin"
"c:\windows\system32\38adf938.exe"
"c:\windows\system32\ezsidmv.dat"
"c:\windows\system32\f36decbb.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Bfulez.dat
c:\windows\Eyuzuw.bin
c:\windows\system32\ezsidmv.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSWU-38ADF938
-------\Legacy_MSWU-F36DECBB
-------\Service_MSWU-38adf938
-------\Service_MSWU-f36decbb


((((((((((((((((((((((((( Files Created from 2010-08-07 to 2010-09-07 )))))))))))))))))))))))))))))))
.

2010-09-05 15:44 . 2010-09-05 15:44 -------- d-----w- c:\program files\Common Files\Java
2010-09-05 15:43 . 2010-09-05 15:43 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-29 17:24 . 2010-08-29 17:24 -------- d-----w- c:\program files\ERUNT
2010-08-29 16:32 . 2010-08-29 16:32 -------- d-----w- c:\program files\Safer Networking
2010-08-21 01:09 . 2010-08-21 01:09 -------- d-----w- c:\documents and settings\Brooke and Nick\Application Data\Image Zone Express
2010-08-21 01:01 . 2010-08-21 01:07 -------- d-----w- c:\documents and settings\Brooke and Nick\Application Data\Photo! Web Album
2010-08-17 19:40 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-17 19:40 . 2010-08-17 19:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-17 19:40 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-16 01:35 . 2010-09-02 02:50 -------- d-----w- c:\documents and settings\Brooke and Nick\Application Data\skypePM
2010-08-16 01:33 . 2010-09-02 02:51 -------- d-----w- c:\documents and settings\Brooke and Nick\Application Data\Skype
2010-08-16 01:32 . 2010-08-16 01:32 -------- d-----w- c:\program files\Common Files\Skype
2010-08-16 01:32 . 2010-09-05 15:37 -------- d-----r- c:\program files\Skype
2010-08-16 01:31 . 2010-08-16 01:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-08-15 16:54 . 2010-08-15 16:54 -------- d-----w- c:\program files\iPod
2010-08-12 00:01 . 2010-08-12 00:01 -------- d-----w- c:\windows\system32\MpEngineStore

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-05 15:30 . 2009-02-26 01:59 -------- d-----w- c:\program files\Java
2010-08-29 17:33 . 2009-05-19 15:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-29 16:03 . 2007-05-12 17:05 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-29 16:03 . 2009-02-27 16:11 -------- d-----w- c:\documents and settings\Brooke and Nick\Application Data\Microsoft Games
2010-08-29 16:03 . 2009-02-27 16:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Games
2010-08-24 04:46 . 2009-10-03 03:15 -------- d-----w- c:\program files\Paint Shop Pro 7
2010-08-21 01:00 . 2009-04-12 19:03 -------- d-----w- c:\program files\Web Photo Album
2010-08-17 19:40 . 2010-06-11 23:42 -------- d-----w- c:\documents and settings\Brooke and Nick\Application Data\Malwarebytes
2010-08-17 19:40 . 2010-06-11 23:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-15 17:00 . 2010-05-07 00:48 -------- d-----w- c:\program files\Safari
2010-08-15 16:56 . 2010-07-04 20:29 -------- d-----w- c:\program files\iTunes
2010-08-15 16:54 . 2007-08-17 01:13 -------- d-----w- c:\program files\Common Files\Apple
2010-08-02 23:16 . 2010-06-16 01:37 132220 ----a-w- c:\windows\system32\drivers\KmxAgent.asc
2010-07-26 01:20 . 2010-07-26 01:17 -------- d-----w- c:\program files\CA
2010-07-26 01:12 . 2010-07-26 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\CA
2010-07-25 16:23 . 2007-01-02 03:05 -------- d-----w- c:\program files\GemMaster
2010-07-23 19:59 . 2009-02-27 18:45 72384 ----a-w- c:\documents and settings\Brooke and Nick\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-23 17:13 . 2009-06-22 14:00 -------- d-----w- c:\program files\OpenOffice.org 3
2010-07-23 02:09 . 2010-07-23 01:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-07-03 03:33 . 2007-01-09 00:18 72384 ----a-w- c:\documents and settings\Paul\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-30 12:31 . 2004-08-10 11:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-28 17:20 . 2010-06-28 17:20 72384 ----a-w- c:\documents and settings\New User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-24 12:15 . 2006-03-04 03:33 832512 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:15 . 2004-08-10 11:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-24 12:15 . 2004-08-10 11:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-06-23 13:44 . 2004-08-10 11:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-10 11:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-10 11:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41 . 2004-08-10 11:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2007-06-21 22:38 . 2007-06-21 22:38 30280 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2007-06-21 22:38 . 2007-06-21 22:38 79432 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2007-06-21 22:38 . 2007-06-21 22:38 71240 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2007-06-21 22:38 . 2007-06-21 22:38 140872 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2007-06-21 22:39 . 2007-06-21 22:39 38472 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2007-06-21 22:39 . 2007-06-21 22:39 46664 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2007-06-21 22:39 . 2007-06-21 22:39 34376 ----a-w- c:\program files\mozilla firefox\plugins\logging.dll
2007-06-21 22:39 . 2007-06-21 22:39 685640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2007-06-21 22:40 . 2007-06-21 22:40 30280 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-07-13 47904]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\Brooke and Nick\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-07 03:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
2006-04-03 03:07 389120 ----a-w- c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 21:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 20:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\I&F Viewer toolbar]
2006-10-28 01:34 65536 ----a-w- c:\program files\Photo Toolkit\IvBar\phototoolkitmem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2008-06-10 17:56 1406024 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-21 19:53 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
2008-06-10 17:56 1442888 ----a-w- c:\program files\Microsoft IntelliType Pro\itype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-19 02:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2009-02-04 03:21 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiMalware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Desktop\\Copied stuff from F drive\\Backup Data Disc 2\\Magic\\Manalink.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S1 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/26/2009 10:50 AM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-26 14:50]

2010-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-26 14:50]

2009-02-27 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2008-06-10 17:56]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://firefox/
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel
Trusted Zone: safer-networking.org\www
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Brooke and Nick\Application Data\Mozilla\Firefox\Profiles\vj8qx2x8.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - prefs.js: keyword.URL - hxxp://search.search-star.net/?sid=10101038100&s=
FF - plugin: c:\documents and settings\Brooke and Nick\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Brooke and Nick\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\Brooke and Nick\Application Data\Mozilla\Firefox\Profiles\vj8qx2x8.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-star.net/?sid=10101038100&s=
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-07 14:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2540)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\system32\ASTSRV.EXE
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\devldr32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-09-07 14:47:28 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-07 18:47
ComboFix-quarantined-files2.txt 2010-09-07 16:17
ComboFix2.txt 2010-09-07 16:34
ComboFix3.txt 2010-09-07 16:14

Pre-Run: 15,246,053,376 bytes free
Post-Run: 15,246,028,800 bytes free

- - End Of File - - E81AEE15144E66D568E799B4F33B3014
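
The keyword.URL entry under FIREFOX POLICIES above is a search hijack: every address-bar keyword search is sent through search-star.net instead of the configured engine. As an added example (not code from ComboFix, Firefox or any tool in this thread), here is a small Python checker that parses pref()/user_pref() lines from a Firefox user.js and flags search-related prefs whose value is not an expected provider; the pref names, the allowlists and the sample file are constructed assumptions, and only the search-star.net URL is the value the log reported.

```python
"""Flag Firefox search preferences that point at an unexpected provider.

Added example for this thread (not code from ComboFix, Firefox or any tool
used here). It parses pref()/user_pref() lines as found in user.js and
greprefs, and reports search-related prefs whose value is not one of the
providers we expect. The pref names, allowlists and sample file below are
constructed assumptions; the search-star.net URL is the keyword.URL value
the ComboFix log reported.
"""
import re
from urllib.parse import urlparse

# Prefs a search hijacker typically rewrites (assumption for this example).
SEARCH_PREFS = {
    "keyword.URL",
    "browser.search.defaultenginename",
    "browser.search.selectedEngine",
    "browser.search.order.1",
    "browser.startup.homepage",
}
# Providers we consider legitimate (assumption; extend for your environment).
EXPECTED_ENGINES = {"google", "bing", "yahoo"}
EXPECTED_HOSTS = {"www.google.com", "google.com", "www.bing.com", "search.yahoo.com"}

PREF_RE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*(.*?)\);\s*$')


def parse_prefs(text):
    """Return {name: value} for every pref("...") / user_pref("...") line."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue                     # comments, blank lines, anything else
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]      # string pref
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"  # boolean pref
        else:
            prefs[name] = raw            # integer or other; keep verbatim
    return prefs


def refang(value):
    """Turn the hxxp:// form used when sharing logs back into a parseable URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)


def audit_search_prefs(prefs):
    """Return (pref, value, reason) tuples for search prefs that look hijacked."""
    findings = []
    for name in sorted(SEARCH_PREFS & set(prefs)):
        value = prefs[name]
        if not isinstance(value, str):
            continue
        if "://" in value:
            host = (urlparse(refang(value)).hostname or "").lower()
            if host not in EXPECTED_HOSTS:
                findings.append((name, value, f"URL host {host!r} is not an expected provider"))
        elif value.lower() not in EXPECTED_ENGINES:
            findings.append((name, value, "engine name is not an expected provider"))
    return findings


# Constructed sample user.js in the shape the ComboFix 'FIREFOX POLICIES' lines
# in this thread describe; only the keyword.URL value comes from the log.
SAMPLE_USER_JS = '''
// Mozilla User Preferences
user_pref("browser.search.selectedEngine", "Google");
user_pref("browser.search.order.1", "Google");
user_pref("keyword.URL", "hxxp://search.search-star.net/?sid=10101038100&s=");
user_pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
'''

if __name__ == "__main__":
    for pref, value, reason in audit_search_prefs(parse_prefs(SAMPLE_USER_JS)):
        print(f"{pref} = {value}\n    {reason}")
```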

peku006
2010-09-14, 17:01
Hi HeadlessChief

Please Download Rootkit Unhooker (http://www.rootkit.com/vault/DiabloNova/RKUnhookerLE.EXE) Save it to your desktop.
Now double-click on RKUnhookerLE.exe to run it.
Click the Report tab, then click Scan.
Check (Tick) Drivers, Stealth, Files, Code Hooks. Uncheck the rest. then Click OK.
Wait till the scanner has finished and then click File, Save Report.
Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?

Thanks peku006

HeadlessChief
2010-09-14, 19:22
:thanks::thanks::thanks:
RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0xBF1CC000 C:\WINDOWS\System32\ati3duag.dll 3887104 bytes (ATI Technologies Inc. , ati3duag.dll)
0xB9AFC000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 3817472 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xBF9C5000 C:\WINDOWS\System32\ativvaxx.dll 2646016 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2189952 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2189952 bytes
0x804D7000 RAW 2189952 bytes
0x804D7000 WMIxWDM 2189952 bytes
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xB9973000 C:\WINDOWS\system32\DRIVERS\HSFDPSP2.sys 1044480 bytes (Conexant Systems, Inc., HSF_DP driver)
0xB98CB000 C:\WINDOWS\system32\DRIVERS\HSFCXTS2.sys 688128 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xBF065000 C:\WINDOWS\System32\ati2cqag.dll 626688 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xF7F16000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xBF0FE000 C:\WINDOWS\System32\atikvmag.dll 536576 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)
0xA819E000 C:\WINDOWS\system32\DRIVERS\Wdf01000.sys 503808 bytes (Microsoft Corporation, WDF Dynamic)
0xA86A3000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB9773000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xA8788000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA5915000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 339968 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xBF181000 C:\WINDOWS\System32\atiok3x2.dll 307200 bytes (ATI Technologies Inc., Ring 0 x2 component)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB9885000 C:\WINDOWS\system32\drivers\emu10k1m.sys 286720 bytes (Creative Technology Ltd., Creative SB Live! Adapter Driver)
0xA59BC000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xB9A95000 C:\WINDOWS\system32\DRIVERS\HSFBS2S2.sys 221184 bytes (Conexant Systems, Inc., HSF_HWB2 WDM driver)
0xB97D1000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF79AC000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xA5AED000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF7D1E000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xA8713000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xA8760000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF78B6000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xA867D000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xB9861000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB9829000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB9A72000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xA873E000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806EE000 ACPI_HAL 131840 bytes
0x806EE000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF7C2B000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF78DC000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB9ACB000 C:\WINDOWS\system32\DRIVERS\e100b325.sys 118784 bytes (Intel Corporation, NDIS 5 driver)
0xF7DF9000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF789E000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xA80D5000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF7886000 C:\WINDOWS\System32\Drivers\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xF7C02000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB9812000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xA5DC8000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB984D000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xB9AE8000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xA87E1000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF7C19000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF799B000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB9801000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xA80ED000 C:\WINDOWS\System32\Drivers\Udfs.SYS 69632 bytes (Microsoft Corporation, UDF File System Driver)
0xBA3C5000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA3E5000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xBA415000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF7A7B000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xA5EAD000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF797B000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF7A3B000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA3F5000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF7A8B000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF7A1B000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF7856000 C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
0xF7AAB000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF7A5B000 agp440.sys 45056 bytes (Microsoft Corporation, 440 NT AGP Filter)
0xF790B000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA3D5000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF7A0B000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF7A9B000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF79FB000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF796B000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF798B000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF7A2B000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF7866000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xBA425000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF7ABB000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF791B000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xA5379000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF7A4B000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xBA405000 C:\WINDOWS\system32\drivers\sfmanm.sys 36864 bytes (Creative Technology Ltd., SoundFont(R) Manager)
0xF78FB000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF7ADB000 cercsr6.sys 32768 bytes (Adaptec, Inc., DELL CERC SATA1.5/6ch Miniport Driver)
0xF7B73000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xF7BDB000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF7B7B000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xF7AF3000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF7AFB000 C:\WINDOWS\system32\DRIVERS\NuidFltr.sys 28672 bytes (Microsoft Corporation, Filter Driver for Microsoft Hardware HID Non-User Input Data)
0xF7ACB000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF7BE3000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xF7B8B000 C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xF7B83000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF7BB3000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF7B03000 C:\WINDOWS\system32\DRIVERS\point32.sys 24576 bytes (Microsoft Corporation, Point32.sys)
0xF7B93000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF7BCB000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF7BBB000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xF7BD3000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF7AD3000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF7BA3000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF7BAB000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xF7B9B000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF7B23000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xBA7AF000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xA6049000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xBA7E0000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF7C5B000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xB967A000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF7CEB000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xA5AE1000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 12288 bytes (Conexant, Diagnostic Interface DRIVER)
0xF7CEF000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xBA7D8000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xB9EBE000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF7D89000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7D81000 C:\WINDOWS\system32\drivers\ctlfacem.sys 8192 bytes (Creative Technology Ltd., Creative SB Live! Interface Driver)
0xF7D51000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF7DA3000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF7D87000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7D4F000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xF7D4B000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7D8B000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF7D8F000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xF7D8D000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7D83000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF7D85000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7D4D000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7E3B000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7E6B000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7E85000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
==============================================
>Stealth
==============================================
==============================================
>Files
==============================================
==============================================
>Hooks
==============================================
ntoskrnl.exe+0x00004AA2, Type: Inline - RelativeJump 0x804DBAA2-->804DBAA9 [ntoskrnl.exe]
[1708]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[1708]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[1708]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
[1708]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
[1708]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]
[1708]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D931480-->00000000 [shimeng.dll]
[1708]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->00000000 [shimeng.dll]


!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)

peku006
2010-09-14, 20:07
Hi HeadlessChief


!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
Can you explain a little more... where, and what program?

Please go to Kaspersky Online Virus Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) © Kaspersky Lab to perform an online antivirus scan.

Read the "Advantages - Requirements and Limitations" then press... the ACCEPT...button.
The latest program and definition files will be downloaded. It takes time, please be patient, let it finish.
Once the files have been downloaded, click on the SETTINGS...button.
In the scan settings make sure the following are selected:
Detect malicious programs of the following categories:
Viruses, Worms, Trojan Horses, Rootkits
Spyware, Adware, Dialers and other potentially dangerous programs
Scan compound files (doesn't apply to the File scan area):
Archives
Mail databases
By default the above items should already be checked.
Click the SAVE...button, if you made any changes.
Now under the Scan section on the left: Select My Computer
The program will start scanning your system. This takes a while, be patient... let it run.
Once the scan is complete it will display if your system has been infected.
Save the scan results as a Text file ... save it to your desktop.
Copy and paste the saved scan results file in your next reply.

Thanks peku006

HeadlessChief
2010-09-14, 20:43
Hi HeadlessChief

Can you explain a little more... where, and what program?

I didn't write that. It was at the bottom of the report. I have no idea what it meant.

Doing the scan right now.:)

peku006
2010-09-14, 20:57
Hi HeadlessChief

There are a lot of rootkits that are not malicious. Some anti-virus software uses rootkit-like behavior to try to keep malware from disabling it. At least for a while, optical drive emulation software (such as Alcohol 120% and Daemon Tools) used rootkit-like behavior to hide its presence from copy protection in games.

The log looks good.

Thanks peku006
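
As an added triage example for the >Hooks section of the RKU report above (not part of RKU or any tool used in this thread): the script below parses each hook line and buckets it by the module RKU attributes the hook to, treating shimeng.dll (the Windows application-compatibility shim engine, which rewrites GetProcAddress in the import tables of any process a compatibility shim is applied to) as expected, and a kernel inline jump whose target stays inside the image it patches as a self-patch rather than a redirect to foreign code. That allowlist, and the one extra constructed line with a fictitious unknown.dll hooker, are assumptions.

```python
"""Triage the '>Hooks' section of a Rootkit Unhooker (RKU) LE report.

Added example for this thread, not code from RKU or any tool used here.
Each hook line is attributed by RKU to a hooking module (the name in the
trailing [brackets]); we bucket lines by that module and only surface the
ones that come from somewhere we do not expect. The allowlist is an
assumption for this example.
"""
import re
from collections import defaultdict

# shimeng.dll is the Windows application-compatibility shim engine; when a
# compatibility shim is applied to a process it rewrites GetProcAddress in
# that process's import tables, so IAT entries pointing at it are expected.
EXPECTED_HOOKERS = {"shimeng.dll"}

# User-mode line, e.g.
# [1708]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
USER_HOOK_RE = re.compile(
    r"^\[(?P<pid>\d+)\](?P<chain>\S+?), Type: (?P<type>.+?) "
    r"0x(?P<src>[0-9A-Fa-f]+)-->(?P<dst>[0-9A-Fa-f]+) \[(?P<hooker>[^\]]+)\]$"
)
# Kernel line, e.g.
# ntoskrnl.exe+0x00004AA2, Type: Inline - RelativeJump 0x804DBAA2-->804DBAA9 [ntoskrnl.exe]
KERNEL_HOOK_RE = re.compile(
    r"^(?P<image>\S+)\+0x(?P<offset>[0-9A-Fa-f]+), Type: (?P<type>.+?) "
    r"0x(?P<src>[0-9A-Fa-f]+)-->(?P<dst>[0-9A-Fa-f]+) \[(?P<hooker>[^\]]+)\]$"
)


def parse_hooks(report):
    """Return one dict per hook line found under the '>Hooks' header."""
    hooks = []
    in_section = False
    for line in report.splitlines():
        line = line.strip()
        if line.startswith(">"):            # section header such as >Drivers, >Hooks
            in_section = line == ">Hooks"
            continue
        # RKU prints its '!!POSSIBLE ROOTKIT ACTIVITY DETECTED!!' trailer after the
        # list whenever any hook at all was found; it is not itself a finding.
        if not in_section or not line or line.startswith(("=", "!!")):
            continue
        m = USER_HOOK_RE.match(line) or KERNEL_HOOK_RE.match(line)
        if m is None:
            hooks.append({"raw": line, "type": "unparsed", "hooker": ""})
            continue
        hook = m.groupdict()
        hook["raw"] = line
        # dst 00000000 means the IAT slot was zeroed rather than redirected.
        hook["nulled"] = int(hook["dst"], 16) == 0
        hooks.append(hook)
    return hooks


def classify(hook):
    """'expected', 'self' (jump stays inside the patched image) or 'suspicious'."""
    if hook["type"] == "unparsed":
        return "suspicious"              # never silently drop what we cannot parse
    hooker = hook["hooker"].lower()
    if hooker in EXPECTED_HOOKERS:
        return "expected"
    if hooker and hooker == hook.get("image", "").lower():
        return "self"
    return "suspicious"


def triage(report):
    """Bucket the report's hooks by verdict; suspicious ones are what to look at."""
    buckets = defaultdict(list)
    for hook in parse_hooks(report):
        buckets[classify(hook)].append(hook)
    return buckets


# Constructed sample: a subset of the >Hooks section posted in this thread, plus
# one made-up line with a fictitious hooker so the suspicious path is exercised.
SAMPLE_REPORT = """\
>Hooks
==============================================
ntoskrnl.exe+0x00004AA2, Type: Inline - RelativeJump 0x804DBAA2-->804DBAA9 [ntoskrnl.exe]
[1708]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[1708]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
[1708]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->00000000 [shimeng.dll]
[1708]explorer.exe-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x01001270-->10001000 [unknown.dll]


!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
"""

if __name__ == "__main__":
    for verdict, hooks in sorted(triage(SAMPLE_REPORT).items()):
        print(f"{verdict}: {len(hooks)}")
        for h in hooks:
            print("   ", h["raw"])
```

On the real report every explorer.exe entry is a zeroed GetProcAddress slot attributed to shimeng.dll, which is why the trailer line alone does not indicate a malicious hook.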

HeadlessChief
2010-09-14, 21:20
Kaspersky Online Scanner 7 will not run for me:confused::confused:. I've tried to do it twice. The first time it popped up a timed-out error. The second time it said it couldn't access its update source. :confused:

HeadlessChief
2010-09-15, 01:20
I just tried again, & it said Java was interrupted. :confused:

What should I do?

peku006
2010-09-15, 08:41
Hi HeadlessChief

Let's try this...

Panda ActiveScan
Vista - W7 users:
Close your browser, right-click on the IE icon on the Start Menu or Quick Launch and select "Run as Administrator".
Please go to Panda ActiveScan (http://www.pandasecurity.com/homeusers/solutions/activescan/) © Panda Security... to perform a free online scan.
You must use Internet Explorer as the scan requires ActiveX.
Click on the Scan your PC now button.
A new window will open.
Make sure the "Full scan" scan type is CHECKED.
Press the "Scan Now" button.
You will be prompted to install an ActiveX module. Please allow it.
If your browser blocks pop-ups, you may see a bar at the top of the window asking you to click, to allow ... please allow it.
Panda Active scan will update itself... this may also be a pop-up...please allow also.
Once the program is updated, it will begin to scan your computer. This will take a long time, so be patient, let it run.
Once done, click on Export to:... save it to your Desktop.
A file named "ActiveScan.txt" will be created on your desktop.
Please copy and paste the contents of the ActiveScan.txt file in your next reply.

Thanks peku006

HeadlessChief
2010-09-15, 22:37
It took all day, but it looks like it was well worth it. :D:

ANALYSIS: 2010-09-15 16:33:22
PROTECTIONS: 0
MALWARE: 2
SUSPECTS: 2
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
06397482 Trj/Clicker.ASH Virus/Trojan No 1 Yes No c:\documents and settings\brooke and nick\application data\mozilla\firefox\profiles\vj8qx2x8.default\user.js.bak
06397482 Trj/Clicker.ASH Virus/Trojan No 1 Yes No c:\documents and settings\paul\application data\mozilla\firefox\profiles\sk8ba9yj.default\user.js
06397482 Trj/Clicker.ASH Virus/Trojan No 1 Yes No c:\documents and settings\brooke and nick\application data\mozilla\firefox\profiles\vj8qx2x8.default\user.js
07309541 Adware/SecurityEssentials2010 Adware No 0 No No c:\documents and settings\brooke and nick\desktop\combofix.exe[32788r22fwjfw\pev.exe]
07309541 Adware/SecurityEssentials2010 Adware No 0 No No c:\documents and settings\brooke and nick\desktop\combofix.exe[32788r22fwjfw\license\iexplore.exe]
07309541 Adware/SecurityEssentials2010 Adware No 0 Yes No c:\system volume information\_restore{3250f431-b8bd-4aeb-8719-084dabdabf39}\rp650\a0114300.exe
07309541 Adware/SecurityEssentials2010 Adware No 0 Yes No c:\system volume information\_restore{3250f431-b8bd-4aeb-8719-084dabdabf39}\rp650\a0114363.exe
07309541 Adware/SecurityEssentials2010 Adware No 0 No No c:\system volume information\_restore{3250f431-b8bd-4aeb-8719-084dabdabf39}\rp666\a0120832.exe[32788r22fwjfw\license\iexplore.exe]
07309541 Adware/SecurityEssentials2010 Adware No 0 No No c:\system volume information\_restore{3250f431-b8bd-4aeb-8719-084dabdabf39}\rp666\a0120832.exe[32788r22fwjfw\pev.exe]
07309541 Adware/SecurityEssentials2010 Adware No 0 Yes No c:\system volume information\_restore{3250f431-b8bd-4aeb-8719-084dabdabf39}\rp666\a0120883.exe
07309541 Adware/SecurityEssentials2010 Adware No 0 Yes No c:\system volume information\_restore{3250f431-b8bd-4aeb-8719-084dabdabf39}\rp666\a0120914.exe
07309541 Adware/SecurityEssentials2010 Adware No 0 Yes No c:\system volume information\_restore{3250f431-b8bd-4aeb-8719-084dabdabf39}\rp666\a0120982.exe
07309541 Adware/SecurityEssentials2010 Adware No 0 No No c:\system volume information\_restore{3250f431-b8bd-4aeb-8719-084dabdabf39}\rp670\a0121216.exe[32788r22fwjfw\license\iexplore.exe]
07309541 Adware/SecurityEssentials2010 Adware No 0 No No c:\system volume information\_restore{3250f431-b8bd-4aeb-8719-084dabdabf39}\rp670\a0121216.exe[32788r22fwjfw\license\pev.exe]
07309541 Adware/SecurityEssentials2010 Adware No 0 No No c:\system volume information\_restore{3250f431-b8bd-4aeb-8719-084dabdabf39}\rp670\a0121216.exe[32788r22fwjfw\pev.exe]
07309541 Adware/SecurityEssentials2010 Adware No 0 Yes No c:\system volume information\_restore{3250f431-b8bd-4aeb-8719-084dabdabf39}\rp670\a0121267.exe
07309541 Adware/SecurityEssentials2010 Adware No 0 Yes No c:\system volume information\_restore{3250f431-b8bd-4aeb-8719-084dabdabf39}\rp670\a0121298.exe
07309541 Adware/SecurityEssentials2010 Adware No 0 Yes No c:\system volume information\_restore{3250f431-b8bd-4aeb-8719-084dabdabf39}\rp670\a0121361.exe
07309541 Adware/SecurityEssentials2010 Adware No 0 No No c:\system volume information\_restore{3250f431-b8bd-4aeb-8719-084dabdabf39}\rp677\a0122003.exe[32788r22fwjfw\license\iexplore.exe]
07309541 Adware/SecurityEssentials2010 Adware No 0 No No c:\system volume information\_restore{3250f431-b8bd-4aeb-8719-084dabdabf39}\rp677\a0122003.exe[32788r22fwjfw\pev.exe]
07309541 Adware/SecurityEssentials2010 Adware No 0 Yes No c:\system volume information\_restore{3250f431-b8bd-4aeb-8719-084dabdabf39}\rp677\a0122025.exe
07309541 Adware/SecurityEssentials2010 Adware No 0 Yes No c:\system volume information\_restore{3250f431-b8bd-4aeb-8719-084dabdabf39}\rp677\a0122085.exe
07309541 Adware/SecurityEssentials2010 Adware No 0 Yes No c:\system volume information\_restore{3250f431-b8bd-4aeb-8719-084dabdabf39}\rp677\a0122113.exe
07309541 Adware/SecurityEssentials2010 Adware No 0 Yes No c:\system volume information\_restore{3250f431-b8bd-4aeb-8719-084dabdabf39}\rp677\a0122174.exe
07309541 Adware/SecurityEssentials2010 Adware No 0 No No c:\system volume information\_restore{3250f431-b8bd-4aeb-8719-084dabdabf39}\rp677\a0122203.exe[32788r22fwjfw\license\iexplore.exe]
07309541 Adware/SecurityEssentials2010 Adware No 0 No No c:\system volume information\_restore{3250f431-b8bd-4aeb-8719-084dabdabf39}\rp677\a0122203.exe[32788r22fwjfw\pev.exe]
07309541 Adware/SecurityEssentials2010 Adware No 0 Yes No c:\system volume information\_restore{3250f431-b8bd-4aeb-8719-084dabdabf39}\rp677\a0122253.exe
07309541 Adware/SecurityEssentials2010 Adware No 0 Yes No c:\system volume information\_restore{3250f431-b8bd-4aeb-8719-084dabdabf39}\rp677\a0122284.exe
07309541 Adware/SecurityEssentials2010 Adware No 0 Yes No c:\system volume information\_restore{3250f431-b8bd-4aeb-8719-084dabdabf39}\rp677\a0122362.exe
07309541 Adware/SecurityEssentials2010 Adware No 0 Yes No c:\windows\pev.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No c:\system volume information\_restore{3250f431-b8bd-4aeb-8719-084dabdabf39}\rp670\a0121216.exe
No c:\system volume information\_restore{3250f431-b8bd-4aeb-8719-084dabdabf39}\rp677\a0122003.exe
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description

peku006
2010-09-16, 09:00
Hi HeadlessChief

Download OTM (http://oldtimer.geekstogo.com/OTM.exe) by Old Timer and save it to your Desktop.

Double-click OTM.exe to run it.
Paste the following code under the http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/pasteline.png area. Do not include the word Code.

:Files
c:\documents and settings\brooke and nick\application data\mozilla\firefox\profiles\vj8qx2x8.default\user.js.bak
c:\documents and settings\paul\application data\mozilla\firefox\profiles\sk8ba9yj.default\user.js
c:\documents and settings\brooke and nick\application data\mozilla\firefox\profiles\vj8qx2x8.default\user.js


Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
Push the large http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/btnmoveit.png button.
OTM may ask to reboot the machine. Please do so if asked.
Copy everything in the Results window (under the green bar), and paste it in your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Thanks peku006

HeadlessChief
2010-09-16, 13:01
========== FILES ==========
c:\documents and settings\brooke and nick\application data\mozilla\firefox\profiles\vj8qx2x8.default\user.js.BAK moved successfully.
c:\documents and settings\paul\application data\mozilla\firefox\profiles\sk8ba9yj.default\user.js moved successfully.
c:\documents and settings\brooke and nick\application data\mozilla\firefox\profiles\vj8qx2x8.default\user.js moved successfully.

OTM by OldTimer - Version 3.1.16.1 log created on 09162010_065355

peku006
2010-09-16, 13:38
Hi HeadlessChief

How's the computer running now... still "problems"? If so, what kinds of problems?

Thanks peku006

HeadlessChief
2010-09-16, 13:48
It runs really slow sometimes. Honestly, its performance is sporadic. We really didn't know how bad of a problem we had until it started sending out spam e-mails to people (including us). So I really can't say one way or another if there is much of a difference in how it is running. Sorry.:sad:

What do I do about all of the "stuff" the long scan from yesterday found?

peku006
2010-09-16, 14:53
Hi

You mean those in the System Volume Information? We will take care of them later.

Which program sent out the "spam", and what kind of e-mails are they?

HeadlessChief
2010-09-16, 15:08
Hi

Which program sent out the "spam", and what kind of e-mails are they?

I don't know what sent it out. The e-mail address was a @yahoo one that hadn't been used in at least a year. It was a link to a site that offered "health care."

peku006
2010-09-16, 15:49
Hi HeadlessChief

Perhaps your account has been compromised and used as the (spoofed) sender. Have you changed your password and your security questions?

Create a new, clean System Restore point


Create a new, clean System Restore point which you can use in case of future system problems:
Press Start >> All Programs >> Accessories >>System Tools >> System Restore
Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close
Now remove old, infected System Restore points:
Next click Start >> Run and type cleanmgr in the box and press OK
Ensure the boxes for Recycle Bin, Temporary Files and Temporary Internet Files are checked, you can choose to check other boxes if you wish but they are not required.
Select the More Options tab, under System Restore press Clean up... and say Yes to the prompt
Press OK and Yes to confirm

Maxlook (XP)
Please download maxlook.exe (http://noahdfear.net/downloads/maxlook.exe) ... by Noahdfear. Save it to your desktop.
Double click maxlook.exe to run it. Note - you must run it only once!
Restart your computer.
Before Windows loads, you will be prompted to choose which Operating System to start.
Use the up and down arrow key to select Microsoft Windows Recovery Console
You must enter which Windows installation to log onto. Type 1 and press 'Enter'.
At the C:\Windows prompt, type the following:
batch look.bat (note the spaces) Press 'Enter'.

http://noahdfear.net/WTT/lookXP.gif

You will see 1 file copied many times then return to the x:\windows> prompt.
Type Exit to restart your computer then log on in normal mode.
Click Start >> Run and then type the following in the run box:
maxlook -sig (note the space before the - sign)
Press OK... a file will be created on your desktop named looklog.txt.
Please post the contents of looklog.txt in your next reply.

Thanks peku006

HeadlessChief
2010-09-17, 19:48
Hello!

I executed the directions to the best of my ability - I installed maxlook, and when I got to the Windows Recovery Console, and typed "batch look.bat", it did say 1 file(s) copied over and over, but then stopped running. I let the PC sit for approximately 15 minutes, and nothing was happening. It never came back to a system prompt. I powered the computer down, and retried, with the same result...never getting back to a system prompt.

I powered down again, and booted to windows this time, and ran the log...here you go. Please let me know if I did something wrong! Thank you for your time! :)


Run from C:\Documents and Settings\Brooke and Nick\Desktop\maxlook.exe on Fri 09/17/2010 at 13:43:11.04

--------- maxlook unsigned files ---------

c:\windows\maxdrive\cdr4_xp.sys:
Verified: Unsigned
File date: 10:42 PM 10/4/2006
Publisher: Sonic Solutions
Description: CDR4 CD and DVD Place Holder Driver (see PxHelp)
Product: Drag-to-Disc
Version: 8.0.0.212
File version: 8.0.0.212
c:\windows\maxdrive\cercsr6.sys:
Verified: Unsigned
File date: 5:14 PM 12/13/2004
Publisher: Adaptec, Inc.
Description: DELL CERC SATA1.5/6ch Miniport Driver
Product: Dell RAID Controller
Version: 4.1.0.7405
File version: 4.1.0.7405
c:\windows\maxdrive\goprot51.sys:
Verified: Unsigned
File date: 6:20 PM 4/15/2007
Publisher: Gteko Ltd.
Description: Gteko's GoProto protocol driver
Product: Gteko Diagnostics Network Module
Version: 2, 1, 0, 21
File version: 2, 1, 0, 21
c:\windows\maxdrive\mhndrv.sys:
Verified: Unsigned
File date: 7:45 AM 8/10/2004
Publisher: Microsoft Corporation
Description: Microsoft Multimedia Home Network (MHN) Support Driver
Product: Microsoft® Windows® Operating System
Version: 5.1.2600.2180
File version: 5.1.2600.2180 (private/xpsp_mce.040810-0205)
c:\windows\maxdrive\pxhelp20.sys:
Verified: Unsigned
File date: 3:00 AM 10/18/2006
Publisher: Sonic Solutions
Description: Px Engine Device Driver for Windows 2000/XP
Product: PxHelp20
Version: n/a
File version: 3.00.43J
c:\windows\maxdrive\pxhelper.sys:
Verified: Unsigned
File date: 3:00 AM 10/18/2006
Publisher: Sonic Solutions
Description: PX Engine Device Driver for Windows NT
Product: PxHelper
Version: n/a
File version: 3.00.43J

--------- system32\drivers unsigned files ---------

c:\windows\system32\drivers\cdr4_xp.sys:
Verified: Unsigned
File date: 10:42 PM 10/4/2006
Publisher: Sonic Solutions
Description: CDR4 CD and DVD Place Holder Driver (see PxHelp)
Product: Drag-to-Disc
Version: 8.0.0.212
File version: 8.0.0.212
c:\windows\system32\drivers\cercsr6.sys:
Verified: Unsigned
File date: 5:14 PM 12/13/2004
Publisher: Adaptec, Inc.
Description: DELL CERC SATA1.5/6ch Miniport Driver
Product: Dell RAID Controller
Version: 4.1.0.7405
File version: 4.1.0.7405
c:\windows\system32\drivers\goprot51.sys:
Verified: Unsigned
File date: 6:20 PM 4/15/2007
Publisher: Gteko Ltd.
Description: Gteko's GoProto protocol driver
Product: Gteko Diagnostics Network Module
Version: 2, 1, 0, 21
File version: 2, 1, 0, 21
c:\windows\system32\drivers\mhndrv.sys:
Verified: Unsigned
File date: 7:45 AM 8/10/2004
Publisher: Microsoft Corporation
Description: Microsoft Multimedia Home Network (MHN) Support Driver
Product: Microsoft® Windows® Operating System
Version: 5.1.2600.2180
File version: 5.1.2600.2180 (private/xpsp_mce.040810-0205)
c:\windows\system32\drivers\pxhelp20.sys:
Verified: Unsigned
File date: 3:00 AM 10/18/2006
Publisher: Sonic Solutions
Description: Px Engine Device Driver for Windows 2000/XP
Product: PxHelp20
Version: n/a
File version: 3.00.43J
c:\windows\system32\drivers\pxhelper.sys:
Verified: Unsigned
File date: 3:00 AM 10/18/2006
Publisher: Sonic Solutions
Description: PX Engine Device Driver for Windows NT
Product: PxHelper
Version: n/a
File version: 3.00.43J
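
As an added example (not code from this thread, from maxlook or from its author), here is a small parser for the maxlook log format above that pairs each offline copy taken from the Recovery Console (c:\windows\maxdrive) with its live counterpart in system32\drivers and reports anything that does not line up. The sample log is constructed from the entries posted above plus one hypothetical extra entry and one altered date/version, so the comparison has something to show.

```python
"""Compare the two sections of a maxlook 'unsigned files' log.

maxlook copies drivers out while the Recovery Console is running (where a
kernel-mode rootkit is not active) and then sigchecks both copies.  A driver
that is unsigned on the live system but absent from the offline copy, or
whose metadata differs between the two, deserves a closer look; identical
pairs (as in the thread's real log) are ordinary OEM drivers.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: three real entries from the thread, plus a hypothetical
# 'example_unknown.sys' that exists only live, an altered mhndrv.sys on the
# live side, and pxhelp20.sys deliberately left out of the live section.
SAMPLE_LOG = r"""
--------- maxlook unsigned files ---------

c:\windows\maxdrive\cdr4_xp.sys:
Verified: Unsigned
File date: 10:42 PM 10/4/2006
Publisher: Sonic Solutions
Description: CDR4 CD and DVD Place Holder Driver (see PxHelp)
Product: Drag-to-Disc
Version: 8.0.0.212
File version: 8.0.0.212
c:\windows\maxdrive\mhndrv.sys:
Verified: Unsigned
File date: 7:45 AM 8/10/2004
Publisher: Microsoft Corporation
Description: Microsoft Multimedia Home Network (MHN) Support Driver
Version: 5.1.2600.2180
File version: 5.1.2600.2180 (private/xpsp_mce.040810-0205)
c:\windows\maxdrive\pxhelp20.sys:
Verified: Unsigned
File date: 3:00 AM 10/18/2006
Publisher: Sonic Solutions
Description: Px Engine Device Driver for Windows 2000/XP
Version: n/a
File version: 3.00.43J

--------- system32\drivers unsigned files ---------

c:\windows\system32\drivers\cdr4_xp.sys:
Verified: Unsigned
File date: 10:42 PM 10/4/2006
Publisher: Sonic Solutions
Description: CDR4 CD and DVD Place Holder Driver (see PxHelp)
Product: Drag-to-Disc
Version: 8.0.0.212
File version: 8.0.0.212
c:\windows\system32\drivers\mhndrv.sys:
Verified: Unsigned
File date: 3:12 AM 9/1/2010
Publisher: Microsoft Corporation
Description: Microsoft Multimedia Home Network (MHN) Support Driver
Version: 5.1.2600.9999
File version: 5.1.2600.9999
c:\windows\system32\drivers\example_unknown.sys:
Verified: Unsigned
File date: 1:00 AM 9/16/2010
Publisher: n/a
Description: n/a
Version: n/a
File version: n/a
"""

SECTION_RE = re.compile(r'^-{3,}\s*(.+?)\s+unsigned files\s*-{3,}$')
ENTRY_RE = re.compile(r'^([a-z]:\\.+?):$', re.IGNORECASE)
COMPARE_FIELDS = ('Publisher', 'Description', 'File date', 'File version')


def parse_maxlook(text: str) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Return {section name: {driver basename: {field: value}}}."""
    sections: Dict[str, Dict[str, Dict[str, str]]] = {}
    current = None   # section currently being read
    record = None    # dict for the driver entry currently being read
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections[current] = {}
            record = None
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            path = m.group(1)
            record = {'path': path}
            sections[current][path.rsplit('\\', 1)[-1].lower()] = record
            continue
        if record is not None and ': ' in line:
            key, value = line.split(': ', 1)   # 'File date: 10:42 PM ...'
            record[key] = value
    return sections


def compare_sections(sections, offline='maxlook', live='system32\\drivers'):
    """Pair offline and live entries by basename and list the differences."""
    off, liv = sections.get(offline, {}), sections.get(live, {})
    findings = {
        'live_only': sorted(set(liv) - set(off)),     # not copied offline
        'offline_only': sorted(set(off) - set(liv)),  # unsigned offline only
        'mismatched': [],                             # same name, other data
    }
    for name in sorted(set(off) & set(liv)):
        for f in COMPARE_FIELDS:
            a, b = off[name].get(f), liv[name].get(f)
            if a != b:
                findings['mismatched'].append((name, f, a, b))
    return findings


if __name__ == '__main__':
    for kind, items in compare_sections(parse_maxlook(SAMPLE_LOG)).items():
        print(kind, items)
```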

peku006
2010-09-18, 08:09
Hi HeadlessChief

You did everything right... but still nothing suspicious found.

MBR Rootkit Detector:

Please download MBR Rootkit Detector (http://www2.gmer.net/mbr/mbr.exe) by GMER and save it to your desktop.


Double click on the MBR.exe file to run it.
A window will open briefly then close.
A log will be produced & saved to the desktop, called MBR.log.
Please post the contents of that log in your next reply.

Thanks peku006

HeadlessChief
2010-09-18, 08:30
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

peku006
2010-09-18, 09:38
Hi HeadlessChief

I do not see anything suspicious... but we have many tools :D:
Download and Run Blacklight

Please download F-Secure Blacklight (fsbl.exe) from here (ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe)
Save into C:\ with a name of fsbl.exe
Go to Start > Run
Copy and paste the contents of the below codebox into the run box
C:\fsbl.exe /expert
Click OK
This will launch BlackLight
Select I accept the agreement
Click Next
Click Scan
Wait for the scan to finish
Click on Next>
Click Exit
A logfile will have been created in the C:\ drive
It will be named fsbl-xxxxxxxxxxxxxx.log where xxxxxxxxxxxxxx is the date and time of the scan
Use notepad to open that log
Post the contents of that log as a reply to this topic

Thanks peku006

HeadlessChief
2010-09-18, 17:41
09/18/10 11:21:48 [Info]: BlackLight Engine 2.2.1092 initialized
09/18/10 11:21:48 [Info]: OS: 5.1 build 2600 (Service Pack 3)
09/18/10 11:21:49 [Note]: 7019 4
09/18/10 11:21:49 [Note]: 7005 0
09/18/10 11:22:01 [Note]: 7006 0
09/18/10 11:22:01 [Note]: 7022 0
09/18/10 11:22:01 [Note]: 7011 1260
09/18/10 11:22:01 [Note]: 7035 0
09/18/10 11:22:01 [Note]: 7026 0
09/18/10 11:22:01 [Note]: 7026 0
09/18/10 11:22:01 [Note]: FSRAW library version 1.7.1024

peku006
2010-09-18, 19:45
Hi HeadlessChief

nothing........

RootRepeal - Rootkit Detector

Download RootRepeal from the following location and save it to your desktop.

Link 1 (http://rootrepeal.googlepages.com/RootRepeal.zip)
Link 2 (http://ad13.geekstogo.com/RootRepeal.zip)
Link 3 (http://rootrepeal.psikotick.com/RootRepeal.zip)

Unzip it to your Desktop
Double click RootRepeal.exe to start the program
Click on the Report tab at the bottom of the program window
Click the Scan button
In the Select Scan dialog, check:

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services
Shadow SSDT

Click the OK button
Check the box for your main system drive (Usually C:), and Click OK to start the scan

The scan can take some time. DO NOT run any other programs while the scan is running

When the scan is complete, the Save Report button will become available
Click this and save the report to your Desktop as RootRepeal.txt
Go to File, then Exit to close the program

Thanks peku006

HeadlessChief
2010-09-19, 02:57
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/09/18 20:55
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!





ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/09/18 20:33
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA84E4000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7D97000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA5E8F000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

==EOF==

peku006
2010-09-19, 09:20
Hi HeadlessChief

All the logs look good.....

Can you see e-mails in your Sent folder that you did not send?

Have you changed your password and your security questions on your Yahoo account?

Check your account information to see if anything was changed.

HeadlessChief
2010-09-22, 19:40
It is not an active E-mail account. I don't even have access to it anymore. I haven't used it in 2 years. It just sent more spam two days ago.

It's not just that though, Brighthouse banned my account for sending some internal spam from an E-mail account that I didn't set up or have access to. They suggested we had a possible rootkit, & suggested cleaning our system. We have been trying to for months now, but it never seems to go away.

We will constantly have things come up on scans, clean them, & have them come back a few weeks later.

peku006
2010-09-22, 20:09
Hi HeadlessChief

OK... but it is "strange" that the "rootkit" does not appear in any "rootkit scanner" logs.

We need to start from the beginning.......... :D:

Download GMER Rootkit Scanner from here (http://www.gmer.net/download.php) & save it to your desktop.
Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO

http://i28.photobucket.com/albums/c227/tetonbob/gmer_th.gif (http://i28.photobucket.com/albums/c227/tetonbob/gmer_screen2-1.gif)
Click the image to enlarge it

In the right panel, you will see several boxes that have been checked. Uncheck the following:
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)
Then click the Scan button & wait for it to finish
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
Save it where you can easily find it, such as your desktop, and post it in reply

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
Do not run any programs while Gmer is running.

NOTE: If you cannot run GMER as indicated above, save a scan from the initial startup scan.
Before scanning, make sure all other running programs are closed & no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan
Double click the gmer.exe file
The program will begin to run & perform an initial scan. If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No
After the "initial scan" is complete, click on the Save button, save the log file to your desktop & post it in your reply

To post in next reply:

Contents of Gmer log

Thanks peku006

HeadlessChief
2010-09-23, 01:11
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-22 19:10:07
Windows 5.1.2600 Service Pack 3
Running: g5uzq9ry.exe; Driver: C:\DOCUME~1\BROOKE~1\LOCALS~1\Temp\uwtdqpog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB9B1B000, 0x1BDE76, 0xE8000020]

---- EOF - GMER 1.0.15 ---

peku006
2010-09-23, 08:44
Hi HeadlessChief


It is not an active E-mail account. I don't even have access to it anymore. I haven't used it in 2 years.
How is it possible that it is your Yahoo account if you do not have access to it anymore? Have you contacted Yahoo?

It just sent more spam two days ago
Can I get a copy?

They suggested we had a possible rootkit, & suggested cleaning our system
How did they check your computer? Or was it only spam from your Yahoo account?
You had an Antimalware Doctor infection, but ComboFix removed it, and it does not cause "spam".


We will constantly have things come up on scans, clean them, & have them come back a few weeks later.
What kind of "things"...... can you give some more explanation?

Thanks peku006

HeadlessChief
2010-09-24, 19:11
I tried accessing the account, and was locked out for 12 hours because I don't remember all of the security information - I haven't used this email account in about 6 years.

Here is a copy and paste of the second spam email that was sent out - the first was exactly the same. If you need me to forward you the exact email, let me know. :)

from Nick Pratt <fourspeed327@yahoo.com>
to andy.mcarthur@comcast.net,
benjohnston8@yahoo.com,
bjt_cmsu@hotmail.com,
adorabrooke@yahoo.com,
bhaber@shadesofgreen.org,
brooke.haber@gmail.com
date Sun, Sep 19, 2010 at 9:37 PM
mailed-by yahoo.com
signed-by yahoo.com

hide details Sep 19 (4 days ago)

http://change-fast.net/index.php


Brighthouse quarantined our internet access, and when I called them, they said it was because we had a rootkit that was sending out spam, and sent me to a site that had some of their cleanup tools/procedures. We cleaned sufficiently that they would reactivate my internet, but, obviously, we are still sending out spam emails.

I'm a rookie when it comes to these types of things, so I didn't write them down when it happened, but the system volume information keeps popping up (I know you said we'd deal with that later.) For a long time, things were being found in an old folder from the Sims 2 game - I have deleted the folders and files, as it is a game I no longer play. There was a lot of stuff that got found in the win32 directory. There seems to be an endless supply of things that get found - sorry I can't give more details. I will attempt to document more thoroughly as we move forward, but for the time being, I really need my hand held.

Thank you so much for all of your help and support - I really appreciate it! :)

peku006
2010-09-24, 21:43
Hi HeadlessChief

Thanks for the information......

the system volume information keeps popping up (I know you said we'd deal with that later.)
Did you do this: "Create a new, clean System Restore point"?

If you need me to forward you the exact email, let me know
Yes, please.

We will continue so.........

We need to update ComboFix........
We start by removing the old version.

Download OTC (http://oldtimer.geekstogo.com/OTC.exe) by Old Timer and save it to your Desktop.

Double-click OTC.exe
Click the CleanUp! button
Select Yes when the Begin cleanup Process? Prompt appears
If you are prompted to Reboot during the cleanup, select Yes
The tool will delete itself once it finishes, if not delete it by yourself

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Download a fresh copy from here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Please include the C:\ComboFix.txt in your next reply

Thanks peku006

HeadlessChief
2010-09-24, 23:20
ComboFix 10-09-24.03 - Brooke and Nick 09/24/2010 16:51:56.15.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.685 [GMT -4:00]
Running from: c:\documents and settings\Brooke and Nick\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\look.bat

.
((((((((((((((((((((((((( Files Created from 2010-08-24 to 2010-09-24 )))))))))))))))))))))))))))))))
.

2010-09-19 00:31 . 2010-09-19 00:31 0 ----a-w- c:\documents and settings\Brooke and Nick\settings.dat
2010-09-17 17:43 . 2010-06-07 20:16 220024 ----a-w- c:\windows\sigcheck.exe
2010-09-17 16:23 . 2010-09-17 13:18 -------- d-----w- c:\windows\maxdrive
2010-09-15 15:17 . 2009-06-30 13:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-09-15 15:16 . 2010-09-15 15:16 -------- d-----w- c:\program files\Panda Security
2010-09-10 12:00 . 2010-09-10 12:00 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.18.5\SetupAdmin.exe
2010-09-10 11:57 . 2010-09-10 11:57 -------- d-----w- c:\program files\iPod
2010-09-10 11:57 . 2010-09-10 11:59 -------- d-----w- c:\program files\iTunes
2010-09-10 11:49 . 2010-09-10 11:49 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe
2010-09-05 15:44 . 2010-09-05 15:44 -------- d-----w- c:\program files\Common Files\Java
2010-09-05 15:43 . 2010-09-05 15:43 503808 ----a-w- c:\documents and settings\Brooke and Nick\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-11f01847-n\msvcp71.dll
2010-09-05 15:43 . 2010-09-05 15:43 61440 ----a-w- c:\documents and settings\Brooke and Nick\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-2061f8d4-n\decora-sse.dll
2010-09-05 15:43 . 2010-09-05 15:43 499712 ----a-w- c:\documents and settings\Brooke and Nick\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-11f01847-n\jmc.dll
2010-09-05 15:43 . 2010-09-05 15:43 348160 ----a-w- c:\documents and settings\Brooke and Nick\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-11f01847-n\msvcr71.dll
2010-09-05 15:43 . 2010-09-05 15:43 12800 ----a-w- c:\documents and settings\Brooke and Nick\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-2061f8d4-n\decora-d3d.dll
2010-09-05 15:43 . 2010-09-05 15:43 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-29 17:24 . 2010-08-29 17:24 -------- d-----w- c:\program files\ERUNT
2010-08-29 16:32 . 2010-08-29 16:32 -------- d-----w- c:\program files\Safer Networking

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-24 12:06 . 2009-06-22 14:06 1 ----a-w- c:\documents and settings\Brooke and Nick\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-09-14 22:51 . 2009-04-24 14:46 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-10 12:01 . 2010-05-07 00:48 -------- d-----w- c:\program files\Safari
2010-09-10 11:57 . 2007-08-17 01:13 -------- d-----w- c:\program files\Common Files\Apple
2010-09-10 11:53 . 2007-05-12 17:03 -------- d-----w- c:\program files\QuickTime
2010-09-07 19:51 . 2009-02-27 18:45 72384 ----a-w- c:\documents and settings\Brooke and Nick\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-05 15:37 . 2010-08-16 01:32 -------- d-----r- c:\program files\Skype
2010-09-05 15:30 . 2009-02-26 01:59 -------- d-----w- c:\program files\Java
2010-09-02 02:51 . 2010-08-16 01:33 -------- d-----w- c:\documents and settings\Brooke and Nick\Application Data\Skype
2010-09-02 02:50 . 2010-08-16 01:35 -------- d-----w- c:\documents and settings\Brooke and Nick\Application Data\skypePM
2010-08-29 17:33 . 2009-05-19 15:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-29 16:03 . 2007-05-12 17:05 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-29 16:03 . 2009-02-27 16:11 -------- d-----w- c:\documents and settings\Brooke and Nick\Application Data\Microsoft Games
2010-08-29 16:03 . 2009-02-27 16:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Games
2010-08-24 04:46 . 2009-10-03 03:15 -------- d-----w- c:\program files\Paint Shop Pro 7
2010-08-21 01:09 . 2010-08-21 01:09 -------- d-----w- c:\documents and settings\Brooke and Nick\Application Data\Image Zone Express
2010-08-21 01:07 . 2010-08-21 01:01 -------- d-----w- c:\documents and settings\Brooke and Nick\Application Data\Photo! Web Album
2010-08-21 01:00 . 2009-04-12 19:03 -------- d-----w- c:\program files\Web Photo Album
2010-08-17 19:40 . 2010-06-11 23:42 -------- d-----w- c:\documents and settings\Brooke and Nick\Application Data\Malwarebytes
2010-08-17 19:40 . 2010-08-17 19:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-17 19:40 . 2010-06-11 23:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-17 13:17 . 2004-08-10 11:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 01:32 . 2010-08-16 01:32 -------- d-----w- c:\program files\Common Files\Skype
2010-08-16 01:32 . 2010-08-16 01:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-08-15 16:57 . 2010-08-15 16:57 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.17.8\SetupAdmin.exe
2010-08-10 15:09 . 2010-08-10 15:09 568832 ----a-w- c:\documents and settings\Brooke and Nick\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\13.tmp_\sun-pdfimport.oxt\msvcp90.dll
2010-08-10 15:09 . 2010-08-10 15:09 686080 ----a-w- c:\documents and settings\Brooke and Nick\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\13.tmp_\sun-pdfimport.oxt\pdfimport.uno.dll
2010-08-10 15:09 . 2010-08-10 15:09 655872 ----a-w- c:\documents and settings\Brooke and Nick\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\13.tmp_\sun-pdfimport.oxt\msvcr90.dll
2010-08-10 15:09 . 2010-08-10 15:09 583168 ----a-w- c:\documents and settings\Brooke and Nick\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\13.tmp_\sun-pdfimport.oxt\xpdfimport.exe
2010-08-10 15:09 . 2010-08-10 15:09 224768 ----a-w- c:\documents and settings\Brooke and Nick\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\13.tmp_\sun-pdfimport.oxt\msvcm90.dll
2010-08-02 23:16 . 2010-06-16 01:37 132220 ----a-w- c:\windows\system32\drivers\KmxAgent.asc
2010-07-26 01:05 . 2010-06-15 13:57 20232 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\SelfServe_rc.dll
2010-07-26 01:05 . 2010-06-15 13:57 243976 ----a-w- c:\documents and settings\All Users\Application Data\CA-SupportBridge\unicows.dll
2010-07-22 15:49 . 2004-08-10 11:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-04-15 14:22 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-03 03:33 . 2007-01-09 00:18 72384 ----a-w- c:\documents and settings\Paul\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-30 12:31 . 2004-08-10 11:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-28 17:20 . 2010-06-28 17:20 72384 ----a-w- c:\documents and settings\New User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-06-21 22:38 . 2007-06-21 22:38 30280 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2007-06-21 22:38 . 2007-06-21 22:38 79432 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2007-06-21 22:38 . 2007-06-21 22:38 71240 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2007-06-21 22:38 . 2007-06-21 22:38 140872 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2007-06-21 22:39 . 2007-06-21 22:39 38472 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2007-06-21 22:39 . 2007-06-21 22:39 46664 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2007-06-21 22:39 . 2007-06-21 22:39 34376 ----a-w- c:\program files\mozilla firefox\plugins\logging.dll
2007-06-21 22:39 . 2007-06-21 22:39 685640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2007-06-21 22:40 . 2007-06-21 22:40 30280 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-08 47904]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]

c:\documents and settings\Brooke and Nick\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-07 03:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
2006-04-03 03:07 389120 ----a-w- c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 21:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 20:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\I&F Viewer toolbar]
2006-10-28 01:34 65536 ----a-w- c:\program files\Photo Toolkit\IvBar\phototoolkitmem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2008-06-10 17:56 1406024 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-01 12:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
2008-06-10 17:56 1442888 ----a-w- c:\program files\Microsoft IntelliType Pro\itype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-08-10 09:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2009-02-04 03:21 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiMalware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Desktop\\Copied stuff from F drive\\Backup Data Disc 2\\Magic\\Manalink.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [9/15/2010 11:17 AM 28552]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/26/2009 10:50 AM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-09-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-26 14:50]

2010-09-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-26 14:50]

2009-02-27 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2008-06-10 17:56]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://firefox/
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel
Trusted Zone: safer-networking.org\www
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Brooke and Nick\Application Data\Mozilla\Firefox\Profiles\vj8qx2x8.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - prefs.js: keyword.URL - hxxp://search.search-star.net/?sid=10101038100&s=
FF - plugin: c:\documents and settings\Brooke and Nick\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Brooke and Nick\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\Brooke and Nick\Application Data\Mozilla\Firefox\Profiles\vj8qx2x8.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-24 17:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(632)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-09-24 17:10:08
ComboFix-quarantined-files.txt 2010-09-24 21:09

Pre-Run: 11,808,075,776 bytes free
Post-Run: 12,150,239,232 bytes free

- - End Of File - - 50CFE0AEA8693D3F3A21E3AE48596F22

peku006
2010-09-25, 08:47
Hi HeadlessChief

you are not the only one with that problem (http://getsatisfaction.com/yahoo/topics/something_is_emailing_my_yahoo_address_book_with_spam_sending_it_from_me) :D:

If you're only using the Web browser to email through Yahoo, I don't see how a spammer or virus could infiltrate your contact list. Are you sure you don't have your contact list locally, in Outlook or some other contacts program?

Thanks peku006

peku006
2010-09-29, 18:31
Due to a lack of response, this topic is now closed

If you still require help, please open a new thread in the Malware Removal forum (http://forums.spybot.info/forumdisplay.php?f=22), include a
fresh DDS log, and wait for a new helper.

Your donation helps improve Spybot-S&D! (http://www.safer-networking.org/en/donate/index.html)