
Possible Computer Browser HiJack, Rootkit, or other Malware infection

Discussion in 'Virus & Other Malware Removal' started by rk233, Dec 30, 2010.

    rk233 (Thread Starter):
    My computer may have a browser hijack, rootkit, or other malware on it. I have WINDOWS XP.

    A couple of weeks ago I tried to go to an airline site by typing the name in the address bar (and also getting the official link via Google, confirmed by WOT) but was somehow redirected to another site which was not the right website. I was told that my server would not let me go to that site. I contacted my internet provider and they said that they were not blocking that site, so no problem at their end. This occurred when trying to go there on both Internet Explorer 8 (IE8) and Firefox (my default browser).

    The following ALERT appeared when I tried to go to the site:

    This Connection is Untrusted

    You have asked Firefox to connect securely to xxx.spiritair.com, but we can't confirm that your connection is secure.

    Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.

    What Should I Do?

    If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue.

    Technical Details
    xxx.spiritair.com uses an invalid security certificate.

    The certificate is only valid for the following names:
    xxx.spirit.com , spirit.com
    (Error code: ssl_error_bad_cert_domain)

    I Understand the Risks

    [Note: xxx = "www"]


    A similar thing happened last night when I tried to go to another link via an e-mail in Mozilla Thunderbird. This was for a site which I've gone to many times in the past, but the above ALERT appeared (for a different site though).

    I've tried running various antivirus programs to check my system but can't find any infection. I downloaded updates for all: Avira AntiVir Free, Malwarebytes (real-time), SUPERAntiSpyware Free, and Spybot.
    I also downloaded the current McAfee Stinger and CWShredder.

    1) I ran my AntiVir antivirus – 3 hidden objects (rootkits? possibly) were noted in the report (see my abridged report posted below)
    2) I toggled system restore
    3) Restarted system in SAFE MODE
    4) Ran CWShredder then Stinger (at Max. heuristics)
    5) Ran Super Anti-spyware free
    6) Ran Malwarebytes
    7) Ran Spybot
    8) I think that I also ran AntiVir again in SAFE MODE, but I am providing the run from NORMAL mode


    NO INFECTION WAS FOUND!


    10) Then, I re-booted the system to NORMAL mode and did a search for *.tmp and *.temp files with the search program in my WINDOWS XP system.

    I did find one unusual program, "C:\WINDOWS\48B8222675E3…(etc.).TMP" – this is suspect and was deleted.


    Please assist me in checking out my system to ensure that there is no malware, rootkit, etc. on it. I have downloaded the programs per your procedure and the Logs are pasted below or attached as asked.

    1) HiJackThis Log - pasted
    2) DDS Log - pasted
    3) Attach.txt file - attached
    4) GMER Rootkit Log - ark.txt file - pasted


    Avira AntiVir Personal Log
    Report file date: Thursday, December 30, 2010 07:33

    Scanning for 2309058 virus strains and unwanted programs.

    The program is running as an unrestricted full version.
    Online services are available:

    Licensee : Avira AntiVir Personal - FREE Antivirus
    Serial number : 0000149996-ADJIE-0000001
    Platform : Windows XP
    Windows version : (Service Pack 3) [5.1.2600]
    Boot mode : Normally booted
    Username : SYSTEM
    Computer name : DELL

    Starting search for hidden objects.
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\parseautoexec
    [NOTE] The registry entry is invisible.
    [WARNING] Unknown parameter!
    [WARNING] System error [0]: The operation completed successfully.
    [WARNING] Unknown parameter!
    HKEY_LOCAL_MACHINE\Software\Microsoft\Environment\licence0
    [NOTE] The registry entry is invisible.
    [WARNING] Unknown parameter!
    [WARNING] System error [0]: The operation completed successfully.
    [WARNING] Unknown parameter!
    HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtmsSvc\Config\Standalone\drivelist
    [NOTE] The registry entry is invisible.
    [WARNING] Unknown parameter!
    [WARNING] System error [0]: The operation completed successfully.
    [WARNING] Unknown parameter!

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 12:32:49 PM, on 12/30/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\ZoneAlarm\zlclient.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Secunia\PSI\psi.exe
    C:\Documents and Settings\Administrator\Desktop\Emergency Malware programs 3 19 07\analyzeme122910.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O4 - HKCU\..\Run: [OpenDNS Updater] "C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe" /autostart
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - S-1-5-18 Startup: Logitech . Product Registration.lnk.disabled (User 'SYSTEM')
    O4 - S-1-5-18 Startup: Secunia PSI (BETA).lnk.disabled (User 'SYSTEM')
    O4 - S-1-5-18 Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: Logitech . Product Registration.lnk.disabled (User 'Default user')
    O4 - .DEFAULT Startup: Secunia PSI (BETA).lnk.disabled (User 'Default user')
    O4 - .DEFAULT Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe (User 'Default user')
    O4 - Startup: Logitech . Product Registration.lnk.disabled
    O4 - Startup: Secunia PSI (BETA).lnk.disabled
    O4 - Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe
    O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 2.lnk.disabled
    O4 - Global Startup: WD Backup Monitor.lnk.disabled
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O15 - Trusted Zone: http://download.windowsupdate.com
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1182743078562
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5434DCB3-376D-4633-89EB-AE97A9EB089D}: NameServer = 208.67.222.222,208.67.220.220
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 7743 bytes

    DDS (Ver_10-12-12.02) - NTFSx86

    Run by Owner at 12:36:11.34 on Thu 12/30/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.1968 [GMT -5:00]

    AV: ZoneAlarm Security Suite Antivirus *Disabled/Outdated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    FW: ZoneAlarm Security Suite Firewall *Enabled*

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\ZoneAlarm\zlclient.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Administrator\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uWindow Title = Windows Internet Explorer provided by Comcast
    mWindow Title = Windows Internet Explorer provided by Comcast
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~1\COMCAS~1.DLL
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    EB: ZoneAlarm PopBlocker: {916c1ef1-ca89-4f1b-afda-3ca85bd0f831} - c:\windows\system32\shdocvw.dll
    uRun: [OpenDNS Updater] "c:\program files\opendns updater\OpenDNSUpdater.exe" /autostart
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
    mRun: [ZoneAlarm Client] "c:\program files\zonealarm\zlclient.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    StartupFolder: c:\documents and settings\administrator\start menu\programs\startup\Logitech . Product Registration.lnk.disabled
    StartupFolder: c:\documents and settings\administrator\start menu\programs\startup\Secunia PSI (BETA).lnk.disabled
    StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi.exe
    StartupFolder: c:\documents and settings\all users\start menu\programs\startup\HPAiODevice(hp officejet 7100 series) - 2.lnk.disabled
    StartupFolder: c:\documents and settings\all users\start menu\programs\startup\WD Backup Monitor.lnk.disabled
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    Trusted Zone: microsoft.com\*.update
    Trusted Zone: microsoft.com\*.windowsupdate
    Trusted Zone: microsoft.com\update
    Trusted Zone: microsoft.com\windowsupdate
    Trusted Zone: windowsupdate.com\download
    Trusted Zone: musicmatch.com\online
    DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
    DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} - hxxp://download.microsoft.com/download/7/0/7/707a44ad-52ad-49af-b7ef-e21b6b0656e4/VirtualEarth3D.cab
    DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182743078562
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    TCP: {5434DCB3-376D-4633-89EB-AE97A9EB089D} = 208.67.222.222,208.67.220.220
    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
    Handler: junomsg - {C4D10830-379D-11d4-9B2D-00C04F1579A5} - c:\program files\juno\bin\jmsgpph.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\6xcqg4yz.profile052308\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
    FF - plugin: c:\documents and settings\administrator\application data\move networks\plugins\npqmp071701000002.dll
    FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npatgpc.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPAbacheck.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPCIG.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
    FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
    FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
    FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: LinkExtend: {cf47767d-5f3a-4e32-9fce-5d79565c9702} - %profile%\extensions\{cf47767d-5f3a-4e32-9fce-5d79565c9702}
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Skype extension for Firefox: {B13721C7-F507-4982-B2E5-502A71474FED} - c:\program files\mozilla firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor
    FF - Ext: Java Quick Starter: [email protected] - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

    ============= SERVICES / DRIVERS ===============

    R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2010-12-12 56208]
    R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2010-9-28 15328]
    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-8-21 11608]
    R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-6-22 148496]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 67656]
    R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-7-10 353672]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-8-21 135336]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-8-21 267944]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-8-21 61960]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2008-7-10 363344]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-7-31 203280]
    R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2008-7-10 20952]
    S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
    S3 grmn0200;grmn0200.Sys Garmin USB DCP driver (install);c:\windows\system32\drivers\grmn0200.sys [2007-4-9 23208]
    S3 grmn0400;grmn0400.Sys Garmin USB HS DCP driver (install);c:\windows\system32\drivers\grmn0400.sys [2007-4-9 22184]
    S3 grmn1200;grmn0200.Sys Garmin USB DCP driver;c:\windows\system32\drivers\grmn1200.sys [2007-4-9 17448]
    S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [2009-12-13 39048]
    S3 ma8500c;ma8500c;c:\windows\system32\drivers\ma8500c.sys [2008-5-27 24784]
    S3 MA8500M;MA8500M;c:\windows\system32\drivers\MA8500M.sys [2008-5-27 25300]
    S3 MA8500U;MA8500U;c:\windows\system32\drivers\MA8500U.sys [2008-5-27 49109]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3d.tmp --> c:\windows\system32\3D.tmp [?]
    S3 netr73;Linksys Compact Wireless-G USB Adapter Driver for Vista;c:\windows\system32\drivers\netr73.sys [2006-12-29 247808]
    S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-5-28 14896]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
    S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\tmpassthru.sys --> c:\windows\system32\drivers\TMPassthru.sys [?]
    S3 VisorUsb;Handspring USB;c:\windows\system32\drivers\visorusb.sys --> c:\windows\system32\drivers\VisorUsb.sys [?]
    S4 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2010-9-28 220128]

    =============== Created Last 30 ================

    2010-12-15 02:47:25 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
    2010-12-15 02:46:45 45568 -c----w- c:\windows\system32\dllcache\wab.exe
    2010-12-12 06:47:01 -------- d-----w- C:\archive_db
    2010-12-12 06:30:35 -------- d-----w- C:\New Folder 1
    2010-12-12 06:15:26 -------- d-----w- c:\docume~1\alluse~1\applic~1\launcher
    2010-12-12 06:14:39 56208 ----a-w- c:\windows\system32\drivers\hotcore3.sys
    2010-12-12 06:13:35 -------- d-----w- c:\program files\Paragon Software
    2010-12-12 05:29:32 -------- d-----w- c:\docume~1\alluse~1\applic~1\Macrium
    2010-12-12 05:27:12 -------- d-----w- c:\program files\Macrium
    2010-12-06 01:32:39 -------- d-----w- c:\docume~1\admini~1\applic~1\Avira

    ==================== Find3M ====================

    2010-11-18 18:12:44 81920 ------w- c:\windows\system32\isign32.dll
    2010-11-12 23:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-11-12 21:34:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
    2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25:00 1853312 ------w- c:\windows\system32\win32k.sys
    2003-07-16 16:42:33 94784 --sh--w- c:\windows\twain.dll
    2008-04-14 09:42:08 50688 --sh--w- c:\windows\twain_32.dll
    2010-09-18 06:53:25 974848 --sh--w- c:\windows\system32\mfc42.dll
    2008-04-14 09:42:02 57344 --sh--w- c:\windows\system32\msvcirt.dll
    2008-04-14 09:42:02 413696 --sha-w- c:\windows\system32\msvcp60.dll
    2008-04-14 09:42:04 551936 --sh--w- c:\windows\system32\oleaut32.dll
    2008-04-14 09:42:04 84992 --sh--w- c:\windows\system32\olepro32.dll
    2008-04-14 09:42:34 11776 --sh--w- c:\windows\system32\regsvr32.exe

    ============= FINISH: 12:38:12.96 ===============

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2010-12-30 13:15:44

    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3120814A rev.3.AAJ
    Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxtdapod.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xB8116FC0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xB8113C80]
    SSDT B93E5D56 ZwCreateKey
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xB8117580]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xB812B900]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xB812BB10]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xB812FB10]
    SSDT B93E5D4C ZwCreateThread
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xB8117670]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xB8114210]
    SSDT B93E5D5B ZwDeleteKey
    SSDT B93E5D65 ZwDeleteValueKey
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xB812B280]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadDriver [0xB81108C0]
    SSDT B93E5D6A ZwLoadKey
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xB812EF90]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwMapViewOfSection [0xB812FD90]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xB8114070]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xB812D180]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xB812CF40]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xB812F6F0]
    SSDT B93E5D74 ZwReplaceKey
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xB8116BE0]
    SSDT B93E5D6F ZwRestoreKey
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xB8117190]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xB8114440]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetSystemInformation [0xB81106A0]
    SSDT B93E5D60 ZwSetValueKey
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xB812C200]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xB812C080]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwUnloadDriver [0xB8110AF0]

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!ZwYieldExecution + 12E 804E4988 12 Bytes [80, 75, 11, B8, 00, B9, 12, ...]
    .text ntoskrnl.exe!ZwYieldExecution + 1FA 804E4A54 12 Bytes [C0, 08, 11, B8, 6A, 5D, 3E, ...]
    ? srescan.sys The system cannot find the file specified. !
    init C:\WINDOWS\system32\DRIVERS\mohfilt.sys entry point in "init" section [0xF77F2720]
    ? C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [B811BB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [B811B930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [B811C260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [B8119E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [B8119E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [B811BB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [B811B930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [B811C260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [B811BB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [B8119E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [B811C260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [B811B930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [B811C260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B811B930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [B811BB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [B8134B30] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [B8119E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [B811BB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [B811B930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [B811C260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [B811BB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [B8119E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [B811C260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [B811B930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [B81148D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [B8114A80] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [B81145E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [B8114980] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINDOWS\Explorer.EXE[1428] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [015D3880] C:\WINDOWS\system32\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\Explorer.EXE[1428] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [015D3930] C:\WINDOWS\system32\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\Explorer.EXE[1428] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [015D3A60] C:\WINDOWS\system32\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\Explorer.EXE[1428] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [015D39D0] C:\WINDOWS\system32\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)

    Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

    ---- EOF - GMER 1.0.15 ----
     


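When reading a GMER log like the one above, the first question is not "are there hooks" (a firewall such as ZoneAlarm's vsdatant.sys legitimately hooks the SSDT, the NDIS imports and the Tcpip device stack) but "which hooks cannot be tied to a known file". The following script is an added example for this thread, not GMER's code and not something posted by the thread participants. It parses the line formats GMER 1.0.15 uses for SSDT hooks, kernel and user IAT hooks, Device hooks and .text patches, groups the hooks by the module that owns them, and flags the two things an analyst reviews first: a hook GMER printed with only an address and no module (the `SSDT B93E5D60 ZwSetValueKey` line above is of that shape) and inline patches in ntoskrnl. The sample lines are a constructed subset copied from the log above; the severity labels and the grouping logic are this example's own conventions.

```python
"""Triage a GMER 1.0.15 log: group hooks by owning module and flag the
entries worth a second look.  Added example, not part of the original
thread and not GMER's own code."""
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the GMER log above.
SAMPLE_LOG = r"""
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xB8114440]
SSDT B93E5D60 ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xB812C080]
.text ntoskrnl.exe!ZwYieldExecution + 12E 804E4988 12 Bytes [80, 75, 11, B8, 00, B9, 12, ...]
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B811B930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT C:\WINDOWS\Explorer.EXE[1428] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [015D3880] C:\WINDOWS\system32\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
"""

# One pattern per GMER line shape.  "SSDT_BARE" is the case where GMER could
# not map the hook address to any loaded module, so it printed only the address.
SSDT_NAMED  = re.compile(r"^SSDT\s+(\S+)\s+\((.*?)\)\s+(\w+)\s+\[0x([0-9A-F]+)\]$")
SSDT_BARE   = re.compile(r"^SSDT\s+([0-9A-F]{8})\s+(\w+)$")
IAT_HOOK    = re.compile(r"^IAT\s+(.+?)\s*\[(\S+?)!(\w+)\]\s+\[([0-9A-F]+)\]\s+(\S+)\s+\((.*?)\)$")
DEVICE_HOOK = re.compile(r"^Device\s+(\S+)\s+(\S+)\s+(\S+)\s+\((.*?)\)$")
INLINE      = re.compile(r"^\.text\s+(\S+?)!(\w+)\s*\+\s*([0-9A-F]+)\s+([0-9A-F]{8})\s+(\d+)\s+Bytes\s+\[(.*?)\]$")


def _basename(path):
    """vsdatant.sys from \\SystemRoot\\System32\\vsdatant.sys (lower-cased key)."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text):
    hooks = defaultdict(list)   # owning module -> [(kind, hooked target)]
    unattributed = []           # (kind, address, function) with no owning file
    inline = []                 # byte patches GMER found in kernel code
    for line in log_text.splitlines():
        line = line.strip()
        if m := SSDT_NAMED.match(line):
            hooks[_basename(m[1])].append(("SSDT", m[3]))
        elif m := SSDT_BARE.match(line):
            unattributed.append(("SSDT", m[1], m[2]))
        elif m := IAT_HOOK.match(line):
            hooks[_basename(m[5])].append(("IAT", f"{m[1]} -> {m[2]}!{m[3]}"))
        elif m := DEVICE_HOOK.match(line):
            hooks[_basename(m[3])].append(("Device", m[2]))
        elif m := INLINE.match(line):
            tokens = [t.strip() for t in m[6].split(",")]
            patch = [int(t, 16) for t in tokens if re.fullmatch(r"[0-9A-F]{2}", t)]
            inline.append({"image": m[1], "symbol": m[2], "offset": int(m[3], 16),
                           "address": int(m[4], 16), "size": int(m[5]), "bytes": patch})
    return {"hooks": dict(hooks), "unattributed": unattributed, "inline_patches": inline}


def findings(result):
    """Human-readable triage list; REVIEW items come before INFO items."""
    out = []
    for kind, addr, func in result["unattributed"]:
        out.append(f"REVIEW: {kind} hook on {func} at {addr} not attributed to any loaded module")
    for p in result["inline_patches"]:
        out.append(f"REVIEW: {p['size']}-byte patch in {p['image']} at {p['symbol']}+{p['offset']:X}")
    for mod, entries in sorted(result["hooks"].items()):
        kinds = ", ".join(sorted({k for k, _ in entries}))
        out.append(f"INFO: {mod} owns {len(entries)} hooks ({kinds}); confirm the file on disk is the expected vendor build")
    return out


if __name__ == "__main__":
    for item in findings(triage(SAMPLE_LOG)):
        print(item)
```

The INFO lines are deliberately not verdicts: a security product hooking the SSDT is normal, and the useful follow-up is checking the hooking file's digital signature and version on disk. The REVIEW lines are where a rootkit would show up, because a hook that points into memory no loaded driver claims is exactly what a hidden driver looks like to GMER.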
  2. rk233

    rk233 Thread Starter

    Joined:
    Feb 7, 2007
    Messages:
    84
    I must note that I DID backup my files to an external drive. I also used an image backup program, Paragon-free, to do a drive image. I downloaded Macrium Reflect-free too but decided to use Paragon instead as it seemed easier to use.

    Should I run ComboFix or other rootkit programs to check out my computer? Please advise.

    Thanks.
     
  3. rk233

    rk233 Thread Starter

    Joined:
    Feb 7, 2007
    Messages:
    84
    I have recently been getting error messages stating that I do not have enough resources (RAM?/CPU?) to perform certain apps which I have run fine in the past.

    Something WEIRD is going on with my system.

    Please HELP!


    Thanks.
     
  4. rk233

    rk233 Thread Starter

    Joined:
    Feb 7, 2007
    Messages:
    84
    I scanned my system with Super Antispyware today and it found this. I may have a real problem on my system.

    Rogue.Pallidium
    HKU\S-1-5-21-1482476501-1801674531-725345543-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS#WARNONPOSTREDIRECT
     
  5. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,003
    Please visit Combofix Guide & Instructions for instructions on installing the recovery console and downloading and running ComboFix.

    The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to puppy.exe please.

    Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

    Important notes regarding ComboFix:

    ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

    ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.
     
  6. rk233

    rk233 Thread Starter

    Joined:
    Feb 7, 2007
    Messages:
    84
    Attached is the log for Combofix and HijackThis.

    Please let me know of any changes that I should make to my system. If I should go to any other forums for extra tweaking please let me know.

    Thanks for your assistance.

    ComboFix 11-01-08.01 - Owner 01/08/2011 17:29:47.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.1957 [GMT -5:00]
    Running from: c:\documents and settings\Administrator\Desktop\puppy.exe
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: ZoneAlarm Security Suite Antivirus *Disabled/Outdated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
    FW: ZoneAlarm Security Suite Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Administrator\g2mdlhlpx.exe
    C:\Install.exe

    .
    ((((((((((((((((((((((((( Files Created from 2010-12-08 to 2011-01-08 )))))))))))))))))))))))))))))))
    .

    2010-12-31 15:23 . 2010-12-31 15:23 -------- d-----w- c:\program files\iPod
    2010-12-31 15:23 . 2010-12-31 15:24 -------- d-----w- c:\program files\iTunes
    2010-12-31 15:19 . 2010-12-31 15:19 -------- d-----w- c:\program files\Bonjour
    2010-12-31 15:07 . 2010-12-31 15:07 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Secunia PSI
    2010-12-15 02:47 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
    2010-12-15 02:46 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
    2010-12-12 06:47 . 2010-12-12 06:47 -------- d-----w- C:\archive_db
    2010-12-12 06:30 . 2010-12-12 06:30 -------- d-----w- C:\New Folder 1
    2010-12-12 06:15 . 2010-12-12 06:15 -------- d-----w- c:\documents and settings\All Users\Application Data\launcher
    2010-12-12 06:14 . 2010-08-25 19:45 56208 ----a-w- c:\windows\system32\drivers\hotcore3.sys
    2010-12-12 06:13 . 2010-12-12 06:13 -------- d-----w- c:\program files\Paragon Software
    2010-12-12 05:29 . 2010-12-12 05:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Macrium
    2010-12-12 05:27 . 2010-12-12 05:56 -------- d-----w- c:\program files\Macrium

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-30 00:49 . 2009-08-22 00:30 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-12-20 23:09 . 2008-07-31 17:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-20 23:08 . 2008-07-11 01:06 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-06 01:47 . 2009-08-22 00:30 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-11-18 18:12 . 2007-02-20 03:05 81920 ------w- c:\windows\system32\isign32.dll
    2010-11-12 23:53 . 2010-04-29 04:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-11-12 21:34 . 2010-11-09 04:42 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-11-06 00:26 . 2003-07-16 16:45 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26 . 2003-07-16 16:26 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26 . 2003-07-16 16:24 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25 . 2007-02-20 07:04 385024 ----a-w- c:\windows\system32\html.iec
    2010-11-02 15:17 . 2003-07-16 16:31 40960 ------w- c:\windows\system32\drivers\ndproxy.sys
    2010-10-28 13:13 . 2003-07-16 16:18 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25 . 2003-07-16 16:45 1853312 ------w- c:\windows\system32\win32k.sys
    2007-11-09 20:10 . 2007-11-09 20:10 30288 ------w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
    2007-11-09 20:10 . 2007-11-09 20:10 79440 ------w- c:\program files\mozilla firefox\plugins\CgpCore.dll
    2007-11-09 20:10 . 2007-11-09 20:10 75344 ------w- c:\program files\mozilla firefox\plugins\confmgr.dll
    2007-11-09 20:10 . 2007-11-09 20:10 140880 ------w- c:\program files\mozilla firefox\plugins\ctxmui.dll
    2007-11-09 20:10 . 2007-11-09 20:10 42576 ------w- c:\program files\mozilla firefox\plugins\icafile.dll
    2007-11-09 20:10 . 2007-11-09 20:10 50768 ------w- c:\program files\mozilla firefox\plugins\icalogon.dll
    2007-11-09 20:10 . 2007-11-09 20:10 34384 ------w- c:\program files\mozilla firefox\plugins\logging.dll
    2008-06-19 09:16 . 2008-06-19 09:16 118784 ------w- c:\program files\mozilla firefox\plugins\MyCamera.dll
    2007-11-09 20:11 . 2007-11-09 20:11 685648 ------w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
    2007-11-09 20:11 . 2007-11-09 20:11 30288 ------w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
    2003-07-16 16:42 94784 --sh--w- c:\windows\twain.dll
    2008-04-14 09:42 50688 --sh--w- c:\windows\twain_32.dll
    2010-09-18 06:53 974848 --sh--w- c:\windows\system32\mfc42.dll
    2008-04-14 09:42 57344 --sh--w- c:\windows\system32\msvcirt.dll
    2008-04-14 09:42 413696 --sha-w- c:\windows\system32\msvcp60.dll
    2008-04-14 09:42 551936 --sh--w- c:\windows\system32\oleaut32.dll
    2008-04-14 09:42 84992 --sh--w- c:\windows\system32\olepro32.dll
    2008-04-14 09:42 11776 --sh--w- c:\windows\system32\regsvr32.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "OpenDNS Updater"="c:\program files\OpenDNS Updater\OpenDNSUpdater.exe" [2010-06-16 839680]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    Logitech . Product Registration.lnk.disabled [2010-8-31 749]
    Secunia PSI (BETA).lnk.disabled [2007-10-7 743]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HPAiODevice(hp officejet 7100 series) - 2.lnk.disabled [2008-9-30 1228]
    Secunia PSI Tray.lnk.disabled [2010-12-31 753]
    WD Backup Monitor.lnk.disabled [2007-2-21 1631]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "WD Button Manager"=WDBtnMgr.exe
    "LWS"=c:\program files\Logitech\LWS\Webcam Software\LWS.exe -hide
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" /min
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    "ZoneAlarm Client"="c:\program files\ZoneAlarm\zlclient.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Palm\\HotSync.exe"=
    "c:\\Program Files\\Microsoft Baseline Security Analyzer 2\\mbsa.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\My Book\\WD Backup\\uWDBackup.exe"=
    "c:\\Program Files\\My Book\\WD Backup\\uBBMonitor.exe"=
    "c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
    "c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
    "c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
    "c:\\Program Files\\America Online 9.0\\aol.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Adobe\\Acrobat.com\\Acrobat.com.exe"=
    "c:\\Program Files\\Logitech\\Logitech Vid\\Vid.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
    "80:UDP"= 80:UDP:167.206.251.15/255.255.255.255,167.206.251.16/255.255.255.255,167.206.251.80/255.255.255.255:Enabled:DNS

    R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [12/12/2010 1:14 AM 56208]
    R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [9/28/2010 2:03 PM 15328]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 67656]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/21/2009 7:30 PM 135336]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/10/2008 8:06 PM 363344]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [7/31/2008 10:50 AM 203280]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/10/2008 8:06 PM 20952]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
    S3 grmn0200;grmn0200.Sys Garmin USB DCP driver (install);c:\windows\system32\drivers\grmn0200.sys [4/9/2007 8:27 PM 23208]
    S3 grmn0400;grmn0400.Sys Garmin USB HS DCP driver (install);c:\windows\system32\drivers\grmn0400.sys [4/9/2007 8:27 PM 22184]
    S3 grmn1200;grmn0200.Sys Garmin USB DCP driver;c:\windows\system32\drivers\grmn1200.sys [4/9/2007 8:27 PM 17448]
    S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [12/13/2009 6:28 PM 39048]
    S3 ma8500c;ma8500c;c:\windows\system32\drivers\ma8500c.sys [5/27/2008 1:48 PM 24784]
    S3 MA8500M;MA8500M;c:\windows\system32\drivers\MA8500M.sys [5/27/2008 1:48 PM 25300]
    S3 MA8500U;MA8500U;c:\windows\system32\drivers\MA8500U.sys [5/27/2008 1:48 PM 49109]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3D.tmp --> c:\windows\system32\3D.tmp [?]
    S3 netr73;Linksys Compact Wireless-G USB Adapter Driver for Vista;c:\windows\system32\drivers\netr73.sys [12/29/2006 1:49 AM 247808]
    S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 3:30 AM 15544]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872]
    S3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [12/21/2010 7:04 AM 987704]
    S3 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [12/21/2010 7:04 AM 399416]
    S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\DRIVERS\TMPassthru.sys --> c:\windows\system32\DRIVERS\TMPassthru.sys [?]
    S3 VisorUsb;Handspring USB;c:\windows\system32\DRIVERS\VisorUsb.sys --> c:\windows\system32\DRIVERS\VisorUsb.sys [?]
    S4 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [9/28/2010 2:02 PM 220128]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - klmd25

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-04 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

    2011-01-06 c:\windows\Tasks\HPFRU Task 2003-06-24 19:40ewlett-Packard2003-06-24 19:40p officejet 7100 series2889F2163A36016833EE17BCE444564664912314172033397.job
    - c:\program files\Hewlett-Packard\AiO\Shared\bin\hpqfrucl.exe [2003-06-25 06:10]

    2011-01-06 c:\windows\Tasks\HPFRU Task 2003-06-24 19:40ewlett-Packard2003-06-24 19:40p officejet 7100 series2889F2163A36016833EE17BCE444564664912314222789422.job
    - c:\program files\Hewlett-Packard\AiO\Shared\bin\hpqfrucl.exe [2003-06-25 06:10]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    mWindow Title = Windows Internet Explorer provided by Comcast
    uInternet Settings,ProxyOverride = *.local
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    Trusted Zone: microsoft.com\*.update
    Trusted Zone: microsoft.com\*.windowsupdate
    Trusted Zone: microsoft.com\update
    Trusted Zone: microsoft.com\windowsupdate
    Trusted Zone: windowsupdate.com\download
    Trusted Zone: musicmatch.com\online
    TCP: {5434DCB3-376D-4633-89EB-AE97A9EB089D} = 208.67.222.222,208.67.220.220
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6xcqg4yz.profile052308\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
    FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: LinkExtend: {cf47767d-5f3a-4e32-9fce-5d79565c9702} - %profile%\extensions\{cf47767d-5f3a-4e32-9fce-5d79565c9702}
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Skype extension for Firefox: {B13721C7-F507-4982-B2E5-502A71474FED} - c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor
    FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    .
    - - - - ORPHANS REMOVED - - - -

    AddRemove-HijackThis - c:\program files\Analyzeme\HijackThis.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-08 17:37
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\3D.tmp"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1482476501-1801674531-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,70,b5,4e,fb,0d,30,ff,44,89,ef,a9,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,70,b5,4e,fb,0d,30,ff,44,89,ef,a9,\
    "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,70,b5,4e,fb,0d,30,ff,44,89,ef,a9,\

    [HKEY_USERS\S-1-5-21-1482476501-1801674531-725345543-500\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
    "Licence0"="04F0D21-79D8-7A25-D702-433F"
    .
    Completion time: 2011-01-08 17:41:38
    ComboFix-quarantined-files.txt 2011-01-08 22:41

    Pre-Run: 35,127,402,496 bytes free
    Post-Run: 35,105,079,296 bytes free

    - - End Of File - - 41C17BA1CA707224E3326A61245366B0

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 5:49:35 PM, on 1/8/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    c:\program files\avira\antivir desktop\avcenter.exe
    C:\Documents and Settings\Administrator\Desktop\Emergency Malware programs 3 19 07\analyzeme122910.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [OpenDNS Updater] "C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe" /autostart
    O4 - S-1-5-18 Startup: Logitech . Product Registration.lnk.disabled (User 'SYSTEM')
    O4 - S-1-5-18 Startup: Secunia PSI (BETA).lnk.disabled (User 'SYSTEM')
    O4 - .DEFAULT Startup: Logitech . Product Registration.lnk.disabled (User 'Default user')
    O4 - .DEFAULT Startup: Secunia PSI (BETA).lnk.disabled (User 'Default user')
    O4 - Startup: Logitech . Product Registration.lnk.disabled
    O4 - Startup: Secunia PSI (BETA).lnk.disabled
    O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 2.lnk.disabled
    O4 - Global Startup: Secunia PSI Tray.lnk.disabled
    O4 - Global Startup: WD Backup Monitor.lnk.disabled
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O15 - Trusted Zone: http://download.windowsupdate.com
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1182743078562
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5434DCB3-376D-4633-89EB-AE97A9EB089D}: NameServer = 208.67.222.222,208.67.220.220
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: Secunia PSI Agent - Secunia - C:\Program Files\Secunia\PSI\PSIA.exe
    O23 - Service: Secunia Update Agent - Secunia - C:\Program Files\Secunia\PSI\sua.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 6628 bytes
     
  7. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,003
    Did you have Ad-Aware and AVG installed at one time?

    Please download MBRCheck.exe to your desktop.
    • Be sure to disable your security programs prior to running the tool.
    • Double click on MBRCheck.exe to run it. Please allow any prompts popped by Windows in order to run the tool.
      (Vista and Windows 7 users will have to confirm the UAC prompt)
    • A command window will pop open and run. If any unknown MBR Code is found, you will have further options prompted, at this time please press N then press Enter.
    • Press Enter again to exit the program.
    • If nothing unusual is found, you will be shown the machine MBR status. Just press Enter to exit.
    • A text file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop. Please post the contents of that file.
     
  8. rk233

    rk233 Thread Starter

    Joined:
    Feb 7, 2007
    Messages:
    84
    Yes, I did have Lavasoft Ad-Aware and AVG on my system a long time ago.

    I no longer use them and if there are remnants they can be removed. I probably have a lot of garbage on my machine from the past which I am trying to clean up. The worst may be remnants of installs/uninstalls in the registry.

    I try to surf safely, not visiting questionable bad sites, and I avoid downloading programs unless I really seem to need them. I download only from reputable sites or reputable computer advice sites per their links (if the download site still seems safe per WOT, McAfee SiteAdvisor, LinkExtend). It is still a challenge keeping a computer malware free.

    Also, I looked at the ComboFix log.

    I did have the Citrix netmeeting program once installed which might explain the "g2mdlhlpx.exe". If I didn't uninstall this utility I can do so now as I no longer use it. (If I need it again it will be reinstalled.)

    The install.exe is of more concern. I do not know what this is about.

    Thanks for your help. I will run this tool.
     
  9. rk233

    rk233 Thread Starter

    Joined:
    Feb 7, 2007
    Messages:
    84
    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000001d

    Kernel Drivers (total 158):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x806FF000 \WINDOWS\system32\hal.dll
    0xF7987000 \WINDOWS\system32\KDCOM.DLL
    0xF7897000 \WINDOWS\system32\BOOTVID.dll
    0xF75A8000 ACPI.sys
    0xF7989000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
    0xF7597000 pci.sys
    0xF75F7000 isapnp.sys
    0xF7A4F000 pciide.sys
    0xF7707000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
    0xF7607000 MountMgr.sys
    0xF74D8000 ftdisk.sys
    0xF798B000 dmload.sys
    0xF74B2000 dmio.sys
    0xF770F000 PartMgr.sys
    0xF7617000 VolSnap.sys
    0xF749A000 atapi.sys
    0xF7627000 disk.sys
    0xF7637000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
    0xF747A000 fltmgr.sys
    0xF7647000 PxHelp20.sys
    0xF7465000 drvmcdb.sys
    0xF744E000 KSecDD.sys
    0xF7B52000 Ntfs.sys
    0xF7421000 NDIS.sys
    0xF740D000 srescan.sys
    0xF7717000 pssnap.sys
    0xF787D000 Mup.sys
    0xF7657000 agp440.sys
    0xF771F000 hotcore3.sys
    0xF7677000 \SystemRoot\System32\DRIVERS\intelppm.sys
    0xBA52F000 \SystemRoot\System32\DRIVERS\nv4_mini.sys
    0xBA51B000 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
    0xF775F000 \SystemRoot\System32\DRIVERS\usbuhci.sys
    0xBA4F7000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
    0xF7767000 \SystemRoot\System32\DRIVERS\usbehci.sys
    0xF7687000 \SystemRoot\system32\DRIVERS\IntelC53.sys
    0xBA4D4000 \SystemRoot\system32\DRIVERS\ks.sys
    0xBA38C000 \SystemRoot\system32\DRIVERS\IntelC51.sys
    0xBA2F4000 \SystemRoot\system32\DRIVERS\IntelC52.sys
    0xF777F000 \SystemRoot\system32\DRIVERS\mohfilt.sys
    0xF778F000 \SystemRoot\System32\Drivers\Modem.SYS
    0xBA2D0000 \SystemRoot\system32\DRIVERS\e100b325.sys
    0xF779F000 \SystemRoot\System32\DRIVERS\fdc.sys
    0xF7697000 \SystemRoot\System32\DRIVERS\i8042prt.sys
    0xF77AF000 \SystemRoot\System32\DRIVERS\kbdclass.sys
    0xF77B7000 \SystemRoot\System32\DRIVERS\mouclass.sys
    0xF76A7000 \SystemRoot\System32\DRIVERS\serial.sys
    0xF792B000 \SystemRoot\System32\DRIVERS\serenum.sys
    0xBA2BC000 \SystemRoot\System32\DRIVERS\parport.sys
    0xF76B7000 \SystemRoot\System32\DRIVERS\imapi.sys
    0xF77BF000 \SystemRoot\system32\drivers\Afc.sys
    0xF7991000 \SystemRoot\system32\drivers\sscdbhk5.sys
    0xF76C7000 \SystemRoot\System32\DRIVERS\cdrom.sys
    0xF76D7000 \SystemRoot\System32\DRIVERS\redbook.sys
    0xF77D7000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
    0xBA1E6000 \SystemRoot\system32\drivers\smwdm.sys
    0xBA19A000 \SystemRoot\system32\drivers\portcls.sys
    0xF76E7000 \SystemRoot\system32\drivers\drmk.sys
    0xF7995000 \SystemRoot\system32\drivers\aeaudio.sys
    0xF7A6E000 \SystemRoot\System32\DRIVERS\audstub.sys
    0xF76F7000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
    0xF7947000 \SystemRoot\System32\DRIVERS\ndistapi.sys
    0xBA183000 \SystemRoot\System32\DRIVERS\ndiswan.sys
    0xF7587000 \SystemRoot\System32\DRIVERS\raspppoe.sys
    0xF7577000 \SystemRoot\System32\DRIVERS\raspptp.sys
    0xF7807000 \SystemRoot\System32\DRIVERS\TDI.SYS
    0xBA0D2000 \SystemRoot\System32\DRIVERS\psched.sys
    0xF7567000 \SystemRoot\System32\DRIVERS\msgpc.sys
    0xF7817000 \SystemRoot\System32\DRIVERS\ptilink.sys
    0xF774F000 \SystemRoot\System32\DRIVERS\raspti.sys
    0xF7757000 \SystemRoot\system32\DRIVERS\wanatw4.sys
    0xF7999000 \SystemRoot\System32\Drivers\RootMdm.sys
    0xBA0A2000 \SystemRoot\System32\DRIVERS\rdpdr.sys
    0xF7557000 \SystemRoot\System32\DRIVERS\termdd.sys
    0xF799F000 \SystemRoot\System32\DRIVERS\swenum.sys
    0xBA044000 \SystemRoot\System32\DRIVERS\update.sys
    0xBA7E0000 \SystemRoot\System32\DRIVERS\mssmbios.sys
    0xF7787000 \SystemRoot\system32\DRIVERS\UimBus.sys
    0xB9FDF000 \SystemRoot\System32\Drivers\Uim_IM.sys
    0xB9FA3000 \SystemRoot\System32\Drivers\UimFIO.SYS
    0xF7547000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF7537000 \SystemRoot\System32\DRIVERS\usbhub.sys
    0xF79A9000 \SystemRoot\System32\DRIVERS\USBD.SYS
    0xF7933000 \SystemRoot\system32\drivers\MODEMCSA.sys
    0xBA2B4000 \SystemRoot\System32\DRIVERS\flpydisk.sys
    0xB8E2B000 \SystemRoot\system32\DRIVERS\klif.sys
    0xF79AD000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7A5A000 \SystemRoot\System32\Drivers\Null.SYS
    0xF79B1000 \SystemRoot\System32\Drivers\Beep.SYS
    0xBA28C000 \SystemRoot\system32\drivers\ssrtln.sys
    0xBA284000 \SystemRoot\System32\drivers\vga.sys
    0xF79B5000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF79B9000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xBA274000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF77C7000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xBA1CA000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0xB8DA8000 \SystemRoot\System32\DRIVERS\ipsec.sys
    0xB8D4F000 \SystemRoot\System32\DRIVERS\tcpip.sys
    0xB8CFF000 \SystemRoot\System32\DRIVERS\netbt.sys
    0xB8CCF000 \SystemRoot\System32\DRIVERS\ipnat.sys
    0xB8C64000 \SystemRoot\System32\vsdatant.sys
    0xF7517000 \SystemRoot\System32\DRIVERS\wanarp.sys
    0xB8C42000 \SystemRoot\System32\drivers\afd.sys
    0xF7507000 \SystemRoot\System32\DRIVERS\netbios.sys
    0xF77F7000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
    0xB8C20000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
    0xF781F000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    0xF7777000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0xB8BF5000 \SystemRoot\System32\DRIVERS\rdbss.sys
    0xB9F93000 \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS
    0xB8B85000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
    0xBA7B8000 \SystemRoot\System32\Drivers\Fips.SYS
    0xF7AC0000 \SystemRoot\System32\Drivers\BANTExt.sys
    0xB8ABF000 \SystemRoot\system32\DRIVERS\avipbb.sys
    0xB843A000 \SystemRoot\system32\DRIVERS\lvuvc.sys
    0xF79C7000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
    0xBA798000 \SystemRoot\system32\drivers\usbaudio.sys
    0xB83F6000 \SystemRoot\system32\DRIVERS\lvrs.sys
    0xBA788000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xB83B6000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF79F1000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xF792F000 \SystemRoot\System32\drivers\Dxapi.sys
    0xB8DE3000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7A7C000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\nv4_disp.dll
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xB7149000 \SystemRoot\system32\DRIVERS\avgntflt.sys
    0xB71EA000 \??\C:\WINDOWS\system32\drivers\mbam.sys
    0xF74F7000 \SystemRoot\system32\drivers\drvnddm.sys
    0xF7AAF000 \SystemRoot\system32\dla\tfsndres.sys
    0xB7134000 \SystemRoot\system32\dla\tfsnifs.sys
    0xB71DA000 \SystemRoot\system32\dla\tfsnopio.sys
    0xF79A7000 \SystemRoot\system32\dla\tfsnpool.sys
    0xB8DD3000 \SystemRoot\system32\dla\tfsnboio.sys
    0xB8B75000 \SystemRoot\system32\dla\tfsncofs.sys
    0xF7A82000 \SystemRoot\system32\dla\tfsndrct.sys
    0xB711C000 \SystemRoot\system32\dla\tfsnudf.sys
    0xB7103000 \SystemRoot\system32\dla\tfsnudfa.sys
    0xB7176000 \SystemRoot\System32\DRIVERS\ndisuio.sys
    0xB66A5000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xB6460000 \SystemRoot\system32\drivers\wdmaud.sys
    0xB65DD000 \SystemRoot\system32\drivers\sysaudio.sys
    0xB63E5000 \SystemRoot\System32\DRIVERS\mrxdav.sys
    0xB65B5000 \SystemRoot\system32\DRIVERS\MaVc2K.sys
    0xF79A5000 \SystemRoot\System32\Drivers\ParVdm.SYS
    0xB61A5000 \SystemRoot\System32\DRIVERS\srv.sys
    0xB6165000 \??\C:\WINDOWS\system32\drivers\tmcomm.sys
    0xB8DDB000 \SystemRoot\system32\Drivers\LVPr2Mon.sys
    0xB5CFC000 \SystemRoot\System32\DRIVERS\ipfltdrv.sys
    0xB4923000 \SystemRoot\system32\DRIVERS\sr.sys
    0xF79D5000 \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
    0xB5B64000 \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys
    0xF776F000 \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    0xB32EC000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 32):
    0 System Idle Process
    4 System
    644 C:\WINDOWS\system32\smss.exe
    700 csrss.exe
    724 C:\WINDOWS\system32\winlogon.exe
    768 C:\WINDOWS\system32\services.exe
    780 C:\WINDOWS\system32\lsass.exe
    976 C:\WINDOWS\system32\svchost.exe
    1052 svchost.exe
    1152 C:\WINDOWS\system32\svchost.exe
    1248 svchost.exe
    1392 svchost.exe
    1964 C:\WINDOWS\system32\spoolsv.exe
    2004 C:\Program Files\Avira\AntiVir Desktop\sched.exe
    432 svchost.exe
    496 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    532 C:\Program Files\Java\jre6\bin\jqs.exe
    412 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    144 C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    996 C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    1120 C:\WINDOWS\system32\svchost.exe
    1264 C:\WINDOWS\wanmpsvc.exe
    2388 alg.exe
    2912 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    2928 C:\WINDOWS\system32\dla\tfswctrl.exe
    2964 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    3012 C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe
    3068 C:\WINDOWS\system32\ctfmon.exe
    4036 C:\WINDOWS\explorer.exe
    2268 C:\Program Files\Avira\AntiVir Desktop\avcenter.exe
    204 C:\Program Files\Internet Explorer\iexplore.exe
    1328 C:\Documents and Settings\Administrator\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: ST3120814A, Rev: 3.AAJ

    Size Device Name MBR Status
    --------------------------------------------
    111 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!
     
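The MBRCheck steps Cookiegal gives above and the report rk233 posted in reply have a fixed layout, so the result can be checked mechanically on later runs. The parser below is an added example, not part of the thread and not MBRCheck's own code: it pulls each physical drive's MBR status and SHA1 out of the report, compares the hash against a baseline from an earlier run, and lists kernel drivers loaded from temp or user-profile directories so they can be cross-checked against the tools that were deliberately run (in this thread, catchme.sys belongs to ComboFix). The sample report is an abridged, constructed copy of the one posted above; the "known-good" status pattern is an assumption based on that output.

```python
"""Parse an MBRCheck report and flag what deserves a second look.

Added example (not MBRCheck's code). Assumes the report layout seen in the
thread: a "Kernel Drivers" section of "<address> <image path>" lines, then a
"Size Device Name MBR Status" table with an "SHA1:" line under each drive.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: abridged copy of the MBRCheck output posted in the thread.
SAMPLE_REPORT = r"""MBRCheck, version 1.2.3
(c) 2010, AD

Kernel Drivers (total 4):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0xB5B64000 \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys
0xF79D5000 \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
0xF776F000 \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys

Processes (total 1):
4 System

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

Size Device Name MBR Status
--------------------------------------------
111 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

Done!
"""

DRIVE_RE = re.compile(r"^(\d+\s*GB)\s+(\\\\\.\\PhysicalDrive\d+)\s+(.+?)\s*$")
SHA1_RE = re.compile(r"^SHA1:\s*([0-9A-Fa-f]{40})\s*$")
DRIVER_RE = re.compile(r"^0x[0-9A-Fa-f]{8}\s+(\S.*?)\s*$")
# Assumption: a status of the form "Windows <version> MBR code detected" is
# the tool's way of saying the boot code matched a stock Windows MBR.
KNOWN_GOOD_STATUS = re.compile(r"^Windows .* MBR code detected$")
# Drivers loaded from temp or profile directories are worth cross-checking:
# legitimate scanners (ComboFix's catchme.sys here) load from there, but so
# would a driver dropped by malware. Flagging is a prompt to verify, not a verdict.
SUSPICIOUS_PATH = re.compile(r"\\(temp|docume~1|documents and settings)\\", re.I)


@dataclass
class DriveResult:
    device: str
    size: str
    status: str
    sha1: Optional[str]


@dataclass
class Findings:
    drives: list[DriveResult] = field(default_factory=list)
    flagged_drivers: list[str] = field(default_factory=list)
    notes: list[str] = field(default_factory=list)


def parse_report(text: str, baseline_sha1: Optional[str] = None) -> Findings:
    """Extract drive MBR results and flagged drivers; compare SHA1 to a baseline."""
    findings = Findings()
    lines = text.splitlines()
    in_drivers = False
    for i, raw in enumerate(lines):
        line = raw.strip()
        if line.startswith("Kernel Drivers"):
            in_drivers = True
            continue
        if line.startswith("Processes"):
            in_drivers = False
        if in_drivers:
            m = DRIVER_RE.match(line)
            if m and SUSPICIOUS_PATH.search(m.group(1)):
                findings.flagged_drivers.append(m.group(1))
            continue
        m = DRIVE_RE.match(line)
        if not m:
            continue
        size, device, status = m.groups()
        sha1 = None
        if i + 1 < len(lines):  # the SHA1 line directly follows the drive line
            sm = SHA1_RE.match(lines[i + 1].strip())
            if sm:
                sha1 = sm.group(1).upper()
        findings.drives.append(DriveResult(device, size, status, sha1))
        if not KNOWN_GOOD_STATUS.match(status):
            findings.notes.append(f"{device}: MBR status needs review: {status!r}")
        if baseline_sha1 and sha1 and sha1 != baseline_sha1.upper():
            findings.notes.append(f"{device}: MBR SHA1 changed since baseline")
    return findings


if __name__ == "__main__":
    result = parse_report(SAMPLE_REPORT, baseline_sha1="DA38B874B7713D1B51CBC449F4EF809B0DEC644A")
    for d in result.drives:
        print(f"{d.device} ({d.size}): {d.status} SHA1={d.sha1}")
    for path in result.flagged_drivers:
        print("cross-check driver:", path)
    for note in result.notes:
        print("NOTE:", note)
```

Re-run MBRCheck after the cleanup and feed the new report in with the earlier SHA1 as the baseline; an unchanged hash plus a known-good status means the boot code was not touched in between.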
  10. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,003
    Download OTS.exe to your Desktop.
    1. Close any open browsers.
    2. If your real-time protection or antivirus interferes with OTS, allow it to run.
    3. Double-click on OTS.exe to start the program.
    4. In the Additional Scans section, put a check in Disabled MS Config Items and EventViewer logs.
    5. Now click the Run Scan button on the toolbar.
    6. Let it run unhindered until it finishes.
    7. When the scan is complete Notepad will open with the report file loaded in it.
    8. Save that notepad file.
    Use the Reply button, scroll down to the attachments section and attach the notepad file here.
     
  11. rk233

    rk233 Thread Starter

    Joined:
    Feb 7, 2007
    Messages:
    84
    I made the changes in OTC for the advanced settings.


    Code:
    OTS logfile created on: 1/9/2011 4:20:59 PM - Run 1
    OTS by OldTimer - Version 3.1.41.0     Folder = C:\Documents and Settings\Administrator\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
     
    2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 79.00% Memory free
    5.00 Gb Paging File | 4.00 Gb Available in Paging File | 91.00% Paging File free
    Paging file location(s): C:\pagefile.sys 0 0 [binary data]
     
    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 111.78 Gb Total Space | 32.24 Gb Free Space | 28.85% Space Free | Partition Type: NTFS
    D: Drive not present or media not loaded
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded
     
    Computer Name: DELL
    Current User Name: Owner
    Logged in as Administrator.
     
    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: Off
    Skip Microsoft Files: Off
    File Age = 30 Days
     
    [Processes - Safe List]
    ots.exe -> C:\Documents and Settings\Administrator\Desktop\OTS.exe -> [2011/01/09 16:17:13 | 000,642,560 | ---- | M] (OldTimer Tools)
    mbamservice.exe -> C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -> [2010/12/20 18:08:58 | 000,363,344 | ---- | M] (Malwarebytes Corporation)
    mbamgui.exe -> C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe -> [2010/12/20 18:08:56 | 000,443,728 | ---- | M] (Malwarebytes Corporation)
    avguard.exe -> C:\Program Files\Avira\AntiVir Desktop\avguard.exe -> [2010/12/12 12:30:19 | 000,267,944 | ---- | M] (Avira GmbH)
    sched.exe -> C:\Program Files\Avira\AntiVir Desktop\sched.exe -> [2010/08/02 16:10:00 | 000,135,336 | ---- | M] (Avira GmbH)
    avgnt.exe -> C:\Program Files\Avira\AntiVir Desktop\avgnt.exe -> [2010/08/02 16:09:55 | 000,281,768 | ---- | M] (Avira GmbH)
    opendnsupdater.exe -> C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe -> [2010/06/16 16:42:58 | 000,839,680 | ---- | M] ()
    lvprcsrv.exe -> C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -> [2010/05/07 17:47:32 | 000,162,648 | ---- | M] (Logitech Inc.)
    avshadow.exe -> C:\Program Files\Avira\AntiVir Desktop\avshadow.exe -> [2010/01/14 22:11:00 | 000,076,968 | ---- | M] (Avira GmbH)
    vsmon.exe -> C:\WINDOWS\system32\ZoneLabs\vsmon.exe -> [2009/02/15 22:10:22 | 002,402,184 | ---- | M] (Check Point Software Technologies LTD)
    zlclient.exe -> C:\Program Files\ZoneAlarm\zlclient.exe -> [2009/02/15 22:10:22 | 000,981,384 | ---- | M] (Check Point Software Technologies LTD)
    mcsacore.exe -> C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -> [2008/10/08 11:04:44 | 000,203,280 | ---- | M] ()
    explorer.exe -> C:\WINDOWS\explorer.exe -> [2008/04/14 04:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation)
    wanmpsvc.exe -> C:\WINDOWS\wanmpsvc.exe -> [2003/01/10 17:13:04 | 000,065,536 | ---- | M] (America Online, Inc.)
     
    [Modules - Safe List]
    ots.exe -> C:\Documents and Settings\Administrator\Desktop\OTS.exe -> [2011/01/09 16:17:13 | 000,642,560 | ---- | M] (OldTimer Tools)
    comctl32.dll -> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll -> [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation)
     
    [Win32 Services - Safe List]
    (HidServ) Human Interface Device Access [On_Demand | Stopped] -> C:\WINDOWS\System32\hidserv.dll -> File not found
    (getPlusHelper) getPlus(R) Helper [Disabled | Stopped] -> C:\Program Files\NOS\bin\getPlus_Helper.dll -> File not found
    (Secunia PSI Agent) Secunia PSI Agent [On_Demand | Stopped] -> C:\Program Files\Secunia\PSI\PSIA.exe -> [2010/12/21 07:04:30 | 000,987,704 | ---- | M] (Secunia)
    (Secunia Update Agent) Secunia Update Agent [On_Demand | Stopped] -> C:\Program Files\Secunia\PSI\sua.exe -> [2010/12/21 07:04:30 | 000,399,416 | ---- | M] (Secunia)
    (MBAMService) MBAMService [Auto | Running] -> C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -> [2010/12/20 18:08:58 | 000,363,344 | ---- | M] (Malwarebytes Corporation)
    (AntiVirService) Avira AntiVir Guard [Auto | Running] -> C:\Program Files\Avira\AntiVir Desktop\avguard.exe -> [2010/12/12 12:30:19 | 000,267,944 | ---- | M] (Avira GmbH)
    (Apple Mobile Device) Apple Mobile Device [Disabled | Stopped] -> C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -> [2010/10/16 00:40:40 | 000,037,664 | ---- | M] (Apple Inc.)
    (ReflectService) Macrium Reflect Image Mounting Service [Disabled | Stopped] -> C:\Program Files\Macrium\Reflect\ReflectService.exe -> [2010/09/28 14:02:58 | 000,220,128 | ---- | M] ()
    (AntiVirSchedulerService) Avira AntiVir Scheduler [Auto | Running] -> C:\Program Files\Avira\AntiVir Desktop\sched.exe -> [2010/08/02 16:10:00 | 000,135,336 | ---- | M] (Avira GmbH)
    (LVPrcSrv) Process Monitor [Auto | Running] -> C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe -> [2010/05/07 17:47:32 | 000,162,648 | ---- | M] (Logitech Inc.)
    (vsmon) TrueVector Internet Monitor [Auto | Running] -> C:\WINDOWS\System32\ZoneLabs\vsmon.exe -> [2009/02/15 22:10:22 | 002,402,184 | ---- | M] (Check Point Software Technologies LTD)
    (McAfee SiteAdvisor Service) McAfee SiteAdvisor Service [Auto | Running] -> C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -> [2008/10/08 11:04:44 | 000,203,280 | ---- | M] ()
    (CCALib8) Canon Camera Access Library 8 [On_Demand | Stopped] -> C:\Program Files\Canon\CAL\CALMAIN.exe -> [2007/01/31 13:55:42 | 000,096,370 | ---- | M] (Canon Inc.)
    (AOL ACS) AOL Connectivity Service [Disabled | Stopped] -> C:\Program Files\Common Files\AOL\ACS\acsd.exe -> [2003/08/19 12:27:52 | 001,376,360 | ---- | M] (America Online, Inc.)
    (ICDSPTSV) Sony SPTI Service for DVE [On_Demand | Stopped] -> C:\WINDOWS\system32\IcdSptSv.exe -> [2003/04/01 22:08:30 | 000,069,632 | ---- | M] (Sony Corporation)
    (WANMiniportService) WAN Miniport (ATW) Service [Auto | Running] -> C:\WINDOWS\wanmpsvc.exe -> [2003/01/10 17:13:04 | 000,065,536 | ---- | M] (America Online, Inc.)
     
    [Driver Services - Safe List]
    (VisorUsb) Handspring USB [Kernel | On_Demand | Stopped] -> C:\WINDOWS\System32\DRIVERS\VisorUsb.sys -> File not found
    (TMPassthruMP) TMPassthruMP [Kernel | On_Demand | Stopped] -> C:\WINDOWS\System32\DRIVERS\TMPassthru.sys -> File not found
    (MEMSWEEP2) MEMSWEEP2 [Kernel | On_Demand | Stopped] -> C:\WINDOWS\System32\3D.tmp -> File not found
    (Lbd) Lbd [File_System | Boot | Stopped] -> C:\WINDOWS\System32\DRIVERS\Lbd.sys -> File not found
    (catchme) catchme [Kernel | On_Demand | Stopped] -> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys -> File not found
    (avipbb) avipbb [Kernel | System | Running] -> C:\WINDOWS\system32\drivers\avipbb.sys -> [2010/12/29 19:49:27 | 000,135,096 | ---- | M] (Avira GmbH)
    (MBAMProtector) MBAMProtector [File_System | On_Demand | Running] -> C:\WINDOWS\system32\drivers\mbam.sys -> [2010/12/20 18:08:40 | 000,020,952 | ---- | M] (Malwarebytes Corporation)
    (avgntflt) avgntflt [File_System | Auto | Running] -> C:\WINDOWS\system32\drivers\avgntflt.sys -> [2010/12/05 20:47:59 | 000,061,960 | ---- | M] (Avira GmbH)
    (pssnap) Paramount Software Snapshot Filter [Kernel | Boot | Running] -> C:\WINDOWS\system32\DRIVERS\pssnap.sys -> [2010/09/28 14:03:22 | 000,015,328 | ---- | M] (Macrium Software)
    (PSI) PSI [File_System | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\psi_mf.sys -> [2010/09/01 03:30:58 | 000,015,544 | ---- | M] (Secunia)
    (Uim_IM) UIM Drive Backup Image Plugin [Kernel | System | Running] -> C:\WINDOWS\system32\drivers\Uim_IM.sys -> [2010/08/25 14:45:28 | 000,395,464 | ---- | M] (Paragon)
    (hotcore3) hc3ServiceName [Kernel | Boot | Running] -> C:\WINDOWS\system32\DRIVERS\hotcore3.sys -> [2010/08/25 14:45:28 | 000,056,208 | ---- | M] (Paragon Software Group)
    (UimBus) Universal Image Mounter Controller [Kernel | System | Running] -> C:\WINDOWS\system32\drivers\UimBus.sys -> [2010/08/25 14:45:28 | 000,037,080 | ---- | M] (Windows (R) 2000 DDK provider)
    (FilterService) UVCFilterService [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\lvuvcflt.sys -> [2010/07/27 03:15:20 | 000,023,904 | ---- | M] (Logitech Inc.)
    (LVUVC) Logitech Webcam 500(UVC) [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\lvuvc.sys -> [2010/07/27 03:14:58 | 006,842,464 | ---- | M] (Logitech Inc.)
    (LVRS) Logitech RightSound Filter Driver [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\lvrs.sys -> [2010/07/27 03:12:50 | 000,282,336 | ---- | M] (Logitech Inc.)
    (ssmdrv) ssmdrv [Kernel | System | Running] -> C:\WINDOWS\system32\drivers\ssmdrv.sys -> [2010/06/17 15:27:22 | 000,028,520 | ---- | M] (Avira GmbH)
    (avgio) avgio [Kernel | System | Running] -> C:\Program Files\Avira\AntiVir Desktop\avgio.sys -> [2010/06/17 15:27:12 | 000,011,608 | ---- | M] (Avira GmbH)
    (SASKUTIL) SASKUTIL [Kernel | System | Running] -> C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -> [2010/06/03 22:44:05 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
    (LVPr2Mon) LVPr2Mon Driver [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\LVPr2Mon.sys -> [2010/05/07 17:43:30 | 000,025,824 | ---- | M] ()
    (SASDIFSV) SASDIFSV [Kernel | System | Running] -> C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -> [2010/02/17 10:25:50 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
    (SASENUM) SASENUM [Kernel | On_Demand | Stopped] -> C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -> [2010/02/17 10:15:58 | 000,012,872 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com)
    (vsdatant) vsdatant [Kernel | System | Running] -> C:\WINDOWS\system32\vsdatant.sys -> [2009/02/15 22:10:26 | 000,353,672 | ---- | M] (Check Point Software Technologies LTD)
    (tmcomm) tmcomm [Kernel | Auto | Running] -> C:\WINDOWS\system32\drivers\tmcomm.sys -> [2009/01/16 22:53:59 | 000,102,664 | ---- | M] (Trend Micro Inc.)
    (KLIF) KLIF [Kernel | System | Running] -> C:\WINDOWS\system32\drivers\klif.sys -> [2008/12/11 21:32:42 | 000,148,496 | ---- | M] (Kaspersky Lab)
    (srescan) srescan [Kernel | Boot | Running] -> C:\WINDOWS\system32\ZoneLabs\srescan.sys -> [2008/11/17 01:24:00 | 000,051,688 | ---- | M] (Check Point Software Technologies LTD)
    (usbaudio) USB Audio Driver (WDM) [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\USBAUDIO.sys -> [2008/04/13 23:15:14 | 000,060,032 | ---- | M] (Microsoft Corporation)
    (BANTExt) Belarc SMBios Access [Kernel | System | Running] -> C:\WINDOWS\System32\Drivers\BANTExt.sys -> [2008/03/06 10:51:14 | 000,003,840 | ---- | M] ()
    (MA8500U) MA8500U [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\MA8500U.sys -> [2007/10/29 14:32:00 | 000,049,109 | ---- | M] (Mobile Action Technology Inc.)
    (MaVctrl) MaVctrl [Kernel | Auto | Running] -> C:\WINDOWS\system32\drivers\MaVc2K.sys -> [2007/01/16 10:44:46 | 000,011,986 | ---- | M] (Mobile Action Technology Inc.)
    (grmn0400) grmn0400.Sys Garmin USB HS DCP driver (install) [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\grmn0400.sys -> [2007/01/05 15:51:40 | 000,022,184 | ---- | M] (GARMIN Corp.)
    (grmn1200) grmn0200.Sys Garmin USB DCP driver [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\grmn1200.sys -> [2007/01/05 15:51:38 | 000,017,448 | ---- | M] (GARMIN Corp.)
    (grmn0200) grmn0200.Sys Garmin USB DCP driver (install) [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\grmn0200.sys -> [2007/01/05 15:51:36 | 000,023,208 | ---- | M] (GARMIN Corp.)
    (netr73) Linksys Compact Wireless-G USB Adapter Driver for Vista [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\netr73.sys -> [2006/12/29 01:49:00 | 000,247,808 | ---- | M] (Ralink Technology Inc.)
    (IntelC52) IntelC52 [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\IntelC52.sys -> [2006/03/01 20:30:54 | 000,618,880 | ---- | M] (Intel Corporation)
    (RT73) Linksys Home Wireless-G USB Adapter Driver [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\rt73.sys -> [2005/11/24 06:51:38 | 000,245,248 | R--- | M] (Ralink Technology, Corp.)
    (MaRdPnp) MaRdPnp [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\mardp2k.sys -> [2005/08/17 22:44:50 | 000,049,867 | R--- | M] (Mobile Action Technology Inc.)
    (ma8500c) ma8500c [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\ma8500c.sys -> [2005/06/16 17:11:58 | 000,024,784 | ---- | M] (Mobile Action Technology Inc.)
    (IntelC51) IntelC51 [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\IntelC51.sys -> [2005/05/06 14:42:26 | 001,339,776 | ---- | M] (Intel Corporation)
    (IntelC53) IntelC53 [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\IntelC53.sys -> [2005/05/06 14:40:50 | 000,047,360 | ---- | M] (Intel Corporation)
    (mohfilt) mohfilt [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\mohfilt.sys -> [2005/05/06 14:40:20 | 000,036,880 | ---- | M] (Intel Corporation)
    (Afc) PPdus ASPI Shell [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\afc.sys -> [2005/02/23 14:58:56 | 000,011,776 | ---- | M] (Arcsoft, Inc.)
    (MA8500M) MA8500M [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\MA8500M.sys -> [2004/09/16 16:11:02 | 000,025,300 | ---- | M] (Mobile Action Technology Inc.)
    (nv) nv [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\nv4_mini.sys -> [2004/08/03 22:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation)
    (ATWPKT2) ATWPKT2 [Kernel | On_Demand | Stopped] -> C:\Program Files\Common Files\AOL\ACS\ATWPkt2.sys -> [2003/08/06 17:02:34 | 000,017,613 | ---- | M] (America Online)
    (tfsnudfa) tfsnudfa [File_System | Auto | Running] -> C:\WINDOWS\system32\dla\tfsnudfa.sys -> [2003/08/06 01:04:00 | 000,100,373 | ---- | M] (Sonic Solutions)
    (tfsnudf) tfsnudf [File_System | Auto | Running] -> C:\WINDOWS\system32\dla\tfsnudf.sys -> [2003/08/06 01:04:00 | 000,098,068 | ---- | M] (Sonic Solutions)
    (tfsnifs) tfsnifs [File_System | Auto | Running] -> C:\WINDOWS\system32\dla\tfsnifs.sys -> [2003/08/06 01:04:00 | 000,083,284 | ---- | M] (Sonic Solutions)
    (tfsncofs) tfsncofs [File_System | Auto | Running] -> C:\WINDOWS\system32\dla\tfsncofs.sys -> [2003/08/06 01:04:00 | 000,034,837 | ---- | M] (Sonic Solutions)
    (tfsnboio) tfsnboio [File_System | Auto | Running] -> C:\WINDOWS\system32\dla\tfsnboio.sys -> [2003/08/06 01:04:00 | 000,025,685 | ---- | M] (Sonic Solutions)
    (tfsnopio) tfsnopio [File_System | Auto | Running] -> C:\WINDOWS\system32\dla\tfsnopio.sys -> [2003/08/06 01:04:00 | 000,014,229 | ---- | M] (Sonic Solutions)
    (tfsnpool) tfsnpool [File_System | Auto | Running] -> C:\WINDOWS\system32\dla\tfsnpool.sys -> [2003/08/06 01:04:00 | 000,006,357 | ---- | M] (Sonic Solutions)
    (tfsndrct) tfsndrct [File_System | Auto | Running] -> C:\WINDOWS\system32\dla\tfsndrct.sys -> [2003/08/06 01:04:00 | 000,004,117 | ---- | M] (Sonic Solutions)
    (tfsndres) tfsndres [File_System | Auto | Running] -> C:\WINDOWS\system32\dla\tfsndres.sys -> [2003/08/06 01:04:00 | 000,002,233 | ---- | M] (Sonic Solutions)
    (drvmcdb) drvmcdb [Kernel | Boot | Running] -> C:\WINDOWS\system32\drivers\drvmcdb.sys -> [2003/07/31 03:21:00 | 000,084,576 | ---- | M] (Sonic Solutions)
    (sscdbhk5) sscdbhk5 [File_System | System | Running] -> C:\WINDOWS\system32\drivers\sscdbhk5.sys -> [2003/07/14 11:28:40 | 000,005,621 | ---- | M] (Sonic Solutions)
    (ssrtln) ssrtln [File_System | System | Running] -> C:\WINDOWS\system32\drivers\ssrtln.sys -> [2003/07/14 11:28:22 | 000,023,219 | ---- | M] (Sonic Solutions)
    (drvnddm) drvnddm [File_System | Auto | Running] -> C:\WINDOWS\system32\drivers\drvnddm.sys -> [2003/06/20 02:56:00 | 000,040,448 | ---- | M] (Sonic Solutions)
    (wanatw) WAN Miniport (ATW) [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\wanatw4.sys -> [2003/01/10 17:13:04 | 000,033,588 | ---- | M] (America Online, Inc.)
    (ICDUSB2) Sony IC Recorder (P) [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\IcdUsb2.sys -> [2002/11/28 21:23:24 | 000,039,048 | ---- | M] (Sony Corporation)
    (PalmUSBD) PalmUSBD [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\PalmUSBD.sys -> [2002/05/22 11:42:42 | 000,015,326 | ---- | M] (Palm, Inc.)
    (OMCI) OMCI [Kernel | System | Running] -> C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -> [2001/08/22 08:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation)
     
    [Registry - Safe List]
    < Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
    HKEY_LOCAL_MACHINE\: Main\\"StartPage" -> http://www.optonline.net -> 
    < Internet Explorer Settings [HKEY_CURRENT_USER\] > -> -> 
    HKEY_CURRENT_USER\: Main\\"Start Page" -> http://www.google.com/ -> 
    HKEY_CURRENT_USER\: SearchURL\CNNSI\\"" -> search.sportsillustrated.cnn.com/pages/search.jsp?query=%s -> 
    HKEY_CURRENT_USER\: SearchURL\Dictionary\\"" -> dictionary.reference.com/search?q=%s -> 
    HKEY_CURRENT_USER\: SearchURL\Google\\"" -> google.com/search?q=%s -> 
    HKEY_CURRENT_USER\: SearchURL\GoogleGroups\\"" -> groups-beta.google.com/groups?q=%s -> 
    HKEY_CURRENT_USER\: SearchURL\GoogleImages\\"" -> images.google.com/images?hl=en&lr=&q=%s -> 
    HKEY_CURRENT_USER\: SearchURL\GoogleNews\\"" -> news.google.com/news?tab=gn&hl=en&ie=UTF-8&q=%s&btnG=Search+News -> 
    HKEY_CURRENT_USER\: SearchURL\KB\\"" -> support.microsoft.com/search/default.aspx?query=%s -> 
    HKEY_CURRENT_USER\: SearchURL\KBDLL\\"" -> support.microsoft.com/dllhelp/default.aspx?dlltype=file&l=55&alpha=%s&S=1 -> 
    HKEY_CURRENT_USER\: SearchURL\Movies\\"" -> fandango.com/my_box_office.asp?searchby=2&txtCityZip=%s -> 
    HKEY_CURRENT_USER\: SearchURL\MSN\\"" -> search.msn.com/results.asp?q=%s -> 
    HKEY_CURRENT_USER\: SearchURL\Thesaurus\\"" -> thesaurus.reference.com/search?q=%s -> 
    HKEY_CURRENT_USER\: SearchURL\Weather\\"" -> weather.com/weather/local/%s -> 
    HKEY_CURRENT_USER\: SearchURL\Yahoo\\"" -> search.yahoo.com/search?p=%s -> 
    HKEY_CURRENT_USER\: "ProxyEnable" -> 0 -> 
    HKEY_CURRENT_USER\: "ProxyOverride" -> *.local -> 
    < FireFox Settings [Prefs.js] > -> C:\Documents and Settings\Administrator\Application Data\Mozilla\FireFox\Profiles\lxg22szv.default\prefs.js -> 
    browser.startup.homepage -> "www.msn.com" ->
    < FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
    HKLM\software\mozilla\Firefox\Extensions ->  -> 
    HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45} -> C:\Program Files\McAfee\SiteAdvisor [C:\PROGRAM FILES\MCAFEE\SITEADVISOR] -> [2010/03/02 19:13:43 | 000,000,000 | ---D | M]
    HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions ->  -> 
    HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components -> C:\Program Files\Mozilla Firefox\components [C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS] -> [2011/01/03 23:10:57 | 000,000,000 | ---D | M]
    HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins -> C:\Program Files\Mozilla Firefox\plugins [C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS] -> [2010/12/31 10:33:13 | 000,000,000 | ---D | M]
    HKLM\software\mozilla\Mozilla Thunderbird 3.1.7\extensions ->  -> 
    HKLM\software\mozilla\Mozilla Thunderbird 3.1.7\extensions\\Components -> C:\Program Files\Mozilla Thunderbird\components [C:\PROGRAM FILES\MOZILLA THUNDERBIRD\COMPONENTS] -> [2010/12/31 10:21:45 | 000,000,000 | ---D | M]
    HKLM\software\mozilla\Mozilla Thunderbird 3.1.7\extensions\\Plugins -> C:\PROGRAM FILES\MOZILLA THUNDERBIRD\PLUGINS -> 
    < FireFox Extensions [User Folders] > -> 
      -> C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions -> [2010/08/19 22:35:01 | 000,000,000 | ---D | M]
    No name found   -> C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6} -> [2010/08/19 22:35:01 | 000,000,000 | ---D | M]
      -> C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6xcqg4yz.profile052308\extensions -> [2011/01/09 12:03:23 | 000,000,000 | ---D | M]
    NoScript   -> C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6xcqg4yz.profile052308\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232} -> [2011/01/05 00:06:47 | 000,000,000 | ---D | M]
    WOT   -> C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6xcqg4yz.profile052308\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} -> [2010/09/09 20:43:45 | 000,000,000 | ---D | M]
    LinkExtend   -> C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6xcqg4yz.profile052308\extensions\{cf47767d-5f3a-4e32-9fce-5d79565c9702} -> [2010/11/28 00:08:56 | 000,000,000 | ---D | M]
    Adblock Plus   -> C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6xcqg4yz.profile052308\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} -> [2010/12/30 13:33:37 | 000,000,000 | ---D | M]
    "BetterPrivacy"   -> C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6xcqg4yz.profile052308\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3} -> [2010/09/20 23:01:06 | 000,000,000 | ---D | M]
    Adobe DLM (powered by getPlus(R))   -> C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6xcqg4yz.profile052308\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7} -> [2010/06/26 19:37:20 | 000,000,000 | ---D | M]
      -> C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6xcqg4yz.profile052308\extensions\[email protected] -> [2010/09/22 20:06:11 | 000,000,000 | ---D | M]
      -> C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lxg22szv.default\extensions -> [2008/05/23 23:31:11 | 000,000,000 | ---D | M]
    NoScript   -> C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lxg22szv.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232} -> [2008/05/11 09:06:26 | 000,000,000 | ---D | M]
    < FireFox Extensions [Program Folders] > -> 
      -> C:\Program Files\Mozilla Firefox\extensions -> [2011/01/09 16:14:28 | 000,000,000 | ---D | M]
    Java Console   -> C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} -> [2010/11/08 23:42:33 | 000,000,000 | ---D | M]
    Java Console   -> C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} -> [2010/12/29 19:55:48 | 000,000,000 | ---D | M]
    < HOSTS File > ([2011/01/08 17:37:01 | 000,000,027 | ---- | M] - 1 lines) -> C:\WINDOWS\system32\drivers\etc\hosts -> 
    Reset Hosts
    127.0.0.1       localhost
    < BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
    {53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [Spybot-S&D IE Protection] -> [2009/01/26 15:31:02 | 001,879,896 | ---- | M] (Safer Networking Limited)
    {5CA3D70E-1895-11CF-8E15-001234567890} [HKLM] -> C:\WINDOWS\system32\dla\tfswshx.dll [DriveLetterAccess] -> [2003/08/06 01:04:00 | 000,106,548 | ---- | M] (Sonic Solutions)
    {B164E929-A1B6-4A06-B104-2CD0E90A88FF} [HKLM] -> c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll [McAfee SiteAdvisor BHO] -> [2008/09/30 12:05:24 | 000,145,424 | ---- | M] ()
    < Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar -> 
    "{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064}" [HKLM] -> c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll [McAfee SiteAdvisor Toolbar] -> [2008/09/30 12:05:24 | 000,145,424 | ---- | M] ()
    "{4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29}" [HKLM] -> C:\Program Files\ComcastToolbar\comcasttoolbar.dll [Comcast Toolbar] -> [2006/11/07 14:21:58 | 001,821,184 | ---- | M] (Comcast Cable Communications.                )
    < Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
    "avgnt" -> C:\Program Files\Avira\AntiVir Desktop\avgnt.exe ["C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min] -> [2010/08/02 16:09:55 | 000,281,768 | ---- | M] (Avira GmbH)
    "Malwarebytes' Anti-Malware" -> C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe ["C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray] -> [2010/12/20 18:08:56 | 000,443,728 | ---- | M] (Malwarebytes Corporation)
    "ZoneAlarm Client" -> C:\Program Files\ZoneAlarm\zlclient.exe ["C:\Program Files\ZoneAlarm\zlclient.exe"] -> [2009/02/15 22:10:22 | 000,981,384 | ---- | M] (Check Point Software Technologies LTD)
    < Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
    "OpenDNS Updater" -> C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe ["C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe" /autostart] -> [2010/06/16 16:42:58 | 000,839,680 | ---- | M] ()
    < Administrator Startup Folder > -> C:\Documents and Settings\Administrator\Start Menu\Programs\Startup -> 
     -> C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Logitech . Product Registration.lnk.disabled -> [2010/08/31 19:51:26 | 000,000,749 | ---- | M] ()
     -> C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Secunia PSI (BETA).lnk.disabled -> [2007/10/07 00:56:07 | 000,000,743 | ---- | M] ()
    < All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup -> 
     -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp officejet 7100 series) - 2.lnk.disabled -> [2008/09/30 10:44:13 | 000,001,228 | ---- | M] ()
     -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk.disabled -> [2010/12/31 10:07:06 | 000,000,753 | ---- | M] ()
     -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WD Backup Monitor.lnk.disabled -> [2007/02/21 09:33:44 | 000,001,631 | ---- | M] ()
    < Software Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer -> 
    < Software Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer -> 
    < CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    \\"NoCDBurning" ->  [0] -> File not found
    \\"HonorAutoRunSetting" ->  [1] -> File not found
    \\"NoDriveAutoRun" ->  [67108863] -> File not found
    \\"NoDriveTypeAutoRun" ->  [323] -> File not found
    \\"NoDrives" ->  [0] -> File not found
    < CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
    < CurrentVersion Policy Settings - Explorer [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    \\"NoDriveTypeAutoRun" ->  [323] -> File not found
    \\"NoDriveAutoRun" ->  [67108863] -> File not found
    \\"NoDrives" ->  [0] -> File not found
    < CurrentVersion Policy Settings - System [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
    < Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 
    {DFB852A3-47F8-48C4-A200-58CAB36FD2A2}:{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [Menu: Spybot - Search & Destroy Configuration] -> [2009/01/26 15:31:02 | 001,879,896 | ---- | M] (Safer Networking Limited)
    < Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ -> 
    CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] ->  [Reg Error: Value error.] -> File not found
    CmdMapping\\"{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}" [HKLM] ->  [Reg Error: Key error.] -> File not found
    CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] ->  [Reg Error: Key error.] -> File not found
    < Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 
    < Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
    "" -> http://
    < Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 7582 domain(s) found. -> 
    online_musicmatch.com [https] -> Trusted sites -> 
    < Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. -> 
    < Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 33558 domain(s) found. -> 
    internet .[about] -> Trusted sites -> 
    mcafee.com .[https] -> Trusted sites -> 
    *.update_microsoft.com [http] -> Trusted sites -> 
    *.update_microsoft.com [https] -> Trusted sites -> 
    *.windowsupdate_microsoft.com [http] -> Trusted sites -> 
    update_microsoft.com [http] -> Trusted sites -> 
    windowsupdate_microsoft.com [http] -> Trusted sites -> 
    download_windowsupdate.com [http] -> Trusted sites -> 
    < Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 36 range(s) found. -> 
    < Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
    {01A88BB1-1174-41EC-ACCB-963509EAE56B} [HKLM] -> http://support.dell.com/systemprofiler/SysPro.CAB [SysProWmi Class] -> 
    {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} [HKLM] -> http://download.microsoft.com/download/7/0/7/707a44ad-52ad-49af-b7ef-e21b6b0656e4/VirtualEarth3D.cab [SentinelVE3D Class] -> 
    {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} [HKLM] -> http://download.bitdefender.com/resources/scan8/oscan8.cab [BDSCANONLINE Control] -> 
    {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} [HKLM] -> http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182743078562 [MUWebControl Class] -> 
    {8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab [Java Plug-in 1.6.0_23] -> 
    {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab [Java Plug-in 1.6.0_23] -> 
    {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab [Java Plug-in 1.6.0_23] -> 
    < Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ -> 
    DhcpNameServer -> 75.75.75.75 75.75.76.76 -> 
    < Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
    {5434DCB3-376D-4633-89EB-AE97A9EB089D}\\DhcpNameServer -> 75.75.75.75 75.75.76.76   (Intel(R) PRO/100 VE Network Connection) -> 
    {5434DCB3-376D-4633-89EB-AE97A9EB089D}\\NameServer -> 208.67.222.222,208.67.220.220   (Intel(R) PRO/100 VE Network Connection) -> 
    IE Styles -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles
    "MaxScriptStatements" -> Reg Error: Invalid data type.
    "Use My Stylesheet" -> Reg Error: Invalid data type.
    < Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
    *Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell -> 
    Explorer.exe -> C:\WINDOWS\explorer.exe -> [2008/04/14 04:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation)
    *MultiFile Done* -> -> 
    < ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks -> 
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" [HKLM] -> C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [] -> [2008/05/13 09:13:36 | 000,077,824 | ---- | M] (SuperAdBlocker.com)
    < Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List -> 
    < Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List -> 
    "C:\Program Files\Adobe\Acrobat.com\Acrobat.com.exe" -> C:\Program Files\Adobe\Acrobat.com\Acrobat.com.exe [C:\Program Files\Adobe\Acrobat.com\Acrobat.com.exe:*:Enabled:Acrobat.com] -> [2009/06/27 18:05:57 | 000,095,744 | ---- | M] ()
    "C:\Program Files\America Online 9.0\aol.exe" -> C:\Program Files\America Online 9.0\aol.exe [C:\Program Files\America Online 9.0\aol.exe:*:Enabled:America Online 9.0] -> [2003/08/09 17:36:02 | 000,045,139 | ---- | M] (America Online, Inc.)
    "C:\Program Files\Grisoft\AVG7\avgamsvr.exe" -> C:\Program Files\Grisoft\AVG7\avgamsvr.exe [C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe] -> [2007/07/05 09:55:36 | 000,353,280 | ---- | M] (GRISOFT, s.r.o.)
    "C:\Program Files\Grisoft\AVG7\avgemc.exe" -> C:\Program Files\Grisoft\AVG7\avgemc.exe [C:\Program Files\Grisoft\AVG7\avgemc.exe:*:Enabled:avgemc.exe] -> [2007/07/05 09:55:37 | 000,352,768 | ---- | M] (GRISOFT, s.r.o.)
    "C:\Program Files\iTunes\iTunes.exe" -> C:\Program Files\iTunes\iTunes.exe [C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes] -> [2010/12/13 17:16:14 | 009,777,448 | ---- | M] (Apple Inc.)
    "C:\Program Files\Logitech\Logitech Vid\Vid.exe" -> C:\Program Files\Logitech\Logitech Vid\Vid.exe [C:\Program Files\Logitech\Logitech Vid\Vid.exe:*:Enabled:Logitech Vid] -> [2009/07/16 15:35:42 | 005,458,704 | ---- | M] (Logitech Inc.)
    "C:\Program Files\Microsoft Baseline Security Analyzer 2\mbsa.exe" -> C:\Program Files\Microsoft Baseline Security Analyzer 2\mbsa.exe [C:\Program Files\Microsoft Baseline Security Analyzer 2\mbsa.exe:*:Enabled:Microsoft Baseline Security Analyzer 2.0.1] -> [2006/11/06 16:54:10 | 000,051,200 | ---- | M] (Microsoft Corporation)
    "C:\Program Files\Mozilla Firefox\firefox.exe" -> C:\Program Files\Mozilla Firefox\firefox.exe [C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Mozilla Firefox] -> [2010/12/12 21:49:36 | 000,912,344 | ---- | M] (Mozilla Corporation)
    "C:\Program Files\My Book\WD Backup\uBBMonitor.exe" -> C:\Program Files\My Book\WD Backup\uBBMonitor.exe [C:\Program Files\My Book\WD Backup\uBBMonitor.exe:*:Enabled:WD Backup Monitor] -> [2006/01/22 18:30:16 | 000,098,304 | ---- | M] (ArcSoft, Inc.)
    "C:\Program Files\My Book\WD Backup\uWDBackup.exe" -> C:\Program Files\My Book\WD Backup\uWDBackup.exe [C:\Program Files\My Book\WD Backup\uWDBackup.exe:*:Enabled:WD Backup] -> [2006/01/22 19:51:06 | 000,466,944 | ---- | M] (ArcSoft, Inc.)
    "C:\Program Files\Palm\HotSync.exe" -> C:\Program Files\Palm\HotSync.exe [C:\Program Files\Palm\HotSync.exe:*:Enabled:HotSync Manager] -> [2002/05/22 11:42:36 | 000,299,008 | ---- | M] (Palm, Inc.)
    "C:\WINDOWS\system32\ZoneLabs\vsmon.exe" -> C:\WINDOWS\System32\ZoneLabs\vsmon.exe [C:\WINDOWS\system32\ZoneLabs\vsmon.exe:*:Enabled:TrueVector Service] -> [2009/02/15 22:10:22 | 002,402,184 | ---- | M] (Check Point Software Technologies LTD)
    < SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot -> 
    < CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->
    "AutoRun" -> 1 -> 
    "DisplayName" -> CD-ROM Driver -> 
    "ImagePath" ->  [System32\DRIVERS\cdrom.sys] -> File not found
    < Drives with AutoRun files > ->  -> 
    C:\AUTOEXEC.BAT [] -> C:\AUTOEXEC.BAT [ NTFS ] -> [2007/02/19 22:06:40 | 000,000,000 | -HS- | M] ()
    < MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 -> 
    < Registry Shell Spawning - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command -> 
    comfile [open] -> "%1" %* -> 
    exefile [open] -> "%1" %* -> 
    < File Associations - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\ -> 
    .com [@ = ComFile] -> "%1" %* -> 
    .exe [@ = exefile] -> "%1" %* -> 
     
    [Registry - Additional Scans - Safe List]
    < Disabled MSConfig State [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state -> 
    "bootini" -> 0 -> 
    "services" -> 0 -> 
    "startup" -> 0 -> 
    "system.ini" -> 0 -> 
    "win.ini" -> 0 -> 
    < EventViewer Logs - Last 10 Errors > -> Event Information -> Description
    Application [ Error ] 1/4/2011 12:00:17 PM Computer Name = DELL | Source = crypt32 | ID = 131080 -> Description = Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.  
    Application [ Error ] 1/4/2011 9:55:52 PM Computer Name = DELL | Source = crypt32 | ID = 131080 -> Description = Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.  
    Application [ Error ] 1/5/2011 12:09:18 PM Computer Name = DELL | Source = crypt32 | ID = 131080 -> Description = Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.  
    Application [ Error ] 1/5/2011 9:21:00 PM Computer Name = DELL | Source = crypt32 | ID = 131080 -> Description = Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.  
    Application [ Error ] 1/6/2011 12:26:27 PM Computer Name = DELL | Source = crypt32 | ID = 131080 -> Description = Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.  
    Application [ Error ] 1/7/2011 9:20:08 AM Computer Name = DELL | Source = crypt32 | ID = 131080 -> Description = Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.  
    Application [ Error ] 1/7/2011 9:21:21 PM Computer Name = DELL | Source = crypt32 | ID = 131080 -> Description = Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.  
    Application [ Error ] 1/8/2011 11:06:56 AM Computer Name = DELL | Source = crypt32 | ID = 131080 -> Description = Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.  
    Application [ Error ] 1/8/2011 3:54:26 PM Computer Name = DELL | Source = crypt32 | ID = 131080 -> Description = Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.  
    Application [ Error ] 1/9/2011 5:10:02 PM Computer Name = DELL | Source = crypt32 | ID = 131080 -> Description = Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.  
    System [ Error ] 1/8/2011 2:00:17 PM Computer Name = DELL | Source = DCOM | ID = 10005 -> Description = DCOM got error "%1084" attempting to start the service McAfee SiteAdvisor Service with arguments ""  in order to run the server:  {5A90F5EE-16B8-4C2A-81B3-FD5329BA477C}
    System [ Error ] 1/8/2011 2:00:17 PM Computer Name = DELL | Source = DCOM | ID = 10005 -> Description = DCOM got error "%1084" attempting to start the service McAfee SiteAdvisor Service with arguments ""  in order to run the server:  {5A90F5EE-16B8-4C2A-81B3-FD5329BA477C}
    System [ Error ] 1/8/2011 2:00:23 PM Computer Name = DELL | Source = DCOM | ID = 10005 -> Description = DCOM got error "%1084" attempting to start the service McAfee SiteAdvisor Service with arguments ""  in order to run the server:  {5A90F5EE-16B8-4C2A-81B3-FD5329BA477C}
    System [ Error ] 1/8/2011 2:00:23 PM Computer Name = DELL | Source = DCOM | ID = 10005 -> Description = DCOM got error "%1084" attempting to start the service McAfee SiteAdvisor Service with arguments ""  in order to run the server:  {5A90F5EE-16B8-4C2A-81B3-FD5329BA477C}
    System [ Error ] 1/8/2011 2:00:29 PM Computer Name = DELL | Source = DCOM | ID = 10005 -> Description = DCOM got error "%1084" attempting to start the service McAfee SiteAdvisor Service with arguments ""  in order to run the server:  {5A90F5EE-16B8-4C2A-81B3-FD5329BA477C}
    System [ Error ] 1/8/2011 2:00:29 PM Computer Name = DELL | Source = DCOM | ID = 10005 -> Description = DCOM got error "%1084" attempting to start the service McAfee SiteAdvisor Service with arguments ""  in order to run the server:  {5A90F5EE-16B8-4C2A-81B3-FD5329BA477C}
    System [ Error ] 1/8/2011 2:00:35 PM Computer Name = DELL | Source = DCOM | ID = 10005 -> Description = DCOM got error "%1084" attempting to start the service McAfee SiteAdvisor Service with arguments ""  in order to run the server:  {5A90F5EE-16B8-4C2A-81B3-FD5329BA477C}
    System [ Error ] 1/8/2011 2:00:35 PM Computer Name = DELL | Source = DCOM | ID = 10005 -> Description = DCOM got error "%1084" attempting to start the service McAfee SiteAdvisor Service with arguments ""  in order to run the server:  {5A90F5EE-16B8-4C2A-81B3-FD5329BA477C}
    System [ Error ] 1/8/2011 2:00:41 PM Computer Name = DELL | Source = DCOM | ID = 10005 -> Description = DCOM got error "%1084" attempting to start the service McAfee SiteAdvisor Service with arguments ""  in order to run the server:  {5A90F5EE-16B8-4C2A-81B3-FD5329BA477C}
    System [ Error ] 1/8/2011 2:00:41 PM Computer Name = DELL | Source = DCOM | ID = 10005 -> Description = DCOM got error "%1084" attempting to start the service McAfee SiteAdvisor Service with arguments ""  in order to run the server:  {5A90F5EE-16B8-4C2A-81B3-FD5329BA477C}
     
    [Files/Folders - Created Within 30 Days]
     OTS.exe -> C:\Documents and Settings\Administrator\Desktop\OTS.exe -> [2011/01/09 16:17:12 | 000,642,560 | ---- | C] (OldTimer Tools)
     Tech Guy Support 1-8-2011 -> C:\Documents and Settings\Administrator\Desktop\Tech Guy Support 1-8-2011 -> [2011/01/08 20:44:06 | 000,000,000 | ---D | C]
     RECYCLER -> C:\RECYCLER -> [2011/01/08 17:52:56 | 000,000,000 | -HSD | C]
     SWXCACLS.exe -> C:\WINDOWS\SWXCACLS.exe -> [2011/01/08 17:27:31 | 000,212,480 | ---- | C] (SteelWerX)
     SWREG.exe -> C:\WINDOWS\SWREG.exe -> [2011/01/08 17:27:31 | 000,161,792 | ---- | C] (SteelWerX)
     SWSC.exe -> C:\WINDOWS\SWSC.exe -> [2011/01/08 17:27:31 | 000,136,704 | ---- | C] (SteelWerX)
     NIRCMD.exe -> C:\WINDOWS\NIRCMD.exe -> [2011/01/08 17:27:31 | 000,031,232 | ---- | C] (NirSoft)
     Qoobox -> C:\Qoobox -> [2011/01/08 17:26:52 | 000,000,000 | ---D | C]
     iTunes -> C:\Documents and Settings\All Users\Start Menu\Programs\iTunes -> [2010/12/31 10:25:01 | 000,000,000 | ---D | C]
     iPod -> C:\Program Files\iPod -> [2010/12/31 10:23:58 | 000,000,000 | ---D | C]
     iTunes -> C:\Program Files\iTunes -> [2010/12/31 10:23:54 | 000,000,000 | ---D | C]
     Bonjour -> C:\Program Files\Bonjour -> [2010/12/31 10:19:32 | 000,000,000 | ---D | C]
     Secunia PSI -> C:\Documents and Settings\Administrator\Local Settings\Application Data\Secunia PSI -> [2010/12/31 10:07:19 | 000,000,000 | ---D | C]
     Malware Removal-Tech Support Guy forum 12-30-10 -> C:\Documents and Settings\Administrator\Desktop\Malware Removal-Tech Support Guy forum 12-30-10 -> [2010/12/30 12:39:04 | 000,000,000 | ---D | C]
     Sun -> C:\Documents and Settings\All Users\Application Data\Sun -> [2010/12/29 19:56:28 | 000,000,000 | ---D | C]
     javaws.exe -> C:\WINDOWS\System32\javaws.exe -> [2010/12/29 19:55:44 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.)
     javaw.exe -> C:\WINDOWS\System32\javaw.exe -> [2010/12/29 19:55:44 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.)
     java.exe -> C:\WINDOWS\System32\java.exe -> [2010/12/29 19:55:44 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.)
     ndproxy.sys -> C:\WINDOWS\System32\dllcache\ndproxy.sys -> [2010/12/14 21:47:25 | 000,040,960 | ---- | C] (Microsoft Corporation)
     wab.exe -> C:\WINDOWS\System32\dllcache\wab.exe -> [2010/12/14 21:46:45 | 000,045,568 | ---- | C] (Microsoft Corporation)
     archive_db -> C:\archive_db -> [2010/12/12 01:47:01 | 000,000,000 | ---D | C]
     New Folder 1 -> C:\New Folder 1 -> [2010/12/12 01:30:35 | 000,000,000 | ---D | C]
     launcher -> C:\Documents and Settings\All Users\Application Data\launcher -> [2010/12/12 01:15:26 | 000,000,000 | ---D | C]
     hotcore3.sys -> C:\WINDOWS\System32\drivers\hotcore3.sys -> [2010/12/12 01:14:39 | 000,056,208 | ---- | C] (Paragon Software Group)
     Paragon Backup & Recovery™ 2010 Free Advanced -> C:\Documents and Settings\Administrator\Start Menu\Programs\Paragon Backup & Recovery™ 2010 Free Advanced -> [2010/12/12 01:14:36 | 000,000,000 | ---D | C]
     Paragon Software -> C:\Program Files\Paragon Software -> [2010/12/12 01:13:35 | 000,000,000 | ---D | C]
     Macrium -> C:\Documents and Settings\All Users\Application Data\Macrium -> [2010/12/12 00:29:32 | 000,000,000 | ---D | C]
     Macrium -> C:\Documents and Settings\Administrator\Start Menu\Programs\Macrium -> [2010/12/12 00:27:14 | 000,000,000 | ---D | C]
     Macrium -> C:\Program Files\Macrium -> [2010/12/12 00:27:12 | 000,000,000 | ---D | C]
     Macrium Drive Imaging -> C:\Documents and Settings\Administrator\Desktop\Macrium Drive Imaging -> [2010/12/11 22:35:16 | 000,000,000 | ---D | C]
     
    [Files/Folders - Modified Within 30 Days]
     fidbox.dat -> C:\WINDOWS\System32\drivers\fidbox.dat -> [2011/01/09 16:28:47 | 1858,269,216 | -HS- | M] ()
     OTS.exe -> C:\Documents and Settings\Administrator\Desktop\OTS.exe -> [2011/01/09 16:17:13 | 000,642,560 | ---- | M] (OldTimer Tools)
     vsconfig.xml -> C:\WINDOWS\System32\vsconfig.xml -> [2011/01/09 16:09:30 | 000,351,220 | -H-- | M] ()
     wpa.dbl -> C:\WINDOWS\System32\wpa.dbl -> [2011/01/09 16:09:21 | 000,002,206 | ---- | M] ()
     bootstat.dat -> C:\WINDOWS\bootstat.dat -> [2011/01/09 16:08:36 | 000,002,048 | --S- | M] ()
     lvuvc.hs -> C:\WINDOWS\System32\drivers\lvuvc.hs -> [2011/01/09 16:08:26 | 000,000,000 | ---- | M] ()
     logiflt.iad -> C:\WINDOWS\System32\drivers\logiflt.iad -> [2011/01/09 16:08:24 | 000,000,000 | ---- | M] ()
     fidbox.idx -> C:\WINDOWS\System32\drivers\fidbox.idx -> [2011/01/09 12:14:52 | 021,776,132 | -HS- | M] ()
     H.S. Correspondence.doc -> C:\Documents and Settings\Administrator\My Documents\H.S. Correspondence.doc -> [2011/01/08 23:46:25 | 000,019,456 | ---- | M] ()
     zllictbl.dat -> C:\WINDOWS\System32\zllictbl.dat -> [2011/01/08 21:48:51 | 000,004,212 | -H-- | M] ()
     MBRCheck.exe -> C:\Documents and Settings\Administrator\Desktop\MBRCheck.exe -> [2011/01/08 20:21:43 | 000,080,384 | ---- | M] ()
     hosts -> C:\WINDOWS\System32\drivers\etc\hosts -> [2011/01/08 17:37:01 | 000,000,027 | ---- | M] ()
     puppy.exe -> C:\Documents and Settings\Administrator\Desktop\puppy.exe -> [2011/01/08 17:19:10 | 004,150,305 | R--- | M] ()
     Rogue Pallidium infection.doc -> C:\Documents and Settings\Administrator\My Documents\Rogue Pallidium infection.doc -> [2011/01/08 13:45:03 | 000,033,792 | ---- | M] ()
     Nano Abstract.doc -> C:\Documents and Settings\Administrator\My Documents\Nano Abstract.doc -> [2011/01/06 15:35:26 | 000,022,528 | ---- | M] ()
     HPFRU Task #Hewlett-Packard#hp officejet 7100 series#1222789422.job -> C:\WINDOWS\tasks\HPFRU Task #Hewlett-Packard#hp officejet 7100 series#1222789422.job -> [2011/01/06 11:45:00 | 000,000,392 | ---- | M] ()
     Acton Networkers.doc -> C:\Documents and Settings\Administrator\Desktop\Acton Networkers.doc -> [2011/01/06 11:41:34 | 000,022,528 | ---- | M] ()
     HPFRU Task #Hewlett-Packard#hp officejet 7100 series#1172033397.job -> C:\WINDOWS\tasks\HPFRU Task #Hewlett-Packard#hp officejet 7100 series#1172033397.job -> [2011/01/05 23:55:01 | 000,000,408 | ---- | M] ()
     DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> [2011/01/05 21:20:38 | 000,049,152 | ---- | M] ()
     AppleSoftwareUpdate.job -> C:\WINDOWS\tasks\AppleSoftwareUpdate.job -> [2011/01/03 22:42:03 | 000,000,284 | ---- | M] ()
     In Harm's Way- Developmental Toxicants by PSR.pdf -> C:\Documents and Settings\Administrator\Desktop\In Harm's Way- Developmental Toxicants by PSR.pdf -> [2011/01/02 00:14:57 | 002,771,889 | ---- | M] ()
     Secunia PSI Tray.lnk.disabled -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk.disabled -> [2010/12/31 10:07:06 | 000,000,753 | ---- | M] ()
     2010-12-30 Malware.doc -> C:\Documents and Settings\Administrator\My Documents\2010-12-30 Malware.doc -> [2010/12/30 19:46:09 | 000,084,480 | ---- | M] ()
     Backup of 2010-12-30 Malware.wbk -> C:\Documents and Settings\Administrator\My Documents\Backup of 2010-12-30 Malware.wbk -> [2010/12/30 19:45:56 | 000,083,456 | ---- | M] ()
     Malwarebytes' Anti-Malware.lnk -> C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk -> [2010/12/29 19:50:54 | 000,000,802 | ---- | M] ()
     avipbb.sys -> C:\WINDOWS\System32\drivers\avipbb.sys -> [2010/12/29 19:49:27 | 000,135,096 | ---- | M] (Avira GmbH)
     Sonia cache cleaning.doc -> C:\Documents and Settings\Administrator\My Documents\Sonia cache cleaning.doc -> [2010/12/21 00:56:28 | 000,019,968 | ---- | M] ()
     mbamswissarmy.sys -> C:\WINDOWS\System32\drivers\mbamswissarmy.sys -> [2010/12/20 18:09:00 | 000,038,224 | ---- | M] (Malwarebytes Corporation)
     mbam.sys -> C:\WINDOWS\System32\drivers\mbam.sys -> [2010/12/20 18:08:40 | 000,020,952 | ---- | M] (Malwarebytes Corporation)
     Genealogy Research Plan for Hess.doc -> C:\Documents and Settings\Administrator\My Documents\Genealogy Research Plan for Hess.doc -> [2010/12/19 19:33:03 | 003,229,696 | ---- | M] ()
     Backup of Genealogy Research Plan for Hess.wbk -> C:\Documents and Settings\Administrator\My Documents\Backup of Genealogy Research Plan for Hess.wbk -> [2010/12/19 19:32:04 | 003,229,696 | ---- | M] ()
     FNTCACHE.DAT -> C:\WINDOWS\System32\FNTCACHE.DAT -> [2010/12/15 10:35:20 | 000,130,888 | ---- | M] ()
     imsins.BAK -> C:\WINDOWS\imsins.BAK -> [2010/12/14 22:58:24 | 000,001,393 | ---- | M] ()
     Spybot - Search & Destroy.lnk -> C:\Documents and Settings\Administrator\Desktop\Spybot - Search & Destroy.lnk -> [2010/12/12 23:38:03 | 000,000,963 | ---- | M] ()
     hosts.20110108-132159.backup -> C:\WINDOWS\System32\drivers\etc\hosts.20110108-132159.backup -> [2010/12/12 23:00:44 | 000,426,196 | R--- | M] ()
     Paragon Backup & Recovery™ 2010 Free Advanced.lnk -> C:\Documents and Settings\Administrator\Desktop\Paragon Backup & Recovery™ 2010 Free Advanced.lnk -> [2010/12/12 01:14:37 | 000,002,291 | ---- | M] ()
     Macrium Reflect.lnk -> C:\Documents and Settings\Administrator\Desktop\Macrium Reflect.lnk -> [2010/12/12 00:27:14 | 000,002,070 | ---- | M] ()
     Paragon Drive Imaging manual_BR2010FreeAd.pdf -> C:\Documents and Settings\Administrator\Desktop\Paragon Drive Imaging manual_BR2010FreeAd.pdf -> [2010/12/11 22:22:15 | 005,780,633 | ---- | M] ()
     Disk Imaging -Gizmo blog p.4.doc -> C:\Documents and Settings\Administrator\Desktop\Disk Imaging -Gizmo blog p.4.doc -> [2010/12/11 22:09:55 | 000,075,264 | ---- | M] ()
     1 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp -> 
     
    [Files - No Company Name]
     H.S. Correspondence.doc -> C:\Documents and Settings\Administrator\My Documents\H.S. Correspondence.doc -> [2011/01/08 22:39:01 | 000,019,456 | ---- | C] ()
     MBRCheck.exe -> C:\Documents and Settings\Administrator\Desktop\MBRCheck.exe -> [2011/01/08 20:21:42 | 000,080,384 | ---- | C] ()
     PEV.exe -> C:\WINDOWS\PEV.exe -> [2011/01/08 17:27:31 | 000,256,512 | ---- | C] ()
     sed.exe -> C:\WINDOWS\sed.exe -> [2011/01/08 17:27:31 | 000,098,816 | ---- | C] ()
     MBR.exe -> C:\WINDOWS\MBR.exe -> [2011/01/08 17:27:31 | 000,089,088 | ---- | C] ()
     grep.exe -> C:\WINDOWS\grep.exe -> [2011/01/08 17:27:31 | 000,080,412 | ---- | C] ()
     zip.exe -> C:\WINDOWS\zip.exe -> [2011/01/08 17:27:31 | 000,068,096 | ---- | C] ()
     puppy.exe -> C:\Documents and Settings\Administrator\Desktop\puppy.exe -> [2011/01/08 17:19:09 | 004,150,305 | R--- | C] ()
     Rogue Pallidium infection.doc -> C:\Documents and Settings\Administrator\My Documents\Rogue Pallidium infection.doc -> [2011/01/08 13:28:13 | 000,033,792 | ---- | C] ()
     Nano Abstract.doc -> C:\Documents and Settings\Administrator\My Documents\Nano Abstract.doc -> [2011/01/06 14:56:07 | 000,022,528 | ---- | C] ()
     Acton Networkers.doc -> C:\Documents and Settings\Administrator\Desktop\Acton Networkers.doc -> [2011/01/06 11:33:33 | 000,022,528 | ---- | C] ()
     In Harm's Way- Developmental Toxicants by PSR.pdf -> C:\Documents and Settings\Administrator\Desktop\In Harm's Way- Developmental Toxicants by PSR.pdf -> [2011/01/02 00:14:57 | 002,771,889 | ---- | C] ()
     Secunia PSI Tray.lnk.disabled -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk.disabled -> [2010/12/31 10:07:06 | 000,000,753 | ---- | C] ()
     2010-12-30 Malware.doc -> C:\Documents and Settings\Administrator\My Documents\2010-12-30 Malware.doc -> [2010/12/30 19:30:35 | 000,084,480 | ---- | C] ()
     Backup of 2010-12-30 Malware.wbk -> C:\Documents and Settings\Administrator\My Documents\Backup of 2010-12-30 Malware.wbk -> [2010/12/30 19:30:35 | 000,083,456 | ---- | C] ()
     Malwarebytes' Anti-Malware.lnk -> C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk -> [2010/12/29 19:50:54 | 000,000,802 | ---- | C] ()
     Sonia cache cleaning.doc -> C:\Documents and Settings\Administrator\My Documents\Sonia cache cleaning.doc -> [2010/12/21 00:56:28 | 000,019,968 | ---- | C] ()
     Genealogy Research Plan for Hess.doc -> C:\Documents and Settings\Administrator\My Documents\Genealogy Research Plan for Hess.doc -> [2010/12/18 22:52:42 | 003,229,696 | ---- | C] ()
     Backup of Genealogy Research Plan for Hess.wbk -> C:\Documents and Settings\Administrator\My Documents\Backup of Genealogy Research Plan for Hess.wbk -> [2010/12/18 22:52:42 | 003,229,696 | ---- | C] ()
     Paragon Backup & Recovery™ 2010 Free Advanced.lnk -> C:\Documents and Settings\Administrator\Desktop\Paragon Backup & Recovery™ 2010 Free Advanced.lnk -> [2010/12/12 01:14:37 | 000,002,291 | ---- | C] ()
     Macrium Reflect.lnk -> C:\Documents and Settings\Administrator\Desktop\Macrium Reflect.lnk -> [2010/12/12 00:27:14 | 000,002,070 | ---- | C] ()
     Paragon Drive Imaging manual_BR2010FreeAd.pdf -> C:\Documents and Settings\Administrator\Desktop\Paragon Drive Imaging manual_BR2010FreeAd.pdf -> [2010/12/11 22:22:15 | 005,780,633 | ---- | C] ()
     Disk Imaging -Gizmo blog p.4.doc -> C:\Documents and Settings\Administrator\Desktop\Disk Imaging -Gizmo blog p.4.doc -> [2010/12/11 22:09:21 | 000,075,264 | ---- | C] ()
     KPD.INI -> C:\WINDOWS\KPD.INI -> [2010/08/31 23:43:42 | 000,000,064 | ---- | C] ()
     LogiDPP.dll -> C:\WINDOWS\System32\LogiDPP.dll -> [2010/07/27 03:03:20 | 010,829,656 | ---- | C] ()
     DevManagerCore.dll -> C:\WINDOWS\System32\DevManagerCore.dll -> [2010/07/27 03:03:18 | 000,290,648 | ---- | C] ()
     iKeyLFT2.dll -> C:\WINDOWS\System32\drivers\iKeyLFT2.dll -> [2010/05/07 17:46:36 | 000,014,168 | ---- | C] ()
     LVPr2Mon.sys -> C:\WINDOWS\System32\drivers\LVPr2Mon.sys -> [2010/05/07 17:43:30 | 000,025,824 | ---- | C] ()
     JUNO.INI -> C:\WINDOWS\JUNO.INI -> [2010/01/09 17:54:16 | 000,000,309 | ---- | C] ()
     lvcoinst.ini -> C:\WINDOWS\System32\lvcoinst.ini -> [2009/12/29 22:26:42 | 000,090,411 | ---- | C] ()
     DVEdit.INI -> C:\WINDOWS\DVEdit.INI -> [2009/12/13 18:59:53 | 000,000,000 | ---- | C] ()
     trc.dll -> C:\WINDOWS\System32\trc.dll -> [2009/12/13 18:28:26 | 000,122,880 | ---- | C] ()
     dsp_trc.dll -> C:\WINDOWS\System32\dsp_trc.dll -> [2009/12/13 18:28:16 | 000,081,920 | ---- | C] ()
     IcdSptSvps.dll -> C:\WINDOWS\System32\IcdSptSvps.dll -> [2009/12/13 18:28:16 | 000,024,576 | ---- | C] ()
     ztvunace26.dll -> C:\WINDOWS\System32\ztvunace26.dll -> [2009/09/26 08:24:20 | 000,077,312 | ---- | C] ()
     BANTExt.sys -> C:\WINDOWS\System32\drivers\BANTExt.sys -> [2009/06/30 21:10:28 | 000,003,840 | ---- | C] ()
     libeay32_0.9.6l.dll -> C:\WINDOWS\System32\libeay32_0.9.6l.dll -> [2008/07/10 10:47:39 | 000,796,584 | ---- | C] ()
     HP_48BitScanUpdatePatch.ini -> C:\WINDOWS\HP_48BitScanUpdatePatch.ini -> [2008/06/30 17:19:36 | 000,000,214 | ---- | C] ()
     PanelExe.INI -> C:\WINDOWS\PanelExe.INI -> [2008/05/27 14:06:39 | 000,000,000 | ---- | C] ()
     EngineExe.INI -> C:\WINDOWS\EngineExe.INI -> [2008/05/27 14:06:38 | 000,000,000 | ---- | C] ()
     AlbumExe.INI -> C:\WINDOWS\AlbumExe.INI -> [2008/05/27 14:01:41 | 000,000,000 | ---- | C] ()
     FileMgrExe.INI -> C:\WINDOWS\FileMgrExe.INI -> [2008/05/27 14:00:15 | 000,000,000 | ---- | C] ()
     PhoneBkExe.INI -> C:\WINDOWS\PhoneBkExe.INI -> [2008/05/27 13:57:25 | 000,000,216 | ---- | C] ()
     streamhlp.dll -> C:\WINDOWS\System32\streamhlp.dll -> [2008/02/10 10:57:22 | 000,059,392 | R--- | C] ()
     addr_file.html -> C:\Documents and Settings\All Users\Application Data\addr_file.html -> [2007/12/17 20:57:26 | 000,000,305 | ---- | C] ()
     bdoscandellang.ini -> C:\WINDOWS\bdoscandellang.ini -> [2007/10/25 10:26:48 | 000,000,453 | ---- | C] ()
     DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> [2007/06/28 22:22:00 | 000,049,152 | ---- | C] ()
     HipEnforceFrontend.settings -> C:\Documents and Settings\NetworkService\Local Settings\Application Data\HipEnforceFrontend.settings -> [2007/03/19 03:18:54 | 000,000,730 | ---- | C] ()
     HipEnforceFrontend.settings -> C:\Documents and Settings\Administrator\Local Settings\Application Data\HipEnforceFrontend.settings -> [2007/03/18 22:52:55 | 000,000,718 | ---- | C] ()
     Sandboxie.ini -> C:\WINDOWS\Sandboxie.ini -> [2007/03/18 18:53:48 | 000,003,156 | ---- | C] ()
     QTSBandwidthCache -> C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache -> [2007/03/12 20:04:20 | 000,001,755 | ---- | C] ()
     sr2spec.ini -> C:\WINDOWS\System32\sr2spec.ini -> [2007/03/01 18:19:54 | 000,000,210 | ---- | C] ()
     MPLAYER.INI -> C:\WINDOWS\MPLAYER.INI -> [2007/02/26 21:05:56 | 000,000,082 | ---- | C] ()
     visorusb.dll -> C:\WINDOWS\System32\visorusb.dll -> [2007/02/26 17:38:38 | 000,007,812 | ---- | C] ()
     WORDPAD.INI -> C:\WINDOWS\WORDPAD.INI -> [2007/02/22 20:20:00 | 000,000,754 | ---- | C] ()
     ODBC.INI -> C:\WINDOWS\ODBC.INI -> [2007/02/21 10:42:32 | 000,000,611 | ---- | C] ()
     e100bmsg.dll -> C:\WINDOWS\System32\e100bmsg.dll -> [2007/02/21 04:02:19 | 000,012,288 | ---- | C] ()
     wininit.ini -> C:\WINDOWS\wininit.ini -> [2007/02/20 23:58:36 | 000,001,502 | ---- | C] ()
     DevMgr.ini -> C:\WINDOWS\DevMgr.ini -> [2007/02/20 23:50:01 | 000,004,398 | ---- | C] ()
     Hposcv07.INI -> C:\WINDOWS\Hposcv07.INI -> [2007/02/20 23:49:37 | 000,000,020 | ---- | C] ()
     ODBCINST.INI -> C:\WINDOWS\ODBCINST.INI -> [2007/02/18 23:35:31 | 000,004,346 | ---- | C] ()
     px.ini -> C:\WINDOWS\System32\px.ini -> [2003/11/20 16:39:58 | 000,000,000 | ---- | C] ()
     win2000.dll -> C:\WINDOWS\System32\win2000.dll -> [2003/06/25 01:38:06 | 000,159,744 | ---- | C] ()
     XLREC.DLL -> C:\WINDOWS\System32\XLREC.DLL -> [1997/07/11 00:00:00 | 000,031,232 | ---- | C] ()
     RECNCL.DLL -> C:\WINDOWS\System32\RECNCL.DLL -> [1997/07/11 00:00:00 | 000,025,600 | ---- | C] ()
     ODBCSTF.DLL -> C:\WINDOWS\System32\ODBCSTF.DLL -> [1997/07/11 00:00:00 | 000,022,016 | ---- | C] ()
     DOCOBJ.DLL -> C:\WINDOWS\System32\DOCOBJ.DLL -> [1997/07/11 00:00:00 | 000,022,016 | ---- | C] ()
     HLINKPRX.DLL -> C:\WINDOWS\System32\HLINKPRX.DLL -> [1997/07/11 00:00:00 | 000,012,288 | ---- | C] ()
     
    [Alternate Data Streams]
    @Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1CA73D29
    @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9
    @Alternate Data Stream - 136 bytes -> C:\Documents and Settings\Administrator\My Documents\MyProject8371.avery:SummaryInformation
    @Alternate Data Stream - 148 bytes -> C:\Documents and Settings\Administrator\Desktop\hbedv.key:SummaryInformation
    @Alternate Data Stream - 172 bytes -> C:\psfile.exe:SummaryInformation
    < End of report >
    
     
  12. rk233

    rk233 Thread Starter

    Joined:
    Feb 7, 2007
    Messages:
    84
    I re-read the post. I pasted it instead by mistake so here is the attached version.
     

    Attached Files:

    • OTS.Txt
      File size:
      121.2 KB
      Views:
      0
  13. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,003
    Start OTS. Copy/Paste the information in the code box below into the pane where it says "Paste fix here" and then click the "Run Fix" button.

    The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new HijackThis log please.
    Code:
    [Kill All Processes]
    [Unregister Dlls]
    [Driver Services - Safe List]
    NY -> (TMPassthruMP) TMPassthruMP [Kernel | On_Demand | Stopped] -> C:\WINDOWS\System32\DRIVERS\TMPassthru.sys
    NY -> (MEMSWEEP2) MEMSWEEP2 [Kernel | On_Demand | Stopped] -> C:\WINDOWS\System32\3D.tmp
    NY -> (Lbd) Lbd [File_System | Boot | Stopped] -> C:\WINDOWS\System32\DRIVERS\Lbd.sys
    [Registry - Safe List]
    < Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
    YN -> CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value error.]
    YN -> CmdMapping\\"{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}" [HKLM] -> [Reg Error: Key error.]
    YN -> CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] -> [Reg Error: Key error.]
    < Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    YY -> "C:\Program Files\Grisoft\AVG7\avgamsvr.exe" -> C:\Program Files\Grisoft\AVG7\avgamsvr.exe [C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe]
    YY -> "C:\Program Files\Grisoft\AVG7\avgemc.exe" -> C:\Program Files\Grisoft\AVG7\avgemc.exe [C:\Program Files\Grisoft\AVG7\avgemc.exe:*:Enabled:avgemc.exe]
    [Files/Folders - Modified Within 30 Days]
    NY ->  1 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
    [Alternate Data Streams]
    NY -> @Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1CA73D29
    NY -> @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9
    [Empty Temp Folders]
    [Start Explorer]
    [Reboot]
     
  14. rk233

    rk233 Thread Starter

    Joined:
    Feb 7, 2007
    Messages:
    84
    I disconnected my computer from the internet then disabled my firewall and antivirus programs before running the fix. The fix and reboot went well. Firewall and AV restarted.

    I've posted my OTC log and HijackThis log below.

    Besides deleting my AVG and certain entries associated with it what did you do? What have you found from my logs etc.?


    I have looked through my C:programs folder and I've found a number of folders/programs that probably can be deleted. I assume that most can be done via Add/Remove programs. Somehow not all folders may have been removed after uninstalling some programs.

    Among the program folders that I can probably get rid of are:
    BCL Technologies (What is this? I might need it)
    CompPlusApplications (What is this? I might need it)
    Grisoft
    Lavasoft
    Norton Security Scan
    Panda Security
    ThreatExpert Memory Scanner

    There may be remnants from these programs in my registry too.
    Please advise how to handle this.

    Also, I've noticed that my HijackThis log file is preceded by an Internet Explorer icon instead of a Notepad icon. How do I change the icon for this file? I used the HijackThis from Trend Micro.

    Thanks for your assistance.

    All Processes Killed
    [Driver Services - Safe List]
    Service TMPassthruMP stopped successfully!
    Service TMPassthruMP deleted successfully!
    File C:\WINDOWS\System32\DRIVERS\TMPassthru.sys not found.
    Service MEMSWEEP2 stopped successfully!
    Service MEMSWEEP2 deleted successfully!
    File C:\WINDOWS\System32\3D.tmp not found.
    Service Lbd stopped successfully!
    Service Lbd deleted successfully!
    File C:\WINDOWS\System32\DRIVERS\Lbd.sys not found.
    [Registry - Safe List]
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ deleted successfully.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}\ not found.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FB5F1910-F110-11d2-BB9E-00C04F795683}\ not found.
    Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Grisoft\AVG7\avgamsvr.exe deleted successfully.
    C:\Program Files\Grisoft\AVG7\avgamsvr.exe moved successfully.
    Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Grisoft\AVG7\avgemc.exe deleted successfully.
    C:\Program Files\Grisoft\AVG7\avgemc.exe moved successfully.
    [Files/Folders - Modified Within 30 Days]
    [Alternate Data Streams]
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:1CA73D29 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9 deleted successfully.
    [Empty Temp Folders]


    User: Administrator
    ->Temp folder emptied: 99862 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 64599853 bytes
    ->Flash cache emptied: 5205 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 3577 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 62.00 mb

    < End of fix log >
    OTS by OldTimer - Version 3.1.41.0 fix logfile created on 01112011_224323

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
    ==================

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 10:52:05 PM, on 1/11/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\ZoneAlarm\zlclient.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe
    C:\Documents and Settings\Administrator\Desktop\Emergency Malware programs 3 19 07\analyzeme122910.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKCU\..\Run: [OpenDNS Updater] "C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe" /autostart
    O4 - S-1-5-18 Startup: Logitech . Product Registration.lnk.disabled (User 'SYSTEM')
    O4 - S-1-5-18 Startup: Secunia PSI (BETA).lnk.disabled (User 'SYSTEM')
    O4 - .DEFAULT Startup: Logitech . Product Registration.lnk.disabled (User 'Default user')
    O4 - .DEFAULT Startup: Secunia PSI (BETA).lnk.disabled (User 'Default user')
    O4 - Startup: Logitech . Product Registration.lnk.disabled
    O4 - Startup: Secunia PSI (BETA).lnk.disabled
    O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 2.lnk.disabled
    O4 - Global Startup: Secunia PSI Tray.lnk.disabled
    O4 - Global Startup: WD Backup Monitor.lnk.disabled
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O15 - Trusted Zone: http://download.windowsupdate.com
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1182743078562
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5434DCB3-376D-4633-89EB-AE97A9EB089D}: NameServer = 208.67.222.222,208.67.220.220
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: Secunia PSI Agent - Secunia - C:\Program Files\Secunia\PSI\PSIA.exe
    O23 - Service: Secunia Update Agent - Secunia - C:\Program Files\Secunia\PSI\sua.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 6942 bytes
     
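    The name-resolution entries of the HijackThis log above are the ones that decide whether a site like the airline's resolves to the right server, so here is a small triage script for them, added as an example (it is not part of the thread and not a HijackThis tool). The sample lines are a constructed subset of the posted log plus three constructed lines, and treating the OpenDNS resolvers as the expected O17 values is an assumption drawn from the OpenDNS Updater autostart in the log.

```python
"""Triage the name-resolution entries of a HijackThis v2 log.

The thread's symptom was an airline site resolving to the wrong server.
Three HijackThis sections decide where a hostname ends up: O1 (hosts-file
overrides), O10 (Winsock LSP modules, which see every socket call) and
O17 (DNS servers bound to an interface). This parses those entries and
flags what a reviewer should look at first.
"""
import re
from dataclasses import dataclass

# ASSUMPTION: the log shows an OpenDNS Updater autostart, so the OpenDNS
# resolvers are the values this machine is expected to carry in O17.
EXPECTED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}
# Addresses a hosts-file line may legitimately point a name at (sinkhole).
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
O1_RE = re.compile(r"^Hosts: (\S+)\s+(\S+)")
O17_RE = re.compile(r"NameServer = (.+)$")

# Constructed sample: the first four lines are taken from the log posted in
# the thread; the last three are constructed (TEST-NET addresses, all-zero
# GUID) to exercise the hijack cases the parser must catch.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKCU\..\Run: [OpenDNS Updater] "C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe" /autostart
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{5434DCB3-376D-4633-89EB-AE97A9EB089D}: NameServer = 208.67.222.222,208.67.220.220
O1 - Hosts: 192.0.2.10 www.airline.example
O1 - Hosts: 127.0.0.1 ads.example
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.53
"""


@dataclass
class Finding:
    severity: str  # "HIGH", "REVIEW" or "INFO"
    code: str      # HijackThis section, e.g. "O17"
    reason: str
    line: str


def parse_entries(log_text):
    """Return (code, body) pairs for every 'Rn - ...' / 'On - ...' line."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(log_text, expected_resolvers=EXPECTED_RESOLVERS):
    """Flag O1/O10/O17 entries; other sections are left to the reviewer."""
    findings = []
    for code, body in parse_entries(log_text):
        line = f"{code} - {body}"
        if code == "O1":
            m = O1_RE.match(body)
            if m and m.group(1) in SINKHOLE_ADDRS:
                findings.append(Finding("INFO", code, f"{m.group(2)} sinkholed by hosts file", line))
            elif m:
                findings.append(Finding("HIGH", code, f"{m.group(2)} redirected to {m.group(1)} by hosts file", line))
            else:
                findings.append(Finding("REVIEW", code, "unparsed hosts entry", line))
        elif code == "O10":
            # HijackThis cannot vouch for LSP DLLs; each must be identified by hand.
            findings.append(Finding("REVIEW", code, "Winsock LSP module, identify the DLL", line))
        elif code == "O17":
            m = O17_RE.search(body)
            if not m:
                findings.append(Finding("REVIEW", code, "unparsed NameServer entry", line))
                continue
            servers = [s.strip() for s in m.group(1).split(",") if s.strip()]
            rogue = [s for s in servers if s not in expected_resolvers]
            if rogue:
                findings.append(Finding("HIGH", code, "unexpected DNS server(s): " + ", ".join(rogue), line))
            else:
                findings.append(Finding("INFO", code, "DNS servers match the expected resolvers", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.code:4} {f.reason}")
```

Run against a full log the script skips the O2/O4/O23 sections on purpose; those still need the usual manual review, it only answers the narrower question of who controls name resolution.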
  15. rk233

    rk233 Thread Starter

    Joined:
    Feb 7, 2007
    Messages:
    84
    I was just recently doing a search on Google and my Malwarebytes program blocked an (outgoing) connection attempt to (78.46.104.42).

    How can I find out what program/process generated this outgoing (malware) request? What is this site?

    I went to WHOIS and it seems it came from Germany. Could this be from a pdf file read online?

    I go to WOT green circle sites when I search on Google to reduce my risk of going to a bad site.
     
Short URL to this thread: https://techguy.org/971704