TechSpot

Explorer.exe and Winlogon.exe trojan - 8 steps followed

By Will40
Oct 27, 2010
  1. Hello Guys,
    As with others, I have the Bamital trojan. Norton picked up the explorer infection & MBAM picked up the winlogon... files attached...

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4950

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    27/10/2010 13:05:39
    mbam-log-2010-10-27 (13-05-39).txt

    Scan type: Quick scan
    Objects scanned: 139254
    Time elapsed: 7 minute(s), 57 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    GMER 1.0.15.15477 - http://www.gmer.net
    Rootkit scan 2010-10-27 15:21:01
    Windows 5.1.2600 Service Pack 3
    Running: jw5zbqq1.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fgrcypog.sys


    ---- System - GMER 1.0.15 ----

    SSDT 8561B050 ZwAlertResumeThread
    SSDT 85620438 ZwAlertThread
    SSDT 855EB740 ZwAllocateVirtualMemory
    SSDT 85693050 ZwAssignProcessToJobObject
    SSDT 85E20BF0 ZwConnectPort
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xF5D2D210]
    SSDT 855E0580 ZwCreateMutant
    SSDT 855DB0A0 ZwCreateSymbolicLinkObject
    SSDT 8665E700 ZwCreateThread
    SSDT 85618050 ZwDebugActiveProcess
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xF5D2D490]
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xF5D2D9F0]
    SSDT 855EB9D8 ZwDuplicateObject
    SSDT 855E9FC0 ZwFreeVirtualMemory
    SSDT 85695050 ZwImpersonateAnonymousToken
    SSDT 85CAC050 ZwImpersonateThread
    SSDT 85DD4C10 ZwLoadDriver
    SSDT 866199B8 ZwMapViewOfSection
    SSDT 85CAB050 ZwOpenEvent
    SSDT 855EBC78 ZwOpenProcess
    SSDT 85CB0050 ZwOpenProcessToken
    SSDT 85694050 ZwOpenSection
    SSDT 855EBB28 ZwOpenThread
    SSDT 855DB6F0 ZwProtectVirtualMemory
    SSDT 8561C1F0 ZwResumeThread
    SSDT 85CAE910 ZwSetContextThread
    SSDT 855E9B80 ZwSetInformationProcess
    SSDT 85CAA050 ZwSetSystemInformation
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xF5D2DC40]
    SSDT 85619050 ZwSuspendProcess
    SSDT 8561D1F0 ZwSuspendThread
    SSDT 8561F2F0 ZwTerminateProcess
    SSDT 85699050 ZwTerminateThread
    SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xF2D7E6D0]
    SSDT 863BBC58 ZwUnmapViewOfSection
    SSDT 855EB3B0 ZwWriteVirtualMemory

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!ZwYieldExecution + 3CA 804E4C24 4 Bytes JMP C3E2D1F3
    ? SYMDS.SYS The system cannot find the file specified. !
    ? SYMEFA.SYS The system cannot find the file specified. !
    ? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Documents and Settings\Owner\Desktop\jw5zbqq1.exe[1020] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
    .text C:\Documents and Settings\Owner\Desktop\jw5zbqq1.exe[1020] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI}
    .text C:\Documents and Settings\Owner\Desktop\jw5zbqq1.exe[1020] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
    .text C:\Documents and Settings\Owner\Desktop\jw5zbqq1.exe[1020] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f}
    .text C:\Documents and Settings\Owner\Desktop\jw5zbqq1.exe[1020] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00B30001
    .text C:\Documents and Settings\Owner\Desktop\jw5zbqq1.exe[1020] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
    .text C:\Documents and Settings\Owner\Desktop\jw5zbqq1.exe[1020] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A
    .text C:\Documents and Settings\Owner\Desktop\jw5zbqq1.exe[1020] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes JMP 5F100F5A
    .text C:\Documents and Settings\Owner\Desktop\jw5zbqq1.exe[1020] ADVAPI32.dll!CreateProcessWithLogonW 77E16005 3 Bytes [FF, 25, 1E]
    .text C:\Documents and Settings\Owner\Desktop\jw5zbqq1.exe[1020] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16009 2 Bytes [05, 5F]
    .text C:\Documents and Settings\Owner\Desktop\jw5zbqq1.exe[1020] ADVAPI32.dll!CreateServiceA 77E37219 6 Bytes JMP 5F190F5A
    .text C:\Documents and Settings\Owner\Desktop\jw5zbqq1.exe[1020] ADVAPI32.dll!CreateServiceW 77E373B1 6 Bytes JMP 5F1C0F5A
    .text C:\WINDOWS\Explorer.EXE[1536] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 02B20001
    .text C:\WINDOWS\Explorer.EXE[1536] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
    .text C:\WINDOWS\Explorer.EXE[1536] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\Explorer.EXE[1536] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 00B48328
    .text C:\WINDOWS\Explorer.EXE[1536] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes JMP 5F100F5A
    .text C:\WINDOWS\Explorer.EXE[1536] ADVAPI32.dll!CreateProcessWithLogonW 77E16005 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\Explorer.EXE[1536] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16009 2 Bytes [05, 5F]
    .text C:\WINDOWS\system32\taskswitch.exe[2128] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\taskswitch.exe[2128] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI}
    .text C:\WINDOWS\system32\taskswitch.exe[2128] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\taskswitch.exe[2128] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f}
    .text C:\WINDOWS\system32\taskswitch.exe[2128] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 009C0001
    .text C:\WINDOWS\system32\taskswitch.exe[2128] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
    .text C:\WINDOWS\system32\taskswitch.exe[2128] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\taskswitch.exe[2128] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes JMP 5F100F5A
    .text C:\WINDOWS\system32\taskswitch.exe[2128] ADVAPI32.dll!CreateProcessWithLogonW 77E16005 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\taskswitch.exe[2128] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16009 2 Bytes [05, 5F]
    .text C:\WINDOWS\system32\taskswitch.exe[2128] ADVAPI32.dll!CreateServiceA 77E37219 6 Bytes JMP 5F190F5A
    .text C:\WINDOWS\system32\taskswitch.exe[2128] ADVAPI32.dll!CreateServiceW 77E373B1 6 Bytes JMP 5F1C0F5A
    .text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI}
    .text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f}
    .text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00A60001
    .text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
    .text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes JMP 5F100F5A
    .text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] ADVAPI32.dll!CreateProcessWithLogonW 77E16005 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16009 2 Bytes [05, 5F]
    .text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] ADVAPI32.dll!CreateServiceA 77E37219 6 Bytes JMP 5F190F5A
    .text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] ADVAPI32.dll!CreateServiceW 77E373B1 6 Bytes JMP 5F1C0F5A
    .text C:\WINDOWS\system32\ctfmon.exe[2160] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\ctfmon.exe[2160] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI}
    .text C:\WINDOWS\system32\ctfmon.exe[2160] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\ctfmon.exe[2160] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f}
    .text C:\WINDOWS\system32\ctfmon.exe[2160] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00AD0001
    .text C:\WINDOWS\system32\ctfmon.exe[2160] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
    .text C:\WINDOWS\system32\ctfmon.exe[2160] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\ctfmon.exe[2160] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes JMP 5F100F5A
    .text C:\WINDOWS\system32\ctfmon.exe[2160] ADVAPI32.dll!CreateProcessWithLogonW 77E16005 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\ctfmon.exe[2160] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16009 2 Bytes [05, 5F]
    .text C:\WINDOWS\system32\ctfmon.exe[2160] ADVAPI32.dll!CreateServiceA 77E37219 6 Bytes JMP 5F190F5A
    .text C:\WINDOWS\system32\ctfmon.exe[2160] ADVAPI32.dll!CreateServiceW 77E373B1 6 Bytes JMP 5F1C0F5A
    .text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI}
    .text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f}
    .text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00B80001
    .text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
    .text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes JMP 5F100F5A
    .text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] ADVAPI32.dll!CreateProcessWithLogonW 77E16005 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16009 2 Bytes [05, 5F]
    .text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] ADVAPI32.dll!CreateServiceA 77E37219 6 Bytes JMP 5F190F5A
    .text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] ADVAPI32.dll!CreateServiceW 77E373B1 6 Bytes JMP 5F1C0F5A

    ---- Devices - GMER 1.0.15 ----

    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
    Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip mdvrmng.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp mdvrmng.sys
    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp mdvrmng.sys
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp mdvrmng.sys

    Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

    AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)

    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


    DDS (Ver_10-10-21.02) - NTFSx86
    Run by Will at 15:22:37.68 on 27/10/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.353.1033.18.1023.429 [GMT 1:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\IObit\IObit Security 360\IS360srv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
    C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\UPHClean\uphclean.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe
    C:\WINDOWS\system32\taskswitch.exe
    C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
    C:\Program Files\3 Mobile Broadband\3Connect\AutoUpdateSrv.exe
    C:\Documents and Settings\Owner\Desktop\dds.scr
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uSearch Page = hxxp://www.google.com
    uStart Page = hxxp://www.google.com/
    uSearch Bar = hxxp://www.google.com/ie
    uDefault_Search_URL = hxxp://www.google.com/ie
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mURLSearchHooks: MHURLSearchHook Class: {1c4ab6a5-595f-4e86-b15f-f93cce2bbd48} - c:\program files\family toolbar\tbhelper.dll
    mWinlogon: SfcDisable=-99 (0xffffff9d)
    BHO: MHTBPos00 Class: {0c37b053-fd68-456a-82e1-d788ee342e6f} - c:\program files\family toolbar\tbcore3.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.8.0.5\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.8.0.5\IPSBHO.DLL
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: CMySite Class: {d62ec836-bf1e-4cac-81be-fb9179835d8e} - c:\program files\family toolbar\mhxpcomi.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    TB: Family Toolbar: {fd2fd708-1f6f-4b68-b141-c5778f0c19bb} - c:\program files\family toolbar\tbcore3.dll
    TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.8.0.5\coIEPlg.dll
    TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
    uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
    uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
    mRun: [Dell AIO Printer A940] "c:\program files\dell aio printer a940\dlbabmgr.exe"
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
    StartupFolder: c:\docume~1\owner\startm~1\programs\startup\3connect.lnk - c:\program files\3 mobile broadband\3connect\Wilog.exe
    mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
    mPolicies-explorer: MaxRecentDocs = 18 (0x12)
    mPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
    mPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
    mPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
    mPolicies-system: DisableStatusMessages = 1 (0x1)
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: mhtb - {669A2A3A-F19C-452D-800D-1240299756C1} - c:\program files\family toolbar\mhxpcomi.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    SEH: {4F07DA45-8170-4859-9B5F-037EF2970034} - No File
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\xta0fo0z.default\
    FF - prefs.js: browser.search.selectedEngine - Secure Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.independent.ie/business/
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
    FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\coffplgn\components\coFFPlgn.dll
    FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\ipsffplgn\components\IPSFFPl.dll
    FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\xta0fo0z.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
    FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\xta0fo0z.default\extensions\{fd2fd708-1f6f-4b68-b141-c5778f0c19bb}\components\mhxpcom2.dll
    FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
    FF - component: c:\program files\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
    FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\xta0fo0z.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
    FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
    FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
    FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
    FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
    FF - plugin: c:\program files\opera\program\plugins\npdjvu.dll
    FF - plugin: c:\program files\opera\program\plugins\npdjvu.dll
    FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin.dll
    FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin2.dll
    FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin3.dll
    FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin4.dll
    FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin5.dll
    FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin6.dll
    FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin7.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

    ============= SERVICES / DRIVERS ===============

    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1108000.005\symds.sys [2010-10-19 328752]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1108000.005\symefa.sys [2010-10-19 173104]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\bashdefs\20101001.001\BHDrvx86.sys [2010-10-2 692272]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1108000.005\cchpx86.sys [2010-10-19 501888]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-1-5 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 67656]
    R1 SLEE_14_DRIVER;Steganos Live Encryption Engine 14 [Driver];c:\windows\system32\drivers\sleen14.sys [2006-11-8 72480]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1108000.005\ironx86.sys [2010-10-19 116784]
    R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2010-8-27 312152]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2009-11-26 88176]
    R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.8.0.5\ccsvchst.exe [2010-10-19 126392]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-10-19 102448]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\ipsdefs\20101015.005\IDSXpx86.sys [2010-10-13 341880]
    R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\virusdefs\20101019.004\NAVENG.SYS [2010-10-19 86064]
    R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\virusdefs\20101019.004\NAVEX15.SYS [2010-10-19 1371184]
    S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [2009-10-19 9472]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-11-30 133104]
    S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2010-9-29 100736]
    S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-7-14 14424]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 12872]

    =============== Created Last 30 ================

    2010-10-26 11:45:00 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-10-26 11:39:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
    2010-10-25 11:26:34 509440 ----a-w- c:\windows\winlogon.exe
    2010-10-19 12:07:51 361904 ----a-w- c:\windows\system32\drivers\nis\1108000.005\symtdi.sys
    2010-10-19 12:07:51 339504 ----a-w- c:\windows\system32\drivers\nis\1108000.005\symtdiv.sys
    2010-10-19 12:07:51 328752 ----a-r- c:\windows\system32\drivers\nis\1108000.005\symds.sys
    2010-10-19 12:07:51 173104 ----a-w- c:\windows\system32\drivers\nis\1108000.005\symefa.sys
    2010-10-19 12:07:50 501888 ----a-w- c:\windows\system32\drivers\nis\1108000.005\cchpx86.sys
    2010-10-19 12:07:50 43696 ----a-w- c:\windows\system32\drivers\nis\1108000.005\srtspx.sys
    2010-10-19 12:07:50 325680 ----a-w- c:\windows\system32\drivers\nis\1108000.005\srtsp.sys
    2010-10-19 12:07:50 116784 ----a-w- c:\windows\system32\drivers\nis\1108000.005\ironx86.sys
    2010-10-19 12:07:26 -------- d-----w- c:\windows\system32\drivers\nis\1108000.005
    2010-10-18 22:51:33 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2010-10-18 22:51:33 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2010-10-18 22:51:33 -------- d-----w- c:\program files\Symantec
    2010-10-18 22:51:33 -------- d-----w- c:\program files\common files\Symantec Shared
    2010-10-18 22:50:49 -------- d-----w- c:\windows\system32\drivers\NIS
    2010-10-18 22:50:44 -------- d-----w- c:\program files\Norton Internet Security
    2010-10-18 22:50:43 -------- d-----w- c:\docume~1\alluse~1\applic~1\Norton
    2010-10-18 21:51:17 -------- d-----w- c:\windows\Internet Logs
    2010-10-18 21:45:36 -------- d-----w- c:\program files\NortonInstaller
    2010-10-18 21:45:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
    2010-10-18 11:27:23 221184 ----a-w- c:\windows\system32\wmpns.dll
    2010-10-15 14:49:26 99840 ------w- c:\windows\system32\dllcache\srvsvc.dll
    2010-10-15 14:42:38 218112 ------w- c:\windows\system32\dllcache\wordpad.exe
    2010-10-15 14:42:37 1289216 ------w- c:\windows\system32\dllcache\ole32.dll
    2010-10-15 14:32:20 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
    2010-10-15 14:32:20 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
    2010-10-15 14:32:20 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
    2010-10-15 14:30:46 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
    2010-10-07 16:01:44 -------- d-----w- c:\program files\PopCap Games
    2010-10-06 10:24:27 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\Adobe
    2010-10-05 11:57:15 -------- d-----w- c:\program files\iPod
    2010-10-05 11:57:11 -------- d-----w- c:\program files\iTunes
    2010-09-29 16:40:24 -------- d-----w- c:\program files\uTorrent
    2010-09-29 16:39:24 -------- d-----w- c:\docume~1\owner\applic~1\uTorrent
    2010-09-29 10:54:53 -------- d-----w- c:\docume~1\owner\applic~1\Birdstep Technology
    2010-09-29 10:53:58 24448 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
    2010-09-29 10:53:58 112640 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
    2010-09-29 10:53:58 102528 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
    2010-09-29 10:53:58 100736 ----a-w- c:\windows\system32\drivers\ewusbdev.sys
    2010-09-29 10:53:47 71262 ----a-w- c:\windows\Huawei ModemsUninstall.exe
    2010-09-29 10:53:47 -------- d-----w- c:\program files\Huawei Modems
    2010-09-29 10:53:44 10240 ----a-w- c:\windows\system32\drivers\mdvrmng.sys
    2010-09-29 10:52:11 -------- d-----w- c:\program files\3 Mobile Broadband
    2010-09-29 10:46:17 -------- d-----w- c:\docume~1\alluse~1\applic~1\Birdstep Technology

    ==================== Find3M ====================

    2010-10-19 22:56:21 509440 ----a-w- c:\windows\system32\winlogon.exe
    2010-09-18 11:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-08 10:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-09-08 10:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-09-01 11:48:34 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:38:48 1861888 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:01:06 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 06:05:07 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-16 08:43:28 590848 ----a-w- c:\windows\system32\rpcrt4.dll

    ============= FINISH: 15:23:52.87 ===============

    Attach.txt is also zipped & attached.

    Thanks in advance & appreciate all the help.
    Cheers
    Will40
     


  2. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    Welcome aboard

    Please, observe forum rules:
    Paste your Attach.txt log in your next reply.

    When done...

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  3. Will40

    Will40 TS Rookie Topic Starter Posts: 55

    Thanks Broni - Attach.txt below:


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-10-21.02)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 16/11/2009 22:52:30
    System Uptime: 27/10/2010 12:46:44 (3 hours ago)

    Motherboard: Dell Computer Corp. | | 0F4491
    Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | Microprocessor | 2992/800mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 149 GiB total, 84.101 GiB free.
    D: is CDROM (CDFS)
    E: is Removable
    F: is CDROM ()
    G: is CDROM ()
    I: is CDROM ()
    K: is Removable

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: PCI Modem
    Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&1C660DD6&0&08F0
    Manufacturer:
    Name: PCI Modem
    PNP Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&1C660DD6&0&08F0
    Service:

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Ethernet Controller
    Device ID: PCI\VEN_8086&DEV_1050&SUBSYS_01741028&REV_02\4&1C660DD6&0&40F0
    Manufacturer:
    Name: Ethernet Controller
    PNP Device ID: PCI\VEN_8086&DEV_1050&SUBSYS_01741028&REV_02\4&1C660DD6&0&40F0
    Service:

    ==== System Restore Points ===================

    RP18: 30/09/2010 15:37:36 - Before Malware Removal in Server folder
    RP19: 01/10/2010 19:46:16 - System Checkpoint
    RP20: 04/10/2010 09:52:44 - Software Distribution Service 3.0
    RP21: 04/10/2010 18:48:01 - Revo Uninstaller's restore point - ZoneAlarm Extreme Security
    RP22: 07/10/2010 10:48:34 - System Checkpoint
    RP23: 08/10/2010 18:04:02 - System Checkpoint
    RP24: 09/10/2010 19:26:57 - System Checkpoint
    RP25: 13/10/2010 18:15:45 - System Checkpoint
    RP26: 14/10/2010 18:20:14 - System Checkpoint
    RP27: 15/10/2010 20:21:08 - Software Distribution Service 3.0
    RP28: 18/10/2010 12:26:47 - Software Distribution Service 3.0
    RP29: 18/10/2010 22:47:25 - Revo Uninstaller's restore point - ZoneAlarm Pro
    RP30: 20/10/2010 00:47:38 - System Checkpoint
    RP31: 20/10/2010 12:07:54 - Restore Operation
    RP32: 22/10/2010 17:18:55 - System Checkpoint
    RP33: 23/10/2010 21:02:14 - System Checkpoint
    RP34: 23/10/2010 23:44:39 - Restore Operation
    RP35: 23/10/2010 23:48:01 - Restore Operation
    RP36: 25/10/2010 00:22:48 - System Checkpoint
    RP37: 25/10/2010 15:43:38 - Restore Operation

    ==== Installed Programs ======================

    "Nero SoundTrax Help
    µTorrent
    3Connect
    7-Zip 4.65
    ABBYY FineReader 5.0 Sprint
    AC3Filter (remove only)
    Adobe Download Manager
    Adobe Flash Player 10 Plugin
    Advertising Center
    Alt-Tab Task Switcher Powertoy for Windows XP
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Auslogics BoostSpeed
    Bonjour
    ConvertHelper 2.2
    Creative MediaSource
    Dell AIO Printer A940
    Direct Show Ogg Vorbis Filter (remove only)
    DiskCheckup V3.0
    DolbyFiles
    DVD Decrypter (Remove Only)
    DVD Shrink 3.2
    Family Toolbar
    Family Tree Maker 2010
    FaxTools
    Foxit Reader
    FoxyTunes for Firefox
    Games by Petersonic 1.00
    Google Chrome
    Google Earth
    Google Update Helper
    GPL MPEG-1/2 DirectShow Decoder Filter
    HashCheck Shell Extension (x86-32)
    Huawei modem
    ImagXpress
    IObit Security 360
    iTunes
    Java(TM) 6 Update 16
    K-Lite Mega Codec Pack 5.2.0
    LizardTech DjVu Control
    Magic ISO Maker v5.4 (build 0239)
    MagicDisc 2.7.106
    Malwarebytes' Anti-Malware
    McAfee SiteAdvisor
    MediaMonkey 3.2
    Menu Templates - Starter Kit
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 1.1 Service Pack 1
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 Service Pack 1
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Primary Interoperability Assemblies 2005
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Windows Media Video 9 VCM
    Microsoft WSE 3.0
    Mobile Partner
    Movie Templates - Starter Kit
    Mozilla Firefox (3.6.10)
    Mozilla Thunderbird (3.1.4)
    MSVC80_x86_v2
    MSXML 4.0 SP3 Parser
    MSXML 4.0 SP3 Parser (KB973685)
    MyHeritage Family Tree Builder
    Nero 9
    Nero BurningROM
    Nero BurnRights
    Nero ControlCenter
    Nero CoverDesigner
    Nero CoverDesigner Help
    Nero Disc Copy Gadget
    Nero Disc Copy Gadget Help
    Nero DiscSpeed
    Nero DriveSpeed
    Nero Express
    Nero InfoTool
    Nero Installer
    Nero PhotoSnap
    Nero PhotoSnap Help
    Nero Recode
    Nero Recode Help
    Nero Rescue Agent
    Nero RescueAgent Help
    Nero ShowTime
    Nero StartSmart
    Nero StartSmart Help
    Nero Vision
    Nero WaveEditor
    Nero WaveEditor Help
    NeroBurningROM
    NeroExpress
    neroxml
    Nokia Connectivity Cable Driver
    Nokia Ovi Player
    Nokia PC Suite
    Nokia_Multimedia_Common_Components_2_5
    Norton Internet Security
    O&O UnErase
    Open Command Prompt Shell Extension (x86-32)
    Opera 10.53
    PC Connectivity Solution
    PC Wizard 2009.1.9111
    PeerBlock 1.0.0 (r181)
    PeerGuardian 2.0
    Picasa 3
    Plants vs. Zombies
    PrimoPDF
    PrimoPDF Redistribution Package
    QuickTime
    QuickTime Alternative 3.0.0
    RadLight PVA DirectShow filter (remove only)
    Revo Uninstaller 1.89
    River Past Video Cleaner Pro
    Rome - Total War(TM)
    Rosetta Stone Version 3
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2344875)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for 2007 Microsoft Office System (KB982312)
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft Office Excel 2007 (KB2345035)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office Outlook 2007 (KB972363)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office Publisher 2007 (KB982124)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Security Update for Windows Media Encoder (KB954156)
    Security Update for Windows Media Encoder (KB979332)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982802)
    Sound Blaster Audigy 2
    SoundTrax
    Spybot - Search & Destroy
    SpywareBlaster 4.4
    Steganos Safe Home 2007
    SUPERAntiSpyware Free Edition
    Unlocker 1.8.7
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Outlook 2007 Junk Email Filter (kb2410711)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    User Profile Hive Cleanup Service
    VC 9.0 Runtime
    WD Diagnostics
    WebFldrs XP
    Windows Driver Package - Nokia Modem (03/15/2010 4.4)
    Windows Driver Package - Nokia Modem (03/15/2010 7.01.0.6)
    Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
    Windows Media Encoder 9 Series
    Windows Rights Management Client Backwards Compatibility SP2
    Windows Rights Management Client with Service Pack 2
    WinRAR archiver

    ==== Event Viewer Messages From Past Week ========

    27/10/2010 13:19:31, error: atapi [9] - The device, \Device\Ide\IdePort1, did not respond within the timeout period.
    27/10/2010 12:45:42, error: Service Control Manager [7034] - The User Profile Hive Cleanup service terminated unexpectedly. It has done this 1 time(s).
    27/10/2010 12:45:42, error: Service Control Manager [7034] - The McAfee SiteAdvisor Service service terminated unexpectedly. It has done this 1 time(s).
    27/10/2010 12:45:42, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    27/10/2010 12:45:42, error: Service Control Manager [7034] - The Creative Service for CDROM Access service terminated unexpectedly. It has done this 1 time(s).
    27/10/2010 12:45:42, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    27/10/2010 12:45:41, error: Service Control Manager [7034] - The LexBce Server service terminated unexpectedly. It has done this 1 time(s).
    27/10/2010 12:45:41, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    25/10/2010 17:23:51, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.
    25/10/2010 12:25:16, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).

    ==== End Of File ===========================
     
  4. Will40

    Will40 TS Rookie Topic Starter Posts: 55

    ComboFix.txt:

    ComboFix 10-10-25.02 - Will 28/10/2010 15:12:37.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.353.1033.18.1023.558 [GMT 1:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\winlogon.exe
    H:\Autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2010-09-28 to 2010-10-28 )))))))))))))))))))))))))))))))
    .

    2010-10-26 11:45 . 2010-10-26 11:45 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-10-26 11:39 . 2010-10-26 11:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
    2010-10-18 22:51 . 2010-10-18 23:06 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2010-10-18 22:51 . 2010-10-18 22:51 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2010-10-18 22:51 . 2010-10-18 22:51 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2010-10-18 22:51 . 2010-10-18 22:51 -------- d-----w- c:\program files\Symantec
    2010-10-18 22:50 . 2010-10-19 19:36 -------- d-----w- c:\windows\system32\drivers\NIS
    2010-10-18 22:50 . 2010-10-18 22:50 -------- d-----w- c:\program files\Norton Internet Security
    2010-10-18 22:50 . 2010-10-18 22:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
    2010-10-18 21:51 . 2010-10-18 21:51 -------- d-----w- c:\windows\Internet Logs
    2010-10-18 21:45 . 2010-10-18 22:48 -------- d-----w- c:\program files\NortonInstaller
    2010-10-18 11:27 . 2008-04-14 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll
    2010-10-15 14:49 . 2010-08-27 06:05 99840 ------w- c:\windows\system32\dllcache\srvsvc.dll
    2010-10-15 14:42 . 2010-07-12 13:02 218112 ------w- c:\windows\system32\dllcache\wordpad.exe
    2010-10-15 14:42 . 2010-07-16 12:04 1289216 ------w- c:\windows\system32\dllcache\ole32.dll
    2010-10-15 14:32 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
    2010-10-15 14:32 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
    2010-10-15 14:32 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
    2010-10-15 14:30 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
    2010-10-07 16:01 . 2010-10-07 16:01 -------- d-----w- c:\program files\PopCap Games
    2010-10-06 10:24 . 2010-10-06 10:24 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Adobe
    2010-10-05 11:57 . 2010-10-05 11:57 -------- d-----w- c:\program files\iPod
    2010-10-05 11:57 . 2010-10-05 11:58 -------- d-----w- c:\program files\iTunes
    2010-10-01 08:35 . 2010-10-01 10:12 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
    2010-09-29 16:40 . 2010-09-29 16:40 -------- d-----w- c:\program files\uTorrent
    2010-09-29 16:39 . 2010-10-27 15:37 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
    2010-09-29 10:54 . 2010-09-29 10:54 -------- d-----w- c:\documents and settings\Owner\Application Data\Birdstep Technology
    2010-09-29 10:53 . 2009-09-10 12:55 102528 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
    2010-09-29 10:53 . 2009-07-24 16:33 100736 ----a-w- c:\windows\system32\drivers\ewusbdev.sys
    2010-09-29 10:53 . 2009-06-22 18:00 112640 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
    2010-09-29 10:53 . 2007-08-09 02:13 24448 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
    2010-09-29 10:53 . 2010-09-29 10:53 -------- d-----w- c:\program files\Huawei Modems
    2010-09-29 10:53 . 2010-09-29 10:53 71262 ----a-w- c:\windows\Huawei ModemsUninstall.exe
    2010-09-29 10:53 . 2009-11-17 13:01 10240 ----a-w- c:\windows\system32\drivers\mdvrmng.sys
    2010-09-29 10:52 . 2010-09-29 10:52 -------- d-----w- c:\program files\3 Mobile Broadband
    2010-09-29 10:46 . 2010-09-29 10:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Birdstep Technology

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-19 22:56 . 2009-10-19 08:27 509440 ----a-w- c:\windows\system32\winlogon.exe
    2010-09-18 11:23 . 2008-04-14 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2008-04-14 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2008-04-14 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2008-04-14 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-08 10:17 . 2010-09-08 10:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-09-08 10:17 . 2010-09-08 10:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-09-01 11:48 . 2009-10-19 08:25 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:38 . 2009-10-19 08:27 1861888 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:01 . 2009-10-19 08:27 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 06:05 . 2008-04-14 12:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 13:37 . 2009-10-19 08:27 357248 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-08-26 12:52 . 2009-10-19 08:32 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12 . 2008-04-14 12:00 617472 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-17 13:17 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-16 08:43 . 2009-10-19 08:26 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    .

    ------- Sigcheck -------

    [-] 2009-10-19 . BA8C046D98345129723E6BCAA1E8AB99 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
    [7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
    [7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys

    [-] 2010-10-19 . 9E8EF33E20F23BC116A1E5A2DDCD2BA8 . 509440 . . [5.1.2600.5788] . . c:\windows\system32\winlogon.exe

    [-] 2009-10-19 . D27B911DCD2F05103F51A9F0899B5C62 . 1033728 . . [6.00.2900.5634] . . c:\windows\explorer.exe


    c:\windows\System32\wscntfy.exe ... is missing !!
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C37B053-FD68-456a-82E1-D788EE342E6F}]
    2009-05-07 21:46 2642432 ----a-w- c:\program files\Family Toolbar\tbcore3.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D62EC836-BF1E-4CAC-81BE-FB9179835D8E}]
    2010-02-18 07:37 221184 ----a-w- c:\program files\Family Toolbar\mhxpcomi.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{FD2FD708-1F6F-4B68-B141-C5778F0C19BB}"= "c:\program files\Family Toolbar\tbcore3.dll" [2009-05-07 2642432]

    [HKEY_CLASSES_ROOT\clsid\{fd2fd708-1f6f-4b68-b141-c5778f0c19bb}]
    [HKEY_CLASSES_ROOT\MHToolbar.MHToolbar.3]
    [HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
    [HKEY_CLASSES_ROOT\MHToolbar.MHToolbar]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-20 135664]
    "PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2009-09-28 1524824]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
    "CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
    "Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-06-25 294998]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "_nltide_3"="advpack.dll" [2009-10-19 128512]

    c:\documents and settings\Owner\Start Menu\Programs\Startup\
    3Connect.lnk - c:\program files\3 Mobile Broadband\3Connect\Wilog.exe [2010-9-29 38640]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableStatusMessages"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "MaxRecentDocs"= 18 (0x12)
    "NoSMConfigurePrograms"= 1 (0x1)
    "NoRecentDocsNetHood"= 1 (0x1)
    "MemCheckBoxInRunDlg"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\River Past\\Video Cleaner Pro\\VideoCleanerPro.exe"=
    "c:\\WINDOWS\\system32\\LEXPPS.EXE"=
    "c:\\Program Files\\Nero\\Nero 9\\Nero ShowTime\\ShowTime.exe"=
    "c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
    "c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
    "c:\\Program Files\\Opera\\opera.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1108000.005\symds.sys [19/10/2010 13:07 328752]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1108000.005\symefa.sys [19/10/2010 13:07 173104]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20101001.001\BHDrvx86.sys [02/10/2010 00:00 692272]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1108000.005\cchpx86.sys [19/10/2010 13:07 501888]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [05/01/2010 08:56 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/01/2010 08:56 67656]
    R1 SLEE_14_DRIVER;Steganos Live Encryption Engine 14 [Driver];c:\windows\system32\drivers\sleen14.sys [08/11/2006 14:19 72480]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1108000.005\ironx86.sys [19/10/2010 13:07 116784]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [26/11/2009 14:21 88176]
    R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.8.0.5\ccsvchst.exe [19/10/2010 13:07 126392]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [19/10/2010 23:55 102448]
    R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [29/09/2010 11:53 100736]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20101015.005\IDSXpx86.sys [13/10/2010 20:59 341880]
    S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [19/10/2009 09:29 9472]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [30/11/2009 13:32 133104]
    S2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [27/08/2010 11:09 312152]
    S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [14/07/2010 00:14 14424]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/01/2010 08:56 12872]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - PBFILTER
    *Deregistered* - uphcleanhlp

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-10-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-11-30 12:31]

    2010-10-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-11-30 12:31]

    2010-10-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-651377827-842925246-1003Core.job
    - c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-20 11:22]

    2010-10-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-651377827-842925246-1003UA.job
    - c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-20 11:22]

    2010-10-28 c:\windows\Tasks\User_Feed_Synchronization-{E654F2DD-1D76-433F-9151-37B2E1CF8ADE}.job
    - c:\windows\system32\msfeedssync.exe [2009-10-19 10:16]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uDefault_Search_URL = hxxp://www.google.com/ie
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    Handler: mhtb - {669A2A3A-F19C-452D-800D-1240299756C1} - c:\program files\Family Toolbar\mhxpcomi.dll
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xta0fo0z.default\
    FF - prefs.js: browser.search.selectedEngine - Secure Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.independent.ie/business/
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
    FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn\components\coFFPlgn.dll
    FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn\components\IPSFFPl.dll
    FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xta0fo0z.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
    FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xta0fo0z.default\extensions\{FD2FD708-1F6F-4B68-B141-C5778F0C19BB}\components\mhxpcom2.dll
    FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
    FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
    FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xta0fo0z.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
    FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
    FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
    FF - plugin: c:\program files\Opera\program\plugins\np_gp.dll
    FF - plugin: c:\program files\Opera\program\plugins\npdjvu.dll
    FF - plugin: c:\program files\Opera\program\plugins\npdjvu.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin2.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin3.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin4.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin5.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin6.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin7.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    ShellExecuteHooks-{4F07DA45-8170-4859-9B5F-037EF2970034} - (no file)



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-10-28 15:20
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
    "ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.8.0.5\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,56,a7,8f,36,64,87,b0,4b,8d,17,e5,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,56,a7,8f,36,64,87,b0,4b,8d,17,e5,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(556)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll
    .
    Completion time: 2010-10-28 15:24:36
    ComboFix-quarantined-files.txt 2010-10-28 14:24

    Pre-Run: 90,151,432,192 bytes free
    Post-Run: 90,107,834,368 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - 882BD7E0623147E54CAEC550B2B60EBF

    Thanks for all your help so far Broni - very much appreciated. :D
    Cheers
    Will
     
  5. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    You're welcome :)

    Open Windows Explorer. Go to Tools>Folder Options>View tab, put a checkmark next to Show hidden files and folders.
    Upload following files to http://www.virustotal.com/ for security check:
    - c:\windows\explorer.exe
    - c:\windows\system32\winlogon.exe
    IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
    Post scan results.
     
  6. Will40

    Will40 TS Rookie Topic Starter Posts: 55

    Houston - we have a problem....

    Broni - when booting up, the PC now asks for Windows SP3 disk (due to needing to restore some altered files). My XP Pro CD is SP2 as I downloaded SP3, but it won't accept my SP2 CD. So my PC just does nothing except show the logon splash screen. I've managed to get online by running my mobile broadband & my browser from the task manager....

    Where do we go from here....??!!

    I presume I'll need to download SP3 which is what I'm going to start doing in the interim....
     
  7. Broni

    Broni Malware Annihilator Posts: 52,915   +344

  8. Will40

    Will40 TS Rookie Topic Starter Posts: 55

    System won't let me open the file once downloaded - says something about not having administrator privileges (which I do), so have downloaded it via a friend's laptop and am trying it from there.

    Also, just for reference purposes, during the Slipstream process I need to get to the Run command via the Start button - which I don't have! I can only get any programs to run from Task Manager! And am unsure of which .exe file will open the Run command for me.....I think it may be in the System32 folder but not sure which one it is....
     
  9. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    I suggest you create that CD on some other working computer.
     
  10. Will40

    Will40 TS Rookie Topic Starter Posts: 55

    Managed to get PC sorted with Slipstream!

    Results for Scan as follows -
    File name:
    winlogon.exe
    Submission date:
    2010-11-01 10:22:52 (UTC)
    Current status:
    queued queued analysing finished
    Result:
    0/ 43 (0.0%)

    Not sure if you need all the remaining info Broni, but pasting it anyway:

    Antivirus Version Last Update Result
    AhnLab-V3 2010.11.01.01 2010.11.01 -
    AntiVir 7.10.13.75 2010.10.31 -
    Antiy-AVL 2.0.3.7 2010.11.01 -
    Authentium 5.2.0.5 2010.11.01 -
    Avast 4.8.1351.0 2010.10.31 -
    Avast5 5.0.594.0 2010.10.31 -
    AVG 9.0.0.851 2010.10.31 -
    BitDefender 7.2 2010.11.01 -
    CAT-QuickHeal 11.00 2010.10.26 -
    ClamAV 0.96.2.0-git 2010.10.31 -
    Comodo 6577 2010.11.01 -
    DrWeb 5.0.2.03300 2010.11.01 -
    Emsisoft 5.0.0.50 2010.11.01 -
    eSafe 7.0.17.0 2010.10.31 -
    eTrust-Vet None 2010.10.29 -
    F-Prot 4.6.2.117 2010.10.31 -
    F-Secure 9.0.16160.0 2010.11.01 -
    Fortinet 4.2.249.0 2010.11.01 -
    GData 21 2010.11.01 -
    Ikarus T3.1.1.90.0 2010.11.01 -
    Jiangmin 13.0.900 2010.11.01 -
    K7AntiVirus 9.67.2865 2010.10.29 -
    Kaspersky 7.0.0.125 2010.11.01 -
    McAfee 5.400.0.1158 2010.11.01 -
    McAfee-GW-Edition 2010.1C 2010.10.31 -
    Microsoft 1.6301 2010.11.01 -
    NOD32 5581 2010.11.01 -
    Norman 6.06.10 2010.11.01 -
    nProtect 2010-11-01.01 2010.11.01 -
    Panda 10.0.2.7 2010.10.31 -
    PCTools 7.0.3.5 2010.11.01 -
    Prevx 3.0 2010.11.01 -
    Rising 22.71.06.04 2010.11.01 -
    Sophos 4.59.0 2010.11.01 -
    Sunbelt 7184 2010.11.01 -
    SUPERAntiSpyware 4.40.0.1006 2010.11.01 -
    Symantec 20101.2.0.161 2010.11.01 -
    TheHacker 6.7.0.1.074 2010.11.01 -
    TrendMicro 9.120.0.1004 2010.11.01 -
    TrendMicro-HouseCall 9.120.0.1004 2010.11.01 -
    VBA32 3.12.14.1 2010.10.29 -
    ViRobot 2010.10.4.4074 2010.11.01 -
    VirusBuster 12.70.14.0 2010.10.31 -

    Additional information
    Show all
    MD5 : 9e8ef33e20f23bc116a1e5a2ddcd2ba8
    SHA1 : 23b7cbbcc487fa9bdadff234c668cc638a8551e9
    SHA256: b4653c76afecd33764cdb881d5be69e90a2ecb897c76fb8ba32f81ca67957e38
     
  11. Will40

    Will40 TS Rookie Topic Starter Posts: 55

    and Explorer.exe file:

    File name:
    explorer.exe
    Submission date:
    2010-11-01 14:36:40 (UTC)
    Current status:
    queued (#11) queued analysing finished
    Result:
    0/ 42 (0.0%)

    Antivirus Version Last Update Result
    AhnLab-V3 2010.11.01.01 2010.11.01 -
    AntiVir 7.10.13.76 2010.11.01 -
    Antiy-AVL 2.0.3.7 2010.11.01 -
    Authentium 5.2.0.5 2010.11.01 -
    Avast 4.8.1351.0 2010.11.01 -
    Avast5 5.0.594.0 2010.11.01 -
    AVG 9.0.0.851 2010.11.01 -
    BitDefender 7.2 2010.11.01 -
    CAT-QuickHeal 11.00 2010.10.26 -
    ClamAV 0.96.2.0-git 2010.11.01 -
    Comodo 6577 2010.11.01 -
    Emsisoft 5.0.0.50 2010.11.01 -
    eSafe 7.0.17.0 2010.10.31 -
    eTrust-Vet 36.1.7947 2010.11.01 -
    F-Prot 4.6.2.117 2010.11.01 -
    F-Secure 9.0.16160.0 2010.11.01 -
    Fortinet 4.2.249.0 2010.11.01 -
    GData 21 2010.11.01 -
    Ikarus T3.1.1.90.0 2010.11.01 -
    Jiangmin 13.0.900 2010.11.01 -
    K7AntiVirus 9.67.2865 2010.10.29 -
    Kaspersky 7.0.0.125 2010.11.01 -
    McAfee 5.400.0.1158 2010.11.01 -
    McAfee-GW-Edition 2010.1C 2010.11.01 -
    Microsoft 1.6301 2010.11.01 -
    NOD32 5581 2010.11.01 -
    Norman 6.06.10 2010.11.01 -
    nProtect 2010-11-01.01 2010.11.01 -
    Panda 10.0.2.7 2010.11.01 -
    PCTools 7.0.3.5 2010.11.01 -
    Prevx 3.0 2010.11.01 -
    Rising 22.71.06.04 2010.11.01 -
    Sophos 4.59.0 2010.11.01 -
    Sunbelt 7185 2010.11.01 -
    SUPERAntiSpyware 4.40.0.1006 2010.11.01 -
    Symantec 20101.2.0.161 2010.11.01 -
    TheHacker 6.7.0.1.074 2010.11.01 -
    TrendMicro 9.120.0.1004 2010.11.01 -
    TrendMicro-HouseCall 9.120.0.1004 2010.11.01 -
    VBA32 3.12.14.1 2010.11.01 -
    ViRobot 2010.10.4.4074 2010.11.01 -
    VirusBuster 12.70.15.0 2010.11.01 -
    Additional information
    Show all
    MD5 : 12896823fb95bfb3dc9b46bcaedc9923
    SHA1 : 9d2bf84874abc5b6e9a2744b7865c193c08d362f
    SHA256: 1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455
     
  12. Will40

    Will40 TS Rookie Topic Starter Posts: 55

    PC back working - thanks for the help Broni! Scan results below - both received all clear and just included the additional info:

    Winlogon.exe:
    Additional information
    Show all
    MD5 : 9e8ef33e20f23bc116a1e5a2ddcd2ba8
    SHA1 : 23b7cbbcc487fa9bdadff234c668cc638a8551e9
    SHA256: b4653c76afecd33764cdb881d5be69e90a2ecb897c76fb8ba32f81ca67957e38

    Explorer.exe
    Additional information
    Show all
    MD5 : 12896823fb95bfb3dc9b46bcaedc9923
    SHA1 : 9d2bf84874abc5b6e9a2744b7865c193c08d362f
    SHA256: 1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455

    Cheers
    Will
     
  13. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    Very good :)
    Please, post fresh Combofix log.
     
  14. Will40

    Will40 TS Rookie Topic Starter Posts: 55

    Below Broni.....

    ComboFix 10-10-25.02 - Will 02/11/2010 1:30.2.2 - x86
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    .
    - REDUCED FUNCTIONALITY MODE -
    .

    ((((((((((((((((((((((((( Files Created from 2010-10-02 to 2010-11-02 )))))))))))))))))))))))))))))))
    .

    2010-11-01 06:46 . 2010-11-01 06:46 -------- d-----w- C:\XP-SP3
    2010-10-31 22:19 . 2010-11-01 07:46 -------- d-----w- C:\XP Boot Image
    2010-10-30 09:21 . 2010-10-31 23:17 -------- d-----w- C:\XP
    2010-10-29 12:12 . 2010-10-29 12:16 -------- d-----w- c:\windows\system32\CatRoot_bak
    2010-10-29 09:48 . 2010-10-29 09:48 -------- d-----w- c:\windows\system32\xircom
    2010-10-29 09:48 . 2010-10-29 09:48 -------- d-----w- c:\windows\system32\wbem\snmp
    2010-10-29 09:48 . 2010-10-29 09:48 -------- d-----w- c:\windows\system32\oobe
    2010-10-29 09:48 . 2010-10-29 09:48 -------- d-----w- c:\program files\microsoft frontpage
    2010-10-26 11:45 . 2010-10-26 11:45 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-10-26 11:39 . 2010-10-26 11:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
    2010-10-18 22:51 . 2010-10-18 23:06 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2010-10-18 22:51 . 2010-10-18 22:51 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2010-10-18 22:51 . 2010-10-18 22:51 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2010-10-18 22:51 . 2010-10-18 22:51 -------- d-----w- c:\program files\Symantec
    2010-10-18 22:50 . 2010-10-19 19:36 -------- d-----w- c:\windows\system32\drivers\NIS
    2010-10-18 22:50 . 2010-10-18 22:50 -------- d-----w- c:\program files\Norton Internet Security
    2010-10-18 22:50 . 2010-10-18 22:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
    2010-10-18 21:51 . 2010-10-18 21:51 -------- d-----w- c:\windows\Internet Logs
    2010-10-18 21:45 . 2010-10-18 22:48 -------- d-----w- c:\program files\NortonInstaller
    2010-10-18 11:27 . 2008-04-14 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll
    2010-10-15 14:49 . 2010-08-27 06:05 99840 ------w- c:\windows\system32\dllcache\srvsvc.dll
    2010-10-15 14:42 . 2010-07-12 13:02 218112 ------w- c:\windows\system32\dllcache\wordpad.exe
    2010-10-15 14:42 . 2010-07-16 12:04 1289216 ------w- c:\windows\system32\dllcache\ole32.dll
    2010-10-15 14:32 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
    2010-10-15 14:32 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
    2010-10-15 14:32 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
    2010-10-15 14:30 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
    2010-10-07 16:01 . 2010-10-07 16:01 -------- d-----w- c:\program files\PopCap Games
    2010-10-06 10:24 . 2010-10-06 10:24 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Adobe
    2010-10-05 11:57 . 2010-10-05 11:57 -------- d-----w- c:\program files\iPod
    2010-10-05 11:57 . 2010-10-05 11:58 -------- d-----w- c:\program files\iTunes

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-19 22:56 . 2009-10-19 08:27 509440 ----a-w- c:\windows\system32\winlogon.exe
    2010-09-29 10:53 . 2010-09-29 10:53 71262 ----a-w- c:\windows\Huawei ModemsUninstall.exe
    2010-09-18 11:23 . 2008-04-14 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2008-04-14 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2008-04-14 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2008-04-14 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-08 10:17 . 2010-09-08 10:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-09-08 10:17 . 2010-09-08 10:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-09-01 11:48 . 2009-10-19 08:25 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:38 . 2009-10-19 08:27 1861888 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:01 . 2009-10-19 08:27 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 06:05 . 2008-04-14 12:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 13:37 . 2009-10-19 08:27 357248 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-08-26 12:52 . 2009-10-19 08:32 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12 . 2008-04-14 12:00 617472 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-17 13:17 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-16 08:43 . 2009-10-19 08:26 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    .

    ------- Sigcheck -------

    [-] 2009-10-19 . BA8C046D98345129723E6BCAA1E8AB99 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
    [7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
    [7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys

    [-] 2010-10-19 . 9E8EF33E20F23BC116A1E5A2DDCD2BA8 . 509440 . . [5.1.2600.5788] . . c:\windows\system32\winlogon.exe


    c:\windows\System32\wscntfy.exe ... is missing !!
    .
    ((((((((((((((((((((((((((((( SnapShot@2010-10-28_14.21.41 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-11-01 07:53 . 2010-11-01 07:53 16384 c:\windows\Temp\Perflib_Perfdata_750.dat
    + 2010-11-01 07:52 . 2010-11-01 07:52 16384 c:\windows\Temp\Perflib_Perfdata_708.dat
    - 2008-04-14 12:00 . 2010-08-14 08:31 73062 c:\windows\system32\perfc009.dat
    + 2008-04-14 12:00 . 2010-11-01 07:54 73062 c:\windows\system32\perfc009.dat
    - 2008-04-14 12:00 . 2010-08-14 08:31 446068 c:\windows\system32\perfh009.dat
    + 2008-04-14 12:00 . 2010-11-01 07:54 446068 c:\windows\system32\perfh009.dat
    + 2009-10-19 08:25 . 2008-04-14 05:42 1033728 c:\windows\system32\dllcache\explorer.exe
    - 2009-10-19 08:25 . 2009-10-19 08:25 1033728 c:\windows\explorer.exe
    + 2009-10-19 08:25 . 2008-04-14 05:42 1033728 c:\windows\explorer.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C37B053-FD68-456a-82E1-D788EE342E6F}]
    2009-05-07 21:46 2642432 ----a-w- c:\program files\Family Toolbar\tbcore3.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D62EC836-BF1E-4CAC-81BE-FB9179835D8E}]
    2010-02-18 07:37 221184 ----a-w- c:\program files\Family Toolbar\mhxpcomi.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{FD2FD708-1F6F-4B68-B141-C5778F0C19BB}"= "c:\program files\Family Toolbar\tbcore3.dll" [2009-05-07 2642432]

    [HKEY_CLASSES_ROOT\clsid\{fd2fd708-1f6f-4b68-b141-c5778f0c19bb}]
    [HKEY_CLASSES_ROOT\MHToolbar.MHToolbar.3]
    [HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
    [HKEY_CLASSES_ROOT\MHToolbar.MHToolbar]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-20 135664]
    "PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2009-09-28 1524824]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
    "CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
    "Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-06-25 294998]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "_nltide_3"="advpack.dll" [2009-10-19 128512]

    c:\documents and settings\Owner\Start Menu\Programs\Startup\
    3Connect.lnk - c:\program files\3 Mobile Broadband\3Connect\Wilog.exe [2010-9-29 38640]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableStatusMessages"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "MaxRecentDocs"= 18 (0x12)
    "NoSMConfigurePrograms"= 1 (0x1)
    "NoRecentDocsNetHood"= 1 (0x1)
    "MemCheckBoxInRunDlg"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\River Past\\Video Cleaner Pro\\VideoCleanerPro.exe"=
    "c:\\WINDOWS\\system32\\LEXPPS.EXE"=
    "c:\\Program Files\\Nero\\Nero 9\\Nero ShowTime\\ShowTime.exe"=
    "c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
    "c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
    "c:\\Program Files\\Opera\\opera.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1108000.005\symds.sys [19/10/2010 12:07 328752]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1108000.005\symefa.sys [19/10/2010 12:07 173104]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20101001.001\BHDrvx86.sys [01/10/2010 23:00 692272]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1108000.005\cchpx86.sys [19/10/2010 12:07 501888]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [05/01/2010 07:56 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/01/2010 07:56 67656]
    R1 SLEE_14_DRIVER;Steganos Live Encryption Engine 14 [Driver];c:\windows\system32\drivers\sleen14.sys [08/11/2006 13:19 72480]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1108000.005\ironx86.sys [19/10/2010 12:07 116784]
    R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [27/08/2010 10:09 312152]
    R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.8.0.5\ccsvchst.exe [19/10/2010 12:07 126392]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [19/10/2010 22:55 102448]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20101028.001\IDSXpx86.sys [19/10/2010 20:36 341880]
    R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [13/07/2010 23:14 14424]
    S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [19/10/2009 08:29 9472]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [30/11/2009 12:32 133104]
    S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [26/11/2009 13:21 88176]
    S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [29/09/2010 10:53 100736]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/01/2010 07:56 12872]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - PBFILTER
    *Deregistered* - uphcleanhlp

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-11-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-11-30 12:31]

    2010-11-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-11-30 12:31]

    2010-11-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-651377827-842925246-1003Core.job
    - c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-20 11:22]

    2010-11-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-651377827-842925246-1003UA.job
    - c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-20 11:22]

    2010-11-02 c:\windows\Tasks\User_Feed_Synchronization-{E654F2DD-1D76-433F-9151-37B2E1CF8ADE}.job
    - c:\windows\system32\msfeedssync.exe [2009-10-19 10:16]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uDefault_Search_URL = hxxp://www.google.com/ie
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    Handler: mhtb - {669A2A3A-F19C-452D-800D-1240299756C1} - c:\program files\Family Toolbar\mhxpcomi.dll
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xta0fo0z.default\
    FF - prefs.js: browser.search.selectedEngine - Secure Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.independent.ie/business/
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
    FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn\components\coFFPlgn.dll
    FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn\components\IPSFFPl.dll
    FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xta0fo0z.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
    FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xta0fo0z.default\extensions\{FD2FD708-1F6F-4B68-B141-C5778F0C19BB}\components\mhxpcom2.dll
    FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
    FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
    FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xta0fo0z.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
    FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
    FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
    FF - plugin: c:\program files\Opera\program\plugins\np_gp.dll
    FF - plugin: c:\program files\Opera\program\plugins\npdjvu.dll
    FF - plugin: c:\program files\Opera\program\plugins\npdjvu.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin2.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin3.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin4.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin5.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin6.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin7.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-02 01:33
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NIS]
    "ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.8.0.5\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,56,a7,8f,36,64,87,b0,4b,8d,17,e5,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,56,a7,8f,36,64,87,b0,4b,8d,17,e5,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(520)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(568)
    c:\windows\system32\WININET.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    c:\program files\MediaMonkey\DeskPlayer.dll
    c:\windows\system32\xpsp3res.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\program files\SUPERAntiSpyware\SASSEH.DLL

    - - - - - - - > 'explorer.exe'(2388)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    c:\progra~1\SPYBOT~1\SDHelper.dll
    c:\program files\Microsoft Office\Office12\1033\GrooveIntlResource.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\windows\system32\xpsp3res.dll
    c:\program files\Common Files\Nero\SMC\NeroDigitalExt.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\MFC80.DLL
    .
    Completion time: 2010-11-02 01:36:32
    ComboFix-quarantined-files.txt 2010-11-02 01:36

    Pre-Run: 87,534,166,016 bytes free
    Post-Run: 87,518,609,408 bytes free

    - - End Of File - - C25D74286D49BE68F34417C443ED4193
     
  15. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    It looks much better...

    How is computer doing at the moment?

    We have 1 system file missing and another suspicious one

    Do you have Windows XP CD?

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    64-bit users go HERE
    • Double-click SystemLook.exe to run it.
    • Vista users: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box into the main textfield:
      Code:
      :filefind
      wscntfy.exe
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  16. Will40

    Will40 TS Rookie Topic Starter Posts: 55

    It's grand - no problems that I can see. [stop laughing!]...Win CD is the new Bootable XP SP3 CD formed via Slipstream

    Downloading now....

    File results:
    SystemLook 04.09.10 by jpshortstuff
    Log created at 01:58 on 02/11/2010 by Will
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "wscntfy.exe"
    No files found.

    -= EOF =-
     
  17. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    Cool :)
    On Windows CD, navigate to I386 folder.
    Find:
    wscntfy.ex_
    Copy it to your desktop and unzip it with any zipping program.
    It'll become:
    wscntfy.exe

    Paste unzipped file into c:\windows\System32 folder.

    Now...

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    FCopy::
    c:\windows\system32\dllcache\tcpip.sys | c:\windows\system32\drivers\tcpip.sys
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
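    An added cross-check for the reasoning in the posts above (the ComboFix Sigcheck section, the VirusTotal hashes, and the FCopy:: restore from dllcache), written for this thread and not part of ComboFix, VirusTotal or anyone's post here. It assumes that ComboFix's [-] tag means "could not be verified against a Microsoft catalog" and uses the hash, size and path values quoted from the log as constructed sample input.

```python
"""Cross-check a ComboFix Sigcheck section against VirusTotal hash lines.

Flags the copies ComboFix could not verify ([-]), lists verified copies of
the same file elsewhere on disk that could be copied back (what FCopy:: did
for tcpip.sys), and checks that the MD5 ComboFix flagged is the same file
VirusTotal reported on, so its "0/43" actually applies to that copy.
"""
import hashlib
import re
from collections import defaultdict

# Constructed sample: the Sigcheck lines from the ComboFix log posted above.
SIGCHECK_LOG = """\
[-] 2009-10-19 . BA8C046D98345129723E6BCAA1E8AB99 . 361600 . . [5.1.2600.5649] . . c:\\windows\\system32\\drivers\\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\\windows\\$hf_mig$\\KB951748\\SP3QFE\\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\\windows\\system32\\dllcache\\tcpip.sys

[-] 2010-10-19 . 9E8EF33E20F23BC116A1E5A2DDCD2BA8 . 509440 . . [5.1.2600.5788] . . c:\\windows\\system32\\winlogon.exe
"""

# Constructed sample: the "Additional information" block VirusTotal showed
# for the winlogon.exe the poster uploaded (explorer.exe had no Sigcheck line).
VT_RESULTS = {
    "winlogon.exe": {
        "md5": "9e8ef33e20f23bc116a1e5a2ddcd2ba8",
        "sha1": "23b7cbbcc487fa9bdadff234c668cc638a8551e9",
        "sha256": "b4653c76afecd33764cdb881d5be69e90a2ecb897c76fb8ba32f81ca67957e38",
        "detections": "0/43",
    },
}

# [tag] date . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\S+)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)


def parse_sigcheck(text):
    """One dict per Sigcheck line; blank or unrecognised lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["md5"] = e["md5"].upper()
            e["size"] = int(e["size"])
            e["name"] = e["path"].rsplit("\\", 1)[-1].lower()
            entries.append(e)
    return entries


def triage(sigcheck_text, vt_results):
    """Group Sigcheck entries by file name and decide what each one needs.

    Assumption: "-" is the only tag meaning "not verified"; any other tag
    (e.g. "7") is a copy ComboFix matched against a Microsoft catalog.
    """
    by_name = defaultdict(list)
    for e in parse_sigcheck(sigcheck_text):
        by_name[e["name"]].append(e)

    report = {}
    for name, copies in by_name.items():
        unverified = [c for c in copies if c["flag"] == "-"]
        verified = [c for c in copies if c["flag"] != "-"]
        vt = vt_results.get(name)
        # A verified copy of the same size elsewhere (dllcache, $hf_mig$) is
        # the candidate to copy back over the unverified one.
        candidates = [v["path"] for v in verified
                      if any(v["size"] == u["size"] for u in unverified)]
        report[name] = {
            "unverified": unverified,
            "restore_candidates": candidates,
            # Only when the flagged MD5 equals VT's MD5 does VT's verdict
            # describe the copy ComboFix complained about.
            "vt_match": bool(vt) and any(u["md5"] == vt["md5"].upper()
                                         for u in unverified),
            "vt_detections": vt["detections"] if vt else None,
        }
    return report


def digests_of_chunks(chunks):
    """MD5/SHA1/SHA256 over an iterable of byte blocks, as VirusTotal shows them."""
    hashes = {n: hashlib.new(n) for n in ("md5", "sha1", "sha256")}
    for block in chunks:
        for h in hashes.values():
            h.update(block)
    return {n: h.hexdigest() for n, h in hashes.items()}


def file_digests(path, chunk=1 << 16):
    """Hash a local file so it can be compared with a VirusTotal result."""
    with open(path, "rb") as fh:
        return digests_of_chunks(iter(lambda: fh.read(chunk), b""))


if __name__ == "__main__":
    for name, r in triage(SIGCHECK_LOG, VT_RESULTS).items():
        print(name, "unverified:", [u["path"] for u in r["unverified"]])
        print("   restore from:", r["restore_candidates"] or "no verified copy on disk")
        print("   VT scanned this copy:", r["vt_match"], "detections:", r["vt_detections"])
```

    Run against a real log, the tcpip.sys entry points at the dllcache copy (the FCopy:: source in the post above) and the winlogon.exe entry confirms that VirusTotal's 0/43 was for the flagged copy, not some other file of that name.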
     
  18. Will40

    Will40 TS Rookie Topic Starter Posts: 55

    ComboFix Reply:

    ComboFix 10-10-25.02 - Will 02/11/2010 2:23.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.353.1033.18.1023.391 [GMT 0:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
    * Created a new restore point
    .
    - REDUCED FUNCTIONALITY MODE -
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    --------------- FCopy ---------------

    c:\windows\system32\dllcache\tcpip.sys --> c:\windows\system32\drivers\tcpip.sys
    .
    ((((((((((((((((((((((((( Files Created from 2010-10-02 to 2010-11-02 )))))))))))))))))))))))))))))))
    .

    2010-11-02 02:19 . 2008-04-14 05:42 13824 ----a-w- c:\windows\system32\wscntfy.exe
    2010-11-02 02:19 . 2008-04-14 05:42 13824 ----a-w- c:\windows\system32\dllcache\wscntfy.exe
    2010-11-01 06:46 . 2010-11-01 06:46 -------- d-----w- C:\XP-SP3
    2010-10-31 22:19 . 2010-11-01 07:46 -------- d-----w- C:\XP Boot Image
    2010-10-30 09:21 . 2010-10-31 23:17 -------- d-----w- C:\XP
    2010-10-29 12:12 . 2010-10-29 12:16 -------- d-----w- c:\windows\system32\CatRoot_bak
    2010-10-29 09:48 . 2010-10-29 09:48 -------- d-----w- c:\windows\system32\xircom
    2010-10-29 09:48 . 2010-10-29 09:48 -------- d-----w- c:\windows\system32\wbem\snmp
    2010-10-29 09:48 . 2010-10-29 09:48 -------- d-----w- c:\windows\system32\oobe
    2010-10-29 09:48 . 2010-10-29 09:48 -------- d-----w- c:\program files\microsoft frontpage
    2010-10-26 11:45 . 2010-10-26 11:45 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-10-26 11:39 . 2010-10-26 11:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
    2010-10-18 22:51 . 2010-10-18 23:06 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2010-10-18 22:51 . 2010-10-18 22:51 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2010-10-18 22:51 . 2010-10-18 22:51 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2010-10-18 22:51 . 2010-10-18 22:51 -------- d-----w- c:\program files\Symantec
    2010-10-18 22:50 . 2010-10-19 19:36 -------- d-----w- c:\windows\system32\drivers\NIS
    2010-10-18 22:50 . 2010-10-18 22:50 -------- d-----w- c:\program files\Norton Internet Security
    2010-10-18 22:50 . 2010-10-18 22:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
    2010-10-18 21:51 . 2010-10-18 21:51 -------- d-----w- c:\windows\Internet Logs
    2010-10-18 21:45 . 2010-10-18 22:48 -------- d-----w- c:\program files\NortonInstaller
    2010-10-18 11:27 . 2008-04-14 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll
    2010-10-15 14:49 . 2010-08-27 06:05 99840 ------w- c:\windows\system32\dllcache\srvsvc.dll
    2010-10-15 14:42 . 2010-07-12 13:02 218112 ------w- c:\windows\system32\dllcache\wordpad.exe
    2010-10-15 14:42 . 2010-07-16 12:04 1289216 ------w- c:\windows\system32\dllcache\ole32.dll
    2010-10-15 14:32 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
    2010-10-15 14:32 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
    2010-10-15 14:32 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
    2010-10-15 14:30 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
    2010-10-07 16:01 . 2010-10-07 16:01 -------- d-----w- c:\program files\PopCap Games
    2010-10-06 10:24 . 2010-10-06 10:24 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Adobe
    2010-10-05 11:57 . 2010-10-05 11:57 -------- d-----w- c:\program files\iPod
    2010-10-05 11:57 . 2010-10-05 11:58 -------- d-----w- c:\program files\iTunes

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-19 22:56 . 2009-10-19 08:27 509440 ----a-w- c:\windows\system32\winlogon.exe
    2010-09-29 10:53 . 2010-09-29 10:53 71262 ----a-w- c:\windows\Huawei ModemsUninstall.exe
    2010-09-18 11:23 . 2008-04-14 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2008-04-14 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2008-04-14 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2008-04-14 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-08 10:17 . 2010-09-08 10:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-09-08 10:17 . 2010-09-08 10:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-09-01 11:48 . 2009-10-19 08:25 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:38 . 2009-10-19 08:27 1861888 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:01 . 2009-10-19 08:27 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 06:05 . 2008-04-14 12:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 13:37 . 2009-10-19 08:27 357248 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-08-26 12:52 . 2009-10-19 08:32 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12 . 2008-04-14 12:00 617472 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-17 13:17 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-16 08:43 . 2009-10-19 08:26 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    .

    ------- Sigcheck -------

    [-] 2010-10-19 . 9E8EF33E20F23BC116A1E5A2DDCD2BA8 . 509440 . . [5.1.2600.5788] . . c:\windows\system32\winlogon.exe
    .
    ((((((((((((((((((((((((((((( SnapShot@2010-10-28_14.21.41 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-11-01 07:53 . 2010-11-01 07:53 16384 c:\windows\Temp\Perflib_Perfdata_750.dat
    + 2010-11-01 07:52 . 2010-11-01 07:52 16384 c:\windows\Temp\Perflib_Perfdata_708.dat
    - 2008-04-14 12:00 . 2010-08-14 08:31 73062 c:\windows\system32\perfc009.dat
    + 2008-04-14 12:00 . 2010-11-01 07:54 73062 c:\windows\system32\perfc009.dat
    - 2008-04-14 12:00 . 2010-08-14 08:31 446068 c:\windows\system32\perfh009.dat
    + 2008-04-14 12:00 . 2010-11-01 07:54 446068 c:\windows\system32\perfh009.dat
    + 2009-10-19 08:35 . 2008-06-20 11:51 361600 c:\windows\system32\dllcache\tcpip.sys
    - 2010-01-27 10:16 . 2008-06-20 11:51 361600 c:\windows\system32\dllcache\tcpip.sys
    + 2009-10-19 08:25 . 2008-04-14 05:42 1033728 c:\windows\system32\dllcache\explorer.exe
    - 2009-10-19 08:25 . 2009-10-19 08:25 1033728 c:\windows\explorer.exe
    + 2009-10-19 08:25 . 2008-04-14 05:42 1033728 c:\windows\explorer.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C37B053-FD68-456a-82E1-D788EE342E6F}]
    2009-05-07 21:46 2642432 ----a-w- c:\program files\Family Toolbar\tbcore3.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D62EC836-BF1E-4CAC-81BE-FB9179835D8E}]
    2010-02-18 07:37 221184 ----a-w- c:\program files\Family Toolbar\mhxpcomi.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{FD2FD708-1F6F-4B68-B141-C5778F0C19BB}"= "c:\program files\Family Toolbar\tbcore3.dll" [2009-05-07 2642432]

    [HKEY_CLASSES_ROOT\clsid\{fd2fd708-1f6f-4b68-b141-c5778f0c19bb}]
    [HKEY_CLASSES_ROOT\MHToolbar.MHToolbar.3]
    [HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
    [HKEY_CLASSES_ROOT\MHToolbar.MHToolbar]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-20 135664]
    "PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2009-09-28 1524824]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
    "CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
    "Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-06-25 294998]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "_nltide_3"="advpack.dll" [2009-10-19 128512]

    c:\documents and settings\Owner\Start Menu\Programs\Startup\
    3Connect.lnk - c:\program files\3 Mobile Broadband\3Connect\Wilog.exe [2010-9-29 38640]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableStatusMessages"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "MaxRecentDocs"= 18 (0x12)
    "NoSMConfigurePrograms"= 1 (0x1)
    "NoRecentDocsNetHood"= 1 (0x1)
    "MemCheckBoxInRunDlg"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\River Past\\Video Cleaner Pro\\VideoCleanerPro.exe"=
    "c:\\WINDOWS\\system32\\LEXPPS.EXE"=
    "c:\\Program Files\\Nero\\Nero 9\\Nero ShowTime\\ShowTime.exe"=
    "c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
    "c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
    "c:\\Program Files\\Opera\\opera.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1108000.005\symds.sys [19/10/2010 12:07 328752]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1108000.005\symefa.sys [19/10/2010 12:07 173104]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20101001.001\BHDrvx86.sys [01/10/2010 23:00 692272]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1108000.005\cchpx86.sys [19/10/2010 12:07 501888]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [05/01/2010 07:56 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/01/2010 07:56 67656]
    R1 SLEE_14_DRIVER;Steganos Live Encryption Engine 14 [Driver];c:\windows\system32\drivers\sleen14.sys [08/11/2006 13:19 72480]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1108000.005\ironx86.sys [19/10/2010 12:07 116784]
    R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [27/08/2010 10:09 312152]
    R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.8.0.5\ccsvchst.exe [19/10/2010 12:07 126392]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [19/10/2010 22:55 102448]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20101028.001\IDSXpx86.sys [19/10/2010 20:36 341880]
    R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [13/07/2010 23:14 14424]
    S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [19/10/2009 08:29 9472]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [30/11/2009 12:32 133104]
    S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [26/11/2009 13:21 88176]
    S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [29/09/2010 10:53 100736]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/01/2010 07:56 12872]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - PBFILTER
    *Deregistered* - uphcleanhlp

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-11-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-11-30 12:31]

    2010-11-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-11-30 12:31]

    2010-11-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-651377827-842925246-1003Core.job
    - c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-20 11:22]

    2010-11-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-651377827-842925246-1003UA.job
    - c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-20 11:22]

    2010-11-02 c:\windows\Tasks\User_Feed_Synchronization-{E654F2DD-1D76-433F-9151-37B2E1CF8ADE}.job
    - c:\windows\system32\msfeedssync.exe [2009-10-19 10:16]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uDefault_Search_URL = hxxp://www.google.com/ie
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    Handler: mhtb - {669A2A3A-F19C-452D-800D-1240299756C1} - c:\program files\Family Toolbar\mhxpcomi.dll
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xta0fo0z.default\
    FF - prefs.js: browser.search.selectedEngine - Secure Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.independent.ie/business/
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
    FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn\components\coFFPlgn.dll
    FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn\components\IPSFFPl.dll
    FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xta0fo0z.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
    FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xta0fo0z.default\extensions\{FD2FD708-1F6F-4B68-B141-C5778F0C19BB}\components\mhxpcom2.dll
    FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
    FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
    FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xta0fo0z.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
    FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
    FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
    FF - plugin: c:\program files\Opera\program\plugins\np_gp.dll
    FF - plugin: c:\program files\Opera\program\plugins\npdjvu.dll
    FF - plugin: c:\program files\Opera\program\plugins\npdjvu.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin2.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin3.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin4.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin5.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin6.dll
    FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin7.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-02 02:26
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NIS]
    "ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.8.0.5\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,56,a7,8f,36,64,87,b0,4b,8d,17,e5,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,56,a7,8f,36,64,87,b0,4b,8d,17,e5,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(520)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(432)
    c:\windows\system32\WININET.dll
    c:\progra~1\mcafee\SITEAD~1\saHook.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    c:\program files\MediaMonkey\DeskPlayer.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\xpsp3res.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-11-02 02:28:56
    ComboFix-quarantined-files.txt 2010-11-02 02:28
    ComboFix2.txt 2010-11-02 01:36

    Pre-Run: 87,497,977,856 bytes free
    Post-Run: 87,477,530,624 bytes free

    - - End Of File - - EDEF9AE988D2CFAF26691FF5168DF1C7


    Just as a matter of interest, Broni, what makes it look better?
    Cheers
    Will
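As an added example (not part of this thread, and not ComboFix's or OTL's own code), the Python below does the triage a helper does by eye on the ComboFix log above: it pairs the `-`/`+` lines of the SnapShot section by path to show which files changed in place between the two snapshots, and it pulls out Sigcheck entries that ComboFix marked `[-]`. The sample input is copied from the log posted above; the reading of each snapshot entry as "creation time . modification time size path" is an assumption about ComboFix's format, as is treating `[-]` simply as "failed the check" rather than anything more specific.

```python
import re

# Sample lines copied from the ComboFix log above (SnapShot@2010-10-28 and
# Sigcheck sections). Field order "created . modified size path" is assumed.
SNAPSHOT_SAMPLE = r"""
+ 2010-11-01 07:53 . 2010-11-01 07:53 16384 c:\windows\Temp\Perflib_Perfdata_750.dat
- 2008-04-14 12:00 . 2010-08-14 08:31 73062 c:\windows\system32\perfc009.dat
+ 2008-04-14 12:00 . 2010-11-01 07:54 73062 c:\windows\system32\perfc009.dat
+ 2009-10-19 08:35 . 2008-06-20 11:51 361600 c:\windows\system32\dllcache\tcpip.sys
- 2010-01-27 10:16 . 2008-06-20 11:51 361600 c:\windows\system32\dllcache\tcpip.sys
+ 2009-10-19 08:25 . 2008-04-14 05:42 1033728 c:\windows\system32\dllcache\explorer.exe
- 2009-10-19 08:25 . 2009-10-19 08:25 1033728 c:\windows\explorer.exe
+ 2009-10-19 08:25 . 2008-04-14 05:42 1033728 c:\windows\explorer.exe
"""

SIGCHECK_SAMPLE = r"""
[-] 2010-10-19 . 9E8EF33E20F23BC116A1E5A2DDCD2BA8 . 509440 . . [5.1.2600.5788] . . c:\windows\system32\winlogon.exe
"""

SNAP_RE = re.compile(
    r"^([+-]) (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+) (.+)$"
)
SIG_RE = re.compile(
    r"^\[(.)\] (\S+) \. ([0-9A-Fa-f]{32}) \. (\d+) \. \. \[([^\]]*)\] \. \. (.+)$"
)


def parse_snapshot(text):
    """Pair '-' (before) and '+' (after) snapshot lines by path.

    Returns {path: {"before": entry | None, "after": entry | None}} where an
    entry is (created, modified, size). Only '+' means the file is new, only
    '-' means it is gone, both means it changed in place.
    """
    changes = {}
    for line in text.splitlines():
        m = SNAP_RE.match(line.strip())
        if not m:
            continue
        sign, created, modified, size, path = m.groups()
        rec = changes.setdefault(path.lower(), {"before": None, "after": None})
        rec["before" if sign == "-" else "after"] = (created, modified, int(size))
    return changes


def classify(changes):
    """Label each path as added / removed / modified / unchanged."""
    result = {}
    for path, rec in changes.items():
        if rec["before"] is None:
            result[path] = "added"
        elif rec["after"] is None:
            result[path] = "removed"
        else:
            result[path] = "modified" if rec["before"] != rec["after"] else "unchanged"
    return result


def mtime_changed_in_place(changes, roots=("c:\\windows\\",)):
    """Files under the given roots whose modification time differs between snapshots.

    Core Windows files should not be rewritten between two snapshots taken days
    apart unless something touched them (malware patching the binary, or a tool
    restoring the original), so these are the first lines to read.
    """
    hits = []
    for path, rec in changes.items():
        if rec["before"] is None or rec["after"] is None:
            continue
        if not path.startswith(roots):
            continue
        if rec["before"][1] != rec["after"][1]:
            hits.append((path, rec["before"][1], rec["after"][1]))
    return sorted(hits)


def parse_sigcheck(text):
    """Parse ComboFix Sigcheck lines; a '[-]' prefix is taken to mean the check failed."""
    entries = []
    for line in text.splitlines():
        m = SIG_RE.match(line.strip())
        if not m:
            continue
        flag, date, md5, size, version, path = m.groups()
        entries.append({"flagged": flag == "-", "date": date, "md5": md5.upper(),
                        "size": int(size), "version": version, "path": path.lower()})
    return entries


if __name__ == "__main__":
    snap = parse_snapshot(SNAPSHOT_SAMPLE)
    for path, label in sorted(classify(snap).items()):
        print(f"{label:9} {path}")
    for path, old_mtime, new_mtime in mtime_changed_in_place(snap):
        print(f"mtime changed in place: {path}: {old_mtime} -> {new_mtime}")
    for e in parse_sigcheck(SIGCHECK_SAMPLE):
        if e["flagged"]:
            print(f"sigcheck failed: {e['path']} md5={e['md5']} version={e['version']}")
```

Run against the sample, it reports c:\windows\explorer.exe as changed in place with its modification time going from 2009-10-19 08:25 back to the 2008-04-14 05:42 stamp, and dllcache\tcpip.sys as changed only in its first timestamp, which matches the FCopy of tcpip.sys from dllcache listed earlier in the same log. The winlogon.exe Sigcheck line comes out flagged, which is the same entry ComboFix itself singled out.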
     
  19. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    Looks good :)

    Download OTL to your Desktop.

    • Double-click the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    • Under the Custom Scan box, paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  20. Will40

    Will40 TS Rookie Topic Starter Posts: 55

    PART 1:

    OTL logfile created on: 02/11/2010 02:42:16 - Run 1
    OTL by OldTimer - Version 3.2.17.2 Folder = C:\Documents and Settings\Owner\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00001809 | Country: Ireland | Language: ENI | Date Format: dd/MM/yyyy

    1,023.00 Mb Total Physical Memory | 360.00 Mb Available Physical Memory | 35.00% Memory free
    2.00 Gb Paging File | 2.00 Gb Available in Paging File | 77.00% Paging File free
    Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 149.00 Gb Total Space | 81.49 Gb Free Space | 54.69% Space Free | Partition Type: NTFS
    Drive D: | 25.12 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
    Drive F: | 644.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: ANONYMOUS | User Name: Will | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2010/11/01 10:32:11 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
    PRC - [2010/09/20 12:56:40 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
    PRC - [2010/08/13 11:58:56 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    PRC - [2010/07/07 09:13:50 | 000,241,725 | ---- | M] (Microsoft Corporation) -- C:\Program Files\UPHClean\uphclean.exe
    PRC - [2010/06/11 17:14:22 | 000,312,152 | ---- | M] (IObit) -- C:\Program Files\IObit\IObit Security 360\is360srv.exe
    PRC - [2010/05/20 16:19:16 | 000,088,176 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    PRC - [2010/02/26 00:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccsvchst.exe
    PRC - [2009/11/17 13:23:58 | 003,965,680 | ---- | M] (Birdstep Technology) -- C:\Program Files\3 Mobile Broadband\3Connect\WilogApp.exe
    PRC - [2009/11/17 13:13:48 | 000,667,648 | ---- | M] (Birdstep Technology) -- C:\Program Files\3 Mobile Broadband\3Connect\AutoUpdateSrv.exe
    PRC - [2009/09/28 01:02:44 | 001,524,824 | ---- | M] (PeerBlock, LLC) -- C:\Program Files\PeerBlock\peerblock.exe
    PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


    ========== Modules (SafeList) ==========

    MOD - [2010/11/01 10:32:11 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
    MOD - [2010/08/23 16:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
    MOD - [2010/07/14 12:30:14 | 000,018,688 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\sahook.dll
    MOD - [2008/04/14 12:00:00 | 000,689,152 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\xpsp3res.dll


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Auto | Stopped] -- C:\WINDOWS\System32\wscsvc.dll -- (wscsvc)
    SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
    SRV - [2010/08/13 11:58:56 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
    SRV - [2010/07/07 09:13:50 | 000,241,725 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\UPHClean\uphclean.exe -- (UPHClean)
    SRV - [2010/06/11 17:14:22 | 000,312,152 | ---- | M] (IObit) [Auto | Running] -- C:\Program Files\IObit\IObit Security 360\is360srv.exe -- (IS360service)
    SRV - [2010/05/25 11:38:06 | 000,613,888 | ---- | M] (Nokia) [On_Demand | Stopped] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
    SRV - [2010/05/20 16:19:16 | 000,088,176 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
    SRV - [2010/04/26 12:00:54 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
    SRV - [2010/03/29 07:53:22 | 000,068,000 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus(R)
    SRV - [2010/02/26 00:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe -- (NIS)
    SRV - [2008/09/29 11:09:20 | 000,935,208 | ---- | M] (Nero AG) [On_Demand | Stopped] -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe -- (Nero BackItUp Scheduler 4.0)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Running] -- C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys -- (catchme)
    DRV - [2010/10/19 22:55:21 | 001,371,184 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20101031.002\NAVEX15.SYS -- (NAVEX15)
    DRV - [2010/10/19 22:55:21 | 000,086,064 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20101031.002\NAVENG.SYS -- (NAVENG)
    DRV - [2010/10/19 22:55:20 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
    DRV - [2010/10/19 22:55:20 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
    DRV - [2010/10/19 20:36:22 | 000,341,880 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20101028.001\IDSXpx86.sys -- (IDSxpx86)
    DRV - [2010/10/18 22:51:33 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
    DRV - [2010/10/01 23:00:02 | 000,692,272 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20101001.001\BHDrvx86.sys -- (BHDrvx86)
    DRV - [2010/05/27 08:39:13 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
    DRV - [2010/05/06 04:01:59 | 000,361,904 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\NIS\1108000.005\SYMTDI.SYS -- (SYMTDI)
    DRV - [2010/04/29 05:03:51 | 000,116,784 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NIS\1108000.005\Ironx86.SYS -- (SymIRON)
    DRV - [2010/04/22 03:02:20 | 000,173,104 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\NIS\1108000.005\SYMEFA.SYS -- (SymEFA)
    DRV - [2010/04/22 02:29:50 | 000,325,680 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\NIS\1108000.005\SRTSP.SYS -- (SRTSP)
    DRV - [2010/04/22 02:29:50 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NIS\1108000.005\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
    DRV - [2010/02/26 13:32:58 | 000,008,192 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys -- (UsbserFilt)
    DRV - [2010/02/26 13:32:46 | 000,008,192 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbser_lowerflt.sys -- (upperdev)
    DRV - [2010/02/26 13:32:44 | 000,022,528 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ccdcmbo.sys -- (nmwcdc)
    DRV - [2010/02/26 13:32:44 | 000,018,176 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ccdcmb.sys -- (nmwcd)
    DRV - [2010/02/26 00:22:57 | 000,501,888 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NIS\1108000.005\ccHPx86.sys -- (ccHP)
    DRV - [2010/02/25 13:15:59 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
    DRV - [2010/02/25 13:15:59 | 000,012,872 | ---- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
    DRV - [2010/02/11 11:36:50 | 000,226,880 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
    DRV - [2009/11/17 13:01:18 | 000,010,240 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdvrmng.sys -- (mdvrmng)
    DRV - [2009/10/19 08:29:36 | 000,009,472 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\dumpdrv.sys -- (DumpDrv)
    DRV - [2009/09/28 01:02:44 | 000,014,424 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Program Files\PeerBlock\pbfilter.sys -- (pbfilter)
    DRV - [2009/09/10 12:55:52 | 000,102,528 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ewusbmdm.sys -- (hwdatacard)
    DRV - [2009/08/30 00:17:18 | 000,328,752 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\NIS\1108000.005\SYMDS.SYS -- (SymDS)
    DRV - [2009/07/24 16:33:24 | 000,100,736 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbdev.sys -- (hwusbdev)
    DRV - [2009/02/24 18:42:14 | 000,116,736 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mcdbus.sys -- (mcdbus)
    DRV - [2008/08/26 09:26:12 | 000,018,816 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pccsmcfd.sys -- (pccsmcfd)
    DRV - [2008/04/13 20:04:32 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
    DRV - [2006/11/08 13:19:24 | 000,072,480 | ---- | M] (Softwareentwicklung Remus - ArchiCrypt ) [Driver] [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\sleen14.sys -- (SLEE_14_DRIVER)
    DRV - [2003/03/27 16:58:56 | 000,287,920 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctdvda2k.sys -- (ctdvda2k)
    DRV - [2003/03/26 21:33:58 | 000,498,688 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
    DRV - [2003/03/26 21:32:32 | 000,189,504 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
    DRV - [2003/03/26 21:32:02 | 000,141,536 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hap16v2k.sys -- (hap16v2k)
    DRV - [2003/03/26 21:31:40 | 000,823,616 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ha10kx2k.sys -- (ha10kx2k)
    DRV - [2003/03/06 15:10:34 | 000,015,840 | ---- | M] (Creative Technology Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\pfmodnt.sys -- (PfModNT)
    DRV - [2003/02/20 22:24:46 | 000,116,000 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emupia2k.sys -- (emupia)
    DRV - [2003/02/20 22:24:34 | 000,135,248 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
    DRV - [2003/02/20 22:24:18 | 000,006,144 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctprxy2k.sys -- (ctprxy2k)
    DRV - [2003/02/20 22:22:38 | 000,135,040 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctac32k.sys -- (ctac32k)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========


    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.search.defaultenginename: "Secure Search"
    FF - prefs.js..browser.search.selectedEngine: "Secure Search"
    FF - prefs.js..browser.startup.homepage: "http://www.independent.ie/business/"
    FF - prefs.js..extensions.enabledItems: {582195F5-92E7-40a0-A127-DB71295901D7}:0.6
    FF - prefs.js..extensions.enabledItems: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20100503
    FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.7.4
    FF - prefs.js..extensions.enabledItems: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3}:1.48.3
    FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1.6.2.63
    FF - prefs.js..extensions.enabledItems: {F8A55C97-3DB6-4961-A81D-0DE0080E53CB}:0.9.2
    FF - prefs.js..extensions.enabledItems: {FD2FD708-1F6F-4B68-B141-C5778F0C19BB}:1.0.5
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
    FF - prefs.js..extensions.enabledItems: bkmrksync@nokia.com:1.0.0.732
    FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.2
    FF - prefs.js..extensions.enabledItems: {BBDA0591-3099-440a-AA10-41764D9DB4DB}:2.0
    FF - prefs.js..extensions.enabledItems: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}:4.6
    FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=mcafee&p="

    FF - HKLM\software\mozilla\Firefox\Extensions\\bkmrksync@nokia.com: C:\Program Files\Nokia\Nokia PC Suite 7\bkmrksync\ [2010/06/21 15:24:24 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/09/30 15:06:50 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Firefox\Extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\Program Files\CheckPoint\ZAForceField\TrustChecker
    FF - HKLM\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn\ [2010/10/19 12:07:21 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn\ [2010/10/19 10:02:09 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/10/05 11:53:07 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/10/05 11:53:07 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.4\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/10/05 11:53:07 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.4\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2010/10/05 11:53:07 | 000,000,000 | ---D | M]

    [2009/12/14 15:53:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
    [2009/12/14 15:53:02 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
    [2010/11/01 21:00:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xta0fo0z.default\extensions
    [2010/10/05 11:30:12 | 000,000,000 | ---D | M] (FoxyTunes) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xta0fo0z.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}
    [2010/02/01 15:41:27 | 000,000,000 | ---D | M] (Gmail Manager) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xta0fo0z.default\extensions\{582195F5-92E7-40a0-A127-DB71295901D7}
    [2010/05/17 12:00:47 | 000,000,000 | ---D | M] (WOT) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xta0fo0z.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
    [2010/07/16 13:12:09 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xta0fo0z.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
    [2010/08/23 13:03:39 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xta0fo0z.default\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
    [2010/07/16 13:12:12 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus(R))) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xta0fo0z.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
    [2010/05/17 12:12:26 | 000,000,000 | ---D | M] (Download Manager Tweak) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xta0fo0z.default\extensions\{F8A55C97-3DB6-4961-A81D-0DE0080E53CB}
    [2010/09/23 12:41:50 | 000,000,000 | ---D | M] (Family Toolbar) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xta0fo0z.default\extensions\{FD2FD708-1F6F-4B68-B141-C5778F0C19BB}
    [2009/11/17 01:11:18 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
    [2009/07/31 12:06:48 | 001,654,784 | ---- | M] (LizardTech) -- C:\Program Files\Mozilla Firefox\plugins\npdjvu.dll
    [2010/03/05 15:26:52 | 000,075,208 | ---- | M] (Foxit Software Company) -- C:\Program Files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
    [2010/08/13 23:38:40 | 000,002,024 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\McSiteAdvisor.xml

    O1 HOSTS File: ([2010/10/28 14:20:40 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (MHTBPos00 Class) - {0C37B053-FD68-456a-82E1-D788EE342E6F} - C:\Program Files\Family Toolbar\tbcore3.dll ()
    O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.8.0.5\coieplg.dll (Symantec Corporation)
    O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ipsbho.dll (Symantec Corporation)
    O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    O2 - BHO: (CMySite Class) - {D62EC836-BF1E-4CAC-81BE-FB9179835D8E} - C:\Program Files\Family Toolbar\mhxpcomi.dll ()
    O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.8.0.5\coieplg.dll (Symantec Corporation)
    O3 - HKLM\..\Toolbar: (Family Toolbar) - {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - C:\Program Files\Family Toolbar\tbcore3.dll ()
    O3 - HKCU\..\Toolbar\WebBrowser: (ZoneAlarm Toolbar) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll File not found
    O4 - HKLM..\Run: [CoolSwitch] C:\WINDOWS\system32\TaskSwitch.exe ()
    O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
    O4 - HKCU..\Run: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe (PeerBlock, LLC)
    O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\3Connect.lnk = C:\Program Files\3 Mobile Broadband\3Connect\Wilog.exe (Birdstep Technology)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSharedDocuments = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: MaxRecentDocs = 18
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRecentDocsNetHood = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: MemCheckBoxInRunDlg = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: verbosestatus = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableStatusMessages = 1
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 0
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
    O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16)
    O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16)
    O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    O18 - Protocol\Handler\mhtb {669A2A3A-F19C-452D-800D-1240299756C1} - C:\Program Files\Family Toolbar\mhxpcomi.dll ()
    O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
    O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2009/11/16 22:52:09 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2009/11/18 14:18:22 | 000,143,360 | R--- | M] (Huawei Technologies Co., Ltd.) - D:\AutoRun.exe -- [ CDFS ]
    O32 - AutoRun File - [2009/03/20 17:20:32 | 000,027,750 | R--- | M] () - D:\AutoRun.ico -- [ CDFS ]
    O32 - AutoRun File - [2009/11/17 14:01:12 | 000,000,047 | R--- | M] () - D:\AUTORUN.INF -- [ CDFS ]
    O32 - AutoRun File - [2004/08/12 13:36:22 | 000,000,110 | R--- | M] () - F:\AUTORUN.INF -- [ CDFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found

    Drivers32: msacm.ac3acm - C:\WINDOWS\System32\ac3acm.acm (fccHandler)
    Drivers32: msacm.divxa32 - C:\WINDOWS\System32\divxa32.acm (Kristal StudioDFileDescription)
    Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
    Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.l3fhg - C:\WINDOWS\System32\mp3fhg.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.lameacm - C:\WINDOWS\System32\lameACM.acm (http://www.mp3dev.org/)
    Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
    Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
    Drivers32: msacm.vorbis - C:\WINDOWS\System32\vorbis.acm (HMS http://hp.vector.co.jp/authors/VA012897/)
    Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
    Drivers32: VIDC.DIVX - C:\WINDOWS\System32\divx.dll (DivX, Inc.)
    Drivers32: VIDC.FFDS - C:\WINDOWS\System32\ff_vfw.dll ()
    Drivers32: VIDC.HFYU - C:\WINDOWS\System32\huffyuv.dll (Disappearing Inc.)
    Drivers32: vidc.i263 - C:\WINDOWS\System32\I263_32.drv (Intel Corporation)
    Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
    Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
    Drivers32: VIDC.VP60 - C:\WINDOWS\System32\vp6vfw.dll (On2.com)
    Drivers32: VIDC.VP61 - C:\WINDOWS\System32\vp6vfw.dll (On2.com)
    Drivers32: VIDC.VP62 - C:\WINDOWS\System32\vp6vfw.dll (On2.com)
    Drivers32: VIDC.VP70 - C:\WINDOWS\System32\vp7vfw.dll (On2.com)
    Drivers32: VIDC.WMV3 - C:\WINDOWS\System32\wmv9vcm.dll (Microsoft Corporation)
    Drivers32: VIDC.X264 - C:\WINDOWS\System32\x264vfw.dll ()
    Drivers32: VIDC.XVID - C:\WINDOWS\System32\xvidvfw.dll ()
    Drivers32: VIDC.YV12 - C:\WINDOWS\System32\yv12vfw.dll (www.helixcommunity.org)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point (17183584330711040)

    ========== Files/Folders - Created Within 30 Days ==========

    [2010/11/01 10:31:00 | 000,576,000 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
    [2010/11/01 06:46:05 | 000,000,000 | ---D | C] -- C:\XP-SP3
    [2010/10/31 22:19:07 | 000,000,000 | ---D | C] -- C:\XP Boot Image
    [2010/10/30 09:22:08 | 000,000,000 | ---D | C] -- C:\XPSP3 File
    [2010/10/30 09:21:45 | 000,000,000 | ---D | C] -- C:\XP
    [2010/10/29 12:12:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\CatRoot_bak
    [2010/10/29 09:48:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\xircom
    [2010/10/29 09:48:19 | 000,000,000 | ---D | C] -- C:\Program Files\xerox
    [2010/10/29 09:48:19 | 000,000,000 | ---D | C] -- C:\Program Files\outlook express
    [2010/10/29 09:48:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\oobe
    [2010/10/29 09:48:19 | 000,000,000 | ---D | C] -- C:\Program Files\netmeeting
    [2010/10/29 09:48:19 | 000,000,000 | ---D | C] -- C:\Program Files\msn gaming zone
    [2010/10/29 09:48:19 | 000,000,000 | ---D | C] -- C:\Program Files\movie maker
    [2010/10/29 09:48:18 | 000,000,000 | ---D | C] -- C:\Program Files\microsoft frontpage
    [2010/10/29 09:48:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\inetsrv
    [2010/10/28 14:09:41 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2010/10/28 13:35:39 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2010/10/28 13:35:39 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2010/10/28 13:35:39 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2010/10/28 13:35:39 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2010/10/28 13:35:22 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2010/10/28 13:34:56 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2010/10/27 12:13:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Malware Log Files
    [2010/10/26 11:39:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
    [2010/10/19 12:07:51 | 000,361,904 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1108000.005\symtdi.sys
    [2010/10/19 12:07:51 | 000,339,504 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1108000.005\symtdiv.sys
    [2010/10/19 12:07:51 | 000,328,752 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1108000.005\symds.sys
    [2010/10/19 12:07:51 | 000,173,104 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1108000.005\symefa.sys
    [2010/10/19 12:07:50 | 000,501,888 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1108000.005\cchpx86.sys
    [2010/10/19 12:07:50 | 000,325,680 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1108000.005\srtsp.sys
    [2010/10/19 12:07:50 | 000,116,784 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1108000.005\ironx86.sys
    [2010/10/19 12:07:50 | 000,043,696 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1108000.005\srtspx.sys
    [2010/10/19 12:07:26 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NIS\1108000.005
    [2010/10/18 22:51:33 | 000,124,976 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
    [2010/10/18 22:51:33 | 000,060,808 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
    [2010/10/18 22:51:33 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared
    [2010/10/18 22:51:33 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec
    [2010/10/18 22:50:49 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NIS
    [2010/10/18 22:50:44 | 000,000,000 | ---D | C] -- C:\Program Files\Norton Internet Security
    [2010/10/18 22:50:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Norton
    [2010/10/18 21:51:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\Internet Logs
    [2010/10/18 21:45:36 | 000,000,000 | ---D | C] -- C:\Program Files\NortonInstaller
    [2010/10/18 21:45:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller
    [2010/10/07 16:01:44 | 000,000,000 | ---D | C] -- C:\Program Files\PopCap Games
    [2010/10/06 10:24:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Adobe
    [2010/10/05 11:57:15 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
    [2010/10/05 11:57:11 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
    [2009/11/16 23:15:31 | 000,065,536 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll

    ========== Files - Modified Within 30 Days ==========

    [2010/11/02 02:33:02 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{E654F2DD-1D76-433F-9151-37B2E1CF8ADE}.job
    [2010/11/02 02:08:03 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
    [2010/11/02 02:03:03 | 000,000,976 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-117609710-651377827-842925246-1003UA.job
    [2010/11/02 01:53:02 | 000,075,264 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\SystemLook.exe
    [2010/11/02 01:08:01 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
    [2010/11/01 11:03:00 | 000,000,924 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-117609710-651377827-842925246-1003Core.job
    [2010/11/01 10:32:11 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
    [2010/11/01 07:54:26 | 000,446,068 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2010/11/01 07:54:26 | 000,073,062 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2010/11/01 07:52:22 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2010/11/01 07:52:19 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2010/11/01 07:52:17 | 1072,746,496 | -HS- | M] () -- C:\hiberfil.sys
    [2010/11/01 07:51:27 | 000,030,036 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000002-00000000-00000000-00001102-00000004-10031102}.rfx
    [2010/11/01 07:51:27 | 000,030,036 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000002-00000000-00000000-00001102-00000004-10031102}.rfx
    [2010/11/01 07:51:27 | 000,029,760 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000002-00000000-00000000-00001102-00000004-10031102}.rfx
    [2010/11/01 07:51:27 | 000,029,760 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000002-00000000-00000000-00001102-00000004-10031102}.rfx
    [2010/11/01 07:51:27 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
    [2010/11/01 07:51:27 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
    [2010/11/01 07:51:27 | 000,000,288 | ---- | M] () -- C:\WINDOWS\System32\DVCStateBkp-{00000002-00000000-00000000-00001102-00000004-10031102}.dat
    [2010/11/01 07:51:27 | 000,000,288 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000002-00000000-00000000-00001102-00000004-10031102}.dat
    [2010/11/01 07:23:18 | 001,170,678 | ---- | M] () -- C:\WINDOWS\System32\drivers\NIS\1108000.005\Cat.DB
    [2010/10/28 14:20:40 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2010/10/28 14:09:47 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2010/10/27 12:11:37 | 000,000,489 | ---- | M] () -- C:\WINDOWS\DELLSTAT.INI
    [2010/10/26 11:45:00 | 000,016,968 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
    [2010/10/26 10:21:55 | 003,886,730 | R--- | M] () -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    [2010/10/25 22:16:10 | 000,079,872 | ---- | M] () -- C:\WINDOWS\MBR.exe
    [2010/10/21 16:50:40 | 005,223,811 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\A major city view on smart ICT applications for electric mobility..pdf
    [2010/10/19 19:36:38 | 000,001,964 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Norton Internet Security.LNK
    [2010/10/18 22:51:33 | 000,124,976 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
    [2010/10/18 22:51:33 | 000,060,808 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
    [2010/10/18 22:51:33 | 000,007,443 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
    [2010/10/18 22:51:33 | 000,000,805 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
    [2010/10/18 10:10:01 | 000,004,212 | -H-- | M] () -- C:\WINDOWS\System32\zllictbl.dat
    [2010/10/16 08:28:09 | 000,333,872 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2010/10/07 16:01:47 | 000,000,966 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Plants vs. Zombies.lnk
    [2010/10/07 12:43:35 | 000,001,285 | ---- | M] () -- C:\WINDOWS\MyHeritage.INI
    [2010/10/07 10:10:10 | 000,000,745 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\IObit Security 360.lnk
    [2010/10/07 01:43:40 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
    [2010/10/06 14:58:47 | 000,075,164 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat
    [2010/10/06 13:15:45 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\iTunes.lnk
    [2010/10/06 13:13:39 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk

    ========== Files Created - No Company Name ==========
     
  21. Will40

    Will40 TS Rookie Topic Starter Posts: 55

    OTL FILE - PART 2

    ========== Files Created - No Company Name ==========

    [2010/11/02 02:18:13 | 000,006,662 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\WSCNTFY.EX_
    [2010/11/02 01:52:59 | 000,075,264 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\SystemLook.exe
    [2010/10/31 19:56:16 | 005,223,811 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\A major city view on smart ICT applications for electric mobility..pdf
    [2010/10/29 12:32:35 | 1072,746,496 | -HS- | C] () -- C:\hiberfil.sys
    [2010/10/29 10:06:47 | 000,011,651 | ---- | C] () -- C:\WINDOWS\System32\dllcache\msn9.cat
    [2010/10/29 10:06:46 | 000,024,209 | ---- | C] () -- C:\WINDOWS\System32\dllcache\msn7.cat
    [2010/10/29 10:06:45 | 000,013,753 | ---- | C] () -- C:\WINDOWS\System32\dllcache\IMS.CAT
    [2010/10/29 10:06:45 | 000,009,581 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MSMSGS.CAT
    [2010/10/29 10:06:44 | 000,031,281 | ---- | C] () -- C:\WINDOWS\System32\dllcache\FP4.CAT
    [2010/10/29 10:06:42 | 000,399,645 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MAPIMIG.CAT
    [2010/10/29 10:06:39 | 000,797,189 | ---- | C] () -- C:\WINDOWS\System32\dllcache\NT5IIS.CAT
    [2010/10/28 14:09:46 | 000,000,211 | ---- | C] () -- C:\Boot.bak
    [2010/10/28 14:09:43 | 000,260,272 | RHS- | C] () -- C:\cmldr
    [2010/10/28 13:35:39 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2010/10/28 13:35:39 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2010/10/28 13:35:39 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2010/10/28 13:35:39 | 000,079,872 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2010/10/28 13:35:39 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2010/10/26 11:45:00 | 000,016,968 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
    [2010/10/25 12:57:11 | 003,886,730 | R--- | C] () -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    [2010/10/19 19:35:54 | 001,170,678 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1108000.005\Cat.DB
    [2010/10/19 12:07:51 | 000,007,873 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1108000.005\symefa.cat
    [2010/10/19 12:07:51 | 000,007,787 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1108000.005\symnetv.cat
    [2010/10/19 12:07:51 | 000,007,425 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1108000.005\symds.cat
    [2010/10/19 12:07:51 | 000,007,368 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1108000.005\symnet.cat
    [2010/10/19 12:07:51 | 000,003,373 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1108000.005\symefa.inf
    [2010/10/19 12:07:51 | 000,002,793 | R--- | C] () -- C:\WINDOWS\System32\drivers\NIS\1108000.005\symds.inf
    [2010/10/19 12:07:51 | 000,001,473 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1108000.005\symnetv.inf
    [2010/10/19 12:07:51 | 000,001,445 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1108000.005\symnet.inf
    [2010/10/19 12:07:50 | 000,007,442 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1108000.005\srtspx.cat
    [2010/10/19 12:07:50 | 000,007,438 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1108000.005\srtsp.cat
    [2010/10/19 12:07:50 | 000,007,438 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1108000.005\iron.cat
    [2010/10/19 12:07:50 | 000,007,396 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1108000.005\cchpx86.cat
    [2010/10/19 12:07:50 | 000,001,754 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1108000.005\cchpx86.inf
    [2010/10/19 12:07:50 | 000,001,388 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1108000.005\srtspx.inf
    [2010/10/19 12:07:50 | 000,001,382 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1108000.005\srtsp.inf
    [2010/10/19 12:07:50 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1108000.005\iron.inf
    [2010/10/19 12:07:26 | 000,000,172 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1108000.005\isolate.ini
    [2010/10/18 22:51:33 | 000,007,443 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
    [2010/10/18 22:51:33 | 000,000,805 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
    [2010/10/18 22:51:22 | 000,001,964 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Norton Internet Security.LNK
    [2010/10/07 16:01:47 | 000,000,966 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Plants vs. Zombies.lnk
    [2010/10/07 10:10:10 | 000,000,745 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\IObit Security 360.lnk
    [2010/10/06 13:15:45 | 000,002,137 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\iTunes.lnk
    [2010/10/05 11:58:11 | 000,002,137 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
    [2010/09/29 10:53:44 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\drivers\mdvrmng.sys
    [2010/09/15 13:31:48 | 000,001,285 | ---- | C] () -- C:\WINDOWS\MyHeritage.INI
    [2010/09/15 13:28:11 | 000,454,656 | ---- | C] () -- C:\WINDOWS\System32\PaintX.dll
    [2010/06/23 17:43:02 | 000,189,176 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    [2010/04/02 15:34:04 | 000,368,640 | ---- | C] () -- C:\WINDOWS\System32\mss32.dll
    [2010/03/27 11:59:35 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\downloads.m3u
    [2010/03/25 16:52:11 | 000,000,175 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\default.rss
    [2010/03/11 10:56:18 | 000,000,248 | ---- | C] () -- C:\WINDOWS\RomeTW.ini
    [2010/02/16 14:03:30 | 000,000,324 | ---- | C] () -- C:\WINDOWS\CDPlayer.ini
    [2009/12/15 13:17:30 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
    [2009/12/11 15:47:40 | 000,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
    [2009/11/30 12:31:29 | 000,176,235 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll
    [2009/11/20 11:26:46 | 000,046,080 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2009/11/17 14:32:50 | 000,327,168 | ---- | C] () -- C:\WINDOWS\System32\cutil32.dll
    [2009/11/16 23:25:42 | 000,000,489 | ---- | C] () -- C:\WINDOWS\DELLSTAT.INI
    [2009/11/16 23:25:27 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlbavs.dll
    [2009/11/16 23:25:09 | 000,000,177 | ---- | C] () -- C:\WINDOWS\System32\dlbacoin.ini
    [2009/11/16 23:16:30 | 000,000,231 | ---- | C] () -- C:\WINDOWS\AC3API.INI
    [2009/11/16 23:15:48 | 000,066,807 | ---- | C] () -- C:\WINDOWS\System32\Aud2_Del.ini
    [2009/11/16 23:15:48 | 000,000,030 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
    [2009/11/16 23:15:38 | 000,005,515 | ---- | C] () -- C:\WINDOWS\System32\ENSDEF.INI
    [2009/11/16 23:15:38 | 000,000,180 | ---- | C] () -- C:\WINDOWS\System32\KILL.INI
    [2009/11/16 23:14:25 | 000,000,136 | ---- | C] () -- C:\WINDOWS\SBWIN.INI
    [2009/11/16 23:07:17 | 000,000,076 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\FASTWiz.log
    [2009/11/16 23:01:01 | 000,178,176 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
    [2009/11/16 23:01:01 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
    [2009/11/16 23:00:59 | 002,378,752 | ---- | C] () -- C:\WINDOWS\System32\x264vfw.dll
    [2009/11/16 23:00:59 | 000,881,664 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
    [2009/11/16 23:00:59 | 000,205,824 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
    [2009/11/16 23:00:58 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
    [2009/11/16 23:00:57 | 000,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
    [2009/11/16 16:41:13 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2009/10/19 08:34:58 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\msvcrt10.dll
    [2009/05/25 14:27:26 | 000,466,944 | ---- | C] () -- C:\WINDOWS\RemoveDevice.dll
    [2006/08/31 17:46:13 | 000,000,310 | ---- | C] () -- C:\WINDOWS\primopdf.ini
    [2003/09/16 15:52:28 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\vorbis.dll
    [2003/09/16 15:43:31 | 000,884,736 | ---- | C] () -- C:\WINDOWS\System32\vorbisenc.dll
    [2003/09/16 15:41:43 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\ogg.dll

    ========== LOP Check ==========

    [2010/09/29 10:54:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Birdstep Technology
    [2009/11/16 23:25:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
    [2010/09/06 18:31:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hagel Technologies
    [2010/10/26 11:39:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
    [2010/06/21 15:06:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Installations
    [2010/01/27 10:07:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IObit
    [2009/11/19 16:22:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Kaspersky SDK
    [2010/09/15 14:21:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MyHeritage
    [2010/06/23 17:19:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NokiaMusic
    [2010/06/24 10:15:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Suite
    [2009/11/16 23:44:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\River Past G5
    [2010/04/26 12:41:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Rosetta Stone
    [2010/10/15 08:39:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2009/11/17 14:50:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Vodafone
    [2010/04/08 16:09:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    [2009/11/17 17:21:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
    [2010/10/05 22:11:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Auslogics
    [2010/09/29 10:54:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Birdstep Technology
    [2010/04/02 17:51:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\CheckPoint
    [2009/11/16 23:39:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Downloaded Installations
    [2009/11/16 23:00:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Foxit
    [2010/08/23 09:26:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Foxit Software
    [2010/04/05 18:12:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\funkitron
    [2010/08/27 10:09:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\IObit
    [2010/09/06 11:31:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\MP3toiPodAudioBookConverter
    [2010/09/15 13:30:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\MyHeritage
    [2010/06/23 17:40:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Nokia
    [2010/05/18 18:28:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Opera
    [2010/06/13 18:00:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Orbit
    [2010/06/21 17:02:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\PC Suite
    [2009/11/16 23:41:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\River Past G5
    [2010/04/16 12:49:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Styler
    [2010/09/15 13:28:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\The Complete Genealogy Reporter - FTB
    [2009/12/14 15:52:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Thunderbird
    [2010/10/29 23:12:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\uTorrent
    [2010/04/16 10:32:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\ViStart
    [2009/11/17 14:51:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Vodafone
    [2010/01/05 14:59:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\VSRevoGroup
    [2010/11/02 02:33:02 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{E654F2DD-1D76-433F-9151-37B2E1CF8ADE}.job

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2010/01/26 16:32:28 | 000,000,000 | ---- | M] () -- C:\AILog.txt
    [2009/11/16 22:52:09 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
    [2009/11/16 22:45:22 | 000,000,211 | ---- | M] () -- C:\Boot.bak
    [2010/10/28 14:09:47 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2004/08/03 22:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
    [2010/11/02 02:28:57 | 000,019,582 | ---- | M] () -- C:\ComboFix.txt
    [2009/11/16 22:52:09 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
    [2010/11/01 07:52:17 | 1072,746,496 | -HS- | M] () -- C:\hiberfil.sys
    [2009/11/17 15:38:14 | 000,000,251 | ---- | M] () -- C:\INSTALL.LOG
    [2009/11/16 22:52:09 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2010/05/05 09:40:54 | 000,000,109 | ---- | M] () -- C:\mbam-error.txt
    [2009/11/16 22:52:09 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2008/04/14 12:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
    [2008/04/14 12:00:00 | 000,250,048 | RHS- | M] () -- C:\ntldr
    [2010/11/01 07:52:16 | 1610,612,736 | -HS- | M] () -- C:\pagefile.sys

    < %systemroot%\Fonts\*.com >
    [2006/04/18 19:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
    [2006/06/29 18:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
    [2006/04/18 19:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
    [2006/06/29 18:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2009/11/16 22:51:36 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2003/02/05 15:06:16 | 000,077,824 | ---- | M] () -- C:\WINDOWS\system32\spool\prtprocs\w32x86\DLBAPP5C.DLL
    [2009/08/14 14:19:28 | 000,091,648 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    [2006/10/27 01:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\msonpppr.dll
    [2009/08/14 14:19:28 | 000,589,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
    [2002/05/14 22:50:34 | 000,011,264 | ---- | M] (BVRP Software) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\wfxprint2000.dll

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2009/11/16 16:37:21 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
    [2009/11/16 16:37:21 | 001,073,152 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
    [2009/11/16 16:37:21 | 000,909,312 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
    [2009/11/16 22:52:17 | 000,000,227 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2009/11/16 22:54:10 | 000,000,060 | -HS- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
    [2009/11/16 22:54:10 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

    < %USERPROFILE%\Desktop\*.exe >
    [2010/10/26 10:21:55 | 003,886,730 | R--- | M] () -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    [2010/11/01 10:32:11 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
    [2010/11/02 01:53:02 | 000,075,264 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\SystemLook.exe
    [2008/04/14 05:42:42 | 000,013,824 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Owner\Desktop\wscntfy.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >
    [2010/10/29 17:53:17 | 011,014,317 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Owner\My Documents\WindowsXP-KB936929-SP3-x86-ENU.exe

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2009/11/16 22:54:10 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\Owner\Favorites\Desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >
    Huawei ModemsUninstall.exe
    Video Cleaner Pro Uninstaller.exe

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >
    [2010/11/02 02:33:01 | 000,032,768 | -HS- | M] () -- C:\Documents and Settings\Owner\Cookies\index.dat

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [2009/10/19 08:27:20 | 000,317,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >
    "NoAutoRebootWithLoggedOnUsers" = 1
    "RebootRelaunchTimeoutEnabled" = 1
    "RebootRelaunchTimeout" = 1440

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
    @Alternate Data Stream - 88 bytes -> C:\WINDOWS\System32\msfeedssync.exe:SummaryInformation

    < End of report >
     
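The OTL report above uses two fixed line shapes: file and directory entries (`[date | size | attrs | C/M] (company) -- path`) and alternate-data-stream lines (`@Alternate Data Stream - N bytes -> path:stream`). As an added example, not part of Will40's post and not OTL's own code, here is a small Python parser for those two formats with three triage rules a reviewer might apply to such a listing. The system root, the 30-day window, the XP profile path and the three rules are this example's assumptions; the sample lines are copied from the report above. A hit is something to look at, not a verdict: the three `C:\WINDOWS` binaries created in the same second on 2010/10/28 and `hitmanpro35.sys` coincide with the cleanup tools being run in this thread, and `SummaryInformation` is a property stream Explorer attaches to files, so each hit still has to be matched against what is known to have been installed.

```python
import re
from datetime import datetime, timedelta

# One OTL file or directory line, e.g.
#   [2010/10/28 13:35:39 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
# Directory lines carry no "(company)" field, so that group is optional.
OTL_ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[RHSD-]{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+?)\s*$"
)
# One OTL alternate-data-stream line.
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+?)\s*$")

EXECUTABLE_EXTS = (".exe", ".dll", ".sys", ".scr", ".com", ".pif", ".cpl")
SYSTEM_ROOT = r"C:\WINDOWS"   # assumed: the %SystemRoot% printed in the report
RECENT_DAYS = 30              # assumed window for the "recently created" rule
USER_PROFILES = r"c:\documents and settings"  # XP profile root, lower-cased


def parse_entry(line):
    """Parse one OTL file/directory line into a dict, or return None."""
    m = OTL_ENTRY_RE.match(line.strip())
    if not m:
        return None
    return {
        "timestamp": datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
        "size": int(m.group("size").replace(",", "")),
        "attrs": m.group("attrs"),
        "kind": m.group("kind"),  # C = created-date listing, M = modified-date listing
        "company": (m.group("company") or "").strip(),
        "path": m.group("path"),
        "is_dir": "D" in m.group("attrs"),
    }


def parse_ads(line):
    """Parse one OTL ADS line into (file_path, stream_name, size), or None."""
    m = ADS_RE.match(line.strip())
    if not m:
        return None
    full = m.group("path")
    base, _, stream = full.rpartition(":")
    if "\\" in stream:            # the only ':' was the drive letter's
        return (full, "", int(m.group("size")))
    return (base, stream, int(m.group("size")))


def triage(lines, scan_time):
    """Return (path, reason) pairs for lines matching three illustrative rules.

    The rules are this example's own, not OTL's heuristics:
      1. a binary with no company name, created within RECENT_DAYS of the
         scan, directly in the system root or in system32\\drivers;
      2. a binary anywhere under the user profiles tree;
      3. an alternate data stream other than Zone.Identifier.
    """
    findings = []
    cutoff = scan_time - timedelta(days=RECENT_DAYS)
    drivers_dir = (SYSTEM_ROOT + r"\System32\drivers").lower()
    for line in lines:
        entry = parse_entry(line)
        if entry is not None:
            path = entry["path"]
            low = path.lower()
            if entry["is_dir"] or not low.endswith(EXECUTABLE_EXTS):
                continue
            parent = low.rsplit("\\", 1)[0]
            recent = entry["kind"] == "C" and entry["timestamp"] >= cutoff
            if parent in (SYSTEM_ROOT.lower(), drivers_dir) and recent and not entry["company"]:
                findings.append((path, "recent binary with no company name in a system directory"))
            elif low.startswith(USER_PROFILES):
                findings.append((path, "executable in a user-writable location"))
            continue
        ads = parse_ads(line)
        if ads is not None:
            file_path, stream, size = ads
            if stream and stream.lower() != "zone.identifier":
                findings.append((file_path + ":" + stream,
                                 f"{size}-byte alternate data stream '{stream}'"))
    return findings


# Sample input: lines copied from the OTL report in this thread.
SAMPLE_LOG = r"""
[2010/10/28 13:35:39 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/10/26 11:45:00 | 000,016,968 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2009/11/16 23:01:01 | 000,178,176 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2010/09/29 10:54:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Birdstep Technology
[2008/04/14 05:42:42 | 000,013,824 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Owner\Desktop\wscntfy.exe
@Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
@Alternate Data Stream - 88 bytes -> C:\WINDOWS\System32\msfeedssync.exe:SummaryInformation
""".strip().splitlines()
SCAN_TIME = datetime(2010, 11, 2, 2, 42, 16)  # the report's own timestamp

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG, SCAN_TIME):
        print(f"{reason}: {path}")
```

Run against the seven sample lines it reports five hits: the two fresh, company-less binaries in system directories, the copy of `wscntfy.exe` sitting on the desktop, and both non-Zone.Identifier streams; `unrar.dll` in System32 and the directory entry are passed over. Feeding the full report through it rather than eyeballing 1,500 lines is the point; deciding which hits matter is still the reviewer's job.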
  22. Will40


    EXTRAS FILE

    [OTL Extras logfile created on: 02/11/2010 02:42:16 - Run 1
    OTL by OldTimer - Version 3.2.17.2 Folder = C:\Documents and Settings\Owner\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00001809 | Country: Ireland | Language: ENI | Date Format: dd/MM/yyyy

    1,023.00 Mb Total Physical Memory | 360.00 Mb Available Physical Memory | 35.00% Memory free
    2.00 Gb Paging File | 2.00 Gb Available in Paging File | 77.00% Paging File free
    Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 149.00 Gb Total Space | 81.49 Gb Free Space | 54.69% Space Free | Partition Type: NTFS
    Drive D: | 25.12 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
    Drive F: | 644.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: ANONYMOUS | User Name: Will | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

    [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [MediaMonkey.1Play] -- "C:\Program Files\MediaMonkey\MediaMonkey.exe" "%1" (Ventis Media Inc.)
    Directory [MediaMonkey.2PlayNext] -- "C:\Program Files\MediaMonkey\MediaMonkey.exe" /NEXT "%1" (Ventis Media Inc.)
    Directory [MediaMonkey.3Enqueue] -- "C:\Program Files\MediaMonkey\MediaMonkey.exe" /ADD "%1" (Ventis Media Inc.)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "EnableFirewall" = 1
    "DisableNotifications" = 0
    "DoNotAllowExceptions" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1
    "DoNotAllowExceptions" = 0
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "C:\Program Files\Rosetta Stone\Rosetta Stone Version 3\support\bin\win\RosettaStoneLtdServices.exe" = C:\Program Files\Rosetta Stone\Rosetta Stone Version 3\support\bin\win\RosettaStoneLtdServices.exe:*:Enabled:Rosetta Stone Ltd Services -- (Rosetta Stone Ltd. )
    "C:\Program Files\Rosetta Stone\Rosetta Stone Version 3\RosettaStoneVersion3.exe" = C:\Program Files\Rosetta Stone\Rosetta Stone Version 3\RosettaStoneVersion3.exe:*:Enabled:Rosetta Stone Version 3 Application -- (Rosetta Stone Ltd. )

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\River Past\Video Cleaner Pro\VideoCleanerPro.exe" = C:\Program Files\River Past\Video Cleaner Pro\VideoCleanerPro.exe:*:Enabled:River Past Video Cleaner Pro -- (River Past Corporation)
    "C:\Program Files\Nero\Nero 9\Nero ShowTime\ShowTime.exe" = C:\Program Files\Nero\Nero 9\Nero ShowTime\ShowTime.exe:*:Enabled:Nero ShowTime -- (Nero AG)
    "C:\Program Files\Rosetta Stone\Rosetta Stone Version 3\support\bin\win\RosettaStoneLtdServices.exe" = C:\Program Files\Rosetta Stone\Rosetta Stone Version 3\support\bin\win\RosettaStoneLtdServices.exe:*:Enabled:Rosetta Stone Ltd Services -- (Rosetta Stone Ltd. )
    "C:\Program Files\Rosetta Stone\Rosetta Stone Version 3\RosettaStoneVersion3.exe" = C:\Program Files\Rosetta Stone\Rosetta Stone Version 3\RosettaStoneVersion3.exe:*:Enabled:Rosetta Stone Version 3 Application -- (Rosetta Stone Ltd. )
    "C:\Program Files\Opera\opera.exe" = C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser -- (Opera Software)
    "C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
    "C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{015C5B35-B678-451C-9AEE-821E8D69621C}_is1" = PeerBlock 1.0.0 (r181)
    "{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}" = VC 9.0 Runtime
    "{0711500B-9912-4D60-9A49-C577B4503D42}" = Nero Recode Help
    "{07FF7593-9DEA-40B5-9F87-F557E65BBF60}" = Nero Recode
    "{0a610134-d10c-4a32-b806-1a3f338b6c66}" = Nero 9
    "{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}" = WD Diagnostics
    "{105CFC7C-6992-11D5-BD9D-000102C10FD8}" = LizardTech DjVu Control
    "{1122AAC4-AAAA-43BF-B2D4-3C8C12378952}" = Nero InfoTool
    "{11A84FCA-C3C7-4AFD-A797-111DB8569DBC}" = Nero BurningROM
    "{12345674-DE9A-677A-CCEE-666356D89777}" = Nero BurnRights
    "{148E08FF-D7C4-46ED-8D4D-601C67FE0AFD}" = Rosetta Stone Version 3
    "{18756A46-652E-4ED4-A029-C4940D59F09B}" = Nokia PC Suite
    "{196467F1-C11F-4F76-858B-5812ADC83B94}" = MSXML 4.0 SP3 Parser
    "{1B040683-C390-4711-ABC7-DA8D85E470E7}" = NeroBurningROM
    "{1B9B5B3B-28E7-4E59-A80D-D670AA984514}" = Nokia Connectivity Cable Driver
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{1F85CAAA-B786-4E5B-AADD-638856992EF3}" = Opera 10.53
    "{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java(TM) 6 Update 16
    "{27CC6AB1-E72B-4179-AF1A-EAE507EBAF51}_is1" = ConvertHelper 2.2
    "{2CE5A2E7-3437-4CE7-BCF4-85ED6EEFF9E4}" = iTunes
    "{2D3455A8-3B15-41A8-99F8-0D4215746463}" = Nero StartSmart
    "{3097B151-1F61-4211-A4CC-D70127B226AE}" = SoundTrax
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A}" = McAfee SiteAdvisor
    "{3F30CC51-0788-487B-AA83-7214A239C0C0}" = Nero Disc Copy Gadget Help
    "{4286E640-B5FB-11DF-AC4B-005056C00008}" = Google Earth
    "{4468EF97-A253-4699-9E1C-88CAE2C6832D}" = ABBYY FineReader 5.0 Sprint
    "{4D42353B-533F-4306-AD0B-7FEF292ADE04}" = Nero CoverDesigner Help
    "{4E8C27C2-D727-4C00-A90E-C3F6376EEE70}" = Nero ControlCenter
    "{50D25574-2C48-4AEC-8FFC-32AEAD2EAEFF}" = Nokia Ovi Player
    "{534804B0-3563-434B-962A-BAF132B85F1F}" = O&O UnErase
    "{548F99E0-14CC-4D53-A7D6-4A62A5F2C748}" = Nero PhotoSnap
    "{56BE5CC9-95E6-4128-ABEA-968414CA9C80}" = DolbyFiles
    "{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
    "{56F3E1FF-54FE-4384-A153-6CCABA097814}" = Creative MediaSource
    "{5AE12194-3EAA-40DF-B2BF-FE1D6B78BBF4}" = Nero Vision
    "{5C2E8A0F-80E2-4C68-8CC0-D8D16E7196BF}" = Nero RescueAgent Help
    "{5C42EAB8-54F9-423A-948C-1CBEF25F8DB4}" = Nero PhotoSnap Help
    "{6D3245B1-8DB8-4A23-9CD2-2C90F40ABAF6}" = MSVC80_x86_v2
    "{70B31335-50EE-4834-8431-27412CDE62BD}" = Nokia_Multimedia_Common_Components_2_5
    "{7216871F-869E-437C-B9BF-2A13F2DCE63F}_is1" = Auslogics BoostSpeed
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{75321954-2589-11DC-DDCC-E98356D81493}" = Nero DriveSpeed
    "{753973C4-B961-43BF-B2D4-3C8C92F7216E}" = Nero DriveSpeed
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{78523651-D8B1-11DC-CCEE-741589645873}" = Nero DiscSpeed
    "{870815CA-6B60-47B6-88DD-A67F42D2F03E}" = GPL MPEG-1/2 DirectShow Decoder Filter
    "{885744A4-1A01-44B0-858A-0AE6738CBCF7}" = PrimoPDF Redistribution Package
    "{89EAD745-088B-4160-B964-42C4D4D273AD}" = Family Tree Maker 2010
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8C654BD0-1949-43DE-84F2-EC2A1ABB0CB4}" = Nero ShowTime
    "{8C91D53E-0C23-4A79-A480-68A443D80100}" = PC Connectivity Solution
    "{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
    "{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
    "{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
    "{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
    "{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
    "{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
    "{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
    "{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
    "{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
    "{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    "{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
    "{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    "{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
    "{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
    "{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
    "{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
    "{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
    "{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
    "{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
    "{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
    "{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
    "{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
    "{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
    "{943CC0C0-2253-4FE0-9493-DD386F7857FD}" = Nero Express
    "{948FFAAE-C57F-447B-9B07-3721E950BFDC}" = Nero ShowTime
    "{961D53EA-40DC-4156-AD74-25684CE05F81}" = Nero Installer
    "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    "{9A875B56-A35C-46BA-A3AA-DF8D03EE9F2F}" = Nero ControlCenter
    "{9F3523F8-DAD7-AE52-6DA7-45CDDDF33726}" = Advertising Center
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{A642BB6B-CA1D-4142-8DD4-318C3F3DC834}" = Rome - Total War(TM)
    "{A7050037-F0EA-4BAB-BCD5-FC05507D6147}" = Alt-Tab Task Switcher Powertoy for Windows XP
    "{A73BEC3C-40A0-480E-87EF-EFCD33629088}" = NeroExpress
    "{A8399F58-234A-48C6-BA55-30C15738BF3C}" = Nero CoverDesigner
    "{A899DA1F-D626-401C-8651-F2921E3B4CB3}" = 3Connect
    "{A8F2089B-1F79-4BF6-B385-A2C2B0B9A74D}" = ImagXpress
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{AAA12554-2589-11DC-92EF-E98356D81493}" = Nero InfoTool
    "{AABBCC54-D8B1-11DC-92EF-E98356D81493}" = Nero DiscSpeed
    "{B2C12C8D-65DC-40BD-B309-5ADB0C6C8D8F}" = Nero WaveEditor
    "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
    "{B96C2601-52F5-4D5D-816A-63469EA311EF}" = "Nero SoundTrax Help
    "{BCD82AB5-670D-4242-90FA-1F97103C16CD}" = Movie Templates - Starter Kit
    "{BDCF27CA-BFC4-4F49-8D24-A925C9505AB8}" = Windows Rights Management Client with Service Pack 2
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
    "{C99C89A3-119A-45E6-B26E-DD5643CAA0C5}" = Menu Templates - Starter Kit
    "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1 Service Pack 1
    "{CCA1EEA3-555E-4D05-AC46-4B49C6C5D887}" = Apple Mobile Device Support
    "{CD1826A5-CFCC-4C6E-9F9D-E181876162EA}" = Nero Rescue Agent
    "{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 Service Pack 1
    "{D24DB8B9-BB6C-4334-9619-BA1C650E13D3}" = Microsoft Primary Interoperability Assemblies 2005
    "{D7C206B6-1A63-4389-A8B1-8F607D0BFF1F}" = Nero StartSmart Help
    "{DAEAFD68-BB4A-4507-A241-C8804D2EA66D}" = Apple Application Support
    "{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
    "{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
    "{E4A8DD87-A746-4443-BF25-CAF99CED6767}" = Nero Disc Copy Gadget
    "{E7004147-2CCA-431C-AA05-2AB166B9785D}" = QuickTime
    "{E82BF103-904F-49C0-B77F-6EC110B71E87}" = Sound Blaster Audigy 2
    "{E86156E5-9859-440D-8876-26CED1349802}" = Nero WaveEditor Help
    "{EA9FFE54-D8B1-11DC-92EF-E98356D81493}" = Nero BurnRights
    "{EC905264-BCFE-423B-9C42-C3A106266790}" = Windows Rights Management Client Backwards Compatibility SP2
    "{EDEA8AB7-7683-4ED2-AA19-E6C078064C0D}" = Microsoft WSE 3.0
    "{EE246B64-54FC-42A6-8384-B61546B0C7F8}" = Steganos Safe Home 2007
    "{F45298E5-0083-426F-A668-1A2C5F04B8A0}" = FaxTools
    "{F53F6769-AC46-49E3-ABE3-2C8AFD39D0DD}" = Nero Vision
    "{FF1C31AE-0CDC-40CE-AB85-406F8B70D643}" = Bonjour
    "{FF77941A-2BFA-4A18-BE2E-69B9498E4D55}" = User Profile Hive Cleanup Service
    "0B753AE04CCFC1E067940973C1BEDEEE62CADDC9" = Windows Driver Package - Nokia Modem (03/15/2010 4.4)
    "504244733D18C8F63FF584AEB290E3904E791693" = Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
    "6CD143D10D52B656CB6E8E90D7932A476DA16F6A" = Windows Driver Package - Nokia Modem (03/15/2010 7.01.0.6)
    "7-Zip" = 7-Zip 4.65
    "AC3Filter" = AC3Filter (remove only)
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "CmdOpen Shell Extension" = Open Command Prompt Shell Extension (x86-32)
    "Dell AIO Printer A940" = Dell AIO Printer A940
    "DiskCheckup_is1" = DiskCheckup V3.0
    "DVD Decrypter" = DVD Decrypter (Remove Only)
    "DVD Shrink_is1" = DVD Shrink 3.2
    "ENTERPRISE" = Microsoft Office Enterprise 2007
    "Family Toolbar" = Family Toolbar
    "Family Tree Builder" = MyHeritage Family Tree Builder
    "Family Tree Maker 2010" = Family Tree Maker 2010
    "Foxit Reader" = Foxit Reader
    "FoxyTunesForFirefox" = FoxyTunes for Firefox
    "Games by Petersonic 1.00" = Games by Petersonic 1.00
    "HashCheck Shell Extension" = HashCheck Shell Extension (x86-32)
    "Huawei Modems" = Huawei modem
    "InstallShield_{A642BB6B-CA1D-4142-8DD4-318C3F3DC834}" = Rome - Total War(TM)
    "IObit Security 360_is1" = IObit Security 360
    "KLiteCodecPack_is1" = K-Lite Mega Codec Pack 5.2.0
    "Magic ISO Maker v5.4 (build 0239)" = Magic ISO Maker v5.4 (build 0239)
    "MagicDisc 2.7.106" = MagicDisc 2.7.106
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
    "MediaMonkey_is1" = MediaMonkey 3.2
    "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
    "Microsoft Silverlight" = Microsoft Silverlight
    "Mobile Partner" = Mobile Partner
    "Mozilla Firefox (3.6.10)" = Mozilla Firefox (3.6.10)
    "Mozilla Thunderbird (3.1.4)" = Mozilla Thunderbird (3.1.4)
    "NIS" = Norton Internet Security
    "Nokia PC Suite" = Nokia PC Suite
    "OggDS" = Direct Show Ogg Vorbis Filter (remove only)
    "PC Wizard 2009_is1" = PC Wizard 2009.1.9111
    "PeerGuardian_is1" = PeerGuardian 2.0
    "Picasa 3" = Picasa 3
    "Plants vs. Zombies" = Plants vs. Zombies
    "PrimoPDF3.0" = PrimoPDF
    "QuicktimeAlt_is1" = QuickTime Alternative 3.0.0
    "RadLight PVA DirectShow filter" = RadLight PVA DirectShow filter (remove only)
    "Revo Uninstaller" = Revo Uninstaller 1.89
    "SpywareBlaster_is1" = SpywareBlaster 4.4
    "Unlocker" = Unlocker 1.8.7
    "uTorrent" = µTorrent
    "Video Cleaner Pro" = River Past Video Cleaner Pro
    "Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
    "Windows Media Encoder 9" = Windows Media Encoder 9 Series
    "WinRAR archiver" = WinRAR archiver
    "WMV9_VCM" = Microsoft Windows Media Video 9 VCM

    ========== HKEY_CURRENT_USER Uninstall List ==========

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "Google Chrome" = Google Chrome

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 29/10/2010 06:02:53 | Computer Name = ANONYMOUS | Source = Application Error | ID = 1000
    Description = Faulting application explorer.exe, version 6.0.2900.5634, faulting
    module unknown, version 0.0.0.0, fault address 0x00b48ea4.

    Error - 29/10/2010 06:24:07 | Computer Name = ANONYMOUS | Source = Application Error | ID = 1000
    Description = Faulting application explorer.exe, version 6.0.2900.5634, faulting
    module unknown, version 0.0.0.0, fault address 0x00b48ea4.

    Error - 29/10/2010 06:35:51 | Computer Name = ANONYMOUS | Source = Application Error | ID = 1000
    Description = Faulting application explorer.exe, version 6.0.2900.5634, faulting
    module unknown, version 0.0.0.0, fault address 0x00b48ea4.

    Error - 29/10/2010 06:42:54 | Computer Name = ANONYMOUS | Source = Application Error | ID = 1000
    Description = Faulting application explorer.exe, version 6.0.2900.5634, faulting
    module unknown, version 0.0.0.0, fault address 0x00b48ea4.

    Error - 29/10/2010 06:57:35 | Computer Name = ANONYMOUS | Source = Application Error | ID = 1000
    Description = Faulting application explorer.exe, version 6.0.2900.5634, faulting
    module unknown, version 0.0.0.0, fault address 0x00b48ea4.

    Error - 29/10/2010 07:52:06 | Computer Name = ANONYMOUS | Source = Application Error | ID = 1000
    Description = Faulting application explorer.exe, version 6.0.2900.5634, faulting
    module unknown, version 0.0.0.0, fault address 0x00b48ea4.

    Error - 29/10/2010 08:25:03 | Computer Name = ANONYMOUS | Source = Application Error | ID = 1000
    Description = Faulting application explorer.exe, version 6.0.2900.5634, faulting
    module unknown, version 0.0.0.0, fault address 0x00b48ea4.

    Error - 29/10/2010 08:32:42 | Computer Name = ANONYMOUS | Source = Application Error | ID = 1000
    Description = Faulting application explorer.exe, version 6.0.2900.5634, faulting
    module unknown, version 0.0.0.0, fault address 0x00b48ea4.

    Error - 29/10/2010 12:11:12 | Computer Name = ANONYMOUS | Source = Application Error | ID = 1000
    Description = Faulting application explorer.exe, version 6.0.2900.5634, faulting
    module unknown, version 0.0.0.0, fault address 0x00d78ea4.

    Error - 30/10/2010 04:38:43 | Computer Name = ANONYMOUS | Source = Application Error | ID = 1000
    Description = Faulting application explorer.exe, version 6.0.2900.5634, faulting
    module , version 0.0.0.0, fault address 0x00000000.

    [ System Events ]
    Error - 29/10/2010 08:31:14 | Computer Name = ANONYMOUS | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service EventSystem
    with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

    Error - 29/10/2010 08:33:41 | Computer Name = ANONYMOUS | Source = Service Control Manager | ID = 7000
    Description = The wscsvc service failed to start due to the following error: %%1083

    Error - 29/10/2010 12:11:37 | Computer Name = ANONYMOUS | Source = DCOM | ID = 10010
    Description = The server {995C996E-D918-4A8C-A302-45719A6F4EA7} did not register
    with DCOM within the required timeout.

    Error - 29/10/2010 12:11:55 | Computer Name = ANONYMOUS | Source = Service Control Manager | ID = 7000
    Description = The wscsvc service failed to start due to the following error: %%1083

    Error - 30/10/2010 04:39:15 | Computer Name = ANONYMOUS | Source = Service Control Manager | ID = 7000
    Description = The wscsvc service failed to start due to the following error: %%1083

    Error - 30/10/2010 13:18:56 | Computer Name = ANONYMOUS | Source = Windows Update Agent | ID = 16
    Description = Unable to Connect: Windows is unable to connect to the automatic updates
    service and therefore cannot download and install updates according to the set
    schedule. Windows will continue to try to establish a connection.

    Error - 01/11/2010 03:53:47 | Computer Name = ANONYMOUS | Source = Service Control Manager | ID = 7000
    Description = The wscsvc service failed to start due to the following error: %%1083

    Error - 01/11/2010 21:29:10 | Computer Name = ANONYMOUS | Source = Service Control Manager | ID = 7034
    Description = The McAfee SiteAdvisor Service service terminated unexpectedly. It
    has done this 1 time(s).

    Error - 01/11/2010 22:21:47 | Computer Name = ANONYMOUS | Source = Service Control Manager | ID = 7034
    Description = The McAfee SiteAdvisor Service service terminated unexpectedly. It
    has done this 2 time(s).

    Error - 01/11/2010 22:26:00 | Computer Name = ANONYMOUS | Source = atapi | ID = 262153
    Description = The device, \Device\Ide\IdePort1, did not respond within the timeout
    period.


    < End of report >
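Triage of the "Last 10 Event Log Errors" section of the log above, as an added example that is not part of this thread or of OTL itself. It assumes only the OTL log layout shown (the sample below is a constructed, shortened copy of it) and flags the two patterns a helper looks for in this thread: repeated explorer.exe faults (Application Error 1000) and the Security Center service failing to start (Service Control Manager 7000); the extra service names in the watch list are the standard XP ones, not values from the log.

```python
import re
from collections import Counter

# Constructed sample in the OTL "Last 10 Event Log Errors" layout (shortened).
SAMPLE_LOG = """\
========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 29/10/2010 06:02:53 | Computer Name = ANONYMOUS | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5634, faulting
module unknown, version 0.0.0.0, fault address 0x00b48ea4.

Error - 29/10/2010 06:24:07 | Computer Name = ANONYMOUS | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5634, faulting
module unknown, version 0.0.0.0, fault address 0x00b48ea4.

[ System Events ]
Error - 29/10/2010 08:33:41 | Computer Name = ANONYMOUS | Source = Service Control Manager | ID = 7000
Description = The wscsvc service failed to start due to the following error: %%1083

Error - 30/10/2010 13:18:56 | Computer Name = ANONYMOUS | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

< End of report >
"""

HEADER = re.compile(r"^Error - (\S+ \S+) \| Computer Name = (.*?) \| Source = (.*?) \| ID = (\d+)$")

# Services whose failure to start is security-relevant on XP; wscsvc is the one in the log.
WATCHED_SERVICES = {
    "wscsvc": "Windows Security Center",
    "wuauserv": "Automatic Updates",
    "SharedAccess": "Windows Firewall / ICS",
}

def parse_events(text):
    """Split the OTL event section into dicts (time, source, id, desc)."""
    events, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = {"time": m.group(1), "source": m.group(3), "id": int(m.group(4)), "desc": ""}
            events.append(current)
        elif not line:
            current = None  # a blank line closes the description
        elif current is not None and not line.startswith(("[", "=", "<")):
            if line.startswith("Description = "):
                line = line[len("Description = "):]
            current["desc"] = (current["desc"] + " " + line).strip()  # join wrapped lines
    return events

def triage(events):
    """Report repeated faults of one process and watched services that failed to start."""
    findings, faults = [], Counter()
    for ev in events:
        if ev["source"] == "Application Error" and ev["id"] == 1000:
            m = re.search(r"Faulting application (\S+),", ev["desc"])
            if m:
                faults[m.group(1)] += 1
        elif ev["source"] == "Service Control Manager" and ev["id"] == 7000:
            m = re.search(r"The (\S+) service failed to start", ev["desc"])
            if m and m.group(1) in WATCHED_SERVICES:
                findings.append(f"{WATCHED_SERVICES[m.group(1)]} ({m.group(1)}) failed to start at {ev['time']}")
    findings.extend(f"{app} crashed {n} times" for app, n in faults.items() if n >= 2)
    return findings
```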
     
  23. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    Now, we need to remove the old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    ======================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O3 - HKCU\..\Toolbar\WebBrowser: (ZoneAlarm Toolbar) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll File not found
      O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
      @Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
      @Alternate Data Stream - 88 bytes -> C:\WINDOWS\System32\msfeedssync.exe:SummaryInformation
      
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ======================================================================

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE: SecurityCheck may produce some false warning(s), so leave reading the results to me.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart the computer.


    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE: If ESET doesn't find any threats, it won't produce a log.
     
  24. Will40

    Will40 TS Rookie Topic Starter Posts: 55

    OK Broni - Reports as follows...

    Java - Updated

    OTL File:
    All processes killed
    ========== OTL ==========
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107}\ not found.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
    Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34 .
    Unable to delete ADS C:\WINDOWS\System32\msfeedssync.exe:SummaryInformation .
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Custom Settings

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Owner
    ->Temp folder emptied: 18959 bytes
    ->Temporary Internet Files folder emptied: 5350919 bytes
    ->Java cache emptied: 2027 bytes
    ->FireFox cache emptied: 8850101 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Opera cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 32768 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 14.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Custom Settings

    User: Default User

    User: LocalService

    User: NetworkService

    User: Owner
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.17.2 log created on 11022010_105819

    Files\Folders moved on Reboot...
    File\Folder C:\WINDOWS\temp\Perflib_Perfdata_758.dat not found!

    Registry entries deleted on Reboot...

    =============================================================

    Security Check Report:

    Results of screen317's Security Check version 0.99.5
    Windows XP Service Pack 3
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Security Center service is not running! This report may not be accurate!
    Windows Firewall Enabled!
    Norton Internet Security
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    River Past Video Cleaner Pro
    Java(TM) 6 Update 22
    Out of date Java installed!
    Adobe Flash Player 10.1.82.76
    Mozilla Firefox (3.6.10) Firefox Out of Date!
    Mozilla Thunderbird (3.1.4)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Norton ccSvcHst.exe
    ````````````````````````````````
    DNS Vulnerability Check:

    GREAT! (Not vulnerable to DNS cache poisoning)

    ``````````End of Log````````````
     
  25. Will40

    Will40 TS Rookie Topic Starter Posts: 55

    ESET Scan results:

    C:\Documents and Settings\Owner\Application Data\Auslogics\Rescue\One Button Checkup\100913074720515.rsc multiple threats

    I presume I should just uninstall this app, Broni?
     
Topic Status:
Not open for further replies.
