also @ TechSpot: Blizzard talks Diablo 3 facts, nerfing and buffs for legendary items

TechSpot

TechSpot News Products Downloads Forums

Register now for a live online demo to see how the Office 365 suite of tools
- professional email, calendars, video conferencing, and file sharing -

[Solved] Explorer.exe and Winlogon.exe trojan - 8 steps followed

Discussion in 'Virus and Malware Removal' started by Will40, Oct 27, 2010.

Thread Status:: Not open for further replies.

Page 1 of 2

Will40 Newcomer, in training
Hello Guys,
As with others I have the Bamital trojan. Norton picked up the explorer infection & MBAM picked up the winlogon....files attached...

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4950

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

27/10/2010 13:05:39
mbam-log-2010-10-27 (13-05-39).txt

Scan type: Quick scan
Objects scanned: 139254
Time elapsed: 7 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

GMER 1.0.15.15477 - http://www.gmer.net
Rootkit scan 2010-10-27 15:21:01
Windows 5.1.2600 Service Pack 3
Running: jw5zbqq1.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fgrcypog.sys

---- System - GMER 1.0.15 ----

SSDT 8561B050 ZwAlertResumeThread
SSDT 85620438 ZwAlertThread
SSDT 855EB740 ZwAllocateVirtualMemory
SSDT 85693050 ZwAssignProcessToJobObject
SSDT 85E20BF0 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xF5D2D210]
SSDT 855E0580 ZwCreateMutant
SSDT 855DB0A0 ZwCreateSymbolicLinkObject
SSDT 8665E700 ZwCreateThread
SSDT 85618050 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xF5D2D490]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xF5D2D9F0]
SSDT 855EB9D8 ZwDuplicateObject
SSDT 855E9FC0 ZwFreeVirtualMemory
SSDT 85695050 ZwImpersonateAnonymousToken
SSDT 85CAC050 ZwImpersonateThread
SSDT 85DD4C10 ZwLoadDriver
SSDT 866199B8 ZwMapViewOfSection
SSDT 85CAB050 ZwOpenEvent
SSDT 855EBC78 ZwOpenProcess
SSDT 85CB0050 ZwOpenProcessToken
SSDT 85694050 ZwOpenSection
SSDT 855EBB28 ZwOpenThread
SSDT 855DB6F0 ZwProtectVirtualMemory
SSDT 8561C1F0 ZwResumeThread
SSDT 85CAE910 ZwSetContextThread
SSDT 855E9B80 ZwSetInformationProcess
SSDT 85CAA050 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xF5D2DC40]
SSDT 85619050 ZwSuspendProcess
SSDT 8561D1F0 ZwSuspendThread
SSDT 8561F2F0 ZwTerminateProcess
SSDT 85699050 ZwTerminateThread
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xF2D7E6D0]
SSDT 863BBC58 ZwUnmapViewOfSection
SSDT 855EB3B0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 3CA 804E4C24 4 Bytes JMP C3E2D1F3
? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Documents and Settings\Owner\Desktop\jw5zbqq1.exe[1020] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Owner\Desktop\jw5zbqq1.exe[1020] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Documents and Settings\Owner\Desktop\jw5zbqq1.exe[1020] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Owner\Desktop\jw5zbqq1.exe[1020] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Documents and Settings\Owner\Desktop\jw5zbqq1.exe[1020] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00B30001
.text C:\Documents and Settings\Owner\Desktop\jw5zbqq1.exe[1020] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
.text C:\Documents and Settings\Owner\Desktop\jw5zbqq1.exe[1020] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A
.text C:\Documents and Settings\Owner\Desktop\jw5zbqq1.exe[1020] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes JMP 5F100F5A
.text C:\Documents and Settings\Owner\Desktop\jw5zbqq1.exe[1020] ADVAPI32.dll!CreateProcessWithLogonW 77E16005 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Owner\Desktop\jw5zbqq1.exe[1020] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16009 2 Bytes [05, 5F]
.text C:\Documents and Settings\Owner\Desktop\jw5zbqq1.exe[1020] ADVAPI32.dll!CreateServiceA 77E37219 6 Bytes JMP 5F190F5A
.text C:\Documents and Settings\Owner\Desktop\jw5zbqq1.exe[1020] ADVAPI32.dll!CreateServiceW 77E373B1 6 Bytes JMP 5F1C0F5A
.text C:\WINDOWS\Explorer.EXE[1536] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 02B20001
.text C:\WINDOWS\Explorer.EXE[1536] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\Explorer.EXE[1536] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\Explorer.EXE[1536] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 00B48328
.text C:\WINDOWS\Explorer.EXE[1536] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\Explorer.EXE[1536] ADVAPI32.dll!CreateProcessWithLogonW 77E16005 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1536] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16009 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\taskswitch.exe[2128] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\taskswitch.exe[2128] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\taskswitch.exe[2128] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\taskswitch.exe[2128] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\taskswitch.exe[2128] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 009C0001
.text C:\WINDOWS\system32\taskswitch.exe[2128] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\taskswitch.exe[2128] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\taskswitch.exe[2128] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\taskswitch.exe[2128] ADVAPI32.dll!CreateProcessWithLogonW 77E16005 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\taskswitch.exe[2128] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16009 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\taskswitch.exe[2128] ADVAPI32.dll!CreateServiceA 77E37219 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\taskswitch.exe[2128] ADVAPI32.dll!CreateServiceW 77E373B1 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00A60001
.text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes JMP 5F100F5A
.text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] ADVAPI32.dll!CreateProcessWithLogonW 77E16005 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16009 2 Bytes [05, 5F]
.text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] ADVAPI32.dll!CreateServiceA 77E37219 6 Bytes JMP 5F190F5A
.text C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe[2144] ADVAPI32.dll!CreateServiceW 77E373B1 6 Bytes JMP 5F1C0F5A
.text C:\WINDOWS\system32\ctfmon.exe[2160] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[2160] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\ctfmon.exe[2160] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[2160] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\ctfmon.exe[2160] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00AD0001
.text C:\WINDOWS\system32\ctfmon.exe[2160] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\ctfmon.exe[2160] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\ctfmon.exe[2160] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\ctfmon.exe[2160] ADVAPI32.dll!CreateProcessWithLogonW 77E16005 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[2160] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16009 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\ctfmon.exe[2160] ADVAPI32.dll!CreateServiceA 77E37219 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\ctfmon.exe[2160] ADVAPI32.dll!CreateServiceW 77E373B1 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00B80001
.text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes JMP 5F100F5A
.text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] ADVAPI32.dll!CreateProcessWithLogonW 77E16005 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16009 2 Bytes [05, 5F]
.text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] ADVAPI32.dll!CreateServiceA 77E37219 6 Bytes JMP 5F190F5A
.text C:\Program Files\Dell AIO Printer A940\dlbabmon.exe[2176] ADVAPI32.dll!CreateServiceW 77E373B1 6 Bytes JMP 5F1C0F5A

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp mdvrmng.sys

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

DDS (Ver_10-10-21.02) - NTFSx86
Run by Will at 15:22:37.68 on 27/10/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.353.1033.18.1023.429 [GMT 1:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\3 Mobile Broadband\3Connect\AutoUpdateSrv.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mURLSearchHooks: MHURLSearchHook Class: {1c4ab6a5-595f-4e86-b15f-f93cce2bbd48} - c:\program files\family toolbar\tbhelper.dll
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: MHTBPos00 Class: {0c37b053-fd68-456a-82e1-d788ee342e6f} - c:\program files\family toolbar\tbcore3.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.8.0.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.8.0.5\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CMySite Class: {d62ec836-bf1e-4cac-81be-fb9179835d8e} - c:\program files\family toolbar\mhxpcomi.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Family Toolbar: {fd2fd708-1f6f-4b68-b141-c5778f0c19bb} - c:\program files\family toolbar\tbcore3.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.8.0.5\coIEPlg.dll
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [Dell AIO Printer A940] "c:\program files\dell aio printer a940\dlbabmgr.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\3connect.lnk - c:\program files\3 mobile broadband\3connect\Wilog.exe
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: MaxRecentDocs = 18 (0x12)
mPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
mPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
mPolicies-system: DisableStatusMessages = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: mhtb - {669A2A3A-F19C-452D-800D-1240299756C1} - c:\program files\family toolbar\mhxpcomi.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: {4F07DA45-8170-4859-9B5F-037EF2970034} - No File
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\xta0fo0z.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.independent.ie/business/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\xta0fo0z.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\xta0fo0z.default\extensions\{fd2fd708-1f6f-4b68-b141-c5778f0c19bb}\components\mhxpcom2.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\xta0fo0z.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
FF - plugin: c:\program files\opera\program\plugins\npdjvu.dll
FF - plugin: c:\program files\opera\program\plugins\npdjvu.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin2.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin3.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin4.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin5.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin6.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin7.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1108000.005\symds.sys [2010-10-19 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1108000.005\symefa.sys [2010-10-19 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\bashdefs\20101001.001\BHDrvx86.sys [2010-10-2 692272]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1108000.005\cchpx86.sys [2010-10-19 501888]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-1-5 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 67656]
R1 SLEE_14_DRIVER;Steganos Live Encryption Engine 14 [Driver];c:\windows\system32\drivers\sleen14.sys [2006-11-8 72480]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1108000.005\ironx86.sys [2010-10-19 116784]
R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2010-8-27 312152]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2009-11-26 88176]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.8.0.5\ccsvchst.exe [2010-10-19 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-10-19 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\ipsdefs\20101015.005\IDSXpx86.sys [2010-10-13 341880]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\virusdefs\20101019.004\NAVENG.SYS [2010-10-19 86064]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\virusdefs\20101019.004\NAVEX15.SYS [2010-10-19 1371184]
S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [2009-10-19 9472]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-11-30 133104]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2010-9-29 100736]
S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-7-14 14424]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 12872]

=============== Created Last 30 ================

2010-10-26 11:45:00 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-10-26 11:39:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-10-25 11:26:34 509440 ----a-w- c:\windows\winlogon.exe
2010-10-19 12:07:51 361904 ----a-w- c:\windows\system32\drivers\nis\1108000.005\symtdi.sys
2010-10-19 12:07:51 339504 ----a-w- c:\windows\system32\drivers\nis\1108000.005\symtdiv.sys
2010-10-19 12:07:51 328752 ----a-r- c:\windows\system32\drivers\nis\1108000.005\symds.sys
2010-10-19 12:07:51 173104 ----a-w- c:\windows\system32\drivers\nis\1108000.005\symefa.sys
2010-10-19 12:07:50 501888 ----a-w- c:\windows\system32\drivers\nis\1108000.005\cchpx86.sys
2010-10-19 12:07:50 43696 ----a-w- c:\windows\system32\drivers\nis\1108000.005\srtspx.sys
2010-10-19 12:07:50 325680 ----a-w- c:\windows\system32\drivers\nis\1108000.005\srtsp.sys
2010-10-19 12:07:50 116784 ----a-w- c:\windows\system32\drivers\nis\1108000.005\ironx86.sys
2010-10-19 12:07:26 -------- d-----w- c:\windows\system32\drivers\nis\1108000.005
2010-10-18 22:51:33 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-10-18 22:51:33 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-10-18 22:51:33 -------- d-----w- c:\program files\Symantec
2010-10-18 22:51:33 -------- d-----w- c:\program files\common files\Symantec Shared
2010-10-18 22:50:49 -------- d-----w- c:\windows\system32\drivers\NIS
2010-10-18 22:50:44 -------- d-----w- c:\program files\Norton Internet Security
2010-10-18 22:50:43 -------- d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-10-18 21:51:17 -------- d-----w- c:\windows\Internet Logs
2010-10-18 21:45:36 -------- d-----w- c:\program files\NortonInstaller
2010-10-18 21:45:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-10-18 11:27:23 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-10-15 14:49:26 99840 ------w- c:\windows\system32\dllcache\srvsvc.dll
2010-10-15 14:42:38 218112 ------w- c:\windows\system32\dllcache\wordpad.exe
2010-10-15 14:42:37 1289216 ------w- c:\windows\system32\dllcache\ole32.dll
2010-10-15 14:32:20 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-15 14:32:20 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2010-10-15 14:32:20 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-15 14:30:46 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-10-07 16:01:44 -------- d-----w- c:\program files\PopCap Games
2010-10-06 10:24:27 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\Adobe
2010-10-05 11:57:15 -------- d-----w- c:\program files\iPod
2010-10-05 11:57:11 -------- d-----w- c:\program files\iTunes
2010-09-29 16:40:24 -------- d-----w- c:\program files\uTorrent
2010-09-29 16:39:24 -------- d-----w- c:\docume~1\owner\applic~1\uTorrent
2010-09-29 10:54:53 -------- d-----w- c:\docume~1\owner\applic~1\Birdstep Technology
2010-09-29 10:53:58 24448 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2010-09-29 10:53:58 112640 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
2010-09-29 10:53:58 102528 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2010-09-29 10:53:58 100736 ----a-w- c:\windows\system32\drivers\ewusbdev.sys
2010-09-29 10:53:47 71262 ----a-w- c:\windows\Huawei ModemsUninstall.exe
2010-09-29 10:53:47 -------- d-----w- c:\program files\Huawei Modems
2010-09-29 10:53:44 10240 ----a-w- c:\windows\system32\drivers\mdvrmng.sys
2010-09-29 10:52:11 -------- d-----w- c:\program files\3 Mobile Broadband
2010-09-29 10:46:17 -------- d-----w- c:\docume~1\alluse~1\applic~1\Birdstep Technology

==================== Find3M ====================

2010-10-19 22:56:21 509440 ----a-w- c:\windows\system32\winlogon.exe
2010-09-18 11:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-08 10:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 10:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:48:34 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:38:48 1861888 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:01:06 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 06:05:07 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:43:28 590848 ----a-w- c:\windows\system32\rpcrt4.dll

============= FINISH: 15:23:52.87 ===============

Attach.txt is also zipped & attached.

Thanks in advance & Appreciate all the help..
Cheers
Will40
Attached Files:
- Attach.zip
  
  File size:
  
  3.5 KB
  
  Views:
  
  0
Will40, Oct 27, 2010

#1
Broni Malware Annihilator
Welcome aboard

Please, observe forum rules:

Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it between couple of replies.
Attached logs won't be reviewed.

Paste your Attach.txt log in your next reply.

When done...

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Please, never rename Combofix unless instructed.

Close any open browsers.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

NOTE1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.

Close any open browsers.

WARNING: Combofix will disconnect your machine from the Internet as soon as it starts

Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.

If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Please post the "C:\ComboFix.txt"

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
Broni, Oct 27, 2010

#2
Will40 Newcomer, in training

Thanks Broni - Attach.txt below:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-10-21.02)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 16/11/2009 22:52:30
System Uptime: 27/10/2010 12:46:44 (3 hours ago)

Motherboard: Dell Computer Corp. | | 0F4491
Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | Microprocessor | 2992/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 149 GiB total, 84.101 GiB free.
D: is CDROM (CDFS)
E: is Removable
F: is CDROM ()
G: is CDROM ()
I: is CDROM ()
K: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Modem
Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&1C660DD6&0&08F0
Manufacturer:
Name: PCI Modem
PNP Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&1C660DD6&0&08F0
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Ethernet Controller
Device ID: PCI\VEN_8086&DEV_1050&SUBSYS_01741028&REV_02\4&1C660DD6&0&40F0
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_8086&DEV_1050&SUBSYS_01741028&REV_02\4&1C660DD6&0&40F0
Service:

==== System Restore Points ===================

RP18: 30/09/2010 15:37:36 - Before Malware Removal in Server folder
RP19: 01/10/2010 19:46:16 - System Checkpoint
RP20: 04/10/2010 09:52:44 - Software Distribution Service 3.0
RP21: 04/10/2010 18:48:01 - Revo Uninstaller's restore point - ZoneAlarm Extreme Security
RP22: 07/10/2010 10:48:34 - System Checkpoint
RP23: 08/10/2010 18:04:02 - System Checkpoint
RP24: 09/10/2010 19:26:57 - System Checkpoint
RP25: 13/10/2010 18:15:45 - System Checkpoint
RP26: 14/10/2010 18:20:14 - System Checkpoint
RP27: 15/10/2010 20:21:08 - Software Distribution Service 3.0
RP28: 18/10/2010 12:26:47 - Software Distribution Service 3.0
RP29: 18/10/2010 22:47:25 - Revo Uninstaller's restore point - ZoneAlarm Pro
RP30: 20/10/2010 00:47:38 - System Checkpoint
RP31: 20/10/2010 12:07:54 - Restore Operation
RP32: 22/10/2010 17:18:55 - System Checkpoint
RP33: 23/10/2010 21:02:14 - System Checkpoint
RP34: 23/10/2010 23:44:39 - Restore Operation
RP35: 23/10/2010 23:48:01 - Restore Operation
RP36: 25/10/2010 00:22:48 - System Checkpoint
RP37: 25/10/2010 15:43:38 - Restore Operation

==== Installed Programs ======================

"Nero SoundTrax Help
µTorrent
3Connect
7-Zip 4.65
ABBYY FineReader 5.0 Sprint
AC3Filter (remove only)
Adobe Download Manager
Adobe Flash Player 10 Plugin
Advertising Center
Alt-Tab Task Switcher Powertoy for Windows XP
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Auslogics BoostSpeed
Bonjour
ConvertHelper 2.2
Creative MediaSource
Dell AIO Printer A940
Direct Show Ogg Vorbis Filter (remove only)
DiskCheckup V3.0
DolbyFiles
DVD Decrypter (Remove Only)
DVD Shrink 3.2
Family Toolbar
Family Tree Maker 2010
FaxTools
Foxit Reader
FoxyTunes for Firefox
Games by Petersonic 1.00
Google Chrome
Google Earth
Google Update Helper
GPL MPEG-1/2 DirectShow Decoder Filter
HashCheck Shell Extension (x86-32)
Huawei modem
ImagXpress
IObit Security 360
iTunes
Java(TM) 6 Update 16
K-Lite Mega Codec Pack 5.2.0
LizardTech DjVu Control
Magic ISO Maker v5.4 (build 0239)
MagicDisc 2.7.106
Malwarebytes' Anti-Malware
McAfee SiteAdvisor
MediaMonkey 3.2
Menu Templates - Starter Kit
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 1.1 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 Service Pack 1
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Primary Interoperability Assemblies 2005
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Windows Media Video 9 VCM
Microsoft WSE 3.0
Mobile Partner
Movie Templates - Starter Kit
Mozilla Firefox (3.6.10)
Mozilla Thunderbird (3.1.4)
MSVC80_x86_v2
MSXML 4.0 SP3 Parser
MSXML 4.0 SP3 Parser (KB973685)
MyHeritage Family Tree Builder
Nero 9
Nero BurningROM
Nero BurnRights
Nero ControlCenter
Nero CoverDesigner
Nero CoverDesigner Help
Nero Disc Copy Gadget
Nero Disc Copy Gadget Help
Nero DiscSpeed
Nero DriveSpeed
Nero Express
Nero InfoTool
Nero Installer
Nero PhotoSnap
Nero PhotoSnap Help
Nero Recode
Nero Recode Help
Nero Rescue Agent
Nero RescueAgent Help
Nero ShowTime
Nero StartSmart
Nero StartSmart Help
Nero Vision
Nero WaveEditor
Nero WaveEditor Help
NeroBurningROM
NeroExpress
neroxml
Nokia Connectivity Cable Driver
Nokia Ovi Player
Nokia PC Suite
Nokia_Multimedia_Common_Components_2_5
Norton Internet Security
O&O UnErase
Open Command Prompt Shell Extension (x86-32)
Opera 10.53
PC Connectivity Solution
PC Wizard 2009.1.9111
PeerBlock 1.0.0 (r181)
PeerGuardian 2.0
Picasa 3
Plants vs. Zombies
PrimoPDF
PrimoPDF Redistribution Package
QuickTime
QuickTime Alternative 3.0.0
RadLight PVA DirectShow filter (remove only)
Revo Uninstaller 1.89
River Past Video Cleaner Pro
Rome - Total War(TM)
Rosetta Stone Version 3
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office Publisher 2007 (KB982124)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Encoder (KB979332)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB975558)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982802)
Sound Blaster Audigy 2
SoundTrax
Spybot - Search & Destroy
SpywareBlaster 4.4
Steganos Safe Home 2007
SUPERAntiSpyware Free Edition
Unlocker 1.8.7
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Outlook 2007 Junk Email Filter (kb2410711)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
User Profile Hive Cleanup Service
VC 9.0 Runtime
WD Diagnostics
WebFldrs XP
Windows Driver Package - Nokia Modem (03/15/2010 4.4)
Windows Driver Package - Nokia Modem (03/15/2010 7.01.0.6)
Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
Windows Media Encoder 9 Series
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
WinRAR archiver

==== Event Viewer Messages From Past Week ========

27/10/2010 13:19:31, error: atapi [9] - The device, \Device\Ide\IdePort1, did not respond within the timeout period.
27/10/2010 12:45:42, error: Service Control Manager [7034] - The User Profile Hive Cleanup service terminated unexpectedly. It has done this 1 time(s).
27/10/2010 12:45:42, error: Service Control Manager [7034] - The McAfee SiteAdvisor Service service terminated unexpectedly. It has done this 1 time(s).
27/10/2010 12:45:42, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
27/10/2010 12:45:42, error: Service Control Manager [7034] - The Creative Service for CDROM Access service terminated unexpectedly. It has done this 1 time(s).
27/10/2010 12:45:42, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
27/10/2010 12:45:41, error: Service Control Manager [7034] - The LexBce Server service terminated unexpectedly. It has done this 1 time(s).
27/10/2010 12:45:41, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
25/10/2010 17:23:51, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.
25/10/2010 12:25:16, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================

Will40, Oct 28, 2010

#3
Will40 Newcomer, in training

ComboFix.txt:

ComboFix 10-10-25.02 - Will 28/10/2010 15:12:37.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.353.1033.18.1023.558 [GMT 1:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\winlogon.exe
H:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-09-28 to 2010-10-28 )))))))))))))))))))))))))))))))
.

2010-10-26 11:45 . 2010-10-26 11:45 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-10-26 11:39 . 2010-10-26 11:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-10-18 22:51 . 2010-10-18 23:06 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-10-18 22:51 . 2010-10-18 22:51 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-10-18 22:51 . 2010-10-18 22:51 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-10-18 22:51 . 2010-10-18 22:51 -------- d-----w- c:\program files\Symantec
2010-10-18 22:50 . 2010-10-19 19:36 -------- d-----w- c:\windows\system32\drivers\NIS
2010-10-18 22:50 . 2010-10-18 22:50 -------- d-----w- c:\program files\Norton Internet Security
2010-10-18 22:50 . 2010-10-18 22:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-10-18 21:51 . 2010-10-18 21:51 -------- d-----w- c:\windows\Internet Logs
2010-10-18 21:45 . 2010-10-18 22:48 -------- d-----w- c:\program files\NortonInstaller
2010-10-18 11:27 . 2008-04-14 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-10-15 14:49 . 2010-08-27 06:05 99840 ------w- c:\windows\system32\dllcache\srvsvc.dll
2010-10-15 14:42 . 2010-07-12 13:02 218112 ------w- c:\windows\system32\dllcache\wordpad.exe
2010-10-15 14:42 . 2010-07-16 12:04 1289216 ------w- c:\windows\system32\dllcache\ole32.dll
2010-10-15 14:32 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-15 14:32 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2010-10-15 14:32 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-15 14:30 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-10-07 16:01 . 2010-10-07 16:01 -------- d-----w- c:\program files\PopCap Games
2010-10-06 10:24 . 2010-10-06 10:24 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Adobe
2010-10-05 11:57 . 2010-10-05 11:57 -------- d-----w- c:\program files\iPod
2010-10-05 11:57 . 2010-10-05 11:58 -------- d-----w- c:\program files\iTunes
2010-10-01 08:35 . 2010-10-01 10:12 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2010-09-29 16:40 . 2010-09-29 16:40 -------- d-----w- c:\program files\uTorrent
2010-09-29 16:39 . 2010-10-27 15:37 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2010-09-29 10:54 . 2010-09-29 10:54 -------- d-----w- c:\documents and settings\Owner\Application Data\Birdstep Technology
2010-09-29 10:53 . 2009-09-10 12:55 102528 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2010-09-29 10:53 . 2009-07-24 16:33 100736 ----a-w- c:\windows\system32\drivers\ewusbdev.sys
2010-09-29 10:53 . 2009-06-22 18:00 112640 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
2010-09-29 10:53 . 2007-08-09 02:13 24448 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2010-09-29 10:53 . 2010-09-29 10:53 -------- d-----w- c:\program files\Huawei Modems
2010-09-29 10:53 . 2010-09-29 10:53 71262 ----a-w- c:\windows\Huawei ModemsUninstall.exe
2010-09-29 10:53 . 2009-11-17 13:01 10240 ----a-w- c:\windows\system32\drivers\mdvrmng.sys
2010-09-29 10:52 . 2010-09-29 10:52 -------- d-----w- c:\program files\3 Mobile Broadband
2010-09-29 10:46 . 2010-09-29 10:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Birdstep Technology

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 22:56 . 2009-10-19 08:27 509440 ----a-w- c:\windows\system32\winlogon.exe
2010-09-18 11:23 . 2008-04-14 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2008-04-14 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-04-14 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2008-04-14 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-08 10:17 . 2010-09-08 10:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 10:17 . 2010-09-08 10:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:48 . 2009-10-19 08:25 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:38 . 2009-10-19 08:27 1861888 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:01 . 2009-10-19 08:27 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 06:05 . 2008-04-14 12:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:37 . 2009-10-19 08:27 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-10-19 08:32 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2008-04-14 12:00 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:43 . 2009-10-19 08:26 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.

------- Sigcheck -------

[-] 2009-10-19 . BA8C046D98345129723E6BCAA1E8AB99 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys

[-] 2010-10-19 . 9E8EF33E20F23BC116A1E5A2DDCD2BA8 . 509440 . . [5.1.2600.5788] . . c:\windows\system32\winlogon.exe

[-] 2009-10-19 . D27B911DCD2F05103F51A9F0899B5C62 . 1033728 . . [6.00.2900.5634] . . c:\windows\explorer.exe

c:\windows\System32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C37B053-FD68-456a-82E1-D788EE342E6F}]
2009-05-07 21:46 2642432 ----a-w- c:\program files\Family Toolbar\tbcore3.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D62EC836-BF1E-4CAC-81BE-FB9179835D8E}]
2010-02-18 07:37 221184 ----a-w- c:\program files\Family Toolbar\mhxpcomi.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{FD2FD708-1F6F-4B68-B141-C5778F0C19BB}"= "c:\program files\Family Toolbar\tbcore3.dll" [2009-05-07 2642432]

[HKEY_CLASSES_ROOT\clsid\{fd2fd708-1f6f-4b68-b141-c5778f0c19bb}]
[HKEY_CLASSES_ROOT\MHToolbar.MHToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\MHToolbar.MHToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-20 135664]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2009-09-28 1524824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-06-25 294998]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-10-19 128512]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
3Connect.lnk - c:\program files\3 Mobile Broadband\3Connect\Wilog.exe [2010-9-29 38640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 18 (0x12)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\River Past\\Video Cleaner Pro\\VideoCleanerPro.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Nero\\Nero 9\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1108000.005\symds.sys [19/10/2010 13:07 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1108000.005\symefa.sys [19/10/2010 13:07 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20101001.001\BHDrvx86.sys [02/10/2010 00:00 692272]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1108000.005\cchpx86.sys [19/10/2010 13:07 501888]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [05/01/2010 08:56 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/01/2010 08:56 67656]
R1 SLEE_14_DRIVER;Steganos Live Encryption Engine 14 [Driver];c:\windows\system32\drivers\sleen14.sys [08/11/2006 14:19 72480]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1108000.005\ironx86.sys [19/10/2010 13:07 116784]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [26/11/2009 14:21 88176]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.8.0.5\ccsvchst.exe [19/10/2010 13:07 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [19/10/2010 23:55 102448]
R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [29/09/2010 11:53 100736]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20101015.005\IDSXpx86.sys [13/10/2010 20:59 341880]
S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [19/10/2009 09:29 9472]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [30/11/2009 13:32 133104]
S2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [27/08/2010 11:09 312152]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [14/07/2010 00:14 14424]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/01/2010 08:56 12872]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PBFILTER
*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-10-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-30 12:31]

2010-10-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-30 12:31]

2010-10-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-651377827-842925246-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-20 11:22]

2010-10-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-651377827-842925246-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-20 11:22]

2010-10-28 c:\windows\Tasks\User_Feed_Synchronization-{E654F2DD-1D76-433F-9151-37B2E1CF8ADE}.job
- c:\windows\system32\msfeedssync.exe [2009-10-19 10:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Handler: mhtb - {669A2A3A-F19C-452D-800D-1240299756C1} - c:\program files\Family Toolbar\mhxpcomi.dll
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xta0fo0z.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.independent.ie/business/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xta0fo0z.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xta0fo0z.default\extensions\{FD2FD708-1F6F-4B68-B141-C5778F0C19BB}\components\mhxpcom2.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xta0fo0z.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Opera\program\plugins\np_gp.dll
FF - plugin: c:\program files\Opera\program\plugins\npdjvu.dll
FF - plugin: c:\program files\Opera\program\plugins\npdjvu.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin5.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin6.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin7.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{4F07DA45-8170-4859-9B5F-037EF2970034} - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-28 15:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.8.0.5\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,56,a7,8f,36,64,87,b0,4b,8d,17,e5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,56,a7,8f,36,64,87,b0,4b,8d,17,e5,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(556)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2010-10-28 15:24:36
ComboFix-quarantined-files.txt 2010-10-28 14:24

Pre-Run: 90,151,432,192 bytes free
Post-Run: 90,107,834,368 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 882BD7E0623147E54CAEC550B2B60EBF

Thanks for all your help so far Broni - very much appreciated.
Cheers
Will

Will40, Oct 28, 2010

#4
Broni Malware Annihilator

You're welcome

Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.
Upload following files to http://www.virustotal.com/ for security check:
- c:\windows\explorer.exe
- c:\windows\system32\winlogon.exe
IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
Post scan results.

Broni, Oct 28, 2010

#5
Will40 Newcomer, in training

Heuston - we have a problem....

Broni - when booting up, the PC now asks for Windows SP3 disk (due to needing to restore some altered files). My XP Pro CD is SP2 as I downloaded SP3, but it won't accept my SP2 CD. So my PC just does nothing except show the logon splash screen. I've managed to get online by running my mobile broadband & my browser from the task manager....

Where do we go from here....??!!

I presume I'll need to download SP3 which is what I'm going to start doing in the interim....

Will40, Oct 29, 2010

#6
Broni Malware Annihilator

Here is how to slipstream SP3 into your current CD: http://www.theeldergeek.com/slipstreamed_xpsp3_cd.htm

Let me know, if it's doable for you. If not, we'll some other ways.

Broni, Oct 29, 2010

#7
Will40 Newcomer, in training

System won't let me open the file once downloaded - says something about not having administrator privileges (which I do), so have downloaded it it via friends laptop and am trying it from there.

Also, just for reference purposes, during the Slipstream process I need to get to the Run command via the Start button - which I don't have! I can only get any programs to run from Task Manager! And am unsure of which .exe file will open the Run command for me.....I think it may be in the System32 folder but not sure which one it is....

Will40, Oct 31, 2010

#8
Broni Malware Annihilator

I suggest, you create that CD on some other working computer.

Broni, Oct 31, 2010

#9
Will40 Newcomer, in training

Managed to get PC sorted with Slipstream!

Results for Scan as follows -
File name:
winlogon.exe
Submission date:
2010-11-01 10:22:52 (UTC)
Current status:
queued queued analysing finished
Result:
0/ 43 (0.0%)

Not sure if you need all the remaining info Broni, but pasting it anyway:

Antivirus Version Last Update Result
AhnLab-V3 2010.11.01.01 2010.11.01 -
AntiVir 7.10.13.75 2010.10.31 -
Antiy-AVL 2.0.3.7 2010.11.01 -
Authentium 5.2.0.5 2010.11.01 -
Avast 4.8.1351.0 2010.10.31 -
Avast5 5.0.594.0 2010.10.31 -
AVG 9.0.0.851 2010.10.31 -
BitDefender 7.2 2010.11.01 -
CAT-QuickHeal 11.00 2010.10.26 -
ClamAV 0.96.2.0-git 2010.10.31 -
Comodo 6577 2010.11.01 -
DrWeb 5.0.2.03300 2010.11.01 -
Emsisoft 5.0.0.50 2010.11.01 -
eSafe 7.0.17.0 2010.10.31 -
eTrust-Vet None 2010.10.29 -
F-Prot 4.6.2.117 2010.10.31 -
F-Secure 9.0.16160.0 2010.11.01 -
Fortinet 4.2.249.0 2010.11.01 -
GData 21 2010.11.01 -
Ikarus T3.1.1.90.0 2010.11.01 -
Jiangmin 13.0.900 2010.11.01 -
K7AntiVirus 9.67.2865 2010.10.29 -
Kaspersky 7.0.0.125 2010.11.01 -
McAfee 5.400.0.1158 2010.11.01 -
McAfee-GW-Edition 2010.1C 2010.10.31 -
Microsoft 1.6301 2010.11.01 -
NOD32 5581 2010.11.01 -
Norman 6.06.10 2010.11.01 -
nProtect 2010-11-01.01 2010.11.01 -
Panda 10.0.2.7 2010.10.31 -
PCTools 7.0.3.5 2010.11.01 -
Prevx 3.0 2010.11.01 -
Rising 22.71.06.04 2010.11.01 -
Sophos 4.59.0 2010.11.01 -
Sunbelt 7184 2010.11.01 -
SUPERAntiSpyware 4.40.0.1006 2010.11.01 -
Symantec 20101.2.0.161 2010.11.01 -
TheHacker 6.7.0.1.074 2010.11.01 -
TrendMicro 9.120.0.1004 2010.11.01 -
TrendMicro-HouseCall 9.120.0.1004 2010.11.01 -
VBA32 3.12.14.1 2010.10.29 -
ViRobot 2010.10.4.4074 2010.11.01 -
VirusBuster 12.70.14.0 2010.10.31 -

Additional information
Show all
MD5 : 9e8ef33e20f23bc116a1e5a2ddcd2ba8
SHA1 : 23b7cbbcc487fa9bdadff234c668cc638a8551e9
SHA256: b4653c76afecd33764cdb881d5be69e90a2ecb897c76fb8ba32f81ca67957e38

Will40, Nov 1, 2010

#10
Will40 Newcomer, in training

and Explorer.exe file:

File name:
explorer.exe
Submission date:
2010-11-01 14:36:40 (UTC)
Current status:
queued (#11) queued analysing finished
Result:
0/ 42 (0.0%)

Antivirus Version Last Update Result
AhnLab-V3 2010.11.01.01 2010.11.01 -
AntiVir 7.10.13.76 2010.11.01 -
Antiy-AVL 2.0.3.7 2010.11.01 -
Authentium 5.2.0.5 2010.11.01 -
Avast 4.8.1351.0 2010.11.01 -
Avast5 5.0.594.0 2010.11.01 -
AVG 9.0.0.851 2010.11.01 -
BitDefender 7.2 2010.11.01 -
CAT-QuickHeal 11.00 2010.10.26 -
ClamAV 0.96.2.0-git 2010.11.01 -
Comodo 6577 2010.11.01 -
Emsisoft 5.0.0.50 2010.11.01 -
eSafe 7.0.17.0 2010.10.31 -
eTrust-Vet 36.1.7947 2010.11.01 -
F-Prot 4.6.2.117 2010.11.01 -
F-Secure 9.0.16160.0 2010.11.01 -
Fortinet 4.2.249.0 2010.11.01 -
GData 21 2010.11.01 -
Ikarus T3.1.1.90.0 2010.11.01 -
Jiangmin 13.0.900 2010.11.01 -
K7AntiVirus 9.67.2865 2010.10.29 -
Kaspersky 7.0.0.125 2010.11.01 -
McAfee 5.400.0.1158 2010.11.01 -
McAfee-GW-Edition 2010.1C 2010.11.01 -
Microsoft 1.6301 2010.11.01 -
NOD32 5581 2010.11.01 -
Norman 6.06.10 2010.11.01 -
nProtect 2010-11-01.01 2010.11.01 -
Panda 10.0.2.7 2010.11.01 -
PCTools 7.0.3.5 2010.11.01 -
Prevx 3.0 2010.11.01 -
Rising 22.71.06.04 2010.11.01 -
Sophos 4.59.0 2010.11.01 -
Sunbelt 7185 2010.11.01 -
SUPERAntiSpyware 4.40.0.1006 2010.11.01 -
Symantec 20101.2.0.161 2010.11.01 -
TheHacker 6.7.0.1.074 2010.11.01 -
TrendMicro 9.120.0.1004 2010.11.01 -
TrendMicro-HouseCall 9.120.0.1004 2010.11.01 -
VBA32 3.12.14.1 2010.11.01 -
ViRobot 2010.10.4.4074 2010.11.01 -
VirusBuster 12.70.15.0 2010.11.01 -
Additional information
Show all
MD5 : 12896823fb95bfb3dc9b46bcaedc9923
SHA1 : 9d2bf84874abc5b6e9a2744b7865c193c08d362f
SHA256: 1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455

Will40, Nov 1, 2010

#11
Will40 Newcomer, in training

PC back working - thanks for the help Broni! Scan results below - both received all clear and just included the additional info:

Winlogon.exe:
Additional information
Show all
MD5 : 9e8ef33e20f23bc116a1e5a2ddcd2ba8
SHA1 : 23b7cbbcc487fa9bdadff234c668cc638a8551e9
SHA256: b4653c76afecd33764cdb881d5be69e90a2ecb897c76fb8ba32f81ca67957e38

Explorer.exe
Additional information
Show all
MD5 : 12896823fb95bfb3dc9b46bcaedc9923
SHA1 : 9d2bf84874abc5b6e9a2744b7865c193c08d362f
SHA256: 1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455

Cheers
Will

Will40, Nov 1, 2010

#12
Broni Malware Annihilator

Very good
Please, post fresh Combofix log.

Broni, Nov 1, 2010

#13
Will40 Newcomer, in training

Below Broni.....

ComboFix 10-10-25.02 - Will 02/11/2010 1:30.2.2 - x86
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2010-10-02 to 2010-11-02 )))))))))))))))))))))))))))))))
.

2010-11-01 06:46 . 2010-11-01 06:46 -------- d-----w- C:\XP-SP3
2010-10-31 22:19 . 2010-11-01 07:46 -------- d-----w- C:\XP Boot Image
2010-10-30 09:21 . 2010-10-31 23:17 -------- d-----w- C:\XP
2010-10-29 12:12 . 2010-10-29 12:16 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-10-29 09:48 . 2010-10-29 09:48 -------- d-----w- c:\windows\system32\xircom
2010-10-29 09:48 . 2010-10-29 09:48 -------- d-----w- c:\windows\system32\wbem\snmp
2010-10-29 09:48 . 2010-10-29 09:48 -------- d-----w- c:\windows\system32\oobe
2010-10-29 09:48 . 2010-10-29 09:48 -------- d-----w- c:\program files\microsoft frontpage
2010-10-26 11:45 . 2010-10-26 11:45 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-10-26 11:39 . 2010-10-26 11:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-10-18 22:51 . 2010-10-18 23:06 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-10-18 22:51 . 2010-10-18 22:51 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-10-18 22:51 . 2010-10-18 22:51 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-10-18 22:51 . 2010-10-18 22:51 -------- d-----w- c:\program files\Symantec
2010-10-18 22:50 . 2010-10-19 19:36 -------- d-----w- c:\windows\system32\drivers\NIS
2010-10-18 22:50 . 2010-10-18 22:50 -------- d-----w- c:\program files\Norton Internet Security
2010-10-18 22:50 . 2010-10-18 22:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-10-18 21:51 . 2010-10-18 21:51 -------- d-----w- c:\windows\Internet Logs
2010-10-18 21:45 . 2010-10-18 22:48 -------- d-----w- c:\program files\NortonInstaller
2010-10-18 11:27 . 2008-04-14 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-10-15 14:49 . 2010-08-27 06:05 99840 ------w- c:\windows\system32\dllcache\srvsvc.dll
2010-10-15 14:42 . 2010-07-12 13:02 218112 ------w- c:\windows\system32\dllcache\wordpad.exe
2010-10-15 14:42 . 2010-07-16 12:04 1289216 ------w- c:\windows\system32\dllcache\ole32.dll
2010-10-15 14:32 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-15 14:32 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2010-10-15 14:32 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-15 14:30 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-10-07 16:01 . 2010-10-07 16:01 -------- d-----w- c:\program files\PopCap Games
2010-10-06 10:24 . 2010-10-06 10:24 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Adobe
2010-10-05 11:57 . 2010-10-05 11:57 -------- d-----w- c:\program files\iPod
2010-10-05 11:57 . 2010-10-05 11:58 -------- d-----w- c:\program files\iTunes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 22:56 . 2009-10-19 08:27 509440 ----a-w- c:\windows\system32\winlogon.exe
2010-09-29 10:53 . 2010-09-29 10:53 71262 ----a-w- c:\windows\Huawei ModemsUninstall.exe
2010-09-18 11:23 . 2008-04-14 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2008-04-14 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-04-14 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2008-04-14 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-08 10:17 . 2010-09-08 10:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 10:17 . 2010-09-08 10:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:48 . 2009-10-19 08:25 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:38 . 2009-10-19 08:27 1861888 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:01 . 2009-10-19 08:27 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 06:05 . 2008-04-14 12:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:37 . 2009-10-19 08:27 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-10-19 08:32 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2008-04-14 12:00 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:43 . 2009-10-19 08:26 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.

------- Sigcheck -------

[-] 2009-10-19 . BA8C046D98345129723E6BCAA1E8AB99 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys

[-] 2010-10-19 . 9E8EF33E20F23BC116A1E5A2DDCD2BA8 . 509440 . . [5.1.2600.5788] . . c:\windows\system32\winlogon.exe

c:\windows\System32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2010-10-28_14.21.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-01 07:53 . 2010-11-01 07:53 16384 c:\windows\Temp\Perflib_Perfdata_750.dat
+ 2010-11-01 07:52 . 2010-11-01 07:52 16384 c:\windows\Temp\Perflib_Perfdata_708.dat
- 2008-04-14 12:00 . 2010-08-14 08:31 73062 c:\windows\system32\perfc009.dat
+ 2008-04-14 12:00 . 2010-11-01 07:54 73062 c:\windows\system32\perfc009.dat
- 2008-04-14 12:00 . 2010-08-14 08:31 446068 c:\windows\system32\perfh009.dat
+ 2008-04-14 12:00 . 2010-11-01 07:54 446068 c:\windows\system32\perfh009.dat
+ 2009-10-19 08:25 . 2008-04-14 05:42 1033728 c:\windows\system32\dllcache\explorer.exe
- 2009-10-19 08:25 . 2009-10-19 08:25 1033728 c:\windows\explorer.exe
+ 2009-10-19 08:25 . 2008-04-14 05:42 1033728 c:\windows\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C37B053-FD68-456a-82E1-D788EE342E6F}]
2009-05-07 21:46 2642432 ----a-w- c:\program files\Family Toolbar\tbcore3.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D62EC836-BF1E-4CAC-81BE-FB9179835D8E}]
2010-02-18 07:37 221184 ----a-w- c:\program files\Family Toolbar\mhxpcomi.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{FD2FD708-1F6F-4B68-B141-C5778F0C19BB}"= "c:\program files\Family Toolbar\tbcore3.dll" [2009-05-07 2642432]

[HKEY_CLASSES_ROOT\clsid\{fd2fd708-1f6f-4b68-b141-c5778f0c19bb}]
[HKEY_CLASSES_ROOT\MHToolbar.MHToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\MHToolbar.MHToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-20 135664]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2009-09-28 1524824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-06-25 294998]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-10-19 128512]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
3Connect.lnk - c:\program files\3 Mobile Broadband\3Connect\Wilog.exe [2010-9-29 38640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 18 (0x12)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\River Past\\Video Cleaner Pro\\VideoCleanerPro.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Nero\\Nero 9\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1108000.005\symds.sys [19/10/2010 12:07 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1108000.005\symefa.sys [19/10/2010 12:07 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20101001.001\BHDrvx86.sys [01/10/2010 23:00 692272]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1108000.005\cchpx86.sys [19/10/2010 12:07 501888]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [05/01/2010 07:56 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/01/2010 07:56 67656]
R1 SLEE_14_DRIVER;Steganos Live Encryption Engine 14 [Driver];c:\windows\system32\drivers\sleen14.sys [08/11/2006 13:19 72480]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1108000.005\ironx86.sys [19/10/2010 12:07 116784]
R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [27/08/2010 10:09 312152]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.8.0.5\ccsvchst.exe [19/10/2010 12:07 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [19/10/2010 22:55 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20101028.001\IDSXpx86.sys [19/10/2010 20:36 341880]
R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [13/07/2010 23:14 14424]
S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [19/10/2009 08:29 9472]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [30/11/2009 12:32 133104]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [26/11/2009 13:21 88176]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [29/09/2010 10:53 100736]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/01/2010 07:56 12872]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PBFILTER
*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-11-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-30 12:31]

2010-11-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-30 12:31]

2010-11-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-651377827-842925246-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-20 11:22]

2010-11-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-651377827-842925246-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-20 11:22]

2010-11-02 c:\windows\Tasks\User_Feed_Synchronization-{E654F2DD-1D76-433F-9151-37B2E1CF8ADE}.job
- c:\windows\system32\msfeedssync.exe [2009-10-19 10:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Handler: mhtb - {669A2A3A-F19C-452D-800D-1240299756C1} - c:\program files\Family Toolbar\mhxpcomi.dll
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xta0fo0z.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.independent.ie/business/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xta0fo0z.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xta0fo0z.default\extensions\{FD2FD708-1F6F-4B68-B141-C5778F0C19BB}\components\mhxpcom2.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xta0fo0z.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Opera\program\plugins\np_gp.dll
FF - plugin: c:\program files\Opera\program\plugins\npdjvu.dll
FF - plugin: c:\program files\Opera\program\plugins\npdjvu.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin5.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin6.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin7.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-02 01:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.8.0.5\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,56,a7,8f,36,64,87,b0,4b,8d,17,e5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,56,a7,8f,36,64,87,b0,4b,8d,17,e5,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(520)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(568)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\MediaMonkey\DeskPlayer.dll
c:\windows\system32\xpsp3res.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\SUPERAntiSpyware\SASSEH.DLL

- - - - - - - > 'explorer.exe'(2388)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\progra~1\SPYBOT~1\SDHelper.dll
c:\program files\Microsoft Office\Office12\1033\GrooveIntlResource.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\xpsp3res.dll
c:\program files\Common Files\Nero\SMC\NeroDigitalExt.dll
c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\MFC80.DLL
.
Completion time: 2010-11-02 01:36:32
ComboFix-quarantined-files.txt 2010-11-02 01:36

Pre-Run: 87,534,166,016 bytes free
Post-Run: 87,518,609,408 bytes free

- - End Of File - - C25D74286D49BE68F34417C443ED4193

Will40, Nov 1, 2010

#14
Broni Malware Annihilator
It looks much better...

How is computer doing at the moment?

We have 1 system file missing and a suspicious another one

Do you have Windows XP CD?

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
64-bit users go HERE

Double-click SystemLook.exe to run it.

Vista users:: Right click on SystemLook.exe, click Run As Administrator

Copy the content of the following box into the main textfield:

Code:

:filefind wscntfy.exe

Click the Look button to start the scan.

When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt
Broni, Nov 1, 2010

#15
Will40 Newcomer, in training

It's grand - no problems that I can see. [stop laughing!]...Win CD is the new Bootable XP SP3 CD formed via Slipstream

Downloading now....

File results:
SystemLook 04.09.10 by jpshortstuff
Log created at 01:58 on 02/11/2010 by Will
Administrator - Elevation successful

========== filefind ==========

Searching for "wscntfy.exe"
No files found.

-= EOF =-

Will40, Nov 1, 2010

#16
Broni Malware Annihilator
Cool
On Windows CD, navigate to I386 folder.
Find:
wscntfy.ex_
Copy it to your desktop and unzip it with any zipping program.
It'll become:
wscntfy.exe

Paste unzipped file into c:\windows\System32 folder.

Now...

1. Please open Notepad

Click Start , then Run

Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:

FCopy:: c:\windows\system32\dllcache\tcpip.sys | c:\windows\system32\drivers\tcpip.sys

3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

Combofix.txt
Broni, Nov 1, 2010

#17
Will40 Newcomer, in training

ComboFix Reply:

ComboFix 10-10-25.02 - Will 02/11/2010 2:23.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.353.1033.18.1023.391 [GMT 0:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\system32\dllcache\tcpip.sys --> c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((( Files Created from 2010-10-02 to 2010-11-02 )))))))))))))))))))))))))))))))
.

2010-11-02 02:19 . 2008-04-14 05:42 13824 ----a-w- c:\windows\system32\wscntfy.exe
2010-11-02 02:19 . 2008-04-14 05:42 13824 ----a-w- c:\windows\system32\dllcache\wscntfy.exe
2010-11-01 06:46 . 2010-11-01 06:46 -------- d-----w- C:\XP-SP3
2010-10-31 22:19 . 2010-11-01 07:46 -------- d-----w- C:\XP Boot Image
2010-10-30 09:21 . 2010-10-31 23:17 -------- d-----w- C:\XP
2010-10-29 12:12 . 2010-10-29 12:16 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-10-29 09:48 . 2010-10-29 09:48 -------- d-----w- c:\windows\system32\xircom
2010-10-29 09:48 . 2010-10-29 09:48 -------- d-----w- c:\windows\system32\wbem\snmp
2010-10-29 09:48 . 2010-10-29 09:48 -------- d-----w- c:\windows\system32\oobe
2010-10-29 09:48 . 2010-10-29 09:48 -------- d-----w- c:\program files\microsoft frontpage
2010-10-26 11:45 . 2010-10-26 11:45 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-10-26 11:39 . 2010-10-26 11:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-10-18 22:51 . 2010-10-18 23:06 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-10-18 22:51 . 2010-10-18 22:51 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-10-18 22:51 . 2010-10-18 22:51 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-10-18 22:51 . 2010-10-18 22:51 -------- d-----w- c:\program files\Symantec
2010-10-18 22:50 . 2010-10-19 19:36 -------- d-----w- c:\windows\system32\drivers\NIS
2010-10-18 22:50 . 2010-10-18 22:50 -------- d-----w- c:\program files\Norton Internet Security
2010-10-18 22:50 . 2010-10-18 22:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-10-18 21:51 . 2010-10-18 21:51 -------- d-----w- c:\windows\Internet Logs
2010-10-18 21:45 . 2010-10-18 22:48 -------- d-----w- c:\program files\NortonInstaller
2010-10-18 11:27 . 2008-04-14 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-10-15 14:49 . 2010-08-27 06:05 99840 ------w- c:\windows\system32\dllcache\srvsvc.dll
2010-10-15 14:42 . 2010-07-12 13:02 218112 ------w- c:\windows\system32\dllcache\wordpad.exe
2010-10-15 14:42 . 2010-07-16 12:04 1289216 ------w- c:\windows\system32\dllcache\ole32.dll
2010-10-15 14:32 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-15 14:32 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2010-10-15 14:32 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-15 14:30 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-10-07 16:01 . 2010-10-07 16:01 -------- d-----w- c:\program files\PopCap Games
2010-10-06 10:24 . 2010-10-06 10:24 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Adobe
2010-10-05 11:57 . 2010-10-05 11:57 -------- d-----w- c:\program files\iPod
2010-10-05 11:57 . 2010-10-05 11:58 -------- d-----w- c:\program files\iTunes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 22:56 . 2009-10-19 08:27 509440 ----a-w- c:\windows\system32\winlogon.exe
2010-09-29 10:53 . 2010-09-29 10:53 71262 ----a-w- c:\windows\Huawei ModemsUninstall.exe
2010-09-18 11:23 . 2008-04-14 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2008-04-14 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-04-14 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2008-04-14 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-08 10:17 . 2010-09-08 10:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 10:17 . 2010-09-08 10:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:48 . 2009-10-19 08:25 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:38 . 2009-10-19 08:27 1861888 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:01 . 2009-10-19 08:27 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 06:05 . 2008-04-14 12:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:37 . 2009-10-19 08:27 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-10-19 08:32 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2008-04-14 12:00 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:43 . 2009-10-19 08:26 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.

------- Sigcheck -------

[-] 2010-10-19 . 9E8EF33E20F23BC116A1E5A2DDCD2BA8 . 509440 . . [5.1.2600.5788] . . c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-10-28_14.21.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-01 07:53 . 2010-11-01 07:53 16384 c:\windows\Temp\Perflib_Perfdata_750.dat
+ 2010-11-01 07:52 . 2010-11-01 07:52 16384 c:\windows\Temp\Perflib_Perfdata_708.dat
- 2008-04-14 12:00 . 2010-08-14 08:31 73062 c:\windows\system32\perfc009.dat
+ 2008-04-14 12:00 . 2010-11-01 07:54 73062 c:\windows\system32\perfc009.dat
- 2008-04-14 12:00 . 2010-08-14 08:31 446068 c:\windows\system32\perfh009.dat
+ 2008-04-14 12:00 . 2010-11-01 07:54 446068 c:\windows\system32\perfh009.dat
+ 2009-10-19 08:35 . 2008-06-20 11:51 361600 c:\windows\system32\dllcache\tcpip.sys
- 2010-01-27 10:16 . 2008-06-20 11:51 361600 c:\windows\system32\dllcache\tcpip.sys
+ 2009-10-19 08:25 . 2008-04-14 05:42 1033728 c:\windows\system32\dllcache\explorer.exe
- 2009-10-19 08:25 . 2009-10-19 08:25 1033728 c:\windows\explorer.exe
+ 2009-10-19 08:25 . 2008-04-14 05:42 1033728 c:\windows\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0C37B053-FD68-456a-82E1-D788EE342E6F}]
2009-05-07 21:46 2642432 ----a-w- c:\program files\Family Toolbar\tbcore3.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D62EC836-BF1E-4CAC-81BE-FB9179835D8E}]
2010-02-18 07:37 221184 ----a-w- c:\program files\Family Toolbar\mhxpcomi.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{FD2FD708-1F6F-4B68-B141-C5778F0C19BB}"= "c:\program files\Family Toolbar\tbcore3.dll" [2009-05-07 2642432]

[HKEY_CLASSES_ROOT\clsid\{fd2fd708-1f6f-4b68-b141-c5778f0c19bb}]
[HKEY_CLASSES_ROOT\MHToolbar.MHToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\MHToolbar.MHToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-20 135664]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2009-09-28 1524824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-06-25 294998]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-10-19 128512]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
3Connect.lnk - c:\program files\3 Mobile Broadband\3Connect\Wilog.exe [2010-9-29 38640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 18 (0x12)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\River Past\\Video Cleaner Pro\\VideoCleanerPro.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Nero\\Nero 9\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1108000.005\symds.sys [19/10/2010 12:07 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1108000.005\symefa.sys [19/10/2010 12:07 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20101001.001\BHDrvx86.sys [01/10/2010 23:00 692272]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1108000.005\cchpx86.sys [19/10/2010 12:07 501888]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [05/01/2010 07:56 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/01/2010 07:56 67656]
R1 SLEE_14_DRIVER;Steganos Live Encryption Engine 14 [Driver];c:\windows\system32\drivers\sleen14.sys [08/11/2006 13:19 72480]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1108000.005\ironx86.sys [19/10/2010 12:07 116784]
R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [27/08/2010 10:09 312152]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.8.0.5\ccsvchst.exe [19/10/2010 12:07 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [19/10/2010 22:55 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20101028.001\IDSXpx86.sys [19/10/2010 20:36 341880]
R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [13/07/2010 23:14 14424]
S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [19/10/2009 08:29 9472]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [30/11/2009 12:32 133104]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [26/11/2009 13:21 88176]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [29/09/2010 10:53 100736]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/01/2010 07:56 12872]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PBFILTER
*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-11-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-30 12:31]

2010-11-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-30 12:31]

2010-11-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-651377827-842925246-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-20 11:22]

2010-11-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-651377827-842925246-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-20 11:22]

2010-11-02 c:\windows\Tasks\User_Feed_Synchronization-{E654F2DD-1D76-433F-9151-37B2E1CF8ADE}.job
- c:\windows\system32\msfeedssync.exe [2009-10-19 10:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Handler: mhtb - {669A2A3A-F19C-452D-800D-1240299756C1} - c:\program files\Family Toolbar\mhxpcomi.dll
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xta0fo0z.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.independent.ie/business/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xta0fo0z.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xta0fo0z.default\extensions\{FD2FD708-1F6F-4B68-B141-C5778F0C19BB}\components\mhxpcom2.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xta0fo0z.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Opera\program\plugins\np_gp.dll
FF - plugin: c:\program files\Opera\program\plugins\npdjvu.dll
FF - plugin: c:\program files\Opera\program\plugins\npdjvu.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin5.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin6.dll
FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin7.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-02 02:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.8.0.5\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,56,a7,8f,36,64,87,b0,4b,8d,17,e5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,56,a7,8f,36,64,87,b0,4b,8d,17,e5,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(520)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(432)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\MediaMonkey\DeskPlayer.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\xpsp3res.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-11-02 02:28:56
ComboFix-quarantined-files.txt 2010-11-02 02:28
ComboFix2.txt 2010-11-02 01:36

Pre-Run: 87,497,977,856 bytes free
Post-Run: 87,477,530,624 bytes free

- - End Of File - - EDEF9AE988D2CFAF26691FF5168DF1C7

Just as a matter of interest Broni- what makes it look better...
Cheers
Will

Will40, Nov 1, 2010

#18
Broni Malware Annihilator
Looks good

Download OTL to your Desktop.

Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

Under the Custom Scan box paste this in:

netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop

Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.

Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
Broni, Nov 1, 2010

#19
Will40 Newcomer, in training

PART 1:

OTL logfile created on: 02/11/2010 02:42:16 - Run 1
OTL by OldTimer - Version 3.2.17.2 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001809 | Country: Ireland | Language: ENI | Date Format: dd/MM/yyyy

1,023.00 Mb Total Physical Memory | 360.00 Mb Available Physical Memory | 35.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.00 Gb Total Space | 81.49 Gb Free Space | 54.69% Space Free | Partition Type: NTFS
Drive D: | 25.12 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 644.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: ANONYMOUS | User Name: Will | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/11/01 10:32:11 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2010/09/20 12:56:40 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/08/13 11:58:56 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/07/07 09:13:50 | 000,241,725 | ---- | M] (Microsoft Corporation) -- C:\Program Files\UPHClean\uphclean.exe
PRC - [2010/06/11 17:14:22 | 000,312,152 | ---- | M] (IObit) -- C:\Program Files\IObit\IObit Security 360\is360srv.exe
PRC - [2010/05/20 16:19:16 | 000,088,176 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2010/02/26 00:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccsvchst.exe
PRC - [2009/11/17 13:23:58 | 003,965,680 | ---- | M] (Birdstep Technology) -- C:\Program Files\3 Mobile Broadband\3Connect\WilogApp.exe
PRC - [2009/11/17 13:13:48 | 000,667,648 | ---- | M] (Birdstep Technology) -- C:\Program Files\3 Mobile Broadband\3Connect\AutoUpdateSrv.exe
PRC - [2009/09/28 01:02:44 | 001,524,824 | ---- | M] (PeerBlock, LLC) -- C:\Program Files\PeerBlock\peerblock.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

========== Modules (SafeList) ==========

MOD - [2010/11/01 10:32:11 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
MOD - [2010/08/23 16:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2010/07/14 12:30:14 | 000,018,688 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\sahook.dll
MOD - [2008/04/14 12:00:00 | 000,689,152 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\xpsp3res.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\WINDOWS\System32\wscsvc.dll -- (wscsvc)
SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - [2010/08/13 11:58:56 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/07/07 09:13:50 | 000,241,725 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\UPHClean\uphclean.exe -- (UPHClean)
SRV - [2010/06/11 17:14:22 | 000,312,152 | ---- | M] (IObit) [Auto | Running] -- C:\Program Files\IObit\IObit Security 360\is360srv.exe -- (IS360service)
SRV - [2010/05/25 11:38:06 | 000,613,888 | ---- | M] (Nokia) [On_Demand | Stopped] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2010/05/20 16:19:16 | 000,088,176 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2010/04/26 12:00:54 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2010/03/29 07:53:22 | 000,068,000 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus(R)
SRV - [2010/02/26 00:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe -- (NIS)
SRV - [2008/09/29 11:09:20 | 000,935,208 | ---- | M] (Nero AG) [On_Demand | Stopped] -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe -- (Nero BackItUp Scheduler 4.0)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2010/10/19 22:55:21 | 001,371,184 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20101031.002\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/10/19 22:55:21 | 000,086,064 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20101031.002\NAVENG.SYS -- (NAVENG)
DRV - [2010/10/19 22:55:20 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2010/10/19 22:55:20 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2010/10/19 20:36:22 | 000,341,880 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20101028.001\IDSXpx86.sys -- (IDSxpx86)
DRV - [2010/10/18 22:51:33 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2010/10/01 23:00:02 | 000,692,272 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20101001.001\BHDrvx86.sys -- (BHDrvx86)
DRV - [2010/05/27 08:39:13 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/05/06 04:01:59 | 000,361,904 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\NIS\1108000.005\SYMTDI.SYS -- (SYMTDI)
DRV - [2010/04/29 05:03:51 | 000,116,784 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NIS\1108000.005\Ironx86.SYS -- (SymIRON)
DRV - [2010/04/22 03:02:20 | 000,173,104 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\NIS\1108000.005\SYMEFA.SYS -- (SymEFA)
DRV - [2010/04/22 02:29:50 | 000,325,680 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\NIS\1108000.005\SRTSP.SYS -- (SRTSP)
DRV - [2010/04/22 02:29:50 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NIS\1108000.005\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2010/02/26 13:32:58 | 000,008,192 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys -- (UsbserFilt)
DRV - [2010/02/26 13:32:46 | 000,008,192 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbser_lowerflt.sys -- (upperdev)
DRV - [2010/02/26 13:32:44 | 000,022,528 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ccdcmbo.sys -- (nmwcdc)
DRV - [2010/02/26 13:32:44 | 000,018,176 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ccdcmb.sys -- (nmwcd)
DRV - [2010/02/26 00:22:57 | 000,501,888 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NIS\1108000.005\ccHPx86.sys -- (ccHP)
DRV - [2010/02/25 13:15:59 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
DRV - [2010/02/25 13:15:59 | 000,012,872 | ---- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2010/02/11 11:36:50 | 000,226,880 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
DRV - [2009/11/17 13:01:18 | 000,010,240 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdvrmng.sys -- (mdvrmng)
DRV - [2009/10/19 08:29:36 | 000,009,472 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\dumpdrv.sys -- (DumpDrv)
DRV - [2009/09/28 01:02:44 | 000,014,424 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Program Files\PeerBlock\pbfilter.sys -- (pbfilter)
DRV - [2009/09/10 12:55:52 | 000,102,528 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ewusbmdm.sys -- (hwdatacard)
DRV - [2009/08/30 00:17:18 | 000,328,752 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\NIS\1108000.005\SYMDS.SYS -- (SymDS)
DRV - [2009/07/24 16:33:24 | 000,100,736 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbdev.sys -- (hwusbdev)
DRV - [2009/02/24 18:42:14 | 000,116,736 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mcdbus.sys -- (mcdbus)
DRV - [2008/08/26 09:26:12 | 000,018,816 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pccsmcfd.sys -- (pccsmcfd)
DRV - [2008/04/13 20:04:32 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2006/11/08 13:19:24 | 000,072,480 | ---- | M] (Softwareentwicklung Remus - ArchiCrypt ) [Driver] [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\sleen14.sys -- (SLEE_14_DRIVER)
DRV - [2003/03/27 16:58:56 | 000,287,920 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctdvda2k.sys -- (ctdvda2k)
DRV - [2003/03/26 21:33:58 | 000,498,688 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
DRV - [2003/03/26 21:32:32 | 000,189,504 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2003/03/26 21:32:02 | 000,141,536 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hap16v2k.sys -- (hap16v2k)
DRV - [2003/03/26 21:31:40 | 000,823,616 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ha10kx2k.sys -- (ha10kx2k)
DRV - [2003/03/06 15:10:34 | 000,015,840 | ---- | M] (Creative Technology Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\pfmodnt.sys -- (PfModNT)
DRV - [2003/02/20 22:24:46 | 000,116,000 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emupia2k.sys -- (emupia)
DRV - [2003/02/20 22:24:34 | 000,135,248 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2003/02/20 22:24:18 | 000,006,144 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctprxy2k.sys -- (ctprxy2k)
DRV - [2003/02/20 22:22:38 | 000,135,040 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctac32k.sys -- (ctac32k)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Secure Search"
FF - prefs.js..browser.search.selectedEngine: "Secure Search"
FF - prefs.js..browser.startup.homepage: "http://www.independent.ie/business/"
FF - prefs.js..extensions.enabledItems: {582195F5-92E7-40a0-A127-DB71295901D7}:0.6
FF - prefs.js..extensions.enabledItems: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20100503
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.7.4
FF - prefs.js..extensions.enabledItems: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3}:1.48.3
FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1.6.2.63
FF - prefs.js..extensions.enabledItems: {F8A55C97-3DB6-4961-A81D-0DE0080E53CB}:0.9.2
FF - prefs.js..extensions.enabledItems: {FD2FD708-1F6F-4B68-B141-C5778F0C19BB}:1.0.5
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: bkmrksync@nokia.com:1.0.0.732
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.2
FF - prefs.js..extensions.enabledItems: {BBDA0591-3099-440a-AA10-41764D9DB4DB}:2.0
FF - prefs.js..extensions.enabledItems: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}:4.6
FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=mcafee&p="

FF - HKLM\software\mozilla\Firefox\Extensions\\bkmrksync@nokia.com: C:\Program Files\Nokia\Nokia PC Suite 7\bkmrksync\ [2010/06/21 15:24:24 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/09/30 15:06:50 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\Program Files\CheckPoint\ZAForceField\TrustChecker
FF - HKLM\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn\ [2010/10/19 12:07:21 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn\ [2010/10/19 10:02:09 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/10/05 11:53:07 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/10/05 11:53:07 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.4\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/10/05 11:53:07 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.4\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2010/10/05 11:53:07 | 000,000,000 | ---D | M]

[2009/12/14 15:53:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2009/12/14 15:53:02 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2010/11/01 21:00:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xta0fo0z.default\extensions
[2010/10/05 11:30:12 | 000,000,000 | ---D | M] (FoxyTunes) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xta0fo0z.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}
[2010/02/01 15:41:27 | 000,000,000 | ---D | M] (Gmail Manager) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xta0fo0z.default\extensions\{582195F5-92E7-40a0-A127-DB71295901D7}
[2010/05/17 12:00:47 | 000,000,000 | ---D | M] (WOT) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xta0fo0z.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2010/07/16 13:12:09 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xta0fo0z.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2010/08/23 13:03:39 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xta0fo0z.default\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
[2010/07/16 13:12:12 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus(R))) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xta0fo0z.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2010/05/17 12:12:26 | 000,000,000 | ---D | M] (Download Manager Tweak) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xta0fo0z.default\extensions\{F8A55C97-3DB6-4961-A81D-0DE0080E53CB}
[2010/09/23 12:41:50 | 000,000,000 | ---D | M] (Family Toolbar) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\xta0fo0z.default\extensions\{FD2FD708-1F6F-4B68-B141-C5778F0C19BB}
[2009/11/17 01:11:18 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/07/31 12:06:48 | 001,654,784 | ---- | M] (LizardTech) -- C:\Program Files\Mozilla Firefox\plugins\npdjvu.dll
[2010/03/05 15:26:52 | 000,075,208 | ---- | M] (Foxit Software Company) -- C:\Program Files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
[2010/08/13 23:38:40 | 000,002,024 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\McSiteAdvisor.xml

O1 HOSTS File: ([2010/10/28 14:20:40 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (MHTBPos00 Class) - {0C37B053-FD68-456a-82E1-D788EE342E6F} - C:\Program Files\Family Toolbar\tbcore3.dll ()
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.8.0.5\coieplg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ipsbho.dll (Symantec Corporation)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (CMySite Class) - {D62EC836-BF1E-4CAC-81BE-FB9179835D8E} - C:\Program Files\Family Toolbar\mhxpcomi.dll ()
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.8.0.5\coieplg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Family Toolbar) - {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - C:\Program Files\Family Toolbar\tbcore3.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (ZoneAlarm Toolbar) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll File not found
O4 - HKLM..\Run: [CoolSwitch] C:\WINDOWS\system32\TaskSwitch.exe ()
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKCU..\Run: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe (PeerBlock, LLC)
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\3Connect.lnk = C:\Program Files\3 Mobile Broadband\3Connect\Wilog.exe (Birdstep Technology)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSharedDocuments = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: MaxRecentDocs = 18
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMConfigurePrograms = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRecentDocsNetHood = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: MemCheckBoxInRunDlg = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: verbosestatus = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableStatusMessages = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16)
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\mhtb {669A2A3A-F19C-452D-800D-1240299756C1} - C:\Program Files\Family Toolbar\mhxpcomi.dll ()
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/11/16 22:52:09 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/11/18 14:18:22 | 000,143,360 | R--- | M] (Huawei Technologies Co., Ltd.) - D:\AutoRun.exe -- [ CDFS ]
O32 - AutoRun File - [2009/03/20 17:20:32 | 000,027,750 | R--- | M] () - D:\AutoRun.ico -- [ CDFS ]
O32 - AutoRun File - [2009/11/17 14:01:12 | 000,000,047 | R--- | M] () - D:\AUTORUN.INF -- [ CDFS ]
O32 - AutoRun File - [2004/08/12 13:36:22 | 000,000,110 | R--- | M] () - F:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.ac3acm - C:\WINDOWS\System32\ac3acm.acm (fccHandler)
Drivers32: msacm.divxa32 - C:\WINDOWS\System32\divxa32.acm (Kristal StudioDFileDescription)
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.l3fhg - C:\WINDOWS\System32\mp3fhg.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.lameacm - C:\WINDOWS\System32\lameACM.acm (http://www.mp3dev.org/)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: msacm.vorbis - C:\WINDOWS\System32\vorbis.acm (HMS http://hp.vector.co.jp/authors/VA012897/)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: VIDC.DIVX - C:\WINDOWS\System32\divx.dll (DivX, Inc.)
Drivers32: VIDC.FFDS - C:\WINDOWS\System32\ff_vfw.dll ()
Drivers32: VIDC.HFYU - C:\WINDOWS\System32\huffyuv.dll (Disappearing Inc.)
Drivers32: vidc.i263 - C:\WINDOWS\System32\I263_32.drv (Intel Corporation)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: VIDC.VP60 - C:\WINDOWS\System32\vp6vfw.dll (On2.com)
Drivers32: VIDC.VP61 - C:\WINDOWS\System32\vp6vfw.dll (On2.com)
Drivers32: VIDC.VP62 - C:\WINDOWS\System32\vp6vfw.dll (On2.com)
Drivers32: VIDC.VP70 - C:\WINDOWS\System32\vp7vfw.dll (On2.com)
Drivers32: VIDC.WMV3 - C:\WINDOWS\System32\wmv9vcm.dll (Microsoft Corporation)
Drivers32: VIDC.X264 - C:\WINDOWS\System32\x264vfw.dll ()
Drivers32: VIDC.XVID - C:\WINDOWS\System32\xvidvfw.dll ()
Drivers32: VIDC.YV12 - C:\WINDOWS\System32\yv12vfw.dll (www.helixcommunity.org)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17183584330711040)

========== Files/Folders - Created Within 30 Days ==========

[2010/11/01 10:31:00 | 000,576,000 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/11/01 06:46:05 | 000,000,000 | ---D | C] -- C:\XP-SP3
[2010/10/31 22:19:07 | 000,000,000 | ---D | C] -- C:\XP Boot Image
[2010/10/30 09:22:08 | 000,000,000 | ---D | C] -- C:\XPSP3 File
[2010/10/30 09:21:45 | 000,000,000 | ---D | C] -- C:\XP
[2010/10/29 12:12:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\CatRoot_bak
[2010/10/29 09:48:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\xircom
[2010/10/29 09:48:19 | 000,000,000 | ---D | C] -- C:\Program Files\xerox
[2010/10/29 09:48:19 | 000,000,000 | ---D | C] -- C:\Program Files\outlook express
[2010/10/29 09:48:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\oobe
[2010/10/29 09:48:19 | 000,000,000 | ---D | C] -- C:\Program Files\netmeeting
[2010/10/29 09:48:19 | 000,000,000 | ---D | C] -- C:\Program Files\msn gaming zone
[2010/10/29 09:48:19 | 000,000,000 | ---D | C] -- C:\Program Files\movie maker
[2010/10/29 09:48:18 | 000,000,000 | ---D | C] -- C:\Program Files\microsoft frontpage
[2010/10/29 09:48:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\inetsrv
[2010/10/28 14:09:41 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/10/28 13:35:39 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/10/28 13:35:39 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/10/28 13:35:39 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/10/28 13:35:39 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/10/28 13:35:22 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/10/28 13:34:56 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/10/27 12:13:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Malware Log Files
[2010/10/26 11:39:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/10/19 12:07:51 | 000,361,904 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1108000.005\symtdi.sys
[2010/10/19 12:07:51 | 000,339,504 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1108000.005\symtdiv.sys
[2010/10/19 12:07:51 | 000,328,752 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1108000.005\symds.sys
[2010/10/19 12:07:51 | 000,173,104 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1108000.005\symefa.sys
[2010/10/19 12:07:50 | 000,501,888 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1108000.005\cchpx86.sys
[2010/10/19 12:07:50 | 000,325,680 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1108000.005\srtsp.sys
[2010/10/19 12:07:50 | 000,116,784 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1108000.005\ironx86.sys
[2010/10/19 12:07:50 | 000,043,696 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1108000.005\srtspx.sys
[2010/10/19 12:07:26 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NIS\1108000.005
[2010/10/18 22:51:33 | 000,124,976 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2010/10/18 22:51:33 | 000,060,808 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2010/10/18 22:51:33 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared
[2010/10/18 22:51:33 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec
[2010/10/18 22:50:49 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NIS
[2010/10/18 22:50:44 | 000,000,000 | ---D | C] -- C:\Program Files\Norton Internet Security
[2010/10/18 22:50:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Norton
[2010/10/18 21:51:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\Internet Logs
[2010/10/18 21:45:36 | 000,000,000 | ---D | C] -- C:\Program Files\NortonInstaller
[2010/10/18 21:45:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller
[2010/10/07 16:01:44 | 000,000,000 | ---D | C] -- C:\Program Files\PopCap Games
[2010/10/06 10:24:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Adobe
[2010/10/05 11:57:15 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/10/05 11:57:11 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2009/11/16 23:15:31 | 000,065,536 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll

========== Files - Modified Within 30 Days ==========

[2010/11/02 02:33:02 | 000,000,420 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{E654F2DD-1D76-433F-9151-37B2E1CF8ADE}.job
[2010/11/02 02:08:03 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/11/02 02:03:03 | 000,000,976 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-117609710-651377827-842925246-1003UA.job
[2010/11/02 01:53:02 | 000,075,264 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\SystemLook.exe
[2010/11/02 01:08:01 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/11/01 11:03:00 | 000,000,924 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-117609710-651377827-842925246-1003Core.job
[2010/11/01 10:32:11 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/11/01 07:54:26 | 000,446,068 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/11/01 07:54:26 | 000,073,062 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/11/01 07:52:22 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/11/01 07:52:19 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/11/01 07:52:17 | 1072,746,496 | -HS- | M] () -- C:\hiberfil.sys
[2010/11/01 07:51:27 | 000,030,036 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000002-00000000-00000000-00001102-00000004-10031102}.rfx
[2010/11/01 07:51:27 | 000,030,036 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000002-00000000-00000000-00001102-00000004-10031102}.rfx
[2010/11/01 07:51:27 | 000,029,760 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000002-00000000-00000000-00001102-00000004-10031102}.rfx
[2010/11/01 07:51:27 | 000,029,760 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000002-00000000-00000000-00001102-00000004-10031102}.rfx
[2010/11/01 07:51:27 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2010/11/01 07:51:27 | 000,001,080 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2010/11/01 07:51:27 | 000,000,288 | ---- | M] () -- C:\WINDOWS\System32\DVCStateBkp-{00000002-00000000-00000000-00001102-00000004-10031102}.dat
[2010/11/01 07:51:27 | 000,000,288 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000002-00000000-00000000-00001102-00000004-10031102}.dat
[2010/11/01 07:23:18 | 001,170,678 | ---- | M] () -- C:\WINDOWS\System32\drivers\NIS\1108000.005\Cat.DB
[2010/10/28 14:20:40 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/10/28 14:09:47 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2010/10/27 12:11:37 | 000,000,489 | ---- | M] () -- C:\WINDOWS\DELLSTAT.INI
[2010/10/26 11:45:00 | 000,016,968 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/10/26 10:21:55 | 003,886,730 | R--- | M] () -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe
[2010/10/25 22:16:10 | 000,079,872 | ---- | M] () -- C:\WINDOWS\MBR.exe
[2010/10/21 16:50:40 | 005,223,811 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\A major city view on smart ICT applications for electric mobility..pdf
[2010/10/19 19:36:38 | 000,001,964 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Norton Internet Security.LNK
[2010/10/18 22:51:33 | 000,124,976 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2010/10/18 22:51:33 | 000,060,808 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2010/10/18 22:51:33 | 000,007,443 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2010/10/18 22:51:33 | 000,000,805 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2010/10/18 10:10:01 | 000,004,212 | -H-- | M] () -- C:\WINDOWS\System32\zllictbl.dat
[2010/10/16 08:28:09 | 000,333,872 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/10/07 16:01:47 | 000,000,966 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Plants vs. Zombies.lnk
[2010/10/07 12:43:35 | 000,001,285 | ---- | M] () -- C:\WINDOWS\MyHeritage.INI
[2010/10/07 10:10:10 | 000,000,745 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\IObit Security 360.lnk
[2010/10/07 01:43:40 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/10/06 14:58:47 | 000,075,164 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/10/06 13:15:45 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\iTunes.lnk
[2010/10/06 13:13:39 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk

========== Files Created - No Company Name ==========

Will40, Nov 1, 2010

#20

(You must log in or sign up to reply here.)

Page 1 of 2

Thread Status:: Not open for further replies.

TechSpot | Technology News and Analysis
Copyright © 1998-2012, TechSpot, Inc.
Forum software by XenForo™
TechSpot is a registered trademark
All Rights Reserved