Malwarebytes

Infected; MBAM Being Deleted
ent
post Nov 15 2009, 09:03 AM
Post #41

I'm happy to report that extracting and installing the iastor.sys driver made my computer bootable again!

Almost as soon as I rebooted, I started getting malware intrusions. In particular, a fake malware program called Personal Guard 2009 kept popping up. I could delete all of its files and kill the process, but it would come back. I was able to stop this cycle by copying a random .exe file into the Personal Guard directory and renaming it to personalguard.exe. This kept it from running.

Then I tried reinstalling MBAM and got the same symptoms as before -- an mbam.exe file that would disappear within seconds of its creation. To combat this, I tried going to the Windows command line and quickly running a copy command to copy mbam.exe to another file name, while MBAM was in the process of installing. I was thinking that I might be able to run MBAM via this other executable. Not sure why, but the copying alone seemed to stop mbam.exe from being deleted, so then I was able to run a scan.

On a quick scan, MBAM found 43 infected objects!

Memory Processes Infected:
C:\Documents and Settings\All Users\Microsoft AData\setup.exe (Rogue.Installer) -> Unloaded process successfully.
Memory Modules Infected:
c:\WINDOWS\system32\zayezeru.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\All Users\Microsoft AData\sysnet.dll (Rogue.Installer) -> Delete on reboot.
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{df8ba2ed-e102-44d6-89d9-cebb037d8dd6} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{81ccb0cf-1404-4b92-aaf2-090ba3b6d4d5} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\personal guard 2009 (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Personal Guard 2009 (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\surezadil (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{df8ba2ed-e102-44d6-89d9-cebb037d8dd6} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\heramineh (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\sysnet (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\personalguard (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dofobobadu (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe logon.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.
Folders Infected:
C:\Program Files\Personal Guard 2009 (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.
C:\Program Files\Personal Guard 2009\q (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill Entwistle\Start Menu\Programs\Personal Guard 2009 (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Microsoft AData (Rogue.SmartProtector) -> Quarantined and deleted successfully.
Files Infected:
c:\WINDOWS\system32\zayezeru.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\All Users\Microsoft AData\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Microsoft AData\sysnet.dll (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\logon.exe (Worm.Emold) -> Delete on reboot.
C:\WINDOWS\Temp\7E9.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill Entwistle\Local Settings\temp\trt.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill Entwistle\Local Settings\temp\trt57.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\Personal Guard 2009\config.scf (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.
C:\Program Files\Personal Guard 2009\mmbase.sdb (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.
C:\Program Files\Personal Guard 2009\personalguard.exe (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.
C:\Program Files\Personal Guard 2009\q.sdb (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.
C:\Program Files\Personal Guard 2009\queue.sdb (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.
C:\Program Files\Personal Guard 2009\uninstalls.exe (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.
C:\Program Files\Personal Guard 2009\vvbase.sdb (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill Entwistle\Start Menu\Programs\Personal Guard 2009\Personal Guard 2009.lnk (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill Entwistle\Start Menu\Programs\Personal Guard 2009\Uninstall.lnk (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Microsoft AData\t.sid (Rogue.SmartProtector) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\diwunawo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\certSystem.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\Microsoftdef.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\regred.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\securits.com (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\spoov.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\usExplorer.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

I removed these, rebooted and re-quick-scanned and it found 2 infected objects:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dofobobadu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

I removed them, rebooted and they came back. I removed them and ran a full scan and it found 5 items:

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP337\A0025338.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP337\A0025341.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP337\A0025346.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\AE1PGLU0\load-full[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\7E7.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.

I removed them, rebooted and re-full-scanned and it only found the 2 objects -- the other 5 did not come back.

I also noticed that something is hijacking the Windows Update feature. Every couple of minutes or so, it disables the automatic update feature. So I can't say for sure whether or not I am up to date with the Windows security updates. I might be -- I was able to circumvent this by running services.msc, waiting for the status to flip to Disabled, then quickly re-enabling it and running the next step of the update process.

I tried booting to safe mode to run the updates, but I still get the blue screen of death when I do.

By the way, somewhere in the middle of all this, I also updated and ran Windows Defender and it found and removed:

Trojan:Win32/Vundo.LP

I rebooted and ran it again, and it did not seem to come back.

So, in summary, I still have these three known symptoms:

* the two infected objects that keep coming back
* the disabling of the Windows update process
* the inability to run in safe mode.

Thanks.
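The scan and rescan results quoted above, as an added example that is not code from the original post or from Malwarebytes: a parser for lines in the format of the MBAM log, which tallies detections by signature name, lists the items MBAM deferred to "Delete on reboot", and reports which paths the post-reboot rescan found again. The two sample logs embedded below are constructed from a few of the quoted lines.

```python
"""Parse MBAM scan-log entries and compare a scan with the post-reboot rescan.

Added example for the scan logs quoted above; not Malwarebytes' own code.
The two sample logs are constructed from a few lines in the quoted format.
"""
import re
from collections import Counter

# Section header ("Files Infected:") vs. entry ("<path> (<Detection>) -> <action>.").
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")
# "Registry Data Items" carry the bad value and the expected value before the action.
BAD_GOOD_RE = re.compile(r"^Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> (?P<action>.+)$")

# Constructed sample: first quick scan (subset of the quoted log).
SCAN_1 = r"""
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\surezadil (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dofobobadu (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
c:\WINDOWS\system32\zayezeru.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\Temp\7E9.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
"""

# Constructed sample: rescan after the reboot, in which two items were found again.
SCAN_2 = r"""
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dofobobadu (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
"""


def parse_mbam_log(text):
    """Return one dict per detection line, tagged with the section it appeared under."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # anything else (scan summary lines) is ignored
        rest = m.group("rest")
        bad = good = None
        bg = BAD_GOOD_RE.match(rest)
        if bg:
            bad, good, action = bg.group("bad"), bg.group("good"), bg.group("action")
        else:
            action = rest
        records.append({
            "section": section,
            "path": m.group("path"),
            "detection": m.group("detection"),
            "action": action.rstrip("."),
            "bad": bad,
            "good": good,
            # Items in use at scan time cannot be removed live; MBAM defers them.
            "pending_reboot": action.startswith("Delete on reboot"),
        })
    return records


def family_counts(records):
    """Count detections by signature name, e.g. {'Trojan.Vundo.H': 2, ...}."""
    return Counter(r["detection"] for r in records)


def recurring(before, after):
    """Paths present in both scans: removed once, back again after the reboot.

    Something still running recreates them, so the loader has not been found yet."""
    seen = {r["path"].lower() for r in before}
    return sorted(r["path"] for r in after if r["path"].lower() in seen)


def triage(first_text, rescan_text):
    """Summarise a scan/rescan pair the way the thread walks through it."""
    first, rescan = parse_mbam_log(first_text), parse_mbam_log(rescan_text)
    return {
        "first_scan_total": len(first),
        "families": dict(family_counts(first)),
        "pending_reboot": [r["path"] for r in first if r["pending_reboot"]],
        "recurring": recurring(first, rescan),
    }


if __name__ == "__main__":
    for key, value in triage(SCAN_1, SCAN_2).items():
        print(f"{key}: {value}")
```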
IndiGenus
post Nov 15 2009, 03:20 PM
Post #42

Nice work!!! Some really nasty stuff you picked up there...

Obviously still more work to do. But since we got it running I'd like to do some scans before we make any changes.

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.


~~~~~~~~~~~~~~~~~~~

Download This file. Note its name and save it to your root folder, such as C:\.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.


--------------------
IndiGenus

The help you receive here is free, but if you would like to help continue the fight against Malware then

"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi

IndiGenus
post Nov 15 2009, 04:13 PM
Post #43

Hello ent,

A favor to ask please...

Did you rename the old iastor.sys when you copied the new one over, or did you just copy over it? If you renamed it, could you please upload the renamed file to the following link:

http://www.bleepingcomputer.com/submit-malware.php?channel=4

Also, could you upload the following file to the same place?

C:\Qoobox\Quarantine\C\Windows\System32\Drivers\iastor.sys.vir

Thank you.


ent
post Nov 15 2009, 06:44 PM
Post #44

I did save a copy and I have uploaded the requested files to Bleeping Computer.

By the way, this morning (before you left your reply), I ran Spybot to see what it would turn up and it found and deleted several objects. I'm just mentioning it in case it might provide some more diagnostic info. Anyway, Spybot turned up several infections. I couldn't find a log file to paste in here, but they included references to:

Microsoft.WindowsSecurityCenter.FirewallBypass
Microsoft.WindowsSecurityCenter_disabled
Virtumonde.sdn
Virtumonde.atr
Virtumonde.dll

After rebooting, some of the Virtumonde objects came back. But it seems to have fixed the automatic disabling of Windows updates. I successfully did a Windows update, although I'm not really confident that I can trust that it worked.

I will take your next steps. It might take a while because I have this crushing deadline at work and if I don't get it done today, heads will roll. I probably won't be able to do anything before late tonight or tomorrow.
IndiGenus
post Nov 15 2009, 09:06 PM
Post #45

QUOTE
I did save a copy and I have uploaded the requested files to Bleeping Computer.

Thank you, we appreciate it.


QUOTE
I will take your next steps. It might take a while because I have this crushing deadline at work and if I don't get it done today, heads will roll. I probably won't be able to do anything before late tonight or tomorrow.

No problem, whenever you can get to it. We don't want to see any heads rolling around...


ent
post Nov 19 2009, 01:26 AM
Post #46

Here is the DDS.txt and Attach.txt as a zip file (per DDS's instructions). I assume that you want me to continue with the rest of the steps.


    DDS (Ver_09-10-26.01) - NTFSx86
    Run by Bill Entwistle at 19:13:59.23 on Wed 11/18/2009
    Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.140 [GMT -6:00]

    AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
    svchost.exe
    C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\PROGRA~1\RCrawler\RCrawler.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
    C:\Program Files\CapsUnlock\CapsUnlock.exe
    C:\Program Files\FlashTray Pro\FlashTray.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Java\jre6\bin\jucheck.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\WINDOWS\system32\SNDVOL32.EXE
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Bill Entwistle\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = about:blank
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    mDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = 127.0.0.1
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
    BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: {826e7566-fc8a-4294-a7f9-3025321aa7d8} - beyofaji.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
    BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
    BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRunOnce: [SpybotDeletingB2949] command.com /c del "c:\windows\system32\jibikupa.dll_old"
    uRunOnce: [SpybotDeletingD613] cmd.exe /c del "c:\windows\system32\jibikupa.dll_old"
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
    mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
    mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [Corel Photo Downloader] c:\program files\corel\corel snapfire plus\Corel Photo Downloader.exe
    mRun: [Motive SmartBridge] c:\progra~1\sbclig~1\smartb~1\MotiveSB.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [Registry Crawler] c:\progra~1\rcrawler\RCrawler.exe -TRAYONLY
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
    mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
    mRun: [surezadil] Rundll32.exe "c:\windows\system32\jibikupa.dll",a
    mRunOnce: [Spybot - Search & Destroy] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
    mRunOnce: [SpybotDeletingA4277] command.com /c del "c:\windows\system32\jibikupa.dll_old"
    mRunOnce: [SpybotDeletingC3045] cmd.exe /c del "c:\windows\system32\jibikupa.dll_old"
    StartupFolder: c:\docume~1\billen~1\startm~1\programs\startup\alarm.lnk - c:\program files\alarm\Alarm.exe
    StartupFolder: c:\docume~1\billen~1\startm~1\programs\startup\capsun~1.lnk - c:\program files\capsunlock\CapsUnlock.exe
    StartupFolder: c:\docume~1\billen~1\startm~1\programs\startup\flasht~1.lnk - c:\program files\flashtray pro\FlashTray.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\microt~1.lnk - c:\program files\microtek\scanwizard 5\ScannerFinder.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    Trusted Zone: internet
    Trusted Zone: netflix.com\www
    Trusted Zone: pandora.com
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177138576847
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177467272937
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6}
    Notify: igfxcui - igfxdev.dll
    Notify: NavLogon - c:\windows\system32\NavLogon.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SSODL: pirovebob - {04d7d960-4f27-46d5-93ed-16ca2147be51} - c:\windows\system32\dorugeba.dll
    SSODL: toyufibod - {57bc0a5c-54d7-4a9a-9c1d-a46094d906a6} - c:\windows\system32\jibikupa.dll
    STS: gahurihor: {04d7d960-4f27-46d5-93ed-16ca2147be51} - c:\windows\system32\dorugeba.dll
    STS: jugezatag: {57bc0a5c-54d7-4a9a-9c1d-a46094d906a6} - c:\windows\system32\jibikupa.dll
    SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\eudora\EuShlExt.dll
    SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
    LSA: Notification Packages = scecli diwunawo.dll
    mASetup: {621FCD24-4498-4324-A81E-07D331376EDF} - c:\program files\pixiepack codec pack\InstallerHelper.exe

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\billen~1\applic~1\mozilla\firefox\profiles\6xnqpoll.default\
    FF - prefs.js: browser.startup.homepage - about:blank
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

    ============= SERVICES / DRIVERS ===============

    R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-7-30 161064]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-4 102448]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-11-14 38224]
    S2 0258161238559076mcinstcleanup;0258161238559076mcinstcleanup; [x]
    S2 0327391238561196mcinstcleanup;0327391238561196mcinstcleanup; [x]
    S3 LW;LW;c:\docume~1\billen~1\locals~1\temp\lw.exe --> c:\docume~1\billen~1\locals~1\temp\LW.exe [?]
    S3 notecable;NoteCable Driver (WDM);c:\windows\system32\drivers\notcable.sys --> c:\windows\system32\drivers\notcable.sys [?]
    S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]

    =============== Created Last 30 ================

    2009-11-15 05:38:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-11-15 05:38:40 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-11-14 23:10:57 304920 ------w- c:\windows\system32\drivers\iastor.sys
    2009-11-08 23:54:32 98816 ----a-w- c:\windows\sed.exe
    2009-11-08 23:54:32 77312 ----a-w- c:\windows\MBR.exe
    2009-11-08 23:54:32 267264 ----a-w- c:\windows\PEV.exe
    2009-11-08 23:54:32 161792 ----a-w- c:\windows\SWREG.exe
    2009-11-08 23:54:08 0 d-s---w- C:\ComboFix
    2009-11-08 14:48:18 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

    ==================== Find3M ====================

    2009-11-03 02:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
    2009-10-19 23:53:44 3070976 ------w- c:\windows\system32\dllcache\mshtml.dll
    2009-09-25 05:37:11 667136 ----a-w- c:\windows\system32\wininet.dll
    2009-09-25 05:37:11 667136 ------w- c:\windows\system32\dllcache\wininet.dll
    2009-09-25 05:37:11 627712 ------w- c:\windows\system32\dllcache\urlmon.dll
    2009-09-25 05:37:10 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
    2009-09-25 05:37:09 81920 ----a-w- c:\windows\system32\ieencode.dll
    2009-09-25 05:37:09 81920 ------w- c:\windows\system32\dllcache\ieencode.dll
    2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
    2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
    2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
    2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
    2009-08-26 08:00:21 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
    2008-11-28 08:08:22 88 --sh--r- c:\windows\system32\3EEC6A8C6D.sys
    2008-11-27 07:59:36 88 --sh--r- c:\windows\system32\736179D2E2.sys
    2008-11-28 08:08:24 5174 --sh--w- c:\windows\system32\KGyGaAvL.sys

    ============= FINISH: 19:15:17.95 ===============
Attached file: Attach.zip (4.41K)
ent
post Nov 19 2009, 03:26 AM
Post #47

I'm not sure if I ran it right, but here's my GMER log.


    GMER 1.0.15.15227 - http://www.gmer.net
    Rootkit scan 2009-11-18 21:23:34
    Windows 5.1.2600 Service Pack 3
    Running: 11lrt2zh.exe; Driver: C:\DOCUME~1\BILLEN~1\LOCALS~1\Temp\uftdipoc.sys


    ---- System - GMER 1.0.15 ----

    SSDT 860F8380 ZwConnectPort
    SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA6F83350]
    SSDT 862B5A90 ZwQueryValueKey
    SSDT 861960B8 ZwResumeThread
    SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA6F83580]

    ---- Devices - GMER 1.0.15 ----

    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

    AttachedDevice SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

    Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

    AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)
    Device DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
    ---- Processes - GMER 1.0.15 ----

    Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\PROGRA~1\RCrawler\RCrawler.exe [264] 0x10000000
    Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\Program Files\Common Files\Symantec Shared\ccApp.exe [300] 0x10000000
    Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\Program Files\Dell Support\DSAgnt.exe [492] 0x10000000
    Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [516] 0x009A0000
    Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\Program Files\Messenger\msmsgs.exe [604] 0x10000000
    Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [848] 0x00AF0000
    Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\WINDOWS\system32\hkcmd.exe [1256] 0x00EB0000
    Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\WINDOWS\system32\igfxpers.exe [1312] 0x00F60000
    Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\WINDOWS\stsystra.exe [1384] 0x014F0000
    Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe [1416] 0x010E0000
    Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\Program Files\Dell\Media Experience\DMXLauncher.exe [1444] 0x10000000
    Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\WINDOWS\System32\DLA\DLACTRLW.EXE [1500] 0x00940000
    Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe [1912] 0x00FB0000
    Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe [1944] 0x02410000
    Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\Program Files\iTunes\iTunesHelper.exe [1984] 0x00D50000
    Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe [2044] 0x00AA0000
    Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe [2344] 0x009E0000
    Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\Program Files\CapsUnlock\CapsUnlock.exe [2448] 0x00880000
    Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\Program Files\FlashTray Pro\FlashTray.exe [2604] 0x10000000
    Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jucheck.exe [2868] 0x00A70000
    Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\WINDOWS\system32\wscntfy.exe [3256] 0x10000000

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

    ---- EOF - GMER 1.0.15 ----
    IndiGenus
    post Nov 19 2009, 04:25 PM
    Post #48


    True Member
    ****

    Group: Experts
    Posts: 361
    Joined: 19-May 09
    From: New England, USA
    Member No.: 13,933



    You're still heavily infected here.

    MBAM was able to get part of it, but not all. This is where combofix does its best work. Would you object to running combofix again? Delete the version you have now if you haven't already done so and download a fresh copy. I'm not exactly sure what happened the first time you ran cf but iastor.sys was definitely infected at the time. Being such a low level driver it can be difficult to remove without having any issues. I don't think it's infected at this point (no guarantees but...) so I think we're in better shape to make a run at it with combofix. Worst case? We now know how to get it running again. But I don't think that's going to happen this time.

    Let me know.


    --------------------
    IndiGenus

    The help you receive here is free, but if you would like to help continue the fight against Malware then

    "To find perfect composure in the midst of change is to find ourselves in nirvana."

    Suzuki Roshi



    ent
    post Nov 19 2009, 05:18 PM
    Post #49


    New Member
    *

    Group: Members
    Posts: 35
    Joined: 8-November 09
    Member No.: 24,416



    I've had an interesting development. Let me know what you think.

    I've been trying lots of things and running some scans. I had been avoiding rebooting because this is when malware seems to reinstall itself. I realized that the malware had done a good job of deactivating all of my virus protection. I was able to turn Symantec back on and it immediately detected and stopped a real-time intrusion from something, I think it was a Virtumonde trojan. I did a scan with Spybot and I think it found nothing, so I decided I would risk rebooting.

    I've never seen this before, but when it started up, Spybot started running before the desktop displayed. On a blank background, it ran a full scan. I don't recall seeing any results, but when it finished booting, I found that I could enable all of my malware protection (Symantec, Spybot, Malwarebytes, Windows Defender). I updated all of them to their latest versions. My Windows security seems to be up to date, as well.

    I can now run a full scan with all four products and none of them turn up anything. Also, all of the telltale signs of being hijacked seem to be gone (odd blinking of the task manager display, a window that blinks open and closed on boot, an error message about failure to load a driver on boot, etc.). They're gone and the system seems to be operating OK.

    So I am a little hesitant to re-run combofix. Would it make sense to go back to square one and generate a HijackThis log? Or re-run some of these other less intrusive diagnostics, maybe the live CD?
    IndiGenus
    post Nov 19 2009, 05:20 PM
    Post #50


    True Member
    ****

    Group: Experts
    Posts: 361
    Joined: 19-May 09
    From: New England, USA
    Member No.: 13,933



    Okay great. Let's get another scan with DDS and post the logs.





    ent
    post Nov 20 2009, 01:15 AM
    Post #51


    New Member
    *

    Group: Members
    Posts: 35
    Joined: 8-November 09
    Member No.: 24,416



    Here you go.


    DDS (Ver_09-10-26.01) - NTFSx86
    Run by Bill Entwistle at 19:09:19.84 on Thu 11/19/2009
    Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.254 [GMT -6:00]

    AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
    C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\PROGRA~1\RCrawler\RCrawler.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\PROGRA~1\SYMANT~1\vptray.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
    C:\Program Files\CapsUnlock\CapsUnlock.exe
    C:\Program Files\FlashTray Pro\FlashTray.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Putty\Putty.exe
    C:\WINDOWS\system32\mstsc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Bill Entwistle\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = about:blank
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    mDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = 127.0.0.1
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
    BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: {826e7566-fc8a-4294-a7f9-3025321aa7d8} - beyofaji.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
    BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
    BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
    mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
    mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [Corel Photo Downloader] c:\program files\corel\corel snapfire plus\Corel Photo Downloader.exe
    mRun: [Motive SmartBridge] c:\progra~1\sbclig~1\smartb~1\MotiveSB.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [Registry Crawler] c:\progra~1\rcrawler\RCrawler.exe -TRAYONLY
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
    mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
    mRun: [vptray] c:\progra~1\symant~1\\vptray.exe
    StartupFolder: c:\docume~1\billen~1\startm~1\programs\startup\alarm.lnk - c:\program files\alarm\Alarm.exe
    StartupFolder: c:\docume~1\billen~1\startm~1\programs\startup\capsun~1.lnk - c:\program files\capsunlock\CapsUnlock.exe
    StartupFolder: c:\docume~1\billen~1\startm~1\programs\startup\flasht~1.lnk - c:\program files\flashtray pro\FlashTray.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\microt~1.lnk - c:\program files\microtek\scanwizard 5\ScannerFinder.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    Trusted Zone: internet
    Trusted Zone: netflix.com\www
    Trusted Zone: pandora.com
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177138576847
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177467272937
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6}
    Notify: igfxcui - igfxdev.dll
    Notify: NavLogon - c:\windows\system32\NavLogon.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SSODL: pirovebob - {04d7d960-4f27-46d5-93ed-16ca2147be51} - c:\windows\system32\dorugeba.dll
    SSODL: toyufibod - {57bc0a5c-54d7-4a9a-9c1d-a46094d906a6} - c:\windows\system32\jibikupa.dll
    STS: gahurihor: {04d7d960-4f27-46d5-93ed-16ca2147be51} - c:\windows\system32\dorugeba.dll
    STS: jugezatag: {57bc0a5c-54d7-4a9a-9c1d-a46094d906a6} - c:\windows\system32\jibikupa.dll
    SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\eudora\EuShlExt.dll
    SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
    LSA: Notification Packages = scecli diwunawo.dll
    mASetup: {621FCD24-4498-4324-A81E-07D331376EDF} - c:\program files\pixiepack codec pack\InstallerHelper.exe

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\billen~1\applic~1\mozilla\firefox\profiles\6xnqpoll.default\
    FF - prefs.js: browser.startup.homepage - about:blank
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

    ============= SERVICES / DRIVERS ===============

    R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-7-30 161064]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-4 102448]
    S2 0258161238559076mcinstcleanup;0258161238559076mcinstcleanup; [x]
    S2 0327391238561196mcinstcleanup;0327391238561196mcinstcleanup; [x]
    S3 LW;LW;c:\docume~1\billen~1\locals~1\temp\lw.exe --> c:\docume~1\billen~1\locals~1\temp\LW.exe [?]
    S3 notecable;NoteCable Driver (WDM);c:\windows\system32\drivers\notcable.sys --> c:\windows\system32\drivers\notcable.sys [?]
    S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]

    =============== Created Last 30 ================

    2009-11-15 05:38:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-11-15 05:38:40 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-11-14 23:10:57 304920 ------w- c:\windows\system32\drivers\iastor.sys
    2009-11-08 23:54:32 98816 ----a-w- c:\windows\sed.exe
    2009-11-08 23:54:32 77312 ----a-w- c:\windows\MBR.exe
    2009-11-08 23:54:32 267264 ----a-w- c:\windows\PEV.exe
    2009-11-08 23:54:32 161792 ----a-w- c:\windows\SWREG.exe
    2009-11-08 23:54:08 0 d-s---w- C:\ComboFix
    2009-11-08 14:48:18 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

    ==================== Find3M ====================

    2009-11-03 02:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
    2009-10-19 23:53:44 3070976 ------w- c:\windows\system32\dllcache\mshtml.dll
    2009-09-25 05:37:11 667136 ----a-w- c:\windows\system32\wininet.dll
    2009-09-25 05:37:11 667136 ------w- c:\windows\system32\dllcache\wininet.dll
    2009-09-25 05:37:11 627712 ------w- c:\windows\system32\dllcache\urlmon.dll
    2009-09-25 05:37:10 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
    2009-09-25 05:37:09 81920 ----a-w- c:\windows\system32\ieencode.dll
    2009-09-25 05:37:09 81920 ------w- c:\windows\system32\dllcache\ieencode.dll
    2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
    2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
    2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
    2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
    2009-08-26 08:00:21 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
    2008-11-28 08:08:22 88 --sh--r- c:\windows\system32\3EEC6A8C6D.sys
    2008-11-27 07:59:36 88 --sh--r- c:\windows\system32\736179D2E2.sys
    2008-11-28 08:08:24 5174 --sh--w- c:\windows\system32\KGyGaAvL.sys

    ============= FINISH: 19:10:12.15 ===============
    IndiGenus
    post Nov 20 2009, 01:27 AM
    Post #52


    True Member
    ****

    Group: Experts
    Posts: 361
    Joined: 19-May 09
    From: New England, USA
    Member No.: 13,933



    Vundo is still present. Doesn't look like it's hooking Winlogon anymore though. What do you get after running MBAM? Still finding anything?

    I would really like to try combofix again here. I don't believe that your iastor.sys is infected so there should not be an issue with that. I've used and seen combofix used thousands of times with an extremely small percentage of issues like you had. But I'll understand if you don't want to run it.

    We may be able to take care of the rest of this manually. DDS does not provide any options for fixing things, so we'd need to run another tool that will. If you want to go that way then download and run the following tool, then post the logs.

    OTL - Download

    Download OTL to your Desktop
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Under the Custom Scan box paste this in

      netsvcs
      %SYSTEMDRIVE%\*.exe
      %SYSTEMDRIVE%\eventlog.dll /s /md5
      %SYSTEMDRIVE%\scecli.dll /s /md5
      %SYSTEMDRIVE%\netlogon.dll /s /md5
      %SYSTEMDRIVE%\cngaudit.dll /s /md5
      %SYSTEMDRIVE%\sceclt.dll /s /md5
      %SYSTEMDRIVE%\ntelogon.dll /s /md5
      %SYSTEMDRIVE%\logevent.dll /s /md5
      %SYSTEMDRIVE%\iaStor.sys /s /md5
      %SYSTEMDRIVE%\nvstor.sys /s /md5
      %SYSTEMDRIVE%\atapi.sys /s /md5
      %SYSTEMDRIVE%\IdeChnDr.sys /s /md5
      %SYSTEMDRIVE%\viasraid.sys /s /md5
      %SYSTEMDRIVE%\AGP440.sys /s /md5
      %SYSTEMDRIVE%\vaxscsi.sys /s /md5
      %SYSTEMDRIVE%\nvatabus.sys /s /md5
      CREATERESTOREPOINT

    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them if you need to start a new topic.





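IndiGenus reads "Vundo is still present" off the DDS log above. The lines that give it away are the persistence points DDS only prints when they are non-default: a BHO with no display name and a bare `beyofaji.dll`, two SSODL/STS (ShellServiceObjectDelayLoad / SharedTaskScheduler) entries pointing at random-named DLLs in system32, `LSA: Notification Packages = scecli diwunawo.dll` (anything beyond `scecli` is loaded into lsass.exe), `LoadAppInit_DLLs 1` in the GMER registry section, and GMER's `*** hidden ***` copies of `jibikupa.dll` inside every running process. The script below is an added example, not code from the thread, from DDS, GMER or Malwarebytes; it runs those checks over a constructed sample made of lines copied from the logs posted here plus one benign BHO line, and cross-references the findings so a DLL that shows up in more than one place stands out. The allow-lists (`scecli` as the only stock LSA package, `WPDShServiceObj` as the only stock SSODL entry on XP) are assumptions for this example, not a complete clean baseline.

```python
import re
from typing import Dict, List

# Assumed clean baselines for XP (example assumptions, not a full reference set).
KNOWN_LSA_PACKAGES = {"scecli"}          # only LSA notification package XP ships with
KNOWN_SSODL = {"wpdshserviceobj"}        # only stock ShellServiceObjectDelayLoad entry

# Constructed sample: lines copied from the DDS and GMER logs in this thread, plus a benign BHO.
SAMPLE_LOG = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {826e7566-fc8a-4294-a7f9-3025321aa7d8} - beyofaji.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: pirovebob - {04d7d960-4f27-46d5-93ed-16ca2147be51} - c:\windows\system32\dorugeba.dll
STS: jugezatag: {57bc0a5c-54d7-4a9a-9c1d-a46094d906a6} - c:\windows\system32\jibikupa.dll
LSA: Notification Packages = scecli diwunawo.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [848] 0x00AF0000
"""

GUID = r"\{[0-9a-fA-F-]{36}\}"
PATTERNS = {
    # "BHO: {guid} - file" with no display name in front of the GUID
    "bho_nameless": re.compile(r"^BHO:\s*" + GUID + r"\s*-\s*(?P<target>.+?)\s*$"),
    "ssodl": re.compile(r"^SSODL:\s*(?P<name>\S+)\s*-\s*" + GUID + r"\s*-\s*(?P<target>.+?)\s*$"),
    "sts": re.compile(r"^STS:\s*(?P<name>[^:]+):\s*" + GUID + r"\s*-\s*(?P<target>.+?)\s*$"),
    "lsa": re.compile(r"^LSA:\s*Notification Packages\s*=\s*(?P<pkgs>.+?)\s*$"),
    "appinit": re.compile(r"Windows@LoadAppInit_DLLs\s+(?P<value>\d+)\s*$"),
    # GMER: "Library <dll> (*** hidden *** ) @ <host process> [<pid>] <base>"
    "hidden_lib": re.compile(r"^Library\s+(?P<target>\S+)\s+\(\*\*\* hidden \*\*\* \)\s+@\s+(?P<host>.+?)\s+\[(?P<pid>\d+)\]"),
}


def _stem(name: str) -> str:
    """Lower-case basename without a trailing .dll, for allow-list comparison."""
    base = name.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return base[:-4] if base.endswith(".dll") else base


def analyze(log_text: str) -> List[Dict[str, str]]:
    """Scan DDS/GMER-style lines and return the persistence entries worth a human look."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := PATTERNS["bho_nameless"].match(line):
            why = "BHO with no display name"
            if "\\" not in m["target"]:
                why += " and a bare filename instead of a full path"
            findings.append({"kind": "BHO", "target": m["target"], "why": why})
        elif (m := PATTERNS["ssodl"].match(line)) and m["name"].lower() not in KNOWN_SSODL:
            findings.append({"kind": "SSODL", "target": m["target"],
                             "why": f"unknown SSODL entry '{m['name']}' loaded by Explorer at logon"})
        elif m := PATTERNS["sts"].match(line):
            findings.append({"kind": "STS", "target": m["target"],
                             "why": f"SharedTaskScheduler entry '{m['name']}' (DDS hides the defaults, so any listed one is non-standard)"})
        elif m := PATTERNS["lsa"].match(line):
            for pkg in m["pkgs"].split():
                if _stem(pkg) not in KNOWN_LSA_PACKAGES:
                    findings.append({"kind": "LSA", "target": pkg,
                                     "why": "extra LSA notification package: loaded into lsass.exe and sees every password change"})
        elif (m := PATTERNS["appinit"].search(line)) and m["value"] != "0":
            findings.append({"kind": "AppInit", "target": "LoadAppInit_DLLs=" + m["value"],
                             "why": "AppInit_DLLs loading is enabled; check the AppInit_DLLs value for unexpected DLLs"})
        elif m := PATTERNS["hidden_lib"].match(line):
            findings.append({"kind": "HiddenModule", "target": m["target"],
                             "why": f"module hidden from the loader list inside {m['host']} (pid {m['pid']})"})
    return findings


def cross_referenced(findings: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group findings by DLL basename; a DLL seen in several places (e.g. an STS entry
    and a hidden in-process module) is the one to deal with first."""
    by_dll: Dict[str, List[str]] = {}
    for f in findings:
        base = f["target"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base.endswith(".dll"):
            by_dll.setdefault(base, []).append(f["kind"])
    return {dll: kinds for dll, kinds in by_dll.items() if len(kinds) > 1}


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found:
        print(f"[{f['kind']:>12}] {f['target']}: {f['why']}")
    print("seen in more than one place:", cross_referenced(found))
```

The interesting output is the cross-reference: `jibikupa.dll` is both a SharedTaskScheduler entry and a module GMER found hidden inside Explorer and every other process, which is exactly why deleting files one at a time did not stick for the original poster; the DLL is re-created from inside the processes that host it. A real baseline would need the full set of stock entries for the OS build, which this example does not carry.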
    ent
    post Nov 20 2009, 02:28 AM
    Post #53


    New Member
    *

    Group: Members
    Posts: 35
    Joined: 8-November 09
    Member No.: 24,416



    Malwarebytes turns up no infections on a full scan.

    I ran combofix and it did a long scan, then started to reboot and put up the following dialog box:

    -----

    Unable to create a backup of the current registry file
    C:\WINDOWS\system32\config\SOFTWARE

    Continue restoration of the file?

    | Yes | | No |

    -----

    Should I confirm?
    ent
    post Nov 20 2009, 04:19 AM
    Post #54


    New Member
    *

    Group: Members
    Posts: 35
    Joined: 8-November 09
    Member No.: 24,416



    Just a wild guess. Could this be because it's trying to overwrite a read-only backup from the previous time I ran combofix?
    IndiGenus
    post Nov 20 2009, 06:29 AM
    Post #55


    True Member
    ****

    Group: Experts
    Posts: 361
    Joined: 19-May 09
    From: New England, USA
    Member No.: 13,933



    QUOTE (ent @ Nov 19 2009, 11:19 PM)
    Just a wild guess. Could this be because it's trying to overwrite a read-only backup from the previous time I ran combofix?

    That's what I was thinking... I've never seen that one before but I'll look into it. Did you continue? I would just advise continuing with Yes. Hopefully you will get a log and we can move forward.





    ent
    post Nov 20 2009, 06:43 AM
    Post #56


    New Member
    *

    Group: Members
    Posts: 35
    Joined: 8-November 09
    Member No.: 24,416



    I clicked Yes and got the following dialog box:

    -----

    Error restoring
    C:\WINDOWS\erdnt\subs\SOFTWARE

    Continue with the next file?

    [ RegReplacekey: 1450 - Insufficient system resources
    to complete the requested service. ]

    | Yes | | No |

    -----

    Keep going?
    ent
    post Nov 20 2009, 07:28 AM
    Post #57


    New Member
    *

    Group: Members
    Posts: 35
    Joined: 8-November 09
    Member No.: 24,416



    I clicked "Yes" and it finished booting. During the boot-up process, it displayed a brief message about checking drive J:, said it was "dirty", and displayed a chkdsk-like message before proceeding, fwiw.

    Here's the log:

    ComboFix 09-11-19.05 - Bill Entwistle 11/19/2009 20:13.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.376 [GMT -6:00]
    Running from: c:\documents and settings\Bill Entwistle\Desktop\ComboFix.exe
    AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\Common

    Infected copy of c:\windows\system32\drivers\iaStor.sys was found and disinfected
    Restored copy from - Kitty ate it tongue.gif
    .
    ((((((((((((((((((((((((( Files Created from 2009-10-20 to 2009-11-20 )))))))))))))))))))))))))))))))
    .

    2009-11-15 07:07 . 2009-11-15 07:07 -------- d-----w- c:\program files\Windows Defender
    2009-11-15 05:38 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-11-15 05:38 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-11-14 23:10 . 2009-11-14 23:10 304920 ------w- c:\windows\system32\drivers\iastor.sys
    2009-11-08 14:48 . 2009-11-15 05:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-11-07 16:03 . 2009-11-15 14:42 79488 ----a-w- c:\documents and settings\Bill Entwistle\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-11-20 07:09 . 2009-04-04 17:50 -------- d-----w- c:\program files\Symantec AntiVirus
    2009-11-20 00:53 . 2007-04-27 06:01 -------- d-----w- c:\program files\Firefox
    2009-11-19 07:10 . 2009-01-11 08:54 -------- d-----w- c:\program files\Thunderbird
    2009-11-17 02:33 . 2007-04-26 04:52 -------- d-----w- c:\program files\TextPad 4
    2009-11-17 02:02 . 2007-04-27 01:17 -------- d-----w- c:\program files\LView
    2009-11-15 05:15 . 2009-04-01 04:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2009-11-12 23:55 . 2007-05-11 03:22 -------- d-----w- c:\program files\Common Files\Motive
    2009-11-03 02:42 . 2009-10-02 22:36 195456 ------w- c:\windows\system32\MpSigStub.exe
    2009-10-31 17:41 . 2009-05-12 14:19 1324 ------w- c:\windows\system32\d3d9caps.dat
    2009-09-25 05:37 . 2004-08-11 21:00 667136 ----a-w- c:\windows\system32\wininet.dll
    2009-09-25 05:37 . 2004-08-11 21:00 81920 ----a-w- c:\windows\system32\ieencode.dll
    2009-09-11 14:18 . 2004-08-11 21:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-09-04 21:03 . 2004-08-11 21:00 58880 ----a-w- c:\windows\system32\msasn1.dll
    2009-08-26 08:00 . 2004-08-11 21:00 247326 ----a-w- c:\windows\system32\strmdll.dll
    2008-11-28 08:08 . 2007-05-07 06:28 88 --sh--r- c:\windows\system32\3EEC6A8C6D.sys
    2008-11-27 07:59 . 2007-04-24 04:52 88 --sh--r- c:\windows\system32\736179D2E2.sys
    2008-11-28 08:08 . 2007-04-24 04:52 5174 --sh--w- c:\windows\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 68856]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
    "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "Corel Photo Downloader"="c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe" [2006-08-14 462336]
    "Motive SmartBridge"="c:\progra~1\SBCLIG~1\SMARTB~1\MotiveSB.exe" [2003-12-10 380928]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-26 267064]
    "MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-07-30 177448]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
    "Registry Crawler"="c:\progra~1\RCrawler\RCrawler.exe" [2004-02-03 454656]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
    "vptray"="c:\progra~1\SYMANT~1\\vptray.exe" [2006-09-28 125168]
    "SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-07-24 282624]

    c:\documents and settings\Bill Entwistle\Start Menu\Programs\Startup\
    Alarm.lnk - c:\program files\Alarm\Alarm.exe [2007-6-28 167936]
    CapsUnlock.lnk - c:\program files\CapsUnlock\CapsUnlock.exe [2007-4-24 13312]
    FlashTray.lnk - c:\program files\FlashTray Pro\FlashTray.exe [2007-5-7 555520]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
    Microtek Scanner Finder.lnk - c:\program files\Microtek\ScanWizard 5\ScannerFinder.exe [2008-1-14 344064]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Eudora\EuShlExt.dll" [2006-08-17 86016]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "g:\\WS FTP\\WS_FTP95.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\TeraTerm\\ttermpro.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
    "c:\\Program Files\\Seagate\\SeagateManager\\FreeAgent Status\\stxmenumgr.exe"=
    "c:\\Program Files\\Dell Support\\DSAgnt.exe"=

    R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [7/30/2008 2:23 PM 161064]
    R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/4/2009 7:03 PM 102448]
    S2 0258161238559076mcinstcleanup;0258161238559076mcinstcleanup; [x]
    S2 0327391238561196mcinstcleanup;0327391238561196mcinstcleanup; [x]
    S3 LW;LW;c:\docume~1\BILLEN~1\LOCALS~1\Temp\LW.exe --> c:\docume~1\BILLEN~1\LOCALS~1\Temp\LW.exe [?]
    S3 notecable;NoteCable Driver (WDM);c:\windows\system32\drivers\notcable.sys --> c:\windows\system32\drivers\notcable.sys [?]
    S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 7:33 PM 116464]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]
    c:\program files\PixiePack Codec Pack\InstallerHelper.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2009-11-20 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]

    2009-11-20 c:\windows\Tasks\WGASetup.job
    - c:\windows\system32\KB905474\wgasetup.exe [2009-04-30 03:18]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = 127.0.0.1
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    Trusted Zone: internet
    Trusted Zone: netflix.com\www
    Trusted Zone: pandora.com
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\Bill Entwistle\Application Data\Mozilla\Firefox\Profiles\6xnqpoll.default\
    FF - prefs.js: browser.startup.homepage - about:blank
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{826e7566-fc8a-4294-a7f9-3025321aa7d8} - beyofaji.dll
    SharedTaskScheduler-{04d7d960-4f27-46d5-93ed-16ca2147be51} - c:\windows\system32\dorugeba.dll
    SharedTaskScheduler-{57bc0a5c-54d7-4a9a-9c1d-a46094d906a6} - c:\windows\system32\jibikupa.dll
    SSODL-pirovebob-{04d7d960-4f27-46d5-93ed-16ca2147be51} - c:\windows\system32\dorugeba.dll
    SSODL-toyufibod-{57bc0a5c-54d7-4a9a-9c1d-a46094d906a6} - c:\windows\system32\jibikupa.dll



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-11-20 01:16
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(1208)
    c:\progra~1\SBCLIG~1\SMARTB~1\SBHook.dll
    c:\progra~1\WINDOW~2\wmpband.dll
    c:\program files\FlashTray Pro\BSFTHOOK.DLL
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
    c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Symantec AntiVirus\DefWatch.exe
    c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Symantec AntiVirus\Rtvscan.exe
    c:\progra~1\SYMANT~1\vptray.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2009-11-20 01:23 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-11-20 07:23
    ComboFix2.txt 2008-11-30 16:59

    Pre-Run: 45,873,872,896 bytes free
    Post-Run: 45,545,304,064 bytes free

    - - End Of File - - 3ED94EFF952BA2D6659CEF95D37E63EF
    IndiGenus
    post Nov 20 2009, 04:14 PM
    Post #58


    True Member
    ****

    Group: Experts
    Posts: 361
    Joined: 19-May 09
    From: New England, USA
    Member No.: 13,933



    Well, it looks like iastor.sys had been re-infected.

    Some of the errors may have been due to the fact that Symantec was still running during CF.

    QUOTE
    AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}


    How is it running?

    I would like to see an OTL scan done. Can you run that as instructed earlier, with the switches?


    --------------------
    IndiGenus

    The help you receive here is free, but if you would like to help continue the fight against Malware then

    "To find perfect composure in the midst of change is to find ourselves in nirvana."

    Suzuki Roshi



    ent
    post Nov 21 2009, 11:56 PM
    Post #59


    New Member
    *

    Group: Members
    Posts: 35
    Joined: 8-November 09
    Member No.: 24,416



    It seems to be running fine. Nothing showing up on full scans.

    Here are the two logs:

    --------------------------------------------

    OTL logfile created on: 11/21/2009 5:35:16 PM - Run 1
    OTL by OldTimer - Version 3.1.6.2 Folder = C:\Documents and Settings\Bill Entwistle\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 6.0.2900.5512)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1013.84 Mb Total Physical Memory | 110.82 Mb Available Physical Memory | 10.93% Memory free
    2.38 Gb Paging File | 1.57 Gb Available in Paging File | 65.90% Paging File free
    Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 68.36 Gb Total Space | 42.44 Gb Free Space | 62.08% Space Free | Partition Type: NTFS
    D: Drive not present or media not loaded
    E: Drive not present or media not loaded
    Drive F: | 68.36 Gb Total Space | 37.28 Gb Free Space | 54.53% Space Free | Partition Type: NTFS
    Drive G: | 2.93 Gb Total Space | 1.13 Gb Free Space | 38.52% Space Free | Partition Type: NTFS
    Drive H: | 6.31 Gb Total Space | 5.17 Gb Free Space | 81.96% Space Free | Partition Type: NTFS
    I: Drive not present or media not loaded

    Computer Name: TUCKER
    Current User Name: Bill Entwistle
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 14 Days
    Output = Standard
    Quick Scan

    ========== Processes (SafeList) ==========

    PRC - [2009/11/21 17:34:15 | 00,529,408 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Bill Entwistle\Desktop\OTL.exe
    PRC - [2009/09/10 14:53:56 | 01,312,080 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    PRC - [2009/08/20 21:13:33 | 08,318,056 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Thunderbird\thunderbird.exe
    PRC - [2009/03/05 16:07:20 | 02,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    PRC - [2009/01/26 14:31:12 | 05,365,592 | ---- | M] (Safer Networking Limited) -- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    PRC - [2008/11/10 05:43:42 | 00,136,600 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
    PRC - [2008/11/10 05:43:40 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
    PRC - [2008/07/30 14:23:26 | 00,161,064 | ---- | M] (Seagate Technology LLC) -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    PRC - [2008/07/30 14:23:02 | 00,177,448 | ---- | M] (Seagate LLC) -- C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
    PRC - [2008/04/13 18:12:37 | 00,135,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\taskmgr.exe
    PRC - [2008/04/13 18:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
    PRC - [2008/04/13 18:12:23 | 00,677,888 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mstsc.exe
    PRC - [2008/04/13 18:12:22 | 00,093,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
    PRC - [2008/04/13 18:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2008/04/13 18:12:14 | 00,389,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cmd.exe
    PRC - [2007/11/08 09:20:22 | 00,344,064 | ---- | M] () -- C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
    PRC - [2007/09/26 13:42:04 | 00,267,064 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
    PRC - [2007/09/26 13:41:56 | 00,503,608 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
    PRC - [2007/09/06 12:28:18 | 00,110,592 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    PRC - [2007/06/13 06:17:45 | 00,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    PRC - [2007/04/24 23:12:13 | 00,013,312 | ---- | M] (BrainSystems) -- C:\Program Files\CapsUnlock\CapsUnlock.exe
    PRC - [2006/11/03 19:20:12 | 00,866,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
    PRC - [2006/11/03 19:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
    PRC - [2006/09/27 19:33:44 | 00,125,168 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
    PRC - [2006/09/27 19:33:42 | 00,280,304 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPC32.exe
    PRC - [2006/09/27 19:33:32 | 01,813,232 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    PRC - [2006/09/27 19:33:22 | 00,031,472 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
    PRC - [2006/08/28 19:57:12 | 00,395,776 | ---- | M] (Gteko Ltd.) -- C:\Program Files\Dell Support\DSAgnt.exe
    PRC - [2006/08/14 12:20:26 | 00,462,336 | ---- | M] (Corel, Inc.) -- C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
    PRC - [2006/07/24 08:20:00 | 00,282,624 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
    PRC - [2006/07/21 14:50:10 | 00,086,016 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
    PRC - [2006/07/21 14:47:00 | 00,081,920 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe
    PRC - [2006/07/19 18:26:12 | 00,169,632 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    PRC - [2006/07/19 18:26:06 | 00,192,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    PRC - [2006/07/19 18:26:04 | 00,052,896 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    PRC - [2006/07/06 05:15:00 | 00,151,552 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    PRC - [2006/07/06 05:14:30 | 00,090,112 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
    PRC - [2006/05/29 15:37:53 | 00,421,888 | ---- | M] () -- C:\Program Files\Putty\Putty.exe
    PRC - [2006/04/11 16:13:38 | 01,160,848 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    PRC - [2005/10/05 01:12:00 | 00,094,208 | ---- | M] () -- C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    PRC - [2005/09/08 03:20:00 | 00,122,940 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLACTRLW.EXE
    PRC - [2004/08/03 21:11:46 | 00,555,520 | ---- | M] (BlackSun Software) -- C:\Program Files\FlashTray Pro\FlashTray.exe
    PRC - [2004/07/27 14:50:18 | 00,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    PRC - [2004/02/03 08:06:00 | 00,454,656 | ---- | M] (4Developers LLC) -- C:\Program Files\RCrawler\rcrawler.exe
    PRC - [2003/12/10 03:52:40 | 00,380,928 | ---- | M] (Motive Communications, Inc.) -- C:\Program Files\SBC LightSpeed Self Support Tool\SmartBridge\MotiveSB.exe


    ========== Modules (SafeList) ==========

    MOD - [2009/11/21 17:34:15 | 00,529,408 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Bill Entwistle\Desktop\OTL.exe
    MOD - [2008/04/13 18:12:51 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
    MOD - [2008/04/13 18:11:53 | 00,185,344 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\framedyn.dll
    MOD - [2007/04/24 23:12:13 | 00,003,072 | ---- | M] () -- C:\Program Files\CapsUnlock\CapsUnlock.dll
    MOD - [2004/04/16 09:04:58 | 00,126,976 | ---- | M] (Motive Communications, Inc.) -- C:\Program Files\SBC LightSpeed Self Support Tool\SmartBridge\SBHook.dll
    MOD - [2002/11/09 19:28:16 | 00,041,984 | ---- | M] () -- C:\Program Files\FlashTray Pro\BSFThook.dll


    ========== Win32 Services (SafeList) ==========

    SRV - File not found -- -- (McNASvc)
    SRV - File not found -- -- (mcmscsvc)
    SRV - File not found -- -- (LW)
    SRV - File not found -- -- (0327391238561196mcinstcleanup)
    SRV - File not found -- -- (0258161238559076mcinstcleanup)
    SRV - [2009/04/22 18:52:55 | 00,182,768 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
    SRV - [2008/11/10 05:43:40 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
    SRV - [2008/07/30 14:23:26 | 00,161,064 | ---- | M] (Seagate Technology LLC) -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe -- (FreeAgentGoNext Service)
    SRV - [2008/07/29 20:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0)
    SRV - [2008/07/29 18:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc)
    SRV - [2008/07/29 18:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing)
    SRV - [2008/07/25 10:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
    SRV - [2008/07/25 10:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state)
    SRV - [2008/04/13 18:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll -- (helpsvc)
    SRV - [2007/09/26 13:41:56 | 00,503,608 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
    SRV - [2007/09/06 12:28:18 | 00,110,592 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
    SRV - [2006/11/03 19:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
    SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc)
    SRV - [2006/09/27 19:33:38 | 00,116,464 | ---- | M] (symantec) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
    SRV - [2006/09/27 19:33:32 | 01,813,232 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
    SRV - [2006/09/27 19:33:22 | 00,031,472 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
    SRV - [2006/08/25 12:00:38 | 02,528,960 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_1.EXE -- (LiveUpdate)
    SRV - [2006/08/07 15:03:02 | 00,214,720 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
    SRV - [2006/07/19 18:26:12 | 00,169,632 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
    SRV - [2006/07/19 18:26:06 | 00,192,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
    SRV - [2006/07/06 05:14:30 | 00,090,112 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®
    SRV - [2006/04/11 16:13:38 | 01,160,848 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070418
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070418

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1

    ========== FireFox ==========

    FF - prefs.js..browser.startup.homepage: "about:blank"
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}:6.0.10
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}:6.0.11
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
    FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
    FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.5

    FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2008/11/09 22:23:16 | 00,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/02 02:01:01 | 00,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Firefox\components [2009/11/14 23:36:40 | 00,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Firefox\plugins [2009/11/14 23:36:34 | 00,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Components: C:\Program Files\Thunderbird\components [2009/08/20 21:13:36 | 00,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Plugins: C:\Program Files\Thunderbird\plugins

    [2009/11/14 23:34:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Mozilla\Extensions
    [2009/11/14 23:34:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
    [2009/11/15 01:17:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Mozilla\Firefox\Profiles\6xnqpoll.default\extensions
    [2009/09/09 21:27:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Mozilla\Firefox\Profiles\6xnqpoll.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

    O1 HOSTS File: (27 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL (Sonic Solutions)
    O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)
    O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll (Google Inc.)
    O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (Dell Inc.)
    O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
    O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
    O3 - HKCU\..\Toolbar\ShellBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
    O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
    O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
    O4 - HKLM..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe (Corel, Inc.)
    O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
    O4 - HKLM..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe ()
    O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
    O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
    O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
    O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
    O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
    O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
    O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
    O4 - HKLM..\Run: [MaxMenuMgr] C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe (Seagate LLC)
    O4 - HKLM..\Run: [Motive SmartBridge] C:\Program Files\SBC LightSpeed Self Support Tool\SmartBridge\MotiveSB.exe (Motive Communications, Inc.)
    O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
    O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
    O4 - HKLM..\Run: [Registry Crawler] C:\Program Files\RCrawler\rcrawler.exe (4Developers LLC)
    O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
    O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
    O4 - HKLM..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe ()
    O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
    O4 - HKCU..\Run: [DellSupport] C:\Program Files\Dell Support\DSAgnt.exe (Gteko Ltd.)
    O4 - HKCU..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
    O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
    O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe ()
    O4 - Startup: C:\Documents and Settings\Bill Entwistle\Start Menu\Programs\Startup\Alarm.lnk = C:\Program Files\Alarm\Alarm.exe (Bluefive software)
    O4 - Startup: C:\Documents and Settings\Bill Entwistle\Start Menu\Programs\Startup\CapsUnlock.lnk = C:\Program Files\CapsUnlock\CapsUnlock.exe (BrainSystems)
    O4 - Startup: C:\Documents and Settings\Bill Entwistle\Start Menu\Programs\Startup\FlashTray.lnk = C:\Program Files\FlashTray Pro\FlashTray.exe (BlackSun Software)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
    O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
    O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
    O15 - HKLM\..Trusted Domains: 50 domain(s) and sub-domain(s) not assigned to a zone.
    O15 - HKCU\..Trusted Domains: internet ([]about in Trusted sites)
    O15 - HKCU\..Trusted Domains: netflix.com ([www] http in Trusted sites)
    O15 - HKCU\..Trusted Domains: netflix.com ([www] https in Trusted sites)
    O15 - HKCU\..Trusted Domains: pandora.com ([]* in Trusted sites)
    O15 - HKCU\..Trusted Domains: 55 domain(s) and sub-domain(s) not assigned to a zone.
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1177138576847 (WUWebControl Class)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1177467272937 (MUWebControl Class)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} Reg Error: Value error. (McFreeScan Class)
    O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
    O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
    O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
    O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
    O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
    O18 - Protocol\Handler\ipp - No CLSID value found
    O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
    O18 - Protocol\Handler\msdaipp - No CLSID value found
    O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
    O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
    O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
    O24 - Desktop Components:0 (My Current Home Page) - About:Home
    O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
    O28 - HKLM ShellExecuteHooks: {EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - C:\Program Files\Eudora\EuShlExt.dll (Qualcomm Inc.)
    O31 - SafeBoot: AlternateShell - cmd.exe
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2004/08/11 15:15:00 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2004/02/25 23:03:54 | 00,000,194 | ---- | M] () - G:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck) - File not found
    O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
    O34 - HKLM BootExecute: (*) - File not found
    O35 - comfile [open] -- "%1" %* File not found
    O35 - exefile [open] -- "%1" %* File not found

    NetSvcs: 6to4 - File not found
    NetSvcs: Ias - C:\WINDOWS\system32\ias [2004/08/11 15:02:12 | 00,000,000 | ---D | M]
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found
    NetSvcs: helpsvc - C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll (Microsoft Corporation)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point (16892114965102592)

    ========== Files/Folders - Created Within 14 Days ==========

    [2009/11/21 17:34:15 | 00,529,408 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Bill Entwistle\Desktop\OTL.exe
    [2009/11/15 01:07:15 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Defender
    [2009/11/15 01:03:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Bill Entwistle\My Documents\Downloads
    [2009/11/14 23:38:43 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2009/11/14 23:38:40 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2009/11/14 17:10:57 | 00,304,920 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\drivers\iastor.sys
    [2009/11/08 17:54:32 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2009/11/08 17:54:32 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2009/11/08 17:54:32 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2009/11/08 17:54:32 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2009/11/08 17:53:26 | 00,000,000 | ---D | C] -- C:\Qoobox
    [2009/11/08 08:49:35 | 03,550,592 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Documents and Settings\Bill Entwistle\Desktop\winlogin.exe
    [2009/11/08 08:48:18 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [6 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

    ========== Files - Modified Within 14 Days ==========

    [2009/11/21 17:34:15 | 00,529,408 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Bill Entwistle\Desktop\OTL.exe
    [2009/11/21 02:06:00 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
    [2009/11/21 01:00:31 | 00,000,655 | ---- | M] () -- C:\Documents and Settings\Bill Entwistle\Desktop\Windows Defender.lnk
    [2009/11/21 00:57:36 | 00,000,246 | ---- | M] () -- C:\Documents and Settings\Bill Entwistle\Desktop\Security Center.lnk
    [2009/11/21 00:50:09 | 00,000,933 | ---- | M] () -- C:\Documents and Settings\Bill Entwistle\Desktop\Spybot.lnk
    [2009/11/21 00:47:59 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2009/11/21 00:47:43 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
    [2009/11/21 00:47:33 | 00,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
    [2009/11/21 00:47:24 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
    [2009/11/21 00:47:20 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2009/11/21 00:47:18 | 10,631,65952 | -HS- | M] () -- C:\hiberfil.sys
    [2009/11/21 00:46:23 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\Bill Entwistle\ntuser.ini
    [2009/11/21 00:46:22 | 08,650,752 | ---- | M] () -- C:\Documents and Settings\Bill Entwistle\ntuser.dat
    [2009/11/20 01:25:32 | 00,001,491 | ---- | M] () -- C:\Documents and Settings\Bill Entwistle\Desktop\C Drive.lnk
    [2009/11/20 01:12:01 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
    [2009/11/20 01:11:07 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2009/11/19 20:11:07 | 00,000,600 | ---- | M] () -- C:\Documents and Settings\Bill Entwistle\PUTTY.RND
    [2009/11/19 20:10:53 | 00,001,784 | -H-- | M] () -- C:\Documents and Settings\Bill Entwistle\My Documents\Default.rdp
    [2009/11/19 19:42:38 | 03,568,341 | R--- | M] () -- C:\Documents and Settings\Bill Entwistle\Desktop\ComboFix.exe
    [2009/11/17 16:48:39 | 00,003,782 | ---- | M] () -- C:\WINDOWS\SDTAR861.BMP
    [2009/11/17 16:48:39 | 00,003,782 | ---- | M] () -- C:\WINDOWS\SDTAR860.BMP
    [2009/11/17 16:48:39 | 00,002,678 | ---- | M] () -- C:\WINDOWS\SDTAR863.BMP
    [2009/11/17 16:48:39 | 00,001,334 | ---- | M] () -- C:\WINDOWS\SDTAR862.BMP
    [2009/11/16 20:03:22 | 00,008,500 | ---- | M] () -- C:\WINDOWS\lviewpro.ini
    [2009/11/15 12:10:21 | 00,000,259 | ---- | M] () -- C:\WINDOWS\wininit.ini
    [2009/11/15 03:05:36 | 00,000,118 | ---- | M] () -- C:\Documents and Settings\Bill Entwistle\Desktop\Infected; MBAM Being Deleted - Malwarebytes Forum.URL
    [2009/11/15 02:27:37 | 00,139,648 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2009/11/14 23:42:10 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes.lnk
    [2009/11/14 23:36:45 | 00,001,528 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Firefox.lnk
    [2009/11/14 17:10:57 | 00,304,920 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\drivers\iastor.sys
    [2009/11/14 01:47:57 | 00,260,608 | ---- | M] () -- C:\WINDOWS\PEV.exe
    [2009/11/08 11:39:39 | 00,000,182 | ---- | M] () -- C:\Documents and Settings\Bill Entwistle\Desktop\November 8th, 2009 1138 am #10.URL
    [2009/11/08 08:49:35 | 03,550,592 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Documents and Settings\Bill Entwistle\Desktop\winlogin.exe
    [2009/11/07 17:52:44 | 00,000,076 | ---- | M] () -- C:\Documents and Settings\Bill Entwistle\Desktop\CMS - State Employee Services.URL
    [2009/11/07 17:52:10 | 00,000,075 | ---- | M] () -- C:\Documents and Settings\Bill Entwistle\Desktop\SURS - Insurance.URL
    [6 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2009/11/21 01:00:31 | 00,000,655 | ---- | C] () -- C:\Documents and Settings\Bill Entwistle\Desktop\Windows Defender.lnk
    [2009/11/21 00:57:36 | 00,000,246 | ---- | C] () -- C:\Documents and Settings\Bill Entwistle\Desktop\Security Center.lnk
    [2009/11/21 00:50:09 | 00,000,933 | ---- | C] () -- C:\Documents and Settings\Bill Entwistle\Desktop\Spybot.lnk
    [2009/11/19 20:09:53 | 03,568,341 | R--- | C] () -- C:\Documents and Settings\Bill Entwistle\Desktop\ComboFix.exe
    [2009/11/15 01:10:20 | 00,000,330 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
    [2009/11/14 23:38:48 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes.lnk
    [2009/11/08 17:54:32 | 00,260,608 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2009/11/08 17:54:32 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2009/11/08 17:54:32 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2009/11/08 17:54:32 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2009/11/08 17:54:32 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2009/11/08 11:39:39 | 00,000,182 | ---- | C] () -- C:\Documents and Settings\Bill Entwistle\Desktop\November 8th, 2009 1138 am #10.URL
    [2009/11/08 09:13:35 | 00,000,118 | ---- | C] () -- C:\Documents and Settings\Bill Entwistle\Desktop\Infected; MBAM Being Deleted - Malwarebytes Forum.URL
    [2009/11/07 17:52:44 | 00,000,076 | ---- | C] () -- C:\Documents and Settings\Bill Entwistle\Desktop\CMS - State Employee Services.URL
    [2009/11/07 17:52:10 | 00,000,075 | ---- | C] () -- C:\Documents and Settings\Bill Entwistle\Desktop\SURS - Insurance.URL
    [2009/10/01 15:35:58 | 00,000,061 | ---- | C] () -- C:\WINDOWS\TaxACT09.ini
    [2009/08/08 00:52:03 | 00,005,632 | ---- | C] () -- C:\Documents and Settings\Bill Entwistle\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2008/12/04 22:12:20 | 00,000,075 | ---- | C] () -- C:\WINDOWS\TaxACT08.ini
    [2008/11/25 20:01:34 | 00,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
    [2008/01/14 01:02:51 | 00,044,491 | ---- | C] () -- C:\WINDOWS\System32\MiiIniFile13.ini
    [2008/01/14 01:02:48 | 00,285,216 | ---- | C] () -- C:\WINDOWS\System32\drivers\Onsio.sys
    [2008/01/14 01:02:48 | 00,007,680 | ---- | C] () -- C:\WINDOWS\System32\drivers\Onsreged.sys
    [2007/10/18 21:56:34 | 00,001,377 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
    [2007/10/03 21:43:36 | 00,000,088 | ---- | C] () -- C:\WINDOWS\TaxACT07.ini
    [2007/08/23 19:30:00 | 00,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
    [2007/08/02 01:00:03 | 00,093,696 | ---- | C] () -- C:\WINDOWS\System32\hpgt42.dll
    [2007/05/16 00:02:15 | 00,000,225 | ---- | C] () -- C:\WINDOWS\acdsee.ini
    [2007/05/15 23:48:11 | 00,000,141 | ---- | C] () -- C:\WINDOWS\TaxACT06.ini
    [2007/05/15 23:45:43 | 00,000,128 | ---- | C] () -- C:\WINDOWS\TaxACT05.ini
    [2007/05/15 23:35:57 | 00,000,128 | ---- | C] () -- C:\WINDOWS\TaxACT04.ini
    [2007/05/15 22:44:02 | 00,000,128 | ---- | C] () -- C:\WINDOWS\TaxACT03.ini
    [2007/05/15 22:39:23 | 00,000,103 | ---- | C] () -- C:\WINDOWS\TaxACT02.ini
    [2007/05/15 22:25:12 | 00,000,090 | ---- | C] () -- C:\WINDOWS\TAXACT01.INI
    [2007/05/15 22:17:50 | 00,000,073 | ---- | C] () -- C:\WINDOWS\TaxAct00.ini
    [2007/05/15 22:13:34 | 00,000,078 | ---- | C] () -- C:\WINDOWS\TaxAct99.ini
    [2007/05/09 00:33:39 | 00,000,087 | ---- | C] () -- C:\WINDOWS\OPHCW.INI
    [2007/05/07 00:28:48 | 00,000,088 | RHS- | C] () -- C:\WINDOWS\System32\3EEC6A8C6D.sys
    [2007/04/28 20:26:12 | 00,000,042 | ---- | C] () -- C:\WINDOWS\entpack.ini
    [2007/04/26 23:52:58 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2007/04/26 19:40:28 | 00,000,868 | ---- | C] () -- C:\WINDOWS\ULEAD32.INI
    [2007/04/26 19:18:20 | 00,008,500 | ---- | C] () -- C:\WINDOWS\lviewpro.ini
    [2007/04/23 22:52:15 | 00,005,174 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
    [2007/04/23 22:52:15 | 00,000,088 | RHS- | C] () -- C:\WINDOWS\System32\736179D2E2.sys
    [2007/04/21 11:45:43 | 00,005,120 | ---- | C] () -- C:\Documents and Settings\Bill Entwistle\Application Data\dvd.bmk
    [2007/04/21 11:39:12 | 00,000,137 | ---- | C] () -- C:\Documents and Settings\Bill Entwistle\Local Settings\Application Data\fusioncache.dat
    [2007/04/20 23:40:53 | 04,836,936 | -H-- | C] () -- C:\Documents and Settings\Bill Entwistle\Local Settings\Application Data\IconCache.db
    [2007/04/20 23:40:53 | 00,018,520 | ---- | C] () -- C:\Documents and Settings\Bill Entwistle\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    [2007/04/20 23:40:53 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Bill Entwistle\Application Data\desktop.ini
    [2007/04/17 23:10:53 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
    [2007/04/17 23:06:50 | 00,000,259 | ---- | C] () -- C:\WINDOWS\wininit.ini
    [2007/04/17 22:41:31 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4642.dll
    [2007/04/17 22:40:06 | 00,000,392 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
    [2006/06/29 13:58:52 | 00,030,808 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont
    [2006/06/29 13:53:56 | 00,026,489 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
    [2006/04/18 14:39:28 | 00,029,779 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
    [2006/04/18 14:39:28 | 00,026,040 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
    [2005/11/09 23:56:34 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
    [2004/08/11 15:24:19 | 00,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
    [2004/08/11 15:14:58 | 00,000,000 | ---- | C] () -- C:\WINDOWS\control.ini
    [2004/08/11 15:12:00 | 00,000,037 | ---- | C] () -- C:\WINDOWS\vbaddin.ini
    [2004/08/11 15:12:00 | 00,000,036 | ---- | C] () -- C:\WINDOWS\vb.ini
    [2004/08/11 15:11:31 | 00,013,223 | ---- | C] () -- C:\WINDOWS\System32\tslabels.ini
    [2004/08/11 15:11:31 | 00,001,931 | ---- | C] () -- C:\WINDOWS\System32\msdtcprf.ini
    [2004/08/11 15:11:31 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
    [2004/08/11 15:07:25 | 00,524,016 | ---- | C] () -- C:\WINDOWS\System32\PerfStringBackup.INI
    [2004/08/11 15:07:24 | 00,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2004/08/11 15:07:11 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
    [2004/08/11 15:00:52 | 00,498,742 | ---- | C] () -- C:\WINDOWS\System32\dxmasf.dll
    [2004/08/11 15:00:52 | 00,004,126 | ---- | C] () -- C:\WINDOWS\System32\msdxmlc.dll
    [2004/08/11 15:00:37 | 00,013,312 | ---- | C] () -- C:\WINDOWS\System32\win87em.dll
    [2004/08/11 15:00:37 | 00,001,121 | ---- | C] () -- C:\WINDOWS\win.ini
    [2004/08/11 15:00:35 | 00,053,478 | ---- | C] () -- C:\WINDOWS\System32\tcpmon.ini
    [2004/08/11 15:00:35 | 00,015,360 | ---- | C] () -- C:\WINDOWS\System32\tsd32.dll
    [2004/08/11 15:00:35 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
    [2004/08/11 15:00:30 | 00,270,848 | ---- | C] () -- C:\WINDOWS\System32\sbe.dll
    [2004/08/11 15:00:30 | 00,010,240 | ---- | C] () -- C:\WINDOWS\System32\scriptpw.dll
    [2004/08/11 15:00:29 | 01,291,264 | ---- | C] () -- C:\WINDOWS\System32\quartz.dll
    [2004/08/11 15:00:29 | 01,287,168 | ---- | C] () -- C:\WINDOWS\System32\quartz(2).dll
    [2004/08/11 15:00:29 | 00,733,696 | ---- | C] () -- C:\WINDOWS\System32\qedwipes.dll
    [2004/08/11 15:00:29 | 00,562,176 | ---- | C] () -- C:\WINDOWS\System32\qedit.dll
    [2004/08/11 15:00:29 | 00,386,048 | ---- | C] () -- C:\WINDOWS\System32\qdvd.dll
    [2004/08/11 15:00:29 | 00,279,040 | ---- | C] () -- C:\WINDOWS\System32\qdv.dll
    [2004/08/11 15:00:29 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\qcap.dll
    [2004/08/11 15:00:29 | 00,012,082 | ---- | C] () -- C:\WINDOWS\System32\rsvp.ini
    [2004/08/11 15:00:29 | 00,003,458 | ---- | C] () -- C:\WINDOWS\System32\rasctrs.ini
    [2004/08/11 15:00:28 | 00,006,877 | ---- | C] () -- C:\WINDOWS\System32\pschdprf.ini
    [2004/08/11 15:00:28 | 00,002,891 | ---- | C] () -- C:\WINDOWS\System32\perfci.ini
    [2004/08/11 15:00:28 | 00,002,732 | ---- | C] () -- C:\WINDOWS\System32\perfwci.ini
    [2004/08/11 15:00:28 | 00,001,152 | ---- | C] () -- C:\WINDOWS\System32\perffilt.ini
    [2004/08/11 15:00:28 | 00,000,343 | ---- | C] () -- C:\WINDOWS\System32\prodspec.ini
    [2004/08/11 15:00:25 | 00,035,648 | ---- | C] () -- C:\WINDOWS\System32\ntio411.sys
    [2004/08/11 15:00:25 | 00,035,424 | ---- | C] () -- C:\WINDOWS\System32\ntio412.sys
    [2004/08/11 15:00:25 | 00,034,560 | ---- | C] () -- C:\WINDOWS\System32\ntio804.sys
    [2004/08/11 15:00:25 | 00,034,560 | ---- | C] () -- C:\WINDOWS\System32\ntio404.sys
    [2004/08/11 15:00:25 | 00,033,840 | ---- | C] () -- C:\WINDOWS\System32\ntio.sys
    [2004/08/11 15:00:25 | 00,029,370 | ---- | C] () -- C:\WINDOWS\System32\ntdos411.sys
    [2004/08/11 15:00:25 | 00,029,274 | ---- | C] () -- C:\WINDOWS\System32\ntdos412.sys
    [2004/08/11 15:00:25 | 00,029,146 | ---- | C] () -- C:\WINDOWS\System32\ntdos804.sys
    [2004/08/11 15:00:25 | 00,029,146 | ---- | C] () -- C:\WINDOWS\System32\ntdos404.sys
    [2004/08/11 15:00:25 | 00,027,866 | ---- | C] () -- C:\WINDOWS\System32\ntdos.sys
    [2004/08/11 15:00:24 | 00,002,656 | ---- | C] () -- C:\WINDOWS\System32\netware.drv
    [2004/08/11 15:00:21 | 00,094,282 | ---- | C] () -- C:\WINDOWS\System32\msencode.dll
    [2004/08/11 15:00:21 | 00,014,336 | ---- | C] () -- C:\WINDOWS\System32\msdmo.dll
    [2004/08/11 15:00:21 | 00,001,405 | ---- | C] () -- C:\WINDOWS\msdfmap.ini
    [2004/08/11 15:00:20 | 00,010,110 | ---- | C] () -- C:\WINDOWS\System32\mqperf.ini
    [2004/08/11 15:00:18 | 00,042,809 | ---- | C] () -- C:\WINDOWS\System32\key01.sys
    [2004/08/11 15:00:18 | 00,042,537 | ---- | C] () -- C:\WINDOWS\System32\keyboard.sys
    [2004/08/11 15:00:18 | 00,035,328 | ---- | C] () -- C:\WINDOWS\System32\mciqtz32.dll
    [2004/08/11 15:00:17 | 00,199,168 | ---- | C] () -- C:\WINDOWS\System32\ir32_32.dll
    [2004/08/11 15:00:15 | 00,004,768 | ---- | C] () -- C:\WINDOWS\System32\himem.sys
    [2004/08/11 15:00:13 | 01,015,477 | ---- | C] () -- C:\WINDOWS\System32\esentprf.ini
    [2004/08/11 15:00:13 | 00,186,880 | ---- | C] () -- C:\WINDOWS\System32\encdec.dll
    [2004/08/11 15:00:04 | 00,059,904 | ---- | C] () -- C:\WINDOWS\System32\devenum.dll
    [2004/08/11 15:00:04 | 00,027,097 | ---- | C] () -- C:\WINDOWS\System32\country.sys
    [2004/08/11 15:00:03 | 00,252,928 | ---- | C] () -- C:\WINDOWS\System32\compatui.dll
    [2004/08/11 15:00:02 | 00,355,112 | ---- | C] () -- C:\WINDOWS\System32\msjetoledb40.dll
    [2004/08/11 15:00:01 | 00,070,656 | ---- | C] () -- C:\WINDOWS\System32\amstream.dll
    [2004/08/11 15:00:01 | 00,009,029 | ---- | C] () -- C:\WINDOWS\System32\ansi.sys
    [2001/09/11 15:06:50 | 00,001,787 | ---- | C] () -- C:\WINDOWS\SDDM.INI
    [2001/08/17 20:36:28 | 00,157,696 | ---- | C] () -- C:\WINDOWS\System32\paqsp.dll
    [1999/01/22 12:46:58 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
    [1996/07/30 23:00:00 | 00,041,472 | ---- | C] () -- C:\WINDOWS\System32\WOSAXRT.DLL
    [1996/07/30 23:00:00 | 00,006,656 | ---- | C] () -- C:\WINDOWS\System32\MSNWEBQT.DLL

    ========== LOP Check ==========

    [2007/04/17 23:08:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
    [2007/08/28 19:06:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple
    [2007/08/28 19:07:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
    [2009/03/29 15:27:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Citrix
    [2007/04/17 23:02:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Corel
    [2008/01/29 10:17:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Dell
    [2009/01/15 02:57:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Google
    [2007/04/17 23:09:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GTek
    [2007/04/17 23:07:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InstallShield
    [2008/11/30 14:16:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    [2009/03/31 22:09:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\McAfee
    [2008/12/03 21:39:02 | 00,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
    [2007/05/10 21:22:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Motive
    [2008/01/18 21:49:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RapidSolution
    [2004/08/11 15:25:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBSI
    [2008/12/03 20:00:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Seagate
    [2007/04/17 23:07:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sonic
    [2009/11/21 00:50:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    [2009/04/04 11:50:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Symantec
    [2007/04/21 01:00:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
    [2009/03/14 20:28:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Adobe
    [2007/04/21 11:50:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\AdobeUM
    [2008/03/15 17:02:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Amazon
    [2007/09/27 00:28:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Apple Computer
    [2008/11/22 18:39:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Corel
    [2007/04/20 23:59:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Google
    [2007/04/17 23:09:10 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Gtek
    [2007/04/22 18:52:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Help
    [2004/08/11 15:20:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Identities
    [2007/08/26 22:04:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\lalacollection
    [2007/08/25 20:40:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\lalaplayer
    [2007/04/24 23:23:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Leadertech
    [2007/04/21 01:21:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Macromedia
    [2008/11/30 14:16:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Malwarebytes
    [2009/03/31 20:59:03 | 00,000,000 | --SD | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Microsoft
    [2007/04/26 23:50:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Microsoft Web Folders
    [2007/05/10 21:27:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Motive
    [2009/11/14 23:34:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Mozilla
    [2008/01/18 20:59:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\NoteCable
    [2008/01/18 21:53:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\RTPlayer
    [2007/04/29 23:49:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Sonic
    [2007/04/28 22:58:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Sun
    [2007/04/27 00:03:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Talkback
    [2009/01/11 02:56:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Thunderbird
    [2008/01/18 22:23:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Tunebite
    [2009/10/30 01:29:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\WinRAR
    [2004/08/04 03:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
    [2009/11/21 02:06:00 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
    [2009/11/21 00:47:24 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT
    [2009/11/21 00:47:33 | 00,000,260 | ---- | M] () -- C:\WINDOWS\Tasks\WGASetup.job

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.exe >

    < %SYSTEMDRIVE%\eventlog.dll /s /md5 >
    [2004/08/04 03:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\i386\eventlog.dll
    [1 C:\i386\*.tmp files -> C:\i386\*.tmp -> ]
    [2004/08/04 03:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll
    [2008/04/13 18:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
    [2008/04/13 18:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
    [2008/04/13 18:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
    [1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

    < %SYSTEMDRIVE%\scecli.dll /s /md5 >
    [2004/08/04 03:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\i386\scecli.dll
    [1 C:\i386\*.tmp files -> C:\i386\*.tmp -> ]
    [2004/08/04 03:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
    [2008/04/13 18:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
    [2008/04/13 18:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
    [2008/04/13 18:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll
    [1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

    < %SYSTEMDRIVE%\netlogon.dll /s /md5 >
    [2004/08/04 03:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\i386\netlogon.dll
    [1 C:\i386\*.tmp files -> C:\i386\*.tmp -> ]
    [2004/08/04 03:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
    [2008/04/13 18:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
    [2008/04/13 18:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
    [2008/04/13 18:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
    [1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

    < %SYSTEMDRIVE%\cngaudit.dll /s /md5 >

    < %SYSTEMDRIVE%\sceclt.dll /s /md5 >

    < %SYSTEMDRIVE%\ntelogon.dll /s /md5 >

    < %SYSTEMDRIVE%\logevent.dll /s /md5 >

    < %SYSTEMDRIVE%\iaStor.sys /s /md5 >
    [2006/10/10 11:03:48 | 00,246,784 | ---- | M] (Intel Corporation) MD5=019CF5F31C67030841233C545A0E217A -- C:\drivers\storage\R130118\iastor.sys
    [2006/07/06 04:59:42 | 00,246,784 | ---- | M] (Intel Corporation) MD5=019CF5F31C67030841233C545A0E217A -- C:\i386\iaStor.sys
    [1 C:\i386\*.tmp files -> C:\i386\*.tmp -> ]
    [2006/07/06 04:59:42 | 00,246,784 | ---- | M] (Intel Corporation) MD5=019CF5F31C67030841233C545A0E217A -- C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iaStor.sys
    [2006/07/06 05:01:32 | 00,484,864 | ---- | M] (Intel Corporation) MD5=6A3C354BFC163B81F6EF2FC421280DB5 -- C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys
    [2009/11/14 17:10:57 | 00,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\WINDOWS\system32\drivers\iastor.sys
    [2006/10/10 11:03:48 | 00,246,784 | ---- | M] (Intel Corporation) MD5=019CF5F31C67030841233C545A0E217A -- C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\iaStor.sys

    < %SYSTEMDRIVE%\nvstor.sys /s /md5 >

    < %SYSTEMDRIVE%\atapi.sys /s /md5 >
    [2004/08/03 20:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\i386\atapi.sys
    [1 C:\i386\*.tmp files -> C:\i386\*.tmp -> ]
    [2004/08/03 20:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
    [2008/04/13 12:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
    [2008/04/13 12:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
    [2008/04/13 12:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

    < %SYSTEMDRIVE%\IdeChnDr.sys /s /md5 >

    < %SYSTEMDRIVE%\viasraid.sys /s /md5 >

    < %SYSTEMDRIVE%\AGP440.sys /s /md5 >
    [2004/08/03 21:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\i386\AGP440.SYS
    [1 C:\i386\*.tmp files -> C:\i386\*.tmp -> ]
    [2004/08/03 21:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys
    [2008/04/13 12:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
    [2008/04/13 12:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
    [2008/04/13 12:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

    < %SYSTEMDRIVE%\vaxscsi.sys /s /md5 >

    < %SYSTEMDRIVE%\nvatabus.sys /s /md5 >
    < End of report >

    --------------------------------------------

    OTL Extras logfile created on: 11/21/2009 5:35:16 PM - Run 1
    OTL by OldTimer - Version 3.1.6.2 Folder = C:\Documents and Settings\Bill Entwistle\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 6.0.2900.5512)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1013.84 Mb Total Physical Memory | 110.82 Mb Available Physical Memory | 10.93% Memory free
    2.38 Gb Paging File | 1.57 Gb Available in Paging File | 65.90% Paging File free
    Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 68.36 Gb Total Space | 42.44 Gb Free Space | 62.08% Space Free | Partition Type: NTFS
    D: Drive not present or media not loaded
    E: Drive not present or media not loaded
    Drive F: | 68.36 Gb Total Space | 37.28 Gb Free Space | 54.53% Space Free | Partition Type: NTFS
    Drive G: | 2.93 Gb Total Space | 1.13 Gb Free Space | 38.52% Space Free | Partition Type: NTFS
    Drive H: | 6.31 Gb Total Space | 5.17 Gb Free Space | 81.96% Space Free | Partition Type: NTFS
    I: Drive not present or media not loaded

    Computer Name: TUCKER
    Current User Name: Bill Entwistle
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 14 Days
    Output = Standard
    Quick Scan

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .chm [@ = chm.file] -- "%SYSTEMROOT%\hh.exe" %1
    .html [@ = FirefoxHTML] -- C:\Program Files\Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %* File not found
    chm.file [open] -- "%SYSTEMROOT%\hh.exe" %1 File not found
    cmdfile [open] -- "%1" %* File not found
    comfile [open] -- "%1" %* File not found
    exefile [open] -- "%1" %* File not found
    htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
    htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
    htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
    http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
    https [open] -- "C:\Program Files\Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
    piffile [open] -- "%1" %* File not found
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1" File not found
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
    scrfile [open] -- "%1" /S File not found
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
    CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" File not found

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "FirewallDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
    "139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1
    "DoNotAllowExceptions" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
    "139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
    "G:\WS FTP\WS_FTP95.exe" = G:\WS FTP\WS_FTP95.exe:*:Enabled:WS_FTP 95 -- (Ipswitch, Inc. 81 Hartwell Ave. Lexington, MA 02173)
    "%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
    "C:\Program Files\TeraTerm\ttermpro.exe" = C:\Program Files\TeraTerm\ttermpro.exe:*:Enabled:Tera Term -- (TeraTerm Project T. Teranishi)
    "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe" = C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe:*:Enabled:AppleMobileDeviceService -- (Apple, Inc.)
    "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe" = C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe:*:Enabled:StxMenuMgr -- (Seagate LLC)
    "C:\Program Files\Dell Support\DSAgnt.exe" = C:\Program Files\Dell Support\DSAgnt.exe:*:Enabled:DSAgnt -- (Gteko Ltd.)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{00010409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Professional
    "{075473F5-846A-448B-BCB3-104AA1760205}" = Roxio RecordNow Data
    "{0A0873E1-D9BA-4994-B85D-A0A331EF1F0C}" = Intel® PRO Network Connections
    "{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
    "{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Roxio DLA
    "{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
    "{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
    "{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Roxio MyDVD LE
    "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
    "{238B8820-011B-11D6-9C28-0080C85A0C2D}" = Microtek LightLid 35 Calibrator
    "{26A24AE4-039D-4CA4-87B4-2F83216010FF}" = Java™ 6 Update 11
    "{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
    "{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
    "{33CFCF98-F8D6-4549-B469-6F4295676D83}" = Symantec AntiVirus
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{3EBD3749-304E-4A4C-9575-C00E5F015217}" = Apple Mobile Device Support
    "{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}" = URL Assistant
    "{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54}" = Dell CinePlayer
    "{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
    "{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}" = Sonic Activation Module
    "{621FCD24-4498-4324-A81E-07D331376EDF}" = PixiePack Codec Pack
    "{6BE2A4A4-99FB-48ED-AE1E-4E850389F804}" = PartitionMagic
    "{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{7ADE3A47-B425-45E9-8FF6-11BE2B775645}" = Corel Snapfire Plus
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{902C002A-60F8-45BD-9EFF-4DE38C99C51B}" = Eudora
    "{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
    "{93A1B09E-BAFA-4628-A5B6-921CB026955A}" = Corel Paint Shop Pro Photo XI
    "{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}" = QuickTime
    "{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Roxio RecordNow Audio
    "{AC76BA86-7AD7-1033-7B44-A70800000002}" = Adobe Reader 7.0.8
    "{B045B608-4A47-4C77-9EAD-06C394503306}" = iTunes
    "{B08D262E-D902-11D5-9C28-0080C85A0C2D}" = ScanWizard 5
    "{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Roxio RecordNow Copy
    "{B1D89E54-08B1-4542-A69B-E634AEF10A40}" = Seagate Manager Installer
    "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
    "{B702CCCE-3176-4DBF-B932-D1B8F402F330}" = Digital Content Portal
    "{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}" = Apple Software Update
    "{BCE72AED-3332-4863-9567-C5DCB9052CA2}" = Netflix Movie Viewer
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{CEE2252C-4035-4B27-8EC6-0B085DD3A413}" = Dell Support 3.2.1
    "{F51251E6-FF62-48D0-9F87-149F48CDE46C}" = OKI C5100 Digitally Signed Driver
    "Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "Alarm_is1" = Alarm 2.0.1
    "Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.3
    "ColorMania_is1" = ColorMania 2.4
    "DVD Identifier_is1" = DVD Identifier
    "HDMI" = Intel® Graphics Media Accelerator Driver
    "HijackThis" = HijackThis 2.0.2
    "InstallShield_{6BE2A4A4-99FB-48ED-AE1E-4E850389F804}" = PowerQuest PartitionMagic 8.0
    "LiveUpdate" = LiveUpdate 3.1 (Symantec Corporation)
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
    "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Mozilla Firefox (3.5.5)" = Mozilla Firefox (3.5.5)
    "Mozilla Thunderbird (2.0.0.23)" = Mozilla Thunderbird (2.0.0.23)
    "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
    "MSMONEYV50" = Microsoft Money 5.0
    "Multimedia Xplorer 2" = Multimedia Xplorer 2
    "MyEntunnel" = MyEntunnel (remove only)
    "Registry Crawler" = Registry Crawler
    "SBC.MCCInstall" = SBC Self Support Tool
    "SearchAssist" = SearchAssist
    "TaxACT 2000" = TaxACT 2000
    "TaxACT 2001" = TaxACT 2001
    "TaxACT 2002" = TaxACT 2002
    "TaxACT 2003" = TaxACT 2003
    "TaxACT 2004" = TaxACT 2004
    "TaxACT 2005" = TaxACT 2005
    "TaxACT 2006" = TaxACT 2006
    "TaxACT 2007" = TaxACT 2007
    "TaxACT 2008" = TaxACT 2008
    "TaxACT 2008 Illinois" = TaxACT 2008 Illinois
    "TaxACT 2009" = TaxACT 2009
    "TaxACT Illinois 2003" = TaxACT Illinois 2003
    "TaxACT Illinois 2004" = TaxACT Illinois 2004
    "TaxACT Illinois 2005" = TaxACT Illinois 2005
    "TaxACT Illinois 2006" = TaxACT Illinois 2006
    "TaxACT Illinois 2007" = TaxACT Illinois 2007
    "Tera Term Pro" = Tera Term Pro
    "Tera Term_is1" = Tera Term 4.62
    "TextPad 4" = TextPad 4
    "Ulead iPhoto Express 1.1" = Ulead iPhoto Express 1.1
    "Windows Media Format Runtime" = Windows Media Format 11 runtime
    "Windows Media Player" = Windows Media Player 11
    "Windows XP Service Pack" = Windows XP Service Pack 3
    "WinRAR archiver" = WinRAR archiver
    "WMFDist11" = Windows Media Format 11 runtime
    "wmp11" = Windows Media Player 11
    "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
    "YInstHelper" = Yahoo! Install Manager

    ========== HKEY_CURRENT_USER Uninstall List ==========

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "GoToMeeting" = GoToMeeting/GoToWebinar 3.0.0.198

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 11/19/2009 2:28:06 AM | Computer Name = TUCKER | Source = WinDefendRtp | ID = 3003
    Description = %%827 Real-Time Protection checkpoint has encountered an error and
    failed to start. User: TUCKER\Bill Entwistle Checkpoint ID: 1 Error Code: 0x8000ffff

    Error
    description: Catastrophic failure

    Error - 11/19/2009 2:45:31 AM | Computer Name = TUCKER | Source = Symantec AntiVirus | ID = 16711726
    Description = Security Risk Found!Risk: Downloader.MisleadApp in File: C:\Documents
    and Settings\Bill Entwistle\Local Settings\Temporary Internet Files\Content.IE5\YH16FMXW\op[1].exe
    by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description:

    Error - 11/19/2009 2:45:31 AM | Computer Name = TUCKER | Source = Symantec AntiVirus | ID = 16711685
    Description = Risk Found!Risk: Downloader.MisleadApp in File: C:\Documents and Settings\Bill
    Entwistle\Local Settings\Temporary Internet Files\Content.IE5\YH16FMXW\op[1].exe
    by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description:

    Error - 11/19/2009 2:45:45 AM | Computer Name = TUCKER | Source = Symantec AntiVirus | ID = 16711731
    Description = Security Risk Found!Risk: Downloader.MisleadApp in File: C:\Documents
    and Settings\Bill Entwistle\Local Settings\Temporary Internet Files\Content.IE5\YH16FMXW\op[1].exe
    by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description:

    Error - 11/19/2009 3:38:19 AM | Computer Name = TUCKER | Source = WinDefendRtp | ID = 3003
    Description = %%827 Real-Time Protection checkpoint has encountered an error and
    failed to start. User: TUCKER\Bill Entwistle Checkpoint ID: 1 Error Code: 0x80070005

    Error
    description: Access is denied.

    Error - 11/19/2009 3:38:19 AM | Computer Name = TUCKER | Source = WinDefendRtp | ID = 3003
    Description = %%827 Real-Time Protection checkpoint has encountered an error and
    failed to start. User: TUCKER\Bill Entwistle Checkpoint ID: 1 Error Code: 0x8000ffff

    Error
    description: Catastrophic failure

    Error - 11/20/2009 3:11:18 AM | Computer Name = TUCKER | Source = WinDefendRtp | ID = 3003
    Description = %%827 Real-Time Protection checkpoint has encountered an error and
    failed to start. User: TUCKER\Bill Entwistle Checkpoint ID: 1 Error Code: 0x80070005

    Error
    description: Access is denied.

    Error - 11/20/2009 3:11:18 AM | Computer Name = TUCKER | Source = WinDefendRtp | ID = 3003
    Description = %%827 Real-Time Protection checkpoint has encountered an error and
    failed to start. User: TUCKER\Bill Entwistle Checkpoint ID: 1 Error Code: 0x8000ffff

    Error
    description: Catastrophic failure

    Error - 11/20/2009 10:48:38 AM | Computer Name = TUCKER | Source = MPSampleSubmission | ID = 5000
    Description = EventType avsubmit, P1 windefend, P2 1.1.5302.0, P3 unspecified, P4
    1.71.26.0, P5 trojan_win32_vundo.gen!g, P6 NIL, P7 NIL, P8 NIL, P9 NIL, P10 NIL.

    Error - 11/21/2009 2:45:54 AM | Computer Name = TUCKER | Source = Application Error | ID = 1000
    Description = Faulting application , version 0.0.0.0, faulting module unknown, version
    0.0.0.0, fault address 0x00000000.

    [ System Events ]
    Error - 11/19/2009 12:43:49 AM | Computer Name = TUCKER | Source = Service Control Manager | ID = 7000
    Description = The mcmscsvc service failed to start due to the following error: %%3

    Error - 11/19/2009 12:43:49 AM | Computer Name = TUCKER | Source = Service Control Manager | ID = 7000
    Description = The McNASvc service failed to start due to the following error: %%3

    Error - 11/19/2009 3:38:37 AM | Computer Name = TUCKER | Source = Service Control Manager | ID = 7000
    Description = The mcmscsvc service failed to start due to the following error: %%3

    Error - 11/19/2009 3:38:37 AM | Computer Name = TUCKER | Source = Service Control Manager | ID = 7000
    Description = The McNASvc service failed to start due to the following error: %%3

    Error - 11/19/2009 8:52:27 PM | Computer Name = TUCKER | Source = iaStor | ID = 262153
    Description = The device, \Device\Ide\iaStor0, did not respond within the timeout
    period.

    Error - 11/20/2009 3:11:08 AM | Computer Name = TUCKER | Source = Service Control Manager | ID = 7000
    Description = The mcmscsvc service failed to start due to the following error: %%3

    Error - 11/20/2009 3:11:08 AM | Computer Name = TUCKER | Source = Service Control Manager | ID = 7000
    Description = The McNASvc service failed to start due to the following error: %%3

    Error - 11/20/2009 3:11:18 AM | Computer Name = TUCKER | Source = ipnathlp | ID = 32003
    Description = The Network Address Translator (NAT) was unable to request an operation
    of
    the kernel-mode translation module. This may indicate misconfiguration, insufficient
    resources, or an internal error. The data is the error code.

    Error - 11/21/2009 2:47:55 AM | Computer Name = TUCKER | Source = Service Control Manager | ID = 7000
    Description = The mcmscsvc service failed to start due to the following error: %%3

    Error - 11/21/2009 2:47:55 AM | Computer Name = TUCKER | Source = Service Control Manager | ID = 7000
    Description = The McNASvc service failed to start due to the following error: %%3


    < End of report >
    IndiGenus
    post Nov 22 2009, 01:57 AM
    Post #60


    True Member
    ****

    Group: Experts
    Posts: 361
    Joined: 19-May 09
    From: New England, USA
    Member No.: 13,933



    I would suggest maybe one more scan if all is well, then you should be good to go.

    The below scan can take up to an hour or longer, please be patient.

    *Note
    It is recommended to disable your onboard antivirus program and antispyware programs while performing scans so there are no conflicts and to speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once the scan is finished, remember to re-enable resident antivirus protection along with whatever antispyware app you use.


    Please do a scan with Kaspersky Online Scanner or from here
    http://www.kaspersky.com/virusscanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    • Click on the Accept button and install any components it needs.
    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded, on the left side of the page in the Scan section select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run. (At times it may appear to stall.)
      * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
      * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
      * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Once the scan is complete, click on View scan report. To obtain the report:

    Click on: Save Report As
    Next, in the Save as prompt, Save in area, select: Desktop
    In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select: Text file [*.txt]
    Then, click: Save
    Please post the Kaspersky Online Scanner Report in your reply.

    Animated tutorial
    http://i275.photobucket.com/albums/jj285/B...ng/KAS/KAS9.gif

    (Note for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
    Or use Firefox with IE-Tab plugin
    https://addons.mozilla.org/en-US/firefox/addon/1419

    In your next reply post:
    Kaspersky log


    --------------------
    IndiGenus

    The help you receive here is free, but if you would like to help continue the fight against Malware then

    "To find perfect composure in the midst of change is to find ourselves in nirvana."

    Suzuki Roshi


