Infected; MBAM Being Deleted


71 replies to this topic

#41 ent

    Regular Member

  • Honorary Members
  • 56 posts

Posted 15 November 2009 - 04:03 AM

I'm happy to report that extracting and installing the iastor.sys driver made my computer bootable again!

Almost as soon as I rebooted, I started getting malware intrusions. In particular, a fake malware program called Personal Guard 2009 kept popping up. I could delete all of its files and kill the process, but it would come back. I was able to stop this cycle by copying a random .exe file into the Personal Guard directory and renaming it to personalguard.exe. This kept it from running.

Then I tried reinstalling MBAM and got the same symptoms as before -- an mbam.exe file that would disappear within seconds of its creation. To combat this, I tried going to the Windows command line and quickly running a copy command to copy mbam.exe to another file name, while MBAM was in the process of installing. I was thinking that I might be able to run MBAM via this other executable. Not sure why, but the copying alone seemed to stop mbam.exe from being deleted, so then I was able to run a scan.

On a quick scan, MBAM found 43 infected objects!

Memory Processes Infected:
C:\Documents and Settings\All Users\Microsoft AData\setup.exe (Rogue.Installer) -> Unloaded process successfully.
Memory Modules Infected:
c:\WINDOWS\system32\zayezeru.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\All Users\Microsoft AData\sysnet.dll (Rogue.Installer) -> Delete on reboot.
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{df8ba2ed-e102-44d6-89d9-cebb037d8dd6} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{81ccb0cf-1404-4b92-aaf2-090ba3b6d4d5} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\personal guard 2009 (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Personal Guard 2009 (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\surezadil (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{df8ba2ed-e102-44d6-89d9-cebb037d8dd6} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\heramineh (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\sysnet (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\personalguard (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dofobobadu (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe logon.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.
Folders Infected:
C:\Program Files\Personal Guard 2009 (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.
C:\Program Files\Personal Guard 2009\q (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill Entwistle\Start Menu\Programs\Personal Guard 2009 (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Microsoft AData (Rogue.SmartProtector) -> Quarantined and deleted successfully.
Files Infected:
c:\WINDOWS\system32\zayezeru.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\All Users\Microsoft AData\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Microsoft AData\sysnet.dll (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\logon.exe (Worm.Emold) -> Delete on reboot.
C:\WINDOWS\Temp\7E9.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill Entwistle\Local Settings\temp\trt.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill Entwistle\Local Settings\temp\trt57.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\Personal Guard 2009\config.scf (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.
C:\Program Files\Personal Guard 2009\mmbase.sdb (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.
C:\Program Files\Personal Guard 2009\personalguard.exe (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.
C:\Program Files\Personal Guard 2009\q.sdb (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.
C:\Program Files\Personal Guard 2009\queue.sdb (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.
C:\Program Files\Personal Guard 2009\uninstalls.exe (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.
C:\Program Files\Personal Guard 2009\vvbase.sdb (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill Entwistle\Start Menu\Programs\Personal Guard 2009\Personal Guard 2009.lnk (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill Entwistle\Start Menu\Programs\Personal Guard 2009\Uninstall.lnk (Rogue.PersonalGuard2009) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Microsoft AData\t.sid (Rogue.SmartProtector) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\diwunawo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\certSystem.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\Microsoftdef.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\regred.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\securits.com (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\spoov.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\usExplorer.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

I removed these, rebooted and re-quick-scanned and it found 2 infected objects:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dofobobadu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

I removed them, rebooted and they came back. I removed them and ran a full scan and it found 5 items:

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP337\A0025338.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP337\A0025341.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP337\A0025346.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\AE1PGLU0\load-full[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\7E7.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.

I removed them, rebooted and re-full-scanned and it only found the 2 objects -- the other 5 did not come back.

I also noticed that something is hijacking the Windows Update feature. Every couple of minutes or so, it disables the automatic update feature. So I can't say for sure whether or not I am up to date with the Windows security updates. I might be -- I was able to circumvent this by running services.msi, waiting for the status to flip to Disabled, then quickly re-enabling it and running the next step of the update process.

I tried booting to safe mode to run the updates, but I still get the blue screen of death when I do.

By the way, somewhere in the middle of all this, I also updated and ran Windows Defender and it found and removed:

Trojan:Win32/Vundo.LP

I rebooted and ran it again, and it did not seem to come back.

So, in summary, I still have these three known symptoms:

* the two infected objects that keep coming back
* the disabling of the Windows update process
* the inability to run in safe mode.

Thanks.
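An added example, not part of the thread: the MBAM detection-line format posted above, parsed and compared across two scans, so the items that "keep coming back" and the items still pending a reboot fall out automatically. The two log excerpts are constructed from the scan output in this post.

```python
"""Parse Malwarebytes' Anti-Malware (MBAM) scan-log detection lines and compare
successive scans to isolate detections that survive a reboot.
Sample log excerpts below are constructed from the thread's own scan output."""
import re
from collections import Counter

# Shape of one detection line:
#   <location> (<family>) -> <action>.
# "Registry Data Items" carry an extra "Bad: (...) Good: (...) ->" segment.
DETECTION_RE = re.compile(
    r"^(?P<location>.+?) \((?P<family>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> )?"
    r"(?P<action>[^.]+)\.$"
)

def parse_mbam_log(text):
    """Return one dict per detection line, tagged with its section header."""
    items, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and " -> " not in line:
            section = line[:-1]              # e.g. "Registry Values Infected"
            continue
        m = DETECTION_RE.match(line)
        if m:
            item = m.groupdict()
            item["section"] = section
            items.append(item)
    return items

def family_counts(items):
    """How many detections each threat family accounts for."""
    return Counter(item["family"] for item in items)

def pending_reboot(items):
    """Locations MBAM could not remove live (module still loaded or locked)."""
    return [i["location"] for i in items if i["action"] == "Delete on reboot"]

def recurring(*scans):
    """Locations present in every scan, in first-scan order. A detection that
    returns after removal and reboot means an unremoved component is still
    running and re-creating it; the visible item is a symptom, not the cause."""
    common = set.intersection(*({i["location"] for i in s} for s in scans))
    return [i["location"] for i in scans[0] if i["location"] in common]

# Constructed excerpts: the first quick scan and the re-scan after a reboot.
SCAN_1 = r"""
Memory Modules Infected:
c:\WINDOWS\system32\zayezeru.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\surezadil (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dofobobadu (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe logon.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\logon.exe (Worm.Emold) -> Delete on reboot.
C:\WINDOWS\Temp\7E9.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
"""
SCAN_2 = r"""
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dofobobadu (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    first, second = parse_mbam_log(SCAN_1), parse_mbam_log(SCAN_2)
    print("families:", dict(family_counts(first)))
    print("pending reboot:", pending_reboot(first))
    print("came back after reboot:", recurring(first, second))
```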

#42 IndiGenus

    True Member

  • Experts
  • 359 posts
  • Location:New England, USA

Posted 15 November 2009 - 10:20 AM

Nice work!!! :) Some really nasty stuff you picked up there...

Obviously still more work to do. But since we got it running I'd like to do some scans before we make any changes.

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop. Post them back to your topic.

~~~~~~~~~~~~~~~~~~~

Download This file. Note its name and save it to your root folder, such as C:\.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then Posted Image

"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi


#43 IndiGenus

    True Member

  • Experts
  • 359 posts
  • Location:New England, USA

Posted 15 November 2009 - 11:13 AM

Hello ent,

A favor to ask please...

Did you rename the old iastor.sys when you copied the new one over, or did you just copy over it? If you renamed it could you please upload the renamed file to the following link:

http://www.bleepingc...e.php?channel=4

Also, could you upload the following file to the same place.

C:\Qoobox\Quarantine\C\Windows\System32\Drivers\iastor.sys.vir

Thank you.
IndiGenus


#44 ent

    Regular Member

  • Honorary Members
  • 56 posts

Posted 15 November 2009 - 01:44 PM

I did save a copy and I have uploaded the requested files to Bleeping Computer.

By the way, this morning (before you left your reply), I ran Spybot to see what it would turn up and it found and deleted several objects. I'm just mentioning it in case it might provide some more diagnostic info. Anyway, Spybot turned up several infections. I couldn't find a log file to paste in here, but they included references to:

Microsoft.WindowsSecurityCenter.FirewallBypass
Microsoft.WindowsSecurityCenter_disabled
Virtumonde.sdn
Virtumonde.atr
Virtumonde.dll

After rebooting, some of the Virtumonde objects came back. But it seems to have fixed the automatic disabling of Windows updates. I successfully did a Windows update, although I'm not real confident that I can trust that it worked.

I will take your next steps. It might take a while because I have this crushing deadline at work and if I don't get it done today, heads will roll. I probably won't be able to do anything before late tonight or tomorrow.

#45 IndiGenus

    True Member

  • Experts
  • 359 posts
  • Location:New England, USA

Posted 15 November 2009 - 04:06 PM

I did save a copy and I have uploaded the requested files to Bleeping Computer.

Thank you, we appreciate it.


I will take your next steps. It might take a while because I have this crushing deadline at work and if I don't get it done today, heads will roll. I probably won't be able to do anything before late tonight or tomorrow.

No problem, whenever you can get to it. We don't want to see any heads rolling around... :)
IndiGenus


#46 ent

    Regular Member

  • Honorary Members
  • 56 posts

Posted 18 November 2009 - 08:26 PM

Here is the DDS.txt and Attach.txt as a zip file (per DDS's instructions). I assume that you want me to continue with the rest of the steps.


DDS (Ver_09-10-26.01) - NTFSx86
Run by Bill Entwistle at 19:13:59.23 on Wed 11/18/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.140 [GMT -6:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
svchost.exe
C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\RCrawler\RCrawler.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\CapsUnlock\CapsUnlock.exe
C:\Program Files\FlashTray Pro\FlashTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Bill Entwistle\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {826e7566-fc8a-4294-a7f9-3025321aa7d8} - beyofaji.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [SpybotDeletingB2949] command.com /c del "c:\windows\system32\jibikupa.dll_old"
uRunOnce: [SpybotDeletingD613] cmd.exe /c del "c:\windows\system32\jibikupa.dll_old"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Corel Photo Downloader] c:\program files\corel\corel snapfire plus\Corel Photo Downloader.exe
mRun: [Motive SmartBridge] c:\progra~1\sbclig~1\smartb~1\MotiveSB.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Registry Crawler] c:\progra~1\rcrawler\RCrawler.exe -TRAYONLY
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [surezadil] Rundll32.exe "c:\windows\system32\jibikupa.dll",a
mRunOnce: [Spybot - Search & Destroy] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
mRunOnce: [SpybotDeletingA4277] command.com /c del "c:\windows\system32\jibikupa.dll_old"
mRunOnce: [SpybotDeletingC3045] cmd.exe /c del "c:\windows\system32\jibikupa.dll_old"
StartupFolder: c:\docume~1\billen~1\startm~1\programs\startup\alarm.lnk - c:\program files\alarm\Alarm.exe
StartupFolder: c:\docume~1\billen~1\startm~1\programs\startup\capsun~1.lnk - c:\program files\capsunlock\CapsUnlock.exe
StartupFolder: c:\docume~1\billen~1\startm~1\programs\startup\flasht~1.lnk - c:\program files\flashtray pro\FlashTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\microt~1.lnk - c:\program files\microtek\scanwizard 5\ScannerFinder.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: internet
Trusted Zone: netflix.com\www
Trusted Zone: pandora.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177138576847
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177467272937
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6}
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: pirovebob - {04d7d960-4f27-46d5-93ed-16ca2147be51} - c:\windows\system32\dorugeba.dll
SSODL: toyufibod - {57bc0a5c-54d7-4a9a-9c1d-a46094d906a6} - c:\windows\system32\jibikupa.dll
STS: gahurihor: {04d7d960-4f27-46d5-93ed-16ca2147be51} - c:\windows\system32\dorugeba.dll
STS: jugezatag: {57bc0a5c-54d7-4a9a-9c1d-a46094d906a6} - c:\windows\system32\jibikupa.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\eudora\EuShlExt.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Notification Packages = scecli diwunawo.dll
mASetup: {621FCD24-4498-4324-A81E-07D331376EDF} - c:\program files\pixiepack codec pack\InstallerHelper.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\billen~1\applic~1\mozilla\firefox\profiles\6xnqpoll.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-7-30 161064]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-4 102448]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-11-14 38224]
S2 0258161238559076mcinstcleanup;0258161238559076mcinstcleanup; [x]
S2 0327391238561196mcinstcleanup;0327391238561196mcinstcleanup; [x]
S3 LW;LW;c:\docume~1\billen~1\locals~1\temp\lw.exe --> c:\docume~1\billen~1\locals~1\temp\LW.exe [?]
S3 notecable;NoteCable Driver (WDM);c:\windows\system32\drivers\notcable.sys --> c:\windows\system32\drivers\notcable.sys [?]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]

=============== Created Last 30 ================

2009-11-15 05:38:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-15 05:38:40 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-14 23:10:57 304920 ------w- c:\windows\system32\drivers\iastor.sys
2009-11-08 23:54:32 98816 ----a-w- c:\windows\sed.exe
2009-11-08 23:54:32 77312 ----a-w- c:\windows\MBR.exe
2009-11-08 23:54:32 267264 ----a-w- c:\windows\PEV.exe
2009-11-08 23:54:32 161792 ----a-w- c:\windows\SWREG.exe
2009-11-08 23:54:08 0 d-s---w- C:\ComboFix
2009-11-08 14:48:18 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2009-11-03 02:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-19 23:53:44 3070976 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-09-25 05:37:11 667136 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:37:11 667136 ------w- c:\windows\system32\dllcache\wininet.dll
2009-09-25 05:37:11 627712 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-09-25 05:37:10 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2009-09-25 05:37:09 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-25 05:37:09 81920 ------w- c:\windows\system32\dllcache\ieencode.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:00:21 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
2008-11-28 08:08:22 88 --sh--r- c:\windows\system32\3EEC6A8C6D.sys
2008-11-27 07:59:36 88 --sh--r- c:\windows\system32\736179D2E2.sys
2008-11-28 08:08:24 5174 --sh--w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 19:15:17.95 ===============


#47 ent

    Regular Member

  • Honorary Members
  • 56 posts

Posted 18 November 2009 - 10:26 PM

I'm not sure if I ran it right, but here's my GMER log.


GMER 1.0.15.15227 - http://www.gmer.net
Rootkit scan 2009-11-18 21:23:34
Windows 5.1.2600 Service Pack 3
Running: 11lrt2zh.exe; Driver: C:\DOCUME~1\BILLEN~1\LOCALS~1\Temp\uftdipoc.sys


---- System - GMER 1.0.15 ----

SSDT 860F8380 ZwConnectPort
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA6F83350]
SSDT 862B5A90 ZwQueryValueKey
SSDT 861960B8 ZwResumeThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA6F83580]

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)
Device DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
---- Processes - GMER 1.0.15 ----

Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\PROGRA~1\RCrawler\RCrawler.exe [264] 0x10000000
Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\Program Files\Common Files\Symantec Shared\ccApp.exe [300] 0x10000000
Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\Program Files\Dell Support\DSAgnt.exe [492] 0x10000000
Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [516] 0x009A0000
Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\Program Files\Messenger\msmsgs.exe [604] 0x10000000
Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [848] 0x00AF0000
Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\WINDOWS\system32\hkcmd.exe [1256] 0x00EB0000
Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\WINDOWS\system32\igfxpers.exe [1312] 0x00F60000
Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\WINDOWS\stsystra.exe [1384] 0x014F0000
Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe [1416] 0x010E0000
Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\Program Files\Dell\Media Experience\DMXLauncher.exe [1444] 0x10000000
Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\WINDOWS\System32\DLA\DLACTRLW.EXE [1500] 0x00940000
Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe [1912] 0x00FB0000
Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe [1944] 0x02410000
Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\Program Files\iTunes\iTunesHelper.exe [1984] 0x00D50000
Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe [2044] 0x00AA0000
Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe [2344] 0x009E0000
Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\Program Files\CapsUnlock\CapsUnlock.exe [2448] 0x00880000
Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\Program Files\FlashTray Pro\FlashTray.exe [2604] 0x10000000
Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jucheck.exe [2868] 0x00A70000
Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\WINDOWS\system32\wscntfy.exe [3256] 0x10000000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- EOF - GMER 1.0.15 ----

#48 IndiGenus (True Member, Experts, 359 posts, New England, USA)

Posted 19 November 2009 - 11:25 AM

You're still heavily infected here. :)

MBAM was able to get part of it, but not all. This is where combofix does its best work. Would you object to running combofix again? Delete the version you have now if you haven't already done so and download a fresh copy. I'm not exactly sure what happened the first time you ran cf but iastor.sys was definitely infected at the time. Being such a low level driver it can be difficult to remove without having any issues. I don't think it's infected at this point (no guarantees but...) so I think we're in better shape to make a run at it with combofix. Worst case? We now know how to get it running again. But I don't think that's going to happen this time.

Let me know.
IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then Posted Image

"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi


#49 ent (Regular Member, Honorary Members, 56 posts)

Posted 19 November 2009 - 12:18 PM

I've had an interesting development. Let me know what you think.

I've been trying lots of things and running some scans. I had been avoiding rebooting because this is when malware seems to reinstall itself. I realized that the malware had done a good job of deactivating all of my virus protection. I was able to turn Symantec back on and it immediately detected and stopped a real-time intrusion from something, I think it was a Virtumonde trojan. I did a scan with Spybot and I think it found nothing, so I decided I would risk rebooting.

I've never seen this before, but when it started up, Spybot started running before the desktop displayed. On a blank background, it ran a full scan. I don't recall seeing any results, but when it finished booting, I found that I could enable all of my malware protection (Symantec, Spybot, Malwarebytes, Windows Defender). I updated all of them to their latest versions. My Windows security seems to be up to date, as well.

I can now run a full scan with all four products and none of them turn up anything. Also, all of the telltale signs of being hijacked seem to be gone (odd blinking of the task manager display, a window that blinks open and closed on boot, an error message about failure to load a driver on boot, etc). They're gone and the system seems to be operating OK.

So I am a little hesitant to re-run combofix. Would it make sense to go back to square one and generate a HijackThis log? Or re-run some of these other less intrusive diagnostics, maybe the live CD?

#50 IndiGenus (True Member, Experts, 359 posts, New England, USA)

Posted 19 November 2009 - 12:20 PM

Okay great. Let's get another scan with DDS and post the logs.
IndiGenus

#51 ent (Regular Member, Honorary Members, 56 posts)

Posted 19 November 2009 - 08:15 PM

Here you go.


DDS (Ver_09-10-26.01) - NTFSx86
Run by Bill Entwistle at 19:09:19.84 on Thu 11/19/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.254 [GMT -6:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\RCrawler\RCrawler.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\CapsUnlock\CapsUnlock.exe
C:\Program Files\FlashTray Pro\FlashTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Putty\Putty.exe
C:\WINDOWS\system32\mstsc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Bill Entwistle\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {826e7566-fc8a-4294-a7f9-3025321aa7d8} - beyofaji.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Corel Photo Downloader] c:\program files\corel\corel snapfire plus\Corel Photo Downloader.exe
mRun: [Motive SmartBridge] c:\progra~1\sbclig~1\smartb~1\MotiveSB.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Registry Crawler] c:\progra~1\rcrawler\RCrawler.exe -TRAYONLY
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [vptray] c:\progra~1\symant~1\\vptray.exe
StartupFolder: c:\docume~1\billen~1\startm~1\programs\startup\alarm.lnk - c:\program files\alarm\Alarm.exe
StartupFolder: c:\docume~1\billen~1\startm~1\programs\startup\capsun~1.lnk - c:\program files\capsunlock\CapsUnlock.exe
StartupFolder: c:\docume~1\billen~1\startm~1\programs\startup\flasht~1.lnk - c:\program files\flashtray pro\FlashTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\microt~1.lnk - c:\program files\microtek\scanwizard 5\ScannerFinder.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: internet
Trusted Zone: netflix.com\www
Trusted Zone: pandora.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177138576847
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177467272937
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6}
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: pirovebob - {04d7d960-4f27-46d5-93ed-16ca2147be51} - c:\windows\system32\dorugeba.dll
SSODL: toyufibod - {57bc0a5c-54d7-4a9a-9c1d-a46094d906a6} - c:\windows\system32\jibikupa.dll
STS: gahurihor: {04d7d960-4f27-46d5-93ed-16ca2147be51} - c:\windows\system32\dorugeba.dll
STS: jugezatag: {57bc0a5c-54d7-4a9a-9c1d-a46094d906a6} - c:\windows\system32\jibikupa.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\eudora\EuShlExt.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Notification Packages = scecli diwunawo.dll
mASetup: {621FCD24-4498-4324-A81E-07D331376EDF} - c:\program files\pixiepack codec pack\InstallerHelper.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\billen~1\applic~1\mozilla\firefox\profiles\6xnqpoll.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-7-30 161064]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-4 102448]
S2 0258161238559076mcinstcleanup;0258161238559076mcinstcleanup; [x]
S2 0327391238561196mcinstcleanup;0327391238561196mcinstcleanup; [x]
S3 LW;LW;c:\docume~1\billen~1\locals~1\temp\lw.exe --> c:\docume~1\billen~1\locals~1\temp\LW.exe [?]
S3 notecable;NoteCable Driver (WDM);c:\windows\system32\drivers\notcable.sys --> c:\windows\system32\drivers\notcable.sys [?]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]

=============== Created Last 30 ================

2009-11-15 05:38:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-15 05:38:40 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-14 23:10:57 304920 ------w- c:\windows\system32\drivers\iastor.sys
2009-11-08 23:54:32 98816 ----a-w- c:\windows\sed.exe
2009-11-08 23:54:32 77312 ----a-w- c:\windows\MBR.exe
2009-11-08 23:54:32 267264 ----a-w- c:\windows\PEV.exe
2009-11-08 23:54:32 161792 ----a-w- c:\windows\SWREG.exe
2009-11-08 23:54:08 0 d-s---w- C:\ComboFix
2009-11-08 14:48:18 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2009-11-03 02:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-19 23:53:44 3070976 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-09-25 05:37:11 667136 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:37:11 667136 ------w- c:\windows\system32\dllcache\wininet.dll
2009-09-25 05:37:11 627712 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-09-25 05:37:10 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2009-09-25 05:37:09 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-25 05:37:09 81920 ------w- c:\windows\system32\dllcache\ieencode.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:00:21 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
2008-11-28 08:08:22 88 --sh--r- c:\windows\system32\3EEC6A8C6D.sys
2008-11-27 07:59:36 88 --sh--r- c:\windows\system32\736179D2E2.sys
2008-11-28 08:08:24 5174 --sh--w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 19:10:12.15 ===============

Attached Files


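A triage pass over the two log formats posted above (GMER's "Library ... @ process" and "Reg ..." lines, and the BHO/SSODL/STS/LSA lines of DDS's pseudo-HJT report), added here as an example and not a tool the forum or its helpers used. It flags the signals a helper reads first in these logs: one hidden DLL loaded into many processes while LoadAppInit_DLLs is 1 (the switch that makes Windows load AppInit_DLLs into every process that loads user32.dll), autostart modules with no descriptive name or a random-looking file name, and LSA notification packages beyond the default. The sample lines are copied from the logs in this thread; the allow-list (`scecli` only) and the eight-lowercase-letter name heuristic are constructed assumptions tuned to the names seen here, not authoritative rules.

```python
"""Triage helper for the GMER and DDS log formats posted in this thread.

Added example; not a tool the forum or its helpers used. Sample lines are
copied from the logs above; the allow-list and the random-name heuristic are
constructed assumptions, not authoritative rules.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample input: GMER lines copied from the log above.
SAMPLE_GMER = r"""
Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\Program Files\iTunes\iTunesHelper.exe [1984] 0x00D50000
Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jucheck.exe [2868] 0x00A70000
Library c:\windows\system32\jibikupa.dll (*** hidden *** ) @ C:\WINDOWS\system32\wscntfy.exe [3256] 0x10000000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
""".strip().splitlines()

# Constructed sample input: pseudo-HJT lines copied from the DDS log above.
SAMPLE_DDS = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {826e7566-fc8a-4294-a7f9-3025321aa7d8} - beyofaji.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: pirovebob - {04d7d960-4f27-46d5-93ed-16ca2147be51} - c:\windows\system32\dorugeba.dll
STS: jugezatag: {57bc0a5c-54d7-4a9a-9c1d-a46094d906a6} - c:\windows\system32\jibikupa.dll
LSA: Notification Packages = scecli diwunawo.dll
""".strip().splitlines()

GMER_LIB_RE = re.compile(r"^Library (\S+) \(\*\*\* hidden \*\*\* \) @ (.+) \[(\d+)\] 0x[0-9A-Fa-f]+$")
GMER_REG_RE = re.compile(r"^Reg (.+)@(\S+)(?: (.*))?$")
# kind, optional descriptive name, CLSID, module path
HJT_RE = re.compile(r"^(BHO|SSODL|STS): (?:(.*?) ?[:-] )?(\{[0-9A-Fa-f-]{36}\}) - (.+)$")
LSA_RE = re.compile(r"^LSA: Notification Packages = (.*)$")
# Constructed heuristic: 8 lowercase letters, like the Vundo names in this thread.
RANDOM_STEM_RE = re.compile(r"^[a-z]{8}$")
# Constructed allow-list: the default XP value of Notification Packages.
KNOWN_LSA_PACKAGES = {"scecli"}


def parse_gmer(lines):
    """Return (hidden_spread, appinit_enabled).

    hidden_spread maps each library GMER marked hidden to the set of processes
    it was found in; appinit_enabled is True when LoadAppInit_DLLs is 1.
    """
    spread = defaultdict(set)
    appinit_enabled = False
    for line in lines:
        line = line.strip()
        m = GMER_LIB_RE.match(line)
        if m:
            spread[m.group(1).lower()].add(m.group(2))
            continue
        m = GMER_REG_RE.match(line)
        if m and m.group(2) == "LoadAppInit_DLLs" and (m.group(3) or "").strip() == "1":
            appinit_enabled = True
    return dict(spread), appinit_enabled


def parse_dds(lines):
    """Return (autostart entries, LSA notification packages) from pseudo-HJT lines."""
    entries, lsa_packages = [], []
    for line in lines:
        line = line.strip()
        m = HJT_RE.match(line)
        if m:
            kind, name, clsid, path = m.groups()
            entries.append({"kind": kind, "name": name, "clsid": clsid.lower(), "path": path})
            continue
        m = LSA_RE.match(line)
        if m:
            lsa_packages = m.group(1).split()
    return entries, lsa_packages


def looks_random(path):
    """Constructed heuristic: module file name is eight lowercase letters."""
    return bool(RANDOM_STEM_RE.match(PureWindowsPath(path).stem))


def triage(gmer_lines, dds_lines, min_processes=3):
    """Return human-readable findings for a helper to review, in log order."""
    findings = []
    spread, appinit_enabled = parse_gmer(gmer_lines)
    for dll, procs in sorted(spread.items()):
        if len(procs) >= min_processes:
            findings.append(f"hidden module {dll} loaded into {len(procs)} processes")
    if appinit_enabled and spread:
        findings.append("LoadAppInit_DLLs=1 with hidden modules present: review the AppInit_DLLs value")
    entries, lsa_packages = parse_dds(dds_lines)
    for e in entries:
        if e["name"] is None or looks_random(e["path"]):
            findings.append(f"{e['kind']} {e['clsid']} -> {e['path']} (unnamed or random-looking module)")
    for pkg in lsa_packages:
        if PureWindowsPath(pkg).stem.lower() not in KNOWN_LSA_PACKAGES:
            findings.append(f"LSA Notification Packages has unexpected entry {pkg}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_GMER, SAMPLE_DDS):
        print(finding)
```

On the thread's own lines this yields six findings: jibikupa.dll in every listed process with AppInit loading enabled, the nameless BHO beyofaji.dll, the dorugeba.dll and jibikupa.dll SSODL/STS entries, and diwunawo.dll in the LSA package list, which is exactly the set ComboFix later reports under "ORPHANS REMOVED". Legitimate entries such as the Adobe BHO and WPDShServiceObj pass.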

#52 IndiGenus (True Member, Experts, 359 posts, New England, USA)

Posted 19 November 2009 - 08:27 PM

Vundo is still present. Doesn't look like it's hooking Winlogon anymore though. What do you get after running MBAM? Still finding anything?

I would really like to try combofix again here. I don't believe that your iastor.sys is infected so there should not be an issue with that. I've used and seen combofix used thousands of times with an extremely small percentage of issues like you had. But I'll understand if you don't want to run it.

We may be able to take care of the rest of this manually. DDS does not provide any options for fixing things, so we'd need to run another tool that will. If you want to go that way then download and run the following tool, then post the logs.

OTL - Download

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    %SYSTEMDRIVE%\eventlog.dll /s /md5
    %SYSTEMDRIVE%\scecli.dll /s /md5
    %SYSTEMDRIVE%\netlogon.dll /s /md5
    %SYSTEMDRIVE%\cngaudit.dll /s /md5
    %SYSTEMDRIVE%\sceclt.dll /s /md5
    %SYSTEMDRIVE%\ntelogon.dll /s /md5
    %SYSTEMDRIVE%\logevent.dll /s /md5
    %SYSTEMDRIVE%\iaStor.sys /s /md5
    %SYSTEMDRIVE%\nvstor.sys /s /md5
    %SYSTEMDRIVE%\atapi.sys /s /md5
    %SYSTEMDRIVE%\IdeChnDr.sys /s /md5
    %SYSTEMDRIVE%\viasraid.sys /s /md5
    %SYSTEMDRIVE%\AGP440.sys /s /md5
    %SYSTEMDRIVE%\vaxscsi.sys /s /md5
    %SYSTEMDRIVE%\nvatabus.sys /s /md5
    CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them if you need to start a new topic.

IndiGenus

#53 ent (Regular Member, Honorary Members, 56 posts)

Posted 19 November 2009 - 09:28 PM

Malwarebytes turns up no infections on a full scan.

I ran combofix and it did a long scan, then started to reboot and put up the following dialog box:

-----

Unable to create a backup of the current registry file
C:\WINDOWS\system32\config\SOFTWARE

Continue restoration of the file?

| Yes | | No |

-----

Should I confirm?

#54 ent (Regular Member, Honorary Members, 56 posts)

Posted 19 November 2009 - 11:19 PM

Just a wild guess. Could this be because it's trying to overwrite a read-only backup from the previous time I ran combofix?

#55 IndiGenus (True Member, Experts, 359 posts, New England, USA)

Posted 20 November 2009 - 01:29 AM

Just a wild guess. Could this be because it's trying to overwrite a read-only backup from the previous time I ran combofix?

That's what I was thinking...I've never seen that one before but I'll look into it. Did you continue? I would just advise continuing with Yes. Hopefully you will get a log and we can move forward.
IndiGenus

#56 ent (Regular Member, Honorary Members, 56 posts)

Posted 20 November 2009 - 01:43 AM

I clicked Yes and got the following dialog box:

-----

Error restoring
C:\WINDOWS\erdnt\subs\SOFTWARE

Continue with the next file?

[ RegReplacekey: 1450 - Insufficient system resources
to complete the requested service. ]

| Yes | | No |

-----

Keep going?

#57 ent (Regular Member, Honorary Members, 56 posts)

Posted 20 November 2009 - 02:28 AM

I clicked "Yes" and it finished booting. During the boot-up process, it displayed a brief message about checking drive J:, said it was "dirty", and displayed a chkdsk-like message before proceeding, fwiw.

Here's the log:

ComboFix 09-11-19.05 - Bill Entwistle 11/19/2009 20:13.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.376 [GMT -6:00]
Running from: c:\documents and settings\Bill Entwistle\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common

Infected copy of c:\windows\system32\drivers\iaStor.sys was found and disinfected
Restored copy from - Kitty ate it :)
.
((((((((((((((((((((((((( Files Created from 2009-10-20 to 2009-11-20 )))))))))))))))))))))))))))))))
.

2009-11-15 07:07 . 2009-11-15 07:07 -------- d-----w- c:\program files\Windows Defender
2009-11-15 05:38 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-15 05:38 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-14 23:10 . 2009-11-14 23:10 304920 ------w- c:\windows\system32\drivers\iastor.sys
2009-11-08 14:48 . 2009-11-15 05:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-07 16:03 . 2009-11-15 14:42 79488 ----a-w- c:\documents and settings\Bill Entwistle\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-20 07:09 . 2009-04-04 17:50 -------- d-----w- c:\program files\Symantec AntiVirus
2009-11-20 00:53 . 2007-04-27 06:01 -------- d-----w- c:\program files\Firefox
2009-11-19 07:10 . 2009-01-11 08:54 -------- d-----w- c:\program files\Thunderbird
2009-11-17 02:33 . 2007-04-26 04:52 -------- d-----w- c:\program files\TextPad 4
2009-11-17 02:02 . 2007-04-27 01:17 -------- d-----w- c:\program files\LView
2009-11-15 05:15 . 2009-04-01 04:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-12 23:55 . 2007-05-11 03:22 -------- d-----w- c:\program files\Common Files\Motive
2009-11-03 02:42 . 2009-10-02 22:36 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-31 17:41 . 2009-05-12 14:19 1324 ------w- c:\windows\system32\d3d9caps.dat
2009-09-25 05:37 . 2004-08-11 21:00 667136 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:37 . 2004-08-11 21:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-11 14:18 . 2004-08-11 21:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-11 21:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:00 . 2004-08-11 21:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2008-11-28 08:08 . 2007-05-07 06:28 88 --sh--r- c:\windows\system32\3EEC6A8C6D.sys
2008-11-27 07:59 . 2007-04-24 04:52 88 --sh--r- c:\windows\system32\736179D2E2.sys
2008-11-28 08:08 . 2007-04-24 04:52 5174 --sh--w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Corel Photo Downloader"="c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe" [2006-08-14 462336]
"Motive SmartBridge"="c:\progra~1\SBCLIG~1\SMARTB~1\MotiveSB.exe" [2003-12-10 380928]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-26 267064]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-07-30 177448]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"Registry Crawler"="c:\progra~1\RCrawler\RCrawler.exe" [2004-02-03 454656]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"vptray"="c:\progra~1\SYMANT~1\\vptray.exe" [2006-09-28 125168]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-07-24 282624]

c:\documents and settings\Bill Entwistle\Start Menu\Programs\Startup\
Alarm.lnk - c:\program files\Alarm\Alarm.exe [2007-6-28 167936]
CapsUnlock.lnk - c:\program files\CapsUnlock\CapsUnlock.exe [2007-4-24 13312]
FlashTray.lnk - c:\program files\FlashTray Pro\FlashTray.exe [2007-5-7 555520]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Microtek Scanner Finder.lnk - c:\program files\Microtek\ScanWizard 5\ScannerFinder.exe [2008-1-14 344064]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Eudora\EuShlExt.dll" [2006-08-17 86016]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"g:\\WS FTP\\WS_FTP95.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\TeraTerm\\ttermpro.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\Seagate\\SeagateManager\\FreeAgent Status\\stxmenumgr.exe"=
"c:\\Program Files\\Dell Support\\DSAgnt.exe"=

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [7/30/2008 2:23 PM 161064]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/4/2009 7:03 PM 102448]
S2 0258161238559076mcinstcleanup;0258161238559076mcinstcleanup; [x]
S2 0327391238561196mcinstcleanup;0327391238561196mcinstcleanup; [x]
S3 LW;LW;c:\docume~1\BILLEN~1\LOCALS~1\Temp\LW.exe --> c:\docume~1\BILLEN~1\LOCALS~1\Temp\LW.exe [?]
S3 notecable;NoteCable Driver (WDM);c:\windows\system32\drivers\notcable.sys --> c:\windows\system32\drivers\notcable.sys [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 7:33 PM 116464]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2009-11-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]

2009-11-20 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-30 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: internet
Trusted Zone: netflix.com\www
Trusted Zone: pandora.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Bill Entwistle\Application Data\Mozilla\Firefox\Profiles\6xnqpoll.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

BHO-{826e7566-fc8a-4294-a7f9-3025321aa7d8} - beyofaji.dll
SharedTaskScheduler-{04d7d960-4f27-46d5-93ed-16ca2147be51} - c:\windows\system32\dorugeba.dll
SharedTaskScheduler-{57bc0a5c-54d7-4a9a-9c1d-a46094d906a6} - c:\windows\system32\jibikupa.dll
SSODL-pirovebob-{04d7d960-4f27-46d5-93ed-16ca2147be51} - c:\windows\system32\dorugeba.dll
SSODL-toyufibod-{57bc0a5c-54d7-4a9a-9c1d-a46094d906a6} - c:\windows\system32\jibikupa.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-20 01:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1208)
c:\progra~1\SBCLIG~1\SMARTB~1\SBHook.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\program files\FlashTray Pro\BSFTHOOK.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\progra~1\SYMANT~1\vptray.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-11-20 01:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-20 07:23
ComboFix2.txt 2008-11-30 16:59

Pre-Run: 45,873,872,896 bytes free
Post-Run: 45,545,304,064 bytes free

- - End Of File - - 3ED94EFF952BA2D6659CEF95D37E63EF

#58 IndiGenus (True Member, Experts, 359 posts, New England, USA)

Posted 20 November 2009 - 11:14 AM

Well it looks like iastor.sys had been re-infected.

Some of the errors may have been due to the fact that Symantec was still running during CF.

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}


How is it running?

I would like to see an OTL scan done. Can you run that as instructed earlier, with the switches?

IndiGenus

"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi



#59 ent (Regular Member, Honorary Members, 56 posts)

Posted 21 November 2009 - 06:56 PM

It seems to be running fine. Nothing showing up on full scans.

Here are the two logs:

--------------------------------------------

OTL logfile created on: 11/21/2009 5:35:16 PM - Run 1
OTL by OldTimer - Version 3.1.6.2 Folder = C:\Documents and Settings\Bill Entwistle\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1013.84 Mb Total Physical Memory | 110.82 Mb Available Physical Memory | 10.93% Memory free
2.38 Gb Paging File | 1.57 Gb Available in Paging File | 65.90% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 68.36 Gb Total Space | 42.44 Gb Free Space | 62.08% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 68.36 Gb Total Space | 37.28 Gb Free Space | 54.53% Space Free | Partition Type: NTFS
Drive G: | 2.93 Gb Total Space | 1.13 Gb Free Space | 38.52% Space Free | Partition Type: NTFS
Drive H: | 6.31 Gb Total Space | 5.17 Gb Free Space | 81.96% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded

Computer Name: TUCKER
Current User Name: Bill Entwistle
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/11/21 17:34:15 | 00,529,408 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Bill Entwistle\Desktop\OTL.exe
PRC - [2009/09/10 14:53:56 | 01,312,080 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
PRC - [2009/08/20 21:13:33 | 08,318,056 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Thunderbird\thunderbird.exe
PRC - [2009/03/05 16:07:20 | 02,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2009/01/26 14:31:12 | 05,365,592 | ---- | M] (Safer Networking Limited) -- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
PRC - [2008/11/10 05:43:42 | 00,136,600 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2008/11/10 05:43:40 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2008/07/30 14:23:26 | 00,161,064 | ---- | M] (Seagate Technology LLC) -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
PRC - [2008/07/30 14:23:02 | 00,177,448 | ---- | M] (Seagate LLC) -- C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
PRC - [2008/04/13 18:12:37 | 00,135,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\taskmgr.exe
PRC - [2008/04/13 18:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
PRC - [2008/04/13 18:12:23 | 00,677,888 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mstsc.exe
PRC - [2008/04/13 18:12:22 | 00,093,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2008/04/13 18:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/04/13 18:12:14 | 00,389,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cmd.exe
PRC - [2007/11/08 09:20:22 | 00,344,064 | ---- | M] () -- C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
PRC - [2007/09/26 13:42:04 | 00,267,064 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2007/09/26 13:41:56 | 00,503,608 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2007/09/06 12:28:18 | 00,110,592 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2007/06/13 06:17:45 | 00,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2007/04/24 23:12:13 | 00,013,312 | ---- | M] (BrainSystems) -- C:\Program Files\CapsUnlock\CapsUnlock.exe
PRC - [2006/11/03 19:20:12 | 00,866,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2006/11/03 19:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2006/09/27 19:33:44 | 00,125,168 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2006/09/27 19:33:42 | 00,280,304 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPC32.exe
PRC - [2006/09/27 19:33:32 | 01,813,232 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2006/09/27 19:33:22 | 00,031,472 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2006/08/28 19:57:12 | 00,395,776 | ---- | M] (Gteko Ltd.) -- C:\Program Files\Dell Support\DSAgnt.exe
PRC - [2006/08/14 12:20:26 | 00,462,336 | ---- | M] (Corel, Inc.) -- C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
PRC - [2006/07/24 08:20:00 | 00,282,624 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2006/07/21 14:50:10 | 00,086,016 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2006/07/21 14:47:00 | 00,081,920 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe
PRC - [2006/07/19 18:26:12 | 00,169,632 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2006/07/19 18:26:06 | 00,192,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2006/07/19 18:26:04 | 00,052,896 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2006/07/06 05:15:00 | 00,151,552 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2006/07/06 05:14:30 | 00,090,112 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2006/05/29 15:37:53 | 00,421,888 | ---- | M] () -- C:\Program Files\Putty\Putty.exe
PRC - [2006/04/11 16:13:38 | 01,160,848 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
PRC - [2005/10/05 01:12:00 | 00,094,208 | ---- | M] () -- C:\Program Files\Dell\Media Experience\DMXLauncher.exe
PRC - [2005/09/08 03:20:00 | 00,122,940 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLACTRLW.EXE
PRC - [2004/08/03 21:11:46 | 00,555,520 | ---- | M] (BlackSun Software) -- C:\Program Files\FlashTray Pro\FlashTray.exe
PRC - [2004/07/27 14:50:18 | 00,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PRC - [2004/02/03 08:06:00 | 00,454,656 | ---- | M] (4Developers LLC) -- C:\Program Files\RCrawler\rcrawler.exe
PRC - [2003/12/10 03:52:40 | 00,380,928 | ---- | M] (Motive Communications, Inc.) -- C:\Program Files\SBC LightSpeed Self Support Tool\SmartBridge\MotiveSB.exe


========== Modules (SafeList) ==========

MOD - [2009/11/21 17:34:15 | 00,529,408 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Bill Entwistle\Desktop\OTL.exe
MOD - [2008/04/13 18:12:51 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
MOD - [2008/04/13 18:11:53 | 00,185,344 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\framedyn.dll
MOD - [2007/04/24 23:12:13 | 00,003,072 | ---- | M] () -- C:\Program Files\CapsUnlock\CapsUnlock.dll
MOD - [2004/04/16 09:04:58 | 00,126,976 | ---- | M] (Motive Communications, Inc.) -- C:\Program Files\SBC LightSpeed Self Support Tool\SmartBridge\SBHook.dll
MOD - [2002/11/09 19:28:16 | 00,041,984 | ---- | M] () -- C:\Program Files\FlashTray Pro\BSFThook.dll


========== Win32 Services (SafeList) ==========

SRV - File not found -- -- (McNASvc)
SRV - File not found -- -- (mcmscsvc)
SRV - File not found -- -- (LW)
SRV - File not found -- -- (0327391238561196mcinstcleanup)
SRV - File not found -- -- (0258161238559076mcinstcleanup)
SRV - [2009/04/22 18:52:55 | 00,182,768 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2008/11/10 05:43:40 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2008/07/30 14:23:26 | 00,161,064 | ---- | M] (Seagate Technology LLC) -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe -- (FreeAgentGoNext Service)
SRV - [2008/07/29 20:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0)
SRV - [2008/07/29 18:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc)
SRV - [2008/07/29 18:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing)
SRV - [2008/07/25 10:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2008/07/25 10:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state)
SRV - [2008/04/13 18:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll -- (helpsvc)
SRV - [2007/09/26 13:41:56 | 00,503,608 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2007/09/06 12:28:18 | 00,110,592 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2006/11/03 19:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc)
SRV - [2006/09/27 19:33:38 | 00,116,464 | ---- | M] (symantec) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2006/09/27 19:33:32 | 01,813,232 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2006/09/27 19:33:22 | 00,031,472 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2006/08/25 12:00:38 | 02,528,960 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_1.EXE -- (LiveUpdate)
SRV - [2006/08/07 15:03:02 | 00,214,720 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2006/07/19 18:26:12 | 00,169,632 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2006/07/19 18:26:06 | 00,192,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2006/07/06 05:14:30 | 00,090,112 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®
SRV - [2006/04/11 16:13:38 | 01,160,848 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...p...ER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070418
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070418

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "about:blank"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}:6.0.10
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}:6.0.11
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.5

FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2008/11/09 22:23:16 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/02 02:01:01 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Firefox\components [2009/11/14 23:36:40 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Firefox\plugins [2009/11/14 23:36:34 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Components: C:\Program Files\Thunderbird\components [2009/08/20 21:13:36 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Plugins: C:\Program Files\Thunderbird\plugins

[2009/11/14 23:34:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Mozilla\Extensions
[2009/11/14 23:34:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/11/15 01:17:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Mozilla\Firefox\Profiles\6xnqpoll.default\extensions
[2009/09/09 21:27:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Mozilla\Firefox\Profiles\6xnqpoll.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

O1 HOSTS File: (27 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL (Sonic Solutions)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll (Google Inc.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (Dell Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe (Corel, Inc.)
O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe ()
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [MaxMenuMgr] C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe (Seagate LLC)
O4 - HKLM..\Run: [Motive SmartBridge] C:\Program Files\SBC LightSpeed Self Support Tool\SmartBridge\MotiveSB.exe (Motive Communications, Inc.)
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [Registry Crawler] C:\Program Files\RCrawler\rcrawler.exe (4Developers LLC)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe ()
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [DellSupport] C:\Program Files\Dell Support\DSAgnt.exe (Gteko Ltd.)
O4 - HKCU..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe ()
O4 - Startup: C:\Documents and Settings\Bill Entwistle\Start Menu\Programs\Startup\Alarm.lnk = C:\Program Files\Alarm\Alarm.exe (Bluefive software)
O4 - Startup: C:\Documents and Settings\Bill Entwistle\Start Menu\Programs\Startup\CapsUnlock.lnk = C:\Program Files\CapsUnlock\CapsUnlock.exe (BrainSystems)
O4 - Startup: C:\Documents and Settings\Bill Entwistle\Start Menu\Programs\Startup\FlashTray.lnk = C:\Program Files\FlashTray Pro\FlashTray.exe (BlackSun Software)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 50 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKCU\..Trusted Domains: netflix.com ([www] http in Trusted sites)
O15 - HKCU\..Trusted Domains: netflix.com ([www] https in Trusted sites)
O15 - HKCU\..Trusted Domains: pandora.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: 55 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1177138576847 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1177467272937 (MUWebControl Class)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} Reg Error: Value error. (McFreeScan Class)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - C:\Program Files\Eudora\EuShlExt.dll (Qualcomm Inc.)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 15:15:00 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2004/02/25 23:03:54 | 00,000,194 | ---- | M] () - G:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2004/08/11 15:02:12 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: helpsvc - C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16892114965102592)

========== Files/Folders - Created Within 14 Days ==========

[2009/11/21 17:34:15 | 00,529,408 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Bill Entwistle\Desktop\OTL.exe
[2009/11/15 01:07:15 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Defender
[2009/11/15 01:03:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Bill Entwistle\My Documents\Downloads
[2009/11/14 23:38:43 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/11/14 23:38:40 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/11/14 17:10:57 | 00,304,920 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\drivers\iastor.sys
[2009/11/08 17:54:32 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/11/08 17:54:32 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/11/08 17:54:32 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/11/08 17:54:32 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/11/08 17:53:26 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/11/08 08:49:35 | 03,550,592 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Documents and Settings\Bill Entwistle\Desktop\winlogin.exe
[2009/11/08 08:48:18 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[6 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2009/11/21 17:34:15 | 00,529,408 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Bill Entwistle\Desktop\OTL.exe
[2009/11/21 02:06:00 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2009/11/21 01:00:31 | 00,000,655 | ---- | M] () -- C:\Documents and Settings\Bill Entwistle\Desktop\Windows Defender.lnk
[2009/11/21 00:57:36 | 00,000,246 | ---- | M] () -- C:\Documents and Settings\Bill Entwistle\Desktop\Security Center.lnk
[2009/11/21 00:50:09 | 00,000,933 | ---- | M] () -- C:\Documents and Settings\Bill Entwistle\Desktop\Spybot.lnk
[2009/11/21 00:47:59 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/11/21 00:47:43 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/11/21 00:47:33 | 00,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2009/11/21 00:47:24 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/11/21 00:47:20 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/11/21 00:47:18 | 10,631,65952 | -HS- | M] () -- C:\hiberfil.sys
[2009/11/21 00:46:23 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\Bill Entwistle\ntuser.ini
[2009/11/21 00:46:22 | 08,650,752 | ---- | M] () -- C:\Documents and Settings\Bill Entwistle\ntuser.dat
[2009/11/20 01:25:32 | 00,001,491 | ---- | M] () -- C:\Documents and Settings\Bill Entwistle\Desktop\C Drive.lnk
[2009/11/20 01:12:01 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/11/20 01:11:07 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/11/19 20:11:07 | 00,000,600 | ---- | M] () -- C:\Documents and Settings\Bill Entwistle\PUTTY.RND
[2009/11/19 20:10:53 | 00,001,784 | -H-- | M] () -- C:\Documents and Settings\Bill Entwistle\My Documents\Default.rdp
[2009/11/19 19:42:38 | 03,568,341 | R--- | M] () -- C:\Documents and Settings\Bill Entwistle\Desktop\ComboFix.exe
[2009/11/17 16:48:39 | 00,003,782 | ---- | M] () -- C:\WINDOWS\SDTAR861.BMP
[2009/11/17 16:48:39 | 00,003,782 | ---- | M] () -- C:\WINDOWS\SDTAR860.BMP
[2009/11/17 16:48:39 | 00,002,678 | ---- | M] () -- C:\WINDOWS\SDTAR863.BMP
[2009/11/17 16:48:39 | 00,001,334 | ---- | M] () -- C:\WINDOWS\SDTAR862.BMP
[2009/11/16 20:03:22 | 00,008,500 | ---- | M] () -- C:\WINDOWS\lviewpro.ini
[2009/11/15 12:10:21 | 00,000,259 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2009/11/15 03:05:36 | 00,000,118 | ---- | M] () -- C:\Documents and Settings\Bill Entwistle\Desktop\Infected; MBAM Being Deleted - Malwarebytes Forum.URL
[2009/11/15 02:27:37 | 00,139,648 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/11/14 23:42:10 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes.lnk
[2009/11/14 23:36:45 | 00,001,528 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Firefox.lnk
[2009/11/14 17:10:57 | 00,304,920 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\drivers\iastor.sys
[2009/11/14 01:47:57 | 00,260,608 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/11/08 11:39:39 | 00,000,182 | ---- | M] () -- C:\Documents and Settings\Bill Entwistle\Desktop\November 8th, 2009 1138 am #10.URL
[2009/11/08 08:49:35 | 03,550,592 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Documents and Settings\Bill Entwistle\Desktop\winlogin.exe
[2009/11/07 17:52:44 | 00,000,076 | ---- | M] () -- C:\Documents and Settings\Bill Entwistle\Desktop\CMS - State Employee Services.URL
[2009/11/07 17:52:10 | 00,000,075 | ---- | M] () -- C:\Documents and Settings\Bill Entwistle\Desktop\SURS - Insurance.URL
[6 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/11/21 01:00:31 | 00,000,655 | ---- | C] () -- C:\Documents and Settings\Bill Entwistle\Desktop\Windows Defender.lnk
[2009/11/21 00:57:36 | 00,000,246 | ---- | C] () -- C:\Documents and Settings\Bill Entwistle\Desktop\Security Center.lnk
[2009/11/21 00:50:09 | 00,000,933 | ---- | C] () -- C:\Documents and Settings\Bill Entwistle\Desktop\Spybot.lnk
[2009/11/19 20:09:53 | 03,568,341 | R--- | C] () -- C:\Documents and Settings\Bill Entwistle\Desktop\ComboFix.exe
[2009/11/15 01:10:20 | 00,000,330 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2009/11/14 23:38:48 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes.lnk
[2009/11/08 17:54:32 | 00,260,608 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/11/08 17:54:32 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/11/08 17:54:32 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/11/08 17:54:32 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2009/11/08 17:54:32 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/11/08 11:39:39 | 00,000,182 | ---- | C] () -- C:\Documents and Settings\Bill Entwistle\Desktop\November 8th, 2009 1138 am #10.URL
[2009/11/08 09:13:35 | 00,000,118 | ---- | C] () -- C:\Documents and Settings\Bill Entwistle\Desktop\Infected; MBAM Being Deleted - Malwarebytes Forum.URL
[2009/11/07 17:52:44 | 00,000,076 | ---- | C] () -- C:\Documents and Settings\Bill Entwistle\Desktop\CMS - State Employee Services.URL
[2009/11/07 17:52:10 | 00,000,075 | ---- | C] () -- C:\Documents and Settings\Bill Entwistle\Desktop\SURS - Insurance.URL
[2009/10/01 15:35:58 | 00,000,061 | ---- | C] () -- C:\WINDOWS\TaxACT09.ini
[2009/08/08 00:52:03 | 00,005,632 | ---- | C] () -- C:\Documents and Settings\Bill Entwistle\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/12/04 22:12:20 | 00,000,075 | ---- | C] () -- C:\WINDOWS\TaxACT08.ini
[2008/11/25 20:01:34 | 00,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2008/01/14 01:02:51 | 00,044,491 | ---- | C] () -- C:\WINDOWS\System32\MiiIniFile13.ini
[2008/01/14 01:02:48 | 00,285,216 | ---- | C] () -- C:\WINDOWS\System32\drivers\Onsio.sys
[2008/01/14 01:02:48 | 00,007,680 | ---- | C] () -- C:\WINDOWS\System32\drivers\Onsreged.sys
[2007/10/18 21:56:34 | 00,001,377 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/10/03 21:43:36 | 00,000,088 | ---- | C] () -- C:\WINDOWS\TaxACT07.ini
[2007/08/23 19:30:00 | 00,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2007/08/02 01:00:03 | 00,093,696 | ---- | C] () -- C:\WINDOWS\System32\hpgt42.dll
[2007/05/16 00:02:15 | 00,000,225 | ---- | C] () -- C:\WINDOWS\acdsee.ini
[2007/05/15 23:48:11 | 00,000,141 | ---- | C] () -- C:\WINDOWS\TaxACT06.ini
[2007/05/15 23:45:43 | 00,000,128 | ---- | C] () -- C:\WINDOWS\TaxACT05.ini
[2007/05/15 23:35:57 | 00,000,128 | ---- | C] () -- C:\WINDOWS\TaxACT04.ini
[2007/05/15 22:44:02 | 00,000,128 | ---- | C] () -- C:\WINDOWS\TaxACT03.ini
[2007/05/15 22:39:23 | 00,000,103 | ---- | C] () -- C:\WINDOWS\TaxACT02.ini
[2007/05/15 22:25:12 | 00,000,090 | ---- | C] () -- C:\WINDOWS\TAXACT01.INI
[2007/05/15 22:17:50 | 00,000,073 | ---- | C] () -- C:\WINDOWS\TaxAct00.ini
[2007/05/15 22:13:34 | 00,000,078 | ---- | C] () -- C:\WINDOWS\TaxAct99.ini
[2007/05/09 00:33:39 | 00,000,087 | ---- | C] () -- C:\WINDOWS\OPHCW.INI
[2007/05/07 00:28:48 | 00,000,088 | RHS- | C] () -- C:\WINDOWS\System32\3EEC6A8C6D.sys
[2007/04/28 20:26:12 | 00,000,042 | ---- | C] () -- C:\WINDOWS\entpack.ini
[2007/04/26 23:52:58 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/04/26 19:40:28 | 00,000,868 | ---- | C] () -- C:\WINDOWS\ULEAD32.INI
[2007/04/26 19:18:20 | 00,008,500 | ---- | C] () -- C:\WINDOWS\lviewpro.ini
[2007/04/23 22:52:15 | 00,005,174 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2007/04/23 22:52:15 | 00,000,088 | RHS- | C] () -- C:\WINDOWS\System32\736179D2E2.sys
[2007/04/21 11:45:43 | 00,005,120 | ---- | C] () -- C:\Documents and Settings\Bill Entwistle\Application Data\dvd.bmk
[2007/04/21 11:39:12 | 00,000,137 | ---- | C] () -- C:\Documents and Settings\Bill Entwistle\Local Settings\Application Data\fusioncache.dat
[2007/04/20 23:40:53 | 04,836,936 | -H-- | C] () -- C:\Documents and Settings\Bill Entwistle\Local Settings\Application Data\IconCache.db
[2007/04/20 23:40:53 | 00,018,520 | ---- | C] () -- C:\Documents and Settings\Bill Entwistle\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2007/04/20 23:40:53 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Bill Entwistle\Application Data\desktop.ini
[2007/04/17 23:10:53 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2007/04/17 23:06:50 | 00,000,259 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2007/04/17 22:41:31 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4642.dll
[2007/04/17 22:40:06 | 00,000,392 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2006/06/29 13:58:52 | 00,030,808 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont
[2006/06/29 13:53:56 | 00,026,489 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 14:39:28 | 00,029,779 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/04/18 14:39:28 | 00,026,040 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2005/11/09 23:56:34 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/11 15:24:19 | 00,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/11 15:14:58 | 00,000,000 | ---- | C] () -- C:\WINDOWS\control.ini
[2004/08/11 15:12:00 | 00,000,037 | ---- | C] () -- C:\WINDOWS\vbaddin.ini
[2004/08/11 15:12:00 | 00,000,036 | ---- | C] () -- C:\WINDOWS\vb.ini
[2004/08/11 15:11:31 | 00,013,223 | ---- | C] () -- C:\WINDOWS\System32\tslabels.ini
[2004/08/11 15:11:31 | 00,001,931 | ---- | C] () -- C:\WINDOWS\System32\msdtcprf.ini
[2004/08/11 15:11:31 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/11 15:07:25 | 00,524,016 | ---- | C] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2004/08/11 15:07:24 | 00,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/11 15:07:11 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2004/08/11 15:00:52 | 00,498,742 | ---- | C] () -- C:\WINDOWS\System32\dxmasf.dll
[2004/08/11 15:00:52 | 00,004,126 | ---- | C] () -- C:\WINDOWS\System32\msdxmlc.dll
[2004/08/11 15:00:37 | 00,013,312 | ---- | C] () -- C:\WINDOWS\System32\win87em.dll
[2004/08/11 15:00:37 | 00,001,121 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/11 15:00:35 | 00,053,478 | ---- | C] () -- C:\WINDOWS\System32\tcpmon.ini
[2004/08/11 15:00:35 | 00,015,360 | ---- | C] () -- C:\WINDOWS\System32\tsd32.dll
[2004/08/11 15:00:35 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2004/08/11 15:00:30 | 00,270,848 | ---- | C] () -- C:\WINDOWS\System32\sbe.dll
[2004/08/11 15:00:30 | 00,010,240 | ---- | C] () -- C:\WINDOWS\System32\scriptpw.dll
[2004/08/11 15:00:29 | 01,291,264 | ---- | C] () -- C:\WINDOWS\System32\quartz.dll
[2004/08/11 15:00:29 | 01,287,168 | ---- | C] () -- C:\WINDOWS\System32\quartz(2).dll
[2004/08/11 15:00:29 | 00,733,696 | ---- | C] () -- C:\WINDOWS\System32\qedwipes.dll
[2004/08/11 15:00:29 | 00,562,176 | ---- | C] () -- C:\WINDOWS\System32\qedit.dll
[2004/08/11 15:00:29 | 00,386,048 | ---- | C] () -- C:\WINDOWS\System32\qdvd.dll
[2004/08/11 15:00:29 | 00,279,040 | ---- | C] () -- C:\WINDOWS\System32\qdv.dll
[2004/08/11 15:00:29 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\qcap.dll
[2004/08/11 15:00:29 | 00,012,082 | ---- | C] () -- C:\WINDOWS\System32\rsvp.ini
[2004/08/11 15:00:29 | 00,003,458 | ---- | C] () -- C:\WINDOWS\System32\rasctrs.ini
[2004/08/11 15:00:28 | 00,006,877 | ---- | C] () -- C:\WINDOWS\System32\pschdprf.ini
[2004/08/11 15:00:28 | 00,002,891 | ---- | C] () -- C:\WINDOWS\System32\perfci.ini
[2004/08/11 15:00:28 | 00,002,732 | ---- | C] () -- C:\WINDOWS\System32\perfwci.ini
[2004/08/11 15:00:28 | 00,001,152 | ---- | C] () -- C:\WINDOWS\System32\perffilt.ini
[2004/08/11 15:00:28 | 00,000,343 | ---- | C] () -- C:\WINDOWS\System32\prodspec.ini
[2004/08/11 15:00:25 | 00,035,648 | ---- | C] () -- C:\WINDOWS\System32\ntio411.sys
[2004/08/11 15:00:25 | 00,035,424 | ---- | C] () -- C:\WINDOWS\System32\ntio412.sys
[2004/08/11 15:00:25 | 00,034,560 | ---- | C] () -- C:\WINDOWS\System32\ntio804.sys
[2004/08/11 15:00:25 | 00,034,560 | ---- | C] () -- C:\WINDOWS\System32\ntio404.sys
[2004/08/11 15:00:25 | 00,033,840 | ---- | C] () -- C:\WINDOWS\System32\ntio.sys
[2004/08/11 15:00:25 | 00,029,370 | ---- | C] () -- C:\WINDOWS\System32\ntdos411.sys
[2004/08/11 15:00:25 | 00,029,274 | ---- | C] () -- C:\WINDOWS\System32\ntdos412.sys
[2004/08/11 15:00:25 | 00,029,146 | ---- | C] () -- C:\WINDOWS\System32\ntdos804.sys
[2004/08/11 15:00:25 | 00,029,146 | ---- | C] () -- C:\WINDOWS\System32\ntdos404.sys
[2004/08/11 15:00:25 | 00,027,866 | ---- | C] () -- C:\WINDOWS\System32\ntdos.sys
[2004/08/11 15:00:24 | 00,002,656 | ---- | C] () -- C:\WINDOWS\System32\netware.drv
[2004/08/11 15:00:21 | 00,094,282 | ---- | C] () -- C:\WINDOWS\System32\msencode.dll
[2004/08/11 15:00:21 | 00,014,336 | ---- | C] () -- C:\WINDOWS\System32\msdmo.dll
[2004/08/11 15:00:21 | 00,001,405 | ---- | C] () -- C:\WINDOWS\msdfmap.ini
[2004/08/11 15:00:20 | 00,010,110 | ---- | C] () -- C:\WINDOWS\System32\mqperf.ini
[2004/08/11 15:00:18 | 00,042,809 | ---- | C] () -- C:\WINDOWS\System32\key01.sys
[2004/08/11 15:00:18 | 00,042,537 | ---- | C] () -- C:\WINDOWS\System32\keyboard.sys
[2004/08/11 15:00:18 | 00,035,328 | ---- | C] () -- C:\WINDOWS\System32\mciqtz32.dll
[2004/08/11 15:00:17 | 00,199,168 | ---- | C] () -- C:\WINDOWS\System32\ir32_32.dll
[2004/08/11 15:00:15 | 00,004,768 | ---- | C] () -- C:\WINDOWS\System32\himem.sys
[2004/08/11 15:00:13 | 01,015,477 | ---- | C] () -- C:\WINDOWS\System32\esentprf.ini
[2004/08/11 15:00:13 | 00,186,880 | ---- | C] () -- C:\WINDOWS\System32\encdec.dll
[2004/08/11 15:00:04 | 00,059,904 | ---- | C] () -- C:\WINDOWS\System32\devenum.dll
[2004/08/11 15:00:04 | 00,027,097 | ---- | C] () -- C:\WINDOWS\System32\country.sys
[2004/08/11 15:00:03 | 00,252,928 | ---- | C] () -- C:\WINDOWS\System32\compatui.dll
[2004/08/11 15:00:02 | 00,355,112 | ---- | C] () -- C:\WINDOWS\System32\msjetoledb40.dll
[2004/08/11 15:00:01 | 00,070,656 | ---- | C] () -- C:\WINDOWS\System32\amstream.dll
[2004/08/11 15:00:01 | 00,009,029 | ---- | C] () -- C:\WINDOWS\System32\ansi.sys
[2001/09/11 15:06:50 | 00,001,787 | ---- | C] () -- C:\WINDOWS\SDDM.INI
[2001/08/17 20:36:28 | 00,157,696 | ---- | C] () -- C:\WINDOWS\System32\paqsp.dll
[1999/01/22 12:46:58 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
[1996/07/30 23:00:00 | 00,041,472 | ---- | C] () -- C:\WINDOWS\System32\WOSAXRT.DLL
[1996/07/30 23:00:00 | 00,006,656 | ---- | C] () -- C:\WINDOWS\System32\MSNWEBQT.DLL

========== LOP Check ==========

[2007/04/17 23:08:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2007/08/28 19:06:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple
[2007/08/28 19:07:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2009/03/29 15:27:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Citrix
[2007/04/17 23:02:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Corel
[2008/01/29 10:17:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Dell
[2009/01/15 02:57:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Google
[2007/04/17 23:09:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GTek
[2007/04/17 23:07:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InstallShield
[2008/11/30 14:16:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/03/31 22:09:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2008/12/03 21:39:02 | 00,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2007/05/10 21:22:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Motive
[2008/01/18 21:49:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RapidSolution
[2004/08/11 15:25:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBSI
[2008/12/03 20:00:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Seagate
[2007/04/17 23:07:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sonic
[2009/11/21 00:50:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2009/04/04 11:50:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Symantec
[2007/04/21 01:00:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2009/03/14 20:28:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Adobe
[2007/04/21 11:50:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\AdobeUM
[2008/03/15 17:02:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Amazon
[2007/09/27 00:28:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Apple Computer
[2008/11/22 18:39:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Corel
[2007/04/20 23:59:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Google
[2007/04/17 23:09:10 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Gtek
[2007/04/22 18:52:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Help
[2004/08/11 15:20:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Identities
[2007/08/26 22:04:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\lalacollection
[2007/08/25 20:40:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\lalaplayer
[2007/04/24 23:23:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Leadertech
[2007/04/21 01:21:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Macromedia
[2008/11/30 14:16:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Malwarebytes
[2009/03/31 20:59:03 | 00,000,000 | --SD | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Microsoft
[2007/04/26 23:50:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Microsoft Web Folders
[2007/05/10 21:27:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Motive
[2009/11/14 23:34:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Mozilla
[2008/01/18 20:59:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\NoteCable
[2008/01/18 21:53:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\RTPlayer
[2007/04/29 23:49:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Sonic
[2007/04/28 22:58:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Sun
[2007/04/27 00:03:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Talkback
[2009/01/11 02:56:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Thunderbird
[2008/01/18 22:23:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\Tunebite
[2009/10/30 01:29:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Bill Entwistle\Application Data\WinRAR
[2004/08/04 03:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/11/21 02:06:00 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
[2009/11/21 00:47:24 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT
[2009/11/21 00:47:33 | 00,000,260 | ---- | M] () -- C:\WINDOWS\Tasks\WGASetup.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >

< %SYSTEMDRIVE%\eventlog.dll /s /md5 >
[2004/08/04 03:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\i386\eventlog.dll
[1 C:\i386\*.tmp files -> C:\i386\*.tmp -> ]
[2004/08/04 03:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll
[2008/04/13 18:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/13 18:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 18:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %SYSTEMDRIVE%\scecli.dll /s /md5 >
[2004/08/04 03:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\i386\scecli.dll
[1 C:\i386\*.tmp files -> C:\i386\*.tmp -> ]
[2004/08/04 03:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 18:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/13 18:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 18:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %SYSTEMDRIVE%\netlogon.dll /s /md5 >
[2004/08/04 03:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\i386\netlogon.dll
[1 C:\i386\*.tmp files -> C:\i386\*.tmp -> ]
[2004/08/04 03:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
[2008/04/13 18:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/13 18:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 18:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %SYSTEMDRIVE%\cngaudit.dll /s /md5 >

< %SYSTEMDRIVE%\sceclt.dll /s /md5 >

< %SYSTEMDRIVE%\ntelogon.dll /s /md5 >

< %SYSTEMDRIVE%\logevent.dll /s /md5 >

< %SYSTEMDRIVE%\iaStor.sys /s /md5 >
[2006/10/10 11:03:48 | 00,246,784 | ---- | M] (Intel Corporation) MD5=019CF5F31C67030841233C545A0E217A -- C:\drivers\storage\R130118\iastor.sys
[2006/07/06 04:59:42 | 00,246,784 | ---- | M] (Intel Corporation) MD5=019CF5F31C67030841233C545A0E217A -- C:\i386\iaStor.sys
[1 C:\i386\*.tmp files -> C:\i386\*.tmp -> ]
[2006/07/06 04:59:42 | 00,246,784 | ---- | M] (Intel Corporation) MD5=019CF5F31C67030841233C545A0E217A -- C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iaStor.sys
[2006/07/06 05:01:32 | 00,484,864 | ---- | M] (Intel Corporation) MD5=6A3C354BFC163B81F6EF2FC421280DB5 -- C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys
[2009/11/14 17:10:57 | 00,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\WINDOWS\system32\drivers\iastor.sys
[2006/10/10 11:03:48 | 00,246,784 | ---- | M] (Intel Corporation) MD5=019CF5F31C67030841233C545A0E217A -- C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\iaStor.sys

< %SYSTEMDRIVE%\nvstor.sys /s /md5 >

< %SYSTEMDRIVE%\atapi.sys /s /md5 >
[2004/08/03 20:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\i386\atapi.sys
[1 C:\i386\*.tmp files -> C:\i386\*.tmp -> ]
[2004/08/03 20:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2008/04/13 12:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 12:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 12:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< %SYSTEMDRIVE%\IdeChnDr.sys /s /md5 >

< %SYSTEMDRIVE%\viasraid.sys /s /md5 >

< %SYSTEMDRIVE%\AGP440.sys /s /md5 >
[2004/08/03 21:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\i386\AGP440.SYS
[1 C:\i386\*.tmp files -> C:\i386\*.tmp -> ]
[2004/08/03 21:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys
[2008/04/13 12:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 12:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 12:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< %SYSTEMDRIVE%\vaxscsi.sys /s /md5 >

< %SYSTEMDRIVE%\nvatabus.sys /s /md5 >
< End of report >

--------------------------------------------

OTL Extras logfile created on: 11/21/2009 5:35:16 PM - Run 1
OTL by OldTimer - Version 3.1.6.2 Folder = C:\Documents and Settings\Bill Entwistle\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1013.84 Mb Total Physical Memory | 110.82 Mb Available Physical Memory | 10.93% Memory free
2.38 Gb Paging File | 1.57 Gb Available in Paging File | 65.90% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 68.36 Gb Total Space | 42.44 Gb Free Space | 62.08% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 68.36 Gb Total Space | 37.28 Gb Free Space | 54.53% Space Free | Partition Type: NTFS
Drive G: | 2.93 Gb Total Space | 1.13 Gb Free Space | 38.52% Space Free | Partition Type: NTFS
Drive H: | 6.31 Gb Total Space | 5.17 Gb Free Space | 81.96% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded

Computer Name: TUCKER
Current User Name: Bill Entwistle
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- "%SYSTEMROOT%\hh.exe" %1
.html [@ = FirefoxHTML] -- C:\Program Files\Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
chm.file [open] -- "%SYSTEMROOT%\hh.exe" %1 File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" File not found

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"G:\WS FTP\WS_FTP95.exe" = G:\WS FTP\WS_FTP95.exe:*:Enabled:WS_FTP 95 -- (Ipswitch, Inc. 81 Hartwell Ave. Lexington, MA 02173)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\TeraTerm\ttermpro.exe" = C:\Program Files\TeraTerm\ttermpro.exe:*:Enabled:Tera Term -- (TeraTerm Project T. Teranishi)
"C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe" = C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe:*:Enabled:AppleMobileDeviceService -- (Apple, Inc.)
"C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe" = C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe:*:Enabled:StxMenuMgr -- (Seagate LLC)
"C:\Program Files\Dell Support\DSAgnt.exe" = C:\Program Files\Dell Support\DSAgnt.exe:*:Enabled:DSAgnt -- (Gteko Ltd.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00010409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Professional
"{075473F5-846A-448B-BCB3-104AA1760205}" = Roxio RecordNow Data
"{0A0873E1-D9BA-4994-B85D-A0A331EF1F0C}" = Intel® PRO Network Connections
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Roxio DLA
"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Roxio MyDVD LE
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{238B8820-011B-11D6-9C28-0080C85A0C2D}" = Microtek LightLid 35 Calibrator
"{26A24AE4-039D-4CA4-87B4-2F83216010FF}" = Java™ 6 Update 11
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{33CFCF98-F8D6-4549-B469-6F4295676D83}" = Symantec AntiVirus
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3EBD3749-304E-4A4C-9575-C00E5F015217}" = Apple Mobile Device Support
"{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}" = URL Assistant
"{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54}" = Dell CinePlayer
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}" = Sonic Activation Module
"{621FCD24-4498-4324-A81E-07D331376EDF}" = PixiePack Codec Pack
"{6BE2A4A4-99FB-48ED-AE1E-4E850389F804}" = PartitionMagic
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7ADE3A47-B425-45E9-8FF6-11BE2B775645}" = Corel Snapfire Plus
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{902C002A-60F8-45BD-9EFF-4DE38C99C51B}" = Eudora
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{93A1B09E-BAFA-4628-A5B6-921CB026955A}" = Corel Paint Shop Pro Photo XI
"{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}" = QuickTime
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Roxio RecordNow Audio
"{AC76BA86-7AD7-1033-7B44-A70800000002}" = Adobe Reader 7.0.8
"{B045B608-4A47-4C77-9EAD-06C394503306}" = iTunes
"{B08D262E-D902-11D5-9C28-0080C85A0C2D}" = ScanWizard 5
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Roxio RecordNow Copy
"{B1D89E54-08B1-4542-A69B-E634AEF10A40}" = Seagate Manager Installer
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B702CCCE-3176-4DBF-B932-D1B8F402F330}" = Digital Content Portal
"{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}" = Apple Software Update
"{BCE72AED-3332-4863-9567-C5DCB9052CA2}" = Netflix Movie Viewer
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEE2252C-4035-4B27-8EC6-0B085DD3A413}" = Dell Support 3.2.1
"{F51251E6-FF62-48D0-9F87-149F48CDE46C}" = OKI C5100 Digitally Signed Driver
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Alarm_is1" = Alarm 2.0.1
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.3
"ColorMania_is1" = ColorMania 2.4
"DVD Identifier_is1" = DVD Identifier
"HDMI" = Intel® Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"InstallShield_{6BE2A4A4-99FB-48ED-AE1E-4E850389F804}" = PowerQuest PartitionMagic 8.0
"LiveUpdate" = LiveUpdate 3.1 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.5)" = Mozilla Firefox (3.5.5)
"Mozilla Thunderbird (2.0.0.23)" = Mozilla Thunderbird (2.0.0.23)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSMONEYV50" = Microsoft Money 5.0
"Multimedia Xplorer 2" = Multimedia Xplorer 2
"MyEntunnel" = MyEntunnel (remove only)
"Registry Crawler" = Registry Crawler
"SBC.MCCInstall" = SBC Self Support Tool
"SearchAssist" = SearchAssist
"TaxACT 2000" = TaxACT 2000
"TaxACT 2001" = TaxACT 2001
"TaxACT 2002" = TaxACT 2002
"TaxACT 2003" = TaxACT 2003
"TaxACT 2004" = TaxACT 2004
"TaxACT 2005" = TaxACT 2005
"TaxACT 2006" = TaxACT 2006
"TaxACT 2007" = TaxACT 2007
"TaxACT 2008" = TaxACT 2008
"TaxACT 2008 Illinois" = TaxACT 2008 Illinois
"TaxACT 2009" = TaxACT 2009
"TaxACT Illinois 2003" = TaxACT Illinois 2003
"TaxACT Illinois 2004" = TaxACT Illinois 2004
"TaxACT Illinois 2005" = TaxACT Illinois 2005
"TaxACT Illinois 2006" = TaxACT Illinois 2006
"TaxACT Illinois 2007" = TaxACT Illinois 2007
"Tera Term Pro" = Tera Term Pro
"Tera Term_is1" = Tera Term 4.62
"TextPad 4" = TextPad 4
"Ulead iPhoto Express 1.1" = Ulead iPhoto Express 1.1
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"YInstHelper" = Yahoo! Install Manager

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"GoToMeeting" = GoToMeeting/GoToWebinar 3.0.0.198

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/19/2009 2:28:06 AM | Computer Name = TUCKER | Source = WinDefendRtp | ID = 3003
Description = %%827 Real-Time Protection checkpoint has encountered an error and
failed to start. User: TUCKER\Bill Entwistle Checkpoint ID: 1 Error Code: 0x8000ffff

Error
description: Catastrophic failure

Error - 11/19/2009 2:45:31 AM | Computer Name = TUCKER | Source = Symantec AntiVirus | ID = 16711726
Description = Security Risk Found!Risk: Downloader.MisleadApp in File: C:\Documents
and Settings\Bill Entwistle\Local Settings\Temporary Internet Files\Content.IE5\YH16FMXW\op[1].exe
by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description:

Error - 11/19/2009 2:45:31 AM | Computer Name = TUCKER | Source = Symantec AntiVirus | ID = 16711685
Description = Risk Found!Risk: Downloader.MisleadApp in File: C:\Documents and Settings\Bill
Entwistle\Local Settings\Temporary Internet Files\Content.IE5\YH16FMXW\op[1].exe
by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description:

Error - 11/19/2009 2:45:45 AM | Computer Name = TUCKER | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Risk: Downloader.MisleadApp in File: C:\Documents
and Settings\Bill Entwistle\Local Settings\Temporary Internet Files\Content.IE5\YH16FMXW\op[1].exe
by: Auto-Protect scan. Action: Cleaned by Deletion. Action Description:

Error - 11/19/2009 3:38:19 AM | Computer Name = TUCKER | Source = WinDefendRtp | ID = 3003
Description = %%827 Real-Time Protection checkpoint has encountered an error and
failed to start. User: TUCKER\Bill Entwistle Checkpoint ID: 1 Error Code: 0x80070005

Error
description: Access is denied.

Error - 11/19/2009 3:38:19 AM | Computer Name = TUCKER | Source = WinDefendRtp | ID = 3003
Description = %%827 Real-Time Protection checkpoint has encountered an error and
failed to start. User: TUCKER\Bill Entwistle Checkpoint ID: 1 Error Code: 0x8000ffff

Error
description: Catastrophic failure

Error - 11/20/2009 3:11:18 AM | Computer Name = TUCKER | Source = WinDefendRtp | ID = 3003
Description = %%827 Real-Time Protection checkpoint has encountered an error and
failed to start. User: TUCKER\Bill Entwistle Checkpoint ID: 1 Error Code: 0x80070005

Error
description: Access is denied.

Error - 11/20/2009 3:11:18 AM | Computer Name = TUCKER | Source = WinDefendRtp | ID = 3003
Description = %%827 Real-Time Protection checkpoint has encountered an error and
failed to start. User: TUCKER\Bill Entwistle Checkpoint ID: 1 Error Code: 0x8000ffff

Error
description: Catastrophic failure

Error - 11/20/2009 10:48:38 AM | Computer Name = TUCKER | Source = MPSampleSubmission | ID = 5000
Description = EventType avsubmit, P1 windefend, P2 1.1.5302.0, P3 unspecified, P4
1.71.26.0, P5 trojan_win32_vundo.gen!g, P6 NIL, P7 NIL, P8 NIL, P9 NIL, P10 NIL.

Error - 11/21/2009 2:45:54 AM | Computer Name = TUCKER | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module unknown, version
0.0.0.0, fault address 0x00000000.

[ System Events ]
Error - 11/19/2009 12:43:49 AM | Computer Name = TUCKER | Source = Service Control Manager | ID = 7000
Description = The mcmscsvc service failed to start due to the following error: %%3

Error - 11/19/2009 12:43:49 AM | Computer Name = TUCKER | Source = Service Control Manager | ID = 7000
Description = The McNASvc service failed to start due to the following error: %%3

Error - 11/19/2009 3:38:37 AM | Computer Name = TUCKER | Source = Service Control Manager | ID = 7000
Description = The mcmscsvc service failed to start due to the following error: %%3

Error - 11/19/2009 3:38:37 AM | Computer Name = TUCKER | Source = Service Control Manager | ID = 7000
Description = The McNASvc service failed to start due to the following error: %%3

Error - 11/19/2009 8:52:27 PM | Computer Name = TUCKER | Source = iaStor | ID = 262153
Description = The device, \Device\Ide\iaStor0, did not respond within the timeout
period.

Error - 11/20/2009 3:11:08 AM | Computer Name = TUCKER | Source = Service Control Manager | ID = 7000
Description = The mcmscsvc service failed to start due to the following error: %%3

Error - 11/20/2009 3:11:08 AM | Computer Name = TUCKER | Source = Service Control Manager | ID = 7000
Description = The McNASvc service failed to start due to the following error: %%3

Error - 11/20/2009 3:11:18 AM | Computer Name = TUCKER | Source = ipnathlp | ID = 32003
Description = The Network Address Translator (NAT) was unable to request an operation
of
the kernel-mode translation module. This may indicate misconfiguration, insufficient
resources, or an internal error. The data is the error code.

Error - 11/21/2009 2:47:55 AM | Computer Name = TUCKER | Source = Service Control Manager | ID = 7000
Description = The mcmscsvc service failed to start due to the following error: %%3

Error - 11/21/2009 2:47:55 AM | Computer Name = TUCKER | Source = Service Control Manager | ID = 7000
Description = The McNASvc service failed to start due to the following error: %%3


< End of report >

#60 IndiGenus

IndiGenus

    True Member

  • Experts
  • 359 posts
  • Location:New England, USA

Posted 21 November 2009 - 08:57 PM

I would suggest maybe one more scan if all is well, then you should be good to go.

The below scan can take up to an hour or longer, please be patient.

*Note
It is recommended to disable your onboard antivirus program and antispyware programs while performing scans, so there are no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.


Please do a scan with Kaspersky Online Scanner or from here
http://www.kaspersky.com/virusscanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run. (At times it may appear to stall.)
    * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Once the scan is complete, click on View scan report. To obtain the report:
    * Click on: Save Report As
    * Next, in the Save as prompt, Save in area, select: Desktop
    * In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select: Text file [*.txt]
    * Then, click: Save
  • Please post the Kaspersky Online Scanner Report in your reply.

Animated tutorial
http://i275.photobuc...ng/KAS/KAS9.gif

(Note for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
Or use Firefox with IE-Tab plugin
https://addons.mozil...efox/addon/1419

In your next reply post:
Kaspersky log
IndiGenus


"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi
