
Solved Have a virus or something....

Discussion in 'Malware and Virus Removal Archive' started by molsonrn, 2010/09/26.

    molsonrn (Thread Starter), 2010/09/26
    [Resolved] Have a virus or something....

    I had an ad that kept popping up, so I ran Malwarebytes and it eliminated two infected files. I'll post the log at the end. Seems to be better now, but the internet is running slowly. Do you see anything in the DDS logs that shows something still wrong?

    Thanks.
    Melanie


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 1/22/2007 7:37:33 PM
    System Uptime: 9/26/2010 1:31:27 PM (0 hours ago)

    Motherboard: Dell Inc | | 0CT103
    Processor: AMD Athlon(tm) 64 Processor 3200+ | Socket M2 | 2004/1000mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 71 GiB total, 21.07 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP810: 8/3/2010 11:31:13 PM - System Checkpoint
    RP811: 8/3/2010 11:32:10 PM - Cleaned registry with Windows Live OneCare safety scanner
    RP812: 8/3/2010 11:34:19 PM - Removed Ask Toolbar.
    RP813: 8/3/2010 11:38:39 PM - Software Distribution Service 3.0
    RP814: 8/4/2010 8:51:57 AM - Removed Java(TM) 6 Update 17
    RP815: 8/4/2010 8:52:31 AM - Installed Java(TM) 6 Update 21
    RP816: 8/4/2010 8:57:56 AM - Installed Windows Internet Explorer 8.
    RP817: 8/4/2010 8:58:30 AM - Software Distribution Service 3.0
    RP818: 8/4/2010 12:55:51 PM - Software Distribution Service 3.0
    RP819: 8/5/2010 12:03:29 PM - Before speedboost run
    RP820: 8/5/2010 12:17:55 PM - Installed Paragon Backup & Recovery™ 10.2 Free Edition.
    RP821: 8/6/2010 12:33:41 PM - System Checkpoint
    RP822: 8/7/2010 3:12:11 PM - System Checkpoint
    RP823: 8/8/2010 4:23:52 PM - System Checkpoint
    RP824: 8/11/2010 11:03:29 AM - System Checkpoint
    RP825: 8/12/2010 11:05:28 AM - System Checkpoint
    RP826: 8/13/2010 3:00:15 AM - Software Distribution Service 3.0
    RP827: 8/16/2010 12:57:51 PM - Installed Rise Of Legends
    RP828: 8/17/2010 1:19:41 PM - System Checkpoint
    RP829: 8/18/2010 2:55:13 PM - System Checkpoint
    RP830: 8/19/2010 4:59:40 PM - System Checkpoint
    RP831: 8/20/2010 5:47:56 PM - System Checkpoint
    RP832: 8/21/2010 6:12:56 PM - System Checkpoint
    RP833: 8/22/2010 6:43:01 PM - System Checkpoint
    RP834: 8/25/2010 1:21:56 PM - System Checkpoint
    RP835: 8/26/2010 4:16:47 PM - System Checkpoint
    RP836: 8/27/2010 5:07:59 PM - System Checkpoint
    RP837: 8/28/2010 6:07:59 PM - System Checkpoint
    RP838: 8/29/2010 7:07:58 PM - System Checkpoint
    RP839: 8/30/2010 8:18:17 PM - System Checkpoint
    RP840: 8/31/2010 8:59:37 PM - System Checkpoint
    RP841: 9/1/2010 9:59:37 PM - System Checkpoint
    RP842: 9/4/2010 11:42:07 AM - Installed LEGO® Indiana Jones™
    RP843: 9/5/2010 12:20:18 PM - System Checkpoint
    RP844: 9/8/2010 5:25:50 PM - System Checkpoint
    RP845: 9/9/2010 5:52:46 PM - System Checkpoint
    RP846: 9/10/2010 6:17:06 PM - System Checkpoint
    RP847: 9/11/2010 6:53:08 PM - System Checkpoint
    RP848: 9/12/2010 7:06:40 PM - System Checkpoint
    RP849: 9/13/2010 8:05:02 PM - System Checkpoint
    RP850: 9/15/2010 4:21:57 PM - System Checkpoint
    RP851: 9/15/2010 6:33:57 PM - Removed Ben 10 Alien Force Bounty Hunters.
    RP852: 9/15/2010 6:39:50 PM - Removed Star Wars Galactic Battlegrounds: Clone Campaigns
    RP853: 9/15/2010 6:40:26 PM - Removed Ultimate Spider-Man (TM)
    RP854: 9/16/2010 7:28:11 PM - System Checkpoint
    RP855: 9/17/2010 8:28:10 PM - System Checkpoint
    RP856: 9/18/2010 9:15:45 PM - System Checkpoint
    RP857: 9/19/2010 9:16:50 PM - System Checkpoint
    RP858: 9/22/2010 4:17:15 PM - System Checkpoint
    RP859: 9/24/2010 6:05:34 PM - System Checkpoint
    RP860: 9/25/2010 8:01:59 PM - System Checkpoint

    ==== Installed Programs ======================

    3D Groove Playback Engine
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Shockwave Player 11.5
    Age of Mythology
    Antivirus 2010
    AOLIcon
    Auslogics Disk Defrag
    Axis & Allies
    Belarc Advisor 7.2
    Broadcom Management Programs
    CCleaner
    Defender of the Crown
    Dell CinePlayer
    Dell Support 3.2.1
    Demolition Champions
    Digital Content Portal
    DirectX Media Runtime 5.1
    Disney Pirates of the Caribbean Online
    EA Mobile Games
    Glary Utilities 2.27.0.982
    GPGNet
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Iron Man
    ISO Recorder
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 6
    Java Auto Updater
    Java(TM) 6 Update 21
    Java(TM) 6 Update 5
    Jetfighter V Homeland Protector
    LEGO® Indiana Jones™
    Mall Tycoon 2 Deluxe
    Malwarebytes' Anti-Malware
    Marvel(TM) - Ultimate Alliance
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Plus! Digital Media Edition Installer
    Microsoft Plus! Photo Story 2 LE
    Microsoft Rise Of Nations
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works
    Mozilla Firefox (3.6.10)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML4 Parser
    Norman Security Suite
    NVIDIA Drivers
    Paragon Backup & Recovery™ 10.2 Free Edition
    PunkBuster Services
    QuickTime
    RealPlayer Basic
    Rise Of Legends
    Roxio DLA
    Roxio MyDVD LE
    Roxio RecordNow Audio
    Roxio RecordNow Copy
    Roxio RecordNow Data
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Sonic Activation Module
    Sonic Update Manager
    SPORE™
    Spybot - Search & Destroy
    Supreme Commander
    Symantec KB-DocID:2003093015493306
    TeamViewer 4
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB982632)
    WebFldrs XP
    Windows Internet Explorer 8
    Windows Live ID Sign-in Assistant
    Windows Live OneCare safety scanner
    Windows Media Format 11 runtime
    Windows Media Player 10
    Windows Media Player 11
    Windows XP Service Pack 3
    Wizard101

    ==== Event Viewer Messages From Past Week ========

    9/26/2010 9:54:00 AM, error: Schedule [7901] - The At10.job command failed to start due to the following error: %%2147942402
    9/26/2010 8:54:00 AM, error: Schedule [7901] - The At9.job command failed to start due to the following error: %%2147942402
    9/26/2010 7:54:00 AM, error: Schedule [7901] - The At8.job command failed to start due to the following error: %%2147942402
    9/26/2010 6:54:00 AM, error: Schedule [7901] - The At7.job command failed to start due to the following error: %%2147942402
    9/26/2010 5:54:00 AM, error: Schedule [7901] - The At6.job command failed to start due to the following error: %%2147942402
    9/26/2010 4:54:00 AM, error: Schedule [7901] - The At5.job command failed to start due to the following error: %%2147942402
    9/26/2010 3:54:00 AM, error: Schedule [7901] - The At4.job command failed to start due to the following error: %%2147942402
    9/26/2010 2:54:00 AM, error: Schedule [7901] - The At3.job command failed to start due to the following error: %%2147942402
    9/26/2010 12:54:00 PM, error: Schedule [7901] - The At13.job command failed to start due to the following error: %%2147942402
    9/26/2010 12:54:00 AM, error: Schedule [7901] - The At1.job command failed to start due to the following error: %%2147942402
    9/26/2010 11:54:00 AM, error: Schedule [7901] - The At12.job command failed to start due to the following error: %%2147942402
    9/26/2010 10:54:00 AM, error: Schedule [7901] - The At11.job command failed to start due to the following error: %%2147942402
    9/26/2010 1:54:00 AM, error: Schedule [7901] - The At2.job command failed to start due to the following error: %%2147942402
    9/26/2010 1:32:00 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
    9/25/2010 9:54:00 PM, error: Schedule [7901] - The At22.job command failed to start due to the following error: %%2147942402
    9/25/2010 8:54:00 PM, error: Schedule [7901] - The At21.job command failed to start due to the following error: %%2147942402
    9/25/2010 7:54:00 PM, error: Schedule [7901] - The At20.job command failed to start due to the following error: %%2147942402
    9/25/2010 11:54:00 PM, error: Schedule [7901] - The At24.job command failed to start due to the following error: %%2147942402
    9/25/2010 10:54:00 PM, error: Schedule [7901] - The At23.job command failed to start due to the following error: %%2147942402
    9/24/2010 5:36:58 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: nvatabus nvraid
    9/24/2010 5:36:50 PM, error: Service Control Manager [7000] - The iWon Toolbar Service service failed to start due to the following error: The system cannot find the path specified.
    9/22/2010 4:29:44 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file rundll32.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.

    ==== End Of File ===========================





    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Ben Olson at 13:37:39.43 on Sun 09/26/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1420 [GMT -5:00]

    AV: Norman Security Suite *On-access scanning enabled* (Updated) {EB9EFB40-AE72-4C43-B204-0FCD0E92D5F1}
    FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

    ============== Running Processes ===============

    C:\Program Files\Norman\Npm\Bin\Elogsvc.exe
    C:\Program Files\Norman\Ngs\Bin\Nnf.exe
    C:\Program Files\Norman\Ngs\Bin\Nprosec.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Norman\Npm\Bin\Zanda.exe
    C:\Program Files\Norman\npm\bin\nvoy.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Norman\npc\bin\npc_tray.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
    C:\WINDOWS\system32\UAService7.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\TeamViewer\Version4\TeamViewer.exe
    C:\Program Files\Norman\Npm\Bin\scheduler.exe
    C:\Program Files\Norman\Npm\Bin\Njeeves.exe
    C:\Program Files\Norman\npc\bin\nuaa.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Norman\Nvc\Bin\nvcoas.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Documents and Settings\Ben Olson\My Documents\Downloads\dds(2).scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061128
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    uURLSearchHooks: H - No File
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
    uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1100465 - "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; http://bsalsa.com) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; AskTB5.6)" - "http://www.mostfungames.com/brakeless.htm"
    mRun: [NPCTray] c:\program files\norman\npc\bin\npc_tray.exe /LOAD
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [Norman ZANDA] "c:\program files\norman\npm\bin\ZLH.EXE" /LOAD /SPLASH
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    dRun: [Dgovahacafo] rundll32.exe "c:\windows\owlwcx.dll",Startup
    dRunOnce: [RunNarrator] Narrator.exe
    dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10h_ActiveX.exe -update activex
    IE: &Search - http://tbedits.iwon.com/one-toolbar...0377-BCD4-433A-8344-8B5093F98D88&n=2010062120
    IE: E&xport to Microsoft Excel
    IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    IE: {EBD24BD3-E272-4FA3-A8BA-C5D709757CAB} - {EBD24BD3-E272-4FA3-A8BA-C5D709757CAB}
    LSP: c:\program files\norman\ngs\bin\nlf.dll
    DPF: {10ECCE17-29B5-4880-A8F5-EAD298611484} - hxxp://cdnrep.reimage.com/reix1224.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} - hxxps://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
    DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
    DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX27.cab
    DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.53.0.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\benols~1\applic~1\mozilla\firefox\profiles\e9l048xv.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2570793&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Ask.com
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2570793&q=
    FF - plugin: c:\documents and settings\ben olson\application data\mozilla\firefox\profiles\e9l048xv.default\extensions\battlefieldheroespatcher@ea.com\platform\winnt_x86-msvc\plugins\npBFHUpdater.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: google.toolbar.linkdoctor.enabled - false
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2010-8-5 40560]
    R1 NGS;Norman General Security Driver;c:\program files\norman\ngs\bin\ngs.sys [2010-8-19 26744]
    R1 NPROSEC;Norman Security driver;c:\program files\norman\ngs\bin\nprosec.sys [2010-8-19 72392]
    R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2010-8-3 93872]
    R2 Ndiskio;Ndiskio;c:\program files\norman\nse\bin\Ndiskio.sys [2009-12-3 22880]
    R2 NNFSVC;Norman Network Filtering service;c:\program files\norman\ngs\bin\nnf.exe [2010-8-19 219904]
    R2 Norman ZANDA;Norman ZANDA;c:\program files\norman\npm\bin\Zanda.exe [2009-10-7 301192]
    R2 NPROSECSVC;Norman Security service;c:\program files\norman\ngs\bin\nprosec.exe [2010-8-19 103016]
    R2 nregsec;Norman Registry Security driver;c:\program files\norman\ngs\bin\nregsec.sys [2010-8-19 40384]
    R2 NVOY;Norman Resource Provider;c:\program files\norman\npm\bin\nvoy.exe [2009-12-3 98776]
    R2 TeamViewer4;TeamViewer 4;c:\program files\teamviewer\version4\TeamViewer_Service.exe [2009-1-28 185640]
    R3 nsesvc;Norman Scanner Engine Service;c:\program files\norman\nse\bin\Nsesvc.exe [2010-6-21 282624]
    R3 NUAA;Norman User Activity Agent;c:\program files\norman\npc\bin\nuaa.exe [2009-12-3 99656]
    R3 NvcMFlt;NvcMFlt;c:\windows\system32\drivers\nvcw32mf.sys [2009-12-3 21832]
    R3 nvcoas;Norman Virus Control on-access component;c:\program files\norman\nvc\bin\Nvcoas.exe [2009-12-3 210248]
    R3 Scheduler;Norman Scheduler Service;c:\program files\norman\npm\bin\scheduler.exe [2009-12-3 133272]
    S2 iWonService;iWon Toolbar Service;c:\progra~1\iwon\bar\1.bin\jfbarsvc.exe --> c:\progra~1\iwon\bar\1.bin\jfbarsvc.exe [?]
    S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-11-29 1174152]

    =============== Created Last 30 ================

    2010-09-24 22:45:30 72706 ----a-w- c:\docume~1\alluse~1\applic~1\m8BN7Y5H.exe
    2010-09-22 21:31:09 112 ----a-w- c:\docume~1\alluse~1\applic~1\V5Y0Ai2e.dat
    2010-09-15 23:34:31 0 d-----w- c:\program files\Blockland
    2010-09-15 20:58:44 68176 ----a-w- c:\windows\system32\drivers\ale_nf64.sys
    2010-09-15 20:58:44 61472 ----a-w- c:\windows\system32\drivers\ale_nf.sys
    2010-09-05 15:22:41 664 ----a-w- c:\windows\system32\d3d9caps.dat

    ==================== Find3M ====================

    2010-08-26 19:38:47 99 ----a-w- c:\documents and settings\ben olson\jagex_runescape_preferences2.dat
    2010-08-26 19:01:49 46 ----a-w- c:\documents and settings\ben olson\jagex_runescape_preferences.dat
    2010-08-11 20:13:48 138184 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
    2010-08-11 20:13:23 215016 ----a-w- c:\windows\system32\PnkBstrB.exe
    2010-08-04 13:52:35 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll
    2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-30 12:31:35 149504 ------w- c:\windows\system32\dllcache\schannel.dll
    2008-06-22 21:24:37 88 --sh--r- c:\windows\system32\94B7304BDE.sys
    2008-06-22 21:24:48 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys

    ============= FINISH: 13:39:15.04 ===============
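    Added example (editor's code, not part of the original post and not a DDS feature): a small Python triage script that runs the heuristic checks a malware-removal helper usually applies when reading a log like the one above, over an excerpt copied from that log. The rule names, the Finding class and the thresholds are assumptions of this example; a hit means "ask about this line", not "this is malware".

```python
"""Heuristic triage of DDS output (added example; not part of the posted log or of DDS).

Each rule mirrors a question a malware-removal helper asks when reading the log:
a hit means "look at this line", never "this is malware".
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Lines copied from the log posted above (hxxp is DDS's own defanging), trimmed to
# the sections the rules act on.  Nothing here is new data.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [Dgovahacafo] rundll32.exe "c:\windows\owlwcx.dll",Startup
Hosts: 127.0.0.1 www.spywareinfo.com
================= FIREFOX ===================
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2570793&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2570793&q=
============= SERVICES / DRIVERS ===============
R2 TeamViewer4;TeamViewer 4;c:\program files\teamviewer\version4\TeamViewer_Service.exe [2009-1-28 185640]
S2 iWonService;iWon Toolbar Service;c:\progra~1\iwon\bar\1.bin\jfbarsvc.exe --> c:\progra~1\iwon\bar\1.bin\jfbarsvc.exe [?]
=============== Created Last 30 ================
2010-09-24 22:45:30 72706 ----a-w- c:\docume~1\alluse~1\applic~1\m8BN7Y5H.exe
2010-09-22 21:31:09 112 ----a-w- c:\docume~1\alluse~1\applic~1\V5Y0Ai2e.dat
2010-09-15 23:34:31 0 d-----w- c:\program files\Blockland
==== Installed Programs ======================
Antivirus 2010
Malwarebytes' Anti-Malware
"""


@dataclass(frozen=True)
class Finding:
    rule: str    # short rule id (names are this example's own)
    detail: str  # the extracted item the rule fired on
    line: str    # the original log line, for quoting back to the poster


SECTION_RE = re.compile(r'^=+\s*(.*?)\s*=+$')
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)\s*"?,', re.I)
CREATED_RE = re.compile(r'^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\d+\s+(?P<attr>\S+)\s+(?P<path>.+)$')
SEARCH_PREF_RE = re.compile(r'^FF - prefs\.js: (?P<pref>browser\.search\.defaulturl|keyword\.URL) - (?P<val>.+)$')
HOST_RE = re.compile(r'^hxxps?://([^/]+)', re.I)
GENERIC_AV_RE = re.compile(r'^(anti[- ]?virus|anti[- ]?spyware|security)\s*20\d\d$', re.I)


def looks_random(stem: str) -> bool:
    """8+ alphanumerics mixing upper, lower and digits: the shape of many dropped-file names."""
    return (re.fullmatch(r'[A-Za-z0-9]{8,}', stem) is not None
            and any(c.isdigit() for c in stem)
            and any(c.islower() for c in stem)
            and any(c.isupper() for c in stem))


def triage(text: str) -> list[Finding]:
    """Walk the DDS text section by section and return the lines worth asking about."""
    findings: list[Finding] = []
    section = ''
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        # 1. Autostart entries (u/m/dRun) that load a DLL straight from the Windows root.
        if re.match(r'^[umd]Run(?:Once)?:', line):
            m = RUNDLL_RE.search(line)
            if m and re.fullmatch(r'[a-z]:\\windows\\[^\\]+', m['dll'].lower()):
                findings.append(Finding('rundll32-windir-dll', m['dll'], line))
        # 2. Hosts entries that redirect anything other than localhost.
        elif line.startswith('Hosts:'):
            parts = line.split()
            if len(parts) >= 3 and parts[2].lower() != 'localhost':
                findings.append(Finding('hosts-override', f'{parts[2]} -> {parts[1]}', line))
        # 3. Firefox search prefs pointing at a third-party search host.
        elif (m := SEARCH_PREF_RE.match(line)):
            h = HOST_RE.match(m['val'])
            if h:
                findings.append(Finding('search-pref', f"{m['pref']} -> {h.group(1)}", line))
        # 4. Registered services whose binary DDS could not find on disk ("[?]").
        elif re.match(r'^[RS]\d\s', line) and line.endswith('[?]'):
            findings.append(Finding('service-missing-binary', line.split(';')[0].split()[1], line))
        # 5. Files created in the last 30 days with random-looking names (directories skipped).
        elif 'created last 30' in section and (m := CREATED_RE.match(line)):
            if not m['attr'].startswith('d'):
                stem = m['path'].rsplit('\\', 1)[-1].rsplit('.', 1)[0]
                if looks_random(stem):
                    findings.append(Finding('random-name-file', m['path'], line))
        # 6. Installed programs with a generic "<Antivirus> <year>" name: verify the vendor.
        elif 'installed programs' in section and GENERIC_AV_RE.match(line):
            findings.append(Finding('generic-av-name', line, line))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_DDS):
        print(f'{f.rule:24} {f.detail}')
```

    On the excerpt the script returns eight hits, which are the same items a helper would normally ask the poster about: the dRun entry with a gibberish value name loading a DLL from the Windows root, the two random-named files created in All Users\Application Data two days before the post, the hosts entry that blocks a security-help site, the two Firefox search prefs redirected to conduit.com even though the Ask Toolbar was removed in August, the iWon toolbar service whose binary no longer exists, and the "Antivirus 2010" entry in the installed programs list. Known-good entries (the NVIDIA rundll32 line, TeamViewer) pass through untouched, and the Find3M section is left alone because everything in it predates the complaint.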


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 1/22/2007 7:37:33 PM
    System Uptime: 9/26/2010 1:31:27 PM (0 hours ago)

    Motherboard: Dell Inc | | 0CT103
    Processor: AMD Athlon(tm) 64 Processor 3200+ | Socket M2 | 2004/1000mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 71 GiB total, 21.07 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP810: 8/3/2010 11:31:13 PM - System Checkpoint
    RP811: 8/3/2010 11:32:10 PM - Cleaned registry with Windows Live OneCare safety scanner
    RP812: 8/3/2010 11:34:19 PM - Removed Ask Toolbar.
    RP813: 8/3/2010 11:38:39 PM - Software Distribution Service 3.0
    RP814: 8/4/2010 8:51:57 AM - Removed Java(TM) 6 Update 17
    RP815: 8/4/2010 8:52:31 AM - Installed Java(TM) 6 Update 21
    RP816: 8/4/2010 8:57:56 AM - Installed Windows Internet Explorer 8.
    RP817: 8/4/2010 8:58:30 AM - Software Distribution Service 3.0
    RP818: 8/4/2010 12:55:51 PM - Software Distribution Service 3.0
    RP819: 8/5/2010 12:03:29 PM - Before speedboost run
    RP820: 8/5/2010 12:17:55 PM - Installed Paragon Backup & Recoveryâ„¢ 10.2 Free Edition.
    RP821: 8/6/2010 12:33:41 PM - System Checkpoint
    RP822: 8/7/2010 3:12:11 PM - System Checkpoint
    RP823: 8/8/2010 4:23:52 PM - System Checkpoint
    RP824: 8/11/2010 11:03:29 AM - System Checkpoint
    RP825: 8/12/2010 11:05:28 AM - System Checkpoint
    RP826: 8/13/2010 3:00:15 AM - Software Distribution Service 3.0
    RP827: 8/16/2010 12:57:51 PM - Installed Rise Of Legends
    RP828: 8/17/2010 1:19:41 PM - System Checkpoint
    RP829: 8/18/2010 2:55:13 PM - System Checkpoint
    RP830: 8/19/2010 4:59:40 PM - System Checkpoint
    RP831: 8/20/2010 5:47:56 PM - System Checkpoint
    RP832: 8/21/2010 6:12:56 PM - System Checkpoint
    RP833: 8/22/2010 6:43:01 PM - System Checkpoint
    RP834: 8/25/2010 1:21:56 PM - System Checkpoint
    RP835: 8/26/2010 4:16:47 PM - System Checkpoint
    RP836: 8/27/2010 5:07:59 PM - System Checkpoint
    RP837: 8/28/2010 6:07:59 PM - System Checkpoint
    RP838: 8/29/2010 7:07:58 PM - System Checkpoint
    RP839: 8/30/2010 8:18:17 PM - System Checkpoint
    RP840: 8/31/2010 8:59:37 PM - System Checkpoint
    RP841: 9/1/2010 9:59:37 PM - System Checkpoint
    RP842: 9/4/2010 11:42:07 AM - Installed LEGO® Indiana Jonesâ„¢
    RP843: 9/5/2010 12:20:18 PM - System Checkpoint
    RP844: 9/8/2010 5:25:50 PM - System Checkpoint
    RP845: 9/9/2010 5:52:46 PM - System Checkpoint
    RP846: 9/10/2010 6:17:06 PM - System Checkpoint
    RP847: 9/11/2010 6:53:08 PM - System Checkpoint
    RP848: 9/12/2010 7:06:40 PM - System Checkpoint
    RP849: 9/13/2010 8:05:02 PM - System Checkpoint
    RP850: 9/15/2010 4:21:57 PM - System Checkpoint
    RP851: 9/15/2010 6:33:57 PM - Removed Ben 10 Alien Force Bounty Hunters.
    RP852: 9/15/2010 6:39:50 PM - Removed Star Wars Galactic Battlegrounds: Clone Campaigns
    RP853: 9/15/2010 6:40:26 PM - Removed Ultimate Spider-Man (TM)
    RP854: 9/16/2010 7:28:11 PM - System Checkpoint
    RP855: 9/17/2010 8:28:10 PM - System Checkpoint
    RP856: 9/18/2010 9:15:45 PM - System Checkpoint
    RP857: 9/19/2010 9:16:50 PM - System Checkpoint
    RP858: 9/22/2010 4:17:15 PM - System Checkpoint
    RP859: 9/24/2010 6:05:34 PM - System Checkpoint
    RP860: 9/25/2010 8:01:59 PM - System Checkpoint

    ==== Installed Programs ======================

    3D Groove Playback Engine
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Shockwave Player 11.5
    Age of Mythology
    Antivirus 2010
    AOLIcon
    Auslogics Disk Defrag
    Axis & Allies
    Belarc Advisor 7.2
    Broadcom Management Programs
    CCleaner
    Defender of the Crown
    Dell CinePlayer
    Dell Support 3.2.1
    Demolition Champions
    Digital Content Portal
    DirectX Media Runtime 5.1
    Disney Pirates of the Caribbean Online
    EA Mobile Games
    Glary Utilities 2.27.0.982
    GPGNet
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Iron Man
    ISO Recorder
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 6
    Java Auto Updater
    Java(TM) 6 Update 21
    Java(TM) 6 Update 5
    Jetfighter V Homeland Protector
    LEGO® Indiana Jones™
    Mall Tycoon 2 Deluxe
    Malwarebytes' Anti-Malware
    Marvel(TM) - Ultimate Alliance
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Plus! Digital Media Edition Installer
    Microsoft Plus! Photo Story 2 LE
    Microsoft Rise Of Nations
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works
    Mozilla Firefox (3.6.10)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML4 Parser
    Norman Security Suite
    NVIDIA Drivers
    Paragon Backup & Recovery™ 10.2 Free Edition
    PunkBuster Services
    QuickTime
    RealPlayer Basic
    Rise Of Legends
    Roxio DLA
    Roxio MyDVD LE
    Roxio RecordNow Audio
    Roxio RecordNow Copy
    Roxio RecordNow Data
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Sonic Activation Module
    Sonic Update Manager
    SPORE™
    Spybot - Search & Destroy
    Supreme Commander
    Symantec KB-DocID:2003093015493306
    TeamViewer 4
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB982632)
    WebFldrs XP
    Windows Internet Explorer 8
    Windows Live ID Sign-in Assistant
    Windows Live OneCare safety scanner
    Windows Media Format 11 runtime
    Windows Media Player 10
    Windows Media Player 11
    Windows XP Service Pack 3
    Wizard101

    ==== Event Viewer Messages From Past Week ========

    9/26/2010 9:54:00 AM, error: Schedule [7901] - The At10.job command failed to start due to the following error: %%2147942402
    9/26/2010 8:54:00 AM, error: Schedule [7901] - The At9.job command failed to start due to the following error: %%2147942402
    9/26/2010 7:54:00 AM, error: Schedule [7901] - The At8.job command failed to start due to the following error: %%2147942402
    9/26/2010 6:54:00 AM, error: Schedule [7901] - The At7.job command failed to start due to the following error: %%2147942402
    9/26/2010 5:54:00 AM, error: Schedule [7901] - The At6.job command failed to start due to the following error: %%2147942402
    9/26/2010 4:54:00 AM, error: Schedule [7901] - The At5.job command failed to start due to the following error: %%2147942402
    9/26/2010 3:54:00 AM, error: Schedule [7901] - The At4.job command failed to start due to the following error: %%2147942402
    9/26/2010 2:54:00 AM, error: Schedule [7901] - The At3.job command failed to start due to the following error: %%2147942402
    9/26/2010 12:54:00 PM, error: Schedule [7901] - The At13.job command failed to start due to the following error: %%2147942402
    9/26/2010 12:54:00 AM, error: Schedule [7901] - The At1.job command failed to start due to the following error: %%2147942402
    9/26/2010 11:54:00 AM, error: Schedule [7901] - The At12.job command failed to start due to the following error: %%2147942402
    9/26/2010 10:54:00 AM, error: Schedule [7901] - The At11.job command failed to start due to the following error: %%2147942402
    9/26/2010 1:54:00 AM, error: Schedule [7901] - The At2.job command failed to start due to the following error: %%2147942402
    9/26/2010 1:32:00 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
    9/25/2010 9:54:00 PM, error: Schedule [7901] - The At22.job command failed to start due to the following error: %%2147942402
    9/25/2010 8:54:00 PM, error: Schedule [7901] - The At21.job command failed to start due to the following error: %%2147942402
    9/25/2010 7:54:00 PM, error: Schedule [7901] - The At20.job command failed to start due to the following error: %%2147942402
    9/25/2010 11:54:00 PM, error: Schedule [7901] - The At24.job command failed to start due to the following error: %%2147942402
    9/25/2010 10:54:00 PM, error: Schedule [7901] - The At23.job command failed to start due to the following error: %%2147942402
    9/24/2010 5:36:58 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: nvatabus nvraid
    9/24/2010 5:36:50 PM, error: Service Control Manager [7000] - The iWon Toolbar Service service failed to start due to the following error: The system cannot find the path specified.
    9/22/2010 4:29:44 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file rundll32.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.

    ==== End Of File ===========================



    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4386

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    9/25/2010 7:00:43 PM
    mbam-log-2010-09-25 (19-00-43).txt

    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 291263
    Time elapsed: 1 hour(s), 39 minute(s), 25 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\us?rinit.exe (Rogue.Antivirus2010) -> Quarantined and deleted successfully.
    C:\WINDOWS\Fonts\eAcr1a.com (Malware.Generic) -> Quarantined and deleted successfully.
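The Malwarebytes log above removed C:\WINDOWS\system32\us?rinit.exe, a name that imitates the legitimate userinit.exe (the '?' is a character the log could not render), and C:\WINDOWS\Fonts\eAcr1a.com, an executable sitting in a directory that never holds executables; the event log further shows Windows File Protection restoring rundll32.exe after something tried to replace it. As an added example, not code from this thread or from any tool named in it, the following Python script triages a directory listing for exactly those two patterns: a filename whose visual skeleton matches a protected system binary but whose real spelling differs, and an executable parked under a non-executable directory. The protected-binary list, the confusables map and the sample listing are assumptions constructed for the example; the Cyrillic letter in the sample stands in for whatever character the log masked with '?'.

```python
# Added example (not from the thread): triage a directory listing for the
# two indicators the DDS/Malwarebytes logs above show -- a lookalike of a
# protected system binary (us?rinit.exe beside the real userinit.exe) and an
# executable parked in a directory that never holds executables (Fonts).
import unicodedata
from pathlib import PureWindowsPath

# Assumption: a representative subset of Windows File Protection binaries,
# not the full catalogue.
PROTECTED = {
    "userinit.exe", "rundll32.exe", "explorer.exe", "svchost.exe",
    "winlogon.exe", "lsass.exe", "csrss.exe", "services.exe",
}

# Assumption: a hand-picked subset of Unicode confusables (Cyrillic/Greek
# letters that render like Latin ones); a real tool would load the full
# Unicode confusables table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0455": "s", "\u03bf": "o", "\u0131": "i",
}

# Directories under %WINDIR% that legitimately hold no executables.
NON_EXEC_DIRS = {"fonts", "cookies", "help", "temp"}
EXEC_EXT = {".exe", ".com", ".scr", ".pif"}


def skeleton(name):
    """Visual skeleton of a filename: NFKC-normalise, case-fold, then map
    each confusable letter to the Latin letter it imitates."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def classify(path):
    """Return the findings for one path; an empty list means nothing odd."""
    p = PureWindowsPath(path)
    name = p.name
    findings = []
    if not name.isascii():
        findings.append("non-ascii filename")
    skel = skeleton(name)
    # A name whose skeleton is a protected binary but whose real spelling
    # differs is a homoglyph impostor, e.g. a Cyrillic letter in us?rinit.exe.
    if skel in PROTECTED and name.casefold() != skel:
        findings.append("lookalike of protected " + skel)
    if (p.suffix.casefold() in EXEC_EXT
            and p.parent.name.casefold() in NON_EXEC_DIRS):
        findings.append("executable in " + p.parent.name)
    return findings


def triage(paths):
    """Map each suspicious path to its findings; clean paths are omitted."""
    return {path: f for path in paths if (f := classify(path))}


# Constructed listing: the Cyrillic letter (U+0435) stands in for the
# character the Malwarebytes log could only render as '?'.
SAMPLE_LISTING = [
    "C:\\WINDOWS\\system32\\userinit.exe",
    "C:\\WINDOWS\\system32\\us\u0435rinit.exe",
    "C:\\WINDOWS\\system32\\rundll32.exe",
    "C:\\WINDOWS\\system32\\svchost.exe",
    "C:\\WINDOWS\\Fonts\\eAcr1a.com",
]

if __name__ == "__main__":
    for path, findings in triage(SAMPLE_LISTING).items():
        print(path, "->", "; ".join(findings))
```

Run against a real box, feed it the output of `dir /s /b %WINDIR%` instead of SAMPLE_LISTING; the skeleton comparison is what catches the impostor even when the non-ASCII check is defeated by a pure-ASCII lookalike such as a digit 1 for the letter l, provided that substitution is added to the confusables map.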
     
  2. 2010/09/26
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    What is your current security program, Norman, or Norton?

    Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When scan is completed, click Save button, and save the results as gmer.log
    Warning ! Please, do not select the "Show all" checkbox during the scan.
    Post the log.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in right pane.
    If still no joy, try to run it from Safe Mode.

    ==============================================================

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.
     


  4. 2010/09/28
    molsonrn

    molsonrn Inactive Thread Starter

    Joined:
    2010/02/08
    Messages:
    121
    Likes Received:
    0
    reply

    It is Norman.

    I'm going to attempt to post the gmer log below before moving on to the next things, as it has been very trying to even get that accomplished. Computer keeps freezing up completely. This time upon start-up and trying to get on IE, it opened 170 windows. Ugh.

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-09-28 15:37:16
    Windows 5.1.2600 Service Pack 3
    Running: spb6fm7m[1].exe; Driver: C:\DOCUME~1\BENOLS~1\LOCALS~1\Temp\pxtdqpow.sys


    ---- System - GMER 1.0.15 ----

    SSDT \??\C:\Program Files\Norman\Ngs\Bin\nprosec.sys (Norman Process Security Driver/Norman ASA) ZwCreateEvent [0xB632B99A]
    SSDT \??\C:\Program Files\Norman\Ngs\Bin\nprosec.sys (Norman Process Security Driver/Norman ASA) ZwCreateFile [0xB632B3B8]
    SSDT \??\C:\Program Files\Norman\Ngs\Bin\nprosec.sys (Norman Process Security Driver/Norman ASA) ZwCreateProcess [0xB632A83E]
    SSDT \??\C:\Program Files\Norman\Ngs\Bin\nprosec.sys (Norman Process Security Driver/Norman ASA) ZwCreateProcessEx [0xB632A86E]
    SSDT \??\C:\Program Files\Norman\Ngs\Bin\nprosec.sys (Norman Process Security Driver/Norman ASA) ZwCreateThread [0xB632A89E]
    SSDT \??\C:\Program Files\Norman\Ngs\Bin\nprosec.sys (Norman Process Security Driver/Norman ASA) ZwSetSystemInformation [0xB632B4C2]
    SSDT \??\C:\Program Files\Norman\Ngs\Bin\nprosec.sys (Norman Process Security Driver/Norman ASA) ZwTerminateProcess [0xB632B0C4]
    SSDT \??\C:\Program Files\Norman\Ngs\Bin\nprosec.sys (Norman Process Security Driver/Norman ASA) ZwWriteVirtualMemory [0xB632B1B6]

    ---- Kernel code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB8C98360, 0x21235D, 0xE8000020]
    .text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xB4945300, 0x3ACC8, 0xE8000020]
    .text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xBA458300, 0x1B7E, 0xE8000020]
    pnidata C:\WINDOWS\system32\DRIVERS\secdrv.sys unknown last section [0xB48D0F00, 0x24000, 0x48000000]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\System32\svchost.exe[1140] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006E000A
    .text C:\WINDOWS\System32\svchost.exe[1140] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 006F000A
    .text C:\WINDOWS\System32\svchost.exe[1140] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 006D000C
    .text C:\WINDOWS\System32\svchost.exe[1140] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00FF000A
    .text C:\WINDOWS\system32\wuauclt.exe[1712] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0093000A
    .text C:\WINDOWS\system32\wuauclt.exe[1712] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0094000A
    .text C:\WINDOWS\system32\wuauclt.exe[1712] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0092000C
    .text C:\WINDOWS\Explorer.EXE[1824] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C3000A
    .text C:\WINDOWS\Explorer.EXE[1824] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C4000A
    .text C:\WINDOWS\Explorer.EXE[1824] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B8000C
    .text C:\Program Files\Internet Explorer\iexplore.exe[3568] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D4000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3568] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D5000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3568] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D3000C
    .text C:\Program Files\Internet Explorer\iexplore.exe[3568] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3568] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3568] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E4B6F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3568] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4AA1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3568] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4B0C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3568] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4972 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3568] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E49D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3568] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4BD2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3568] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4A36 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3740] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D1000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3740] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D2000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3740] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D0000C
    .text C:\Program Files\Internet Explorer\iexplore.exe[3740] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3740] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AD5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3740] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD135 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3740] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3740] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254666 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3740] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E4B6F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3740] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4AA1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3740] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4B0C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3740] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4972 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3740] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E49D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3740] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4BD2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3740] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4A36 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3740] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB80 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3740] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4EF0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3788] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D1000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3788] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D2000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3788] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D0000C
    .text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AD5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD135 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254666 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E4B6F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4AA1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4B0C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4972 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E49D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4BD2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4A36 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3788] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB80 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3788] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4EF0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3796] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0262000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3796] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0263000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3796] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0261000C
    .text C:\Program Files\Internet Explorer\iexplore.exe[3796] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3796] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AD5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3796] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD135 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3796] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3796] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254666 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3796] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E4B6F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3796] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4AA1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3796] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4B0C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3796] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4972 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3796] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E49D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3796] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4BD2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3796] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4A36 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3796] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB80 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3796] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4EF0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3896] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CF000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3896] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D0000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3896] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00CE000C
    .text C:\Program Files\Internet Explorer\iexplore.exe[3896] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3896] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AD5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3896] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD135 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3896] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3896] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254666 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3896] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E4B6F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3896] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4AA1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3896] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4B0C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3896] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4972 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3896] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E49D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3896] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4BD2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3896] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4A36 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3896] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB80 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3896] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4EF0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Program Files\Internet Explorer\iexplore.exe[3740] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
    IAT C:\Program Files\Internet Explorer\iexplore.exe[3788] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
    IAT C:\Program Files\Internet Explorer\iexplore.exe[3796] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
    IAT C:\Program Files\Internet Explorer\iexplore.exe[3896] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

    ---- Registry - GMER 1.0.15 ----

    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore@Count 111238

    ---- Files - GMER 1.0.15 ----

    File C:\Documents and Settings\Ben Olson\Cookies\ben_olson@invitemedia[3].txt 1269 bytes
    File C:\Documents and Settings\Ben Olson\Local Settings\Temp\~DF4805.tmp 0 bytes
    File C:\Documents and Settings\Ben Olson\Local Settings\Temporary Internet Files\Content.IE5\1YHWP3JS\iframe3[1].htm 0 bytes
    File C:\Documents and Settings\Ben Olson\Local Settings\Temporary Internet Files\Content.IE5\1YHWP3JS\iframe3[2].htm 0 bytes
    File C:\Documents and Settings\Ben Olson\Local Settings\Temporary Internet Files\Content.IE5\1YHWP3JS\st[10] 0 bytes
    File C:\Documents and Settings\Ben Olson\Local Settings\Temporary Internet Files\Content.IE5\1YHWP3JS\st[5] 0 bytes
    File C:\Documents and Settings\Ben Olson\Local Settings\Temporary Internet Files\Content.IE5\1YHWP3JS\st[6] 0 bytes
    File C:\Documents and Settings\Ben Olson\Local Settings\Temporary Internet Files\Content.IE5\1YHWP3JS\st[9] 0 bytes
    File C:\Documents and Settings\Ben Olson\Local Settings\Temporary Internet Files\Content.IE5\QFBFT6IK\aopix[2].gif 0 bytes
    File C:\Documents and Settings\Ben Olson\Local Settings\Temporary Internet Files\Content.IE5\QFBFT6IK\json[2] 0 bytes
    File C:\Documents and Settings\Ben Olson\Local Settings\Temporary Internet Files\Content.IE5\QFBFT6IK\json[3] 0 bytes
    File C:\Documents and Settings\Ben Olson\Local Settings\Temporary Internet Files\Content.IE5\QFBFT6IK\st[2] 0 bytes
    File C:\Documents and Settings\Ben Olson\Local Settings\Temporary Internet Files\Content.IE5\QFBFT6IK\st[3] 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N01HE8A7\box_640w_rounded_gradbox_topgrad[1].gif 2893 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N01HE8A7\CODA[1].js 88722 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N01HE8A7\alertbg[1].gif 49 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N01HE8A7\FFpremiumCSS[1].swf 109216 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N01HE8A7\pach_dollar[1].jpg 697 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N01HE8A7\gt6forumuserDivider[1].gif 1030 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N01HE8A7\gt6_subtabs[1].css 1695 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N01HE8A7\gt6_usermovie_display[1].css 2041 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N01HE8A7\GTAuctionHouse[1].jpg 1431 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N01HE8A7\GTHD[1].jpg 1454 bytes
    5 ----
     
  5. 2010/09/28
    molsonrn

    molsonrn Inactive Thread Starter

    Joined:
    2010/02/08
    Messages:
    121
    Likes Received:
    0
    second part of gmer log

    GMER 1.0.15.15281 - http://www.gmer.net

    ---- EOF - GMER 1.0.15 ----
     
  6. 2010/09/28
    molsonrn

    molsonrn Inactive Thread Starter

    Joined:
    2010/02/08
    Messages:
    121
    Likes Received:
    0
    mbr log

    It said there is a fake MBR....whatever that is. :)


    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000000c

    Kernel Drivers (total 131):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806D0000 \WINDOWS\system32\hal.dll
    0x89BA5000 \WINDOWS\system32\KDCOM.DLL
    0xBA4BC000 \WINDOWS\system32\BOOTVID.dll
    0xB9F79000 ACPI.sys
    0xBA5A8000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xB9F68000 pci.sys
    0xBA0A8000 isapnp.sys
    0xBA670000 pciide.sys
    0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xBA0B8000 MountMgr.sys
    0xB9F49000 ftdisk.sys
    0xBA0C8000 \WINDOWS\system32\drivers\CLASSPNP.SYS
    0xBA330000 PartMgr.sys
    0xBA0D8000 VolSnap.sys
    0xB9F1B000 atapi.sys
    0xBA0E8000 disk.sys
    0xB9EE1000 fltmgr.sys
    0xB9ECF000 sr.sys
    0xB9EB9000 DRVMCDB.SYS
    0xBA0F8000 PxHelp20.sys
    0xB9EA2000 KSecDD.sys
    0xB9E15000 Ntfs.sys
    0xB9DE8000 NDIS.sys
    0xB9DCE000 Mup.sys
    0xBA338000 hotcore3.sys
    0xBA308000 \SystemRoot\system32\DRIVERS\AmdK8.sys
    0xB8B94000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
    0xB8B80000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xBA418000 \SystemRoot\system32\DRIVERS\usbohci.sys
    0xB8B5C000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xBA420000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xBA318000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xBA5D8000 \SystemRoot\System32\Drivers\DLACDBHM.SYS
    0xBA128000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xBA138000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xB8B39000 \SystemRoot\system32\DRIVERS\ks.sys
    0xBA148000 \SystemRoot\system32\DRIVERS\bcm4sbxp.sys
    0xB8B11000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xB9C0B000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xBA158000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xBA584000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xB8AFA000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xBA168000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xBA178000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xBA428000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xB8AE9000 \SystemRoot\system32\DRIVERS\psched.sys
    0xBA188000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xBA430000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xBA438000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xBA198000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xBA440000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xBA448000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xBA5DA000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xB8A8B000 \SystemRoot\system32\DRIVERS\update.sys
    0xBA58C000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xBA450000 \SystemRoot\system32\DRIVERS\UimBus.sys
    0xB8A32000 \SystemRoot\System32\Drivers\Uim_IM.sys
    0xB89F6000 \SystemRoot\System32\Drivers\UimFIO.SYS
    0xB88BB000 \SystemRoot\system32\drivers\sthda.sys
    0xB8897000 \SystemRoot\system32\drivers\portcls.sys
    0xBA1A8000 \SystemRoot\system32\drivers\drmk.sys
    0xBA1B8000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xBA1F8000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xBA5E8000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xB9D8A000 \SystemRoot\System32\Drivers\i2omgmt.SYS
    0xB6221000 \??\C:\Program Files\Norman\Ngs\Bin\nprosec.sys
    0xBA5F0000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xBA79F000 \SystemRoot\System32\Drivers\Null.SYS
    0xBA5F2000 \SystemRoot\System32\Drivers\Beep.SYS
    0xBA480000 \SystemRoot\System32\Drivers\DLARTL_N.SYS
    0xB620B000 \??\C:\WINDOWS\system32\drivers\SBREdrv.sys
    0xBA488000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xBA490000 \SystemRoot\System32\drivers\vga.sys
    0xBA5F4000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xBA5F6000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xBA498000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xBA4A0000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xBA538000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xB61B0000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xB6157000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xB612F000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xBA540000 \SystemRoot\System32\drivers\ws2ifsl.sys
    0xB610D000 \SystemRoot\System32\drivers\afd.sys
    0xBA218000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xB60E2000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xBA4A8000 \??\c:\program files\norman\ngs\bin\ngs.sys
    0xB6072000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xBA248000 \SystemRoot\System32\Drivers\Fips.SYS
    0xB604C000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xBA7BC000 \SystemRoot\System32\Drivers\BANTExt.sys
    0xBA278000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xB600C000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xBA5FA000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xB89D6000 \SystemRoot\System32\drivers\Dxapi.sys
    0xBA368000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xB9BDF000 \SystemRoot\System32\drivers\dxgthk.sys
    0xB61EF000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xBA238000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xBA3C8000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0xB61E7000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0xB61E3000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xBA258000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xBF012000 \SystemRoot\System32\nv4_disp.dll
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xBA1E8000 \SystemRoot\System32\Drivers\DRVNDDM.SYS
    0xBA6EB000 \SystemRoot\System32\DLA\DLADResN.SYS
    0xB4FD2000 \SystemRoot\System32\DLA\DLAIFS_M.SYS
    0xB50E0000 \SystemRoot\System32\DLA\DLAOPIOM.SYS
    0xBA5C2000 \SystemRoot\System32\DLA\DLAPoolM.SYS
    0xB50D4000 \??\C:\Program Files\Norman\Nse\Bin\NDISKIO.SYS
    0xB4FAE000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xBA408000 \SystemRoot\System32\DLA\DLABOIOM.SYS
    0xB4F96000 \SystemRoot\System32\DLA\DLAUDFAM.SYS
    0xB4F80000 \SystemRoot\System32\DLA\DLAUDF_M.SYS
    0xB50B0000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xB4CEB000 \SystemRoot\system32\drivers\wdmaud.sys
    0xB4E10000 \SystemRoot\system32\drivers\sysaudio.sys
    0xB4930000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xBA634000 \SystemRoot\System32\Drivers\ASCTRM.SYS
    0xB48ED000 \SystemRoot\system32\DRIVERS\atksgt.sys
    0xB5E7F000 \SystemRoot\system32\DRIVERS\lirsgt.sys
    0xB5F07000 \??\C:\Program Files\Norman\Ngs\Bin\nregsec.sys
    0xB4875000 \SystemRoot\system32\DRIVERS\secdrv.sys
    0xBA388000 \??\C:\WINDOWS\system32\drivers\symlcbrd.sys
    0xB43D4000 \SystemRoot\System32\Drivers\HTTP.sys
    0xB41F2000 \SystemRoot\system32\DRIVERS\nvcw32mf.sys
    0xB0DD9000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 45):
    0 System Idle Process
    4 System
    380 C:\WINDOWS\system32\smss.exe
    444 csrss.exe
    628 C:\WINDOWS\system32\winlogon.exe
    676 C:\WINDOWS\system32\services.exe
    688 C:\WINDOWS\system32\lsass.exe
    856 C:\Program Files\Norman\Npm\Bin\elogsvc.exe
    888 C:\Program Files\Norman\Ngs\Bin\nnf.exe
    908 C:\Program Files\Norman\Ngs\Bin\nprosec.exe
    964 C:\WINDOWS\system32\svchost.exe
    1036 svchost.exe
    1148 C:\WINDOWS\system32\svchost.exe
    1208 C:\Program Files\Norman\Npm\Bin\Zanda.exe
    1312 C:\Program Files\Norman\Npm\Bin\nvoy.exe
    1368 svchost.exe
    1452 svchost.exe
    1544 C:\WINDOWS\system32\spoolsv.exe
    1832 C:\WINDOWS\explorer.exe
    1996 C:\Program Files\Norman\Npc\Bin\npc_tray.exe
    188 C:\Program Files\Norman\Npm\Bin\ZLH.EXE
    264 svchost.exe
    372 C:\Program Files\Java\jre6\bin\jqs.exe
    432 C:\WINDOWS\system32\nvsvc32.exe
    456 C:\WINDOWS\system32\PnkBstrA.exe
    532 C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
    1100 C:\WINDOWS\system32\UAService7.exe
    1292 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    1376 C:\Program Files\TeamViewer\Version4\TeamViewer.exe
    2076 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
    2644 C:\Program Files\Norman\Npm\Bin\scheduler.exe
    2736 C:\Program Files\Norman\Npm\Bin\Njeeves.exe
    2904 C:\Program Files\Norman\Npc\Bin\nuaa.exe
    2984 alg.exe
    3192 Nsesvc.exe
    3564 C:\Program Files\Norman\nvc\bin\Nvcoas.exe
    3772 C:\Program Files\Common Files\Java\Java Update\jusched .exe
    3548 C:\Program Files\Mozilla Firefox\firefox.exe
    4184 C:\WINDOWS\system32\notepad.exe
    3088 C:\Documents and Settings\All Users\Application Data\m8BN7Y5H.exe
    3376 C:\Documents and Settings\All Users\Application Data\m8BN7Y5H.exe
    2756 C:\Documents and Settings\All Users\Application Data\m8BN7Y5H.exe
    2976 C:\Program Files\Internet Explorer\iexplore.exe
    3176 C:\Program Files\Internet Explorer\iexplore.exe
    1016 C:\Documents and Settings\Ben Olson\My Documents\Downloads\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`036e8e00 (NTFS)

    PhysicalDrive0 Model Number: ST3808110AS, Rev: 3.ADH

    Size Device Name MBR Status
    --------------------------------------------
    74 GB \\.\PhysicalDrive0 MBR Code Faked!
    SHA1: D13DDF8A51F8C99D562C7C0018E2F8FDA7D48E07


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Done!
     
  7. 2010/09/28
    molsonrn

    molsonrn Inactive Thread Starter

    Joined:
    2010/02/08
    Messages:
    121
    Likes Received:
    0
    further info

    I just figured out why you may have asked Norton vs. Norman. The system info listed on my profile is for MY computer. The problem right now is on my son's computer which is where I am typing from now. Didn't know if that made a difference.
     
  8. 2010/09/28
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Yeah, your MBR seems to be infected....

    Please download NTBR by noahdfear and save it to your Desktop.
    File size: 2.44 MB (2,565,432 bytes)

    • Place a blank CD in your CD drive.
    • Double click on NTBR_CD.exe file and a folder of the same name will appear.
    • Open the folder and double click on BurnItCD.cmd file. If your CD drive will open, simply close it back.
    • Follow the prompts to burn the CD.
    • Now you will need to set the CD-Rom as first boot device if it isn't already (if you don't know how to do it, see HERE)
    • If you have any questions about this step, ask before you proceed. If you enter the BIOS and are unsure if you have carried out the step correctly, there should be an option to exit without keeping changes, so you won't do any harm.
    • Insert the newly created CD into your infected PC and reboot your computer.
    • Once you have rebooted please press Enter when prompted to continue booting from CD - you have a whole 15 seconds to do this!
    • Read the warning and then continue as prompted.
    • You first need to select your keyboard layout - press Enter for English.
    • Next you want to select the appropriate tool. Enter 1 to choose 1. MBRWORK
    • On the following screen enter 5 to select Install Standard MBR code.
    • Enter 1 to overwrite the infected MBR Code with the Standard MBR code.
    • When asked to confirm please do so.
    • Afterwards, please enter E to leave MBRWORK, then 6 to leave the bootable CD.
    • Eject the disc and then press ctrl+alt+del to reboot the PC.
    Once rebooted, run MBRCheck again and post its log.
     
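Added example, not code from the thread or from MBRCheck/NTBR: a minimal MBR integrity check in Python that mirrors what the MBRCheck log above reports, parsing a 512-byte boot sector, verifying the 0x55AA signature, SHA1-hashing the boot-code region against an operator-supplied allowlist, and decoding the partition table so the C: offset MBRCheck printed (0x036e8e00) can be cross-checked. The sample sectors and the allowlist are constructed, and hashing exactly the 440-byte code area is an assumption; MBRCheck's own hashing scope is not given in the thread.

```python
"""Minimal MBR integrity check (added example; constructed data, not real MBR bytes)."""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Set

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0..439 hold boot code; 440..445 disk signature + reserved
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries follow
MBR_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


@dataclass
class MbrReport:
    signature_ok: bool
    boot_code_sha1: str
    boot_code_known_good: bool
    partitions: List[Partition]

    @property
    def status(self) -> str:
        """One-line verdict in the spirit of MBRCheck's 'MBR Status' column."""
        if not self.signature_ok:
            return "Invalid MBR signature"
        if self.boot_code_known_good:
            return "Known-good MBR code detected"
        return "Unknown/non-standard MBR code (treat as suspicious)"


def parse_partitions(sector: bytes) -> List[Partition]:
    """Decode the four classic MBR partition entries, skipping empty slots."""
    parts = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from("<B3sB3sII", sector, off)
        if ptype == 0:
            continue
        parts.append(Partition(bootable=(status == 0x80), type_id=ptype,
                               lba_start=lba, sector_count=count))
    return parts


def check_mbr(sector: bytes, known_good_sha1: Set[str]) -> MbrReport:
    """Hash the boot-code region (assumed 440 bytes) and compare with an allowlist."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    digest = hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper()
    return MbrReport(
        signature_ok=sector[510:512] == MBR_SIGNATURE,
        boot_code_sha1=digest,
        boot_code_known_good=digest in known_good_sha1,
        partitions=parse_partitions(sector),
    )


def build_sample_mbr(boot_code: bytes, partitions: List[Partition]) -> bytes:
    """Assemble a 512-byte sector from boot code and up to four partitions (constructed helper)."""
    sector = bytearray(SECTOR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    for i, p in enumerate(partitions[:4]):
        struct.pack_into("<B3sB3sII", sector, PARTITION_TABLE_OFFSET + 16 * i,
                         0x80 if p.bootable else 0x00, b"\xfe\xff\xff",
                         p.type_id, b"\xfe\xff\xff", p.lba_start, p.sector_count)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


# Constructed stand-ins for "standard" and "tampered" boot code (not real MBR code).
GOOD_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOT_CODE_LEN - 8)
BAD_BOOT_CODE = b"\xeb\xfe" + b"\x00" * (BOOT_CODE_LEN - 2)

# Partition layout mirroring the thread: NTFS C: at byte offset 0x036e8e00 = LBA 0x1B747.
# The sector count is a constructed value roughly matching a 71 GiB volume.
SAMPLE_PARTS = [Partition(bootable=True, type_id=0x07, lba_start=0x1B747, sector_count=148_897_792)]

GOOD_MBR = build_sample_mbr(GOOD_BOOT_CODE, SAMPLE_PARTS)
BAD_MBR = build_sample_mbr(BAD_BOOT_CODE, SAMPLE_PARTS)
# Allowlist an operator would fill from a trusted baseline; here the constructed good code.
KNOWN_GOOD = {hashlib.sha1(GOOD_BOOT_CODE).hexdigest().upper()}

if __name__ == "__main__":
    for name, mbr in (("baseline", GOOD_MBR), ("tampered", BAD_MBR)):
        r = check_mbr(mbr, KNOWN_GOOD)
        print(f"{name}: {r.status}  SHA1: {r.boot_code_sha1}")
        for p in r.partitions:
            print(f"  type=0x{p.type_id:02X} boot={p.bootable} "
                  f"start_byte=0x{p.lba_start * SECTOR_SIZE:08x}")
```

To check a real disk, pass the first 512 bytes read from the physical device (on Windows that means an elevated handle to \\.\PhysicalDrive0, the device MBRCheck names in its output).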
  9. 2010/09/28
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I hope you're running all scans on the bad computer.

    I'll need DDS logs from your son's computer then.
     
  10. 2010/09/28
    molsonrn

    molsonrn Inactive Thread Starter

    Joined:
    2010/02/08
    Messages:
    121
    Likes Received:
    0
    yes

    DDS log and all scans have been done from the bad computer.

    I can download the last thing you said to download, but it doesn't let me choose where to save it and now I can't find it to open it.
     
  11. 2010/09/28
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Search computer for NTBR_CD.exe file.
    You can create that CD on any computer.

    If so...
     
  12. 2010/09/28
    molsonrn

    molsonrn Inactive Thread Starter

    Joined:
    2010/02/08
    Messages:
    121
    Likes Received:
    0
    Wow...

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000000c

    Kernel Drivers (total 130):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806D0000 \WINDOWS\system32\hal.dll
    0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
    0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
    0xB9F79000 ACPI.sys
    0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xB9F68000 pci.sys
    0xBA0A8000 isapnp.sys
    0xBA670000 pciide.sys
    0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xBA0B8000 MountMgr.sys
    0xB9F49000 ftdisk.sys
    0xBA0C8000 \WINDOWS\system32\drivers\CLASSPNP.SYS
    0xBA330000 PartMgr.sys
    0xBA0D8000 VolSnap.sys
    0xB9F1B000 atapi.sys
    0xBA0E8000 disk.sys
    0xB9EE1000 fltmgr.sys
    0xB9ECF000 sr.sys
    0xB9EB9000 DRVMCDB.SYS
    0xBA0F8000 PxHelp20.sys
    0xB9EA2000 KSecDD.sys
    0xB9E15000 Ntfs.sys
    0xB9DE8000 NDIS.sys
    0xB9DCE000 Mup.sys
    0xBA338000 hotcore3.sys
    0xBA2F8000 \SystemRoot\system32\DRIVERS\AmdK8.sys
    0xB9A1B000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
    0xB9A07000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xBA400000 \SystemRoot\system32\DRIVERS\usbohci.sys
    0xB99E3000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xBA408000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xBA308000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xBA5D4000 \SystemRoot\System32\Drivers\DLACDBHM.SYS
    0xBA318000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xBA128000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xB99C0000 \SystemRoot\system32\DRIVERS\ks.sys
    0xBA138000 \SystemRoot\system32\DRIVERS\bcm4sbxp.sys
    0xB9998000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xBA6D2000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xBA148000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xBA578000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xB9981000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xBA158000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xBA168000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xBA410000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xB9970000 \SystemRoot\system32\DRIVERS\psched.sys
    0xBA178000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xBA418000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xBA420000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xBA188000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xBA428000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xBA430000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xBA5D6000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xB9912000 \SystemRoot\system32\DRIVERS\update.sys
    0xBA588000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xBA438000 \SystemRoot\system32\DRIVERS\UimBus.sys
    0xB9891000 \SystemRoot\System32\Drivers\Uim_IM.sys
    0xB9855000 \SystemRoot\System32\Drivers\UimFIO.SYS
    0xB96ED000 \SystemRoot\system32\drivers\sthda.sys
    0xB96C9000 \SystemRoot\system32\drivers\portcls.sys
    0xBA198000 \SystemRoot\system32\drivers\drmk.sys
    0xBA1A8000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xBA1B8000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xBA5DE000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xB9DA2000 \SystemRoot\System32\Drivers\i2omgmt.SYS
    0xB61B3000 \??\C:\Program Files\Norman\Ngs\Bin\nprosec.sys
    0xBA5E6000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xB7442000 \SystemRoot\System32\Drivers\Null.SYS
    0xBA5E8000 \SystemRoot\System32\Drivers\Beep.SYS
    0xBA450000 \SystemRoot\System32\Drivers\DLARTL_N.SYS
    0xB619D000 \??\C:\WINDOWS\system32\drivers\SBREdrv.sys
    0xBA458000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xBA460000 \SystemRoot\System32\drivers\vga.sys
    0xBA5EA000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xBA5EC000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xBA468000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xBA470000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xB9D9A000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xB6142000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xB60E9000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xB60C1000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xB9D92000 \SystemRoot\System32\drivers\ws2ifsl.sys
    0xB609F000 \SystemRoot\System32\drivers\afd.sys
    0xBA1D8000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xB6074000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xBA478000 \??\c:\program files\norman\ngs\bin\ngs.sys
    0xB6004000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xBA208000 \SystemRoot\System32\Drivers\Fips.SYS
    0xB5FDE000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xBA218000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xB7435000 \SystemRoot\System32\Drivers\BANTExt.sys
    0xBA54C000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xBA228000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xBA480000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0xBA554000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0xBA248000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xBA560000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xB5F9E000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xBA5F0000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xB98F6000 \SystemRoot\System32\drivers\Dxapi.sys
    0xBA490000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xBA738000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\nv4_disp.dll
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xB6233000 \SystemRoot\System32\Drivers\DRVNDDM.SYS
    0xBA692000 \SystemRoot\System32\DLA\DLADResN.SYS
    0xB561F000 \SystemRoot\System32\DLA\DLAIFS_M.SYS
    0xB5751000 \SystemRoot\System32\DLA\DLAOPIOM.SYS
    0xBA602000 \SystemRoot\System32\DLA\DLAPoolM.SYS
    0xB5749000 \??\C:\Program Files\Norman\Nse\Bin\NDISKIO.SYS
    0xB55FB000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xBA390000 \SystemRoot\System32\DLA\DLABOIOM.SYS
    0xB55E3000 \SystemRoot\System32\DLA\DLAUDFAM.SYS
    0xB55CD000 \SystemRoot\System32\DLA\DLAUDF_M.SYS
    0xB5739000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xB5338000 \SystemRoot\system32\drivers\wdmaud.sys
    0xB56B5000 \SystemRoot\system32\drivers\sysaudio.sys
    0xB506D000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xBA5B0000 \SystemRoot\System32\Drivers\ASCTRM.SYS
    0xB4F62000 \SystemRoot\system32\DRIVERS\atksgt.sys
    0xBA3B8000 \SystemRoot\system32\DRIVERS\lirsgt.sys
    0xB509A000 \??\C:\Program Files\Norman\Ngs\Bin\nregsec.sys
    0xB4EEA000 \SystemRoot\system32\DRIVERS\secdrv.sys
    0xBA3C0000 \??\C:\WINDOWS\system32\drivers\symlcbrd.sys
    0xB4A99000 \SystemRoot\System32\Drivers\HTTP.sys
    0xB48BA000 \SystemRoot\system32\DRIVERS\nvcw32mf.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 44):
    0 System Idle Process
    4 System
    532 C:\WINDOWS\system32\smss.exe
    600 csrss.exe
    624 C:\WINDOWS\system32\winlogon.exe
    668 C:\WINDOWS\system32\services.exe
    680 C:\WINDOWS\system32\lsass.exe
    844 C:\Program Files\Norman\Npm\Bin\elogsvc.exe
    856 C:\Program Files\Norman\Ngs\Bin\nnf.exe
    872 C:\Program Files\Norman\Ngs\Bin\nprosec.exe
    936 C:\WINDOWS\system32\svchost.exe
    1004 svchost.exe
    1108 C:\WINDOWS\system32\svchost.exe
    1152 C:\Program Files\Norman\Npm\Bin\Zanda.exe
    1232 C:\Program Files\Norman\Npm\Bin\nvoy.exe
    1300 svchost.exe
    1392 svchost.exe
    1484 C:\WINDOWS\system32\spoolsv.exe
    1744 C:\WINDOWS\explorer.exe
    1920 C:\Program Files\Norman\Npc\Bin\npc_tray.exe
    1980 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    164 svchost.exe
    232 C:\Program Files\Java\jre6\bin\jqs.exe
    256 C:\WINDOWS\system32\nvsvc32.exe
    292 C:\WINDOWS\system32\PnkBstrA.exe
    376 C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
    424 C:\WINDOWS\system32\UAService7.exe
    488 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    1084 C:\Program Files\TeamViewer\Version4\TeamViewer.exe
    1312 C:\WINDOWS\system32\wuauclt.exe
    1736 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
    1900 C:\Program Files\Mozilla Firefox\firefox.exe
    2564 C:\Program Files\Norman\Npm\Bin\scheduler.exe
    2636 C:\Program Files\Norman\Npm\Bin\Njeeves.exe
    2692 C:\Program Files\Norman\Npc\Bin\nuaa.exe
    2724 alg.exe
    2836 Nsesvc.exe
    3096 C:\Program Files\Common Files\Java\Java Update\jusched .exe
    3400 C:\Program Files\Norman\nvc\bin\Nvcoas.exe
    3748 C:\Documents and Settings\All Users\Application Data\m8BN7Y5H.exe
    1644 iexplore.exe
    2440 C:\Program Files\Internet Explorer\iexplore.exe
    2544 C:\Program Files\Internet Explorer\iexplore.exe
    2940 C:\Documents and Settings\Ben Olson\My Documents\Downloads\MBRCheck(3).exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`036e8e00 (NTFS)

    PhysicalDrive0 Model Number: ST3808110AS, Rev: 3.ADH

    Size Device Name MBR Status
    --------------------------------------------
    74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!

    And I believe it to be Norman.
     
  13. 2010/09/28
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Looks good now :)

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  14. 2010/09/28
    molsonrn

    molsonrn Inactive Thread Starter

    Joined:
    2010/02/08
    Messages:
    121
    Likes Received:
    0
    after combofix

    ComboFix 10-09-27.05 - Ben Olson 09/28/2010 19:11:53.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1428 [GMT -5:00]
    Running from: c:\documents and settings\Ben Olson\My Documents\Downloads\ComboFix.exe
    AV: Norman Security Suite *On-access scanning disabled* (Updated) {EB9EFB40-AE72-4C43-B204-0FCD0E92D5F1}
    FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\.wtav
    c:\documents and settings\All Users\Application Data\m8BN7Y5H.exe
    c:\documents and settings\All Users\Application Data\Toolbar4
    C:\LOG3.tmp
    c:\program files\Common Files\Java\Java Update\jusched.exe
    c:\program files\Norman\Npm\Bin\ZLH.EXE
    c:\program files\QuickTime\qttask .exe
    (the line above appears 47 times in the log; the names differ only in the run of spaces before .exe)
    c:\program files\QuickTime\qttask.exe
    c:\windows\pack.epk
    c:\windows\system32\logs
    c:\windows\system32\USRINI~1.EXE
    c:\windows\Tasks\At100.job
    c:\windows\Tasks\At101.job
    c:\windows\Tasks\At102.job
    c:\windows\Tasks\At104.job
    c:\windows\Tasks\At105.job
    c:\windows\Tasks\At107.job
    c:\windows\Tasks\At108.job

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_ZUMIESEARCH_SERVICE


    ((((((((((((((((((((((((( Files Created from 2010-08-28 to 2010-09-29 )))))))))))))))))))))))))))))))
    .

    2010-09-26 11:59 . 2010-09-26 11:59 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
    2010-09-25 18:05 . 2010-09-25 18:05 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
    2010-09-15 23:34 . 2010-09-15 23:34 -------- d-----w- c:\program files\Blockland
    2010-09-15 20:58 . 2010-08-19 07:12 68176 ----a-w- c:\windows\system32\drivers\ale_nf64.sys
    2010-09-15 20:58 . 2010-08-19 07:12 61472 ----a-w- c:\windows\system32\drivers\ale_nf.sys
    2010-09-10 06:22 . 2010-09-10 06:22 -------- d-sh--w- c:\documents and settings\NetworkService\UserData
    2010-09-05 15:22 . 2010-09-28 19:08 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-09-04 17:14 . 2010-09-04 17:14 -------- d-----w- c:\documents and settings\Ben Olson\Local Settings\Application Data\LucasArts

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-29 00:15 . 2006-11-29 05:18 -------- d-----w- c:\program files\QuickTime
    2010-09-28 21:28 . 2010-09-22 21:31 112 ----a-w- c:\documents and settings\All Users\Application Data\V5Y0Ai2e.dat
    2010-09-18 20:13 . 2008-06-23 03:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-09-15 23:41 . 2007-01-27 02:06 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-09-15 23:41 . 2009-10-16 00:58 -------- d-----w- c:\program files\Activision
    2010-09-15 23:40 . 2006-11-29 05:18 -------- d-----w- c:\program files\Common Files\InstallShield
    2010-09-15 23:40 . 2007-03-23 21:34 -------- d-----w- c:\program files\LucasArts
    2010-09-15 23:39 . 2007-08-09 14:17 -------- d-----w- c:\program files\THQ
    2010-09-15 23:34 . 2007-06-30 17:12 -------- d-----w- c:\program files\Hasbro Interactive
    2010-09-09 01:02 . 2007-01-23 01:38 96528 ----a-w- c:\documents and settings\Ben Olson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-08-26 19:38 . 2010-03-31 17:22 99 ----a-w- c:\documents and settings\Ben Olson\jagex_runescape_preferences2.dat
    2010-08-26 19:01 . 2008-07-27 14:16 46 ----a-w- c:\documents and settings\Ben Olson\jagex_runescape_preferences.dat
    2010-08-20 04:46 . 2010-08-26 19:47 1312120 ----a-w- c:\documents and settings\Ben Olson\Application Data\Mozilla\Firefox\Profiles\e9l048xv.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\BFHUpdater.exe
    2010-08-20 04:46 . 2010-08-26 19:47 724992 ----a-w- c:\documents and settings\Ben Olson\Application Data\Mozilla\Firefox\Profiles\e9l048xv.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
    2010-08-18 18:46 . 2009-12-03 23:50 -------- d-----w- c:\program files\Norman
    2010-08-16 17:59 . 2008-09-06 17:16 -------- d-----w- c:\program files\Microsoft Games
    2010-08-11 20:13 . 2009-09-28 20:50 138184 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
    2010-08-11 20:13 . 2009-09-28 20:50 215016 ----a-w- c:\windows\system32\PnkBstrB.exe
    2010-08-05 17:33 . 2010-08-05 17:33 -------- d-----w- c:\program files\Glary Utilities
    2010-08-05 17:26 . 2010-08-05 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Paragon
    2010-08-05 17:17 . 2010-08-05 17:17 -------- d-----w- c:\program files\Paragon Software
    2010-08-05 17:16 . 2007-06-30 15:14 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-08-05 17:07 . 2009-03-02 03:52 -------- d-----w- c:\documents and settings\Ben Olson\Application Data\Auslogics
    2010-08-05 16:51 . 2010-08-04 13:46 -------- d-----w- c:\program files\Auslogics
    2010-08-04 13:53 . 2006-11-29 05:11 -------- d-----w- c:\program files\Common Files\Java
    2010-08-04 13:52 . 2010-06-16 18:05 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-08-04 04:36 . 2008-12-13 14:23 -------- d-----w- c:\documents and settings\Ben Olson\Application Data\Unity
    2010-08-04 04:36 . 2008-12-13 13:59 -------- d-----w- c:\program files\Unity
    2010-08-04 04:36 . 2009-12-16 22:25 -------- d-----w- c:\program files\Pando Networks
    2010-08-03 23:05 . 2008-06-23 04:09 -------- d-----w- c:\program files\Windows Live Safety Center
    2010-08-03 22:33 . 2010-08-03 22:33 61440 ----a-w- c:\documents and settings\Ben Olson\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-5d2d9614-n\decora-sse.dll
    2010-08-03 22:33 . 2010-08-03 22:33 503808 ----a-w- c:\documents and settings\Ben Olson\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2c4dbbde-n\msvcp71.dll
    2010-08-03 22:33 . 2010-08-03 22:33 499712 ----a-w- c:\documents and settings\Ben Olson\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2c4dbbde-n\jmc.dll
    2010-08-03 22:33 . 2010-08-03 22:33 348160 ----a-w- c:\documents and settings\Ben Olson\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2c4dbbde-n\msvcr71.dll
    2010-08-03 22:33 . 2010-08-03 22:33 12800 ----a-w- c:\documents and settings\Ben Olson\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-5d2d9614-n\decora-d3d.dll
    2010-08-03 21:30 . 2010-08-03 21:30 -------- d-----w- c:\documents and settings\Ben Olson\Application Data\Malwarebytes
    2010-08-03 21:30 . 2010-08-03 21:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-03 21:30 . 2010-08-03 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-08-03 21:28 . 2008-06-22 21:35 -------- d-----w- c:\program files\CCleaner
    2008-06-22 21:24 . 2007-12-15 19:36 88 --sh--r- c:\windows\system32\94B7304BDE.sys
    2008-06-22 21:24 . 2007-12-15 19:36 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
    .
    Code:
    c:\program files\Common Files\Java\Java Update\jusched .exe
    c:\program files\Norman\Npm\Bin\ZLH .exe
    c:\program files\QuickTime\qttask                                                .exe
    c:\windows\system32\rundll32 .exe
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
    "NPCTray"="c:\program files\Norman\npc\bin\npc_tray.exe" [2010-02-22 93616]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-16 7323648]
    "Norman ZANDA"="c:\program files\Norman\Npm\Bin\ZLH.EXE" [N/A]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [N/A]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]
    "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe" [2010-08-03 231888]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Ben Olson^Start Menu^Programs^Startup^Yahoo! Widget Engine.lnk]
    backup=c:\windows\pss\Yahoo! Widget Engine.lnkStartup
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kggyyc
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegPowerClean
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
    2005-09-08 11:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
    2005-10-05 09:12 94208 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    2004-07-27 22:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2004-07-27 22:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2006-06-16 14:39 7323648 ----a-w- c:\windows\system32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    c:\program files\QuickTime\qttask.exe [N/A]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    2006-11-29 05:18 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
    2006-08-15 09:00 282624 ----a-w- c:\windows\stsystra.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
    c:\program files\AWS\WeatherBug\Weather.exe [N/A]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WMPNetworkSvc"=3 (0x3)
    "Symantec Core LC"=2 (0x2)
    "ZumieSearch Service"=2 (0x2)
    "WinDefend"=2 (0x2)
    "MDM"=2 (0x2)
    "gusvc"=3 (0x3)
    "aawservice"=2 (0x2)
    "JavaQuickStarterService"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\dplaysvr.exe"=
    "c:\\WINDOWS\\system32\\javaw.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Games\\Age of Mythology\\aom.exe"=
    "c:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=
    "c:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=
    "c:\\Program Files\\SEGA\\Iron Man\\IronMan.exe"=
    "c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "c:\\Program Files\\Activision\\Marvel - Ultimate Alliance\\Game.exe"=
    "c:\\Program Files\\Demolition Champions\\cars.exe"=
    "c:\\Program Files\\Atari\\Axis & Allies\\AA.exe"=
    "c:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"=
    "c:\\Program Files\\Microsoft Games\\Rise of Nations\\nations.exe"=
    "c:\\Program Files\\Microsoft Games\\Rise Of Legends\\legends.exe"=

    R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [8/5/2010 12:18 PM 40560]
    R1 NGS;Norman General Security Driver;c:\program files\Norman\Ngs\Bin\ngs.sys [8/19/2010 10:44 PM 26744]
    R1 NPROSEC;Norman Security driver;c:\program files\Norman\Ngs\Bin\nprosec.sys [8/19/2010 10:44 PM 72392]
    R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [8/3/2010 8:59 AM 93872]
    R2 Ndiskio;Ndiskio;c:\program files\Norman\Nse\Bin\Ndiskio.sys [12/3/2009 6:52 PM 22880]
    R2 NNFSVC;Norman Network Filtering service;c:\program files\Norman\Ngs\Bin\nnf.exe [8/19/2010 10:44 PM 219904]
    R2 NPROSECSVC;Norman Security service;c:\program files\Norman\Ngs\Bin\nprosec.exe [8/19/2010 10:44 PM 103016]
    R2 nregsec;Norman Registry Security driver;c:\program files\Norman\Ngs\Bin\nregsec.sys [8/19/2010 10:44 PM 40384]
    R2 NVOY;Norman Resource Provider;c:\program files\Norman\Npm\Bin\nvoy.exe [12/3/2009 6:52 PM 98776]
    R2 TeamViewer4;TeamViewer 4;c:\program files\TeamViewer\Version4\TeamViewer_Service.exe [1/28/2009 2:39 AM 185640]
    R3 nsesvc;Norman Scanner Engine Service;c:\program files\Norman\Nse\Bin\Nsesvc.exe [6/21/2010 12:22 PM 282624]
    R3 NUAA;Norman User Activity Agent;c:\program files\Norman\Npc\Bin\nuaa.exe [12/3/2009 6:52 PM 99656]
    R3 Scheduler;Norman Scheduler Service;c:\program files\Norman\Npm\Bin\scheduler.exe [12/3/2009 6:52 PM 133272]
    S3 NvcMFlt;NvcMFlt;c:\windows\system32\drivers\nvcw32mf.sys [12/3/2009 6:52 PM 21832]
    S3 nvcoas;Norman Virus Control on-access component;c:\program files\Norman\nvc\bin\Nvcoas.exe [12/3/2009 6:52 PM 210248]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-29 c:\windows\Tasks\GlaryInitialize.job
    - c:\program files\Glary Utilities\initialize.exe [2010-08-05 16:21]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel
    LSP: c:\program files\Norman\ngs\bin\nlf.dll
    DPF: {10ECCE17-29B5-4880-A8F5-EAD298611484} - hxxp://cdnrep.reimage.com/reix1224.cab
    DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.53.0.cab
    FF - ProfilePath - c:\documents and settings\Ben Olson\Application Data\Mozilla\Firefox\Profiles\e9l048xv.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2570793&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Ask.com
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2570793&q=
    FF - plugin: c:\documents and settings\Ben Olson\Application Data\Mozilla\Firefox\Profiles\e9l048xv.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    URLSearchHooks-{605B3D3F-4F33-41D0-BA27-98238E1E839F} - (no file)



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-28 19:18
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,86,97,2a,58,37,d5,4c,9e,b0,15,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,86,97,2a,58,37,d5,4c,9e,b0,15,\

    [HKEY_USERS\S-1-5-21-3622982708-3699623442-3766893002-1007\Software\SecuROM\License information*]
    "datasecu"=hex:ed,7a,66,53,da,62,81,06,84,cc,9d,ec,0d,23,27,dd,23,99,b2,84,47,
    9b,66,06,05,4e,eb,cc,f4,3a,03,9c,4c,cf,86,df,f6,97,38,7b,36,ce,38,0b,94,d8,\
    "rkeysecu"=hex:e7,2b,75,4a,e1,49,38,e6,9a,b2,81,c2,23,03,04,10

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2024)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Norman\Npm\Bin\Elogsvc.exe
    c:\program files\Norman\Npm\Bin\Zanda.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\PnkBstrA.exe
    c:\windows\system32\UAService7.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\program files\TeamViewer\Version4\TeamViewer.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\program files\Norman\Npm\Bin\Njeeves.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2010-09-28 19:25:06 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-09-29 00:25

    Pre-Run: 21,920,751,616 bytes free
    Post-Run: 23,718,924,288 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

    - - End Of File - - 68DCAE78B921841A941A682A01A7F537





    When I tried to come on thru IE, tons of windows started popping up again, so I had to end task and come online with Firefox. So something must still be wrong somewhere.

  15. 2010/09/28
    broni Moderator Malware Analyst
    Your computer is still infected. That's why.

    Before we go any further, I need you to answer my question, I asked twice already.
    What is your current security program? Norman, or Norton?

  16. 2010/09/29
    molsonrn Inactive Thread Starter
    reply

    Norman.

  17. 2010/09/29
    broni Moderator Malware Analyst
    Run Norton Removal Tool: http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN

    Then....

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\documents and settings\All Users\Application Data\V5Y0Ai2e.dat
    c:\windows\system32\94B7304BDE.sys

    RenV::
    c:\program files\Common Files\Java\Java Update\jusched .exe
    c:\program files\Norman\Npm\Bin\ZLH .exe
    c:\program files\QuickTime\qttask                                                .exe
    c:\windows\system32\rundll32 .exe

    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kggyyc]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegPowerClean]


    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [animation: dragging CFScript.txt onto ComboFix.exe]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
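The log in post 14 and the RenV:: block above both turn on one trick: look-alike names such as "qttask .exe", "jusched .exe", "ZLH .exe" and "rundll32 .exe" with a run of spaces before the extension, one of them launched from a Run value, next to a set of At<n>.job scheduled tasks that ComboFix also removed. The following is an added example, not part of the original thread and not a ComboFix feature: a small Python scanner that reads ComboFix-style lines and flags those two patterns. The sample lines are constructed to mirror the log's format, and the regular expressions and the At<n>.job heuristic are the example's own assumptions, not anything ComboFix documents.

```python
"""Spot whitespace-padded executable names and At<n>.job tasks in
ComboFix-style log lines. Added example; not ComboFix's own logic."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Extensions worth caring about; "job" covers %windir%\Tasks entries.
EXTENSIONS = "exe|dll|sys|scr|com|bat|cmd|job"

# A Windows path up to the first executable-style extension. Non-greedy, so a
# Run value like "c:\...\qttask .exe -atboottime" yields only the path part.
# Registry dumps double the backslashes; the character class still admits them.
WIN_PATH = re.compile(
    r'[a-zA-Z]:\\[^"\r\n\[\]]*?\.(?:' + EXTENSIONS + r')\b', re.IGNORECASE
)

# A file name whose base is followed by whitespace and then the extension.
PADDED_NAME = re.compile(r"(?P<base>\S+?)(?P<pad>\s+)\.(?P<ext>\w+)")

# at.exe writes its jobs as At<n>.job; the log shows At100.job .. At108.job
# being deleted. Assumed heuristic: flag every such name for review.
AT_JOB = re.compile(r"At\d+\.job", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str       # "padded-name" or "at-job"
    path: str       # path exactly as it appeared in the log line
    lookalike: str  # the legitimate-looking name the entry imitates


def basename(path: str) -> str:
    """Last path component, tolerating the doubled backslashes of .reg dumps."""
    return path.replace("\\\\", "\\").rsplit("\\", 1)[-1]


def classify(line_no: int, path: str) -> Optional[Finding]:
    """Return a Finding if the path matches one of the two patterns, else None."""
    name = basename(path)
    padded = PADDED_NAME.fullmatch(name)
    if padded:
        return Finding(line_no, "padded-name", path,
                       f"{padded['base']}.{padded['ext']}")
    if AT_JOB.fullmatch(name):
        return Finding(line_no, "at-job", path, name)
    return None


def scan_log(text: str) -> List[Finding]:
    """Walk every line, pull out Windows paths, and classify each one."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in WIN_PATH.finditer(line):
            finding = classify(line_no, match.group(0))
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed sample in ComboFix's format: deletion lines, a Run value, and a
# firewall-list entry with doubled backslashes. Lines 2, 3, 5 and 7 carry
# padded names, line 6 is an at.exe job, the rest are clean look-alikes.
SAMPLE_LOG = r"""
c:\documents and settings\All Users\Application Data\m8BN7Y5H.exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\QuickTime\qttask                   .exe
c:\program files\QuickTime\qttask.exe
c:\windows\system32\rundll32 .exe
c:\windows\Tasks\At100.job
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"NPCTray"="c:\program files\Norman\npc\bin\npc_tray.exe" [2010-02-22 93616]
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
""".strip("\n")


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind:11} {f.path!r}  imitates {f.lookalike}")
```

Run it on a saved ComboFix.txt by passing the file's contents to scan_log; each hit names the line, the path as logged, and the clean name it is masquerading as, which is exactly the pair a RenV:: entry in a CFScript is built from. The padded-name check is deliberately narrow (whitespace immediately before the extension) so that ordinary names containing spaces elsewhere, like "Windows Live Safety Center", do not trigger it.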
     
  18. 2010/09/29
    molsonrn Inactive Thread Starter
    combofix

    ComboFix 10-09-27.05 - Ben Olson 09/29/2010 20:31:16.2.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1478 [GMT -5:00]
    Running from: c:\documents and settings\Ben Olson\My Documents\Downloads\ComboFix.exe
    Command switches used :: c:\documents and settings\Ben Olson\Desktop\cfscript.txt
    AV: Norman Security Suite *On-access scanning disabled* (Updated) {EB9EFB40-AE72-4C43-B204-0FCD0E92D5F1}

    FILE ::
    "c:\documents and settings\All Users\Application Data\V5Y0Ai2e.dat"
    "c:\windows\system32\94B7304BDE.sys"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\V5Y0Ai2e.dat
    c:\program files\Search Toolbar
    c:\program files\Search Toolbar\icon.ico
    c:\program files\Search Toolbar\SearchToolbar.dll
    c:\program files\Search Toolbar\SearchToolbarUninstall.exe
    c:\program files\Search Toolbar\SearchToolbarUpdater.exe
    c:\windows\system32\94B7304BDE.sys

    .
    ((((((((((((((((((((((((( Files Created from 2010-08-28 to 2010-09-30 )))))))))))))))))))))))))))))))
    .

    2010-09-29 21:09 . 2010-09-29 21:09 444952 ----a-w- c:\windows\system32\wrap_oal.dll
    2010-09-29 21:09 . 2010-09-29 21:09 109080 ----a-w- c:\windows\system32\OpenAL32.dll
    2010-09-29 21:09 . 2010-09-29 21:09 -------- d-----w- c:\program files\OpenAL
    2010-09-29 21:08 . 2010-09-29 21:09 -------- d-----w- c:\program files\AssaultCube_v1.1.0.1
    2010-09-26 11:59 . 2010-09-26 11:59 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
    2010-09-25 18:05 . 2010-09-25 18:05 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
    2010-09-15 23:34 . 2010-09-15 23:34 -------- d-----w- c:\program files\Blockland
    2010-09-15 20:58 . 2010-08-19 07:12 68176 ----a-w- c:\windows\system32\drivers\ale_nf64.sys
    2010-09-15 20:58 . 2010-08-19 07:12 61472 ----a-w- c:\windows\system32\drivers\ale_nf.sys
    2010-09-10 06:22 . 2010-09-10 06:22 -------- d-sh--w- c:\documents and settings\NetworkService\UserData
    2010-09-05 15:22 . 2010-09-28 19:08 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-09-04 17:14 . 2010-09-04 17:14 -------- d-----w- c:\documents and settings\Ben Olson\Local Settings\Application Data\LucasArts

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-30 01:31 . 2006-11-29 05:18 -------- d-----w- c:\program files\QuickTime
    2010-09-18 20:13 . 2008-06-23 03:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-09-15 23:41 . 2007-01-27 02:06 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-09-15 23:41 . 2009-10-16 00:58 -------- d-----w- c:\program files\Activision
    2010-09-15 23:40 . 2006-11-29 05:18 -------- d-----w- c:\program files\Common Files\InstallShield
    2010-09-15 23:40 . 2007-03-23 21:34 -------- d-----w- c:\program files\LucasArts
    2010-09-15 23:39 . 2007-08-09 14:17 -------- d-----w- c:\program files\THQ
    2010-09-15 23:34 . 2007-06-30 17:12 -------- d-----w- c:\program files\Hasbro Interactive
    2010-09-09 01:02 . 2007-01-23 01:38 96528 ----a-w- c:\documents and settings\Ben Olson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-08-26 19:38 . 2010-03-31 17:22 99 ----a-w- c:\documents and settings\Ben Olson\jagex_runescape_preferences2.dat
    2010-08-26 19:01 . 2008-07-27 14:16 46 ----a-w- c:\documents and settings\Ben Olson\jagex_runescape_preferences.dat
    2010-08-20 04:46 . 2010-08-26 19:47 1312120 ----a-w- c:\documents and settings\Ben Olson\Application Data\Mozilla\Firefox\Profiles\e9l048xv.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\BFHUpdater.exe
    2010-08-20 04:46 . 2010-08-26 19:47 724992 ----a-w- c:\documents and settings\Ben Olson\Application Data\Mozilla\Firefox\Profiles\e9l048xv.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
    2010-08-18 18:46 . 2009-12-03 23:50 -------- d-----w- c:\program files\Norman
    2010-08-17 13:17 . 2004-08-10 18:51 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-16 17:59 . 2008-09-06 17:16 -------- d-----w- c:\program files\Microsoft Games
    2010-08-11 20:13 . 2009-09-28 20:50 138184 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
    2010-08-11 20:13 . 2009-09-28 20:50 215016 ----a-w- c:\windows\system32\PnkBstrB.exe
    2010-08-05 17:33 . 2010-08-05 17:33 -------- d-----w- c:\program files\Glary Utilities
    2010-08-05 17:26 . 2010-08-05 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Paragon
    2010-08-05 17:17 . 2010-08-05 17:17 -------- d-----w- c:\program files\Paragon Software
    2010-08-05 17:16 . 2007-06-30 15:14 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-08-05 17:07 . 2009-03-02 03:52 -------- d-----w- c:\documents and settings\Ben Olson\Application Data\Auslogics
    2010-08-05 16:51 . 2010-08-04 13:46 -------- d-----w- c:\program files\Auslogics
    2010-08-04 13:53 . 2006-11-29 05:11 -------- d-----w- c:\program files\Common Files\Java
    2010-08-04 13:52 . 2010-06-16 18:05 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-08-04 04:36 . 2008-12-13 14:23 -------- d-----w- c:\documents and settings\Ben Olson\Application Data\Unity
    2010-08-04 04:36 . 2008-12-13 13:59 -------- d-----w- c:\program files\Unity
    2010-08-04 04:36 . 2009-12-16 22:25 -------- d-----w- c:\program files\Pando Networks
    2010-08-03 23:05 . 2008-06-23 04:09 -------- d-----w- c:\program files\Windows Live Safety Center
    2010-08-03 22:33 . 2010-08-03 22:33 61440 ----a-w- c:\documents and settings\Ben Olson\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-5d2d9614-n\decora-sse.dll
    2010-08-03 22:33 . 2010-08-03 22:33 503808 ----a-w- c:\documents and settings\Ben Olson\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2c4dbbde-n\msvcp71.dll
    2010-08-03 22:33 . 2010-08-03 22:33 499712 ----a-w- c:\documents and settings\Ben Olson\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2c4dbbde-n\jmc.dll
    2010-08-03 22:33 . 2010-08-03 22:33 348160 ----a-w- c:\documents and settings\Ben Olson\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2c4dbbde-n\msvcr71.dll
    2010-08-03 22:33 . 2010-08-03 22:33 12800 ----a-w- c:\documents and settings\Ben Olson\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-5d2d9614-n\decora-d3d.dll
    2010-08-03 21:30 . 2010-08-03 21:30 -------- d-----w- c:\documents and settings\Ben Olson\Application Data\Malwarebytes
    2010-08-03 21:30 . 2010-08-03 21:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-03 21:30 . 2010-08-03 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-08-03 21:28 . 2008-06-22 21:35 -------- d-----w- c:\program files\CCleaner
    2010-07-22 15:49 . 2004-08-10 18:51 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    2010-07-22 05:57 . 2009-04-17 15:02 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2008-06-22 21:24 . 2007-12-15 19:36 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NPCTray"="c:\program files\Norman\npc\bin\npc_tray.exe" [2010-02-22 93616]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-16 7323648]
    "Norman ZANDA"="c:\program files\Norman\Npm\Bin\ZLH.EXE" [2010-01-29 189824]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]
    "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe" [2010-08-03 231888]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Ben Olson^Start Menu^Programs^Startup^Yahoo! Widget Engine.lnk]
    backup=c:\windows\pss\Yahoo! Widget Engine.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
    2005-09-08 11:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
    2005-10-05 09:12 94208 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    2004-07-27 22:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2004-07-27 22:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2006-06-16 14:39 7323648 ----a-w- c:\windows\system32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2006-11-29 05:18 98304 ----a-w- c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    2006-11-29 05:18 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
    2006-08-15 09:00 282624 ----a-w- c:\windows\stsystra.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WMPNetworkSvc"=3 (0x3)
    "Symantec Core LC"=2 (0x2)
    "ZumieSearch Service"=2 (0x2)
    "WinDefend"=2 (0x2)
    "MDM"=2 (0x2)
    "gusvc"=3 (0x3)
    "aawservice"=2 (0x2)
    "JavaQuickStarterService"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\dplaysvr.exe"=
    "c:\\WINDOWS\\system32\\javaw.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Games\\Age of Mythology\\aom.exe"=
    "c:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=
    "c:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=
    "c:\\Program Files\\SEGA\\Iron Man\\IronMan.exe"=
    "c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "c:\\Program Files\\Activision\\Marvel - Ultimate Alliance\\Game.exe"=
    "c:\\Program Files\\Demolition Champions\\cars.exe"=
    "c:\\Program Files\\Atari\\Axis & Allies\\AA.exe"=
    "c:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"=
    "c:\\Program Files\\Microsoft Games\\Rise of Nations\\nations.exe"=
    "c:\\Program Files\\Microsoft Games\\Rise Of Legends\\legends.exe"=

    R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [8/5/2010 12:18 PM 40560]
    R1 NGS;Norman General Security Driver;c:\program files\Norman\Ngs\Bin\ngs.sys [8/19/2010 10:44 PM 26744]
    R1 NPROSEC;Norman Security driver;c:\program files\Norman\Ngs\Bin\nprosec.sys [8/19/2010 10:44 PM 72392]
    R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [8/3/2010 8:59 AM 93872]
    R2 Ndiskio;Ndiskio;c:\program files\Norman\Nse\Bin\Ndiskio.sys [12/3/2009 6:52 PM 22880]
    R2 NNFSVC;Norman Network Filtering service;c:\program files\Norman\Ngs\Bin\nnf.exe [8/19/2010 10:44 PM 219904]
    R2 NPROSECSVC;Norman Security service;c:\program files\Norman\Ngs\Bin\nprosec.exe [8/19/2010 10:44 PM 103016]
    R2 nregsec;Norman Registry Security driver;c:\program files\Norman\Ngs\Bin\nregsec.sys [8/19/2010 10:44 PM 40384]
    R2 NVOY;Norman Resource Provider;c:\program files\Norman\Npm\Bin\nvoy.exe [12/3/2009 6:52 PM 98776]
    R2 TeamViewer4;TeamViewer 4;c:\program files\TeamViewer\Version4\TeamViewer_Service.exe [1/28/2009 2:39 AM 185640]
    R3 nsesvc;Norman Scanner Engine Service;c:\program files\Norman\Nse\Bin\Nsesvc.exe [6/21/2010 12:22 PM 282624]
    R3 NUAA;Norman User Activity Agent;c:\program files\Norman\Npc\Bin\nuaa.exe [12/3/2009 6:52 PM 99656]
    R3 Scheduler;Norman Scheduler Service;c:\program files\Norman\Npm\Bin\scheduler.exe [12/3/2009 6:52 PM 133272]
    S3 NvcMFlt;NvcMFlt;c:\windows\system32\drivers\nvcw32mf.sys [12/3/2009 6:52 PM 21832]
    S3 nvcoas;Norman Virus Control on-access component;c:\program files\Norman\nvc\bin\Nvcoas.exe [12/3/2009 6:52 PM 210248]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - symlcbrd
    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-29 c:\windows\Tasks\GlaryInitialize.job
    - c:\program files\Glary Utilities\initialize.exe [2010-08-05 16:21]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel
    LSP: c:\program files\Norman\ngs\bin\nlf.dll
    DPF: {10ECCE17-29B5-4880-A8F5-EAD298611484} - hxxp://cdnrep.reimage.com/reix1224.cab
    DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.53.0.cab
    FF - ProfilePath - c:\documents and settings\Ben Olson\Application Data\Mozilla\Firefox\Profiles\e9l048xv.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2570793&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Bing
    FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
    FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
    FF - plugin: c:\documents and settings\Ben Olson\Application Data\Mozilla\Firefox\Profiles\e9l048xv.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-Weather - c:\program files\AWS\WeatherBug\Weather.exe
    AddRemove-Search Toolbar - c:\program files\Search Toolbar\SearchToolbarUninstall.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-29 20:37
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,86,97,2a,58,37,d5,4c,9e,b0,15,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,86,97,2a,58,37,d5,4c,9e,b0,15,\

    [HKEY_USERS\S-1-5-21-3622982708-3699623442-3766893002-1007\Software\SecuROM\License information*]
    "datasecu"=hex:ed,7a,66,53,da,62,81,06,84,cc,9d,ec,0d,23,27,dd,23,99,b2,84,47,
    9b,66,06,05,4e,eb,cc,f4,3a,03,9c,4c,cf,86,df,f6,97,38,7b,36,ce,38,0b,94,d8,\
    "rkeysecu"=hex:e7,2b,75,4a,e1,49,38,e6,9a,b2,81,c2,23,03,04,10

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2010-09-29 20:38:55
    ComboFix-quarantined-files.txt 2010-09-30 01:38
    ComboFix2.txt 2010-09-29 00:25

    Pre-Run: 23,439,454,208 bytes free
    Post-Run: 23,446,913,024 bytes free

    - - End Of File - - D28FC51BE27B0C611F59F10E1973840C
     
  19. 2010/09/29
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    It looks pretty good now :)

    How is the computer doing?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  20. 2010/10/01
    molsonrn

    molsonrn Inactive Thread Starter

    Joined:
    2010/02/08
    Messages:
    121
    Likes Received:
    0
    otl.txt part 1

    OTL logfile created on: 10/1/2010 6:58:15 AM - Run 1
    OTL by OldTimer - Version 3.2.14.1 Folder = C:\Documents and Settings\Ben Olson\My Documents\Downloads
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 66.00% Memory free
    3.00 Gb Paging File | 3.00 Gb Available in Paging File | 85.00% Paging File free
    Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 71.20 Gb Total Space | 21.80 Gb Free Space | 30.61% Space Free | Partition Type: NTFS
    D: Drive not present or media not loaded
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: BEN
    Current User Name: Ben Olson
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 90 Days
    Output = Standard
    Quick Scan

    ========== Processes (SafeList) ==========

    PRC - [2010/10/01 06:57:02 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ben Olson\My Documents\Downloads\OTL.exe
    PRC - [2010/09/26 13:32:35 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
    PRC - [2010/08/12 06:44:29 | 000,210,248 | ---- | M] (Norman ASA) -- C:\Program Files\Norman\nvc\bin\Nvcoas.exe
    PRC - [2010/06/24 04:35:17 | 000,219,904 | ---- | M] (Norman ASA) -- C:\Program Files\Norman\Ngs\Bin\nnf.exe
    PRC - [2010/06/14 07:29:58 | 000,282,624 | ---- | M] (Norman ASA) -- C:\Program Files\Norman\Nse\Bin\Nsesvc.exe
    PRC - [2010/05/18 07:40:06 | 000,301,192 | ---- | M] (Norman ASA) -- C:\Program Files\Norman\Npm\Bin\Zanda.exe
    PRC - [2010/05/07 06:48:04 | 000,103,016 | ---- | M] (Norman ASA) -- C:\Program Files\Norman\Ngs\Bin\nprosec.exe
    PRC - [2010/03/15 07:14:41 | 000,098,776 | ---- | M] (Norman ASA) -- C:\Program Files\Norman\Npm\Bin\nvoy.exe
    PRC - [2010/02/22 08:49:46 | 000,093,616 | ---- | M] (Norman ASA) -- C:\Program Files\Norman\Npc\Bin\npc_tray.exe
    PRC - [2009/10/15 09:50:54 | 000,133,272 | ---- | M] (Norman ASA) -- C:\Program Files\Norman\Npm\Bin\scheduler.exe
    PRC - [2009/10/11 08:44:36 | 000,099,656 | ---- | M] (Norman ASA) -- C:\Program Files\Norman\Npc\Bin\nuaa.exe
    PRC - [2009/10/11 08:07:33 | 000,152,904 | ---- | M] (Norman ASA) -- C:\Program Files\Norman\Npm\Bin\elogsvc.exe
    PRC - [2009/10/07 06:04:51 | 000,129,928 | ---- | M] (Norman ASA) -- C:\Program Files\Norman\Npm\Bin\Njeeves.exe
    PRC - [2009/08/18 11:29:22 | 001,529,728 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    PRC - [2009/08/18 11:29:22 | 000,183,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
    PRC - [2009/01/28 03:11:42 | 004,023,080 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer\Version4\TeamViewer.exe
    PRC - [2009/01/28 02:39:02 | 000,185,640 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
    PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


    ========== Modules (SafeList) ==========

    MOD - [2010/10/01 06:57:02 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ben Olson\My Documents\Downloads\OTL.exe
    MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


    ========== Win32 Services (SafeList) ==========

    SRV - [2010/08/12 06:44:29 | 000,210,248 | ---- | M] (Norman ASA) [On_Demand | Running] -- C:\Program Files\Norman\Nvc\Bin\nvcoas.exe -- (nvcoas)
    SRV - [2010/06/24 04:35:17 | 000,219,904 | ---- | M] (Norman ASA) [Auto | Running] -- C:\Program Files\Norman\Ngs\Bin\Nnf.exe -- (NNFSVC)
    SRV - [2010/06/14 07:29:58 | 000,282,624 | ---- | M] (Norman ASA) [On_Demand | Running] -- C:\Program Files\Norman\Nse\Bin\NSESVC.EXE -- (nsesvc)
    SRV - [2010/05/18 07:40:06 | 000,301,192 | ---- | M] (Norman ASA) [Auto | Running] -- C:\Program Files\Norman\Npm\Bin\Zanda.exe -- (Norman ZANDA)
    SRV - [2010/05/07 06:48:04 | 000,103,016 | ---- | M] (Norman ASA) [Auto | Running] -- C:\Program Files\Norman\Ngs\Bin\Nprosec.exe -- (NPROSECSVC)
    SRV - [2010/03/15 07:14:41 | 000,098,776 | ---- | M] (Norman ASA) [Auto | Running] -- C:\Program Files\Norman\npm\bin\nvoy.exe -- (NVOY)
    SRV - [2009/10/15 09:50:54 | 000,133,272 | ---- | M] (Norman ASA) [On_Demand | Running] -- C:\Program Files\Norman\Npm\Bin\scheduler.exe -- (Scheduler)
    SRV - [2009/10/11 08:44:36 | 000,099,656 | ---- | M] (Norman ASA) [On_Demand | Running] -- C:\Program Files\Norman\npc\bin\nuaa.exe -- (NUAA)
    SRV - [2009/10/11 08:07:33 | 000,152,904 | ---- | M] (Norman ASA) [Auto | Running] -- C:\Program Files\Norman\Npm\Bin\Elogsvc.exe -- (eLoggerSvc6)
    SRV - [2009/10/07 06:04:51 | 000,129,928 | ---- | M] (Norman ASA) [On_Demand | Running] -- C:\Program Files\Norman\Npm\Bin\Njeeves.exe -- (Norman NJeeves)
    SRV - [2009/08/18 11:29:22 | 001,529,728 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)
    SRV - [2009/07/20 17:48:41 | 000,126,976 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\UAService7.exe -- (UserAccess7) SecuROM User Access Service (V7)
    SRV - [2009/01/28 02:39:02 | 000,185,640 | ---- | M] (TeamViewer GmbH) [Auto | Running] -- C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe -- (TeamViewer4)
    SRV - [2006/01/05 01:06:02 | 000,163,840 | ---- | M] (Alex Feinman) [On_Demand | Stopped] -- C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe -- (Imapi Helper)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
    DRV - File not found [Kernel | On_Demand | Running] -- C:\DOCUME~1\BENOLS~1\LOCALS~1\Temp\catchme.sys -- (catchme)
    DRV - [2010/05/14 05:14:59 | 000,040,384 | ---- | M] (Norman ASA) [Kernel | Auto | Running] -- C:\Program Files\Norman\Ngs\Bin\nregsec.sys -- (nregsec)
    DRV - [2010/05/10 03:06:10 | 000,072,392 | ---- | M] (Norman ASA) [Kernel | System | Running] -- C:\Program Files\Norman\Ngs\Bin\nprosec.sys -- (NPROSEC)
    DRV - [2010/04/26 17:08:34 | 000,385,544 | ---- | M] (Paragon) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Uim_IM.sys -- (Uim_IM)
    DRV - [2010/04/26 17:08:34 | 000,034,392 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\UimBus.sys -- (UimBus)
    DRV - [2010/04/26 17:08:32 | 000,040,560 | ---- | M] (Paragon Software Group) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\hotcore3.sys -- (hotcore3)
    DRV - [2010/01/04 07:44:43 | 000,026,744 | ---- | M] (Norman ASA) [Kernel | System | Running] -- c:\Program Files\Norman\Ngs\Bin\ngs.sys -- (NGS)
    DRV - [2009/10/09 06:24:40 | 000,022,880 | ---- | M] (Norman ASA) [Kernel | Auto | Running] -- C:\Program Files\Norman\Nse\Bin\Ndiskio.sys -- (Ndiskio)
    DRV - [2009/10/09 05:22:09 | 000,021,832 | ---- | M] (Norman ASA) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvcw32mf.sys -- (NvcMFlt)
    DRV - [2009/08/05 15:58:40 | 000,093,872 | ---- | M] (Sunbelt Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SBREDrv.sys -- (SBRE)
    DRV - [2008/12/09 17:28:24 | 000,271,360 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\atksgt.sys -- (atksgt)
    DRV - [2008/12/09 17:28:24 | 000,018,048 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\lirsgt.sys -- (lirsgt)
    DRV - [2008/04/13 13:45:32 | 000,059,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gckernel.sys -- (GcKernel)
    DRV - [2008/04/13 13:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
    DRV - [2008/04/13 13:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
    DRV - [2008/04/13 11:36:05 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
    DRV - [2008/02/27 13:49:00 | 000,003,840 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\BANTExt.sys -- (BANTExt)
    DRV - [2006/11/29 00:18:34 | 000,008,552 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)
    DRV - [2006/08/15 04:00:18 | 001,171,464 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
    DRV - [2006/08/14 07:29:44 | 000,044,544 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
    DRV - [2006/08/05 08:00:48 | 000,089,344 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\drivers\nvraid.sys -- (nvraid) NVIDIA nForce(tm)
    DRV - [2006/08/05 08:00:40 | 000,105,344 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\drivers\nvatabus.sys -- (nvatabus)
    DRV - [2006/06/18 22:37:34 | 000,036,864 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
    DRV - [2006/06/16 09:39:00 | 003,581,888 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
    DRV - [2006/01/10 12:07:58 | 000,004,864 | ---- | M] (GTek Technologies Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys -- (DSproct)
    DRV - [2005/09/12 04:30:00 | 000,089,264 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)
    DRV - [2005/09/08 06:20:00 | 000,094,332 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
    DRV - [2005/09/08 06:20:00 | 000,087,036 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
    DRV - [2005/09/08 06:20:00 | 000,086,524 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
    DRV - [2005/09/08 06:20:00 | 000,025,628 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
    DRV - [2005/09/08 06:20:00 | 000,014,684 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
    DRV - [2005/09/08 06:20:00 | 000,006,364 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
    DRV - [2005/09/08 06:20:00 | 000,002,496 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResN.SYS -- (DLADResN)
    DRV - [2005/08/25 13:16:52 | 000,005,628 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
    DRV - [2005/08/25 13:16:16 | 000,022,684 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS -- (DLARTL_N)
    DRV - [2005/08/12 06:20:00 | 000,040,544 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
    DRV - [2001/08/17 15:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
    DRV - [2001/08/17 15:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
    DRV - [2001/08/17 15:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
    DRV - [2001/08/17 15:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
    DRV - [2001/08/17 15:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
    DRV - [2001/08/17 15:02:50 | 000,002,688 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HIDSwvd.sys -- (HIDSwvd)
    DRV - [2001/08/17 14:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
    DRV - [2001/08/17 14:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
    DRV - [2001/08/17 14:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
    DRV - [2001/08/17 14:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
    DRV - [2001/08/17 14:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
    DRV - [2001/08/17 14:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
    DRV - [2001/08/17 14:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
    DRV - [2001/08/17 14:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
    DRV - [2001/08/17 14:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
    DRV - [2001/08/17 14:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061128
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061128

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=ZUGO&form=ZGAPHP
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://quizulous.myway.com/?ptnrS=YE&ptb=F8765830-D1D9-4A03-8F51-D89AE6F17647
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.search.defaultengine: "Ask.com"
    FF - prefs.js..browser.search.defaultenginename: "Ask.com"
    FF - prefs.js..browser.search.defaultthis.engineName: "BCexclusives Customized Web Search"
    FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2570793&SearchSource=3&q={searchTerms}"
    FF - prefs.js..browser.search.order.1: "Ask.com"
    FF - prefs.js..browser.search.selectedEngine: "Bing"
    FF - prefs.js..browser.search.useDBForOrder: true
    FF - prefs.js..browser.startup.homepage: "http://www.bing.com/?pc=ZUGO&form=ZGAPHP"
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
    FF - prefs.js..extensions.enabledItems: battlefieldheroespatcher@ea.com:5.0.31.0
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
    FF - prefs.js..keyword.URL: "http://www.bing.com/search?pc=ZUGO&form=ZGAADF&q="


    FF - HKLM\software\mozilla\Firefox\extensions\\jfffxtbr@iWon.com: C:\Program Files\iWon\bar\1.bin File not found
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/09/26 13:33:03 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/09/26 13:33:03 | 000,000,000 | ---D | M]

    [2010/06/03 19:52:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ben Olson\Application Data\Mozilla\Extensions
    [2010/09/29 19:50:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ben Olson\Application Data\Mozilla\Firefox\Profiles\e9l048xv.default\extensions
    [2010/06/21 19:37:24 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Ben Olson\Application Data\Mozilla\Firefox\Profiles\e9l048xv.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2010/08/26 14:47:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ben Olson\Application Data\Mozilla\Firefox\Profiles\e9l048xv.default\extensions\battlefieldheroespatcher@ea.com
    [2010/09/29 16:03:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ben Olson\Application Data\Mozilla\Firefox\Profiles\e9l048xv.default\extensions\searchtoolbar@zugo.com
    [2010/08/02 21:52:05 | 000,002,397 | ---- | M] () -- C:\Documents and Settings\Ben Olson\Application Data\Mozilla\Firefox\Profiles\e9l048xv.default\searchplugins\askcom.xml
    [2010/09/29 16:12:06 | 000,001,919 | ---- | M] () -- C:\Documents and Settings\Ben Olson\Application Data\Mozilla\Firefox\Profiles\e9l048xv.default\searchplugins\bing-zugo.xml
    [2010/06/10 01:08:34 | 000,000,927 | ---- | M] () -- C:\Documents and Settings\Ben Olson\Application Data\Mozilla\Firefox\Profiles\e9l048xv.default\searchplugins\conduit.xml
    [2010/06/21 20:43:28 | 000,010,039 | ---- | M] () -- C:\Documents and Settings\Ben Olson\Application Data\Mozilla\Firefox\Profiles\e9l048xv.default\searchplugins\iWon.xml
    [2010/09/29 19:50:58 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
    [2010/08/04 08:52:49 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    [2010/08/04 08:52:36 | 000,423,656 | ---- | M] (Oracle) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

    O1 HOSTS File: ([2010/09/29 20:37:22 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O4 - HKLM..\Run: [Norman ZANDA] C:\Program Files\Norman\Npm\Bin\ZLH.EXE (Norman ASA)
    O4 - HKLM..\Run: [NPCTray] C:\Program Files\Norman\npc\bin\npc_tray.exe (Norman ASA)
    O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
    O4 - HKCU..\RunOnce: [Shockwave Updater] C:\WINDOWS\System32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -Mozilla\4.0 ( File not found
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Norman\ngs\bin\nlf.dll (Norman ASA)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Norman\ngs\bin\nlf.dll (Norman ASA)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Norman\ngs\bin\nlf.dll (Norman ASA)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\Program Files\Norman\ngs\bin\nlf.dll (Norman ASA)
    O16 - DPF: {10ECCE17-29B5-4880-A8F5-EAD298611484} http://cdnrep.reimage.com/reix1224.cab (Reg Error: Key error.)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
    O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} https://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab (Reg Error: Key error.)
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab (Reg Error: Key error.)
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab (Reg Error: Key error.)
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} http://www.nick.com/common/groove/gx/GrooveAX27.cab (Reg Error: Key error.)
    O16 - DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} https://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.53.0.cab (Battlefield Heroes Updater)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
    O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
    O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2004/08/10 14:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
    NetSvcs: WmdmPmSp - File not found

    Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Ligos Corporation)
    Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
    Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
    Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
    Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
    Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Ligos Corporation)
    Drivers32: VIDC.MP42 - C:\WINDOWS\System32\mpg4c32.dll (Microsoft Corporation)
    Drivers32: VIDC.MPG4 - C:\WINDOWS\System32\mpg4c32.dll (Microsoft Corporation)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point (17183584330711040)

    ========== Files/Folders - Created Within 90 Days ==========

    [2010/09/29 21:04:58 | 000,000,000 | -HSD | C] -- C:\RECYCLER
    [2010/09/29 20:30:10 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2010/09/29 16:09:22 | 000,444,952 | ---- | C] (Creative Labs) -- C:\WINDOWS\System32\wrap_oal.dll
    [2010/09/29 16:09:22 | 000,109,080 | ---- | C] (Portions (C) Creative Labs Inc. and NVIDIA Corp.) -- C:\WINDOWS\System32\OpenAL32.dll
    [2010/09/29 16:09:22 | 000,000,000 | ---D | C] -- C:\Program Files\OpenAL
    [2010/09/29 16:08:49 | 000,000,000 | ---D | C] -- C:\Program Files\AssaultCube_v1.1.0.1
    [2010/09/28 19:07:11 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2010/09/28 19:00:47 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2010/09/28 19:00:47 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2010/09/28 19:00:47 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2010/09/28 19:00:39 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2010/09/28 18:55:54 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2010/09/27 08:25:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
    [2010/09/27 08:25:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
    [2010/09/26 06:59:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Identities
    [2010/09/26 06:59:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Identities
    [2010/09/15 18:34:31 | 000,000,000 | ---D | C] -- C:\Program Files\Blockland
    [2010/09/15 15:58:44 | 000,068,176 | ---- | C] (Norman ASA) -- C:\WINDOWS\System32\drivers\ale_nf64.sys
    [2010/09/15 15:58:44 | 000,061,472 | ---- | C] (Norman ASA) -- C:\WINDOWS\System32\drivers\ale_nf.sys
    [2010/09/08 23:49:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
    [2010/09/05 10:22:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
    [2010/09/05 10:22:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
    [2010/09/04 12:14:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ben Olson\Local Settings\Application Data\LucasArts
    [2010/08/19 22:44:38 | 000,376,136 | ---- | C] (Norman ASA) -- C:\WINDOWS\System32\drivers\tdi_nf.sys
    [2010/08/19 22:44:37 | 000,048,272 | ---- | C] (Norman ASA) -- C:\WINDOWS\System32\drivers\nnetsec.sys
    [2010/08/19 22:44:37 | 000,034,192 | ---- | C] (Norman ASA) -- C:\WINDOWS\System32\drivers\nnetsecl64.sys
    [2010/08/19 22:44:37 | 000,030,584 | ---- | C] (Norman ASA) -- C:\WINDOWS\System32\drive
     
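Added example, not part of molsonrn's post and not code from OTL or any of the tools named in the log: a small Python triage script that parses a few of the OTL line shapes seen above (FF prefs.js entries, HKLM Firefox extension registrations, O16 DPF records and the `[date | size | attrs | C/M] -- path` file rows) and flags what a helper reading this log would check first: search and homepage prefs pointing at affiliate or toolbar hosts, an extension still registered although its file is gone, Java jinstall DPF records older than the newest one present, and folder names that look machine-generated. The sample lines are excerpted verbatim from the log in this thread; the affiliate watch-list, the random-name heuristic and its thresholds are my own assumptions, not anything OTL does.

```python
import re

# Constructed input for this example: lines excerpted verbatim from the OTL log
# posted in this thread. A real run would read the whole otl.txt instead.
SAMPLE_LOG = r"""
FF - prefs.js..browser.search.defaultengine: "Ask.com "
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2570793&SearchSource=3&q={searchTerms} "
FF - prefs.js..browser.startup.homepage: "http://www.bing.com/?pc=ZUGO&form=ZGAPHP "
FF - prefs.js..keyword.URL: "http://www.bing.com/search?pc=ZUGO&form=ZGAADF&q= "
FF - HKLM\software\mozilla\Firefox\extensions\\jfffxtbr@iWon.com: C:\Program Files\iWon\bar\1.bin File not found
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
[2010/08/02 12:19:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ben Olson\Local Settings\Application Data\vtydrxadh
[2010/08/03 16:30:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ben Olson\Application Data\Malwarebytes
"""

# Assumed watch-list of search-affiliate / toolbar markers (my choice, not from the page).
AFFILIATE_MARKERS = ("conduit.com", "ask.com", "pc=zugo", "iwon")

# One regex per OTL line shape used here.
FF_PREF = re.compile(r'^FF - prefs\.js\.\.(?P<key>\S+): "(?P<val>.*?)\s*"$')
FF_EXT = re.compile(r'^FF - HKLM\\.*?\\\\(?P<id>[^:]+): (?P<path>.*?)(?: File not found)?$')
DPF = re.compile(r'^O16 - DPF: \{(?P<clsid>[0-9A-F-]+)\} (?P<url>\S+) \((?P<desc>.*)\)$')
JINSTALL = re.compile(r'jinstall-(\d+)_(\d+)_(\d+)_(\d+)-')
FILEROW = re.compile(r'^\[(?P<ts>[^|]+)\| (?P<size>[\d,]+) \| (?P<attr>[-A-Z]{4}) \| [CM]\] '
                     r'(?:\((?P<co>[^)]*)\) )?-- (?P<path>.+)$')


def looks_random(name):
    """Heuristic only (assumed thresholds): 8+ lowercase letters with few vowels.
    Flags a folder name for manual review; it is not evidence of infection by itself."""
    if len(name) < 8 or not name.isalpha() or not name.islower():
        return False
    return sum(c in "aeiouy" for c in name) / len(name) < 0.3


def triage(log_text):
    """Return a dict of findings keyed by check name."""
    findings = {"search_affiliate": [], "orphan_extension": [],
                "stale_java_dpf": [], "random_dirname": []}
    java_dpf = []  # (version tuple, CLSID) for every Java jinstall DPF record seen
    for line in log_text.splitlines():
        line = line.strip()
        if m := FF_PREF.match(line):
            # Search / homepage prefs pointing at affiliate or toolbar hosts.
            if any(tag in m["val"].lower() for tag in AFFILIATE_MARKERS):
                findings["search_affiliate"].append((m["key"], m["val"]))
        elif m := FF_EXT.match(line):
            # Extension still registered under HKLM although its file is gone.
            if line.endswith("File not found"):
                findings["orphan_extension"].append((m["id"], m["path"]))
        elif m := DPF.match(line):
            if v := JINSTALL.search(m["url"]):
                java_dpf.append((tuple(int(x) for x in v.groups()), m["clsid"]))
        elif (m := FILEROW.match(line)) and m["attr"].endswith("D"):
            # Directory rows only: check the leaf folder name.
            leaf = m["path"].rsplit("\\", 1)[-1]
            if looks_random(leaf):
                findings["random_dirname"].append(m["path"])
    if java_dpf:
        # Every Java DPF record older than the newest one seen. A stale record alone does
        # not prove an old JRE is installed; it is a pointer to check Add/Remove Programs.
        newest = max(v for v, _ in java_dpf)
        findings["stale_java_dpf"] = [(clsid, ".".join(map(str, v)))
                                      for v, clsid in java_dpf if v < newest]
    return findings


if __name__ == "__main__":
    for check, hits in triage(SAMPLE_LOG).items():
        print(f"{check}: {len(hits)}")
        for hit in hits:
            print("   ", hit)
```

Run it against a saved otl.txt by replacing SAMPLE_LOG with the file contents. The checks are deliberately narrow: each one points at a line a human should go and read, and none of them decides on its own that a file is malicious.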
  21. 2010/10/01
    molsonrn (Thread Starter)

    otl.txt part 2

    rs\nnetsecl.sys
    [2010/08/06 08:31:56 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Ben Olson\Recent
    [2010/08/05 12:33:26 | 000,000,000 | ---D | C] -- C:\Program Files\Glary Utilities
    [2010/08/05 12:27:40 | 000,000,000 | ---D | C] -- C:\archive_db
    [2010/08/05 12:26:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Paragon
    [2010/08/05 12:18:29 | 000,040,560 | ---- | C] (Paragon Software Group) -- C:\WINDOWS\System32\drivers\hotcore3.sys
    [2010/08/05 12:18:29 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\DRVSTORE
    [2010/08/05 12:17:57 | 000,000,000 | ---D | C] -- C:\Program Files\Paragon Software
    [2010/08/04 09:13:36 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Ben Olson\IECompatCache
    [2010/08/04 09:12:58 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Ben Olson\PrivacIE
    [2010/08/04 09:12:25 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Ben Olson\IETldCache
    [2010/08/04 09:05:07 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
    [2010/08/04 08:58:10 | 000,000,000 | ---D | C] -- C:\WINDOWS\WBEM
    [2010/08/04 08:57:21 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
    [2010/08/04 08:52:48 | 000,153,376 | ---- | C] (Oracle) -- C:\WINDOWS\System32\javaws.exe
    [2010/08/04 08:52:48 | 000,145,184 | ---- | C] (Oracle) -- C:\WINDOWS\System32\javaw.exe
    [2010/08/04 08:52:48 | 000,145,184 | ---- | C] (Oracle) -- C:\WINDOWS\System32\java.exe
    [2010/08/04 08:46:34 | 000,000,000 | ---D | C] -- C:\Program Files\Auslogics
    [2010/08/03 16:30:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ben Olson\Application Data\Malwarebytes
    [2010/08/03 16:30:27 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2010/08/03 16:30:26 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2010/08/03 16:30:26 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2010/08/03 16:30:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    [2010/08/03 08:59:16 | 000,093,872 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
    [2010/08/03 08:59:16 | 000,027,944 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\sbbd.exe
    [2010/08/03 08:59:04 | 000,000,000 | ---D | C] -- C:\VIPRERESCUE
    [2010/08/02 12:19:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ben Olson\Local Settings\Application Data\vtydrxadh
    [2010/07/05 18:52:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ben Olson\Logs
    [2010/07/05 13:34:34 | 000,487,462 | ---- | C] (Big Huge Games, Inc.) -- C:\Documents and Settings\Ben Olson\My Documents\rise.exe
    [2010/07/05 13:19:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ben Olson\Application Data\Microsoft Games
    [2010/07/05 12:50:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ben Olson\Desktop\Rise Of Nations NO CD
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

    ========== Files - Modified Within 90 Days ==========

    [2010/09/29 20:38:55 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
    [2010/09/29 20:37:28 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
    [2010/09/29 20:37:22 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2010/09/29 20:27:29 | 000,000,910 | ---- | M] () -- C:\Documents and Settings\Ben Olson\Desktop\Shortcut to ComboFix.exe.lnk
    [2010/09/29 16:09:22 | 000,444,952 | ---- | M] (Creative Labs) -- C:\WINDOWS\System32\wrap_oal.dll
    [2010/09/29 16:09:22 | 000,109,080 | ---- | M] (Portions (C) Creative Labs Inc. and NVIDIA Corp.) -- C:\WINDOWS\System32\OpenAL32.dll
    [2010/09/29 16:09:22 | 000,001,665 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AssaultCube.lnk
    [2010/09/29 15:59:58 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
    [2010/09/29 15:52:52 | 000,039,472 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
    [2010/09/29 15:52:50 | 000,000,320 | ---- | M] () -- C:\WINDOWS\tasks\GlaryInitialize.job
    [2010/09/29 15:52:47 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2010/09/29 03:32:54 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2010/09/29 03:31:57 | 007,602,176 | ---- | M] () -- C:\Documents and Settings\Ben Olson\ntuser.dat
    [2010/09/29 03:31:57 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Ben Olson\ntuser.ini
    [2010/09/29 03:16:43 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2010/09/28 19:07:15 | 000,000,311 | RHS- | M] () -- C:\boot.ini
    [2010/09/28 17:50:49 | 006,399,118 | -H-- | M] () -- C:\Documents and Settings\Ben Olson\Local Settings\Application Data\IconCache.db
    [2010/09/28 14:08:31 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2010/09/08 20:02:41 | 000,096,528 | ---- | M] () -- C:\Documents and Settings\Ben Olson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    [2010/09/04 11:53:29 | 000,001,786 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Launch LEGO® Indiana Jones™.lnk
    [2010/08/26 14:38:47 | 000,000,099 | ---- | M] () -- C:\Documents and Settings\Ben Olson\jagex_runescape_preferences2.dat
    [2010/08/26 14:01:49 | 000,000,046 | ---- | M] () -- C:\Documents and Settings\Ben Olson\jagex_runescape_preferences.dat
    [2010/08/19 02:12:33 | 000,068,176 | ---- | M] (Norman ASA) -- C:\WINDOWS\System32\drivers\ale_nf64.sys
    [2010/08/19 02:12:23 | 000,061,472 | ---- | M] (Norman ASA) -- C:\WINDOWS\System32\drivers\ale_nf.sys
    [2010/08/18 13:46:36 | 000,344,216 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2010/08/16 13:42:24 | 000,001,794 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Rise Of Legends.lnk
    [2010/08/13 03:18:01 | 000,503,854 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
    [2010/08/13 03:18:01 | 000,442,796 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2010/08/13 03:18:01 | 000,071,936 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2010/08/11 15:13:48 | 000,138,184 | ---- | M] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
    [2010/08/11 15:13:23 | 000,215,016 | ---- | M] () -- C:\WINDOWS\System32\PnkBstrB.xtr
    [2010/08/05 12:02:56 | 000,000,000 | -H-- | M] () -- C:\Documents and Settings\Ben Olson\My Documents\Default.rdp
    [2010/08/05 00:40:51 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\Ben Olson\Local Settings\Application Data\housecall.guid.cache
    [2010/08/04 09:12:28 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Ben Olson\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    [2010/08/04 08:52:35 | 000,423,656 | ---- | M] (Oracle) -- C:\WINDOWS\System32\deployJava1.dll
    [2010/08/04 08:52:35 | 000,153,376 | ---- | M] (Oracle) -- C:\WINDOWS\System32\javaws.exe
    [2010/08/04 08:52:35 | 000,145,184 | ---- | M] (Oracle) -- C:\WINDOWS\System32\javaw.exe
    [2010/08/04 08:52:35 | 000,145,184 | ---- | M] (Oracle) -- C:\WINDOWS\System32\java.exe
    [2010/08/04 08:52:35 | 000,073,728 | ---- | M] (Oracle) -- C:\WINDOWS\System32\javacpl.cpl
    [2010/08/02 13:09:59 | 000,000,197 | ---- | M] () -- C:\Boot.bak
    [2010/07/15 18:59:21 | 000,000,008 | ---- | M] () -- C:\Documents and Settings\Ben Olson\Local Settings\Application Data\.mpid
    [2010/07/05 13:33:59 | 000,000,049 | ---- | M] () -- C:\Documents and Settings\Ben Olson\rise.ini
    [2010/07/05 13:19:02 | 000,001,769 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Rise Of Nations.lnk
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2010/09/29 20:27:29 | 000,000,910 | ---- | C] () -- C:\Documents and Settings\Ben Olson\Desktop\Shortcut to ComboFix.exe.lnk
    [2010/09/29 16:09:22 | 000,001,665 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AssaultCube.lnk
    [2010/09/28 19:07:15 | 000,000,197 | ---- | C] () -- C:\Boot.bak
    [2010/09/28 19:07:13 | 000,260,272 | RHS- | C] () -- C:\cmldr
    [2010/09/28 19:00:47 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2010/09/28 19:00:47 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2010/09/28 19:00:47 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2010/09/28 19:00:47 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2010/09/28 19:00:47 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2010/09/05 10:22:41 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2010/09/04 11:53:29 | 000,001,786 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Launch LEGO® Indiana Jones™.lnk
    [2010/08/16 13:42:24 | 000,001,794 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Rise Of Legends.lnk
    [2010/08/13 03:06:47 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
    [2010/08/05 12:33:33 | 000,000,320 | ---- | C] () -- C:\WINDOWS\tasks\GlaryInitialize.job
    [2010/08/05 12:02:56 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\Ben Olson\My Documents\Default.rdp
    [2010/08/05 00:40:51 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Ben Olson\Local Settings\Application Data\housecall.guid.cache
    [2010/07/14 13:14:02 | 007,602,176 | ---- | C] () -- C:\Documents and Settings\Ben Olson\ntuser.dat
    [2010/07/05 13:33:53 | 000,000,049 | ---- | C] () -- C:\Documents and Settings\Ben Olson\rise.ini
    [2010/07/05 13:19:02 | 000,001,769 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Rise Of Nations.lnk
    [2010/05/02 21:03:40 | 000,000,008 | ---- | C] () -- C:\Documents and Settings\Ben Olson\Local Settings\Application Data\.mpid
    [2009/10/17 12:00:14 | 000,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
    [2009/09/28 15:50:24 | 000,138,184 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
    [2009/09/28 15:50:23 | 000,138,056 | ---- | C] () -- C:\Documents and Settings\Ben Olson\Application Data\PnkBstrK.sys
    [2009/03/01 17:52:52 | 000,003,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\BANTExt.sys
    [2009/03/01 17:15:40 | 000,000,264 | ---- | C] () -- C:\WINDOWS\reimage.ini
    [2009/02/11 12:34:34 | 001,380,403 | ---- | C] () -- C:\WINDOWS\System32\avgsdk.dll
    [2009/01/05 16:44:10 | 000,000,453 | ---- | C] () -- C:\WINDOWS\bdoscandellang.ini
    [2008/12/09 17:28:24 | 000,271,360 | ---- | C] () -- C:\WINDOWS\System32\drivers\atksgt.sys
    [2008/12/09 17:28:24 | 000,018,048 | ---- | C] () -- C:\WINDOWS\System32\drivers\lirsgt.sys
    [2007/12/15 14:36:10 | 000,002,516 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
    [2007/12/01 12:59:56 | 000,004,608 | ---- | C] () -- C:\Documents and Settings\Ben Olson\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2007/08/09 08:00:44 | 000,000,157 | ---- | C] () -- C:\WINDOWS\disney.ini
    [2007/08/09 08:00:38 | 000,000,193 | ---- | C] () -- C:\WINDOWS\disneysy.ini
    [2007/05/06 20:22:51 | 000,003,072 | ---- | C] () -- C:\Documents and Settings\Ben Olson\Application Data\dvd.bmk
    [2007/04/08 21:20:15 | 000,000,132 | ---- | C] () -- C:\Documents and Settings\Ben Olson\Local Settings\Application Data\fusioncache.dat
    [2007/03/23 16:36:18 | 000,056,320 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll
    [2007/02/05 20:00:02 | 000,000,134 | ---- | C] () -- C:\WINDOWS\System32\usrgfil.dll
    [2007/02/05 19:59:43 | 000,005,394 | ---- | C] () -- C:\WINDOWS\System32\wrestfil.dll
    [2007/02/05 19:59:43 | 000,002,164 | ---- | C] () -- C:\WINDOWS\System32\wzfil.dll
    [2007/02/05 19:59:42 | 000,022,384 | ---- | C] () -- C:\WINDOWS\System32\perfil.dll
    [2007/02/05 19:59:42 | 000,017,488 | ---- | C] () -- C:\WINDOWS\System32\nvgamfil.dll
    [2007/02/05 19:59:42 | 000,016,732 | ---- | C] () -- C:\WINDOWS\System32\popfil.dll
    [2007/02/05 19:59:42 | 000,014,264 | ---- | C] () -- C:\WINDOWS\System32\tafil.dll
    [2007/02/05 19:59:42 | 000,012,502 | ---- | C] () -- C:\WINDOWS\System32\psyfil.dll
    [2007/02/05 19:59:42 | 000,012,114 | ---- | C] () -- C:\WINDOWS\System32\sporfil.dll
    [2007/02/05 19:59:42 | 000,009,636 | ---- | C] () -- C:\WINDOWS\System32\gnfil.dll
    [2007/02/05 19:59:42 | 000,008,652 | ---- | C] () -- C:\WINDOWS\System32\jbfil.dll
    [2007/02/05 19:59:42 | 000,007,582 | ---- | C] () -- C:\WINDOWS\System32\movfil.dll
    [2007/02/05 19:59:42 | 000,007,036 | ---- | C] () -- C:\WINDOWS\System32\pkmon.dll
    [2007/02/05 19:59:42 | 000,006,830 | ---- | C] () -- C:\WINDOWS\System32\swfil.dll
    [2007/02/05 19:59:42 | 000,001,554 | ---- | C] () -- C:\WINDOWS\System32\tapfil.dll
    [2007/02/05 19:59:42 | 000,000,724 | ---- | C] () -- C:\WINDOWS\System32\spmfil.dll
    [2007/02/05 19:59:42 | 000,000,670 | ---- | C] () -- C:\WINDOWS\System32\mp3fil.dll
    [2007/02/05 19:59:42 | 000,000,540 | ---- | C] () -- C:\WINDOWS\System32\srchfrgn.dll
    [2007/02/05 19:59:42 | 000,000,194 | ---- | C] () -- C:\WINDOWS\System32\igefil.dll
    [2007/02/05 19:59:42 | 000,000,116 | ---- | C] () -- C:\WINDOWS\System32\nfil.dll
    [2007/02/05 19:59:42 | 000,000,034 | ---- | C] () -- C:\WINDOWS\System32\macfil.dll
    [2007/02/05 19:59:42 | 000,000,018 | ---- | C] () -- C:\WINDOWS\System32\lastupdate.dll
    [2007/02/05 19:59:41 | 000,013,112 | ---- | C] () -- C:\WINDOWS\System32\finfil.dll
    [2007/02/05 19:59:41 | 000,012,350 | ---- | C] () -- C:\WINDOWS\System32\entfil.dll
    [2007/02/05 19:59:41 | 000,011,164 | ---- | C] () -- C:\WINDOWS\System32\fmfil.dll
    [2007/02/05 19:59:41 | 000,007,504 | ---- | C] () -- C:\WINDOWS\System32\auctfil.dll
    [2007/02/05 19:59:41 | 000,001,816 | ---- | C] () -- C:\WINDOWS\System32\fshrfil.dll
    [2007/02/05 19:59:41 | 000,001,790 | ---- | C] () -- C:\WINDOWS\System32\csnews.dll
    [2007/02/05 19:59:41 | 000,000,400 | ---- | C] () -- C:\WINDOWS\System32\bsnlst.dll
    [2007/02/05 19:59:41 | 000,000,100 | ---- | C] () -- C:\WINDOWS\System32\bnrfil.dll
    [2007/02/05 19:47:33 | 000,000,680 | ---- | C] () -- C:\WINDOWS\wfileu.drv
    [2007/02/05 19:47:25 | 000,087,014 | ---- | C] () -- C:\WINDOWS\System32\adwfil.dll
    [2007/02/05 19:47:25 | 000,013,034 | ---- | C] () -- C:\WINDOWS\System32\gblfil.dll
    [2007/02/05 19:47:25 | 000,010,834 | ---- | C] () -- C:\WINDOWS\System32\chtfil.dll
    [2007/02/05 19:47:25 | 000,005,338 | ---- | C] () -- C:\WINDOWS\System32\wfileu.drv
    [2007/02/05 19:47:25 | 000,005,180 | ---- | C] () -- C:\WINDOWS\System32\iawfil.dll
    [2007/02/05 19:47:25 | 000,004,826 | ---- | C] () -- C:\WINDOWS\System32\vgamfil.dll
    [2007/02/05 19:47:25 | 000,004,442 | ---- | C] () -- C:\WINDOWS\System32\hatfil.dll
    [2007/02/05 19:47:25 | 000,003,818 | ---- | C] () -- C:\WINDOWS\System32\viofil.dll
    [2007/02/05 19:47:25 | 000,003,444 | ---- | C] () -- C:\WINDOWS\System32\srchin.dll
    [2007/02/05 19:47:25 | 000,002,902 | ---- | C] () -- C:\WINDOWS\System32\lgwfil.dll
    [2007/02/05 19:47:25 | 000,001,830 | ---- | C] () -- C:\WINDOWS\System32\cultfil.dll
    [2007/02/05 19:47:25 | 000,001,352 | ---- | C] () -- C:\WINDOWS\System32\gdwfil.dll
    [2007/02/05 19:47:25 | 000,001,100 | ---- | C] () -- C:\WINDOWS\System32\imgfil.dll
    [2007/02/05 19:47:25 | 000,000,592 | ---- | C] () -- C:\WINDOWS\System32\snetfil.dll
    [2007/02/05 19:47:25 | 000,000,400 | ---- | C] () -- C:\WINDOWS\bsnlst.dll
    [2007/02/05 19:47:25 | 000,000,306 | ---- | C] () -- C:\WINDOWS\System32\picsfil.dll
    [2007/02/05 19:47:25 | 000,000,258 | ---- | C] () -- C:\WINDOWS\System32\srchout.dll
    [2007/02/05 19:47:23 | 000,334,174 | ---- | C] () -- C:\WINDOWS\sqlite3.dll
    [2007/02/05 19:36:43 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
    [2006/11/29 00:32:40 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
    [2006/11/29 00:27:04 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2006/11/29 00:22:22 | 000,000,419 | ---- | C] () -- C:\WINDOWS\wininit.ini
    [2006/11/28 23:56:32 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
    [2006/11/28 23:55:13 | 000,000,394 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
    [2005/11/10 02:56:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
    [2004/08/10 14:12:05 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
    [2004/08/10 14:01:18 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
    [2004/08/10 13:51:16 | 000,533,568 | ---- | C] () -- C:\WINDOWS\System32\msqiiedm.dll
    [1997/11/10 16:18:48 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll

    ========== LOP Check ==========

    [2007/08/09 08:01:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Disney Imagineering
    [2010/08/05 12:26:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Paragon
    [2008/12/25 22:50:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCapGamesv1005
    [2010/08/05 12:16:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2009/03/01 17:46:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
    [2009/02/07 16:12:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WildTangent
    [2008/09/28 09:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Winferno
    [2009/03/01 17:47:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\YAHOO
    [2009/10/15 20:11:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ben Olson\Application Data\Activision
    [2010/08/05 12:07:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ben Olson\Application Data\Auslogics
    [2007/12/13 20:07:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ben Olson\Application Data\FrimaStudio
    [2009/03/01 17:56:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ben Olson\Application Data\GlarySoft
    [2007/09/03 15:07:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ben Olson\Application Data\iWin
    [2007/04/08 21:18:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ben Olson\Application Data\Leadertech
    [2010/06/03 21:51:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ben Olson\Application Data\My Games
    [2010/03/20 12:14:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ben Olson\Application Data\SPORE
    [2009/03/02 00:04:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ben Olson\Application Data\TeamViewer
    [2010/08/03 23:36:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ben Olson\Application Data\Unity
    [2007/03/09 22:04:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ben Olson\Application Data\Viewpoint
    [2008/09/21 20:25:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ben Olson\Application Data\WeatherBug
    [2010/09/29 15:52:50 | 000,000,320 | ---- | M] () -- C:\WINDOWS\Tasks\GlaryInitialize.job

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2004/08/10 14:04:08 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
    [2010/08/02 13:09:59 | 000,000,197 | ---- | M] () -- C:\Boot.bak
    [2010/09/28 19:07:15 | 000,000,311 | RHS- | M] () -- C:\boot.ini
    [2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
    [2010/09/29 20:38:55 | 000,017,791 | ---- | M] () -- C:\ComboFix.txt
    [2004/08/10 14:04:08 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
    [2008/05/23 06:39:45 | 000,052,827 | ---- | M] () -- C:\crash.dmp
    [2008/05/23 06:39:45 | 000,181,429 | ---- | M] () -- C:\crash.log
    [2006/11/28 23:59:34 | 000,006,310 | RH-- | M] () -- C:\dell.sdr
    [2007/03/25 16:31:56 | 000,000,010 | ---- | M] () -- C:\error.txt
    [2009/07/20 17:46:30 | 000,000,093 | ---- | M] () -- C:\gputest.txt
    [2009/03/01 15:00:04 | 000,004,128 | ---- | M] () -- C:\INFCACHE.1
    [2004/08/10 14:04:08 | 000,000,000 | -H-- | M] () -- C:\IO.SYS
    [2006/11/29 00:18:47 | 000,000,831 | -H-- | M] () -- C:\IPH.PH
    [2009/11/10 18:07:19 | 000,000,482 | ---- | M] () -- C:\LOG3.log
    [2004/08/10 14:04:08 | 000,000,000 | -H-- | M] () -- C:\MSDOS.SYS
    [2004/08/04 06:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
    [2008/09/06 12:24:33 | 000,250,048 | RHS- | M] () -- C:\ntldr
    [2010/09/29 03:32:50 | 1610,612,736 | -HS- | M] () -- C:\pagefile.sys
    [2009/03/01 17:15:53 | 000,000,101 | ---- | M] () -- C:\reimage.log
    [2007/09/24 07:31:10 | 001,265,421 | ---- | M] () -- C:\saida.txt
    [2006/11/29 00:28:15 | 000,000,070 | ---- | M] () -- C:\SystemInfo.ini
    [2010/01/11 19:46:36 | 000,000,026 | ---- | M] () -- C:\usm.txt

    < %systemroot%\Fonts\*.com >
    [2006/04/18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
    [2006/06/29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
    [2006/04/18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
    [2006/06/29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2004/08/10 14:03:42 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2008/07/06 07:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    [2004/03/22 16:17:08 | 000,025,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
    [2008/07/06 05:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >
    [2005/04/12 16:29:32 | 000,802,816 | ---- | M] (Sprout Games, LLC) -- C:\WINDOWS\FeedingFrenzy.scr
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2004/08/10 13:56:48 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
    [2004/08/10 13:56:46 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
    [2004/08/10 13:56:46 | 000,872,448 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
    [2008/09/06 12:36:19 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2008/09/06 13:10:25 | 000,000,119 | -HS- | M] () -- C:\Documents and Settings\Ben Olson\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
    [2004/08/10 14:08:38 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Ben Olson\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

    < %USERPROFILE%\Desktop\*.exe >

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >
    [2003/04/18 18:57:24 | 000,487,462 | ---- | M] (Big Huge Games, Inc.) -- C:\Documents and Settings\Ben Olson\My Documents\rise.exe

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >
    [2004/08/04 06:00:00 | 000,000,791 | ---- | M] () -- C:\WINDOWS\addins\fxsext.ecf

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2008/09/06 13:10:25 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\Ben Olson\Favorites\Desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >
    Mall Tycoon 2 Deluxe Uninstaller.exe

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >
    [2010/10/01 06:55:32 | 000,081,920 | -HS- | M] () -- C:\Documents and Settings\Ben Olson\Cookies\index.dat

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [2007/06/26 22:10:26 | 000,317,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >
    [2008/04/13 19:11:51 | 000,033,792 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\custsat.dll
    [2004/08/04 02:06:34 | 000,004,821 | ---- | M] () -- C:\Program Files\Messenger\logowin.gif
    [2004/08/04 02:06:34 | 000,007,047 | ---- | M] () -- C:\Program Files\Messenger\lvback.gif
    [2008/05/02 09:01:49 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgsc.dll
    [2008/04/13 12:30:28 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgslang.dll
    [2008/04/13 19:12:28 | 001,695,232 | -HS- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
    [2004/08/04 02:06:36 | 000,002,882 | ---- | M] () -- C:\Program Files\Messenger\newalert.wav
    [2004/08/04 02:06:36 | 000,006,156 | ---- | M] () -- C:\Program Files\Messenger\newemail.wav
    [2004/08/04 02:06:36 | 000,006,160 | ---- | M] () -- C:\Program Files\Messenger\online.wav
    [2004/08/04 02:06:36 | 000,004,454 | ---- | M] () -- C:\Program Files\Messenger\type.wav
    [2004/08/04 02:06:36 | 000,115,981 | ---- | M] () -- C:\Program Files\Messenger\xpmsgr.chm

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 155 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:20240A47
    @Alternate Data Stream - 136 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:07BF512B
    @Alternate Data Stream - 129 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D0F3EA78
    @Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:325064EA
    @Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:AF5AC8FA
    @Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:45C3B7CC
    @Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:54D0DA8F
    @Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3CBB9ED6
    @Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:343FF046
    @Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A68A7F4D
    < End of report >
     
