
Solved Problem with dds.scr

Discussion in 'Malware and Virus Removal Archive' started by RinBird, 2010/07/31.

  1. 2010/07/31
    RinBird

    RinBird Inactive Thread Starter

    Joined:
    2010/07/31
    Messages:
    23
    Likes Received:
    0
    [Resolved] Problem with dds.scr

    My brother (smithno13) sent me to this site because I have a google redirect virus, and I tried to follow the instructions and run dds.scr. I downloaded it to my desktop and double clicked, unfortunately it seems that another program on my computer has already "claimed" the .scr extension.

    I am a grad student in microbiology and use a program called "RasWin Molecular Graphics" to visualize protein structure. When I click dds.scr, the following pops up:
    http://i36.photobucket.com/albums/e4/Rin4Christ/ddsscrerror.jpg
    (I don't know your policy on posting pictures in threads, so I posted a link instead, I'll edit it to an embedded picture if you prefer)

    When I click "run" it tries to open up RasWin, then crashes RasWin, and I am back to square 1.....
     
  2. 2010/07/31
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.pif
    * Rkill.exe


    * Double-click on the Rkill desktop icon to run the tool.
    * If using Vista or Windows 7, right-click on it and choose Run As Administrator.
    * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    * If not, delete the file, then download and use the one provided in Link 2.
    * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    * Do not reboot until instructed.
    * If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run the following.

    Now download and run exeHelper.


    * Please download exeHelper from Raktor to your desktop.
    * Double-click on exeHelper.com to run the fix.
    * A black window should pop up; press any key to close once the fix is completed.
    * A log file named log.txt will be created in the directory where you ran exeHelper.com.
    * Attach the log.txt file to your next message.

    Note: If the window shows a message that says "Error deleting file ", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    ==============================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     


  4. 2010/07/31
    RinBird

    RinBird Inactive Thread Starter

    Joined:
    2010/07/31
    Messages:
    23
    Likes Received:
    0
    log from exe helper:
    exeHelper by Raktor
    Build 20100414
    Run at 22:05:52 on 07/31/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--



    # Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    I have Symantec antivirus installed by the IT guy at work. He said I had full admin privileges on this computer, but when I right click on the icon the option for "enable Auto protect" is checked and grayed so I can't click it. When I open the program and go to Configure/File system autoprotect, again I find a grayed out option for "enable autoprotect."

    Apparently I don't have full admin privileges?
     
  5. 2010/07/31
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Well, the main question here is....
    Do you have permission to mess around with the work computer?
     
  6. 2010/07/31
    RinBird

    RinBird Inactive Thread Starter

    Joined:
    2010/07/31
    Messages:
    23
    Likes Received:
    0
    Well, from my boss, yes. He bought the computer for me to use, but assuming I graduate, I get to keep it after graduation.

    I can and have brought it to the dept IT guy (same one who installed the anti virus) and he used malwarebytes which found some Trojans, but didn't solve the problem. His next step seems to be wipe and re-install. (last time his solution was that I buy a new hard drive to diagnose what he thought was a software problem- turned out it was the motherboard). It seems to me that this should be solvable through less invasive means.

    I guess I'm not left with much choice but to bring it back to him Monday then, since my hands seem tied... I'll also be talking to my boss about it, because I'm sure it will irk him that I can't get rid of viruses without the IT guy threatening to incinerate my experimental data.... (yes I backed things up, but not what I have done in the last week or so.)
     
  7. 2010/07/31
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Yeah, maybe you'll be able to convince them to give you real admin. privileges and we can go from there.

    Let me know.
     
  8. 2010/07/31
    RinBird

    RinBird Inactive Thread Starter

    Joined:
    2010/07/31
    Messages:
    23
    Likes Received:
    0
    Thanks for trying to help. I'll try to be back Monday afternoon/evening....
     
  9. 2010/07/31
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    No problem :)
     
  10. 2010/08/03
    RinBird

    RinBird Inactive Thread Starter

    Joined:
    2010/07/31
    Messages:
    23
    Likes Received:
    0
    Ok, I had the IT guy take Symantec off of my computer temporarily and I have installed McAfee Antivirus Plus for the interim. I plan to put the corporate edition of Symantec back on once I get the virus cleared.

    I am currently running a full virus scan on McAfee, and after that I will run the programs you recommended above.

    Symptoms update: Google search redirect happens on both Firefox and IE. Intermittently I lose audio or the ability to connect to the internet, but this is usually resolved by restarting. I have scanned and come back clean using: Symantec AntiVirus, Symantec Endpoint Protection, Malwarebytes, Hitman Pro 3.5, and SuperAntiSpyware Free Edition (I later uninstalled the last one). I have also received 1 error on Windows Updates.

    Previously I had a false antivirus install itself and constantly flash warnings at me, but this seems to have gone away, I believe after I ran Hitman Pro.

    Logs to follow.
     
  11. 2010/08/03
    RinBird

    RinBird Inactive Thread Starter

    Joined:
    2010/07/31
    Messages:
    23
    Likes Received:
    0
    McAfee grabbed exehelper and Rkill as viruses/trojans. Other than that the scan was clean. I guess I am done with them for now anyway? or do they still need to be installed for later scans?
     
  12. 2010/08/03
    RinBird

    RinBird Inactive Thread Starter

    Joined:
    2010/07/31
    Messages:
    23
    Likes Received:
    0
    I tried to run combofix twice and got the BSOD

    [screenshot of the BSOD]

    [screenshot of the BSOD]

    Next step?
     
  13. 2010/08/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    One of the reasons I hate that program.
    Many malware removal tools, including Combofix, immediately trigger McAfee.

    Judging from your symptoms, you may have a bootkit. Let's see...

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.
     
  14. 2010/08/03
    RinBird

    RinBird Inactive Thread Starter

    Joined:
    2010/07/31
    Messages:
    23
    Likes Received:
    0
    Is there another antivirus I should use in the interim instead? (until I go back to the corporate version of norton)


    MBRcheck_08.03.10_21.11.09.txt

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000000c

    Kernel Drivers (total 176):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806E4000 \WINDOWS\system32\hal.dll
    0xB85A8000 \WINDOWS\system32\KDCOM.DLL
    0xB84B8000 \WINDOWS\system32\BOOTVID.dll
    0xB7F79000 ACPI.sys
    0xB85AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xB7F68000 pci.sys
    0xB80A8000 isapnp.sys
    0xB84BC000 compbatt.sys
    0xB84C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
    0xB8670000 pciide.sys
    0xB8328000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
    0xB85AC000 intelide.sys
    0xB7F4A000 pcmcia.sys
    0xB80B8000 MountMgr.sys
    0xB7F2B000 ftdisk.sys
    0xB85AE000 dmload.sys
    0xB7F05000 dmio.sys
    0xB8330000 PartMgr.sys
    0xB7EEF000 nvraid.sys
    0xB80C8000 \WINDOWS\system32\drivers\CLASSPNP.SYS
    0xB80D8000 VolSnap.sys
    0xB7ED7000 atapi.sys
    0xB7E19000 iaStor.sys
    0xB80E8000 aic78xx.sys
    0xB7E01000 \WINDOWS\System32\DRIVERS\SCSIPORT.SYS
    0xB80F8000 aic78u2.sys
    0xB7DE8000 adpu160m.sys
    0xB7DAE000 a320raid.sys
    0xB8108000 aac.sys
    0xB7D77000 aarich.sys
    0xB7D53000 adpu320.sys
    0xB8338000 cercsr6.sys
    0xB7D30000 fasttx2k.sys
    0xB7D17000 symmpi.sys
    0xB8340000 megasas.sys
    0xB7CFD000 nvatabus.sys
    0xB8118000 disk.sys
    0xB7CDD000 fltmgr.sys
    0xB7CCB000 sr.sys
    0xB7C6E000 mfehidk.sys
    0xB85B0000 DLACDBHM.SYS
    0xB7C57000 DRVMCDB.SYS
    0xB8128000 PxHelp20.sys
    0xB7C40000 KSecDD.sys
    0xB7BB3000 Ntfs.sys
    0xB7B86000 NDIS.sys
    0xB8138000 PBADRV.sys
    0xB8148000 ohci1394.sys
    0xB8158000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
    0xB7B6C000 Mup.sys
    0xB8178000 \SystemRoot\system32\DRIVERS\nic1394.sys
    0xB86D8000 \SystemRoot\system32\DRIVERS\smsmdm.sys
    0xB714E000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xB8198000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xB6B57000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
    0xB8428000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xB6B33000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xB8430000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xB6B0B000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xB69F8000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
    0xB69CD000 \SystemRoot\system32\DRIVERS\b57xp32.sys
    0xB81A8000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xB69A1000 \SystemRoot\system32\DRIVERS\Apfiltr.sys
    0xB81D8000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
    0xB6926000 \SystemRoot\system32\DRIVERS\Wdf01000.sys
    0xB6902000 \SystemRoot\system32\drivers\mfeavfk.sys
    0xB68B7000 \SystemRoot\system32\drivers\mfefirek.sys
    0xB8440000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xB8448000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xB81E8000 \SystemRoot\system32\DRIVERS\serial.sys
    0xB7166000 \SystemRoot\system32\DRIVERS\serenum.sys
    0xB81F8000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xB8208000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xB8228000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xB6894000 \SystemRoot\system32\DRIVERS\ks.sys
    0xB8450000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
    0xB7162000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0xB8560000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
    0xB6879000 \SystemRoot\system32\DRIVERS\dne2000.sys
    0xB8238000 \SystemRoot\system32\DRIVERS\dsNcAdpt.sys
    0xB87C4000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xB6854000 \SystemRoot\system32\DRIVERS\mfendisk.sys
    0xB82A8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xB8568000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xB67D3000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xB82B8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xB82C8000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xB8460000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xB67C2000 \SystemRoot\system32\DRIVERS\psched.sys
    0xB82D8000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xB8468000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xB8470000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xB6792000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xB82E8000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xB6769000 \SystemRoot\system32\DRIVERS\msiscsi.sys
    0xB6752000 \SystemRoot\system32\DRIVERS\iscsiprt.sys
    0xB8608000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xB66F4000 \SystemRoot\system32\DRIVERS\update.sys
    0xB857C000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xB82F8000 \SystemRoot\system32\DRIVERS\omci.sys
    0xB8478000 \SystemRoot\system32\DRIVERS\WaveFDE.sys
    0xB8308000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xB8318000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xB8612000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xB5286000 \SystemRoot\system32\drivers\sthda.sys
    0xB5262000 \SystemRoot\system32\drivers\portcls.sys
    0xB720A000 \SystemRoot\system32\drivers\drmk.sys
    0xB524A000 \SystemRoot\system32\drivers\dxec01.sys
    0xB5216000 \SystemRoot\system32\DRIVERS\HSFHWAZL.sys
    0xB5124000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
    0xB5071000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
    0xB8480000 \SystemRoot\System32\Drivers\Modem.SYS
    0xB8616000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xB879B000 \SystemRoot\System32\Drivers\Null.SYS
    0xB8618000 \SystemRoot\System32\Drivers\Beep.SYS
    0xB84A8000 \SystemRoot\System32\Drivers\DLARTL_M.SYS
    0xB84B0000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xB8350000 \SystemRoot\System32\drivers\vga.sys
    0xB861A000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xB861C000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xB8370000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xB8378000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xB7B2C000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xB5016000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xB4FBD000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xB4FAA000 \SystemRoot\system32\drivers\mfetdi2k.sys
    0xB71DA000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xB4F82000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xB4F60000 \SystemRoot\System32\drivers\afd.sys
    0xB71CA000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xB4F35000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xB71BA000 \SystemRoot\system32\DRIVERS\arp1394.sys
    0xB4E9D000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xB71AA000 \SystemRoot\System32\Drivers\Fips.SYS
    0xB719A000 \SystemRoot\System32\Drivers\oz776.sys
    0xB6802000 \SystemRoot\System32\Drivers\SMCLIB.SYS
    0xB67FE000 \SystemRoot\SYSTEM32\DRIVERS\APPDRV.SYS
    0xAFA07000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xAFA95000 \SystemRoot\System32\drivers\Dxapi.sys
    0xB19D1000 \SystemRoot\System32\watchdog.sys
    0xBD000000 \SystemRoot\System32\drivers\dxg.sys
    0xB8793000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBD012000 \SystemRoot\System32\nv4_disp.dll
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xAB6F8000 \SystemRoot\system32\DRIVERS\WavxDMgr.sys
    0xB1B2E000 \SystemRoot\System32\Drivers\DRVNDDM.SYS
    0xB86D9000 \SystemRoot\System32\Drivers\DLADResM.SYS
    0xAB6DF000 \SystemRoot\System32\Drivers\DLAIFS_M.SYS
    0xB19D9000 \SystemRoot\System32\Drivers\DLAOPIOM.SYS
    0xB0AC7000 \SystemRoot\System32\Drivers\DLAPoolM.SYS
    0xB19C9000 \SystemRoot\System32\Drivers\DLABMFSM.SYS
    0xB19C1000 \SystemRoot\System32\Drivers\DLABOIOM.SYS
    0xAB6C9000 \SystemRoot\System32\Drivers\DLAUDFAM.SYS
    0xAB6B2000 \SystemRoot\System32\Drivers\DLAUDF_M.SYS
    0xAFBCA000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xAB60D000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xAB510000 \??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
    0xAB466000 \??\C:\WINDOWS\system32\drivers\hardlock.sys
    0xAB442000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xAB3C3000 \SystemRoot\system32\DRIVERS\srv.sys
    0xAB63E000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
    0xAE745000 \SystemRoot\system32\DRIVERS\NwmSleepless.sys
    0xAB21E000 \SystemRoot\system32\drivers\wdmaud.sys
    0xB4A7D000 \SystemRoot\system32\drivers\sysaudio.sys
    0xAAE74000 \SystemRoot\system32\drivers\cfwids.sys
    0xB2186000 \SystemRoot\System32\Drivers\TDTCP.SYS
    0xAAC89000 \SystemRoot\System32\Drivers\RDPWD.SYS
    0xAA68E000 \SystemRoot\system32\drivers\mfeapfk.sys
    0xAACE4000 \SystemRoot\system32\drivers\mfebopk.sys
    0xAA1F0000 \SystemRoot\System32\Drivers\HTTP.sys
    0xAA317000 \SystemRoot\system32\drivers\NPF.sys
    0xA84A7000 \??\C:\WINDOWS\system32\CCM\prepdrv.sys
    0xA67E9000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 70):
    0 System Idle Process
    4 System
    1960 C:\WINDOWS\system32\smss.exe
    2016 csrss.exe
    116 C:\WINDOWS\system32\winlogon.exe
    260 C:\WINDOWS\system32\services.exe
    264 C:\WINDOWS\system32\lsass.exe
    484 C:\WINDOWS\system32\svchost.exe
    580 svchost.exe
    644 C:\WINDOWS\system32\svchost.exe
    780 svchost.exe
    924 svchost.exe
    1160 C:\WINDOWS\system32\WLTRYSVC.EXE
    1188 C:\WINDOWS\system32\BCMWLTRY.EXE
    1196 C:\WINDOWS\system32\iscsiexe.exe
    1300 C:\WINDOWS\system32\spoolsv.exe
    1364 scardsvr.exe
    1032 svchost.exe
    1484 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    1536 C:\Program Files\JHSecure\VPN Client\cvpnd.exe
    1588 C:\Program Files\Drobo\Drobo Dashboard\Support\DDService.exe
    1620 C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    1792 C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    1848 C:\Program Files\Common Files\Mcafee\SystemCore\mfevtps.exe
    1880 C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
    1928 C:\Program Files\1E\NightWatchman50\NwmSvc.exe
    1968 C:\WINDOWS\system32\nvsvc32.exe
    544 C:\WINDOWS\system32\svchost.exe
    796 C:\WINDOWS\system32\stacsv.exe
    1148 C:\WINDOWS\system32\svchost.exe
    1252 tcsd_win32.exe
    944 C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
    1648 C:\Program Files\Viewpoint\Common\ViewpointService.exe
    1764 C:\Program Files\1E\WakeUp\Agent\WakeUpAgt.exe
    2004 C:\WINDOWS\system32\dllhost.exe
    2088 C:\WINDOWS\system32\searchindexer.exe
    2132 C:\WINDOWS\system32\CCM\CcmExec.exe
    2172 C:\Program Files\Common Files\Mcafee\SystemCore\mcshield.exe
    2212 C:\Program Files\Common Files\Mcafee\SystemCore\mfefire.exe
    2560 wmiprvse.exe
    2764 C:\WINDOWS\system32\dllhost.exe
    2996 wmiprvse.exe
    3224 msdtc.exe
    3392 wmiprvse.exe
    3684 C:\WINDOWS\explorer.exe
    3772 C:\Program Files\1E\NightWatchman50\NwmCli.exe
    704 C:\WINDOWS\system32\rundll32.exe
    532 C:\WINDOWS\system32\rundll32.exe
    756 C:\WINDOWS\system32\KADxMain.exe
    1060 C:\WINDOWS\system32\WLTRAY.EXE
    1108 C:\WINDOWS\system32\LVCOMSX.EXE
    1116 C:\Program Files\iTunes\iTunesHelper.exe
    1136 C:\Program Files\McAfee.com\Agent\mcagent.exe
    1632 C:\WINDOWS\Temp\_ex-08.exe
    1736 C:\WINDOWS\system32\ctfmon.exe
    2068 C:\Program Files\AWS\WeatherBug\Weather.exe
    2248 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
    2728 C:\Program Files\Digital Line Detect\DLG.exe
    3556 C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    3508 C:\Program Files\Southwest Airlines\Ding\Ding.exe
    3716 C:\WINDOWS\system32\rundll32.exe
    5272 C:\Program Files\AIM\aim .exe
    5556 C:\Program Files\iPod\bin\iPodService.exe
    3496 wmiprvse.exe
    6020 C:\WINDOWS\system32\taskmgr.exe
    5168 C:\Program Files\Mozilla Firefox\firefox.exe
    5032 C:\Program Files\Mozilla Firefox\plugin-container.exe
    5248 C:\WINDOWS\system32\searchprotocolhost.exe
    6096 searchfilterhost.exe
    528 C:\Documents and Settings\elalime\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`0855a200 (NTFS)

    PhysicalDrive0 Model Number: ST9160823ASG, Rev: 3.ADD

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!
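    The MBRCheck report above is long, and the two things a responder actually looks for in it are easy to miss by eye: processes whose image lives in a user-writable directory (the kind of place a dropper lands), and whether the MBR boot code was recognised as the stock OS code. The following Python script is an added example, not part of the thread or of the MBRCheck tool; it parses a constructed excerpt modelled on the report posted above (the full list is trimmed to a few entries) and pulls out exactly those two signals. The directory patterns it treats as "user-writable" are my own heuristic, not something MBRCheck defines.

```python
import re

# Constructed excerpt modelled on the MBRCheck report posted in the thread,
# trimmed to a handful of entries so the script runs offline.
SAMPLE_REPORT = r"""Processes (total 6):
0 System Idle Process
4 System
1960 C:\WINDOWS\system32\smss.exe
1136 C:\Program Files\McAfee.com\Agent\mcagent.exe
1632 C:\WINDOWS\Temp\_ex-08.exe
528 C:\Documents and Settings\elalime\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`0855a200 (NTFS)

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
"""

# Heuristic (my assumption, not MBRCheck's): directories any user can write
# to on Windows XP. An executable running from one of these is not proof of
# infection, but it is the first thing to look at in a process list.
WRITABLE_PATTERNS = [
    re.compile(r"\\windows\\temp\\", re.I),
    re.compile(r"\\local settings\\temp\\", re.I),
    re.compile(r"\\appdata\\local\\temp\\", re.I),
    re.compile(r"\\application data\\", re.I),
]

PROCESS_LINE = re.compile(r"^(\d+)\s+(.+?)\s*$")
MBR_LINE = re.compile(r"^\s*(\d+ GB)\s+(\\\\\.\\PhysicalDrive\d+)\s+(.*?)\s*$")
SHA1_LINE = re.compile(r"^\s*SHA1:\s*([0-9A-Fa-f]{40})\s*$")


def parse_processes(report):
    """Return [(pid, image)] from the 'Processes' section of the report."""
    procs, in_section = [], False
    for line in report.splitlines():
        if line.startswith("Processes ("):
            in_section = True
            continue
        if in_section:
            if not line.strip():      # blank line ends the section
                break
            m = PROCESS_LINE.match(line)
            if m:
                procs.append((int(m.group(1)), m.group(2)))
    return procs


def flag_processes(procs):
    """Return [(pid, image, reason)] for processes worth a second look."""
    flagged = []
    for pid, image in procs:
        if "\\" not in image:
            continue  # kernel pseudo-process or image path MBRCheck could not resolve
        for pat in WRITABLE_PATTERNS:
            if pat.search(image):
                flagged.append((pid, image, "runs from a user-writable directory"))
                break
    return flagged


def mbr_status(report):
    """Extract device, status text and SHA1 from the MBR table at the end."""
    result = {}
    for line in report.splitlines():
        m = MBR_LINE.match(line)
        if m:
            result.update(size=m.group(1), device=m.group(2), status=m.group(3))
        m = SHA1_LINE.match(line)
        if m:
            result["sha1"] = m.group(1).upper()
    # MBRCheck reports boot code it recognises as "<OS> MBR code detected";
    # any other status text should be compared against a clean install.
    result["recognised"] = "MBR code detected" in result.get("status", "")
    return result


if __name__ == "__main__":
    for pid, image, reason in flag_processes(parse_processes(SAMPLE_REPORT)):
        print(f"PID {pid}: {image} -- {reason}")
    print(mbr_status(SAMPLE_REPORT))
```

    Run against the excerpt, the only process it flags is PID 1632, `C:\WINDOWS\Temp\_ex-08.exe`, which is the same file the exeHelper log later in this thread reports killing and deleting; the MBR line comes back as recognised Windows XP boot code, matching broni's reading that the MBRCheck log looks fine. The SHA1 is kept so it can be compared with a known-good MBR hash for the same Windows version.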
     
  15. 2010/08/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    MBRCheck log looks fine.

    Absolutely, uninstall McAfee, using this tool: http://www.softpedia.com/get/Tweak/Uninstallers/McAfee-Consumer-Product-Removal-Tool.shtml

    Since running Combofix requires any AV program to be shut down, don't install anything yet.
    Make sure though, that Windows firewall is ON.

    When we get through with Combofix, you can install ONE of these:
    - Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
    - Avira free antivirus: http://www.free-av.com/en/download/1/avira_antivir_personal__free_antivirus.html


    Now, when you're done with McAfee, try to run again our triplets: rKill, exehelper and Combo.
    If normal mode doesn't work, try safe mode.
     
  16. 2010/08/03
    RinBird

    RinBird Inactive Thread Starter

    Joined:
    2010/07/31
    Messages:
    23
    Likes Received:
    0
    Combofix locked the first time I ran it, so there are 2 logs for exehelper

    exehelper logs:
    exeHelper by Raktor
    Build 20100414
    Run at 21:57:37 on 08/03/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Killed process _ex-08.exe
    Checking for bad files...
    Deleting file C:\WINDOWS\temp\_ex-08.exe
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    exeHelper by Raktor
    Build 20100414
    Run at 23:09:48 on 08/03/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--




    Combofix log:
    ComboFix 10-08-03.02 - elalime 08/03/2010 23:13:26.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1388 [GMT -4:00]
    Running from: c:\documents and settings\elalime\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\docume~1\elalime\LOCALS~1\Temp\tmp1.tmp
    c:\docume~1\elalime\LOCALS~1\Temp\tmp2.tmp
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\documents and settings\NetworkService\Local Settings\Application Data\292556794.exe
    c:\documents and settings\NetworkService\Start Menu\Programs\Security Tool.lnk
    c:\program files\AnVi
    c:\program files\AnVi\about.ico
    c:\program files\AnVi\activate.ico
    c:\program files\AnVi\avt.db
    c:\program files\AnVi\buy.ico
    c:\program files\AnVi\help.ico
    c:\program files\AnVi\scan.ico
    c:\program files\AnVi\settings.ico
    c:\program files\AnVi\splash.mp3
    c:\program files\AnVi\update.ico
    c:\program files\AnVi\virus.mp3
    c:\windows\system32\drivers\npf.sys
    c:\windows\system32\Packet.dll
    c:\windows\system32\st325602.dll
    c:\windows\system32\wpcap.dll

    ----- BITS: Possible infected sites -----

    hxxp://MDHY0PSCCM01.SPH.AD.JHSPH.EDU:80
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_NPF
    -------\Service_NPF


    ((((((((((((((((((((((((( Files Created from 2010-07-04 to 2010-08-04 )))))))))))))))))))))))))))))))
    .

    2010-08-02 20:14 . 2010-08-02 20:14 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-08-02 19:09 . 2010-08-02 19:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Wave Systems Corp
    2010-08-02 14:51 . 2010-08-02 14:51 -------- d-----w- c:\documents and settings\elalime\Local Settings\Application Data\NTRU Cryptosystems
    2010-08-02 14:24 . 2010-08-02 14:24 -------- d-----w- c:\documents and settings\kmilman.mmi\Application Data\Apple Computer
    2010-08-02 14:23 . 2010-08-02 14:23 -------- d-----w- c:\documents and settings\kmilman.mmi\Local Settings\Application Data\Apple Computer
    2010-08-02 14:23 . 2010-08-02 14:23 -------- d-----w- c:\documents and settings\kmilman.mmi\Local Settings\Application Data\Drobo
    2010-08-02 14:23 . 2010-08-02 14:23 -------- d-----w- c:\documents and settings\kmilman.mmi\Local Settings\Application Data\Identities
    2010-08-02 14:23 . 2010-08-02 14:23 -------- d-----w- c:\documents and settings\kmilman.mmi\Application Data\Windows Desktop Search
    2010-08-01 17:38 . 2010-08-01 17:38 12872 ----a-w- c:\windows\system32\bootdelete.exe
    2010-08-01 03:05 . 2010-08-03 13:28 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-08-01 03:04 . 2010-08-01 03:04 133440 ----a-w- c:\windows\system32\LnkProtect.dll
    2010-08-01 03:02 . 2010-08-01 03:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
    2010-08-01 03:02 . 2010-08-01 03:02 -------- d-----w- c:\program files\Hitman Pro 3.5
    2010-08-01 02:48 . 2010-08-01 03:10 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Desktop Security
    2010-07-30 17:43 . 2010-07-30 17:43 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
    2010-07-30 17:43 . 2010-07-30 17:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
    2010-07-30 17:43 . 2010-07-30 17:43 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Malwarebytes
    2010-07-30 17:42 . 2010-07-30 17:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Drobo
    2010-07-30 17:42 . 2010-07-30 17:42 0 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\WavXMapDrive.bat
    2010-07-30 17:42 . 2010-07-30 17:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
    2010-07-30 17:42 . 2010-07-30 17:42 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Windows Desktop Search
    2010-07-30 17:20 . 2010-07-30 17:20 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Drobo
    2010-07-30 17:19 . 2010-07-30 17:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
    2010-07-30 17:19 . 2010-07-30 17:19 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
    2010-07-30 17:19 . 2010-07-30 17:19 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
    2010-07-30 17:19 . 2010-07-30 17:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Desktop Search
    2010-07-30 17:19 . 2010-07-30 17:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-07-30 17:18 . 2010-07-30 17:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\1E
    2010-07-30 17:04 . 2010-07-30 17:04 -------- d-----w- c:\documents and settings\elalime\Application Data\Malwarebytes
    2010-07-30 17:04 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-30 17:04 . 2010-07-31 19:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-30 17:04 . 2010-07-30 17:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-07-30 17:04 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-07-30 01:38 . 2010-07-30 01:38 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\wevobmjpf
    2010-07-30 01:37 . 2010-07-30 01:37 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
    2010-07-30 01:36 . 2010-07-30 01:37 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-07-26 23:08 . 2010-07-26 23:08 664 ----a-w- c:\windows\system32\d3d9caps.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-03 18:42 . 2008-06-09 18:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
    2010-08-03 18:36 . 2008-06-09 18:34 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2010-08-03 18:36 . 2008-06-09 18:34 -------- d-----w- c:\program files\Symantec
    2010-08-03 18:36 . 2008-06-09 18:34 -------- d-----w- c:\program files\Symantec AntiVirus
    2010-08-02 14:51 . 2008-06-04 16:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Wave Systems Corp
    2010-08-02 14:23 . 2008-06-04 16:27 210701 ----a-w- c:\windows\system32\nvModes.dat
    2010-08-01 22:42 . 2010-04-06 20:10 -------- d-----w- c:\program files\iTunes
    2010-08-01 02:48 . 2010-08-01 02:48 2704384 ----a-w- c:\documents and settings\NetworkService\Application Data\Desktop Security\securityhelper.exe
    2010-07-31 20:35 . 2010-04-06 20:05 -------- d-----w- c:\program files\QuickTime
    2010-07-31 20:26 . 2010-05-13 14:21 -------- d-----w- c:\program files\AIM
    2010-07-31 19:56 . 2008-09-14 22:03 -------- d-----w- c:\program files\DellTPad
    2010-07-31 19:51 . 2008-06-04 16:34 -------- d-----w- c:\program files\Wave Systems Corp
    2010-07-31 19:45 . 2008-06-11 17:54 0 ----a-w- c:\documents and settings\elalime\Local Settings\Application Data\WavXMapDrive.bat
    2010-07-30 19:56 . 2010-07-30 17:43 112 ----a-w- c:\documents and settings\All Users\Application Data\sn07R4.dat
    2010-07-30 17:19 . 2008-06-09 19:16 0 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\WavXMapDrive.bat
    2010-07-29 19:08 . 2008-06-12 00:54 -------- d-----w- c:\program files\RefViz
    2010-07-29 19:07 . 2008-06-12 00:54 -------- d--h--w- c:\program files\Zero G Registry
    2010-07-29 18:57 . 2009-01-14 02:24 -------- d-----w- c:\documents and settings\elalime\Application Data\Amazon
    2010-07-28 13:30 . 2008-06-23 21:22 -------- d-----w- c:\documents and settings\elalime\Application Data\WeatherBug
    2010-07-28 03:06 . 2010-02-22 20:37 -------- d-----w- c:\program files\MyDefrag v4.2.8
    2010-07-16 15:54 . 2009-08-28 15:07 -------- d-----w- c:\documents and settings\elalime\Application Data\U3
    2010-07-06 15:24 . 2008-06-11 17:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-06-29 18:59 . 2010-06-08 00:38 439816 ----a-w- c:\documents and settings\elalime\Application Data\Real\Update\setup3.10\setup.exe
    2010-06-16 18:26 . 2010-06-16 18:26 89600 ----a-w- c:\windows\system32\atl71.dll
    2010-06-09 19:07 . 2010-05-12 19:54 -------- d-----w- c:\program files\Steam
    2010-06-09 02:29 . 2010-06-09 02:29 -------- d-----w- c:\program files\Drobo
    2010-06-08 17:36 . 2008-02-28 01:45 -------- d-----w- c:\program files\Dell
    2010-06-08 17:30 . 2010-06-08 17:26 -------- d-----w- c:\program files\1E
    2010-06-08 17:26 . 2010-06-08 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\1E
    2010-05-22 22:06 . 2010-05-22 22:06 666112 ----a-w- c:\documents and settings\elalime\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\pmv306hw-1004220-0-main.dll
    .
    Code:
    <pre>
    c:\program files\AIM\aim      .exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier .exe
    c:\program files\Common Files\InstallShield\UpdateService\ISUSPM                                .exe
    c:\program files\Common Files\Real\Update_OB\realsched .exe
    c:\program files\Common Files\Symantec Shared\ccApp .exe
    c:\program files\DellTPad\Apoint .exe
    c:\program files\iTunes\iTunesHelper .exe
    c:\program files\Logitech\Video\ISStart .exe
    c:\program files\Logitech\Video\LogiTray .exe
    c:\program files\Logitech\Video\ManifestEngine .exe
    c:\program files\Malwarebytes' Anti-Malware\mbam  .exe
    c:\program files\QuickTime\qttask                        .exe
    c:\program files\Sigmatel\C-Major Audio\WDM\stsystra .exe
    c:\program files\Wave Systems Corp\SecureUpgrade .exe
    c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr .exe
    </pre>
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM "= "c:\program files\Common Files\InstallShield\UpdateService\ISUSPM .exe -scheduler" [X]
    "Weather "= "c:\program files\AWS\WeatherBug\Weather.exe" [2006-04-07 1343488]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task "= "c:\program files\QuickTime\qttask .exe -atboottime" [X]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2009-03-11 13594624]
    "nwiz "= "nwiz.exe" [2009-03-11 1657376]
    "NVHotkey "= "nvHotkey.dll" [2009-03-11 90112]
    "NvMediaCenter "= "c:\windows\system32\NvMcTray.dll" [2009-03-11 86016]
    "KADxMain "= "c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
    "Broadcom Wireless Manager UI "= "c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]
    "LVCOMSX "= "c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
    "igvtm "= "c:\program files\iGive_Toolbar\igvtt.exe" [N/A]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "292556794 "= "c:\docume~1\NETWOR~1\LOCALS~1\APPLIC~1\292556794.exe" [N/A]

    c:\documents and settings\elalime\Start Menu\Programs\Computer tools\Startup\
    DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-6-4 50688]
    Drobo Dashboard.lnk - c:\program files\Drobo\Drobo Dashboard\DroboDashboard.exe [2010-3-19 3395584]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5} "= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
    2006-11-16 20:20 73728 ----a-w- c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 wvauth

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2122500139-1198148142-3152560411-22569\Scripts\Logon\0\0]
    "Script "=JHSPHShares v28.vbs

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=" "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @= "Driver "

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
    backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
    backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
    backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^JHSecure VPN Client.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\JHSecure VPN Client.lnk
    backup=c:\windows\pss\JHSecure VPN Client.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
    2008-04-23 06:08 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
    c:\program files\AIM6\aim6.exe [N/A]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [N/A]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-03-26 05:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    c:\program files\Messenger\msmsgs.exe [N/A]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    c:\program files\QuickTime\qttask.exe [N/A]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2008-06-03 19:08 21718312 -c--a-r- c:\program files\Skype\Phone\Skype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [N/A]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    c:\program files\Common Files\Real\Update_OB\realsched.exe [N/A]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Program Files\\Electronic Arts\\EADM\\Core.exe "=
    "c:\\Documents and Settings\\elalime\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe "=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe "=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe "=
    "c:\\WINDOWS\\system32\\iscsiexe.exe "=
    "c:\\Program Files\\Drobo\\Drobo Dashboard\\Support\\DDService.exe "=
    "c:\\Program Files\\AIM\\aim .exe "=

    R0 a320raid;a320raid;c:\windows\system32\drivers\a320raid.sys [12/10/2006 7:16 PM 218112]
    R0 aac;PERC 320/DC SCSI RAID Miniport Driver;c:\windows\system32\drivers\aac.sys [12/10/2006 7:16 PM 48140]
    R0 aarich;aarich;c:\windows\system32\drivers\aarich.sys [12/10/2006 7:16 PM 204800]
    R0 megasas;DELL PERC RAID Driver;c:\windows\system32\drivers\megasas.sys [12/10/2006 7:17 PM 19200]
    R2 DDService;Drobo Dashboard Service;c:\program files\Drobo\Drobo Dashboard\Support\DDService.exe [3/19/2010 1:10 PM 704512]
    R2 MSiSCSI;Microsoft iSCSI Initiator Service;c:\windows\system32\iscsiexe.exe [11/13/2008 10:09 PM 103480]
    R2 NightWatchman50;NightWatchman50;c:\program files\1E\NightWatchman50\NwmSvc.exe [5/27/2009 4:31 PM 1003864]
    R2 NwmSleepless;NwmSleepless;c:\windows\system32\drivers\NwmSleepless.sys [6/22/2010 1:08 PM 42488]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/17/2009 12:14 PM 24652]
    R2 WakeUpAgt;1E WakeUp Agent;c:\program files\1E\WakeUp\Agent\WakeUpAgt.exe [6/4/2009 12:41 PM 275792]
    R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [12/5/2004 6:41 PM 5120]
    R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 1:32 PM 97536]
    R3 iScsiPrt;iScsiPort Driver;c:\windows\system32\drivers\msiscsi.sys [11/13/2008 10:09 PM 158264]
    S0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys --> c:\windows\system32\drivers\vmscsi.sys [?]
    S2 gupdate;Google Update Service (gupdate); "c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
    S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/21/2009 8:03 PM 717296]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-03 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

    2009-09-01 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1200 series272A572217594EBCF1CEE215E352B92AD073FDE4245615820.job
    - c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 21:56]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://baltimore.craigslist.org/zip/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    IE: iGive Toolbar - file://c:\documents and settings\elalime\Application Data\iGive_Toolbar\igvtt\igvtC5.htm
    DPF: Shopping.Probe - Install via ShoppingProbe.msi
    FF - ProfilePath - c:\documents and settings\elalime\Application Data\Mozilla\Firefox\Profiles\8d2z5o7b.default\
    FF - plugin: c:\documents and settings\elalime\Application Data\Facebook\npfbplugin_1_0_1.dll
    FF - plugin: c:\documents and settings\elalime\Application Data\Facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.use_native_colors ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.lu ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.nu ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.nz ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgbaam7a8h ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgberp4a5d4ar ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--p1ai ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgbayh7gpa ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.tel ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.auth.force-generic-ntlm ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.proxy.type ", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.buffer.cache.count ", 24);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.buffer.cache.size ", 4096);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "dom.ipc.plugins.timeoutSecs ", 45);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "svg.smil.enabled ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "accelerometer.enabled ", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref ", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.renego_unrestricted_hosts ", " ");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.treat_unsafe_negotiation_as_broken ", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.require_safe_negotiation ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name ", "chrome://browser/locale/browser.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description ", "chrome://browser/locale/browser.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "plugins.update.notifyUser ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.nptest.dll ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.npswf32.dll ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.npctrl.dll ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.npqtplugin.dll ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled ", false);
    .
    .
    ------- File Associations -------
    .
    .scr=RasWin.Script
    .
    - - - - ORPHANS REMOVED - - - -

    ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
    Notify-NavLogon - (no file)
    AddRemove-Coupon Printer for Windows4.0 - c:\program files\Coupons\uninstall.exe
    AddRemove-unigvt - c:\program files\iGive_Toolbar\igvtt.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-03 23:22
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
    "SymbolicLinkValue "=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(1412)
    c:\windows\system32\wvauth.dll
    c:\windows\system32\biolsp.dll

    - - - - - - - > 'explorer.exe'(2192)
    c:\windows\system32\WININET.dll
    c:\windows\system32\nview.dll
    c:\program files\Windows Desktop Search\deskbar.dll
    c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
    c:\program files\Windows Desktop Search\dbres.dll
    c:\program files\Windows Desktop Search\wordwheel.dll
    c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
    c:\program files\Windows Desktop Search\msnlExtRes.dll
    c:\windows\system32\LnkProtect.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    c:\windows\system32\ieframe.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\System32\WLTRYSVC.EXE
    c:\windows\System32\bcmwltry.exe
    c:\windows\System32\SCardSvr.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\JHSecure\VPN Client\cvpnd.exe
    c:\program files\Juniper Networks\Common Files\dsNcService.exe
    c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\StacSV.exe
    c:\program files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
    c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
    c:\windows\system32\SearchIndexer.exe
    c:\windows\system32\CCM\CcmExec.exe
    c:\windows\system32\msiexec.exe
    c:\windows\system32\msdtc.exe
    c:\program files\1E\NightWatchman50\NWMCLI.EXE
    c:\windows\system32\rundll32.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\windows\system32\rundll32.exe
    c:\program files\Common Files\InstallShield\UpdateService\ISUSPM .exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2010-08-03 23:29:44 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-08-04 03:29

    Pre-Run: 1,786,568,704 bytes free
    Post-Run: 2,476,077,056 bytes free

    - - End Of File - - 7E2A8BA802FD075953062DD50433832F

    At the moment, google searches don't seem to be redirecting. I'll install an antivirus and check again in the morning. Thanks!
     
    Last edited: 2010/08/03
  17. 2010/08/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Unless you installed Viewpoint Manager knowledgeably...
    Go Start>Control Panel>Add\Remove (Programs and Features in Vista), and...
    Uninstall any of the following programs associated with Viewpoint:
    * Viewpoint Manager
    * Viewpoint Media Player
    * Viewpoint Toolbar
This program does not do anything bad such as deliver ads or spy on you, but it is considered foistware ("drive-by-install") as it is installed without your consent through programs like AOL, AIM, Compuserve, etc.

    ===============================================================

    1. Please open Notepad
    • Click Start , then Run
• Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\documents and settings\elalime\Local Settings\Application Data\WavXMapDrive.bat
    c:\documents and settings\All Users\Application Data\sn07R4.dat
    c:\documents and settings\Administrator\Local Settings\Application Data\WavXMapDrive.bat
    c:\docume~1\NETWOR~1\LOCALS~1\APPLIC~1\292556794.exe
    
    
    Folder::
    c:\documents and settings\NetworkService\Application Data\Desktop Security
    c:\documents and settings\NetworkService\Local Settings\Application Data\wevobmjpf
    c:\documents and settings\All Users\Application Data\Symantec
    c:\program files\Common Files\Symantec Shared
    c:\program files\Symantec
    c:\program files\Symantec AntiVirus
    
    RenV::
    c:\program files\AIM\aim      .exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier .exe
    c:\program files\Common Files\InstallShield\UpdateService\ISUSPM                                .exe
    c:\program files\Common Files\Real\Update_OB\realsched .exe
    c:\program files\Common Files\Symantec Shared\ccApp .exe
    c:\program files\DellTPad\Apoint .exe
    c:\program files\iTunes\iTunesHelper .exe
    c:\program files\Logitech\Video\ISStart .exe
    c:\program files\Logitech\Video\LogiTray .exe
    c:\program files\Logitech\Video\ManifestEngine .exe
    c:\program files\Malwarebytes' Anti-Malware\mbam  .exe
    c:\program files\QuickTime\qttask                        .exe
    c:\program files\Sigmatel\C-Major Audio\WDM\stsystra .exe
    c:\program files\Wave Systems Corp\SecureUpgrade .exe
    c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr .exe
    
    
    Registry::
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"292556794"=-
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
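Added example, not from the thread or from ComboFix: a small Python triage script that re-derives, from lines modelled on the log posted above, the three things this CFScript acts on: file names padded with whitespace before the extension (the RenV:: entries), autostart entries whose target ComboFix marked [N/A] or [X], and the .scr association pointed at RasWin.Script instead of the stock screensaver handler. The sample log (forum-inserted spaces before closing quotes removed) and the DEFAULT_HANDLERS table are assumptions.

```python
"""Triage a ComboFix-style log for padded file names, dead autostarts and
hijacked file associations.  Added example; the sample log is constructed."""
import re
from dataclasses import dataclass

# Constructed sample input, modelled on the log in the thread.
SAMPLE_LOG = r"""
c:\program files\AIM\aim      .exe
c:\program files\Common Files\InstallShield\UpdateService\ISUSPM                                .exe
c:\program files\Malwarebytes' Anti-Malware\mbam  .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\iTunes\iTunesHelper.exe
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM .exe -scheduler" [X]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2006-04-07 1343488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igvtm"="c:\program files\iGive_Toolbar\igvtt.exe" [N/A]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"292556794"="c:\docume~1\NETWOR~1\LOCALS~1\APPLIC~1\292556794.exe" [N/A]
------- File Associations -------
.scr=RasWin.Script
"""

# What a clean Windows XP maps these extensions to (assumption for the check).
DEFAULT_HANDLERS = {"exe": "exefile", "com": "comfile", "bat": "batfile",
                    "pif": "piffile", "scr": "scrfile"}

# Whitespace squeezed between the file stem and an executable extension.
PADDED = re.compile(r"\S\s+\.(?:exe|scr|com|pif|dll)\b", re.IGNORECASE)
# ComboFix "Reg Loading Points" lines: "name"="target" [timestamp size | N/A | X]
AUTOSTART = re.compile(r'^"(?P<name>[^"]*)"="(?P<target>[^"]*)"\s*\[(?P<info>[^\]]*)\]$')
KEY = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
ASSOC = re.compile(r"^\.(?P<ext>\w+)=(?P<handler>\S+)$")
DRIVE_PATH = re.compile(r"^[a-z]:\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str    # "padded-name", "missing-target" or "assoc-hijack"
    where: str   # bare path, registry key or extension the finding belongs to
    detail: str


def triage(log_text: str) -> list[Finding]:
    """Walk the log once and collect the entries a helper would act on."""
    findings: list[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY.match(line)
        if m:                                   # remember the enclosing key
            current_key = m.group("key")
            continue
        m = AUTOSTART.match(line)
        if m:
            target, info = m.group("target"), m.group("info")
            if info in ("N/A", "X"):             # target no longer on disk
                findings.append(Finding("missing-target", current_key,
                                        f'"{m.group("name")}" -> {target} [{info}]'))
            if PADDED.search(target):            # autostart points at a padded name
                findings.append(Finding("padded-name", current_key, target))
            continue
        m = ASSOC.match(line)
        if m:
            ext, handler = m.group("ext").lower(), m.group("handler")
            expected = DEFAULT_HANDLERS.get(ext)
            if expected and handler.lower() != expected:
                findings.append(Finding("assoc-hijack", "." + ext,
                                        f"{handler} (expected {expected})"))
            continue
        if DRIVE_PATH.match(line) and PADDED.search(line):
            findings.append(Finding("padded-name", line,
                                    "whitespace before extension"))
    return findings


def renv_candidates(findings: list[Finding]) -> list[str]:
    """Bare paths with padded names: the files a RenV:: section would restore."""
    return sorted({f.where for f in findings
                   if f.kind == "padded-name" and DRIVE_PATH.match(f.where)})


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:15} {f.where}\n{'':15} {f.detail}")
    print("RenV:: candidates:", *renv_candidates(found), sep="\n")
```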
     
  18. 2010/08/04
    RinBird

    RinBird Inactive Thread Starter

    Joined:
    2010/07/31
    Messages:
    23
    Likes Received:
    0
    Thanks Broni.

    I deleted Viewpoint media player (didn't have the other 2).

    Still no sign of redirect activity or other virus symptoms, so that looks good.

    Here is the log from Combofix with CFScript.txt

    ComboFix 10-08-03.02 - elalime 08/04/2010 10:19:12.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1645 [GMT -4:00]
    Running from: c:\documents and settings\elalime\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\elalime\Desktop\CFScript.txt
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

    FILE ::
    "c:\docume~1\NETWOR~1\LOCALS~1\APPLIC~1\292556794.exe "
    "c:\documents and settings\Administrator\Local Settings\Application Data\WavXMapDrive.bat "
    "c:\documents and settings\All Users\Application Data\sn07R4.dat "
    "c:\documents and settings\elalime\Local Settings\Application Data\WavXMapDrive.bat "
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\docume~1\elalime\LOCALS~1\Temp\tmp1.tmp
    c:\documents and settings\Administrator\Local Settings\Application Data\WavXMapDrive.bat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\documents and settings\All Users\Application Data\sn07R4.dat
    c:\documents and settings\All Users\Application Data\Symantec
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\1.Product.Inventory.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\1.Settings.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\10.Product.Inventory.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\10.Settings.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\2.Product.Inventory.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\2.Settings.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\3.Product.Inventory.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\3.Settings.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\4.Product.Inventory.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\4.Settings.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\5.Product.Inventory.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\5.Settings.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\6.Product.Inventory.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\6.Settings.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\7.Product.Inventory.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\7.Settings.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\8.Product.Inventory.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\8.Settings.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\9.Product.Inventory.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\9.Settings.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Configuration.Log.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1257995028jtun_the_scd.zip.full.zip
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\avenge$20microdefs25$20savcorp10_microdefsb.curdefs_symalllanguages_livetri.zip
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\avenge$20microdefs25$20savcorp10_microdefsb.error_symalllanguages_livetri.zip
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\avenge$20microdefs25$20savcorp10_microdefsb.may_symalllanguages_livetri.zip
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\avenge$20microdefs25$20savcorp10_microdefsb.nov_symalllanguages_livetri.zip
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\avenge$20microdefs25$20savcorp10_microdefsb.old_symalllanguages_livetri.zip
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\decomposer_1.0.0_symalllanguages_livetri.zip
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\minitri.flg
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\sesc$20submission$20control$20data_11.0_symalllanguages_livetri.zip
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\sesc$20virus$20definitions$20win32$20v11_microdefsb.curdefs_symalllanguages_livetri.zip
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\sesc$20virus$20definitions$20win32$20v11_microdefsb.jul_symalllanguages_livetri.zip
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\sesc$20virus$20definitions$20win32$20v11_microdefsb.mar_symalllanguages_livetri.zip
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Log.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\LUInstall.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Product.Inventory.LastGood.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Product.Inventory.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Settings.LiveUpdate
    c:\documents and settings\elalime\Local Settings\Application Data\WavXMapDrive.bat
    c:\documents and settings\NetworkService\Application Data\Desktop Security
    c:\documents and settings\NetworkService\Application Data\Desktop Security\securityhelper.exe
    c:\documents and settings\NetworkService\Local Settings\Application Data\wevobmjpf
    c:\program files\Common Files\Symantec Shared
    c:\program files\Common Files\Symantec Shared\ccApp.exe
    c:\program files\Common Files\Symantec Shared\Help\LUALL.CHM
    c:\program files\Common Files\Symantec Shared\HWID\sephwid.xml
    c:\program files\Common Files\Symantec Shared\SPManifests\LuSymProtect.grd
    c:\program files\Common Files\Symantec Shared\SPManifests\LuSymProtect.sig
    c:\program files\Common Files\Symantec Shared\SPManifests\LuSymProtect.spm
    c:\program files\Common Files\Symantec Shared\VirusDefs\Cat.DB
    c:\program files\Common Files\Symantec Shared\VirusDefs\umcat_01.db
    c:\program files\Symantec AntiVirus
    c:\program files\Symantec
    c:\program files\Symantec\LiveUpdate\1.Settings.Default.LiveUpdate
    c:\program files\Symantec\LiveUpdate\ALUNOTIFY.EXE
    c:\program files\Symantec\LiveUpdate\ALUNOTIFYRES.DLL
    c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    c:\program files\Symantec\LiveUpdate\AluSchedulerSvcRes.dll
    c:\program files\Symantec\LiveUpdate\AUPDATE.EXE
    c:\program files\Symantec\LiveUpdate\AUPDATERES.DLL
    c:\program files\Symantec\LiveUpdate\LSETUP.EXE
    c:\program files\Symantec\LiveUpdate\LUALL.EXE
    c:\program files\Symantec\LiveUpdate\LUALLRES.DLL
    c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
    c:\program files\Symantec\LiveUpdate\LUCheck.exe
    c:\program files\Symantec\LiveUpdate\LuComServer_3_3.EXE
    c:\program files\Symantec\LiveUpdate\LuConfig.EXE
    c:\program files\Symantec\LiveUpdate\ludirloc.dat
    c:\program files\Symantec\LiveUpdate\LUINFO.INF
    c:\program files\Symantec\LiveUpdate\LUInit.exe
    c:\program files\Symantec\LiveUpdate\LUInit.ini
    c:\program files\Symantec\LiveUpdate\LUINSDLL.DLL
    c:\program files\Symantec\LiveUpdate\LuInsRes.dll
    c:\program files\Symantec\LiveUpdate\LuPreCon.DLL
    c:\program files\Symantec\LiveUpdate\LuResult.txt
    c:\program files\Symantec\LiveUpdate\MFC71.DLL
    c:\program files\Symantec\LiveUpdate\MSVCP71.DLL
    c:\program files\Symantec\LiveUpdate\MSVCR71.DLL
    c:\program files\Symantec\LiveUpdate\NetDetectController_3_3.DLL
    c:\program files\Symantec\LiveUpdate\NotifyHA.exe
    c:\program files\Symantec\LiveUpdate\ProductRegCom_3_3.DLL
    c:\program files\Symantec\LiveUpdate\PSLuComServer_3_3.DLL
    c:\program files\Symantec\LiveUpdate\PSProductRegCom_3_3.DLL
    c:\program files\Symantec\LiveUpdate\PSProductRegCom64_3_3.DLL
    c:\program files\Symantec\LiveUpdate\README.TXT
    c:\program files\Symantec\LiveUpdate\ResLuComServer_3_1.DLL
    c:\program files\Symantec\LiveUpdate\ResLuComServer_3_3.DLL
    c:\program files\Symantec\LiveUpdate\S32LIVE1.DLL
    c:\program files\Symantec\LiveUpdate\S32LUCP1RES.DLL
    c:\program files\Symantec\LiveUpdate\S32LUCP2.CPL
    c:\program files\Symantec\LiveUpdate\S32LUIS1.DLL
    c:\program files\Symantec\LiveUpdate\S32LUWI1.DLL
    c:\program files\Symantec\LiveUpdate\Settings.Default.LiveUpdate
    c:\program files\Symantec\LiveUpdate\SETUPRES.DLL
    c:\program files\Symantec\LiveUpdate\SymantecRootInstaller.exe
    c:\program files\Symantec\LiveUpdate\SymantecRootInstaller.log
    c:\program files\Symantec\LiveUpdate\SymantecRootInstallerRes.dll
    c:\program files\Symantec\LiveUpdate\UNRAR.DLL

    ----- BITS: Possible infected sites -----

    hxxp://MDHY0PSCCM01.SPH.AD.JHSPH.EDU:80
    .
    ((((((((((((((((((((((((( Files Created from 2010-07-04 to 2010-08-04 )))))))))))))))))))))))))))))))
    .

    2010-08-04 03:55 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-08-04 03:55 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-08-04 03:55 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-08-04 03:55 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-08-04 03:55 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-08-04 03:55 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-08-04 03:55 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-08-04 03:54 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
    2010-08-04 03:54 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
    2010-08-04 03:54 . 2010-08-04 03:54 -------- d-----w- c:\program files\Alwil Software
    2010-08-04 03:54 . 2010-08-04 03:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-08-02 20:14 . 2010-08-02 20:14 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-08-02 19:09 . 2010-08-02 19:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Wave Systems Corp
    2010-08-02 14:51 . 2010-08-02 14:51 -------- d-----w- c:\documents and settings\elalime\Local Settings\Application Data\NTRU Cryptosystems
    2010-08-02 14:24 . 2010-08-02 14:24 -------- d-----w- c:\documents and settings\kmilman.mmi\Application Data\Apple Computer
    2010-08-02 14:23 . 2010-08-02 14:23 -------- d-----w- c:\documents and settings\kmilman.mmi\Local Settings\Application Data\Apple Computer
    2010-08-02 14:23 . 2010-08-02 14:23 -------- d-----w- c:\documents and settings\kmilman.mmi\Local Settings\Application Data\Drobo
    2010-08-02 14:23 . 2010-08-02 14:23 -------- d-----w- c:\documents and settings\kmilman.mmi\Local Settings\Application Data\Identities
    2010-08-02 14:23 . 2010-08-02 14:23 -------- d-----w- c:\documents and settings\kmilman.mmi\Application Data\Windows Desktop Search
    2010-08-01 17:38 . 2010-08-01 17:38 12872 ----a-w- c:\windows\system32\bootdelete.exe
    2010-08-01 03:05 . 2010-08-03 13:28 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-08-01 03:04 . 2010-08-01 03:04 133440 ----a-w- c:\windows\system32\LnkProtect.dll
    2010-08-01 03:02 . 2010-08-01 03:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
    2010-08-01 03:02 . 2010-08-01 03:02 -------- d-----w- c:\program files\Hitman Pro 3.5
    2010-07-30 17:43 . 2010-07-30 17:43 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
    2010-07-30 17:43 . 2010-07-30 17:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
    2010-07-30 17:43 . 2010-07-30 17:43 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Malwarebytes
    2010-07-30 17:42 . 2010-07-30 17:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Drobo
    2010-07-30 17:42 . 2010-07-30 17:42 0 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\WavXMapDrive.bat
    2010-07-30 17:42 . 2010-07-30 17:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
    2010-07-30 17:42 . 2010-07-30 17:42 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Windows Desktop Search
    2010-07-30 17:20 . 2010-07-30 17:20 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Drobo
    2010-07-30 17:19 . 2010-07-30 17:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
    2010-07-30 17:19 . 2010-07-30 17:19 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
    2010-07-30 17:19 . 2010-07-30 17:19 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
    2010-07-30 17:19 . 2010-07-30 17:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Desktop Search
    2010-07-30 17:19 . 2010-07-30 17:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-07-30 17:18 . 2010-07-30 17:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\1E
    2010-07-30 17:04 . 2010-07-30 17:04 -------- d-----w- c:\documents and settings\elalime\Application Data\Malwarebytes
    2010-07-30 17:04 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-30 17:04 . 2010-08-04 14:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-30 17:04 . 2010-07-30 17:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-07-30 17:04 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-07-30 01:37 . 2010-07-30 01:37 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
    2010-07-30 01:36 . 2010-07-30 01:37 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-07-26 23:08 . 2010-07-26 23:08 664 ----a-w- c:\windows\system32\d3d9caps.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-04 14:19 . 2008-06-04 16:34 -------- d-----w- c:\program files\Wave Systems Corp
    2010-08-04 14:19 . 2010-05-13 14:21 -------- d-----w- c:\program files\AIM
    2010-08-04 14:19 . 2010-04-06 20:10 -------- d-----w- c:\program files\iTunes
    2010-08-04 14:19 . 2010-04-06 20:05 -------- d-----w- c:\program files\QuickTime
    2010-08-04 14:19 . 2008-09-14 22:03 -------- d-----w- c:\program files\DellTPad
    2010-08-04 14:10 . 2008-06-11 21:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
    2010-08-02 14:51 . 2008-06-04 16:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Wave Systems Corp
    2010-08-02 14:23 . 2008-06-04 16:27 210701 ----a-w- c:\windows\system32\nvModes.dat
    2010-07-29 19:08 . 2008-06-12 00:54 -------- d-----w- c:\program files\RefViz
    2010-07-29 19:07 . 2008-06-12 00:54 -------- d--h--w- c:\program files\Zero G Registry
    2010-07-29 18:57 . 2009-01-14 02:24 -------- d-----w- c:\documents and settings\elalime\Application Data\Amazon
    2010-07-28 13:30 . 2008-06-23 21:22 -------- d-----w- c:\documents and settings\elalime\Application Data\WeatherBug
    2010-07-28 03:06 . 2010-02-22 20:37 -------- d-----w- c:\program files\MyDefrag v4.2.8
    2010-07-16 15:54 . 2009-08-28 15:07 -------- d-----w- c:\documents and settings\elalime\Application Data\U3
    2010-07-06 15:24 . 2008-06-11 17:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-06-29 18:59 . 2010-06-08 00:38 439816 ----a-w- c:\documents and settings\elalime\Application Data\Real\Update\setup3.10\setup.exe
    2010-06-16 18:26 . 2010-06-16 18:26 89600 ----a-w- c:\windows\system32\atl71.dll
    2010-06-09 19:07 . 2010-05-12 19:54 -------- d-----w- c:\program files\Steam
    2010-06-09 02:29 . 2010-06-09 02:29 -------- d-----w- c:\program files\Drobo
    2010-06-08 17:36 . 2008-02-28 01:45 -------- d-----w- c:\program files\Dell
    2010-06-08 17:30 . 2010-06-08 17:26 -------- d-----w- c:\program files\1E
    2010-06-08 17:26 . 2010-06-08 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\1E
    2010-05-22 22:06 . 2010-05-22 22:06 666112 ----a-w- c:\documents and settings\elalime\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\pmv306hw-1004220-0-main.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe -scheduler" [X]
    "Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2006-04-07 1343488]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe -atboottime" [X]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-11 13594624]
    "nwiz"="nwiz.exe" [2009-03-11 1657376]
    "NVHotkey"="nvHotkey.dll" [2009-03-11 90112]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-11 86016]
    "KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]
    "LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

    c:\documents and settings\elalime\Start Menu\Programs\Computer tools\Startup\
    DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-6-4 50688]
    Drobo Dashboard.lnk - c:\program files\Drobo\Drobo Dashboard\DroboDashboard.exe [2010-3-19 3395584]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"="c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
    2006-11-16 20:20 73728 ----a-w- c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 wvauth

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2122500139-1198148142-3152560411-22569\Scripts\Logon\0\0]
    "Script"=JHSPHShares v28.vbs

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
    backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
    backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
    backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^JHSecure VPN Client.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\JHSecure VPN Client.lnk
    backup=c:\windows\pss\JHSecure VPN Client.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
    2008-04-23 06:08 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-03-26 05:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2008-06-03 19:08 21718312 -c--a-r- c:\program files\Skype\Phone\Skype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2008-10-04 20:39 185872 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
    "c:\\Documents and Settings\\elalime\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\WINDOWS\\system32\\iscsiexe.exe"=
    "c:\\Program Files\\Drobo\\Drobo Dashboard\\Support\\DDService.exe"=

    R0 a320raid;a320raid;c:\windows\system32\drivers\a320raid.sys [12/10/2006 7:16 PM 218112]
    R0 aac;PERC 320/DC SCSI RAID Miniport Driver;c:\windows\system32\drivers\aac.sys [12/10/2006 7:16 PM 48140]
    R0 aarich;aarich;c:\windows\system32\drivers\aarich.sys [12/10/2006 7:16 PM 204800]
    R0 megasas;DELL PERC RAID Driver;c:\windows\system32\drivers\megasas.sys [12/10/2006 7:17 PM 19200]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/3/2010 11:55 PM 165456]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/3/2010 11:55 PM 17744]
    R2 DDService;Drobo Dashboard Service;c:\program files\Drobo\Drobo Dashboard\Support\DDService.exe [3/19/2010 1:10 PM 704512]
    R2 MSiSCSI;Microsoft iSCSI Initiator Service;c:\windows\system32\iscsiexe.exe [11/13/2008 10:09 PM 103480]
    R2 NightWatchman50;NightWatchman50;c:\program files\1E\NightWatchman50\NwmSvc.exe [5/27/2009 4:31 PM 1003864]
    R2 NwmSleepless;NwmSleepless;c:\windows\system32\drivers\NwmSleepless.sys [6/22/2010 1:08 PM 42488]
    R2 WakeUpAgt;1E WakeUp Agent;c:\program files\1E\WakeUp\Agent\WakeUpAgt.exe [6/4/2009 12:41 PM 275792]
    R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [12/5/2004 6:41 PM 5120]
    R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 1:32 PM 97536]
    R3 iScsiPrt;iScsiPort Driver;c:\windows\system32\drivers\msiscsi.sys [11/13/2008 10:09 PM 158264]
    S0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys --> c:\windows\system32\drivers\vmscsi.sys [?]
    S2 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
    S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/21/2009 8:03 PM 717296]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-03 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

    2009-09-01 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1200 series272A572217594EBCF1CEE215E352B92AD073FDE4245615820.job
    - c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 21:56]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://baltimore.craigslist.org/zip/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    IE: iGive Toolbar - file://c:\documents and settings\elalime\Application Data\iGive_Toolbar\igvtt\igvtC5.htm
    DPF: Shopping.Probe - Install via ShoppingProbe.msi
    FF - ProfilePath - c:\documents and settings\elalime\Application Data\Mozilla\Firefox\Profiles\8d2z5o7b.default\
    FF - plugin: c:\documents and settings\elalime\Application Data\Facebook\npfbplugin_1_0_1.dll
    FF - plugin: c:\documents and settings\elalime\Application Data\Facebook\npfbplugin_1_0_3.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-igvtm - c:\program files\iGive_Toolbar\igvtt.exe
    MSConfigStartUp-Aim6 - c:\program files\AIM6\aim6.exe
    MSConfigStartUp-AppleSyncNotifier - c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    MSConfigStartUp-MSMSGS - c:\program files\Messenger\msmsgs.exe
    MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    AddRemove-LiveUpdate - c:\program files\Symantec\LiveUpdate\LSETUP.EXE



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-04 10:27
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(1412)
    c:\windows\system32\wvauth.dll
    c:\windows\system32\biolsp.dll
    .
    Completion time: 2010-08-04 10:29:11
    ComboFix-quarantined-files.txt 2010-08-04 14:29
    ComboFix2.txt 2010-08-04 03:29

    Pre-Run: 2,401,017,856 bytes free
    Post-Run: 2,377,043,968 bytes free

    - - End Of File - - 731CD88849E0D4034A13BFD72C9DC7B6
     
  19. 2010/08/04
    broni Moderator Malware Analyst
    Good news :)

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start> "Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ===============================================================

    Now, you can safely install Avast, or Avira.
    After installation, run full scan.
    Let me know, if anything was found.

    ================================================================

    Download Malwarebytes' Anti-Malware (aka MBAM): http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html to your desktop.

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    Be sure to restart the computer.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    ================================================================

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:



    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    * When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    * Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  20. 2010/08/05
    RinBird Inactive Thread Starter
    I downloaded avast and the full computer scan came up clean.

    I already had malwarebytes, and the first scan found 1 problem:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4393

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13

    8/5/2010 12:02:56 PM
    mbam-log-2010-08-05 (12-02-56).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 241652
    Time elapsed: 41 minute(s), 38 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\AnVi (Rogue.AnVi) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    A second scan after reset was clean:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4395

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13

    8/5/2010 3:55:35 PM
    mbam-log-2010-08-05 (15-55-35).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 241377
    Time elapsed: 1 hour(s), 19 minute(s), 30 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    continuing on next post
     
  21. 2010/08/05
    RinBird Inactive Thread Starter
    OTL.txt:

    OTL logfile created on: 8/5/2010 5:16:21 PM - Run 1
    OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\elalime\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.5730.13)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 73.00% Memory free
    3.00 Gb Paging File | 2.00 Gb Available in Paging File | 84.00% Paging File free
    Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 148.92 Gb Total Space | 3.24 Gb Free Space | 2.17% Space Free | Partition Type: NTFS
    D: Drive not present or media not loaded
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: MMI-6VZBFG1
    Current User Name: elalime
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 90 Days
    Output = Standard
    Quick Scan

    ========== Processes (SafeList) ==========

    PRC - [2010/08/05 17:15:12 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\elalime\Desktop\OTL.exe
    PRC - [2010/07/29 18:53:13 | 000,275,792 | ---- | M] (1E) -- C:\Program Files\1E\WakeUp\Agent\WakeUpAgt.exe
    PRC - [2010/06/28 16:57:18 | 002,837,864 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    PRC - [2010/06/28 16:57:15 | 000,040,384 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    PRC - [2010/06/22 13:09:05 | 001,003,864 | ---- | M] (1E) -- C:\Program Files\1E\NightWatchman50\NwmSvc.exe
    PRC - [2010/06/22 13:09:05 | 000,272,728 | ---- | M] (1E) -- C:\Program Files\1E\NightWatchman50\NwmCli.exe
    PRC - [2010/03/19 13:10:58 | 000,704,512 | ---- | M] (Data Robotics, Inc.) -- C:\Program Files\Drobo\Drobo Dashboard\Support\DDService.exe
    PRC - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    PRC - [2009/03/26 22:58:08 | 000,431,472 | ---- | M] (Juniper Networks) -- C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    PRC - [2008/11/13 22:09:06 | 000,103,480 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\iscsiexe.exe
    PRC - [2008/05/26 22:19:14 | 000,123,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    PRC - [2008/05/20 04:00:00 | 000,757,792 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\CCM\CcmExec.exe
    PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2008/02/22 13:40:20 | 000,475,136 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
    PRC - [2007/12/05 20:24:44 | 000,094,208 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\system32\stacsv.exe
    PRC - [2007/11/08 23:50:10 | 001,552,384 | ---- | M] () -- C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
    PRC - [2007/09/07 18:29:04 | 000,737,280 | ---- | M] (Wave Systems Corp.) -- C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
    PRC - [2006/11/03 19:02:14 | 000,050,688 | ---- | M] (Avanquest Software ) -- C:\Program Files\Digital Line Detect\DLG.exe
    PRC - [2006/11/02 15:05:50 | 000,282,624 | ---- | M] (Knowles Acoustics) -- C:\WINDOWS\system32\KADxMain.exe
    PRC - [2005/11/04 11:21:28 | 001,516,584 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\JHSecure\VPN Client\cvpnd.exe
    PRC - [2005/07/19 18:32:18 | 000,221,184 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\LVCOMSX.EXE


    ========== Modules (SafeList) ==========

    MOD - [2010/08/05 17:15:12 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\elalime\Desktop\OTL.exe
    MOD - [2009/03/11 14:04:00 | 001,503,232 | ---- | M] () -- C:\WINDOWS\system32\nview.dll
    MOD - [2009/03/11 14:04:00 | 000,081,920 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvwddi.dll
    MOD - [2008/04/14 05:40:22 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [On_Demand | Stopped] -- C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE -- (LiveUpdate)
    SRV - File not found [Auto | Stopped] -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate) Google Update Service (gupdate)
    SRV - [2010/07/29 18:53:13 | 000,275,792 | ---- | M] (1E) [Auto | Running] -- C:\Program Files\1E\WakeUp\Agent\WakeUpAgt.exe -- (WakeUpAgt)
    SRV - [2010/06/28 16:57:15 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
    SRV - [2010/06/28 16:57:15 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
    SRV - [2010/06/28 16:57:15 | 000,040,384 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
    SRV - [2010/06/22 13:09:05 | 001,003,864 | ---- | M] (1E) [Auto | Running] -- C:\Program Files\1E\NightWatchman50\NwmSvc.exe -- (NightWatchman50)
    SRV - [2010/03/19 13:10:58 | 000,704,512 | ---- | M] (Data Robotics, Inc.) [Auto | Running] -- C:\Program Files\Drobo\Drobo Dashboard\Support\DDService.exe -- (DDService)
    SRV - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
    SRV - [2009/03/26 22:58:08 | 000,431,472 | ---- | M] (Juniper Networks) [Auto | Running] -- C:\Program Files\Juniper Networks\Common Files\dsNcService.exe -- (dsNcService)
    SRV - [2008/11/13 22:09:06 | 000,103,480 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\iscsiexe.exe -- (MSiSCSI)
    SRV - [2008/05/20 04:00:00 | 000,757,792 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\CCM\CcmExec.exe -- (CcmExec)
    SRV - [2008/05/20 04:00:00 | 000,249,888 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\CCM\TSManager.exe -- (smstsmgr)
    SRV - [2008/02/22 13:40:20 | 000,475,136 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe -- (NICCONFIGSVC)
    SRV - [2007/12/05 20:24:44 | 000,094,208 | ---- | M] (SigmaTel, Inc.) [Auto | Running] -- C:\WINDOWS\system32\stacsv.exe -- (STacSV)
    SRV - [2007/11/08 23:50:10 | 001,552,384 | ---- | M] () [Auto | Running] -- C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe -- (tcsd_win32.exe)
    SRV - [2007/09/13 15:31:44 | 000,192,512 | ---- | M] (Wave Systems Corp.) [On_Demand | Stopped] -- C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe -- (WaveEnrollmentService)
    SRV - [2007/09/07 18:29:04 | 000,737,280 | ---- | M] (Wave Systems Corp.) [Auto | Running] -- C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe -- (TdmService)
    SRV - [2007/08/31 18:39:18 | 000,486,400 | ---- | M] (Wave Systems Corp.) [On_Demand | Stopped] -- C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe -- (SecureStorageService)
    SRV - [2005/11/04 11:21:28 | 001,516,584 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\JHSecure\VPN Client\cvpnd.exe -- (CVPND)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\drivers\vmscsi.sys -- (vmscsi)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\elalime\LOCALS~1\Temp\catchme.sys -- (catchme)
    DRV - [2010/06/28 16:37:52 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
    DRV - [2010/06/28 16:37:30 | 000,165,456 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
    DRV - [2010/06/28 16:33:13 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
    DRV - [2010/06/28 16:32:45 | 000,100,176 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
    DRV - [2010/06/28 16:32:33 | 000,017,744 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
    DRV - [2010/06/28 16:32:16 | 000,028,880 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
    DRV - [2009/05/27 16:32:00 | 000,042,488 | ---- | M] (1E) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\NwmSleepless.sys -- (NwmSleepless)
    DRV - [2009/03/11 14:04:00 | 006,251,168 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
    DRV - [2009/01/21 20:03:41 | 000,717,296 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd)
    DRV - [2008/08/28 19:18:38 | 000,023,552 | ---- | M] (Juniper Networks) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dsNcAdpt.sys -- (dsNcAdpt)
    DRV - [2008/08/21 06:38:10 | 000,020,480 | ---- | M] (Dell Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\omci.sys -- (omci)
    DRV - [2008/05/20 04:00:00 | 000,023,584 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\CCM\PrepDrv.sys -- (prepdrvr)
    DRV - [2008/04/14 01:15:14 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
    DRV - [2008/04/13 22:06:06 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
    DRV - [2008/04/08 17:27:04 | 000,012,448 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smsmdm.sys -- (smsmdd)
    DRV - [2007/12/19 19:25:40 | 000,105,472 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\nvatabus.sys -- (nvatabus)
    DRV - [2007/12/19 19:25:40 | 000,089,344 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\nvraid.sys -- (nvraid) NVIDIA nForce(tm)
    DRV - [2007/12/05 20:24:44 | 001,222,840 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
    DRV - [2007/12/02 21:26:22 | 000,989,952 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
    DRV - [2007/12/02 21:26:20 | 000,731,136 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
    DRV - [2007/12/02 21:26:20 | 000,211,200 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
    DRV - [2007/11/28 19:18:24 | 000,062,208 | ---- | M] (O2Micro) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\oz776.sys -- (guardian2)
    DRV - [2007/10/09 07:17:42 | 001,123,328 | ---- | M] (Broadcom Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
    DRV - [2007/09/10 10:55:00 | 000,161,280 | ---- | M] (Wave Systems Corp.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\WavxDMgr.sys -- (WavxDMgr)
    DRV - [2007/09/07 10:57:14 | 000,026,608 | ---- | M] (Dell Inc) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\PBADRV.sys -- (PBADRV)
    DRV - [2007/09/07 02:10:42 | 000,019,200 | ---- | M] (LSI Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\megasas.sys -- (megasas)
    DRV - [2007/09/07 01:18:46 | 000,100,096 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\symmpi.sys -- (Symmpi)
    DRV - [2007/09/06 10:18:40 | 000,018,176 | ---- | M] (Windows (R) Codename Longhorn DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WaveFDE.sys -- (WaveFDE)
    DRV - [2007/07/23 16:05:20 | 000,009,104 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLADResM.SYS -- (DLADResM)
    DRV - [2007/07/23 16:04:58 | 000,037,360 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLABMFSM.SYS -- (DLABMFSM)
    DRV - [2007/07/23 16:04:56 | 000,098,448 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAUDF_M.SYS -- (DLAUDF_M)
    DRV - [2007/07/23 16:04:56 | 000,093,552 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAUDFAM.SYS -- (DLAUDFAM)
    DRV - [2007/07/23 16:04:54 | 000,027,216 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAOPIOM.SYS -- (DLAOPIOM)
    DRV - [2007/07/23 16:04:52 | 000,032,848 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLABOIOM.SYS -- (DLABOIOM)
    DRV - [2007/07/23 16:04:52 | 000,016,304 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAPoolM.SYS -- (DLAPoolM)
    DRV - [2007/07/23 16:04:50 | 000,108,752 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAIFS_M.SYS -- (DLAIFS_M)
    DRV - [2007/07/23 15:55:44 | 000,099,808 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)
    DRV - [2007/07/23 15:49:44 | 000,030,064 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
    DRV - [2007/07/23 15:49:44 | 000,014,576 | ---- | M] (Roxio) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DLACDBHM.SYS -- (DLACDBHM)
    DRV - [2007/07/23 15:43:42 | 000,052,000 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
    DRV - [2007/06/25 18:53:10 | 000,155,136 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
    DRV - [2007/04/16 23:45:42 | 000,277,784 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor)
    DRV - [2007/03/13 02:26:06 | 000,160,256 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
    DRV - [2006/11/22 10:01:48 | 000,693,760 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\hardlock.sys -- (Hardlock)
    DRV - [2006/11/02 13:32:32 | 000,097,536 | ---- | M] (Knowles Acoustics) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dxec01.sys -- (DXEC01)
    DRV - [2005/11/04 11:20:40 | 000,303,735 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
    DRV - [2005/08/12 17:50:46 | 000,016,128 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV)
    DRV - [2005/06/29 20:50:30 | 000,110,080 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
    DRV - [2005/05/27 10:32:52 | 001,317,152 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvcm.sys -- (QCMerced)
    DRV - [2005/05/27 10:31:28 | 000,022,016 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
    DRV - [2005/05/17 20:12:40 | 000,204,800 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aarich.sys -- (aarich)
    DRV - [2005/05/17 05:51:34 | 000,005,315 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
    DRV - [2005/02/17 22:05:16 | 000,218,112 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\a320raid.sys -- (a320raid)
    DRV - [2005/01/26 07:22:20 | 000,280,344 | ---- | M] (Zone Labs LLC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
    DRV - [2004/04/07 16:14:30 | 000,048,140 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\aac.sys -- (aac)
    DRV - [2004/02/17 14:38:30 | 000,132,608 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\adpu320.sys -- (adpu320)
    DRV - [2003/04/28 10:15:38 | 000,140,544 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\fasttx2k.sys -- (fasttx2k)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://baltimore.craigslist.org/zip/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========


    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/08/03 21:49:14 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/08/02 16:11:24 | 000,000,000 | ---D | M]

    [2010/08/02 17:22:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\elalime\Application Data\Mozilla\Extensions
    [2010/08/04 18:28:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\elalime\Application Data\Mozilla\Firefox\Profiles\8d2z5o7b.default\extensions
    [2010/08/02 17:50:23 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\elalime\Application Data\Mozilla\Firefox\Profiles\8d2z5o7b.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2010/08/02 16:11:24 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

    O1 HOSTS File: ([2010/08/04 10:27:18 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
    O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O3 - HKLM\..\Toolbar: (iGive Toolbar) - {FA73AE1B-4BA9-4E8B-832B-54A287FF1B7F} - C:\Program Files\iGive_Toolbar\igvtb.dll File not found
    O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)
    O4 - HKLM..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe (Knowles Acoustics)
    O4 - HKLM..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE (Logitech Inc.)
    O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
    O4 - HKLM..\Run: [NVHotkey] C:\WINDOWS\System32\nvhotkey.dll (NVIDIA Corporation)
    O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
    O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
    O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask .exe File not found
    O4 - HKCU..\Run: [ISUSPM] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe File not found
    O4 - HKCU..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe (AWS Convergence Technologies, Inc.)
    O4 - Startup: C:\Documents and Settings\elalime\Start Menu\Programs\Computer tools\Startup\DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe (Southwest Airlines)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
    O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
    O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
    O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
    O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
    O15 - HKCU\..Trusted Domains: jhsph.edu ([]* in Local intranet)
    O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab (Reg Error: Key error.)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1256353087359 (WUWebControl Class)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O16 - DPF: Shopping.Probe Install via ShoppingProbe.msi (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 162.129.40.11 162.129.40.12
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sph.ad.jhsph.edu
    O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - Reg Error: Key error. File not found
    O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
    O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - Reg Error: Key error. File not found
    O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
    O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\gemsafe: DllName - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll (Gemplus)
    O24 - Desktop WallPaper: C:\Documents and Settings\elalime\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\elalime\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
    O30 - LSA: Authentication Packages - (wvauth) - C:\WINDOWS\System32\wvauth.dll (Wave Systems Corp.)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2004/12/05 17:54:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found

    Drivers32: aux - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
    Drivers32: aux1 - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
    Drivers32: midi - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
    Drivers32: midi1 - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
    Drivers32: midi2 - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
    Drivers32: midimapper - C:\WINDOWS\System32\midimap.dll (Microsoft Corporation)
    Drivers32: mixer - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
    Drivers32: mixer1 - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
    Drivers32: mixer2 - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
    Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
    Drivers32: msacm.imaadpcm - C:\WINDOWS\System32\imaadp32.acm (Microsoft Corporation)
    Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.msadpcm - C:\WINDOWS\System32\msadp32.acm (Microsoft Corporation)
    Drivers32: msacm.msaudio1 - C:\WINDOWS\System32\msaud32.acm (Microsoft Corporation)
    Drivers32: msacm.msg711 - C:\WINDOWS\System32\msg711.acm (Microsoft Corporation)
    Drivers32: msacm.msg723 - C:\WINDOWS\System32\msg723.acm (Microsoft Corporation)
    Drivers32: msacm.msgsm610 - C:\WINDOWS\System32\msgsm32.acm (Microsoft Corporation)
    Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
    Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
    Drivers32: MSVideo - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
    Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
    Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
    Drivers32: VIDC.I420 - C:\WINDOWS\System32\lvcodec2.dll (Logitech Inc.)
    Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
    Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
    Drivers32: VIDC.IYUV - C:\WINDOWS\System32\iyuv_32.dll (Microsoft Corporation)
    Drivers32: vidc.M261 - C:\WINDOWS\System32\msh261.drv (Microsoft Corporation)
    Drivers32: vidc.M263 - C:\WINDOWS\System32\msh263.drv (Microsoft Corporation)
    Drivers32: vidc.mrle - C:\WINDOWS\System32\msrle32.dll (Microsoft Corporation)
    Drivers32: vidc.msvc - C:\WINDOWS\System32\msvidc32.dll (Microsoft Corporation)
    Drivers32: VIDC.UYVY - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
    Drivers32: VIDC.YUY2 - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
    Drivers32: VIDC.YVU9 - C:\WINDOWS\System32\tsbyuv.dll (Microsoft Corporation)
    Drivers32: VIDC.YVYU - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
    Drivers32: wave - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
    Drivers32: wave1 - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
    Drivers32: wave2 - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
    Drivers32: wavemapper - C:\WINDOWS\System32\msacm32.drv (Microsoft Corporation)

    CREATERESTOREPOINT
    Error starting restore point: System Restore is disabled.
    Error closing restore point: System Restore is disabled.

    ========== Files/Folders - Created Within 90 Days ==========

    [2010/08/05 17:15:11 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\elalime\Desktop\OTL.exe
    [2010/08/03 23:55:16 | 000,017,744 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
    [2010/08/03 23:55:15 | 000,165,456 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
    [2010/08/03 23:55:14 | 000,023,376 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
    [2010/08/03 23:55:12 | 000,046,672 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
    [2010/08/03 23:55:10 | 000,100,176 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
    [2010/08/03 23:55:10 | 000,094,544 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
    [2010/08/03 23:55:09 | 000,028,880 | ---- | C] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
    [2010/08/03 23:54:55 | 000,165,032 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
    [2010/08/03 23:54:55 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\WINDOWS\avastSS.scr
    [2010/08/03 23:54:49 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
    [2010/08/03 23:54:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
    [2010/08/03 19:32:43 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2010/08/03 19:24:58 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2010/08/02 17:21:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\elalime\Application Data\Mozilla
    [2010/08/02 16:14:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    [2010/08/02 15:09:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Wave Systems Corp
    [2010/08/02 10:51:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\elalime\Local Settings\Application Data\NTRU Cryptosystems
    [2010/08/02 09:40:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\elalime\Desktop\desktop stuff
    [2010/08/02 09:39:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\elalime\Desktop\debugging
    [2010/08/01 13:38:15 | 000,012,872 | ---- | C] (SurfRight B.V.) -- C:\WINDOWS\System32\bootdelete.exe
    [2010/07/31 23:04:59 | 000,133,440 | ---- | C] (SurfRight B.V.) -- C:\WINDOWS\System32\LnkProtect.dll
    [2010/07/31 23:02:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
    [2010/07/31 23:02:56 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
    [2010/07/30 13:43:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Apple Computer
    [2010/07/30 13:43:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple Computer
    [2010/07/30 13:43:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Malwarebytes
    [2010/07/30 13:42:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Drobo
    [2010/07/30 13:42:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Identities
    [2010/07/30 13:42:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Windows Desktop Search
    [2010/07/30 13:41:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Identities
    [2010/07/30 13:04:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\elalime\Application Data\Malwarebytes
    [2010/07/30 13:04:24 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2010/07/30 13:04:22 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2010/07/30 13:04:22 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2010/07/30 13:04:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    [2010/07/29 22:33:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Real
    [2010/07/29 21:37:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\AdobeUM
    [2010/07/29 21:36:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
    [2010/07/26 19:08:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
    [2010/07/26 19:06:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
    [2010/07/26 19:06:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
    [2010/06/22 13:08:57 | 000,042,488 | ---- | C] (1E) -- C:\WINDOWS\System32\drivers\NwmSleepless.sys
    [2010/06/19 20:09:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\elalime\My Documents\Phone
    [2010/06/08 22:29:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\elalime\Local Settings\Application Data\Drobo
    [2010/06/08 22:29:17 | 000,000,000 | ---D | C] -- C:\Program Files\Drobo
    [2010/06/08 22:25:58 | 000,000,000 | ---D | C] -- C:\WINDOWS\iSCSI
    [2010/06/08 13:44:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\ms
    [2010/06/08 13:26:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\elalime\Local Settings\Application Data\1E
    [2010/06/08 13:26:39 | 000,000,000 | ---D | C] -- C:\Program Files\1E
    [2010/06/08 13:26:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\1E
    [2010/05/13 10:21:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AIM
    [2010/05/13 10:21:37 | 000,000,000 | ---D | C] -- C:\Program Files\AIM
    [2010/05/12 15:54:23 | 000,000,000 | ---D | C] -- C:\Program Files\Steam
    [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files - Modified Within 90 Days ==========

    [2010/08/05 17:15:12 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\elalime\Desktop\OTL.exe
    [2010/08/05 17:04:19 | 000,000,463 | ---- | M] () -- C:\WINDOWS\smscfg.ini
    [2010/08/05 17:03:05 | 000,192,798 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
    [2010/08/05 17:03:04 | 000,210,701 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
    [2010/08/05 17:03:00 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2010/08/05 17:02:26 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
    [2010/08/05 17:02:22 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2010/08/05 17:02:19 | 2145,349,632 | -HS- | M] () -- C:\hiberfil.sys
    [2010/08/05 17:01:27 | 006,815,744 | -H-- | M] () -- C:\Documents and Settings\elalime\NTUSER.DAT
    [2010/08/05 17:00:54 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\elalime\ntuser.ini
    [2010/08/05 12:20:52 | 000,002,155 | ---- | M] () -- C:\Documents and Settings\elalime\Application Data\Microsoft\Internet Explorer\Quick Launch\iTunes (2).lnk
    [2010/08/05 11:05:06 | 000,000,702 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2010/08/04 13:50:34 | 000,002,533 | ---- | M] () -- C:\Documents and Settings\elalime\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2007.lnk
    [2010/08/04 12:27:37 | 000,001,598 | ---- | M] () -- C:\Documents and Settings\elalime\Application Data\Microsoft\Internet Explorer\Quick Launch\AIM.lnk
    [2010/08/04 10:27:26 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
    [2010/08/04 10:27:18 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2010/08/03 23:55:10 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
    [2010/08/03 19:42:47 | 000,319,677 | ---- | M] () -- C:\Documents and Settings\elalime\Desktop\instructions.jpg
    [2010/08/03 19:32:50 | 000,000,281 | RHS- | M] () -- C:\boot.ini
    [2010/08/03 15:24:10 | 000,001,106 | ---- | M] () -- C:\WINDOWS\win.ini
    [2010/08/03 14:37:08 | 000,002,661 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\LUUnInstall.LiveUpdate
    [2010/08/03 12:27:53 | 000,022,914 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
    [2010/08/03 10:13:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    [2010/08/03 09:28:37 | 000,016,968 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
    [2010/08/02 16:11:28 | 000,001,626 | ---- | M] () -- C:\Documents and Settings\elalime\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
    [2010/08/02 16:11:28 | 000,001,608 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
    [2010/08/02 15:23:59 | 000,160,825 | ---- | M] () -- C:\Documents and Settings\elalime\Desktop\bookmarks.html
    [2010/08/02 10:23:37 | 000,210,701 | ---- | M] () -- C:\WINDOWS\System32\nvModes.dat
    [2010/08/01 18:42:31 | 000,002,341 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
    [2010/08/01 13:38:15 | 000,012,872 | ---- | M] (SurfRight B.V.) -- C:\WINDOWS\System32\bootdelete.exe
    [2010/07/31 23:10:20 | 000,004,016 | ---- | M] () -- C:\WINDOWS\System32\.crusader
    [2010/07/31 23:04:59 | 000,133,440 | ---- | M] (SurfRight B.V.) -- C:\WINDOWS\System32\LnkProtect.dll
    [2010/07/29 19:40:31 | 000,022,423 | ---- | M] () -- C:\Documents and Settings\elalime\My Documents\Cell symposium Influenza abstract template el4.docx
    [2010/07/29 18:52:54 | 000,000,270 | ---- | M] () -- C:\WINDOWS\{6D7E19DF-2852-4EA4-9DD2-FBCC6D422EF2}_WiseFW.ini
    [2010/07/29 10:51:50 | 000,022,082 | ---- | M] () -- C:\Documents and Settings\elalime\My Documents\Cell symposium Influenza abstract template el2 AP (2) aa.docx
    [2010/07/27 18:43:12 | 000,013,576 | ---- | M] () -- C:\Documents and Settings\elalime\My Documents\cell influenza abstract 2010 el2.docx
    [2010/07/26 19:08:46 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2010/07/10 12:23:03 | 000,001,811 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Drobo Dashboard.lnk
    [2010/06/28 16:57:33 | 000,038,848 | ---- | M] (ALWIL Software) -- C:\WINDOWS\avastSS.scr
    [2010/06/28 16:57:12 | 000,165,032 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
    [2010/06/28 16:37:52 | 000,046,672 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
    [2010/06/28 16:37:30 | 000,165,456 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
    [2010/06/28 16:33:13 | 000,023,376 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
    [2010/06/28 16:32:45 | 000,100,176 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
    [2010/06/28 16:32:42 | 000,094,544 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
    [2010/06/28 16:32:33 | 000,017,744 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
    [2010/06/28 16:32:16 | 000,028,880 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
    [2010/06/08 22:29:20 | 000,000,773 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Drobo Dashboard.lnk
    [2010/06/08 22:27:20 | 000,557,528 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
    [2010/06/08 22:27:20 | 000,478,950 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2010/06/08 22:27:20 | 000,083,624 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2010/06/08 22:26:03 | 000,000,447 | ---- | M] () -- C:\Documents and Settings\elalime\Desktop\Microsoft iSCSI Initiator.lnk
    [2010/06/08 13:44:42 | 000,004,764 | ---- | M] () -- C:\WINDOWS\System32\CcmFramework.ini
    [2010/06/08 13:44:42 | 000,000,621 | ---- | M] () -- C:\WINDOWS\System32\CcmFramework.h
    [2010/05/13 10:21:57 | 000,001,295 | -H-- | M] () -- C:\IPH.PH
    [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2010/08/03 19:32:50 | 000,000,211 | ---- | C] () -- C:\Boot.bak
    [2010/08/03 19:32:46 | 000,260,272 | ---- | C] () -- C:\cmldr
    [2010/08/03 19:19:32 | 000,319,677 | ---- | C] () -- C:\Documents and Settings\elalime\Desktop\instructions.jpg
    [2010/08/03 14:37:07 | 000,002,661 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\LUUnInstall.LiveUpdate
    [2010/08/02 16:11:28 | 000,001,626 | ---- | C] () -- C:\Documents and Settings\elalime\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
    [2010/08/02 16:11:28 | 000,001,608 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
    [2010/08/02 15:23:59 | 000,160,825 | ---- | C] () -- C:\Documents and Settings\elalime\Desktop\bookmarks.html
    [2010/07/31 23:10:20 | 000,004,016 | ---- | C] () -- C:\WINDOWS\System32\.crusader
    [2010/07/31 23:05:36 | 000,016,968 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
    [2010/07/30 13:42:53 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\WavXMapDrive.bat
    [2010/07/30 13:04:27 | 000,000,702 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2010/07/30 12:59:15 | 2145,349,632 | -HS- | C] () -- C:\hiberfil.sys
    [2010/07/29 19:40:31 | 000,022,423 | ---- | C] () -- C:\Documents and Settings\elalime\My Documents\Cell symposium Influenza abstract template el4.docx
    [2010/07/29 18:52:48 | 000,000,270 | ---- | C] () -- C:\WINDOWS\{6D7E19DF-2852-4EA4-9DD2-FBCC6D422EF2}_WiseFW.ini
    [2010/07/29 10:51:50 | 000,022,082 | ---- | C] () -- C:\Documents and Settings\elalime\My Documents\Cell symposium Influenza abstract template el2 AP (2) aa.docx
    [2010/07/27 16:26:17 | 000,013,576 | ---- | C] () -- C:\Documents and Settings\elalime\My Documents\cell influenza abstract 2010 el2.docx
    [2010/07/26 19:08:46 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2010/07/06 11:22:48 | 001,368,064 | ---- | C] () -- C:\Documents and Settings\elalime\My Documents\BD CBA Add-In.xla
    [2010/06/08 22:29:20 | 000,000,773 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Drobo Dashboard.lnk
    [2010/06/08 22:29:19 | 000,001,811 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Drobo Dashboard.lnk
    [2010/06/08 22:26:02 | 000,000,447 | ---- | C] () -- C:\Documents and Settings\elalime\Desktop\Microsoft iSCSI Initiator.lnk
    [2010/06/08 13:44:42 | 000,004,764 | ---- | C] () -- C:\WINDOWS\System32\CcmFramework.ini
    [2010/06/08 13:44:42 | 000,000,621 | ---- | C] () -- C:\WINDOWS\System32\CcmFramework.h
    [2010/05/13 10:21:49 | 000,001,598 | ---- | C] () -- C:\Documents and Settings\elalime\Application Data\Microsoft\Internet Explorer\Quick Launch\AIM.lnk
    [2008/12/04 22:16:00 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
    [2008/12/04 22:12:43 | 000,000,025 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
    [2008/12/04 21:59:17 | 000,000,456 | ---- | C] () -- C:\WINDOWS\wininit.ini
    [2008/11/28 22:00:38 | 000,009,255 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
    [2008/11/28 22:00:37 | 001,317,152 | ---- | C] () -- C:\WINDOWS\System32\drivers\lvcm.sys
    [2008/11/11 17:12:21 | 000,197,672 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
    [2008/11/11 17:12:20 | 000,189,480 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
    [2008/08/13 15:49:48 | 000,000,037 | ---- | C] () -- C:\WINDOWS\Viewer.ini
    [2008/08/10 17:59:52 | 000,000,393 | ---- | C] () -- C:\WINDOWS\smsafari.ini
    [2008/06/11 13:47:49 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
    [2008/06/04 14:18:44 | 001,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
    [2008/06/04 14:18:44 | 001,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
    [2008/06/04 14:18:43 | 001,503,232 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
    [2008/06/04 14:18:43 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
    [2008/06/04 12:40:07 | 000,000,463 | ---- | C] () -- C:\WINDOWS\smscfg.ini
    [2008/06/04 12:38:32 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
    [2008/06/04 12:38:29 | 000,753,664 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
    [2008/06/04 12:34:30 | 000,080,368 | ---- | C] () -- C:\WINDOWS\System32\pbadrvdll.dll
    [2008/06/04 12:34:26 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\bioapi_mds300.dll
    [2008/06/04 12:34:26 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\bioapi100.dll
    [2008/06/04 12:22:50 | 000,000,263 | ---- | C] () -- C:\WINDOWS\WMIInfo.ini
    [2008/06/04 12:22:48 | 000,000,058 | ---- | C] () -- C:\WINDOWS\DISPSET.INI
    [2008/06/04 12:21:23 | 000,000,131 | ---- | C] () -- C:\WINDOWS\ProcessorDetector.ini
    [2008/02/27 22:29:22 | 000,004,032 | ---- | C] () -- C:\WINDOWS\HARDTACK.INI
    [2008/02/27 22:29:09 | 000,000,370 | ---- | C] () -- C:\WINDOWS\IB.ini
    [2008/02/04 18:23:10 | 000,693,792 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
    [2008/01/15 03:31:00 | 000,000,530 | ---- | C] () -- C:\WINDOWS\System32\tx14_ic.ini
    [2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
    [2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
    [2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
    [2007/09/13 15:42:30 | 000,499,712 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ru.dll
    [2007/09/13 15:42:30 | 000,471,040 | ---- | C] () -- C:\WINDOWS\System32\AmRes_pt-BR.dll
    [2007/09/13 15:42:28 | 000,487,424 | ---- | C] () -- C:\WINDOWS\System32\AmRes_it.dll
    [2007/09/13 15:42:28 | 000,487,424 | ---- | C] () -- C:\WINDOWS\System32\AmRes_fr.dll
    [2007/09/13 15:42:28 | 000,462,848 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ko.dll
    [2007/09/13 15:42:28 | 000,458,752 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ja.dll
    [2007/09/13 15:42:26 | 000,487,424 | ---- | C] () -- C:\WINDOWS\System32\AmRes_es.dll
    [2007/09/13 15:42:26 | 000,487,424 | ---- | C] () -- C:\WINDOWS\System32\AmRes_de.dll
    [2007/09/13 15:42:26 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\AmRes_en.dll
    [2007/09/13 15:42:26 | 000,434,176 | ---- | C] () -- C:\WINDOWS\System32\AmRes_zh-CHT.dll
    [2007/09/13 15:36:24 | 000,438,272 | ---- | C] () -- C:\WINDOWS\System32\AmRes_zh-CHS.dll
    [2007/09/12 16:05:08 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_pt.dll
    [2007/09/12 16:04:46 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_zh-CHT.dll
    [2007/09/12 16:04:26 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_ko.dll
    [2007/09/12 16:04:06 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_es.dll
    [2007/09/12 16:03:44 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_ru.dll
    [2007/09/12 16:03:24 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_ja.dll
    [2007/09/12 16:03:04 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_it.dll
    [2007/09/12 16:02:44 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_de.dll
    [2007/09/12 16:02:22 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_fr.dll
    [2007/09/12 16:02:02 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_zh-CHS.dll
    [2007/09/10 10:53:26 | 000,262,144 | ---- | C] () -- C:\WINDOWS\System32\wxvault.dll
    [2007/06/15 11:19:20 | 000,835,584 | ---- | C] () -- C:\WINDOWS\System32\DemoLicense.dll
    [2007/01/12 12:14:56 | 000,022,720 | ---- | C] () -- C:\WINDOWS\System32\haspds_msi.dll
    [2006/12/10 19:17:01 | 000,004,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\WINIO.SYS
    [2006/08/14 12:02:10 | 000,072,192 | ---- | C] () -- C:\WINDOWS\System32\xltZlib.dll
    [2006/06/12 09:01:16 | 000,348,160 | ---- | C] () -- C:\WINDOWS\tsp.dll
    [2004/09/10 14:34:00 | 000,917,504 | ---- | C] () -- C:\WINDOWS\System32\lmgr10.dll
    [2004/09/10 14:34:00 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ADsSecurity.dll

    ========== LOP Check ==========

    [2010/06/08 13:26:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\1E
    [2008/06/11 17:14:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\acccore
    [2010/05/13 10:21:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AIM
    [2010/08/03 23:54:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
    [2008/06/12 15:49:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GraphPad Software
    [2010/07/31 23:10:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
    [2009/03/11 21:33:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Juniper Networks
    [2008/06/04 12:34:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NTRU Cryptosystems
    [2008/12/04 22:00:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Uninstall
    [2010/08/04 10:10:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
    [2010/08/02 10:51:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Wave Systems Corp
    [2010/04/06 16:11:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    [2010/02/23 15:05:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
    [2008/06/11 17:15:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\elalime\Application Data\acccore
    [2010/07/29 14:57:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\elalime\Application Data\Amazon
    [2009/01/28 15:45:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\elalime\Application Data\Crayon Physics Deluxe
    [2008/10/14 10:35:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\elalime\Application Data\EndNote
    [2010/04/04 15:52:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\elalime\Application Data\Facebook
    [2008/06/12 21:28:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\elalime\Application Data\GARMIN
    [2008/06/12 15:49:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\elalime\Application Data\GraphPad Software
    [2010/02/24 19:21:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\elalime\Application Data\iGive_Toolbar
    [2009/06/22 17:49:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\elalime\Application Data\Juniper Networks
    [2008/09/19 08:45:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\elalime\Application Data\Southwest Airlines
    [2008/06/04 12:36:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\elalime\Application Data\Wave Systems Corp
    [2010/07/28 09:30:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\elalime\Application Data\WeatherBug
    [2009/09/25 11:12:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\elalime\Application Data\Windows Desktop Search
    [2009/09/29 12:34:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\elalime\Application Data\Windows Search
    [2009/08/31 22:16:01 | 000,000,346 | ---- | M] () -- C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1245615820.job

    ========== Purity Check ==========



    continuing with the continuations
     
