
Solved Trojan.Gen (brealizer.class)

Discussion in 'Malware and Virus Removal Archive' started by SarahB, 2010/09/19.

  1. 2010/09/19
    SarahB

    SarahB Well-Known Member Thread Starter

    [Resolved] Trojan.Gen (brealizer.class)

    Hi Broni,

    Yesterday, Norton told me it had found and deleted this virus as titled. Here are the details:
    c:\documents and settings\sarah\application data\sun\java\deployment\cache\6.0\59\1fc6ef3b679b30a7

    On computer as of
    14/09/2010 at 09:31:54
    Last Used:
    18/09/2010 at 12:48:42
    Startup Item: No
    Launched: No

    Very Few Users
    Fewer than 10 users in the Norton Community have used this file.

    High
    This file risk is high.

    Threat Details
    Programs that infect other programs, files, or areas of a computer by inserting themselves or attaching themselves to that medium.

    Origin
    Downloaded from Not Available

    URL Not Available
    UNTESTED

    Source
    1fc6ef3b-679b30a7

    File Actions
    brealizer.class
    [Contained in] c:\documents and settings\sarah\application data\sun\java\deployment\cache\6.0\59\1fc6ef3b-679b30a7
    Deleted

    File Thumbprint:
    Not Available
    I ran Malwarebytes. This found nothing.
    I ran Superantispyware. This found 10 Adware Tracking Cookies. Log below:
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 09/18/2010 at 07:44 PM

    Application Version : 4.41.1000

    Core Rules Database Version : 5530
    Trace Rules Database Version: 3342

    Scan type : Complete Scan
    Total Scan Time : 00:47:45

    Memory items scanned : 522
    Memory threats detected : 0
    Registry items scanned : 7088
    Registry threats detected : 0
    File items scanned : 37741
    File threats detected : 10

    Adware.Tracking Cookie
    2mdn.net [ C:\Documents and Settings\Sarah\Application Data\Macromedia\Flash Player\#SharedObjects\7RLALXTP ]
    atdmt.com [ C:\Documents and Settings\Sarah\Application Data\Macromedia\Flash Player\#SharedObjects\7RLALXTP ]
    img-cdn.mediaplex.com [ C:\Documents and Settings\Sarah\Application Data\Macromedia\Flash Player\#SharedObjects\7RLALXTP ]
    m.uk.2mdn.net [ C:\Documents and Settings\Sarah\Application Data\Macromedia\Flash Player\#SharedObjects\7RLALXTP ]
    m1.2mdn.net [ C:\Documents and Settings\Sarah\Application Data\Macromedia\Flash Player\#SharedObjects\7RLALXTP ]
    macromedia.com [ C:\Documents and Settings\Sarah\Application Data\Macromedia\Flash Player\#SharedObjects\7RLALXTP ]
    serving-sys.com [ C:\Documents and Settings\Sarah\Application Data\Macromedia\Flash Player\#SharedObjects\7RLALXTP ]
    uk.2mdn.net [ C:\Documents and Settings\Sarah\Application Data\Macromedia\Flash Player\#SharedObjects\7RLALXTP ]
    atdmt.com [ D:\Documents and Settings\Sarah\Application Data\Macromedia\Flash Player\#SharedObjects\CYUZB8FE ]
    oddcast.com [ D:\Documents and Settings\Sarah\Application Data\Macromedia\Flash Player\#SharedObjects\CYUZB8FE ]

    Two strange things have been happening on my PC:
    1. When I try to type in a password, nothing happens.
    2. Outlook Express keeps asking me to enter my logon user name and password.

    Should I be worried?

    Here are the DDS logs:

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Sarah at 10:44:23.68 on 19/09/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2023.1112 [GMT 1:00]

    AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\Program Files\Common Files\EPSON\eEBAPI\SAgent2.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
    C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
    C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\nvraidservice.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\ASUS\PC Probe II\Probe2.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Documents and Settings\Sarah\Desktop\dds(2).scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.metoffice.gov.uk/weather/uk/wm/cannock_forecast_weather.html
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
    BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\norton internet security\engine\17.7.0.12\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\norton internet security\engine\17.7.0.12\IPSBHO.DLL
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - c:\program files\wot\WOT.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\norton internet security\engine\17.7.0.12\coIEPlg.dll
    TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - c:\program files\wot\WOT.dll
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [EPSON Stylus Pro 3800] c:\windows\system32\spool\drivers\w32x86\3\e_sai0a8.exe /fu "c:\docume~1\sarah\locals~1\temp\E_SD9.tmp" /EF "HKCU "
    mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe
    mRun: [SpeedTouch USB Diagnostics] "c:\program files\thomson\speedtouch usb\Dragdiag.exe" /icon
    mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe "
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [JMB36X Configure] c:\windows\system32\JMRaidTool.exe boot
    mRun: [Launch PC Probe II] "c:\program files\asus\pc probe ii\Probe2.exe" 1
    mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll "
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe "
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe "
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe "
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRunOnce: [RunNarrator] Narrator.exe
    StartupFolder: c:\docume~1\sarah\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\epsons~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logoca~1.lnk - c:\program files\gretagmacbeth\i1\eye-one match 3\calibrationloader\CalibrationLoader.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\profil~1.lnk - c:\program files\gretagmacbeth\i1\eye-one match 3\ProfileReminder.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/B/E/5BE645ED-2F2D-4E4D-9C54-AFB56EFCB312/LegitCheckControl.cab
    DPF: {46431044-1B22-4EF3-B333-863AAF310153} - hxxp://download.five.tv/Download/five_3_4_0_8.cab
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
    DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169683246062
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - hxxp://www.photodex.com/pxplay.cab
    DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - hxxp://download.five.tv/Download/Entriq_3_4_0_10_Silent.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: {AD6E9B8B-F0CB-49DA-92C0-F94916EEDB0D} = 194.168.4.100 194.168.8.100
    Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - c:\program files\wot\WOT.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\sarah\applic~1\mozilla\firefox\profiles\9rzdtr1d.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.metoffice.gov.uk/weather/uk/wm/cannock_forecast_weather.html|http://www.flashbarstores.co.uk/|http://www.maccinfo.com/cat/|https://partners.domgen.com/Quote/cookiesDisabled
    FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\coffplgn\components\coFFPlgn.dll
    FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\ipsffplgn\components\IPSFFPl.dll
    FF - plugin: c:\documents and settings\sarah\application data\mozilla\plugins\npPxPlay.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref( "ui.use_native_colors ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "ui.use_native_popup_windows ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.enable_click_image_resizing ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "accessibility.browsewithcaret_shortcut.enabled ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "javascript.options.mem.high_water_mark ", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "javascript.options.mem.gc_frequency ", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.auth.force-generic-ntlm ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "svg.smil.enabled ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "ui.trackpoint_hack.enabled ", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.debug ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.agedWeight ", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.bucketSize ", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.maxTimeGroupings ", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.timeGroupingSize ", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.boundaryWeight ", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.prefixWeight ", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "html5.enable ", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl3.rsa_seed_sha ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "app.update.download.backgroundInterval ", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "app.update.url.manual ", "http://www.firefox.com ");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr-ja ", "mozff ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name ", "chrome://browser/locale/browser.properties ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description ", "chrome://browser/locale/browser.properties ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add ", "addons.mozilla.org ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add.36 ", "getpersonas.com ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "lightweightThemes.update.enabled ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.allTabs.previews ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "plugins.hide_infobar_for_outdated_plugin ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "plugins.update.notifyUser ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "toolbar.customization.usesheet ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.enable ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.max ", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.cachetime ", 20);

    ============= SERVICES / DRIVERS ===============

    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1107000.00c\symds.sys [2010-5-25 328752]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1107000.00c\symefa.sys [2010-5-25 173104]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\definitions\bashdefs\20100901.003\BHDrvx86.sys [2010-8-31 692272]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1107000.00c\cchpx86.sys [2010-5-25 501888]
    R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-7-1 166632]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-8-5 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 67656]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1107000.00c\ironx86.sys [2010-5-25 116784]
    R2 NIS;Norton Internet Security;c:\program files\norton internet security\norton internet security\engine\17.7.0.12\ccsvchst.exe [2010-5-25 126392]
    R2 PDIHWCTL;PDIHWCTL;c:\windows\system32\drivers\pdihwctl.sys [2007-2-19 14416]
    R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-7-1 840936]
    R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-1-20 1251720]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-27 102448]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\definitions\ipsdefs\20100917.001\IDSXpx86.sys [2010-9-18 331640]
    R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\definitions\virusdefs\20100918.003\NAVENG.SYS [2010-9-18 85424]
    R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\definitions\virusdefs\20100918.003\NAVEX15.SYS [2010-9-18 1362608]
    S3 eyeonedp;eye-one display;c:\windows\system32\drivers\EyeOneDp.sys [2007-2-19 44344]
    S3 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-7-1 59240]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 12872]
    S3 Spyder;ColorVision Spyder2;c:\windows\system32\drivers\SpyderUSB.sys [2006-8-7 12288]
    S3 Usblink;Usblink Driver;c:\windows\system32\drivers\ulink.sys [2007-3-18 40060]

    =============== Created Last 30 ================


    ==================== Find3M ====================

    2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-07-17 04:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
    2006-06-23 06:48:54 32768 -c--a-r- c:\windows\inf\UpdateUSB.exe
    2001-11-23 04:08:20 712704 -c--a-r- c:\windows\inf\other\AUDIO3D.DLL
    2008-08-20 21:15:40 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082020080821\index.dat

    ============= FINISH: 10:45:01.48 ===============
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 19/01/2007 12:29:23
    System Uptime: 19/09/2010 10:32:27 (0 hours ago)

    Motherboard: ASUSTeK Computer INC. | | P5B-VM
    Processor: Intel(R) Core(TM)2 CPU 6400 @ 2.13GHz | LGA 775 | 2133/266mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 186 GiB total, 152.96 GiB free.
    D: is FIXED (NTFS) - 112 GiB total, 104.088 GiB free.
    E: is CDROM ()
    F: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: 1394 Net Adapter
    Device ID: V1394\NIC1394\E03B2C11D800
    Manufacturer: Microsoft
    Name: 1394 Net Adapter
    PNP Device ID: V1394\NIC1394\E03B2C11D800
    Service: NIC1394

    ==== System Restore Points ===================

    RP249: 21/06/2010 10:20:32 - System Checkpoint
    RP250: 22/06/2010 22:19:45 - System Checkpoint
    RP251: 22/06/2010 22:36:18 - Software Distribution Service 3.0
    RP252: 24/06/2010 09:36:42 - System Checkpoint
    RP253: 25/06/2010 10:17:25 - System Checkpoint
    RP254: 27/06/2010 10:34:36 - System Checkpoint
    RP255: 28/06/2010 11:42:07 - System Checkpoint
    RP256: 30/06/2010 09:43:42 - System Checkpoint
    RP257: 01/07/2010 10:30:37 - System Checkpoint
    RP258: 02/07/2010 11:13:26 - System Checkpoint
    RP259: 03/07/2010 17:51:50 - System Checkpoint
    RP260: 04/07/2010 17:56:05 - System Checkpoint
    RP261: 06/07/2010 08:00:54 - System Checkpoint
    RP262: 07/07/2010 10:36:06 - System Checkpoint
    RP263: 08/07/2010 11:38:04 - System Checkpoint
    RP264: 09/07/2010 12:29:32 - System Checkpoint
    RP265: 11/07/2010 10:44:53 - System Checkpoint
    RP266: 12/07/2010 12:25:26 - System Checkpoint
    RP267: 14/07/2010 10:40:03 - System Checkpoint
    RP268: 14/07/2010 11:08:05 - Software Distribution Service 3.0
    RP269: 15/07/2010 12:07:40 - System Checkpoint
    RP270: 16/07/2010 12:10:15 - System Checkpoint
    RP271: 18/07/2010 09:57:42 - System Checkpoint
    RP272: 20/07/2010 10:49:30 - System Checkpoint
    RP273: 21/07/2010 11:44:27 - System Checkpoint
    RP274: 22/07/2010 07:11:56 - Installed Rapport
    RP275: 23/07/2010 10:10:01 - System Checkpoint
    RP276: 24/07/2010 11:03:17 - System Checkpoint
    RP277: 25/07/2010 14:37:37 - System Checkpoint
    RP278: 26/07/2010 21:07:15 - System Checkpoint
    RP279: 28/07/2010 11:34:08 - System Checkpoint
    RP280: 29/07/2010 12:00:31 - System Checkpoint
    RP281: 30/07/2010 12:06:55 - System Checkpoint
    RP282: 01/08/2010 10:15:59 - System Checkpoint
    RP283: 02/08/2010 10:17:22 - System Checkpoint
    RP284: 03/08/2010 09:21:22 - Software Distribution Service 3.0
    RP285: 04/08/2010 10:32:54 - System Checkpoint
    RP286: 05/08/2010 10:48:14 - System Checkpoint
    RP287: 06/08/2010 11:09:17 - System Checkpoint
    RP288: 08/08/2010 12:29:49 - System Checkpoint
    RP289: 09/08/2010 13:12:43 - System Checkpoint
    RP290: 11/08/2010 11:19:10 - System Checkpoint
    RP291: 12/08/2010 10:57:11 - Software Distribution Service 3.0
    RP292: 12/08/2010 22:58:07 - Software Distribution Service 3.0
    RP293: 14/08/2010 07:25:23 - System Checkpoint
    RP294: 14/08/2010 08:10:39 - Installed Java(TM) 6 Update 21
    RP295: 15/08/2010 10:39:00 - System Checkpoint
    RP296: 16/08/2010 11:15:20 - System Checkpoint
    RP297: 18/08/2010 11:43:58 - System Checkpoint
    RP298: 19/08/2010 12:36:59 - System Checkpoint
    RP299: 20/08/2010 13:04:07 - System Checkpoint
    RP300: 22/08/2010 08:04:27 - System Checkpoint
    RP301: 23/08/2010 11:01:17 - System Checkpoint
    RP302: 24/08/2010 22:11:45 - System Checkpoint
    RP303: 26/08/2010 08:54:34 - System Checkpoint
    RP304: 27/08/2010 10:51:45 - System Checkpoint
    RP305: 28/08/2010 15:59:53 - System Checkpoint
    RP306: 29/08/2010 16:53:36 - System Checkpoint
    RP307: 30/08/2010 22:47:49 - System Checkpoint
    RP308: 01/09/2010 11:00:53 - System Checkpoint
    RP309: 03/09/2010 10:49:33 - System Checkpoint
    RP310: 04/09/2010 09:49:56 - Software Distribution Service 3.0
    RP311: 05/09/2010 10:25:15 - System Checkpoint
    RP312: 06/09/2010 10:48:36 - System Checkpoint
    RP313: 07/09/2010 11:22:49 - System Checkpoint
    RP314: 08/09/2010 18:33:00 - System Checkpoint
    RP315: 10/09/2010 09:50:53 - System Checkpoint
    RP316: 11/09/2010 11:00:59 - System Checkpoint
    RP317: 12/09/2010 11:15:19 - System Checkpoint
    RP318: 13/09/2010 12:04:15 - System Checkpoint
    RP319: 14/09/2010 12:42:16 - System Checkpoint
    RP320: 15/09/2010 09:00:31 - Software Distribution Service 3.0
    RP321: 16/09/2010 10:55:22 - System Checkpoint
    RP322: 17/09/2010 11:24:47 - System Checkpoint
    RP323: 18/09/2010 12:10:33 - System Checkpoint

    ==== Installed Programs ======================

    ABBYY FineReader 5.0 Sprint
    ABBYY FineReader 6.0
    Adobe AIR
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Bridge 1.0
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Color - Photoshop Specific
    Adobe Color Common Settings
    Adobe Color EU Extra Settings
    Adobe Color JA Extra Settings
    Adobe Color NA Recommended Settings
    Adobe Common File Installer
    Adobe Default Language CS3
    Adobe Device Central CS3
    Adobe Download Manager
    Adobe ExtendScript Toolkit 2
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Fonts All
    Adobe Help Center 1.0
    Adobe Help Viewer CS3
    Adobe Linguistics CS3
    Adobe PDF Library Files
    Adobe Photoshop CS2
    Adobe Photoshop CS3
    Adobe Photoshop Lightroom
    Adobe Reader 9.3.4
    Adobe Setup
    Adobe Stock Photos 1.0
    Adobe Stock Photos CS3
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe Version Cue CS3 Client
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS3
    ArcSoft PhotoImpression
    C-Media 3D Audio
    Canon Camera Access Library
    Canon Camera Support Core Library
    Canon G.726 WMP-Decoder
    CANON iMAGE GATEWAY Task for ZoomBrowser EX
    Canon Internet Library for ZoomBrowser EX
    Canon MovieEdit Task for ZoomBrowser EX
    Canon RAW Image Task for ZoomBrowser EX
    Canon Utilities CameraWindow
    Canon Utilities CameraWindow DC
    Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
    Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
    Canon Utilities EOS Utility
    Canon Utilities MyCamera
    Canon Utilities MyCamera DC
    Canon Utilities PhotoStitch
    Canon Utilities RemoteCapture DC
    Canon Utilities RemoteCapture Task for ZoomBrowser EX
    Canon Utilities ZoomBrowser EX
    Canon ZoomBrowser EX Memory Card Utility
    Citrix Presentation Server Client
    Compatibility Pack for the 2007 Office system
    Critical Update for Windows Media Player 11 (KB959772)
    Entriq MediaSphere 3.4.0.10
    EPSON LFP Remote Panel
    EPSON Photo Print
    EPSON Printer Software
    Epson Stylus Pro 3880 Printer Uninstall
    ESPR3800 User’s Guide
    Eye-One Diagnostics
    Eye-One Match 3.6.2
    Eye-One Share
    Google Earth
    High Definition Audio Driver Package - KB888111
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976002-v5)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    i1ColorPoint 1.0
    Intel(R) Graphics Media Accelerator Driver
    Java Auto Updater
    Java(TM) 6 Update 21
    JMB36X Raid Configurer
    LiveUpdate (Symantec Corporation)
    LiveUpdate Notice (Symantec Corporation)
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Color Control Panel Applet for Windows XP
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft IntelliPoint 5.5
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.1
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Professional Edition 2003
    Microsoft RAW Image Thumbnailer and Viewer for Windows XP Version 1.0 (Build 50)
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works 6-9 Converter
    Mozilla Firefox (3.6)
    Nero OEM
    Nikon Scan
    Norton Internet Security
    NVIDIA Drivers
    PC Probe II
    PDF Settings
    Photodex Presenter
    Photomatix Pro version 3.1.3
    Photomatix Pro version 3.2.8
    Rapport
    RawShooter essentials 2005
    RawShooter premium 2006
    Security Update for CAPICOM (KB931906)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB917734)
    Security Update for Windows Search 4 - KB963093
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    SI Pro 1.1.1
    SoundMAX
    SpeedFan (remove only)
    SpeedTouch USB Software
    Spelling Dictionaries Support For Adobe Reader 9
    SpywareBlaster 4.4
    SpywareGuard v2.2
    SUPERAntiSpyware Professional
    Symantec KB-DocID:2003093015493306
    Symantec Technical Support Web Controls
    Tone Mapping Plug-In 2.0.1
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB972636)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    WebFldrs XP
    Windows 7 Upgrade Advisor
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live installer
    Windows Live Mail
    Windows Live OneCare safety scanner
    Windows Live Sign-in Assistant
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Search 4.0
    Windows XP Service Pack 3
    WOT for Internet Explorer

    ==== Event Viewer Messages From Past Week ========

    14/09/2010 08:38:56, error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    14/09/2010 08:38:56, error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

    ==== End Of File ===========================

    Many thanks in anticipation!
    Sarah
     
  2. 2010/09/19
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Download GMER: http://www.gmer.net/files.php, by clicking on the Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on the downloaded .exe file, select the Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When the scan is completed, click the Save button, and save the results as gmer.log
    Warning! Please do not select the "Show all" checkbox during the scan.
    Post the log.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in right pane.
    If still no joy, try to run it from Safe Mode.

    ==============================================================

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.
     
  4. 2010/09/20
    SarahB

    SarahB Well-Known Member Thread Starter

    Joined:
    2009/08/10
    Messages:
    115
    Likes Received:
    1
    Broni,
    Thanks for your help. However.................

    :( I can't get GMER to run any way you suggest. The scan starts but will not complete without freezing or rebooting the PC.

    What do you suggest?

    Should I still run MBRCheck?

    Sarah
     
  5. 2010/09/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Proceed with MBRCheck.
     
  6. 2010/09/20
    SarahB

    SarahB Well-Known Member Thread Starter

    Joined:
    2009/08/10
    Messages:
    115
    Likes Received:
    1
    OK. Here's the MBRCheck log:

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000003d

    Kernel Drivers (total 143):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806E4000 \WINDOWS\system32\hal.dll
    0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
    0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
    0xB9F79000 ACPI.sys
    0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xB9F68000 pci.sys
    0xBA0A8000 isapnp.sys
    0xBA670000 pciide.sys
    0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xBA0B8000 MountMgr.sys
    0xB9F49000 ftdisk.sys
    0xBA330000 PartMgr.sys
    0xB9F38000 nvraid.sys
    0xBA0C8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xBA0D8000 VolSnap.sys
    0xB9F20000 atapi.sys
    0xB9F0C000 nvatabus.sys
    0xBA0E8000 jraid.sys
    0xB9EF4000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
    0xBA0F8000 disk.sys
    0xB9ED4000 fltmgr.sys
    0xB9E7E000 SYMDS.SYS
    0xB9E6C000 sr.sys
    0xB9E3F000 SYMEFA.SYS
    0xBA338000 PxHelp20.sys
    0xB9E28000 KSecDD.sys
    0xB9D9B000 Ntfs.sys
    0xB9D6E000 NDIS.sys
    0xBA5AC000 speedfan.sys
    0xBA108000 ohci1394.sys
    0xBA118000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
    0xBA340000 nv_agp.sys
    0xB9D54000 Mup.sys
    0xBA5AE000 JGOGO.sys
    0xBA671000 giveio.sys
    0xB9823000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xB941F000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
    0xB940B000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xBA430000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xB93E7000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xBA438000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xB93BF000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xB9813000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xBA440000 \SystemRoot\system32\DRIVERS\fdc.sys
    0xBA5E2000 \SystemRoot\system32\DRIVERS\ASACPI.sys
    0xB9803000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xBA448000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xBA742000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xBA450000 \SystemRoot\system32\DRIVERS\rasirda.sys
    0xBA458000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xBA178000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xBA594000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xB93A8000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xBA188000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xBA198000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xB9397000 \SystemRoot\system32\DRIVERS\psched.sys
    0xBA1A8000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xBA460000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xBA468000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xBA1B8000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xBA470000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xBA5E4000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xB9374000 \SystemRoot\system32\DRIVERS\ks.sys
    0xB9316000 \SystemRoot\system32\DRIVERS\update.sys
    0xBA59C000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xBA1C8000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xBA1F8000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xBA5E6000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xA903F000 \SystemRoot\system32\drivers\ADIHdAud.sys
    0xA901B000 \SystemRoot\system32\drivers\portcls.sys
    0xBA208000 \SystemRoot\system32\drivers\drmk.sys
    0xA9004000 \SystemRoot\system32\drivers\AEAudio.sys
    0xA8FA4000 \SystemRoot\system32\drivers\Senfilt.sys
    0xBA478000 \SystemRoot\system32\DRIVERS\flpydisk.sys
    0xA719E000 \SystemRoot\System32\Drivers\NIS\1107000.00C\SRTSP.SYS
    0xA717F000 \SystemRoot\system32\drivers\NIS\1107000.00C\Ironx86.SYS
    0xBA248000 \SystemRoot\system32\drivers\NIS\1107000.00C\SRTSPX.SYS
    0xA7033000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\VirusDefs\20100920.002\NAVEX15.SYS
    0xA700E000 \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
    0xA6FFA000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\VirusDefs\20100920.002\NAVENG.SYS
    0xBA5FE000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xBA71F000 \SystemRoot\System32\Drivers\Null.SYS
    0xBA600000 \SystemRoot\System32\Drivers\Beep.SYS
    0xBA490000 \SystemRoot\System32\drivers\vga.sys
    0xBA602000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xBA604000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xBA498000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xBA4A0000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xBA560000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xA6FC7000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xA6F6E000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xA6F48000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xA6EF1000 \SystemRoot\System32\Drivers\NIS\1107000.00C\SYMTDI.SYS
    0xBA258000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xA6E9C000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100917.001\IDSxpx86.sys
    0xA6E74000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xA6E52000 \SystemRoot\System32\drivers\afd.sys
    0xBA268000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xA6E30000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
    0xBA4A8000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    0xA6E05000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xA6DDD000 \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
    0xA6D6D000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xBA2B8000 \SystemRoot\System32\Drivers\Fips.SYS
    0xA6D0F000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
    0xA6CF2000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
    0xA6C4B000 \SystemRoot\system32\drivers\NIS\1107000.00C\ccHPx86.sys
    0xA6B9F000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\BASHDefs\20100901.003\BHDrvx86.sys
    0xBA606000 \SystemRoot\system32\drivers\AsIO.sys
    0xBA390000 \SystemRoot\system32\DRIVERS\usbprint.sys
    0xBA2D8000 \SystemRoot\system32\DRIVERS\alcaudsl.sys
    0xBA60A000 \SystemRoot\system32\DRIVERS\alcawh.sys
    0xBA7AD000 \SystemRoot\system32\DRIVERS\alcacr.sys
    0xBA2E8000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xBA2F8000 \SystemRoot\system32\DRIVERS\alcan5wn.sys
    0xBA5A0000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xBA308000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xBA398000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xB9D20000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xBA3A0000 \SystemRoot\system32\DRIVERS\point32.sys
    0xA6ABF000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xBA612000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xA7209000 \SystemRoot\System32\drivers\Dxapi.sys
    0xBA3A8000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xBA6C3000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF022000 \SystemRoot\System32\igxpgd32.dll
    0xBF012000 \SystemRoot\System32\igxprd32.dll
    0xBF049000 \SystemRoot\System32\igxpdv32.DLL
    0xBF186000 \SystemRoot\System32\igxpdx32.DLL
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xA6879000 \SystemRoot\system32\DRIVERS\irda.sys
    0xA699F000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xA666C000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xA6498000 \??\C:\WINDOWS\system32\drivers\pdihwctl.sys
    0xBA420000 \??\C:\WINDOWS\system32\drivers\symlcbrd.sys
    0xA61C0000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xA5D9A000 \SystemRoot\system32\drivers\wdmaud.sys
    0xA67D1000 \SystemRoot\system32\drivers\sysaudio.sys
    0xA42C3000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 48):
    0 System Idle Process
    4 System
    408 C:\WINDOWS\system32\smss.exe
    480 csrss.exe
    504 C:\WINDOWS\system32\winlogon.exe
    548 C:\WINDOWS\system32\services.exe
    560 C:\WINDOWS\system32\lsass.exe
    720 C:\WINDOWS\system32\svchost.exe
    804 svchost.exe
    844 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    872 C:\WINDOWS\system32\svchost.exe
    948 svchost.exe
    996 svchost.exe
    1196 C:\WINDOWS\system32\spoolsv.exe
    1272 svchost.exe
    1316 C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
    1484 C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    1516 C:\Program Files\Bonjour\mDNSResponder.exe
    1528 C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    1568 C:\Program Files\Common Files\EPSON\eEBAPI\SAgent2.exe
    1600 C:\Program Files\Java\jre6\bin\jqs.exe
    1648 C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    1664 C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\17.7.0.12\ccsvchst.exe
    1752 C:\WINDOWS\system32\svchost.exe
    1780 C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    1808 C:\WINDOWS\system32\searchindexer.exe
    2016 C:\Program Files\Canon\CAL\CALMAIN.exe
    2076 alg.exe
    2336 C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\17.7.0.12\ccsvchst.exe
    2440 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
    3392 C:\WINDOWS\explorer.exe
    3656 C:\WINDOWS\system32\nvraidservice.exe
    3680 C:\Program Files\Thomson\SpeedTouch USB\dragdiag.exe
    3688 C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    3712 C:\WINDOWS\system32\hkcmd.exe
    3720 wmiprvse.exe
    3732 C:\Program Files\Analog Devices\Core\smax4pnp.exe
    3812 C:\Program Files\ASUS\PC Probe II\Probe2.exe
    3896 C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    3972 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    4000 C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
    4008 C:\WINDOWS\system32\ctfmon.exe
    2564 C:\Program Files\SpywareGuard\sgmain.exe
    2840 C:\Program Files\SpywareGuard\sgbhp.exe
    3172 wmiprvse.exe
    3476 C:\WINDOWS\system32\searchprotocolhost.exe
    148 searchfilterhost.exe
    3056 C:\Documents and Settings\Sarah\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: ST3200820AS, Rev: 3.AAE
    PhysicalDrive1 Model Number: ST3120022A, Rev: 3.54

    Size Device Name MBR Status
    --------------------------------------------
    186 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
    111 GB \\.\PhysicalDrive1 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!
     
  7. 2010/09/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Looks good :)

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  8. 2010/09/21
    SarahB

    SarahB Well-Known Member Thread Starter

    Joined:
    2009/08/10
    Messages:
    115
    Likes Received:
    1
    OK. Here's the ComboFix log:

    ComboFix 10-09-20.03 - Sarah 21/09/2010 8:31.3.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2023.1277 [GMT 1:00]
    Running from: c:\documents and settings\Sarah\Desktop\ComboFix.exe
    AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Sarah\Recent\Thumbs.db
    c:\windows\AutoRun.ini

    .
    ((((((((((((((((((((((((( Files Created from 2010-08-21 to 2010-09-21 )))))))))))))))))))))))))))))))
    .

    2010-09-20 21:29 . 2010-09-20 21:29 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-21 07:27 . 2009-08-14 10:47 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-09-21 07:24 . 2009-08-14 10:47 -------- d-----w- c:\program files\SpywareBlaster
    2010-09-16 17:44 . 2009-08-14 11:26 -------- d-----w- c:\program files\SpywareGuard
    2010-09-05 08:11 . 2008-04-11 17:05 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-08-23 08:10 . 2008-01-17 10:19 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
    2010-08-17 13:17 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-16 20:37 . 2009-08-14 09:27 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-08-14 07:11 . 2010-08-14 07:11 -------- d-----w- c:\program files\Common Files\Java
    2010-08-14 07:11 . 2010-08-14 07:11 503808 ----a-w- c:\documents and settings\Sarah\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7feb7da5-n\msvcp71.dll
    2010-08-14 07:11 . 2010-08-14 07:11 499712 ----a-w- c:\documents and settings\Sarah\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7feb7da5-n\jmc.dll
    2010-08-14 07:11 . 2010-08-14 07:11 348160 ----a-w- c:\documents and settings\Sarah\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7feb7da5-n\msvcr71.dll
    2010-08-14 07:11 . 2010-08-14 07:11 61440 ----a-w- c:\documents and settings\Sarah\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-6dc16738-n\decora-sse.dll
    2010-08-14 07:11 . 2010-08-14 07:11 12800 ----a-w- c:\documents and settings\Sarah\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-6dc16738-n\decora-d3d.dll
    2010-08-14 07:11 . 2009-08-13 07:47 -------- d-----w- c:\program files\Java
    2010-07-22 15:49 . 2004-08-04 12:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    2010-07-22 05:57 . 2009-04-16 07:59 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-07-17 04:00 . 2010-05-10 11:09 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-07-01 11:07 . 2010-07-01 11:07 434176 ----a-w- c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\17053\RapportMS.dll
    2010-06-30 13:04 . 2010-06-30 13:04 503808 ----a-w- c:\documents and settings\Sarah\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-68aa693e-n\msvcp71.dll
    2010-06-30 13:04 . 2010-06-30 13:04 499712 ----a-w- c:\documents and settings\Sarah\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-68aa693e-n\jmc.dll
    2010-06-30 13:04 . 2010-06-30 13:04 348160 ----a-w- c:\documents and settings\Sarah\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-68aa693e-n\msvcr71.dll
    2010-06-30 13:04 . 2010-06-30 13:04 61440 ----a-w- c:\documents and settings\Sarah\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-391e59af-n\decora-sse.dll
    2010-06-30 13:04 . 2010-06-30 13:04 12800 ----a-w- c:\documents and settings\Sarah\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-391e59af-n\decora-d3d.dll
    2010-06-30 12:31 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-24 12:22 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-23 13:44 . 2004-08-04 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys
    2008-02-07 21:46 . 2008-02-07 21:46 13624 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
    2008-02-07 21:46 . 2008-02-07 21:46 87360 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
    2008-02-07 21:46 . 2008-02-07 21:46 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
    2008-02-07 21:46 . 2008-02-07 21:46 21824 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
    2008-02-07 21:46 . 2008-02-07 21:46 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
    2008-02-07 21:46 . 2008-02-07 21:46 31544 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
    2008-02-07 21:46 . 2008-02-07 21:46 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
    2007-03-16 17:27 . 2007-03-16 17:27 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
    2007-03-16 17:27 . 2007-03-16 17:27 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
    2007-03-16 17:27 . 2007-03-16 17:27 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
    2007-07-20 12:47 . 2007-07-20 12:47 981170 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
    2008-02-07 21:46 . 2008-02-07 21:46 24384 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-08-16 2403568]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NVRaidService"="c:\windows\system32\nvraidservice.exe" [2004-06-11 83968]
    "SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 461584]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
    "JMB36X Configure"="c:\windows\system32\JMRaidTool.exe" [2006-07-12 352256]
    "Launch PC Probe II"="c:\program files\ASUS\PC Probe II\Probe2.exe" [2006-07-28 2129408]
    "Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2007-11-28 583048]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]

    c:\documents and settings\Sarah\Start Menu\Programs\Startup\
    SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    EPSON Status Monitor 3 Environment Check 2.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2008-4-7 135680]
    Logo Calibration Loader.lnk - c:\program files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe [2008-1-30 708608]
    ProfileReminder.lnk - c:\program files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe [2008-1-30 954368]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"="c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-19 08:34 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    2007-02-06 16:30 61440 ----a-r- c:\program files\Adobe\Adobe Photoshop Lightroom\apdproxy.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
    2004-07-26 19:14 1867776 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\WINDOWS\\system32\\sessmgr.exe "=

    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1107000.00C\symds.sys [25/05/2010 09:38 328752]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1107000.00C\symefa.sys [25/05/2010 09:38 173104]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\BASHDefs\20100901.003\BHDrvx86.sys [31/08/2010 23:57 692272]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1107000.00C\cchpx86.sys [25/05/2010 09:38 501888]
    R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [01/07/2010 12:07 166632]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [05/08/2009 16:06 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/08/2009 16:06 67656]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1107000.00C\ironx86.sys [25/05/2010 09:38 116784]
    R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Norton Internet Security\Engine\17.7.0.12\ccsvchst.exe [25/05/2010 09:37 126392]
    R2 PDIHWCTL;PDIHWCTL;c:\windows\system32\drivers\pdihwctl.sys [19/02/2007 15:42 14416]
    R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [01/07/2010 12:07 840936]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [27/05/2010 21:34 102448]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100920.001\IDSXpx86.sys [21/09/2010 08:16 331640]
    S3 eyeonedp;eye-one display;c:\windows\system32\drivers\EyeOneDp.sys [19/02/2007 15:42 44344]
    S3 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [01/07/2010 12:07 59240]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/08/2009 16:06 12872]
    S3 Spyder;ColorVision Spyder2;c:\windows\system32\drivers\SpyderUSB.sys [07/08/2006 20:28 12288]
    S3 Usblink;Usblink Driver;c:\windows\system32\drivers\ulink.sys [18/03/2007 14:04 40060]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-19 c:\windows\Tasks\Norton Internet Security - Sarah - Full System Scan.job
    - c:\program files\Norton Internet Security\Norton Internet Security\Engine\17.7.0.12\navw32.exe [2010-05-25 05:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.metoffice.gov.uk/weather/uk/wm/cannock_forecast_weather.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    DPF: {46431044-1B22-4EF3-B333-863AAF310153} - hxxp://download.five.tv/Download/five_3_4_0_8.cab
    FF - ProfilePath - c:\documents and settings\Sarah\Application Data\Mozilla\Firefox\Profiles\9rzdtr1d.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.metoffice.gov.uk/weather/uk/wm/cannock_forecast_weather.html|http://www.flashbarstores.co.uk/|ht...on/F/keyword/mesh+ironing+board/product/22756
    FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\coFFPlgn\components\coFFPlgn.dll
    FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\IPSFFPlgn\components\IPSFFPl.dll
    FF - plugin: c:\documents and settings\Sarah\Application Data\Mozilla\plugins\npPxPlay.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
    AddRemove-HijackThis - c:\documents and settings\Sarah\Desktop\HijackThis.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-21 08:35
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
    "ImagePath "= "\ "c:\program files\Norton Internet Security\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe\" /s \ "NIS\" /m \ "c:\program files\Norton Internet Security\Norton Internet Security\Engine\17.7.0.12\diMaster.dll\" /prefetch:1 "
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(504)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    c:\documents and settings\Sarah\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    c:\documents and settings\Sarah\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    c:\documents and settings\Sarah\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
    .
    Completion time: 2010-09-21 08:37:19
    ComboFix-quarantined-files.txt 2010-09-21 07:37

    Pre-Run: 164,112,121,856 bytes free
    Post-Run: 164,069,113,856 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug= "do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    - - End Of File - - AE5D86BAF538D82BFB56D011D3D1E661
     
  9. 2010/09/21
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Nothing major there....

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=-

    3. Save the above as CFScript.txt

    4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
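    The registry entries flagged in the previous log and the CFScript in this post, tied together as an added example (not ComboFix's own code, nor anything from this forum): a small Python parser for the REGEDIT4-style "Reg Loading Points" section of a ComboFix log that flags Security Center DisableMonitoring=1 and firewall EnableFirewall=0 entries and emits the matching Registry:: deletion block. The sample log lines are constructed from the entries shown above; the parser also tolerates the stray space before the closing quote that the forum adds when rendering the log.

```python
"""Flag Security Center / firewall suppression values in a ComboFix
'Reg Loading Points' section and build the CFScript 'Registry::' block
that deletes the DisableMonitoring values (added example, not ComboFix code).
"""
import re

# Constructed sample: the relevant part of the ComboFix log posted in the thread.
# One line deliberately carries the forum's rendering artifact ('Name "=').
SAMPLE_LOG = """\
REGEDIT4

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecAntiVirus]
"DisableMonitoring "=dword:00000001

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\NBJ]
2004-07-26 19:14 1867776 ------w- c:\\program files\\Ahead\\Nero BackItUp\\NBJ.exe
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# Value name in quotes (optional stray space before the closing quote), then '=' and raw data.
VALUE_RE = re.compile(r'^"([^"]*?)\s*"\s*=\s*(.*)$')


def parse_reg_section(text):
    """Return {key_path: {value_name: raw_data}} for a REGEDIT4-style dump."""
    entries = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            entries.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            entries[current][m.group(1)] = m.group(2).strip()
    return entries


def dword_value(raw):
    """Parse 'dword:00000001' or ComboFix's '0 (0x0)' form; None if not numeric."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(\d+)", raw)
    return int(m.group(1)) if m else None


def find_suppression(entries):
    """Return (key, value_name, raw_data, reason) for each suppression setting found."""
    findings = []
    for key, values in entries.items():
        low = key.lower()
        for name, raw in values.items():
            n = name.lower()
            if "security center\\monitoring" in low and n == "disablemonitoring" and dword_value(raw) == 1:
                findings.append((key, name, raw, "Security Center monitoring suppressed"))
            elif "firewallpolicy" in low and n == "enablefirewall" and dword_value(raw) == 0:
                findings.append((key, name, raw, "Windows Firewall profile disabled"))
    return findings


def build_cfscript(findings):
    """Emit the 'Registry::' block deleting DisableMonitoring values, as in the thread.

    EnableFirewall=0 is reported but left alone: a third-party firewall (NIS here)
    manages that profile, so changing it is the analyst's call, not the script's.
    """
    lines = ["Registry::"]
    for key, name, _raw, _reason in findings:
        if name.lower() == "disablemonitoring":
            lines.append(f"[{key}]")
            lines.append(f'"{name}"=-')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = find_suppression(parse_reg_section(SAMPLE_LOG))
    for key, name, raw, reason in found:
        print(f"{reason}: [{key}] {name}={raw}")
    print(build_cfscript(found))
```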
     
  10. 2010/09/21
    SarahB

    SarahB Well-Known Member Thread Starter

    Joined:
    2009/08/10
    Messages:
    115
    Likes Received:
    1
    Thanks Broni. I do appreciate your very clear and easy to follow instructions.

    Here's the latest Combofix log.

    ComboFix 10-09-20.03 - Sarah 21/09/2010 22:09:07.4.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2023.1216 [GMT 1:00]
    Running from: c:\documents and settings\Sarah\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Sarah\Desktop\CFScript.txt
    AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    .

    ((((((((((((((((((((((((( Files Created from 2010-08-21 to 2010-09-21 )))))))))))))))))))))))))))))))
    .

    2010-09-20 21:29 . 2010-09-20 21:29 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-21 21:01 . 2009-08-14 10:47 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-09-21 07:24 . 2009-08-14 10:47 -------- d-----w- c:\program files\SpywareBlaster
    2010-09-16 17:44 . 2009-08-14 11:26 -------- d-----w- c:\program files\SpywareGuard
    2010-09-05 08:11 . 2008-04-11 17:05 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-08-23 08:10 . 2008-01-17 10:19 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
    2010-08-17 13:17 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-16 20:37 . 2009-08-14 09:27 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-08-14 07:11 . 2010-08-14 07:11 -------- d-----w- c:\program files\Common Files\Java
    2010-08-14 07:11 . 2010-08-14 07:11 503808 ----a-w- c:\documents and settings\Sarah\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7feb7da5-n\msvcp71.dll
    2010-08-14 07:11 . 2010-08-14 07:11 499712 ----a-w- c:\documents and settings\Sarah\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7feb7da5-n\jmc.dll
    2010-08-14 07:11 . 2010-08-14 07:11 348160 ----a-w- c:\documents and settings\Sarah\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7feb7da5-n\msvcr71.dll
    2010-08-14 07:11 . 2010-08-14 07:11 61440 ----a-w- c:\documents and settings\Sarah\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-6dc16738-n\decora-sse.dll
    2010-08-14 07:11 . 2010-08-14 07:11 12800 ----a-w- c:\documents and settings\Sarah\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-6dc16738-n\decora-d3d.dll
    2010-08-14 07:11 . 2009-08-13 07:47 -------- d-----w- c:\program files\Java
    2010-07-22 15:49 . 2004-08-04 12:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    2010-07-22 05:57 . 2009-04-16 07:59 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-07-17 04:00 . 2010-05-10 11:09 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-07-01 11:07 . 2010-07-01 11:07 434176 ----a-w- c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\17053\RapportMS.dll
    2010-06-30 13:04 . 2010-06-30 13:04 503808 ----a-w- c:\documents and settings\Sarah\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-68aa693e-n\msvcp71.dll
    2010-06-30 13:04 . 2010-06-30 13:04 499712 ----a-w- c:\documents and settings\Sarah\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-68aa693e-n\jmc.dll
    2010-06-30 13:04 . 2010-06-30 13:04 348160 ----a-w- c:\documents and settings\Sarah\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-68aa693e-n\msvcr71.dll
    2010-06-30 13:04 . 2010-06-30 13:04 61440 ----a-w- c:\documents and settings\Sarah\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-391e59af-n\decora-sse.dll
    2010-06-30 13:04 . 2010-06-30 13:04 12800 ----a-w- c:\documents and settings\Sarah\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-391e59af-n\decora-d3d.dll
    2010-06-30 12:31 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-24 12:22 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2008-02-07 21:46 . 2008-02-07 21:46 13624 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
    2008-02-07 21:46 . 2008-02-07 21:46 87360 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
    2008-02-07 21:46 . 2008-02-07 21:46 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
    2008-02-07 21:46 . 2008-02-07 21:46 21824 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
    2008-02-07 21:46 . 2008-02-07 21:46 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
    2008-02-07 21:46 . 2008-02-07 21:46 31544 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
    2008-02-07 21:46 . 2008-02-07 21:46 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
    2007-03-16 17:27 . 2007-03-16 17:27 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
    2007-03-16 17:27 . 2007-03-16 17:27 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
    2007-03-16 17:27 . 2007-03-16 17:27 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
    2007-07-20 12:47 . 2007-07-20 12:47 981170 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
    2008-02-07 21:46 . 2008-02-07 21:46 24384 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-09-21_07.35.32 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-09-21 20:55 . 2010-04-22 02:29 43696 c:\windows\system32\drivers\NIS\1108000.005\srtspx.sys
    + 2010-09-21 20:55 . 2010-05-06 04:01 339504 c:\windows\system32\drivers\NIS\1108000.005\symtdiv.sys
    + 2010-09-21 20:55 . 2010-05-06 04:01 361904 c:\windows\system32\drivers\NIS\1108000.005\symtdi.sys
    + 2010-09-21 20:55 . 2010-04-22 03:02 173104 c:\windows\system32\drivers\NIS\1108000.005\symefa.sys
    + 2010-09-21 20:55 . 2009-10-15 03:50 328752 c:\windows\system32\drivers\NIS\1108000.005\symds.sys
    + 2010-09-21 20:55 . 2010-04-22 02:29 325680 c:\windows\system32\drivers\NIS\1108000.005\srtsp.sys
    + 2010-09-21 20:55 . 2010-04-29 05:03 116784 c:\windows\system32\drivers\NIS\1108000.005\ironx86.sys
    + 2010-09-21 20:55 . 2010-02-26 00:22 501888 c:\windows\system32\drivers\NIS\1108000.005\cchpx86.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware "= "c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-08-16 2403568]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NVRaidService "= "c:\windows\system32\nvraidservice.exe" [2004-06-11 83968]
    "SpeedTouch USB Diagnostics "= "c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
    "IntelliPoint "= "c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 461584]
    "HotKeysCmds "= "c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
    "SoundMAXPnP "= "c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
    "JMB36X Configure "= "c:\windows\system32\JMRaidTool.exe" [2006-07-12 352256]
    "Launch PC Probe II "= "c:\program files\ASUS\PC Probe II\Probe2.exe" [2006-07-28 2129408]
    "Symantec PIF AlertEng "= "c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2007-11-28 583048]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM "= "c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "SunJavaUpdateSched "= "c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator "= "Narrator.exe" [2008-04-14 53760]

    c:\documents and settings\Sarah\Start Menu\Programs\Startup\
    SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    EPSON Status Monitor 3 Environment Check 2.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2008-4-7 135680]
    Logo Calibration Loader.lnk - c:\program files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe [2008-1-30 708608]
    ProfileReminder.lnk - c:\program files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe [2008-1-30 954368]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5} "= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-19 08:34 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    2007-02-06 16:30 61440 ----a-r- c:\program files\Adobe\Adobe Photoshop Lightroom\apdproxy.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
    2004-07-26 19:14 1867776 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\WINDOWS\\system32\\sessmgr.exe "=

    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1108000.005\symds.sys [21/09/2010 21:55 328752]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1108000.005\symefa.sys [21/09/2010 21:55 173104]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\BASHDefs\20100901.003\BHDrvx86.sys [31/08/2010 23:57 692272]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1108000.005\cchpx86.sys [21/09/2010 21:55 501888]
    R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [01/07/2010 12:07 166632]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [05/08/2009 16:06 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/08/2009 16:06 67656]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1108000.005\ironx86.sys [21/09/2010 21:55 116784]
    R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Norton Internet Security\Engine\17.8.0.5\ccsvchst.exe [21/09/2010 21:55 126392]
    R2 PDIHWCTL;PDIHWCTL;c:\windows\system32\drivers\pdihwctl.sys [19/02/2007 15:42 14416]
    R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [01/07/2010 12:07 840936]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [27/05/2010 21:34 102448]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100920.001\IDSXpx86.sys [21/09/2010 08:16 331640]
    S3 eyeonedp;eye-one display;c:\windows\system32\drivers\EyeOneDp.sys [19/02/2007 15:42 44344]
    S3 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [01/07/2010 12:07 59240]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/08/2009 16:06 12872]
    S3 Spyder;ColorVision Spyder2;c:\windows\system32\drivers\SpyderUSB.sys [07/08/2006 20:28 12288]
    S3 Usblink;Usblink Driver;c:\windows\system32\drivers\ulink.sys [18/03/2007 14:04 40060]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-19 c:\windows\Tasks\Norton Internet Security - Sarah - Full System Scan.job
    - c:\program files\Norton Internet Security\Norton Internet Security\Engine\17.7.0.12\navw32.exe [2010-05-25 05:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.metoffice.gov.uk/weather/uk/wm/cannock_forecast_weather.html
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    DPF: {46431044-1B22-4EF3-B333-863AAF310153} - hxxp://download.five.tv/Download/five_3_4_0_8.cab
    FF - ProfilePath - c:\documents and settings\Sarah\Application Data\Mozilla\Firefox\Profiles\9rzdtr1d.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.metoffice.gov.uk/weather/uk/wm/cannock_forecast_weather.html|http://www.flashbarstores.co.uk/|ht...on/F/keyword/mesh+ironing+board/product/22756
    FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\coFFPlgn\components\coFFPlgn.dll
    FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\IPSFFPlgn\components\IPSFFPl.dll
    FF - plugin: c:\documents and settings\Sarah\Application Data\Mozilla\plugins\npPxPlay.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-21 22:27
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
    "ImagePath "= "\ "c:\program files\Norton Internet Security\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe\" /s \ "NIS\" /m \ "c:\program files\Norton Internet Security\Norton Internet Security\Engine\17.8.0.5\diMaster.dll\" /prefetch:1 "
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(504)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    c:\documents and settings\Sarah\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    c:\documents and settings\Sarah\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    c:\documents and settings\Sarah\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

    - - - - - - - > 'explorer.exe'(29012)
    c:\windows\system32\WININET.dll
    c:\program files\Trusteer\Rapport\bin\rooksbas.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-09-21 22:29:32
    ComboFix-quarantined-files.txt 2010-09-21 21:29
    ComboFix2.txt 2010-09-21 07:37

    Pre-Run: 164,002,123,776 bytes free
    Post-Run: 163,974,369,280 bytes free

    - - End Of File - - 6C8B9029D8F039236D9D76594A322275
     
  11. 2010/09/21
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Good :)

    How is the computer doing?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  12. 2010/09/21
    SarahB

    SarahB Well-Known Member Thread Starter

    Joined:
    2009/08/10
    Messages:
    115
    Likes Received:
    1
    OTL ran twice, as I hit Run Scan the first time instead of Quick Scan.

    OTL.txt:

    OTL logfile created on: 21/09/2010 22:52:42 - Run 2
    OTL by OldTimer - Version 3.2.14.1 Folder = C:\Documents and Settings\Sarah\Desktop
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 55.00% Memory free
    5.00 Gb Paging File | 4.00 Gb Available in Paging File | 82.00% Paging File free
    Paging file location(s): [Binary data over 100 bytes]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 186.30 Gb Total Space | 152.71 Gb Free Space | 81.97% Space Free | Partition Type: NTFS
    Drive D: | 111.78 Gb Total Space | 104.09 Gb Free Space | 93.12% Space Free | Partition Type: NTFS
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: SMB190107
    Current User Name: Sarah
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 90 Days
    Output = Standard
    Quick Scan

    ========== Processes (SafeList) ==========

    PRC - [2010/09/21 22:46:25 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sarah\Desktop\OTL.exe
    PRC - [2010/08/16 21:37:33 | 002,403,568 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
    PRC - [2010/07/01 12:07:20 | 001,361,128 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
    PRC - [2010/07/01 12:07:18 | 000,840,936 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    PRC - [2010/02/26 01:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\17.7.0.12\ccsvchst.exe
    PRC - [2009/07/27 09:14:40 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2008/02/01 10:18:04 | 001,251,720 | ---- | M] () -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    PRC - [2007/11/28 20:51:10 | 000,583,048 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    PRC - [2007/08/31 11:49:50 | 000,243,064 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    PRC - [2007/01/31 14:55:42 | 000,096,370 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
    PRC - [2006/12/19 18:23:20 | 000,094,208 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
    PRC - [2006/07/28 18:39:32 | 002,129,408 | ---- | M] () -- C:\Program Files\ASUS\PC Probe II\Probe2.exe
    PRC - [2006/05/01 03:07:44 | 000,843,776 | R--- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
    PRC - [2004/06/11 04:15:18 | 000,083,968 | R--- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvraidservice.exe
    PRC - [2004/01/26 12:38:38 | 000,866,816 | ---- | M] (THOMSON Telecom Belgium) -- C:\Program Files\Thomson\SpeedTouch USB\dragdiag.exe
    PRC - [2003/08/29 19:05:35 | 000,360,448 | ---- | M] () -- C:\Program Files\SpywareGuard\sgmain.exe
    PRC - [2003/08/29 11:14:56 | 000,233,472 | ---- | M] () -- C:\Program Files\SpywareGuard\sgbhp.exe
    PRC - [2001/08/09 02:01:00 | 000,090,112 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Common Files\EPSON\eEBAPI\SAgent2.exe


    ========== Modules (SafeList) ==========

    MOD - [2010/09/21 22:46:25 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sarah\Desktop\OTL.exe
    MOD - [2010/06/07 18:07:08 | 000,541,928 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\rooksbas.dll
    MOD - [2010/05/14 06:35:01 | 000,415,088 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\17.7.0.12\asoehook.dll
    MOD - [2009/07/12 09:02:02 | 000,653,120 | R--- | M] (Microsoft Corporation) -- C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\17.7.0.12\microsoft.vc90.crt\msvcr90.dll
    MOD - [2009/07/12 09:02:00 | 000,569,664 | R--- | M] (Microsoft Corporation) -- C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\17.7.0.12\microsoft.vc90.crt\msvcp90.dll
    MOD - [2008/04/14 01:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
    SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
    SRV - [2010/07/01 12:07:18 | 000,840,936 | ---- | M] (Trusteer Ltd.) [Auto | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe -- (RapportMgmtService)
    SRV - [2010/02/26 01:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe -- (NIS)
    SRV - [2009/08/07 12:43:04 | 000,045,816 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus(R)
    SRV - [2008/11/04 10:33:21 | 000,039,936 | ---- | M] (C-Dilla Ltd) [Auto | Stopped] -- C:\WINDOWS\system32\drivers\CDAC11BA.EXE -- (C-DillaCdaC11BA)
    SRV - [2008/02/01 10:18:04 | 001,251,720 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- (Symantec Core LC)
    SRV - [2008/01/17 11:07:17 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
    SRV - [2007/11/28 20:51:10 | 000,583,048 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe -- (LiveUpdate Notice Service)
    SRV - [2007/10/25 15:27:54 | 000,266,240 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc)
    SRV - [2007/08/31 11:49:50 | 000,243,064 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe -- (Automatic LiveUpdate Scheduler)
    SRV - [2007/08/23 21:35:22 | 003,192,184 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE -- (LiveUpdate)
    SRV - [2007/01/31 14:55:42 | 000,096,370 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
    SRV - [2006/12/19 18:23:20 | 000,094,208 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe -- (EpsonBidirectionalService)
    SRV - [2001/08/09 02:01:00 | 000,090,112 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Program Files\Common Files\EPSON\eEBAPI\SAgent2.exe -- (EPSONStatusAgent2)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\NIS\1000000.07D\SYMREDRV.SYS -- (SYMREDRV)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\NIS\1008000.029\SYMNDIS.SYS -- (SYMNDIS)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\NIS\1008000.029\SYMIDS.SYS -- (SYMIDS)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\NIS\1008000.029\SYMFW.SYS -- (SYMFW)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\NIS\1000000.07D\SYMDNS.SYS -- (SYMDNS)
    DRV - File not found [Kernel | On_Demand | Running] -- C:\DOCUME~1\Sarah\LOCALS~1\Temp\catchme.sys -- (catchme)
    DRV - [2010/08/31 23:57:04 | 000,692,272 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\BASHDefs\20100901.003\BHDrvx86.sys -- (BHDrvx86)
    DRV - [2010/07/14 10:58:09 | 001,362,608 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\VirusDefs\20100921.003\NAVEX15.SYS -- (NAVEX15)
    DRV - [2010/07/14 10:58:09 | 000,085,424 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\VirusDefs\20100921.003\NAVENG.SYS -- (NAVENG)
    DRV - [2010/07/01 12:07:30 | 000,166,632 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys -- (RapportPG)
    DRV - [2010/07/01 12:07:30 | 000,059,240 | ---- | M] (Trusteer Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Trusteer\Rapport\bin\RapportKELL.sys -- (RapportKELL)
    DRV - [2010/05/28 20:33:19 | 000,331,640 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\Definitions\IPSDefs\20100920.001\IDSXpx86.sys -- (IDSxpx86)
    DRV - [2010/05/27 09:21:05 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
    DRV - [2010/05/27 09:21:05 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
    DRV - [2010/05/26 19:02:00 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
    DRV - [2010/05/06 05:01:59 | 000,361,904 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\NIS\1107000.00C\SYMTDI.SYS -- (SYMTDI)
    DRV - [2010/04/29 06:03:51 | 000,116,784 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NIS\1108000.005\Ironx86.SYS -- (SymIRON)
    DRV - [2010/04/22 04:02:20 | 000,173,104 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\NIS\1108000.005\SYMEFA.SYS -- (SymEFA)
    DRV - [2010/04/22 03:29:50 | 000,325,680 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\NIS\1107000.00C\SRTSP.SYS -- (SRTSP)
    DRV - [2010/04/22 03:29:50 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NIS\1108000.005\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
    DRV - [2010/04/09 16:34:47 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
    DRV - [2010/02/26 01:22:57 | 000,501,888 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NIS\1108000.005\ccHPx86.sys -- (ccHP)
    DRV - [2010/02/22 18:59:46 | 000,012,872 | ---- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
    DRV - [2010/02/22 18:59:45 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
    DRV - [2009/10/15 04:50:05 | 000,328,752 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\NIS\1108000.005\SYMDS.SYS -- (SymDS)
    DRV - [2008/04/13 19:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
    DRV - [2008/04/13 17:36:05 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
    DRV - [2007/01/20 12:31:40 | 000,010,344 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\symlcbrd.sys -- (symlcbrd)
    DRV - [2006/09/24 14:28:46 | 000,005,248 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | Boot | Running] -- C:\WINDOWS\system32\speedfan.sys -- (speedfan)
    DRV - [2006/08/07 20:28:32 | 000,012,288 | ---- | M] (ColorVision Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SpyderUSB.sys -- (Spyder)
    DRV - [2006/07/21 07:12:16 | 001,095,968 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
    DRV - [2006/07/18 02:51:40 | 000,041,600 | R--- | M] (JMicron Technology Corp.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\jraid.sys -- (JRAID)
    DRV - [2006/05/02 10:12:06 | 000,229,376 | R--- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ADIHdAud.sys -- (ADIHdAudAddService)
    DRV - [2006/03/17 11:18:58 | 000,392,960 | R--- | M] (Sensaura) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (SenFiltService)
    DRV - [2006/02/07 12:52:58 | 000,006,912 | R--- | M] (JMicron ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\JGOGO.sys -- (JGOGO)
    DRV - [2005/12/22 03:22:18 | 000,005,685 | R--- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AsIO.sys -- (AsIO)
    DRV - [2004/08/13 03:56:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
    DRV - [2004/08/03 23:29:28 | 000,701,440 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
    DRV - [2004/07/16 19:12:52 | 000,014,416 | ---- | M] (Portrait Displays, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\pdihwctl.sys -- (PDIHWCTL)
    DRV - [2004/06/03 03:40:50 | 000,068,224 | R--- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvraid.sys -- (nvraid) NVIDIA NForce(tm)
    DRV - [2004/06/03 03:40:46 | 000,079,360 | R--- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvatabus.sys -- (nvatabus)
    DRV - [2004/05/17 07:00:54 | 000,012,928 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
    DRV - [2004/05/17 07:00:52 | 000,033,280 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
    DRV - [2004/05/07 13:02:08 | 000,044,344 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\EyeOneDp.sys -- (eyeonedp)
    DRV - [2004/04/02 08:40:00 | 000,021,760 | R--- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nv_agp.sys -- (nv_agp)
    DRV - [2003/12/08 12:53:48 | 000,053,600 | ---- | M] (THOMSON) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\alcan5wn.sys -- (alcan5wn) SpeedTouch USB ADSL PPP Networking Driver (NDISWAN)
    DRV - [2003/12/08 12:53:46 | 000,070,688 | ---- | M] (THOMSON) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\alcaudsl.sys -- (alcaudsl)
    DRV - [2003/06/02 21:28:02 | 000,040,060 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ulink.sys -- (Usblink)
    DRV - [2002/04/02 17:30:16 | 000,033,024 | ---- | M] (Colorvision Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\cvspydr2.sys -- (cvspydr2)
    DRV - [2001/08/17 15:00:04 | 000,002,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401)
    DRV - [2001/08/17 14:51:32 | 000,018,688 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\irsir.sys -- (irsir)
    DRV - [1996/04/03 20:33:26 | 000,005,248 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\giveio.sys -- (giveio)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========


    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.metoffice.gov.uk/weather/uk/wm/cannock_forecast_weather.html
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.search.update: false
    FF - prefs.js..browser.startup.homepage: "http://www.metoffice.gov.uk/weather/uk/wm/cannock_forecast_weather.html|http://www.flashbarstores.co.uk/|http://www.maccinfo.com/cat/|http://www.windowsbbs.com/malware-virus-removal/|http://www.lakeland.co.uk/ultimate-ironing-station/F/keyword/mesh+ironing+board/product/22756 "
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
    FF - prefs.js..extensions.enabledItems: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20100908
    FF - prefs.js..extensions.enabledItems: {BBDA0591-3099-440a-AA10-41764D9DB4DB}:2.0
    FF - prefs.js..extensions.enabledItems: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}:4.6
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21

    FF - HKLM\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\IPSFFPlgn\ [2010/05/26 09:25:05 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.5.0.127\coFFPlgn\ [2010/04/09 16:39:10 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/27 23:24:31 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/08/25 10:47:42 | 000,000,000 | ---D | M]

    [2008/09/05 16:59:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\Mozilla\Extensions
    [2010/09/21 08:59:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\9rzdtr1d.default\extensions
    [2010/05/04 07:56:54 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\9rzdtr1d.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2010/09/16 21:19:22 | 000,000,000 | ---D | M] (WOT) -- C:\Documents and Settings\Sarah\Application Data\Mozilla\Firefox\Profiles\9rzdtr1d.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
    [2010/09/21 08:59:49 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
    [2010/05/10 12:09:49 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    [2010/08/14 08:11:10 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    [2008/02/07 22:46:12 | 000,087,360 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\CgpCore.dll
    [2008/02/07 22:46:20 | 000,091,448 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\confmgr.dll
    [2008/02/07 22:46:16 | 000,021,824 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\ctxlogging.dll
    [2007/03/16 18:27:00 | 000,479,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\msvcm80.dll
    [2007/03/16 18:27:00 | 000,548,864 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\msvcp80.dll
    [2007/03/16 18:27:00 | 000,626,688 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\msvcr80.dll
    [2010/07/17 05:00:04 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
    [2008/02/07 22:48:26 | 000,419,136 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npicaN.dll
    [2008/02/07 22:46:12 | 000,024,384 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\TcpPServ.dll
    [2010/01/16 01:55:13 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
    [2010/01/16 01:55:13 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
    [2010/01/16 01:55:13 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
    [2010/01/16 01:55:13 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

    O1 HOSTS File: ([2010/09/21 08:34:58 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (SpywareGuardDLBLOCK.CBrowserHelper) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll ()
    O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\17.7.0.12\coieplg.dll (Symantec Corporation)
    O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\17.7.0.12\ipsbho.dll (Symantec Corporation)
    O2 - BHO: (WOT Helper) - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll ()
    O3 - HKLM\..\Toolbar: (WOT) - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll ()
    O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\17.7.0.12\coieplg.dll (Symantec Corporation)
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (WOT) - {71576546-354D-41C9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll ()
    O3 - HKCU\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\17.7.0.12\coieplg.dll (Symantec Corporation)
    O4 - HKLM..\Run: [JMB36X Configure] C:\WINDOWS\System32\JMRaidTool.exe (JMicron Technology Corp.)
    O4 - HKLM..\Run: [Launch PC Probe II] C:\Program Files\ASUS\PC Probe II\Probe2.exe ()
    O4 - HKLM..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe (NVIDIA Corporation)
    O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
    O4 - HKLM..\Run: [SpeedTouch USB Diagnostics] C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe (THOMSON Telecom Belgium)
    O4 - HKLM..\Run: [Symantec PIF AlertEng] C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe (Symantec Corporation)
    O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE (SEIKO EPSON CORPORATION)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logo Calibration Loader.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe (LOGO Kommunikations- und Drucktechnik GmbH & Co. KG)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ProfileReminder.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe (LOGO Kommunikations- und Drucktechnik GmbH & Co. KG)
    O4 - Startup: C:\Documents and Settings\Sarah\Start Menu\Programs\Startup\SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe ()
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/downl...-4E4D-9C54-AFB56EFCB312/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
    O16 - DPF: {46431044-1B22-4EF3-B333-863AAF310153} http://download.five.tv/Download/five_3_4_0_8.cab (Reg Error: Key error.)
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab (Windows Live Safety Center Base Module)
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} https://webdl.symantec.com/activex/symdlmgr.cab (Symantec Download Manager)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169683246062 (MUWebControl Class)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
    O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
    O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} http://www.photodex.com/pxplay.cab (Photodex Presenter AX control)
    O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} http://download.five.tv/Download/Entriq_3_4_0_10_Silent.cab (MediaControl Class)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} http://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab (CTAdjust Class)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class)
    O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
    O18 - Protocol\Handler\wot {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll ()
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
    O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
    O24 - Desktop WallPaper: C:\Documents and Settings\Sarah\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\Sarah\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
    O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
    O28 - HKLM ShellExecuteHooks: {81559C35-8464-49F7-BB0E-07A383BEF910} - C:\Program Files\SpywareGuard\spywareguard.dll ()
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2007/01/19 13:27:31 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
    NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
    NetSvcs: WmdmPmSp - File not found

    Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
    Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
    Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
    Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
    Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
    Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point (16902053519425536)

    ========== Files/Folders - Created Within 90 Days ==========

    [2010/09/21 22:46:19 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Sarah\Desktop\OTL.exe
    [2010/09/21 08:30:41 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2010/09/21 08:28:55 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2010/09/21 08:28:55 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2010/09/21 08:28:55 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2010/09/21 08:28:55 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2010/09/21 08:28:27 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2010/08/27 13:40:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sarah\My Documents\Squisito
    [2010/08/14 08:11:34 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java

    ========== Files - Modified Within 90 Days ==========

    [2010/09/21 22:46:25 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sarah\Desktop\OTL.exe
    [2010/09/21 22:29:33 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
    [2010/09/21 22:27:51 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
    [2010/09/21 21:56:47 | 000,161,891 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\MCPF Seminar Booking forms.pdf
    [2010/09/21 08:34:58 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2010/09/21 08:30:48 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2010/09/21 08:17:31 | 003,847,997 | R--- | M] () -- C:\Documents and Settings\Sarah\Desktop\ComboFix.exe
    [2010/09/21 08:16:43 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\Microsoft Office Word 2003.lnk
    [2010/09/21 08:08:14 | 000,001,374 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2010/09/21 08:07:08 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2010/09/21 08:07:07 | 2121,453,568 | -HS- | M] () -- C:\hiberfil.sys
    [2010/09/20 23:11:50 | 011,010,048 | ---- | M] () -- C:\Documents and Settings\Sarah\ntuser.dat
    [2010/09/20 23:11:50 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Sarah\ntuser.ini
    [2010/09/20 23:02:33 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\MBRCheck.exe
    [2010/09/20 22:52:57 | 000,000,172 | ---- | M] () -- C:\WINDOWS\System32\drivers\NIS\1108000.005\isolate.ini
    [2010/09/19 22:44:49 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\124cmwvr.exe
    [2010/09/19 17:22:05 | 000,000,638 | ---- | M] () -- C:\WINDOWS\tasks\Norton Internet Security - Sarah - Full System Scan.job
    [2010/09/19 10:43:14 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\dds(2).scr
    [2010/09/19 10:15:53 | 000,020,992 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\Trojan.Gen 180910.doc
    [2010/09/17 08:22:36 | 000,002,471 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\Microsoft Office Access 2003.lnk
    [2010/09/17 08:18:01 | 000,002,495 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\Microsoft Office Excel 2003.lnk
    [2010/09/15 09:05:13 | 000,000,603 | ---- | M] () -- C:\WINDOWS\win.ini
    [2010/09/15 09:04:44 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2010/09/03 10:29:50 | 000,000,690 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\SpywareBlaster.lnk
    [2010/08/25 10:47:42 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
    [2010/08/23 10:18:09 | 000,040,448 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Speakers.doc
    [2010/08/12 23:21:24 | 001,677,776 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2010/08/12 23:03:03 | 000,535,450 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
    [2010/08/12 23:03:03 | 000,465,822 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2010/08/12 23:03:03 | 000,079,582 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2010/08/05 16:05:28 | 000,020,992 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\The South West Prospect of the City of Lichfield museum copy.doc
    [2010/07/31 09:27:24 | 000,052,224 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\Gilfach Farm.doc
    [2010/07/23 09:49:08 | 000,225,214 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\Cabbage Patch amended SMB.jpg
    [2010/07/23 09:46:55 | 159,523,923 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\Cabbage Patch amended SMB.psd
    [2010/07/14 12:41:03 | 000,021,504 | ---- | M] () -- C:\Documents and Settings\Sarah\My Documents\The South West Prospect of the City of Lichfield.doc
    [2010/07/14 11:07:26 | 023,570,940 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\New Prospect of Lichfield by Sarah Bradbury.jpg
    [2010/07/01 10:42:16 | 000,068,608 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\COMPETITION RULES March 2010.doc

    ========== Files Created - No Company Name ==========

    [2010/09/21 21:56:47 | 000,161,891 | ---- | C] () -- C:\Documents and Settings\Sarah\Desktop\MCPF Seminar Booking forms.pdf
    [2010/09/21 08:28:55 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2010/09/21 08:28:55 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2010/09/21 08:28:55 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2010/09/21 08:28:55 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2010/09/21 08:28:55 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2010/09/21 08:17:20 | 003,847,997 | R--- | C] () -- C:\Documents and Settings\Sarah\Desktop\ComboFix.exe
    [2010/09/20 23:02:33 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\Sarah\Desktop\MBRCheck.exe
    [2010/09/20 22:52:28 | 2121,453,568 | -HS- | C] () -- C:\hiberfil.sys
    [2010/09/19 22:44:49 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Sarah\Desktop\124cmwvr.exe
    [2010/09/19 10:43:13 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Sarah\Desktop\dds(2).scr
    [2010/09/18 20:23:39 | 000,020,992 | ---- | C] () -- C:\Documents and Settings\Sarah\Desktop\Trojan.Gen 180910.doc
    [2010/08/05 10:08:14 | 000,020,992 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\The South West Prospect of the City of Lichfield museum copy.doc
    [2010/07/31 09:22:04 | 000,052,224 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\Gilfach Farm.doc
    [2010/07/23 09:49:02 | 000,225,214 | ---- | C] () -- C:\Documents and Settings\Sarah\Desktop\Cabbage Patch amended SMB.jpg
    [2010/07/23 09:44:47 | 159,523,923 | ---- | C] () -- C:\Documents and Settings\Sarah\Desktop\Cabbage Patch amended SMB.psd
    [2010/07/14 12:15:38 | 000,021,504 | ---- | C] () -- C:\Documents and Settings\Sarah\My Documents\The South West Prospect of the City of Lichfield.doc
    [2010/07/01 10:42:16 | 000,068,608 | ---- | C] () -- C:\Documents and Settings\Sarah\Desktop\COMPETITION RULES March 2010.doc
    [2008/11/03 23:51:10 | 000,000,029 | ---- | C] () -- C:\WINDOWS\DEBUGSM.INI
    [2008/09/03 08:40:52 | 000,006,144 | ---- | C] () -- C:\Documents and Settings\Sarah\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2008/04/01 11:15:26 | 000,124,468 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\LUUnInstall.LiveUpdate
    [2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
    [2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
    [2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
    [2007/06/18 09:39:41 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
    [2007/03/18 14:04:56 | 000,040,060 | ---- | C] () -- C:\WINDOWS\System32\drivers\ulink.sys
    [2007/02/19 15:45:23 | 004,743,168 | ---- | C] () -- C:\WINDOWS\System32\qt-mt335.dll
    [2007/02/19 15:44:18 | 000,000,197 | ---- | C] () -- C:\WINDOWS\i1Share.ini
    [2007/02/19 15:42:05 | 000,044,344 | ---- | C] () -- C:\WINDOWS\System32\drivers\EyeOneDp.sys
    [2007/02/08 11:50:00 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Sarah\Local Settings\Application Data\fusioncache.dat
    [2007/02/08 11:06:23 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2007/02/07 18:58:42 | 000,024,576 | R--- | C] () -- C:\WINDOWS\System32\AsIO.dll
    [2007/02/07 18:58:42 | 000,005,685 | R--- | C] () -- C:\WINDOWS\System32\drivers\AsIO.sys
    [2007/02/07 18:58:40 | 000,005,120 | ---- | C] () -- C:\WINDOWS\System32\drivers\AsInsHelp64.sys
    [2007/02/07 18:58:40 | 000,003,328 | ---- | C] () -- C:\WINDOWS\System32\drivers\AsInsHelp32.sys
    [2007/02/07 18:37:12 | 000,192,512 | R--- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4642.dll
    [2007/02/07 18:37:11 | 000,348,880 | R--- | C] () -- C:\WINDOWS\System32\igmedkrn.dll
    [2007/02/07 18:32:05 | 000,020,026 | ---- | C] () -- C:\WINDOWS\Ascd_log.ini
    [2007/02/07 18:31:36 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
    [2007/01/20 11:07:28 | 000,000,131 | ---- | C] () -- C:\WINDOWS\EPSON Perfection 1670.ini
    [2007/01/20 11:00:33 | 000,005,606 | ---- | C] () -- C:\WINDOWS\System32\stci.dll
    [2007/01/19 13:39:49 | 000,028,672 | R--- | C] () -- C:\WINDOWS\System32\cmirmdrv.dll
    [2007/01/19 13:39:43 | 000,000,092 | ---- | C] () -- C:\WINDOWS\CMISETUP.INI
    [2007/01/19 13:39:43 | 000,000,026 | ---- | C] () -- C:\WINDOWS\CMCDPLAY.INI
    [2007/01/19 13:39:42 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Wininit.ini
    [2007/01/19 13:39:40 | 000,136,302 | R--- | C] () -- C:\WINDOWS\Cmuda.ini
    [2007/01/19 13:39:38 | 000,028,672 | ---- | C] () -- C:\WINDOWS\CMIRmDriver.dll
    [2007/01/19 13:33:00 | 000,021,247 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
    [2007/01/19 13:32:59 | 000,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
    [2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
    [2002/04/11 19:47:52 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\msmscoin.dll
    [1996/04/03 20:33:26 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

    ========== LOP Check ==========

    [2008/04/27 18:04:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Channel4
    [2009/11/23 12:05:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EPSON
    [2009/10/24 21:33:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FRISK Software
    [2007/01/24 17:59:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nikon
    [2009/04/03 08:40:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCSettings
    [2010/09/21 22:32:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2009/07/27 13:35:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Trusteer
    [2009/08/17 09:48:59 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\~0
    [2007/10/05 10:11:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\Canon
    [2007/02/13 13:37:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\EPSON
    [2009/10/22 20:36:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\FRISK Software
    [2007/02/19 16:24:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\GretagMacbeth
    [2009/05/06 11:08:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\HDRsoft
    [2010/01/29 16:10:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\ICAClient
    [2007/01/20 11:11:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\InterTrust
    [2008/09/12 10:03:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\Netscape
    [2007/01/25 03:30:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\Pixmantec
    [2009/07/27 13:35:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\Trusteer
    [2009/08/04 14:46:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\Uniblue
    [2008/10/11 20:52:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\Windows Desktop Search
    [2009/07/27 00:35:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sarah\Application Data\Windows Search

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2007/01/19 13:27:31 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
    [2010/01/25 23:18:52 | 000,000,281 | ---- | M] () -- C:\Boot.bak
    [2010/09/21 08:30:48 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
    [2010/09/21 22:29:33 | 000,016,215 | ---- | M] () -- C:\ComboFix.txt
    [2007/01/19 13:27:31 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
    [2010/09/21 08:07:07 | 2121,453,568 | -HS- | M] () -- C:\hiberfil.sys
    [2007/01/19 13:27:31 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2009/08/13 08:35:24 | 000,000,229 | ---- | M] () -- C:\JavaRa.log
    [2010/04/30 09:09:16 | 000,000,109 | ---- | M] () -- C:\mbam-error.txt
    [2007/01/19 13:27:31 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2004/08/04 13:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
    [2008/08/20 21:59:04 | 000,250,048 | RHS- | M] () -- C:\ntldr
    [2010/09/21 08:07:01 | 524,288,000 | -HS- | M] () -- C:\pagefile.sys
    [2008/09/12 10:03:59 | 000,001,684 | ---- | M] () -- C:\photodex-presenter-install.log

    < %systemroot%\Fonts\*.com >
    [2006/04/18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
    [2006/06/29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
    [2006/04/18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
    [2006/06/29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2007/01/19 13:27:07 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2008/07/06 13:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    [2007/04/09 13:23:54 | 000,028,552 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
    [2008/07/06 11:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2007/01/19 13:14:00 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
    [2007/01/19 13:14:00 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
    [2007/01/19 13:14:00 | 000,892,928 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
    [2008/08/20 22:04:29 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2007/01/19 13:32:08 | 000,000,119 | -HS- | M] () -- C:\Documents and Settings\Sarah\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
    [2007/01/19 13:32:07 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Sarah\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

    < %USERPROFILE%\Desktop\*.exe >
    [2010/09/19 22:44:49 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\124cmwvr.exe
    [2010/01/23 10:54:41 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\Sarah\Desktop\ATF-Cleaner.exe
    [2010/09/21 08:17:31 | 003,847,997 | R--- | M] () -- C:\Documents and Settings\Sarah\Desktop\ComboFix.exe
    [2008/09/26 18:07:32 | 020,940,800 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\epson318471eu.exe
    [2010/09/20 23:02:33 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Sarah\Desktop\MBRCheck.exe
    [2010/09/21 22:46:25 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sarah\Desktop\OTL.exe
    [2009/08/16 16:29:24 | 001,557,504 | ---- | M] (Topala Software Solutions) -- C:\Documents and Settings\Sarah\Desktop\siw.exe
    [2010/01/29 16:15:34 | 008,669,472 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Sarah\Desktop\Windows7UpgradeAdvisorSetup(2).exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2007/01/19 13:32:07 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\Sarah\Favorites\Desktop.ini
    [2010/02/22 18:05:11 | 000,000,467 | ---- | M] () -- C:\Documents and Settings\Sarah\Favorites\Sarah's Records.lnk

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >
    [2010/09/21 22:52:10 | 000,032,768 | -HS- | M] () -- C:\Documents and Settings\Sarah\Cookies\index.dat

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [2007/06/26 22:10:26 | 000,317,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe
    [2006/06/23 07:48:54 | 000,032,768 | R--- | M] (AsusTek Inc.) -- C:\WINDOWS\inf\UpdateUSB.exe

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >
    [2008/04/14 01:11:51 | 000,033,792 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\custsat.dll
    [2004/08/04 02:06:34 | 000,004,821 | ---- | M] () -- C:\Program Files\Messenger\logowin.gif
    [2004/08/04 02:06:34 | 000,007,047 | ---- | M] () -- C:\Program Files\Messenger\lvback.gif
    [2008/05/02 15:01:49 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgsc.dll
    [2008/04/13 18:30:28 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgslang.dll
    [2008/04/14 01:12:28 | 001,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
    [2007/04/02 19:07:23 | 000,002,882 | ---- | M] () -- C:\Program Files\Messenger\newalert.wav
    [2007/04/02 19:07:23 | 000,006,156 | ---- | M] () -- C:\Program Files\Messenger\newemail.wav
    [2007/04/02 19:07:24 | 000,006,160 | ---- | M] () -- C:\Program Files\Messenger\online.wav
    [2004/08/04 02:06:36 | 000,004,454 | ---- | M] () -- C:\Program Files\Messenger\type.wav
    [2004/08/04 02:06:36 | 000,115,981 | ---- | M] () -- C:\Program Files\Messenger\xpmsgr.chm

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >
    [2004/02/17 03:51:56 | 001,458,176 | R--- | M] (C-Media Electronics Inc.) -- C:\WINDOWS\system\SmWizard.exe

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
    @Alternate Data Stream - 88 bytes -> C:\WINDOWS\System32\rundll32.exe:SummaryInformation
    @Alternate Data Stream - 88 bytes -> C:\WINDOWS\System32\lsass.exe:SummaryInformation
    @Alternate Data Stream - 88 bytes -> C:\WINDOWS\System32\dumprep.exe:SummaryInformation
    @Alternate Data Stream - 88 bytes -> C:\WINDOWS\System32\drwtsn32.exe:SummaryInformation
    @Alternate Data Stream - 88 bytes -> C:\Program Files\Bonjour\mDNSResponder.exe:SummaryInformation
    < End of report >
     
  13. 2010/09/21
    SarahB

    SarahB Well-Known Member Thread Starter

    Extras.txt:

    OTL Extras logfile created on: 21/09/2010 22:48:04 - Run 1
    OTL by OldTimer - Version 3.2.14.1 Folder = C:\Documents and Settings\Sarah\Desktop
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 52.00% Memory free
    5.00 Gb Paging File | 4.00 Gb Available in Paging File | 82.00% Paging File free
    Paging file location(s): [Binary data over 100 bytes]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 186.30 Gb Total Space | 152.74 Gb Free Space | 81.98% Space Free | Partition Type: NTFS
    Drive D: | 111.78 Gb Total Space | 104.09 Gb Free Space | 93.12% Space Free | Partition Type: NTFS
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: SMB190107
    Current User Name: Sarah
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: Off
    Skip Microsoft Files: Off
    File Age = 30 Days
    Output = Standard

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

    [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1 "
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 0
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{0046FA01-C5B9-4985-BACB-398DC480FC05}" = Adobe Photoshop CS3
    "{04AF207D-9A77-465A-8B76-991F6AB66245}" = Adobe Help Viewer CS3
    "{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting
    "{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}" = Symantec KB-DocID:2003093015493306
    "{172423F9-522A-483A-AD65-03600CE4CA4F}" = Microsoft Works 6-9 Converter
    "{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin
    "{184E7118-0295-43C4-B72C-1D54AA75AAF7}" = Windows Live Mail
    "{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}" = Rapport
    "{236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
    "{2624B680-02BC-4CBC-839C-DA20DF6EF6EC}" = Citrix Presentation Server Client
    "{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 21
    "{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3
    "{2E5A5B57-57FC-4C79-A239-9DB280ADEC2A}" = Microsoft RAW Image Thumbnailer and Viewer for Windows XP Version 1.0 (Build 50)
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}" = JMB36X Raid Configurer
    "{407B9B5C-DAC5-4F44-A756-B57CAB4E6A8B}" = Google Earth
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{4FD1C84E-F387-4609-A31F-4117F88B6600}" = EPSON LFP Remote Panel
    "{51846830-E7B2-4218-8968-B77F0FF475B8}" = Adobe Color EU Extra Settings
    "{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3
    "{5FCDE341-328B-434B-9F21-AF5BADB57852}" = Symantec Technical Support Web Controls
    "{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}" = Adobe Setup
    "{6ABE0BEE-D572-4FE8-B434-9E72A289431B}" = Adobe Fonts All
    "{6C5D7191-140A-11D6-B5A0-0050DA208A93}" = ArcSoft PhotoImpression
    "{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}" = Adobe Color Common Settings
    "{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{77D2A9D3-5800-43E3-B274-87841BC87DB2}" = Adobe ExtendScript Toolkit 2
    "{786C5747-1033-0000-B58E-000000000001}" = Adobe Stock Photos 1.0
    "{802771A9-A856-4A41-ACF7-1450E523C923}" = Adobe XMP Panels CS3
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8AE03988-8C8C-40EE-BDC7-76781BEF1B1D}" = Adobe Setup
    "{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3
    "{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support
    "{8EDBA74D-0686-4C99-BFDD-F894678E5B39}" = Adobe Common File Installer
    "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
    "{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
    "{91110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
    "{9391F2BC-B6F3-4AAC-82CC-5A74A4ED388E}" = EPSON Photo Print
    "{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
    "{95655ED4-7CA5-46DF-907F-7144877A32E5}" = Adobe Color NA Recommended Settings
    "{9AE4AC96-A5F4-4F19-9D13-066C8B3CE034}" = Nikon Scan
    "{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3
    "{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps
    "{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
    "{A2D81E70-2A98-4A08-A628-94388B063C5E}" = Adobe Color - Photoshop Specific
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer
    "{AB05F2C8-F608-403b-95E1-FD8ADFACD31E}" = Windows 7 Upgrade Advisor
    "{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}" = PDF Settings
    "{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.4
    "{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
    "{AF600F7B-67A7-48D9-BA3B-0FF97F35F970}" = ABBYY FineReader 6.0
    "{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0
    "{B74D4E10-6884-0000-0000-000000000103}" = Adobe Bridge 1.0
    "{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}" = Adobe Default Language CS3
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
    "{CBCDEDF3-A2E5-4402-8E9E-E2C23DBE1DA8}" = Adobe Photoshop Lightroom
    "{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Professional
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{CE378F36-E404-4244-A33F-F50A2A6D31BD}" = Microsoft Color Control Panel Applet for Windows XP
    "{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client
    "{D1696920-9794-4BBC-8A30-7A88763DE5A2}" = ABBYY FineReader 5.0 Sprint
    "{D1BB4446-AE9C-4256-9A7F-4D46604D2462}" = Adobe Setup
    "{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}" = Adobe PDF Library Files
    "{D41FAAA9-8048-4906-86B2-9AADEA1FA0B7}" = SpeedTouch USB Software
    "{DB6BD5D5-8482-45C0-99CF-745C5B924497}" = WOT for Internet Explorer
    "{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}" = LiveUpdate Notice (Symantec Corporation)
    "{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}" = Adobe Color JA Extra Settings
    "{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
    "{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3
    "{E80F62FF-5D3C-4A19-8409-9721F2928206}" = LiveUpdate (Symantec Corporation)
    "{E9787678-1033-0000-8E67-000000000001}" = Adobe Help Center 1.0
    "{EBC91840-41E1-4CC3-AC11-0B889546223C}" = Microsoft IntelliPoint 5.5
    "{F02DBC56-E5AB-4F74-B995-4586F91D4BDC}" = SI Pro 1.1.1
    "{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
    "{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
    "{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
    "{F7338FA3-DAB5-49B2-900D-0AFB5760C166}" = PC Probe II
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "Adobe Photoshop CS2 - {236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
    "Adobe_2ac78060bc5856b0c1cf873bb919b58" = Adobe Photoshop CS3
    "Adobe_3e054d2218e7aa282c2369d939e58ff" = Adobe ExtendScript Toolkit 2
    "Adobe_6c8e2cb4fd241c55406016127a6ab2e" = Adobe Color Common Settings
    "CAL" = Canon Camera Access Library
    "CameraWindowDC" = Canon Utilities CameraWindow DC
    "CameraWindowDVC5" = Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
    "CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
    "CameraWindowLauncher" = Canon Utilities CameraWindow
    "Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
    "CANON iMAGE GATEWAY Task" = CANON iMAGE GATEWAY Task for ZoomBrowser EX
    "Canon Internet Library for ZoomBrowser EX" = Canon Internet Library for ZoomBrowser EX
    "C-Media Audio" = C-Media 3D Audio
    "CS432_is1" = Tone Mapping Plug-In 2.0.1
    "CSCLIB" = Canon Camera Support Core Library
    "Entriq MediaSphere_is1" = Entriq MediaSphere 3.4.0.10
    "EOS Utility" = Canon Utilities EOS Utility
    "EPSON Printer and Utilities" = EPSON Printer Software
    "Epson Stylus Pro 3880" = Epson Stylus Pro 3880 Printer Uninstall
    "ESPR3800 User’s Guide" = ESPR3800 User’s Guide
    "Eye-One Diagnostics_is1" = Eye-One Diagnostics
    "Eye-One Match_is1" = Eye-One Match 3.6.2
    "Eye-One Share" = Eye-One Share
    "HDMI" = Intel(R) Graphics Media Accelerator Driver
    "i1ColorPoint 1.0" = i1ColorPoint 1.0
    "IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
    "ie7" = Windows Internet Explorer 7
    "ie8" = Windows Internet Explorer 8
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
    "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
    "Mozilla Firefox (3.6)" = Mozilla Firefox (3.6)
    "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
    "MyCamera" = Canon Utilities MyCamera
    "MyCameraDC" = Canon Utilities MyCamera DC
    "Nero - Burning Rom!UninstallKey" = Nero OEM
    "NIS" = Norton Internet Security
    "NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
    "NVIDIA Drivers" = NVIDIA Drivers
    "Photodex Presenter" = Photodex Presenter
    "PhotomatixPro3_is1" = Photomatix Pro version 3.1.3
    "PhotomatixPro3x32_is1" = Photomatix Pro version 3.2.8
    "PhotoStitch" = Canon Utilities PhotoStitch
    "PsuedoLiveUpdate" = LiveUpdate (Symantec Corporation)
    "Rapport_msi" = Rapport
    "RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
    "RawShooter essentials 2005" = RawShooter essentials 2005
    "RawShooter premium 2006" = RawShooter premium 2006
    "RemoteCaptureDC" = Canon Utilities RemoteCapture DC
    "RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
    "SpeedFan" = SpeedFan (remove only)
    "SpywareBlaster_is1" = SpywareBlaster 4.4
    "SpywareGuard_is1" = SpywareGuard v2.2
    "Wdf01001" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.1
    "Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
    "Windows Media Format Runtime" = Windows Media Format 11 runtime
    "Windows Media Player" = Windows Media Player 11
    "Windows XP Service Pack" = Windows XP Service Pack 3
    "WMFDist11" = Windows Media Format 11 runtime
    "wmp11" = Windows Media Player 11
    "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
    "ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
    "ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 20/09/2010 15:06:03 | Computer Name = SMB190107 | Source = Automatic LiveUpdate Scheduler | ID = 101
    Description = Information Level: error Initialization of the COM subsystem failed.
    Error code: 0x8007041D.

    Error - 20/09/2010 15:21:49 | Computer Name = SMB190107 | Source = Automatic LiveUpdate Scheduler | ID = 101
    Description = Information Level: error Initialization of the COM subsystem failed.
    Error code: 0x8007041D.

    Error - 20/09/2010 15:37:22 | Computer Name = SMB190107 | Source = Automatic LiveUpdate Scheduler | ID = 101
    Description = Information Level: error Initialization of the COM subsystem failed.
    Error code: 0x8007041D.

    Error - 20/09/2010 15:48:12 | Computer Name = SMB190107 | Source = Automatic LiveUpdate Scheduler | ID = 101
    Description = Information Level: error Initialization of the COM subsystem failed.
    Error code: 0x80080005.

    Error - 20/09/2010 16:26:33 | Computer Name = SMB190107 | Source = Automatic LiveUpdate Scheduler | ID = 101
    Description = Information Level: error Initialization of the COM subsystem failed.
    Error code: 0x8007041D.

    Error - 20/09/2010 16:34:29 | Computer Name = SMB190107 | Source = Automatic LiveUpdate Scheduler | ID = 101
    Description = Information Level: error Initialization of the COM subsystem failed.
    Error code: 0x8007041D.

    Error - 20/09/2010 16:41:59 | Computer Name = SMB190107 | Source = Automatic LiveUpdate Scheduler | ID = 101
    Description = Information Level: error Initialization of the COM subsystem failed.
    Error code: 0x8007041D.

    Error - 20/09/2010 16:49:12 | Computer Name = SMB190107 | Source = Automatic LiveUpdate Scheduler | ID = 101
    Description = Information Level: error Initialization of the COM subsystem failed.
    Error code: 0x8007041D.

    Error - 20/09/2010 16:57:16 | Computer Name = SMB190107 | Source = Automatic LiveUpdate Scheduler | ID = 101
    Description = Information Level: error Initialization of the COM subsystem failed.
    Error code: 0x8007041D.

    Error - 20/09/2010 17:04:49 | Computer Name = SMB190107 | Source = Automatic LiveUpdate Scheduler | ID = 101
    Description = Information Level: error Initialization of the COM subsystem failed.
    Error code: 0x8007041D.

    [ System Events ]
    Error - 20/09/2010 17:46:03 | Computer Name = SMB190107 | Source = Service Control Manager | ID = 7001
    Description = The IPSEC Services service depends on the IPSEC driver service which
    failed to start because of the following error: %%31

    Error - 20/09/2010 17:46:03 | Computer Name = SMB190107 | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    AFD AsIO BHDrvx86 ccHP eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV
    SASKUTIL
    SRTSP
    SRTSPX
    SymIRON
    SYMTDI
    Tcpip

    Error - 20/09/2010 17:46:03 | Computer Name = SMB190107 | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service EventSystem
    with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

    Error - 20/09/2010 17:46:05 | Computer Name = SMB190107 | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service netman with
    arguments " " in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

    Error - 20/09/2010 17:48:07 | Computer Name = SMB190107 | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service netman with
    arguments " " in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

    Error - 20/09/2010 17:52:49 | Computer Name = SMB190107 | Source = Service Control Manager | ID = 7000
    Description = The Parallel port driver service failed to start due to the following
    error: %%1058

    Error - 20/09/2010 17:52:49 | Computer Name = SMB190107 | Source = Service Control Manager | ID = 7001
    Description = The Computer Browser service depends on the Server service which failed
    to start because of the following error: %%1058

    Error - 21/09/2010 03:07:34 | Computer Name = SMB190107 | Source = Service Control Manager | ID = 7000
    Description = The Parallel port driver service failed to start due to the following
    error: %%1058

    Error - 21/09/2010 03:07:35 | Computer Name = SMB190107 | Source = Service Control Manager | ID = 7001
    Description = The Computer Browser service depends on the Server service which failed
    to start because of the following error: %%1058

    Error - 21/09/2010 03:29:52 | Computer Name = SMB190107 | Source = Service Control Manager | ID = 7034
    Description = The C-DillaCdaC11BA service terminated unexpectedly. It has done
    this 1 time(s).


    < End of report >
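The "Last 10 Event Log Errors" section above is easier to read once the numeric codes are decoded, so here is a small triage helper, added as an example and not part of the original post or of OTL itself. It parses the `Error - <date> | Computer Name = ... | Source = ... | ID = ...` records, decodes the codes the Event Log leaves unexpanded (`%%31`, `"%1084"`, `0x8007041D`) using their winerror.h meanings, and flags the burst at 17:46:03: error 1084 is literally "this service cannot be started in Safe Mode", and a 7026 record that lists Tcpip and AFD among boot-start drivers that failed to load is what a plain Safe Mode boot produces. Reading that timestamp as a Safe Mode boot rather than as damage is the assumption the code encodes; `SAMPLE_REPORT` is a subset of the report's own lines.

```python
"""Triage helper for the "Last 10 Event Log Errors" section of an OTL report.
Added example, not part of the original post or of OTL. Parses the "Error - ..." records,
decodes the raw Win32/HRESULT codes (%%N, "%N", 0xHHHHHHHH) and flags timestamps that
look like a Safe Mode boot. SAMPLE_REPORT is copied from the report above.
"""
import re

# Meanings from winerror.h; only the codes that occur in the report above are listed.
WIN32_ERRORS = {
    31: "ERROR_GEN_FAILURE: a device attached to the system is not functioning",
    1053: "ERROR_SERVICE_REQUEST_TIMEOUT: the service did not respond to the start request in time",
    1058: "ERROR_SERVICE_DISABLED: the service is disabled or has no enabled devices",
    1084: "ERROR_NOT_SAFEBOOT_SERVICE: this service cannot be started in Safe Mode",
}
HRESULTS = {0x80080005: "CO_E_SERVER_EXEC_FAILURE: the COM server process could not be started"}

EVENT_RE = re.compile(r"^Error - (?P<when>\S+ \S+) \| Computer Name = (?P<host>\S+)"
                      r" \| Source = (?P<source>.+?) \| ID = (?P<id>\d+)$")
CODE_RE = re.compile(r"%{1,2}(\d+)|0x([0-9A-Fa-f]{8})")   # %%31, "%1084", 0x8007041D
# Plain Safe Mode loads no network stack, so these names in a 7026 "failed to load"
# burst are taken (assumption of this example) as the signature of a Safe Mode boot.
CORE_NETWORK_DRIVERS = {"Tcpip", "AFD", "NetBT"}

def decode(num_token, hex_token):
    """(code, meaning) for one CODE_RE match; unwraps HRESULT_FROM_WIN32 values."""
    if hex_token:
        value = int(hex_token, 16)
        if value >> 16 == 0x8007:            # facility WIN32: Win32 code in the low 16 bits
            code = value & 0xFFFF
            return code, WIN32_ERRORS.get(code, "unknown Win32 error")
        return value, HRESULTS.get(value, "unknown HRESULT")
    code = int(num_token)
    return code, WIN32_ERRORS.get(code, "unknown Win32 error")

def parse_events(report):
    """Split the report into event dicts; a description may span several lines."""
    events, current = [], None
    for raw in report.splitlines():
        line = raw.strip()
        if not line:                          # blank line closes the current record
            current = None
            continue
        m = EVENT_RE.match(line)
        if m:
            current = {"when": m["when"], "host": m["host"], "source": m["source"],
                       "id": int(m["id"]), "description": "", "codes": []}
            events.append(current)
        elif current is not None and not line.startswith("["):   # skip "[ System Events ]"
            current["description"] = (current["description"] + " " + line).strip()
    for ev in events:
        ev["codes"] = [decode(n, h) for n, h in CODE_RE.findall(ev["description"])]
    return events

def failed_drivers(ev):
    """Driver names listed by Service Control Manager event 7026."""
    if ev["id"] != 7026:
        return []
    return ev["description"].partition("failed to load:")[2].split()

def safe_mode_boots(events):
    """Timestamps at which a service refused with 1084 or the TCP/IP stack failed to load."""
    stamps = set()
    for ev in events:
        if any(code == 1084 for code, _ in ev["codes"]) or CORE_NETWORK_DRIVERS & set(failed_drivers(ev)):
            stamps.add(ev["when"])
    return sorted(stamps)

SAMPLE_REPORT = """\
[ Application Events ]
Error - 20/09/2010 15:06:03 | Computer Name = SMB190107 | Source = Automatic LiveUpdate Scheduler | ID = 101
Description = Information Level: error Initialization of the COM subsystem failed.
Error code: 0x8007041D.

[ System Events ]
Error - 20/09/2010 17:46:03 | Computer Name = SMB190107 | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 20/09/2010 17:46:03 | Computer Name = SMB190107 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD AsIO BHDrvx86 ccHP eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV
SASKUTIL
Tcpip

Error - 20/09/2010 17:46:03 | Computer Name = SMB190107 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 20/09/2010 17:52:49 | Computer Name = SMB190107 | Source = Service Control Manager | ID = 7000
Description = The Parallel port driver service failed to start due to the following
error: %%1058
"""

if __name__ == "__main__":
    evs = parse_events(SAMPLE_REPORT)
    for ev in evs:
        print(ev["when"], ev["source"], ev["id"], [meaning for _, meaning in ev["codes"]])
    print("Safe Mode boot(s):", safe_mode_boots(evs))
```

On the report above this decodes the ten repeated LiveUpdate Scheduler entries to ERROR_SERVICE_REQUEST_TIMEOUT (0x8007041D wraps Win32 error 1053) and the parallel-port and Server-service entries to ERROR_SERVICE_DISABLED (1058), neither of which is malware-specific; the only timestamp it flags is the Safe Mode boot at 17:46:03, which is when all of Norton's and SUPERAntiSpyware's drivers (SRTSP, SYMTDI, SASDIFSV, SASKUTIL) failed to load together with the network stack.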
     
  14. 2010/09/21
    broni (Moderator, Malware Analyst)
    You didn't say how the computer is doing....
     
  15. 2010/09/21
    SarahB (Well-Known Member, Thread Starter)
    Oh sorry!

    Outlook Express still keeps asking for log on data (user name and password) intermittently when I check email.

    Otherwise PC seems OK.
     
  16. 2010/09/21
    broni (Moderator, Malware Analyst)
    Regarding OE, it'd be better if you start a new topic about it in the appropriate forum.
    My duty here is to make sure your computer is clean :)

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
      O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
      O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
      O16 - DPF: {46431044-1B22-4EF3-B333-863AAF310153} http://download.five.tv/Download/five_3_4_0_8.cab (Reg Error: Key error.)
      @Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
      @Alternate Data Stream - 88 bytes -> C:\WINDOWS\System32\rundll32.exe:SummaryInformation
      @Alternate Data Stream - 88 bytes -> C:\WINDOWS\System32\lsass.exe:SummaryInformation
      @Alternate Data Stream - 88 bytes -> C:\WINDOWS\System32\dumprep.exe:SummaryInformation
      @Alternate Data Stream - 88 bytes -> C:\WINDOWS\System32\drwtsn32.exe:SummaryInformation
      @Alternate Data Stream - 88 bytes -> C:\Program Files\Bonjour\mDNSResponder.exe:SummaryInformation
      
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ===========================================================

    Last scans....

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • IMPORTANT! UN-check Remove found threats
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
     
  17. 2010/09/22
    SarahB (Well-Known Member, Thread Starter)
    Here's the OTL log. The rest to follow.

    All processes killed
    ========== OTL ==========
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C4069E3A-68F1-403E-B40E-20066696354B}\ not found.
    Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
    Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
    Starting removal of ActiveX control {46431044-1B22-4EF3-B333-863AAF310153}
    C:\WINDOWS\Downloaded Program Files\MediaSphere.inf moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{46431044-1B22-4EF3-B333-863AAF310153}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46431044-1B22-4EF3-B333-863AAF310153}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{46431044-1B22-4EF3-B333-863AAF310153}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46431044-1B22-4EF3-B333-863AAF310153}\ not found.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34 deleted successfully.
    ADS C:\WINDOWS\System32\rundll32.exe:SummaryInformation deleted successfully.
    ADS C:\WINDOWS\System32\lsass.exe:SummaryInformation deleted successfully.
    ADS C:\WINDOWS\System32\dumprep.exe:SummaryInformation deleted successfully.
    ADS C:\WINDOWS\System32\drwtsn32.exe:SummaryInformation deleted successfully.
    ADS C:\Program Files\Bonjour\mDNSResponder.exe:SummaryInformation deleted successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32835 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32835 bytes

    User: Sarah
    ->Temp folder emptied: 389334 bytes
    ->Temporary Internet Files folder emptied: 448574 bytes
    ->Java cache emptied: 2079771 bytes
    ->FireFox cache emptied: 42587793 bytes
    ->Flash cache emptied: 1572222 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 16384 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 45.00 mb


    [EMPTYFLASH]

    User: Administrator

    User: All Users

    User: Default User

    User: LocalService

    User: NetworkService

    User: Sarah
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.14.1 log created on 09212010_233244

    Files\Folders moved on Reboot...
    File\Folder C:\WINDOWS\temp\Perflib_Perfdata_6a0.dat not found!

    Registry entries deleted on Reboot...
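The fix script in the previous reply and the log above can be checked against each other mechanically. What follows is an added example, not OTL's own code and not from either post: it extracts each actionable line of the `:OTL` section, finds the result lines that mention the same CLSID, policy key or stream path, and reports which items were really removed, which only produced "not found", and which the log never mentions. The function names and the matching rules (`deleted successfully`, `moved successfully`, `not found`, and HKLM/HKCU expanded to the long hive names) are this example's own assumptions about OTL's log wording, taken from the lines on this page; the result log below has the lsass.exe line deliberately left out so the "unreported" case shows. One caveat worth keeping in mind when reading such fixes: a `SummaryInformation` stream on lsass.exe or rundll32.exe is the document-summary metadata Explorer stores as an NTFS alternate data stream, so deleting it touches nothing inside the executable itself.

```python
"""Reconcile an OTL fix script against the log that "Run Fix" writes.
Added example, not OTL's own code and not from the original posts. Pulls the actionable
lines out of the :OTL section, matches each to the "deleted successfully" / "moved
successfully" / "not found" lines of the result log, and reports the leftovers."""
import re

GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
POLICY_RE = re.compile(r"^O\d+ - (HK\w+)\\(.+?) present$")       # O6/O7 policy-key lines
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
         "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS"}     # OTL logs the long hive names
OUTCOMES = (("deleted successfully", "deleted"), ("moved successfully", "moved"),
            ("not found", "not_found"))

def fix_items(script):
    """[(script line, search needle)] for every actionable line of the :OTL section."""
    items, in_otl = [], False
    for raw in script.splitlines():
        line = raw.strip()
        if line.startswith(":"):                 # section switch: :OTL, :Services, :Commands ...
            in_otl = line.lower() == ":otl"
            continue
        if not in_otl or not line:
            continue
        if line.startswith("@Alternate Data Stream"):
            items.append((line, line.split("->", 1)[1].strip()))   # full path incl. :stream
            continue
        m = GUID_RE.search(line)                 # O3 toolbar / O16 DPF entries are keyed by CLSID
        if m:
            items.append((line, m.group(0)))
            continue
        m = POLICY_RE.match(line)
        if m:
            items.append((line, HIVES.get(m[1], m[1]) + "\\" + m[2]))
    return items

def classify(log_line):
    """Outcome tag for one result line, or None for progress chatter ("Starting removal ...")."""
    low = log_line.lower()
    for text, tag in OUTCOMES:
        if text in low:
            return tag
    return None

def reconcile(script, log):
    """({script line: removed | nothing_removed | unreported}, [result lines matching no item])."""
    items = fix_items(script)
    seen, unattributed = {}, []
    for raw in log.splitlines():
        line = raw.strip()
        tag = classify(line)
        if tag is None:
            continue
        hits = [label for label, needle in items if needle.lower() in line.lower()]
        if not hits:
            unattributed.append(line)
        for label in hits:
            seen.setdefault(label, []).append(tag)
    status = {}
    for label, _ in items:
        tags = seen.get(label, [])
        if "deleted" in tags or "moved" in tags:
            status[label] = "removed"
        elif tags:
            status[label] = "nothing_removed"    # every matching line said "not found"
        else:
            status[label] = "unreported"         # the log never mentioned this item
    return status, unattributed

# Fix script lines from the post above (O7 and the remaining ADS lines omitted for brevity).
FIX_SCRIPT = r"""
:OTL
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {46431044-1B22-4EF3-B333-863AAF310153} http://download.five.tv/Download/five_3_4_0_8.cab (Reg Error: Key error.)
@Alternate Data Stream - 95 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
@Alternate Data Stream - 88 bytes -> C:\WINDOWS\System32\rundll32.exe:SummaryInformation
@Alternate Data Stream - 88 bytes -> C:\WINDOWS\System32\lsass.exe:SummaryInformation
"""
# Result log from the post above, with the lsass.exe ADS line deliberately left out.
RESULT_LOG = r"""
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C4069E3A-68F1-403E-B40E-20066696354B}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
Starting removal of ActiveX control {46431044-1B22-4EF3-B333-863AAF310153}
C:\WINDOWS\Downloaded Program Files\MediaSphere.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{46431044-1B22-4EF3-B333-863AAF310153}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46431044-1B22-4EF3-B333-863AAF310153}\ not found.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34 deleted successfully.
ADS C:\WINDOWS\System32\rundll32.exe:SummaryInformation deleted successfully.
"""

if __name__ == "__main__":
    status, extra = reconcile(FIX_SCRIPT, RESULT_LOG)
    for label, state in status.items():
        print(f"{state:16} {label}")
    for line in extra:
        print("unattributed     ", line)
```

Run as-is it reports five items as removed, the lsass.exe stream as unreported, and one unattributed line (the MediaSphere.inf moved during the O16 removal, which the script never named). The distinction between "removed" and "nothing_removed" is the one to watch: an O16 entry whose every result line says "not found" was already gone, and a fix that only ever produces "not found" has changed nothing on the machine.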
     
  18. 2010/09/22
    SarahB (Well-Known Member, Thread Starter)
    Security Check log:

    Results of screen317's Security Check version 0.99.5
    Windows XP Service Pack 3
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Disabled!
    Norton Internet Security
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    Java(TM) 6 Update 21
    Adobe Flash Player 10.1.82.76
    Adobe Reader 9.3.4
    Mozilla Firefox (3.6.) Firefox Out of Date!
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Norton ccSvcHst.exe
    ````````````````````````````````
    DNS Vulnerability Check:

    GREAT! (Not vulnerable to DNS cache poisoning)

    ``````````End of Log````````````
     
  19. 2010/09/22
    SarahB (Well-Known Member, Thread Starter)
    Have done TFC.

    Eset using Firefox does not give the options of List of found threats or Export to text file.

    It had scanned though (5000+ files) and found 0.
     
  20. 2010/09/22
    broni (Moderator, Malware Analyst)
    Update your Firefox.

    ===============================================================

    Your computer is clean :)

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now we'll remove all the tools we used during our cleaning process.

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. Run defrag at your convenience.

    11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    12. Please, let me know, how is your computer doing.
     
  21. 2010/09/23
    SarahB (Well-Known Member, Thread Starter)
    Thanks Broni. The clean bill of health is good news. :)

    Here's the OTL log:

    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Sarah
    ->Temp folder emptied: 424388 bytes
    ->Temporary Internet Files folder emptied: 82322 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 18456167 bytes
    ->Flash cache emptied: 640 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 17048 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 18.00 mb


    [EMPTYFLASH]

    User: Administrator

    User: All Users

    User: Default User

    User: LocalService

    User: NetworkService

    User: Sarah
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb

    Restore points cleared and new OTL Restore Point set!

    OTL by OldTimer - Version 3.2.14.1 log created on 09232010_100214

    Files\Folders moved on Reboot...
    File\Folder C:\WINDOWS\temp\Perflib_Perfdata_6a8.dat not found!

    Registry entries deleted on Reboot...




    I've done the OTL Cleanup and deleted what was left.


    My Windows Updates are automatic.


    I thought Firefox updated automatically too. However, I've updated it manually now.


    I already have WOT (from the last time!)


    Will run MBAM and TFC weekly as you suggest. I also have SuperAntiSpyware Pro which I run at regular intervals. As does Norton.


    I have downloaded Secunia, and will defrag later.


    I am bemused how I got this virus. I've been so careful since last time. I can only think it was a pdf from a website?


    Anyway, many thanks for your help. Your instructions are so clear and easy to follow.


    My PC seems OK now. There is still an intermittent problem when I type in a password, nothing happens. A reboot solves it. This must be something unrelated then?


    Sarah
     
