IE popping up ad windows at random - redux


Post by Occam » July 8th, 2010, 1:12 am

This is a continuation of the problems described in http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=52049. The computer behaved for a few hours - long enough for the thread to be closed - but the original symptoms have returned.

Symptoms returned before OTL cleanup and other suggested preventative steps were done, so none of the suggested actions in the last post were completed. The system is in the same state it was in after TFC was run; no additional changes have been made.



Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:05:12 PM, on 7/7/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\SCardSvr.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\igfxpers.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINNT\system32\igfxsrvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
\Sean2\c\Program Files\PureText\PureText.exe
C:\Program Files\AutoMate4\Automate.exe
C:\Program Files\GridMove\GridMove.exe
C:\Program Files\WallMaster\wallmast.exe
C:\Program Files\Yahoo! Widgets\YahooWidgets.exe
C:\Program Files\Yahoo! Widgets\YahooWidgets.exe
C:\Program Files\Yahoo! Widgets\YahooWidgets.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\wdfmgr.exe
C:\WINNT\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\HiJackThis\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINNT\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [RegServer] regserve.exe
O4 - HKLM\..\Run: [TridentWatchDog] twatdog.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NVRotateSysTray] rundll32.exe C:\WINNT\system32\nvsysrot.dll,Enable
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINNT\system32\igfxpers.exe
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [TMRUBottedTray] "C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [PureText] "\\Sean2\c\Program Files\PureText\PureText.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: GridMove.lnk = C:\Program Files\GridMove\GridMove.exe
O4 - Startup: QuickMonth Calendar.lnk = C:\WINNT\qmc.exe
O4 - Startup: WallMaster Pro.lnk = C:\Program Files\WallMaster\wallmast.exe
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo! Widgets\YahooWidgets.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AutoMate Task Service.lnk = C:\Program Files\AutoMate4\Automate.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 4457702253
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Trend Micro RUBotted Service (RUBotted) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe

--
End of file - 8130 bytes

Adobe Acrobat 7.0 Professional
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Altium Designer 2004 (SP3)
Altium Designer 2004 Service Pack 4
AutoMate 4
Color LaserJet 2600n
Conexant HDA D330 MDC V.92 Modem
DivX
DivX Web Player
DVDFab 7.0.1.2 Beta (05/03/2010)
GridMove V1.19.53
High Definition Audio Driver Package - KB888111
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HiJackThis
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB952287)
Icon Restore 1.0
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
Internet Explorer Q903235
InterVideo XPack (DVD Only)
IrfanView (remove only)
Java(TM) 6 Update 20
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Antimalware
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Data Access Components KB870669
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Security Essentials
Microsoft Security Essentials
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Windows Journal Viewer
Mozilla Firefox (3.6.6)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB954459)
MuvEnum Address Bar - Windows Explorer Extension
NameIt
NEF Codec
NVIDIA Drivers
Paint.NET v3.20
QuickMonth Calendar 1.1
Realtek High Definition Audio Driver
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB960003)
Security Update for Microsoft Office Excel 2007 (KB959997)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
SmartDraw 7
TeraCopy 1.22
TOSHIBA Software Modem
Trend Micro RUBotted
Trident Display Driver
TrueCrypt
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Microsoft Office Outlook 2007 Help (KB957246)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Office 2007 (KB932080)
Update for Office 2007 (KB934391)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB973815)
Update for Windows XP (KB980182)
WallMaster Pro
Windows Genuine Advantage v1.3.0254.0
Windows Media Connect
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
WinRAR archiver
Yahoo! Install Manager
Yahoo! Widgets

Re: IE popping up ad windows at random - redux

Post by MWR 3 day Mod » July 11th, 2010, 10:54 pm

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.

Re: IE popping up ad windows at random - redux

Post by deltalima » July 12th, 2010, 8:43 am

Hi Occam,

Back with me again!

It looked like we had this one sorted – let's continue.

Please run Malwarebytes, update and run a quick scan and post the log in your next reply.

Re: IE popping up ad windows at random - redux

Post by Occam » July 12th, 2010, 4:04 pm

Yes, the sneaky little bastard was laying low for a while. Looks like the new MWB database has found a few things.



Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4306

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

7/12/2010 2:01:59 PM
mbam-log-2010-07-12 (14-01-59).txt

Scan type: Quick scan
Objects scanned: 144657
Time elapsed: 13 minute(s), 9 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
C:\Documents and Settings\LocalService\Local Settings\Application Data\xxkbpddtd\fvvllcrtssd.exe (Trojan.Downloader) -> No action taken.

Memory Modules Infected:
C:\WINNT\Temp\32.tmp (Rootkit.TDSS) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ksllnqqn (Trojan.Downloader) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ksllnqqn (Trojan.Downloader) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\LocalService\Local Settings\Application Data\xxkbpddtd\fvvllcrtssd.exe (Trojan.Downloader) -> No action taken.
C:\WINNT\Temp\32.tmp (Rootkit.TDSS) -> No action taken.
C:\WINNT\Temp\34.tmp (Rootkit.TDSS) -> No action taken.
C:\WINNT\Temp\OKnY.exe (Trojan.Downloader) -> No action taken.

Re: IE popping up ad windows at random - redux

Post by deltalima » July 12th, 2010, 4:15 pm

Hi Occam,

Malwarebytes detects Rootkit.TDSS; that fits with the symptoms and is why we ran TDSSKiller.

Please run TDSSKiller again if it is still on the desktop; if not, here are the details to download it again.

TDSSKiller

  • Please download TDSSKiller.exe and save it on your desktop.
  • Important!: only run this fix once.
  • Double click TDSSKiller.exe to run it.
  • A log file should be created on your C: drive named something like TDSSKiller.2.3.2.0 13.06.2010
  • To find the log click Start > Computer > C:.
  • Please post the contents of that log in your next reply.

Re: IE popping up ad windows at random - redux

Post by Occam » July 12th, 2010, 10:41 pm

14:28:20:369 0572 TDSS rootkit removing tool 2.3.2.2 Jun 30 2010 17:23:49
14:28:20:369 0572 ================================================================================
14:28:20:369 0572 SystemInfo:

14:28:20:369 0572 OS Version: 5.1.2600 ServicePack: 3.0
14:28:20:369 0572 Product type: Workstation
14:28:20:369 0572 ComputerName: LATITUDE
14:28:20:369 0572 UserName: User
14:28:20:369 0572 Windows directory: C:\WINNT
14:28:20:369 0572 System windows directory: C:\WINNT
14:28:20:369 0572 Processor architecture: Intel x86
14:28:20:369 0572 Number of processors: 1
14:28:20:369 0572 Page size: 0x1000
14:28:20:399 0572 Boot type: Normal boot
14:28:20:399 0572 ================================================================================
14:28:20:830 0572 Initialize success
14:28:20:830 0572
14:28:20:830 0572 Scanning Services ...
14:28:21:291 0572 Raw services enum returned 350 services
14:28:21:301 0572
14:28:21:301 0572 Scanning Drivers ...
14:28:22:863 0572 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINNT\system32\DRIVERS\ABP480N5.SYS
14:28:22:953 0572 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINNT\system32\DRIVERS\ACPI.sys
14:28:22:983 0572 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINNT\system32\drivers\ACPIEC.sys
14:28:23:033 0572 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINNT\system32\DRIVERS\adpu160m.sys
14:28:23:083 0572 aeaudio (f13d8e7e1faa31019c25eb17b5fb2662) C:\WINNT\system32\drivers\aeaudio.sys
14:28:23:153 0572 aec (8bed39e3c35d6a489438b8141717a557) C:\WINNT\system32\drivers\aec.sys
14:28:23:223 0572 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINNT\System32\drivers\afd.sys
14:28:23:304 0572 AgereSoftModem (ce91b158fa490cf4c4d487a4130f4660) C:\WINNT\system32\DRIVERS\AGRSM.sys
14:28:23:384 0572 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINNT\System32\DRIVERS\agp440.sys
14:28:23:454 0572 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINNT\System32\DRIVERS\agpCPQ.sys
14:28:23:494 0572 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINNT\system32\DRIVERS\aha154x.sys
14:28:23:504 0572 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINNT\system32\DRIVERS\aic78u2.sys
14:28:23:524 0572 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINNT\system32\DRIVERS\aic78xx.sys
14:28:23:554 0572 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINNT\system32\DRIVERS\aliide.sys
14:28:23:594 0572 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINNT\System32\DRIVERS\alim1541.sys
14:28:23:634 0572 altio (5e90a956526086634547bf8093feb699) C:\WINNT\system32\altio.sys
14:28:23:674 0572 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINNT\System32\DRIVERS\amdagp.sys
14:28:23:704 0572 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINNT\system32\DRIVERS\amsint.sys
14:28:23:744 0572 ApfiltrService (3ed81e8b4709d13e5a38db2d8e792b28) C:\WINNT\system32\DRIVERS\Apfiltr.sys
14:28:23:804 0572 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINNT\system32\DRIVERS\arp1394.sys
14:28:23:864 0572 asc (62d318e9a0c8fc9b780008e724283707) C:\WINNT\system32\DRIVERS\asc.sys
14:28:23:924 0572 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINNT\system32\DRIVERS\asc3350p.sys
14:28:23:944 0572 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINNT\system32\DRIVERS\asc3550.sys
14:28:24:005 0572 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINNT\system32\DRIVERS\asyncmac.sys
14:28:24:055 0572 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINNT\system32\DRIVERS\atapi.sys
14:28:24:135 0572 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINNT\system32\DRIVERS\atmarpc.sys
14:28:24:235 0572 ATSWPDRV (d19c1309c83123647b233a71e8a05683) C:\WINNT\system32\Drivers\ATSwpDrv.sys
14:28:24:325 0572 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINNT\system32\DRIVERS\audstub.sys
14:28:24:415 0572 b57w2k (f96038aa1ec4013a93d2420fc689d1e9) C:\WINNT\system32\DRIVERS\b57xp32.sys
14:28:24:475 0572 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINNT\system32\drivers\Beep.sys
14:28:24:575 0572 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINNT\system32\DRIVERS\cbidf2k.sys
14:28:24:615 0572 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINNT\system32\drivers\cbidf2k.sys
14:28:24:635 0572 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINNT\system32\DRIVERS\cd20xrnt.sys
14:28:24:655 0572 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINNT\system32\drivers\Cdaudio.sys
14:28:24:706 0572 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINNT\system32\drivers\Cdfs.sys
14:28:24:716 0572 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINNT\system32\DRIVERS\cdrom.sys
14:28:24:786 0572 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINNT\system32\DRIVERS\CmBatt.sys
14:28:24:886 0572 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINNT\system32\DRIVERS\cmdide.sys
14:28:24:956 0572 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINNT\system32\DRIVERS\compbatt.sys
14:28:25:016 0572 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINNT\system32\DRIVERS\cpqarray.sys
14:28:25:096 0572 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINNT\system32\DRIVERS\dac2w2k.sys
14:28:25:106 0572 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINNT\system32\DRIVERS\dac960nt.sys
14:28:25:166 0572 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINNT\system32\DRIVERS\disk.sys
14:28:25:286 0572 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINNT\system32\drivers\dmboot.sys
14:28:25:376 0572 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINNT\system32\drivers\dmio.sys
14:28:25:407 0572 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINNT\system32\drivers\dmload.sys
14:28:25:437 0572 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINNT\system32\drivers\DMusic.sys
14:28:25:487 0572 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINNT\system32\DRIVERS\dpti2o.sys
14:28:25:537 0572 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINNT\system32\drivers\drmkaud.sys
14:28:25:647 0572 E1000 (8179a01475f75417011e27e322c7e0e3) C:\WINNT\system32\DRIVERS\e1000325.sys
14:28:25:897 0572 E100B (fae8b6b311f898df3d19bc638e980ca5) C:\WINNT\system32\DRIVERS\e100b325.sys
14:28:26:067 0572 e1express (34aaa3b298a852b3663e6e0d94d12945) C:\WINNT\system32\DRIVERS\e1e5132.sys
14:28:26:128 0572 Fastfat (38d332a6d56af32635675f132548343e) C:\WINNT\system32\drivers\Fastfat.sys
14:28:26:218 0572 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINNT\system32\drivers\Fdc.sys
14:28:26:248 0572 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINNT\system32\drivers\Fips.sys
14:28:26:298 0572 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINNT\system32\drivers\Flpydisk.sys
14:28:26:328 0572 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINNT\system32\drivers\fltmgr.sys
14:28:26:348 0572 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINNT\system32\drivers\Fs_Rec.sys
14:28:26:388 0572 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINNT\system32\DRIVERS\ftdisk.sys
14:28:26:428 0572 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINNT\system32\DRIVERS\msgpc.sys
14:28:26:468 0572 guardian2 (c0bdab85f3e8b2138c513255e2bcc4d8) C:\WINNT\system32\Drivers\oz776.sys
14:28:26:518 0572 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINNT\system32\DRIVERS\HDAudBus.sys
14:28:26:558 0572 HECI (66fed3eeabdce17829edf4c68702ed22) C:\WINNT\system32\DRIVERS\HECI.sys
14:28:26:618 0572 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINNT\system32\DRIVERS\hidusb.sys
14:28:26:658 0572 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINNT\system32\DRIVERS\hpn.sys
14:28:26:748 0572 HSFHWAZL (290cdbb05903742ea06b7203c5a662f5) C:\WINNT\system32\DRIVERS\HSFHWAZL.sys
14:28:26:809 0572 HSF_DPV (7ab812355f98858b9ecdd46e6fcc221f) C:\WINNT\system32\DRIVERS\HSF_DPV.sys
14:28:26:939 0572 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINNT\system32\Drivers\HTTP.sys
14:28:27:009 0572 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINNT\system32\drivers\i2omgmt.sys
14:28:27:029 0572 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINNT\system32\DRIVERS\i2omp.sys
14:28:27:069 0572 i8042prt (f8a2ade0419a2ce267140b18aa260b57) C:\WINNT\system32\DRIVERS\i8042prt.sys
14:28:27:069 0572 Suspicious file (Forged): C:\WINNT\system32\DRIVERS\i8042prt.sys. Real md5: f8a2ade0419a2ce267140b18aa260b57, Fake md5: ac0926a736b41f6bb893ddd678418656
14:28:27:069 0572 File "C:\WINNT\system32\DRIVERS\i8042prt.sys" infected by TDSS rootkit ... 14:28:28:581 0572 Backup copy found, using it..
14:28:28:621 0572 will be cured on next reboot
14:28:28:872 0572 ialm (48846b31be5a4fa662ccfde7a1ba86b9) C:\WINNT\system32\DRIVERS\igxpmp32.sys
14:28:29:112 0572 iaStor (2358c53f30cb9dcd1d3843c4e2f299b2) C:\WINNT\system32\DRIVERS\iaStor.sys
14:28:29:162 0572 IFXTPM (0b556e950404d90d097c687e65238730) C:\WINNT\system32\DRIVERS\IFXTPM.SYS
14:28:29:222 0572 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINNT\system32\DRIVERS\imapi.sys
14:28:29:252 0572 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINNT\system32\DRIVERS\ini910u.sys
14:28:29:452 0572 IntcAzAudAddService (00c5e8161d71f6a51885026e1853c027) C:\WINNT\system32\drivers\RtkHDAud.sys
14:28:29:593 0572 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINNT\system32\DRIVERS\intelide.sys
14:28:29:623 0572 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINNT\system32\DRIVERS\intelppm.sys
14:28:29:673 0572 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINNT\system32\drivers\ip6fw.sys
14:28:29:723 0572 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINNT\system32\DRIVERS\ipfltdrv.sys
14:28:29:763 0572 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINNT\system32\DRIVERS\ipinip.sys
14:28:29:813 0572 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINNT\system32\DRIVERS\ipnat.sys
14:28:29:833 0572 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINNT\system32\DRIVERS\ipsec.sys
14:28:29:873 0572 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINNT\system32\DRIVERS\irenum.sys
14:28:29:923 0572 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINNT\system32\DRIVERS\isapnp.sys
14:28:29:953 0572 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINNT\system32\DRIVERS\kbdclass.sys
14:28:30:033 0572 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINNT\system32\DRIVERS\kbdhid.sys
14:28:30:093 0572 klmd23 (316353165feba3d0538eaa9c2f60c5b7) C:\WINNT\system32\drivers\klmd.sys
14:28:30:173 0572 kmixer (692bcf44383d056aed41b045a323d378) C:\WINNT\system32\drivers\kmixer.sys
14:28:30:304 0572 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINNT\system32\drivers\KSecDD.sys
14:28:30:374 0572 MBAMSwissArmy (c7dd7d9739785bd3a6b8499eec1dee7e) C:\WINNT\system32\drivers\mbamswissarmy.sys
14:28:30:394 0572 mdmxsdk (195741aee20369980796b557358cd774) C:\WINNT\system32\DRIVERS\mdmxsdk.sys
14:28:30:444 0572 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINNT\system32\drivers\mnmdd.sys
14:28:30:484 0572 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINNT\system32\drivers\Modem.sys
14:28:30:574 0572 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINNT\system32\DRIVERS\mouclass.sys
14:28:30:674 0572 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINNT\system32\DRIVERS\mouhid.sys
14:28:30:714 0572 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINNT\system32\drivers\MountMgr.sys
14:28:30:764 0572 MpFilter (c98301ad8173a2235a9ab828955c32bb) C:\WINNT\system32\DRIVERS\MpFilter.sys
14:28:30:874 0572 MpKslc8b3d12c (5f53edfead46fa7adb78eee9ecce8fdf) C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C3B635D8-0BAC-4974-9E0F-6000E3DB5045}\MpKslc8b3d12c.sys
14:28:31:005 0572 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINNT\system32\DRIVERS\mraid35x.sys
14:28:31:105 0572 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINNT\system32\DRIVERS\mrxdav.sys
14:28:31:165 0572 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINNT\system32\DRIVERS\mrxsmb.sys
14:28:31:195 0572 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINNT\system32\drivers\Msfs.sys
14:28:31:235 0572 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINNT\system32\drivers\MSKSSRV.sys
14:28:31:295 0572 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINNT\system32\drivers\MSPCLOCK.sys
14:28:31:365 0572 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINNT\system32\drivers\MSPQM.sys
14:28:31:405 0572 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINNT\system32\DRIVERS\mssmbios.sys
14:28:31:435 0572 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINNT\system32\drivers\Mup.sys
14:28:31:545 0572 NDIS (1df7f42665c94b825322fae71721130d) C:\WINNT\system32\drivers\NDIS.sys
14:28:31:595 0572 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINNT\system32\DRIVERS\ndistapi.sys
14:28:31:635 0572 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINNT\system32\DRIVERS\ndisuio.sys
14:28:31:686 0572 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINNT\system32\DRIVERS\ndiswan.sys
14:28:31:736 0572 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINNT\system32\drivers\NDProxy.sys
14:28:31:756 0572 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINNT\system32\DRIVERS\netbios.sys
14:28:31:816 0572 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINNT\system32\DRIVERS\netbt.sys
14:28:31:916 0572 NETw3x32 (f43da6b7e26fff9ac4d3210f2f9b5d8c) C:\WINNT\system32\DRIVERS\NETw3x32.sys
14:28:32:096 0572 NETw4x32 (a9574f52e2fd5c1c1b4807a326e0488f) C:\WINNT\system32\DRIVERS\NETw4x32.sys
14:28:32:497 0572 NETw5x32 (aa88346ab7849a1cb34bd3424febfece) C:\WINNT\system32\DRIVERS\NETw5x32.sys
14:28:32:657 0572 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINNT\system32\DRIVERS\nic1394.sys
14:28:32:717 0572 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINNT\system32\drivers\Npfs.sys
14:28:32:757 0572 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINNT\system32\drivers\Ntfs.sys
14:28:32:857 0572 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINNT\system32\drivers\Null.sys
14:28:33:017 0572 nv (41bea0680a04740113b0b0678a007e96) C:\WINNT\system32\DRIVERS\nv4_mini.sys
14:28:33:178 0572 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINNT\system32\DRIVERS\nwlnkflt.sys
14:28:33:208 0572 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINNT\system32\DRIVERS\nwlnkfwd.sys
14:28:33:258 0572 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINNT\system32\DRIVERS\ohci1394.sys
14:28:33:308 0572 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINNT\system32\DRIVERS\parport.sys
14:28:33:348 0572 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINNT\system32\drivers\PartMgr.sys
14:28:33:398 0572 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINNT\system32\drivers\ParVdm.sys
14:28:33:428 0572 PCI (a219903ccf74233761d92bef471a07b1) C:\WINNT\system32\DRIVERS\pci.sys
14:28:33:488 0572 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINNT\system32\DRIVERS\pciide.sys
14:28:33:498 0572 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINNT\system32\DRIVERS\pcmcia.sys
14:28:33:538 0572 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINNT\system32\Drivers\pcouffin.sys
14:28:33:608 0572 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINNT\system32\DRIVERS\perc2.sys
14:28:33:608 0572 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINNT\system32\DRIVERS\perc2hib.sys
14:28:33:638 0572 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINNT\system32\DRIVERS\raspptp.sys
14:28:33:779 0572 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINNT\system32\DRIVERS\processr.sys
14:28:33:809 0572 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINNT\system32\DRIVERS\psched.sys
14:28:33:829 0572 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINNT\system32\DRIVERS\ptilink.sys
14:28:33:869 0572 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINNT\system32\DRIVERS\ql1080.sys
14:28:33:909 0572 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINNT\system32\DRIVERS\ql10wnt.sys
14:28:33:929 0572 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINNT\system32\DRIVERS\ql12160.sys
14:28:33:959 0572 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINNT\system32\DRIVERS\ql1240.sys
14:28:33:979 0572 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINNT\system32\DRIVERS\ql1280.sys
14:28:34:039 0572 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINNT\system32\DRIVERS\rasacd.sys
14:28:34:059 0572 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINNT\system32\DRIVERS\rasirda.sys
14:28:34:109 0572 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINNT\system32\DRIVERS\rasl2tp.sys
14:28:34:119 0572 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINNT\system32\DRIVERS\raspppoe.sys
14:28:34:129 0572 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINNT\system32\DRIVERS\raspti.sys
14:28:34:159 0572 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINNT\system32\DRIVERS\rdbss.sys
14:28:34:169 0572 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINNT\system32\DRIVERS\RDPCDD.sys
14:28:34:179 0572 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINNT\system32\DRIVERS\rdpdr.sys
14:28:34:209 0572 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINNT\system32\drivers\RDPWD.sys
14:28:34:259 0572 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINNT\system32\DRIVERS\REDBOOK.SYS
14:28:34:299 0572 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINNT\system32\DRIVERS\sdbus.sys
14:28:34:349 0572 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINNT\system32\DRIVERS\secdrv.sys
14:28:34:409 0572 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINNT\system32\DRIVERS\serenum.sys
14:28:34:470 0572 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINNT\system32\DRIVERS\serial.sys
14:28:34:510 0572 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINNT\system32\DRIVERS\sfloppy.sys
14:28:34:580 0572 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINNT\System32\DRIVERS\sisagp.sys
14:28:34:620 0572 SMCIRDA (9951b523fe6820f29ef010680cb692d2) C:\WINNT\system32\DRIVERS\smcirda.sys
14:28:34:700 0572 smwdm (014ab093e6452ea88031bb6e22919bb5) C:\WINNT\system32\drivers\smwdm.sys
14:28:34:770 0572 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINNT\system32\DRIVERS\sparrow.sys
14:28:34:830 0572 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINNT\system32\drivers\splitter.sys
14:28:34:850 0572 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINNT\System32\DRIVERS\sr.sys
14:28:34:900 0572 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINNT\system32\DRIVERS\srv.sys
14:28:35:000 0572 STHDA (951801dfb54d86f611f0af47825476f9) C:\WINNT\system32\drivers\sthda.sys
14:28:35:110 0572 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINNT\system32\DRIVERS\swenum.sys
14:28:35:131 0572 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINNT\system32\drivers\swmidi.sys
14:28:35:161 0572 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINNT\system32\DRIVERS\symc810.sys
14:28:35:201 0572 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINNT\system32\DRIVERS\symc8xx.sys
14:28:35:211 0572 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINNT\system32\DRIVERS\sym_hi.sys
14:28:35:231 0572 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINNT\system32\DRIVERS\sym_u3.sys
14:28:35:261 0572 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINNT\system32\drivers\sysaudio.sys
14:28:35:311 0572 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINNT\system32\DRIVERS\tcpip.sys
14:28:35:371 0572 TcUsb (5ca437a08509fb7ecf843480fc1232e2) C:\WINNT\system32\Drivers\tcusb.sys
14:28:35:421 0572 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINNT\system32\drivers\TDPIPE.sys
14:28:35:481 0572 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINNT\system32\drivers\TDTCP.sys
14:28:35:511 0572 TermDD (88155247177638048422893737429d9e) C:\WINNT\system32\DRIVERS\termdd.sys
14:28:35:751 0572 TMPassthru (f9e86952f5e03e60b3393179e3187151) C:\WINNT\system32\DRIVERS\TMPassthru.sys
14:28:35:832 0572 TMPassthruMP (f9e86952f5e03e60b3393179e3187151) C:\WINNT\system32\DRIVERS\TMPassthru.sys
14:28:36:002 0572 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINNT\system32\DRIVERS\toside.sys
14:28:36:162 0572 tridxp4 (87469be05bf6b12027ac7b40d059b613) C:\WINNT\system32\DRIVERS\tridxp4m.sys
14:28:36:382 0572 truecrypt (0f36134bc7897ac0b038b64fa23c4df9) C:\WINNT\system32\drivers\truecrypt.sys
14:28:36:593 0572 tsdhd (01991b3ce900fa7154adcce6e2936c55) C:\WINNT\system32\DRIVERS\tsdhd.sys
14:28:36:633 0572 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINNT\system32\drivers\Udfs.sys
14:28:36:683 0572 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINNT\system32\DRIVERS\ultra.sys
14:28:36:723 0572 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINNT\system32\DRIVERS\update.sys
14:28:36:743 0572 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINNT\system32\DRIVERS\usbehci.sys
14:28:36:773 0572 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINNT\system32\DRIVERS\usbhub.sys
14:28:36:803 0572 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINNT\system32\DRIVERS\USBSTOR.SYS
14:28:36:813 0572 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINNT\system32\DRIVERS\usbuhci.sys
14:28:36:833 0572 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINNT\System32\drivers\vga.sys
14:28:36:883 0572 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINNT\System32\DRIVERS\viaagp.sys
14:28:36:943 0572 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINNT\system32\DRIVERS\viaide.sys
14:28:36:963 0572 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINNT\system32\drivers\VolSnap.sys
14:28:37:103 0572 w29n51 (9ee38ffcb4cbe5bee6c305700ddc4725) C:\WINNT\system32\DRIVERS\w29n51.sys
14:28:37:274 0572 w70n51 (3eccbb3689807787cd4c0fed20b1d0d8) C:\WINNT\system32\DRIVERS\w70n51.sys
14:28:37:344 0572 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINNT\system32\DRIVERS\wanarp.sys
14:28:37:374 0572 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINNT\system32\drivers\wdmaud.sys
14:28:37:454 0572 winachsf (a8596cf86d445269a42ecc08b7066a4c) C:\WINNT\system32\DRIVERS\HSF_CNXT.sys
14:28:37:524 0572 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINNT\system32\DRIVERS\wmiacpi.sys
14:28:37:554 0572 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINNT\System32\drivers\ws2ifsl.sys
14:28:37:594 0572 yukonwxp (bac4e920c920168c302c90c0f37740f6) C:\WINNT\system32\DRIVERS\yk51x86.sys
14:28:37:604 0572 Reboot required for cure complete..
14:28:38:005 0572 Cure on reboot scheduled successfully
14:28:38:005 0572
14:28:38:005 0572 Completed
14:28:38:005 0572
14:28:38:005 0572 Results:
14:28:38:005 0572 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
14:28:38:005 0572 File objects infected / cured / cured on reboot: 1 / 0 / 1
14:28:38:005 0572
14:28:38:005 0572 KLMD(ARK) unloaded successfully
Occam
Regular Member
Posts: 26
Joined: June 30th, 2010, 3:24 am
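
The following Python script is an added illustration for readers of this thread; it is not part of the original post and not code from TDSSKiller. It parses driver lines in the format of the TDSSKiller log above (timestamp, PID, service name, MD5 in parentheses, path) and produces three review cues: drivers loaded from outside %SystemRoot%\system32\drivers, two service names backed by the same file hash, and a cure that is still pending a reboot. The sample lines are copied from the log above; the cues are prompts to look, not verdicts. In this sample the off-path driver sits under the Microsoft Antimalware definition-update folder and the shared hash is the two Trend Micro passthru entries, both of which a helper would expect to see.

```python
import re
from collections import defaultdict

# Sample lines copied from the TDSSKiller log in this thread (the full log is
# much longer); the results block is quoted as logged.
SAMPLE_LOG = r"""
14:28:30:764 0572 MpFilter (c98301ad8173a2235a9ab828955c32bb) C:\WINNT\system32\DRIVERS\MpFilter.sys
14:28:30:874 0572 MpKslc8b3d12c (5f53edfead46fa7adb78eee9ecce8fdf) C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C3B635D8-0BAC-4974-9E0F-6000E3DB5045}\MpKslc8b3d12c.sys
14:28:35:751 0572 TMPassthru (f9e86952f5e03e60b3393179e3187151) C:\WINNT\system32\DRIVERS\TMPassthru.sys
14:28:35:832 0572 TMPassthruMP (f9e86952f5e03e60b3393179e3187151) C:\WINNT\system32\DRIVERS\TMPassthru.sys
14:28:36:382 0572 truecrypt (0f36134bc7897ac0b038b64fa23c4df9) C:\WINNT\system32\drivers\truecrypt.sys
14:28:37:604 0572 Reboot required for cure complete..
14:28:38:005 0572 Cure on reboot scheduled successfully
14:28:38:005 0572 Results:
14:28:38:005 0572 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
14:28:38:005 0572 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

# One enumerated driver: time, pid, service name, 32-hex MD5, image path.
DRIVER_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}:\d{3})\s+(?P<pid>\d+)\s+"
    r"(?P<service>\S+)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>.+?)\s*$"
)
# The two summary lines at the end of the log.
RESULT_RE = re.compile(
    r"(?P<kind>Registry|File) objects infected / cured / cured on reboot: "
    r"(?P<infected>\d+) / (?P<cured>\d+) / (?P<on_reboot>\d+)"
)


def parse_log(text):
    """Return (list of driver dicts, {kind: (infected, cured, on_reboot)})."""
    drivers, results = [], {}
    for line in text.splitlines():
        m = DRIVER_RE.match(line)
        if m:
            drivers.append(m.groupdict())
            continue
        m = RESULT_RE.search(line)
        if m:
            results[m.group("kind")] = tuple(
                int(m.group(k)) for k in ("infected", "cured", "on_reboot")
            )
    return drivers, results


def triage(drivers, results, system_root=r"C:\WINNT"):
    """Review cues: off-path drivers, shared hashes, cures waiting on reboot."""
    expected = system_root.lower() + "\\system32\\drivers\\"
    off_path = [d["service"] for d in drivers
                if not d["path"].lower().startswith(expected)]
    by_hash = defaultdict(list)
    for d in drivers:
        by_hash[d["md5"].lower()].append(d["service"])
    shared = {h: names for h, names in by_hash.items() if len(names) > 1}
    pending = sum(v[2] for v in results.values())
    return {"off_path": off_path, "shared_hash": shared,
            "cure_pending_on_reboot": pending}


if __name__ == "__main__":
    drv, res = parse_log(SAMPLE_LOG)
    for key, value in triage(drv, res).items():
        print(f"{key}: {value}")
```

A non-zero `cure_pending_on_reboot` is the reason the helper's next instruction is simply to reboot before scanning again: the cure is scheduled, not done.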

Re: IE popping up ad windows at random - redux

Post by deltalima » July 13th, 2010, 3:10 am

Hi Occam,

Please reboot if you have not already done so.

Now please run a quick scan with Malwarebytes and remove any infections found. Please post the log in your next reply.

The following tools may still be installed from before; if so, use the version on your desktop. If not, follow the instructions to download and run them.

TFC

  • Please download TFC to your desktop.
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • Click the Start button in the bottom left of TFC
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It should not take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.


Download and run OTL
Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized
  • Please post only the contents of OTL.txt along with the log from Malwarebytes in your next reply.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK
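
Added example, not from this thread and not code from OTL: a small Python triage for the O4 (autostart) and DRV (driver service) lines in an OTL log of the kind requested above. It lists entries OTL marks "File not found" (registry or Startup-folder references whose target is no longer on disk), Run values with an empty name, and executables OTL reports with no publisher string. The sample lines are constructed in the format of the OTL output posted later in this thread, not a complete log; the flags are prompts for the helper to review, not verdicts (a missing publisher string is common for small third-party tools).

```python
import re

# Constructed sample in the format of OTL's DRV and O4 sections; not a full log.
SAMPLE_OTL = r"""
DRV - (HSXHWAZL) -- C:\WINNT\System32\DRIVERS\HSXHWAZL.sys File not found
DRV - (fkwzgmie) -- C:\WINNT\System32\drivers\fkwzgmie.sys File not found
DRV - (MpFilter) -- C:\WINNT\system32\drivers\MpFilter.sys (Microsoft Corporation)
DRV - (NETw5x32) Intel(R) -- C:\WINNT\system32\drivers\NETw5x32.sys (Intel Corporation)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [RegServer] C:\WINNT\System32\RegServe.exe ()
O4 - HKU\S-1-5-21-3121265979-145127783-2100734864-1051..\Run: [PureText] File not found
O4 - HKLM..\RunOnce: [New Value #1] Reg Error: Invalid data type. File not found
O4 - Startup: C:\Documents and Settings\User\Start Menu\Programs\Startup\GridMove.lnk = C:\Program Files\GridMove\GridMove.exe ()
O4 - Startup: C:\Documents and Settings\User\Start Menu\Programs\Startup\QuickMonth Calendar.lnk = C:\WINNT\qmc.exe File not found
"""

# DRV - (ServiceName) optional description -- path (Vendor) | File not found
DRV_RE = re.compile(r"^DRV - \((?P<name>[^)]*)\)(?: (?P<desc>.*?))? -- (?P<rest>.+)$")
# O4 - <hive>..\Run[Once]: [ValueName] path (Vendor) | File not found
O4_REG_RE = re.compile(
    r"^O4 - (?P<hive>[^:]+?)\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<rest>.*)$"
)
# O4 - Startup: <shortcut>.lnk = target (Vendor) | File not found
O4_STARTUP_RE = re.compile(r"^O4 - Startup: (?P<lnk>.+?) = (?P<rest>.*)$")

MISSING = "File not found"


def split_target(rest):
    """Split the tail of an OTL line into (target, vendor, missing)."""
    if rest.endswith(MISSING):
        return rest[: -len(MISSING)].strip(), None, True
    m = re.match(r"^(?P<target>.*?)\s*\((?P<vendor>[^)]*)\)$", rest)
    if m:
        return m.group("target"), m.group("vendor"), False
    return rest.strip(), None, False


def parse_otl(text):
    """Return one dict per recognised DRV / O4 line."""
    entries = []
    for line in text.splitlines():
        for kind, rx in (("DRV", DRV_RE), ("O4", O4_REG_RE), ("O4", O4_STARTUP_RE)):
            m = rx.match(line)
            if not m:
                continue
            target, vendor, missing = split_target(m.group("rest"))
            if rx is DRV_RE:
                where, name = "services", m.group("name")
            elif rx is O4_REG_RE:
                where, name = m.group("hive") + "\\" + m.group("key"), m.group("name")
            else:  # Startup folder shortcut: use the .lnk file name
                where, name = "Startup", m.group("lnk").rsplit("\\", 1)[-1]
            entries.append({"kind": kind, "where": where, "name": name,
                            "target": target, "vendor": vendor, "missing": missing})
            break
    return entries


def triage(entries):
    """Review cues: orphaned references, unnamed Run values, no publisher."""
    return {
        "missing": [(e["kind"], e["where"], e["name"]) for e in entries if e["missing"]],
        "unnamed_run": [e["where"] for e in entries
                        if e["kind"] == "O4" and e["where"] != "Startup" and e["name"] == ""],
        "no_vendor": [e["name"] for e in entries if e["vendor"] == ""],
    }


if __name__ == "__main__":
    for key, value in triage(parse_otl(SAMPLE_OTL)).items():
        print(f"{key}: {value}")
```

Orphaned entries are the usual cleanup targets in a thread like this: they load nothing but show where something used to be, so a helper will normally have them removed and then check that the randomly named ones do not come back.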

Re: IE popping up ad windows at random - redux

Post by Occam » July 13th, 2010, 11:10 am

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4308

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

7/13/2010 8:20:05 AM
mbam-log-2010-07-13 (08-20-05).txt

Scan type: Quick scan
Objects scanned: 145625
Time elapsed: 15 minute(s), 39 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
C:\Documents and Settings\LocalService\Local Settings\Application Data\xxkbpddtd\fvvllcrtssd.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ksllnqqn (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ksllnqqn (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\LocalService\Local Settings\Application Data\xxkbpddtd\fvvllcrtssd.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINNT\Temp\32.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINNT\Temp\OKnY.exe (Trojan.Downloader) -> Quarantined and deleted successfully.


----------------------------------------------------------------------------

OTL logfile created on: 7/13/2010 8:55:18 AM - Run 3
OTL by OldTimer - Version 3.2.7.1 Folder = C:\Documents and Settings\User\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 435.00 Mb Available Physical Memory | 43.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 111.75 Gb Total Space | 96.93 Gb Free Space | 86.74% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LATITUDE
Current User Name: User
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\User\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
PRC - c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)
PRC - C:\WINNT\system32\snmp.exe (Microsoft Corporation)
PRC - C:\WINNT\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\GridMove\GridMove.exe ()
PRC - C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe (Trend Micro Inc.)
PRC - C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe (Trend Micro Inc.)
PRC - C:\Program Files\Yahoo! Widgets\YahooWidgets.exe (Yahoo! Inc.)
PRC - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe (Adobe Systems Incorporated)
PRC - C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe (Adobe Systems Inc.)
PRC - \\Sean2\c\Program Files\PureText\PureText.exe (http://www.SteveMiller.net)
PRC - C:\Program Files\WallMaster\wallmast.exe (Tropical Wares)
PRC - C:\Program Files\AutoMate4\Automate.exe (Unisyn Software, LLC)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\User\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINNT\system32\netui1.dll (Microsoft Corporation)
MOD - C:\WINNT\system32\netui0.dll (Microsoft Corporation)
MOD - C:\WINNT\system32\ntlanman.dll (Microsoft Corporation)
MOD - C:\WINNT\system32\netrap.dll (Microsoft Corporation)
MOD - C:\WINNT\system32\drprov.dll (Microsoft Corporation)
MOD - C:\WINNT\system32\davclnt.dll (Microsoft Corporation)
MOD - C:\WINNT\system32\msscript.ocx (Microsoft Corporation)
MOD - C:\WINNT\system32\xpsp2res.dll (Microsoft Corporation)
MOD - C:\WINNT\system32\amnt.dll (Unisyn Software, LLC)


========== Win32 Services (SafeList) ==========

SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)
SRV - (SNMP) -- C:\WINNT\system32\snmp.exe (Microsoft Corporation)
SRV - (RUBotted) -- C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe (Trend Micro Inc.)


========== Driver Services (SafeList) ==========

DRV - (HSXHWAZL) -- C:\WINNT\System32\DRIVERS\HSXHWAZL.sys File not found
DRV - (fkwzgmie) -- C:\WINNT\System32\drivers\fkwzgmie.sys File not found
DRV - (MpFilter) -- C:\WINNT\system32\drivers\MpFilter.sys (Microsoft Corporation)
DRV - (NETw5x32) Intel(R) -- C:\WINNT\system32\drivers\NETw5x32.sys (Intel Corporation)
DRV - (amdagp) -- C:\WINNT\System32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)
DRV - (sisagp) -- C:\WINNT\System32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)
DRV - (HDAudBus) -- C:\WINNT\system32\drivers\hdaudbus.sys (Windows (R) Server 2003 DDK provider)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINNT\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (e1express) Intel(R) -- C:\WINNT\system32\drivers\e1e5132.sys (Intel Corporation)
DRV - (ialm) -- C:\WINNT\system32\drivers\igxpmp32.sys (Intel Corporation)
DRV - (guardian2) -- C:\WINNT\system32\drivers\oz776.sys (O2Micro)
DRV - (TcUsb) -- C:\WINNT\system32\drivers\tcusb.sys (UPEK Inc.)
DRV - (TMPassthruMP) -- C:\WINNT\system32\drivers\TMPassthru.sys (Trend Micro Inc.)
DRV - (TMPassthru) -- C:\WINNT\system32\drivers\TMPassthru.sys (Trend Micro Inc.)
DRV - (HSF_DPV) -- C:\WINNT\system32\drivers\HSF_DPV.sys (Conexant Systems, Inc.)
DRV - (HSFHWAZL) -- C:\WINNT\system32\drivers\HSFHWAZL.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINNT\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (iaStor) -- C:\WINNT\system32\DRIVERS\iaStor.sys (Intel Corporation)
DRV - (NETw4x32) Intel(R) -- C:\WINNT\system32\drivers\NETw4x32.sys (Intel Corporation)
DRV - (STHDA) -- C:\WINNT\system32\drivers\sthda.sys (SigmaTel, Inc.)
DRV - (truecrypt) -- C:\WINNT\system32\drivers\truecrypt.sys (TrueCrypt Foundation)
DRV - (HECI) Intel(R) -- C:\WINNT\system32\drivers\HECI.sys (Intel Corporation)
DRV - (b57w2k) -- C:\WINNT\system32\drivers\b57xp32.sys (Broadcom Corporation)
DRV - (AgereSoftModem) -- C:\WINNT\system32\drivers\AGRSM.sys (Agere Systems)
DRV - (NETw3x32) Intel(R) -- C:\WINNT\system32\drivers\NETw3x32.sys (Intel® Corporation)
DRV - (nv) -- C:\WINNT\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (w29n51) Intel(R) -- C:\WINNT\system32\drivers\w29n51.sys (Intel® Corporation)
DRV - (IFXTPM) -- C:\WINNT\system32\drivers\ifxtpm.sys (Infineon Technologies AG)
DRV - (ATSWPDRV) AuthenTec TruePrint USB Driver (AES2500) -- C:\WINNT\system32\drivers\ATSwpDrv.sys (AuthenTec, Inc.)
DRV - (yukonwxp) -- C:\WINNT\system32\drivers\yk51x86.sys (Marvell)
DRV - (altio) -- C:\WINNT\system32\altio.sys (Altium Limited)
DRV - (ApfiltrService) -- C:\WINNT\system32\drivers\Apfiltr.sys (Alps Electric Co., Ltd.)
DRV - (w70n51) Intel(R) -- C:\WINNT\system32\drivers\w70n51.sys (Intel® Corporation)
DRV - (tridxp4) -- C:\WINNT\system32\drivers\tridxp4m.sys (Trident Microsystems Inc.)
DRV - (tsdhd) -- C:\WINNT\system32\drivers\tsdhd.sys (TOSHIBA Corporation)
DRV - (SMCIRDA) -- C:\WINNT\system32\drivers\smcirda.sys (SMC)
DRV - (Sparrow) -- C:\WINNT\system32\DRIVERS\sparrow.sys (Adaptec, Inc.)
DRV - (sym_u3) -- C:\WINNT\system32\DRIVERS\sym_u3.sys (LSI Logic)
DRV - (sym_hi) -- C:\WINNT\system32\DRIVERS\sym_hi.sys (LSI Logic)
DRV - (symc8xx) -- C:\WINNT\system32\DRIVERS\symc8xx.sys (LSI Logic)
DRV - (symc810) -- C:\WINNT\system32\DRIVERS\symc810.sys (Symbios Logic Inc.)
DRV - (ultra) -- C:\WINNT\system32\DRIVERS\ultra.sys (Promise Technology, Inc.)
DRV - (ql12160) -- C:\WINNT\system32\DRIVERS\ql12160.sys (QLogic Corporation)
DRV - (ql1080) -- C:\WINNT\system32\DRIVERS\ql1080.sys (QLogic Corporation)
DRV - (ql1280) -- C:\WINNT\system32\DRIVERS\ql1280.sys (QLogic Corporation)
DRV - (dac2w2k) -- C:\WINNT\system32\DRIVERS\dac2w2k.sys (Mylex Corporation)
DRV - (mraid35x) -- C:\WINNT\system32\DRIVERS\mraid35x.sys (American Megatrends Inc.)
DRV - (asc) -- C:\WINNT\system32\DRIVERS\asc.sys (Advanced System Products, Inc.)
DRV - (asc3550) -- C:\WINNT\system32\DRIVERS\asc3550.sys (Advanced System Products, Inc.)
DRV - (AliIde) -- C:\WINNT\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (CmdIde) -- C:\WINNT\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-3121265979-145127783-2100734864-1051\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
IE - HKU\S-1-5-21-3121265979-145127783-2100734864-1051\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
IE - HKU\S-1-5-21-3121265979-145127783-2100734864-1051\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "eBay.ca"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.ca/"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: foxmarks@kei.com:3.7.9
FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:1.1.10
FF - prefs.js..extensions.enabledItems: {a7c6cf7f-112c-4500-a7ea-39801a327e5f}:1.0.9
FF - prefs.js..extensions.enabledItems: validator@totalvalidator.com:6.5.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/08 20:41:22 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/07 16:24:14 | 000,000,000 | ---D | M]

[2010/05/20 21:16:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Extensions
[2010/07/11 22:12:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\um64otsq.default\extensions
[2010/07/07 16:19:32 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\um64otsq.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2010/06/25 00:15:35 | 000,000,000 | ---D | M] (FireFTP) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\um64otsq.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
[2010/06/25 00:15:35 | 000,000,000 | ---D | M] (DownThemAll!) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\um64otsq.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2010/07/02 15:50:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\um64otsq.default\extensions\foxmarks@kei.com
[2010/06/29 14:22:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\um64otsq.default\extensions\validator@totalvalidator.com
[2010/07/02 01:54:12 | 000,002,979 | ---- | M] () -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\um64otsq.default\searchplugins\ebayca.xml
[2010/07/11 22:12:28 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/07/07 16:24:15 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/04/12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2007/03/09 17:16:44 | 000,189,496 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npyaxmpb.dll

O1 HOSTS File: ([2002/08/29 06:00:00 | 000,000,734 | ---- | M]) - C:\WINNT\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-3121265979-145127783-2100734864-1051\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKU\S-1-5-21-3121265979-145127783-2100734864-1051\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 7.0] C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Alcmtr] C:\WINNT\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINNT\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NVRotateSysTray] C:\WINNT\System32\nvsysrot.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINNT\System32\nwiz.exe ()
O4 - HKLM..\Run: [RegServer] C:\WINNT\System32\RegServe.exe ()
O4 - HKLM..\Run: [TMRUBottedTray] C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [TridentWatchDog] C:\WINNT\System32\TWatDog.exe ()
O4 - HKU\.DEFAULT..\Run: [DWQueuedReporting] c:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [DWQueuedReporting] c:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-21-3121265979-145127783-2100734864-1051..\Run: [PureText] File not found
O4 - HKLM..\RunOnce: [New Value #1] Reg Error: Invalid data type. File not found
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Pitaschio.lnk = C:\Program Files\Pitaschio\Pitaschio.exe ( )
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\WallMaster Pro.lnk = C:\Program Files\WallMaster\wallmast.exe (Tropical Wares)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk = C:\WINNT\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoMate Task Service.lnk = C:\Program Files\AutoMate4\Automate.exe (Unisyn Software, LLC)
O4 - Startup: C:\Documents and Settings\User\Start Menu\Programs\Startup\GridMove.lnk = C:\Program Files\GridMove\GridMove.exe ()
O4 - Startup: C:\Documents and Settings\User\Start Menu\Programs\Startup\QuickMonth Calendar.lnk = C:\WINNT\qmc.exe File not found
O4 - Startup: C:\Documents and Settings\User\Start Menu\Programs\Startup\WallMaster Pro.lnk = C:\Program Files\WallMaster\wallmast.exe (Tropical Wares)
O4 - Startup: C:\Documents and Settings\User\Start Menu\Programs\Startup\Yahoo! Widgets.lnk = C:\Program Files\Yahoo! Widgets\YahooWidgets.exe (Yahoo! Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoHelp = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3121265979-145127783-2100734864-1051\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3121265979-145127783-2100734864-1051\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoHelp = 1
O7 - HKU\S-1-5-21-3121265979-145127783-2100734864-1051\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 0
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windows ... 4457702253 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: DirectAnimation Java Classes file://C:\WINNT\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINNT\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 192.168.1.1 192.168.1.1
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINNT\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINNT\System32\igfxdev.dll (Intel Corporation)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/04/15 12:17:40 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{3a501680-6480-11df-bbb9-001c234442da}\Shell - "" = AutoRun
O33 - MountPoints2\{3a501680-6480-11df-bbb9-001c234442da}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{3a501680-6480-11df-bbb9-001c234442da}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\.DEFAULT\...exe [@ = secfile] -- "C:\WINNT\TEMP\AUTMGR32.EXE" /START "%1" %* File not found
O37 - HKU\S-1-5-18\...exe [@ = secfile] -- "C:\WINNT\TEMP\AUTMGR32.EXE" /START "%1" %* File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/07/12 02:12:59 | 000,096,512 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\drivers\sksxxdma.sys
[2010/07/11 20:27:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\My Documents\Backup mirror
[2010/07/11 13:36:57 | 000,021,504 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\hidserv.dll
[2010/07/11 13:36:49 | 000,014,592 | ---- | C] (Microsoft Corporation) -- C:\WINNT\System32\dllcache\kbdhid.sys
[2010/07/11 09:18:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\xxkbpddtd
[2010/07/11 09:18:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2010/07/11 09:18:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2010/07/07 16:24:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/07/07 16:24:38 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/07/07 16:24:14 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINNT\System32\deployJava1.dll
[2010/07/07 16:24:14 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINNT\System32\javaws.exe
[2010/07/07 16:24:14 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINNT\System32\javaw.exe
[2010/07/07 16:24:14 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINNT\System32\java.exe
[2010/07/07 07:18:04 | 000,444,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\TFC.exe
[2010/07/06 16:37:55 | 001,013,584 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\User\Desktop\tdsskiller.exe
[2010/07/06 10:29:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Malwarebytes
[2010/07/06 10:29:51 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbamswissarmy.sys
[2010/07/06 10:29:49 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINNT\System32\drivers\mbam.sys
[2010/07/06 10:29:49 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/07/06 10:29:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/07/06 09:09:31 | 006,156,288 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\User\Desktop\mbam-setup.exe
[2010/07/05 08:32:31 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
[2010/07/03 07:24:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Bitrix Security
[2010/07/02 17:06:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Altium2004_SP4
[2010/07/02 17:04:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\Altium2004_SP4
[2010/07/02 17:03:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Altium2004_SP4
[2010/07/02 16:45:31 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\WexTech Shared
[2010/07/02 16:45:31 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Novell Shared
[2010/07/02 16:45:31 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Lhspf
[2010/07/01 19:09:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\AdobeUM
[2010/07/01 19:08:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/07/01 19:08:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/06/30 23:14:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\Identities
[2010/06/30 01:12:41 | 000,000,000 | ---D | C] -- C:\Program Files\HiJackThis
[2010/06/30 00:21:47 | 000,000,000 | ---D | C] -- C:\c9b20ff71cffe5f758bc
[2010/06/29 22:20:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\Threat Expert
[2010/06/29 21:46:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com
[2010/06/29 21:42:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Threat Expert
[2010/06/29 21:38:50 | 001,652,688 | ---- | C] (Threat Expert Ltd.) -- C:\WINNT\PCTBDCore.dll.old
[2010/06/29 21:36:19 | 000,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor
[2010/06/29 21:36:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/06/29 14:35:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/06/29 14:35:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/06/29 14:17:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/06/29 14:17:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/06/24 20:47:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\My Documents\Workspaces
[2010/06/23 22:13:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\Paint.NET
[2010/06/23 22:09:58 | 000,000,000 | ---D | C] -- C:\Program Files\Paint.NET
[2010/06/23 21:37:17 | 000,000,000 | ---D | C] -- C:\temp
[2010/06/22 21:08:47 | 000,000,000 | ---D | C] -- C:\Program Files\Arachnophilia
[2010/06/21 08:02:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\My Documents\My Designs
[2010/06/21 08:01:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Altium2004_SP3
[2010/06/21 08:01:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\Altium2004_SP3
[2010/06/21 08:00:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Altium2004_SP3
[2010/06/21 08:00:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Altium2004_SP2Security
[2010/06/20 21:54:54 | 000,212,992 | R--- | C] (Microsoft Corporation) -- C:\WINNT\System32\hptcpmui.dll
[2010/06/20 21:54:52 | 000,102,400 | R--- | C] (Hewlett Packard) -- C:\WINNT\System32\hpzjrd01.dll
[2010/06/20 21:54:52 | 000,098,304 | R--- | C] (Hewlett Packard Company) -- C:\WINNT\System32\hpzjsn01.dll
[2010/06/20 21:54:52 | 000,028,672 | R--- | C] (Hewlett-Packard) -- C:\WINNT\System32\hpzjfw01.dll
[2010/06/20 21:54:51 | 000,126,976 | R--- | C] (Hewlett Packard) -- C:\WINNT\System32\hptcpmon.dll
[2010/06/20 21:54:51 | 000,073,728 | R--- | C] (Hewlett Packard) -- C:\WINNT\System32\hptcpmib.dll
[2010/06/20 21:54:28 | 000,028,672 | R--- | C] (Zenographics, Inc.) -- C:\WINNT\System32\IMF32.DLL
[2010/06/20 21:54:26 | 000,086,016 | R--- | C] (Zenographics, Inc.) -- C:\WINNT\System32\zlhp2600.dll
[2010/06/20 21:54:26 | 000,028,672 | R--- | C] (Zenographics, Inc.) -- C:\WINNT\System32\zlm.dll
[2010/06/20 21:54:25 | 000,155,648 | R--- | C] (Zenographics) -- C:\WINNT\System32\HP2600IR.dll
[2010/06/20 21:54:25 | 000,086,016 | R--- | C] (Zenographics, Inc.) -- C:\WINNT\System32\ZSPOOL.DLL
[2010/06/20 21:54:25 | 000,024,576 | R--- | C] (Zenographics, Inc.) -- C:\WINNT\System32\ZTAG32.DLL
[2010/06/20 21:54:24 | 000,000,000 | -H-D | C] -- C:\Program Files\Zenographics
[2010/06/20 21:54:24 | 000,000,000 | ---D | C] -- C:\Program Files\Hewlett-Packard
[2010/06/20 21:39:07 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\User\Application Data\pcouffin.sys
[2010/06/20 21:39:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Vso
[2010/06/20 21:39:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\My Documents\PcSetup
[2010/06/20 21:39:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\My Documents\DVDFab
[2010/06/20 21:38:49 | 000,000,000 | ---D | C] -- C:\Program Files\DVDFab 7
[2010/06/20 21:33:08 | 000,188,672 | ---- | C] (TrueCrypt Foundation) -- C:\WINNT\System32\drivers\truecrypt.sys
[2010/06/20 21:33:05 | 000,000,000 | ---D | C] -- C:\Program Files\TrueCrypt
[2010/06/20 21:32:42 | 000,000,000 | ---D | C] -- C:\Program Files\Howies Quick Screen Capture
[2010/06/20 21:23:27 | 000,000,000 | ---D | C] -- C:\Program Files\Altium2004 SP3
[2010/06/20 21:14:16 | 000,000,000 | ---D | C] -- C:\Program Files\NameIt
[2010/06/20 21:09:30 | 000,000,000 | ---D | C] -- C:\Program Files\GridMove
[2010/06/20 21:05:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\My Documents\My Widgets
[2010/06/20 21:04:57 | 000,000,000 | ---D | C] -- C:\Program Files\Yahoo!
[2010/06/20 21:04:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\Yahoo
[2010/06/20 21:04:49 | 000,000,000 | ---D | C] -- C:\Program Files\Yahoo! Widgets
[2010/06/20 21:00:10 | 000,000,000 | ---D | C] -- C:\Program Files\Nikon
[2010/06/20 21:00:10 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Nikon
[2010/06/20 20:56:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2010/06/20 20:55:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\SmartDraw
[2010/06/20 20:52:09 | 000,000,000 | ---D | C] -- C:\Program Files\SmartDraw 7
[2010/06/20 20:46:07 | 000,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2010/06/20 20:34:54 | 000,102,912 | ---- | C] (Unisyn Software, LLC) -- C:\WINNT\System32\amnt.dll
[2010/06/20 20:34:41 | 001,108,992 | ---- | C] (Unisyn Software, LLC) -- C:\WINNT\System32\AMOLE.dll
[2010/06/20 20:34:41 | 000,446,464 | ---- | C] (Blue Sky Software Corporation.) -- C:\WINNT\System32\Hhactivex.dll
[2010/06/20 20:34:29 | 000,262,144 | ---- | C] (Polar Engineering and Consulting) -- C:\WINNT\System32\Sbent532.ocx
[2010/06/20 20:34:27 | 001,134,645 | ---- | C] (Polar Engineering and Consulting) -- C:\WINNT\System32\Sbe5_32.dll
[2010/06/20 20:34:18 | 000,283,984 | ---- | C] (Xceed Software Inc (450) 442-2626 zip@xceedsoft.com www.xceedsoft.com) -- C:\WINNT\System32\XceedZip.dll
[2010/06/20 20:34:17 | 000,429,056 | ---- | C] (Unisyn Software, LLC) -- C:\WINNT\System32\RIPCMgr.dll
[2010/06/20 20:34:05 | 000,000,000 | ---D | C] -- C:\Program Files\AutoMate4
[2010/06/20 20:28:57 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Works
[2010/06/20 20:28:12 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Visual Studio
[2010/06/20 20:28:11 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\DESIGNER
[2010/06/20 20:27:10 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET
[2010/06/20 20:24:31 | 000,000,000 | ---D | C] -- C:\WINNT\SHELLNEW
[2010/06/20 20:23:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\Microsoft Help
[2010/06/20 20:23:36 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Office
[2010/06/20 20:23:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Microsoft Help
[2010/06/20 20:23:07 | 000,000,000 | RH-D | C] -- C:\MSOCache
[2010/06/20 20:18:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\AdobeUM
[2010/06/20 13:38:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\TeraCopy
[2010/06/20 13:37:29 | 000,000,000 | ---D | C] -- C:\Program Files\TeraCopy
[2010/06/20 01:44:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\PCHealth
[2010/06/20 01:44:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2010/06/19 22:52:11 | 000,000,000 | ---D | C] -- C:\Program Files\Irfanview
[2010/06/19 22:41:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\Help
[2010/06/19 22:41:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Help
[2010/06/19 22:39:19 | 000,000,000 | R--D | C] -- C:\Documents and Settings\User\Desktop\d on Vault2 (vault2)
[2010/06/19 22:38:38 | 000,000,000 | ---D | C] -- C:\Program Files\WallMaster
[2010/06/19 22:36:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\My Documents\Downloads

========== Files - Modified Within 30 Days ==========

[2010/07/13 08:58:09 | 000,000,408 | -H-- | M] () -- C:\WINNT\tasks\MP Scheduled Scan.job
[2010/07/13 08:57:54 | 000,479,920 | ---- | M] () -- C:\WINNT\System32\PerfStringBackup.INI
[2010/07/13 08:57:54 | 000,408,238 | ---- | M] () -- C:\WINNT\System32\perfh009.dat
[2010/07/13 08:57:54 | 000,064,602 | ---- | M] () -- C:\WINNT\System32\perfc009.dat
[2010/07/13 08:53:25 | 000,000,448 | ---- | M] () -- C:\WINNT\tasks\SDMsgUpdate (SD).job
[2010/07/13 08:53:23 | 000,002,206 | ---- | M] () -- C:\WINNT\System32\wpa.dbl
[2010/07/13 08:52:51 | 000,002,331 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
[2010/07/13 08:52:43 | 000,000,006 | -H-- | M] () -- C:\WINNT\tasks\SA.DAT
[2010/07/13 08:52:41 | 000,002,048 | --S- | M] () -- C:\WINNT\bootstat.dat
[2010/07/13 08:51:18 | 006,291,456 | -H-- | M] () -- C:\Documents and Settings\User\ntuser.dat
[2010/07/13 08:51:18 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\User\ntuser.ini
[2010/07/12 14:03:45 | 000,000,664 | ---- | M] () -- C:\WINNT\System32\d3d9caps.dat
[2010/07/12 02:12:59 | 000,096,512 | ---- | M] (Microsoft Corporation) -- C:\WINNT\System32\drivers\sksxxdma.sys
[2010/07/11 20:26:36 | 000,000,581 | ---- | M] () -- C:\Documents and Settings\User\My Documents\Sean's Documents.lnk
[2010/07/11 12:32:10 | 000,002,469 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Excel 2007.lnk
[2010/07/08 21:15:41 | 000,000,593 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Latest photos.lnk
[2010/07/08 00:24:00 | 000,000,581 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Documents.lnk
[2010/07/07 23:12:07 | 000,000,084 | ---- | M] () -- C:\Documents and Settings\User\Desktop\MalWare Removal • View topic - IE popping up ad windows at random - redux.URL
[2010/07/07 23:04:58 | 000,002,557 | ---- | M] () -- C:\Documents and Settings\User\Desktop\HiJackThis.lnk
[2010/07/07 07:18:04 | 000,444,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\TFC.exe
[2010/07/06 16:37:55 | 001,013,584 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\User\Desktop\tdsskiller.exe
[2010/07/06 12:44:53 | 000,000,151 | ---- | M] () -- C:\WINNT\QScreenCapt.ini
[2010/07/06 10:29:53 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/06 09:12:27 | 000,133,632 | ---- | M] () -- C:\Documents and Settings\User\Desktop\RKUnhookerLE.EXE
[2010/07/06 09:09:31 | 006,156,288 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\User\Desktop\mbam-setup.exe
[2010/07/05 09:09:51 | 000,000,600 | ---- | M] () -- C:\Documents and Settings\User\Desktop\HijackThis (2).lnk
[2010/07/05 08:32:31 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
[2010/07/04 20:35:58 | 000,000,897 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Blackline GPS.lnk
[2010/07/02 17:01:55 | 003,792,992 | -H-- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\IconCache.db
[2010/07/02 16:49:33 | 000,000,629 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Altium Designer 2004 (SP3).lnk
[2010/07/02 14:31:21 | 000,000,692 | ---- | M] () -- C:\Documents and Settings\User\Start Menu\Programs\Startup\Yahoo! Widgets.lnk
[2010/06/30 08:44:08 | 000,000,873 | ---- | M] () -- C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\Blackline workspace.lnk
[2010/06/29 14:54:51 | 000,000,820 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2010/06/29 14:52:19 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\housecall.guid.cache
[2010/06/27 22:42:25 | 000,001,512 | ---- | M] () -- C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\Volume Control.lnk
[2010/06/24 20:49:38 | 000,000,804 | ---- | M] () -- C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2010/06/24 20:48:02 | 000,000,897 | ---- | M] () -- C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\Watch video.bat.lnk
[2010/06/24 20:10:33 | 000,000,506 | ---- | M] () -- C:\Documents and Settings\User\My Documents\Mimi.lnk
[2010/06/24 07:39:25 | 000,000,562 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Household.lnk
[2010/06/23 22:11:30 | 000,001,704 | ---- | M] () -- C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\Paint.NET.lnk
[2010/06/23 22:10:25 | 000,000,812 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Paint.NET.lnk
[2010/06/23 21:16:28 | 000,006,144 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/06/23 09:31:04 | 000,000,749 | ---- | M] () -- C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\PureText.lnk
[2010/06/22 23:07:24 | 000,001,513 | ---- | M] () -- C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\Notepad.lnk
[2010/06/22 21:09:42 | 000,000,802 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Arachnophilia.lnk
[2010/06/21 21:36:48 | 000,000,405 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Web.lnk
[2010/06/21 15:32:30 | 000,002,511 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Word 2007.lnk
[2010/06/21 13:48:38 | 000,000,688 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Automate macros.lnk
[2010/06/21 08:43:47 | 000,000,508 | ---- | M] () -- C:\WINNT\win.ini
[2010/06/21 08:43:44 | 000,001,488 | ---- | M] () -- C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\Calculator.lnk
[2010/06/21 08:00:36 | 000,000,543 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Work.lnk
[2010/06/21 07:09:54 | 000,000,506 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Mimi.lnk
[2010/06/20 21:54:55 | 000,000,143 | ---- | M] () -- C:\WINNT\System32\AddPort.ini
[2010/06/20 21:54:21 | 000,000,606 | ---- | M] () -- C:\WINNT\hpntwksetup.ini
[2010/06/20 21:39:07 | 000,087,608 | ---- | M] () -- C:\Documents and Settings\User\Application Data\inst.exe
[2010/06/20 21:39:07 | 000,047,360 | ---- | M] (VSO Software) -- C:\Documents and Settings\User\Application Data\pcouffin.sys
[2010/06/20 21:39:07 | 000,007,887 | ---- | M] () -- C:\Documents and Settings\User\Application Data\pcouffin.cat
[2010/06/20 21:39:07 | 000,001,144 | ---- | M] () -- C:\Documents and Settings\User\Application Data\pcouffin.inf
[2010/06/20 21:39:02 | 000,000,618 | ---- | M] () -- C:\Documents and Settings\User\Desktop\DVDFab 7.lnk
[2010/06/20 21:17:22 | 000,000,998 | ---- | M] () -- C:\WINNT\unins001.dat
[2010/06/20 21:17:21 | 000,000,710 | ---- | M] () -- C:\Documents and Settings\User\Start Menu\Programs\Startup\QuickMonth Calendar.lnk
[2010/06/20 21:17:08 | 000,691,486 | ---- | M] () -- C:\WINNT\unins001.exe
[2010/06/20 21:09:40 | 000,000,642 | ---- | M] () -- C:\Documents and Settings\User\Start Menu\Programs\Startup\GridMove.lnk
[2010/06/20 21:04:53 | 000,000,744 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Yahoo! Widgets.lnk
[2010/06/20 21:02:24 | 000,000,521 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Software.lnk
[2010/06/20 21:01:15 | 000,325,112 | ---- | M] () -- C:\WINNT\System32\FNTCACHE.DAT
[2010/06/20 20:52:23 | 000,000,708 | ---- | M] () -- C:\Documents and Settings\User\Desktop\SmartDraw 7.lnk
[2010/06/20 20:34:50 | 000,015,223 | ---- | M] () -- C:\WINNT\System32\ameulas.dll
[2010/06/20 20:34:47 | 000,000,647 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoMate Task Service.lnk
[2010/06/20 20:34:08 | 000,000,023 | ---- | M] () -- C:\WINNT\System32\sco32.dll
[2010/06/20 13:36:17 | 000,000,378 | ---- | M] () -- C:\Documents and Settings\User\Desktop\MyBook.lnk
[2010/06/20 10:16:09 | 000,072,748 | ---- | M] (Jordan Russell) -- C:\WINNT\unins000.exe
[2010/06/20 10:16:09 | 000,000,654 | ---- | M] () -- C:\WINNT\unins000.dat
[2010/06/20 03:01:04 | 000,001,374 | ---- | M] () -- C:\WINNT\imsins.BAK
[2010/06/19 23:15:10 | 000,000,145 | ---- | M] () -- C:\Documents and Settings\User\Desktop\D drive (DVD-RW).lnk
[2010/06/19 23:15:04 | 000,000,293 | ---- | M] () -- C:\Documents and Settings\User\Desktop\C drive.lnk
[2010/06/19 22:53:28 | 000,001,565 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\IrfanView Thumbnails.lnk
[2010/06/19 22:53:28 | 000,000,685 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\IrfanView.lnk
[2010/06/19 22:49:57 | 000,000,622 | ---- | M] () -- C:\Documents and Settings\User\Desktop\References.lnk
[2010/06/19 22:49:43 | 000,000,631 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Job search.lnk
[2010/06/19 22:49:42 | 000,000,622 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Konsepsyon.lnk
[2010/06/19 22:49:40 | 000,000,603 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Codex.lnk
[2010/06/19 22:49:37 | 000,000,637 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Spark Institute.lnk
[2010/06/19 22:40:03 | 000,000,506 | ---- | M] () -- C:\Documents and Settings\User\Desktop\DVD Rips.lnk
[2010/06/19 22:39:55 | 000,000,433 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Video.lnk
[2010/06/19 22:39:52 | 000,000,438 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Photos.lnk
[2010/06/19 22:39:49 | 000,000,458 | ---- | M] () -- C:\Documents and Settings\User\Desktop\File Cabinet.lnk
[2010/06/19 22:39:44 | 000,000,441 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Backups.lnk
[2010/06/19 22:39:42 | 000,000,433 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Audio.lnk
[2010/06/19 22:38:51 | 000,000,652 | ---- | M] () -- C:\Documents and Settings\User\Start Menu\Programs\Startup\WallMaster Pro.lnk
[2010/06/19 19:49:17 | 000,000,124 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Control Panel.lnk

========== Files Created - No Company Name ==========

[2010/07/11 20:26:36 | 000,000,581 | ---- | C] () -- C:\Documents and Settings\User\My Documents\Sean's Documents.lnk
[2010/07/08 21:15:41 | 000,000,593 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Latest photos.lnk
[2010/07/07 23:12:07 | 000,000,084 | ---- | C] () -- C:\Documents and Settings\User\Desktop\MalWare Removal • View topic - IE popping up ad windows at random - redux.URL
[2010/07/06 10:29:53 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/06 09:12:27 | 000,133,632 | ---- | C] () -- C:\Documents and Settings\User\Desktop\RKUnhookerLE.EXE
[2010/07/05 09:09:51 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\User\Desktop\HijackThis (2).lnk
[2010/07/02 16:52:42 | 000,000,629 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Altium Designer 2004 (SP3).lnk
[2010/07/01 19:21:11 | 000,000,664 | ---- | C] () -- C:\WINNT\System32\d3d9caps.dat
[2010/06/30 08:44:08 | 000,000,873 | ---- | C] () -- C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\Blackline workspace.lnk
[2010/06/30 01:12:42 | 000,002,557 | ---- | C] () -- C:\Documents and Settings\User\Desktop\HiJackThis.lnk
[2010/06/29 21:38:52 | 000,763,832 | ---- | C] () -- C:\WINNT\BDTSupport.dll.old
[2010/06/29 15:01:12 | 000,000,408 | -H-- | C] () -- C:\WINNT\tasks\MP Scheduled Scan.job
[2010/06/29 14:54:51 | 000,000,820 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2010/06/29 14:52:19 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\housecall.guid.cache
[2010/06/24 20:48:02 | 000,000,897 | ---- | C] () -- C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\Watch video.bat.lnk
[2010/06/24 20:10:33 | 000,000,506 | ---- | C] () -- C:\Documents and Settings\User\My Documents\Mimi.lnk
[2010/06/24 07:39:25 | 000,000,562 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Household.lnk
[2010/06/23 22:12:35 | 000,000,151 | ---- | C] () -- C:\WINNT\QScreenCapt.ini
[2010/06/23 22:10:25 | 000,000,812 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Paint.NET.lnk
[2010/06/23 21:14:44 | 000,006,144 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/06/22 21:09:42 | 000,000,802 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Arachnophilia.lnk
[2010/06/21 21:36:48 | 000,000,405 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Web.lnk
[2010/06/21 13:48:38 | 000,000,688 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Automate macros.lnk
[2010/06/21 08:00:36 | 000,000,543 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Work.lnk
[2010/06/21 07:09:54 | 000,000,506 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Mimi.lnk
[2010/06/20 21:54:55 | 000,000,143 | ---- | C] () -- C:\WINNT\System32\AddPort.ini
[2010/06/20 21:54:54 | 000,009,864 | R--- | C] () -- C:\WINNT\System32\hptcpmui.hlp
[2010/06/20 21:54:54 | 000,009,820 | R--- | C] () -- C:\WINNT\System32\hpipxmui.hlp
[2010/06/20 21:54:54 | 000,003,399 | R--- | C] () -- C:\WINNT\System32\hptcpmon.ini
[2010/06/20 21:54:29 | 000,749,568 | R--- | C] () -- C:\WINNT\System32\agissi.dll
[2010/06/20 21:54:28 | 000,805,928 | R--- | C] () -- C:\WINNT\System32\hp2600n.img
[2010/06/20 21:54:27 | 011,194,368 | R--- | C] () -- C:\WINNT\System32\zhhp_res.dll
[2010/06/20 21:54:26 | 000,327,680 | R--- | C] () -- C:\WINNT\System32\zshp2600.exe
[2010/06/20 21:54:26 | 000,241,664 | R--- | C] () -- C:\WINNT\System32\zhhp2600.exe
[2010/06/20 21:54:25 | 000,114,688 | R--- | C] () -- C:\WINNT\System32\vshp2600.dll
[2010/06/20 21:54:25 | 000,007,294 | R--- | C] () -- C:\WINNT\System32\ZSHP2600.HLP
[2010/06/20 21:53:42 | 000,000,606 | ---- | C] () -- C:\WINNT\hpntwksetup.ini
[2010/06/20 21:39:15 | 000,000,034 | ---- | C] () -- C:\Documents and Settings\User\Application Data\pcouffin.log
[2010/06/20 21:39:07 | 000,087,608 | ---- | C] () -- C:\Documents and Settings\User\Application Data\inst.exe
[2010/06/20 21:39:07 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\User\Application Data\pcouffin.cat
[2010/06/20 21:39:07 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\User\Application Data\pcouffin.inf
[2010/06/20 21:39:02 | 000,000,618 | ---- | C] () -- C:\Documents and Settings\User\Desktop\DVDFab 7.lnk
[2010/06/20 21:17:21 | 000,000,710 | ---- | C] () -- C:\Documents and Settings\User\Start Menu\Programs\Startup\QuickMonth Calendar.lnk
[2010/06/20 21:17:14 | 000,691,486 | ---- | C] () -- C:\WINNT\unins001.exe
[2010/06/20 21:17:14 | 000,000,998 | ---- | C] () -- C:\WINNT\unins001.dat
[2010/06/20 21:09:40 | 000,000,642 | ---- | C] () -- C:\Documents and Settings\User\Start Menu\Programs\Startup\GridMove.lnk
[2010/06/20 21:05:06 | 000,000,692 | ---- | C] () -- C:\Documents and Settings\User\Start Menu\Programs\Startup\Yahoo! Widgets.lnk
[2010/06/20 21:04:53 | 000,000,744 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Yahoo! Widgets.lnk
[2010/06/20 20:53:52 | 000,000,448 | ---- | C] () -- C:\WINNT\tasks\SDMsgUpdate (SD).job
[2010/06/20 20:52:23 | 000,000,708 | ---- | C] () -- C:\Documents and Settings\User\Desktop\SmartDraw 7.lnk
[2010/06/20 20:43:03 | 000,002,469 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Excel 2007.lnk
[2010/06/20 20:42:58 | 000,002,511 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Word 2007.lnk
[2010/06/20 20:34:50 | 000,015,223 | ---- | C] () -- C:\WINNT\System32\ameulas.dll
[2010/06/20 20:34:47 | 000,000,647 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoMate Task Service.lnk
[2010/06/20 20:34:40 | 000,057,856 | ---- | C] () -- C:\WINNT\System32\UnisynLib.dll
[2010/06/20 20:34:21 | 000,109,568 | ---- | C] () -- C:\WINNT\System32\AMJR.dll
[2010/06/20 20:34:17 | 000,006,439 | ---- | C] () -- C:\WINNT\System32\Sbe5_000.cnt
[2010/06/20 20:34:16 | 000,318,592 | ---- | C] () -- C:\WINNT\System32\Sbe5_000.hlp
[2010/06/20 20:34:08 | 000,000,023 | ---- | C] () -- C:\WINNT\System32\sco32.dll
[2010/06/20 13:36:17 | 000,000,378 | ---- | C] () -- C:\Documents and Settings\User\Desktop\MyBook.lnk
[2010/06/20 10:16:08 | 000,000,654 | ---- | C] () -- C:\WINNT\unins000.dat
[2010/06/19 23:15:10 | 000,000,145 | ---- | C] () -- C:\Documents and Settings\User\Desktop\D drive (DVD-RW).lnk
[2010/06/19 23:15:04 | 000,000,293 | ---- | C] () -- C:\Documents and Settings\User\Desktop\C drive.lnk
[2010/06/19 22:53:28 | 000,001,565 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\IrfanView Thumbnails.lnk
[2010/06/19 22:53:28 | 000,000,685 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\IrfanView.lnk
[2010/06/19 22:50:07 | 000,000,897 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Blackline GPS.lnk
[2010/06/19 22:49:57 | 000,000,622 | ---- | C] () -- C:\Documents and Settings\User\Desktop\References.lnk
[2010/06/19 22:49:43 | 000,000,631 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Job search.lnk
[2010/06/19 22:49:42 | 000,000,622 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Konsepsyon.lnk
[2010/06/19 22:49:40 | 000,000,603 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Codex.lnk
[2010/06/19 22:49:37 | 000,000,637 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Spark Institute.lnk
[2010/06/19 22:40:02 | 000,000,506 | ---- | C] () -- C:\Documents and Settings\User\Desktop\DVD Rips.lnk
[2010/06/19 22:39:55 | 000,000,433 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Video.lnk
[2010/06/19 22:39:54 | 000,000,521 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Software.lnk
[2010/06/19 22:39:52 | 000,000,438 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Photos.lnk
[2010/06/19 22:39:49 | 000,000,458 | ---- | C] () -- C:\Documents and Settings\User\Desktop\File Cabinet.lnk
[2010/06/19 22:39:46 | 000,000,581 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Documents.lnk
[2010/06/19 22:39:44 | 000,000,441 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Backups.lnk
[2010/06/19 22:39:42 | 000,000,433 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Audio.lnk
[2010/06/19 22:38:51 | 000,000,652 | ---- | C] () -- C:\Documents and Settings\User\Start Menu\Programs\Startup\WallMaster Pro.lnk
[2010/06/19 19:49:17 | 000,000,124 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Control Panel.lnk
[2009/02/27 14:58:11 | 000,204,800 | ---- | C] () -- C:\WINNT\System32\igfxCoIn_v4814.dll
[2009/02/12 12:41:04 | 001,399,880 | ---- | C] () -- C:\WINNT\System32\igklg450.dll
[2009/02/12 12:41:04 | 000,147,456 | ---- | C] () -- C:\WINNT\System32\igfxCoIn_v4926.dll
[2009/02/12 12:41:04 | 000,104,636 | ---- | C] () -- C:\WINNT\System32\igmedcompkrn.dll
[2009/02/12 12:41:03 | 001,843,784 | ---- | C] () -- C:\WINNT\System32\igklg400.dll
[2006/06/09 11:06:36 | 000,110,592 | ---- | C] () -- C:\WINNT\System32\nvapi.dll
[2006/05/24 16:47:11 | 003,596,288 | ---- | C] () -- C:\WINNT\System32\qt-dx331.dll
[2006/04/18 18:04:53 | 000,012,288 | ---- | C] () -- C:\WINNT\System32\DivXWMPExtType.dll
[2005/07/27 13:54:24 | 000,073,728 | ---- | C] () -- C:\WINNT\System32\TVCtrl.dll
[2005/07/27 13:54:23 | 000,110,592 | ---- | C] () -- C:\WINNT\System32\GenCtrl.dll
[2005/07/27 13:54:23 | 000,086,016 | ---- | C] () -- C:\WINNT\System32\ColorCtr.dll
[2005/07/27 13:54:23 | 000,061,440 | ---- | C] () -- C:\WINNT\System32\Multview.dll
[2005/07/27 13:54:23 | 000,061,440 | ---- | C] () -- C:\WINNT\System32\LCDCtrl.dll
[2005/07/27 13:54:23 | 000,049,152 | ---- | C] () -- C:\WINNT\System32\CRTCtrl.dll
[2005/07/27 13:54:23 | 000,036,864 | ---- | C] () -- C:\WINNT\System32\DTMenuEx.dll
[2005/07/18 11:27:50 | 000,036,864 | ---- | C] () -- C:\WINNT\System32\NTDisUn.dll
[2005/07/18 09:51:39 | 001,019,904 | ---- | C] () -- C:\WINNT\System32\nvwimg.dll
[2005/07/18 09:51:38 | 001,662,976 | ---- | C] () -- C:\WINNT\System32\nvwdmcpl.dll
[2005/07/18 09:51:37 | 000,466,944 | ---- | C] () -- C:\WINNT\System32\nvshell.dll
[2005/07/18 09:51:33 | 001,466,368 | ---- | C] () -- C:\WINNT\System32\nview.dll
[2005/04/15 16:31:47 | 000,001,793 | ---- | C] () -- C:\WINNT\System32\fxsperf.ini
[2005/04/15 13:52:58 | 000,363,520 | ---- | C] () -- C:\WINNT\System32\psisdecd.dll
[2005/04/15 12:45:32 | 000,000,061 | ---- | C] () -- C:\WINNT\smscfg.ini
[2005/04/15 12:33:59 | 000,016,384 | ---- | C] () -- C:\WINNT\System32\e100bmsg.dll
[2004/10/26 15:39:06 | 003,375,104 | ---- | C] () -- C:\WINNT\System32\qt-mt331.dll
[1999/11/16 12:04:36 | 000,485,376 | ---- | C] () -- C:\WINNT\System32\DrRw40.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
@Alternate Data Stream - 105 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:430C6D84
< End of report >
Occam
Regular Member
 
Posts: 26
Joined: June 30th, 2010, 3:24 am

Re: IE popping up ad windows at random - redux

Unread postby deltalima » July 13th, 2010, 1:41 pm

Hi Occam,

Backup Your Registry:
* Download ERUNT to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save)
* Right-click erunt.zip, choose Extract All... and follow the prompts to unzip the program
* Open the erunt folder on your Desktop and double-click ERUNT.exe to start the program
* OK all the prompts to back up your registry to the default location.
Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the Image textbox. Do not include the word Code
    :otl
    @Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
    @Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
    @Alternate Data Stream - 105 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:430C6D84
    
  • Then click the Run Fix button at the top.
  • Click Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and Paste that report in your next reply.

Please reboot the computer.

Now please run a quick scan with Malwarebytes and remove any infections found. Please post the log in your next reply along with the log from OTL.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: IE popping up ad windows at random - redux

Unread postby Occam » July 14th, 2010, 12:56 am

PC is not clean - annoying pop-ups continue after above steps completed.


========== OTL ==========
ADS C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:430C6D84 deleted successfully.

OTL by OldTimer - Version 3.2.7.1 log created on 07132010_154038


----------------------------------------------------------

Malwarebytes' Anti-Malware 1.46
http://www.malwarebytes.org

Database version: 4308

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

7/13/2010 3:52:04 PM
mbam-log-2010-07-13 (15-52-04).txt

Scan type: Quick scan
Objects scanned: 138137
Time elapsed: 8 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Occam
Regular Member
 
Posts: 26
Joined: June 30th, 2010, 3:24 am

Re: IE popping up ad windows at random - redux

Unread postby deltalima » July 14th, 2010, 5:20 am

Hi Occam,

Run Combofix

Temporarily disable any antispyware, antivirus and or antimalware real-time protection as they may interfere with running of ComboFix.

Download ComboFix from here to your Desktop.

For more information about Combofix please see here.

Close all programs.

Double click combofix.exe and follow the prompts.

If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures; if not, then follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console and, when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. Once installed, you should see the following message:

The recovery console was successfuly installed.
Click ‘YES’ to continue scanning for malware
Click ‘NO’ for exit

Click the YES button.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your “drive access” light. If it is flashing, Combofix is still at work.

When finished ComboFix will produce a log file. Please post the contents of this log in your next reply.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: IE popping up ad windows at random - redux

Unread postby Occam » July 14th, 2010, 6:52 pm

Log below.

Note that Microsoft Security Essentials was NOT enabled during the scan. I only figured out how to totally disable MSE after the "please kindly note that MSE is still active" prompt. Before the final OK I did disable MSE.

Another note is that Windows Firewall is supposed to be disabled. I have a hardware firewall.

Final note is that ComboFix hung at the end of Stage 2 scanning when a "process has encountered an error and cannot continue" box came up. The process had a strange name that I didn't write down, sorry.

After the scan, IE became my default browser.

Thanks again!

--

p.s. - oops, another pop up just as I was writing this note. Not clean yet.


ComboFix 10-07-13.08 - User 07/14/2010 11:39:03.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.585 [GMT -6:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\User\Application Data\inst.exe
c:\winnt\system32\ameulas.dll
c:\winnt\system32\sco32.dll
c:\winnt\system32\st325602.dll
c:\winnt\xpsp1hfm.log

----- BITS: Possible infected sites -----

hxxp://windowsupdatecalgary.nexeninc.com:8530
.
((((((((((((((((((((((((( Files Created from 2010-06-14 to 2010-07-14 )))))))))))))))))))))))))))))))
.

2010-07-12 08:12 . 2010-07-12 08:12 96512 ----a-w- c:\winnt\system32\drivers\sksxxdma.sys
2010-07-11 19:36 . 2008-04-14 00:11 21504 -c--a-w- c:\winnt\system32\dllcache\hidserv.dll
2010-07-11 19:36 . 2008-04-14 00:11 21504 ----a-w- c:\winnt\system32\hidserv.dll
2010-07-11 19:36 . 2008-04-13 18:39 14592 -c--a-w- c:\winnt\system32\dllcache\kbdhid.sys
2010-07-11 19:36 . 2008-04-13 18:39 14592 ----a-w- c:\winnt\system32\drivers\kbdhid.sys
2010-07-11 16:32 . 2010-07-11 16:32 -------- d-s---w- c:\documents and settings\LocalService\UserData
2010-07-11 15:18 . 2010-07-13 14:20 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\xxkbpddtd
2010-07-11 15:18 . 2010-07-11 15:18 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-07-07 22:24 . 2010-07-07 22:24 -------- d-----w- c:\program files\Common Files\Java
2010-07-07 22:24 . 2010-07-07 22:24 503808 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-20f5732d-n\msvcp71.dll
2010-07-07 22:24 . 2010-07-07 22:24 499712 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-20f5732d-n\jmc.dll
2010-07-07 22:24 . 2010-07-07 22:24 348160 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-20f5732d-n\msvcr71.dll
2010-07-07 22:24 . 2010-07-07 22:24 61440 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6da7a07f-n\decora-sse.dll
2010-07-07 22:24 . 2010-07-07 22:24 12800 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6da7a07f-n\decora-d3d.dll
2010-07-07 22:24 . 2010-04-12 23:29 411368 ----a-w- c:\winnt\system32\deployJava1.dll
2010-07-07 22:19 . 2010-07-01 19:52 1496064 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\um64otsq.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-07-07 22:19 . 2010-07-01 19:51 43008 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\um64otsq.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-07-07 22:19 . 2010-07-01 19:51 338944 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\um64otsq.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-07-07 22:19 . 2010-07-01 19:51 346112 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\um64otsq.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-07-06 16:29 . 2010-07-06 16:29 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2010-07-06 16:29 . 2010-04-29 21:39 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2010-07-06 16:29 . 2010-07-06 16:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-06 16:29 . 2010-07-06 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-06 16:29 . 2010-04-29 21:39 20952 ----a-w- c:\winnt\system32\drivers\mbam.sys
2010-07-05 15:24 . 2010-07-05 15:24 57600 ----a-w- c:\winnt\system32\drivers\REDBOOK.SYS
2010-07-03 13:24 . 2010-07-03 13:36 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Bitrix Security
2010-07-02 23:06 . 2010-07-02 23:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Altium2004_SP4
2010-07-02 23:04 . 2010-07-02 23:04 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Altium2004_SP4
2010-07-02 23:03 . 2010-07-12 02:25 -------- d-----w- c:\documents and settings\User\Application Data\Altium2004_SP4
2010-07-02 22:45 . 2010-07-02 22:45 -------- d-----w- c:\program files\Common Files\WexTech Shared
2010-07-02 22:45 . 2010-07-02 22:45 -------- d-----w- c:\program files\Common Files\Novell Shared
2010-07-02 22:45 . 2010-07-02 22:45 -------- d-----w- c:\program files\Common Files\Lhspf
2010-07-02 17:00 . 2010-07-02 17:00 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-07-02 01:21 . 2010-07-12 20:03 664 ----a-w- c:\winnt\system32\d3d9caps.dat
2010-07-02 01:09 . 2010-07-02 01:09 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-07-02 01:08 . 2010-07-02 01:08 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-01 05:14 . 2010-07-01 05:14 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Identities
2010-06-30 07:12 . 2010-06-30 07:12 388096 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-30 06:21 . 2010-06-30 06:44 -------- d-----w- C:\c9b20ff71cffe5f758bc
2010-06-30 04:20 . 2010-06-30 04:20 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Threat Expert
2010-06-30 03:46 . 2010-06-30 03:46 63488 ----a-w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-30 03:46 . 2010-06-30 03:46 52224 ----a-w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-30 03:46 . 2010-06-30 03:46 117760 ----a-w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-30 03:46 . 2010-06-30 03:46 -------- d-----w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com
2010-06-30 03:42 . 2010-06-30 03:42 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Threat Expert
2010-06-30 03:36 . 2010-07-02 21:51 -------- d-----w- c:\program files\Spyware Doctor
2010-06-30 03:36 . 2010-07-02 21:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-25 06:15 . 2010-05-23 23:50 73216 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\um64otsq.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
2010-06-25 06:15 . 2010-04-18 20:33 172032 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\um64otsq.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\puttygen.exe
2010-06-25 06:15 . 2010-04-18 20:33 307200 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\um64otsq.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\psftp.exe
2010-06-25 02:49 . 2004-08-04 07:56 221184 ----a-w- c:\winnt\system32\wmpns.dll
2010-06-24 04:13 . 2010-07-08 06:38 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Paint.NET
2010-06-24 04:09 . 2010-06-24 04:10 -------- d-----w- c:\program files\Paint.NET
2010-06-24 03:37 . 2010-07-11 23:27 -------- d-----w- C:\temp
2010-06-23 03:08 . 2010-06-23 03:22 -------- d-----w- c:\program files\Arachnophilia
2010-06-21 14:01 . 2010-06-21 14:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Altium2004_SP3
2010-06-21 14:01 . 2010-06-21 14:01 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Altium2004_SP3
2010-06-21 14:00 . 2010-07-02 22:53 -------- d-----w- c:\documents and settings\User\Application Data\Altium2004_SP3
2010-06-21 14:00 . 2010-06-21 14:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Altium2004_SP2Security
2010-06-21 03:39 . 2010-06-21 03:39 47360 ----a-w- c:\winnt\system32\drivers\pcouffin.sys
2010-06-21 03:39 . 2010-06-21 03:39 47360 ----a-w- c:\documents and settings\User\Application Data\pcouffin.sys
2010-06-21 03:39 . 2010-06-21 03:39 -------- d-----w- c:\documents and settings\User\Application Data\Vso
2010-06-21 03:38 . 2010-06-21 03:39 -------- d-----w- c:\program files\DVDFab 7
2010-06-21 03:33 . 2007-05-04 04:22 188672 ----a-w- c:\winnt\system32\drivers\truecrypt.sys
2010-06-21 03:33 . 2010-06-21 03:33 -------- d-----w- c:\program files\TrueCrypt
2010-06-21 03:32 . 2010-06-21 03:32 -------- d-----w- c:\program files\Howies Quick Screen Capture
2010-06-21 03:23 . 2010-07-02 22:56 -------- d-----w- c:\program files\Altium2004 SP3
2010-06-21 03:17 . 2010-06-21 03:17 998 ----a-w- c:\winnt\unins001.dat
2010-06-21 03:17 . 2010-06-21 03:17 691486 ----a-w- c:\winnt\unins001.exe
2010-06-21 03:14 . 2010-06-21 03:14 -------- d-----w- c:\program files\NameIt
2010-06-21 03:09 . 2010-06-21 03:09 -------- d-----w- c:\program files\GridMove
2010-06-21 03:04 . 2010-06-21 03:04 -------- d-----w- c:\program files\Yahoo!
2010-06-21 03:04 . 2010-06-21 03:04 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Yahoo
2010-06-21 03:04 . 2010-06-21 03:04 -------- d-----w- c:\program files\Yahoo! Widgets
2010-06-21 03:00 . 2010-06-21 03:00 -------- d-----w- c:\program files\Nikon
2010-06-21 03:00 . 2010-06-21 03:00 -------- d-----w- c:\program files\Common Files\Nikon
2010-06-21 02:56 . 2010-06-30 20:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-06-21 02:55 . 2010-07-09 19:38 -------- d-----w- c:\documents and settings\User\Application Data\SmartDraw
2010-06-21 02:52 . 2010-06-21 02:55 -------- d-----w- c:\program files\SmartDraw 7
2010-06-21 02:34 . 1999-09-16 17:15 102912 ----a-w- c:\winnt\system32\amnt.dll
2010-06-21 02:34 . 2000-09-14 16:58 1108992 ----a-w- c:\winnt\system32\AMOLE.dll
2010-06-21 02:34 . 2000-05-26 21:08 446464 ----a-w- c:\winnt\system32\Hhactivex.dll
2010-06-21 02:34 . 1998-09-03 22:49 57856 ----a-w- c:\winnt\system32\UnisynLib.dll
2010-06-21 02:34 . 1999-10-08 16:12 1134645 ----a-w- c:\winnt\system32\Sbe5_32.dll
2010-06-21 02:34 . 1999-08-20 20:56 109568 ----a-w- c:\winnt\system32\AMJR.dll
2010-06-21 02:34 . 1999-07-02 00:03 283984 ----a-w- c:\winnt\system32\XceedZip.dll
2010-06-21 02:34 . 2000-03-14 18:35 429056 ----a-w- c:\winnt\system32\RIPCMgr.dll
2010-06-21 02:34 . 2010-06-21 02:35 -------- d-----w- c:\program files\AutoMate4
2010-06-21 02:28 . 2010-06-21 02:28 -------- d-----w- c:\program files\Microsoft Works
2010-06-21 02:27 . 2010-06-21 02:27 -------- d-----w- c:\program files\Microsoft.NET
2010-06-21 02:24 . 2010-06-21 02:28 -------- d-----w- c:\winnt\SHELLNEW
2010-06-21 02:23 . 2010-06-21 02:23 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Microsoft Help
2010-06-21 02:23 . 2010-07-03 13:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-21 02:23 . 2010-06-21 02:23 -------- d-----r- C:\MSOCache
2010-06-21 02:18 . 2010-06-21 02:18 -------- d-----w- c:\documents and settings\User\Application Data\AdobeUM
2010-06-20 19:38 . 2010-07-14 14:21 -------- d-----w- c:\documents and settings\User\Application Data\TeraCopy
2010-06-20 19:37 . 2010-06-20 19:37 -------- d-----w- c:\program files\TeraCopy
2010-06-20 16:16 . 2010-06-20 16:16 654 ----a-w- c:\winnt\unins000.dat
2010-06-20 07:44 . 2010-06-20 07:44 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\PCHealth
2010-06-20 07:44 . 2010-06-20 07:44 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-06-20 04:52 . 2010-06-20 04:53 -------- d-----w- c:\program files\Irfanview
2010-06-20 04:41 . 2010-06-20 04:41 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Help
2010-06-20 04:38 . 2010-06-20 04:47 -------- d-----w- c:\program files\WallMaster

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-12 20:29 . 2002-08-29 12:00 52480 ----a-w- c:\winnt\system32\drivers\i8042prt.sys
2010-07-07 22:24 . 2010-05-21 02:48 -------- d-----w- c:\program files\Java
2010-06-29 20:56 . 2010-05-07 17:12 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-06-21 03:54 . 2010-06-21 03:54 -------- d--h--w- c:\program files\Zenographics
2010-06-21 03:54 . 2010-06-21 03:54 -------- d-----w- c:\program files\Hewlett-Packard
2010-06-21 03:00 . 2005-04-15 23:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-21 02:59 . 2005-04-15 23:19 -------- d-----w- c:\program files\Common Files\InstallShield
2010-06-20 16:16 . 2002-02-10 07:00 72748 ----a-w- c:\winnt\unins000.exe
2010-06-01 17:37 . 2010-05-07 17:15 221568 ------w- c:\winnt\system32\MpSigStub.exe
2010-05-21 18:03 . 2010-05-21 02:26 -------- d-----w- c:\documents and settings\User\Application Data\U3
2010-05-21 03:49 . 2010-05-21 03:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
2010-05-21 03:49 . 2010-05-21 03:49 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2010-05-21 03:49 . 2010-05-21 03:45 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-21 03:33 . 2010-05-21 03:33 -------- d-----w- c:\program files\Trend Micro
2010-05-21 03:33 . 2010-05-21 03:33 -------- d-----w- c:\documents and settings\User\Application Data\InstallShield
2010-05-21 03:04 . 2010-05-21 03:04 -------- d-----w- c:\program files\MuvEnum AddressBar
2010-05-21 03:00 . 2010-05-21 02:59 -------- d-----w- c:\program files\Pitaschio
2010-05-21 02:46 . 2010-05-21 02:46 152576 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2010-05-21 02:31 . 2010-05-21 02:31 -------- d-----w- c:\documents and settings\User\Application Data\Talkback
2010-05-21 02:31 . 2010-05-21 02:31 0 ----a-w- c:\winnt\nsreg.dat
2010-05-07 16:55 . 2005-04-15 18:16 168791 ----a-w- c:\winnt\PCHealth\HelpCtr\OfflineCache\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PureText"="\\Sean2\c\Program Files\PureText\PureText.exe" [2003-08-21 28672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]
"RegServer"="regserve.exe" [2003-03-17 24576]
"TridentWatchDog"="twatdog.exe" [2003-03-17 53248]
"NvCplDaemon"="c:\winnt\system32\NvCpl.dll" [2005-12-17 7340032]
"nwiz"="nwiz.exe" [2005-12-17 1519616]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-27 16384512]
"NVRotateSysTray"="c:\winnt\system32\nvsysrot.dll" [2005-12-17 49152]
"IgfxTray"="c:\winnt\system32\igfxtray.exe" [2008-02-29 141848]
"HotKeysCmds"="c:\winnt\system32\hkcmd.exe" [2008-02-29 166424]
"Persistence"="c:\winnt\system32\igfxpers.exe" [2008-02-29 137752]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"TMRUBottedTray"="c:\program files\Trend Micro\RUBotted\TMRUBottedTray.exe" [2007-12-19 288088]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\User\Start Menu\Programs\Startup\
GridMove.lnk - c:\program files\GridMove\GridMove.exe [2010-6-20 242934]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\winnt\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2010-5-20 25214]
AutoMate Task Service.lnk - c:\program files\AutoMate4\Automate.exe [2010-6-20 2586624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoHelp"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoHelp"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

R2 altio;altio;c:\winnt\system32\altio.sys [5/26/2004 7:56 PM 3200]
R3 TMPassthruMP;TMPassthruMP;c:\winnt\system32\drivers\TMPassthru.sys [5/20/2010 9:33 PM 35216]
S1 fkwzgmie;fkwzgmie;\??\c:\winnt\system32\drivers\fkwzgmie.sys --> c:\winnt\system32\drivers\fkwzgmie.sys [?]
S2 RUBotted;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\TMRUBotted.exe [5/20/2010 9:33 PM 517456]
S3 IFXTPM;IFXTPM;c:\winnt\system32\drivers\ifxtpm.sys [4/15/2005 1:59 PM 35968]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\winnt\system32\drivers\TMPassthru.sys [5/20/2010 9:33 PM 35216]
S3 tridxp4;tridxp4;c:\winnt\system32\drivers\tridxp4m.sys [7/27/2005 1:54 PM 189440]
.
Contents of the 'Scheduled Tasks' folder

2010-07-14 c:\winnt\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 03:40]

2010-07-14 c:\winnt\Tasks\SDMsgUpdate (SD).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2010-06-21 16:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\um64otsq.default\
FF - prefs.js: browser.search.selectedEngine - eBay.ca
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - component: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\um64otsq.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\um64otsq.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-New Value #1 - (no file)
SafeBoot-klmdb.sys
AddRemove-Display Driver Setup - c:\program files\Trident Microsystems



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-14 15:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINNT\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINNT\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-07-14 15:06:57
ComboFix-quarantined-files.txt 2010-07-14 21:06

Pre-Run: 103,599,677,440 bytes free
Post-Run: 103,791,501,312 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINNT
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINNT="Microsoft Windows XP Professional" /fastdetect /NoExecute
"Microsoft Windows Recovery Console" /cmdcons=

- - End Of File - - 33D4239BEE144D54555149BB0EDC8944
Occam
Regular Member
 
Posts: 26
Joined: June 30th, 2010, 3:24 am

Re: IE popping up ad windows at random - redux

Unread postby deltalima » July 15th, 2010, 3:54 am

Hi Occam,

Not clean yet


Please print these instructions.

Please download maxlook, saving the file to your desktop.

Double click maxlook.exe to run it. Note - you must run it only once!
As instructed when the tool runs, restart the computer and logon to the Recovery Console.

As soon as the computer starts there will be a black screen with white text displayed for a few seconds.

On this screen there will be the options to boot Microsoft Windows XP or
Microsoft Windows Recovery Console

Use the cursor keys to select Microsoft Windows Recovery Console then press enter.

Windows will boot to a text based screen and ask you to select the installation to log into, please choose the correct one, usually option 1 and press enter.

Execute the following command at the x:\windows> prompt (the x represents your operating system drive letter, usually C)

batch look.bat


You will see 1 file copied many times then return to the x:\windows> prompt.
Type Exit to restart your computer then logon in normal mode.

Once back in Windows, go to Start > Run, and copy/paste the following then press Enter.

maxlook -sig

Follow the prompts, and post the log produced, C:\looklog.txt
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: IE popping up ad windows at random - redux

Unread postby Occam » July 15th, 2010, 10:24 am

Run from C:\Documents and Settings\User\Desktop\maxlook.exe on Thu 07/15/2010 at 8:19:19.74

--------- maxlook unsigned files ---------

c:\winnt\maxdrive\ialmnt5.sys:
Verified: Unsigned
File date: 9:45 AM 2/25/2008
Publisher: Intel Corporation
Description: Intel Graphics Miniport Driver
Product: Intel Graphics Accelerator Drivers for Windows NT(R)
Version: 6.14.10.4631
File version: 6.14.10.4631
c:\winnt\maxdrive\mqac.sys:
Verified: Unsigned
File date: 5:48 AM 6/22/2009
Publisher: Microsoft Corporation
Description: Windows NT MQ Access Control Device Driver
Product: Microsoft Message Queue
Version: 5.01.1111
File version: 5.01.1111
c:\winnt\maxdrive\pcouffin.sys:
Verified: Unsigned
File date: 9:39 PM 6/20/2010
Publisher: VSO Software
Description: low level access layer for CD/DVD/BD devices
Product: Patin couffin engine
Version: 1.37
File version: 1.37
c:\winnt\maxdrive\tsdhd.sys:
Verified: Unsigned
File date: 3:27 AM 2/10/2003
Publisher: TOSHIBA Corporation
Description: SD Card Host Controller Driver
Product: SD Card Driver Set
Version: 2, 0, 2, 0
File version: 2, 0, 2, 30210

--------- system32\drivers unsigned files ---------

c:\winnt\system32\drivers\ialmnt5.sys:
Verified: Unsigned
File date: 9:45 AM 2/25/2008
Publisher: Intel Corporation
Description: Intel Graphics Miniport Driver
Product: Intel Graphics Accelerator Drivers for Windows NT(R)
Version: 6.14.10.4631
File version: 6.14.10.4631
c:\winnt\system32\drivers\mqac.sys:
Verified: Unsigned
File date: 5:48 AM 6/22/2009
Publisher: Microsoft Corporation
Description: Windows NT MQ Access Control Device Driver
Product: Microsoft Message Queue
Version: 5.01.1111
File version: 5.01.1111
c:\winnt\system32\drivers\pcouffin.sys:
Verified: Unsigned
File date: 9:39 PM 6/20/2010
Publisher: VSO Software
Description: low level access layer for CD/DVD/BD devices
Product: Patin couffin engine
Version: 1.37
File version: 1.37
c:\winnt\system32\drivers\tsdhd.sys:
Verified: Unsigned
File date: 3:27 AM 2/10/2003
Publisher: TOSHIBA Corporation
Description: SD Card Host Controller Driver
Product: SD Card Driver Set
Version: 2, 0, 2, 0
File version: 2, 0, 2, 30210
Occam
Regular Member
 
Posts: 26
Joined: June 30th, 2010, 3:24 am

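The report above has two sections with the same four drivers in each: the copies that look.bat took from the Recovery Console into c:\winnt\maxdrive, and the originals in c:\winnt\system32\drivers read from inside running Windows. As I read the procedure, the point of the Recovery Console pass is that those copies are made with no third-party driver loaded, so a rootkit that filters disk reads cannot present a clean file; a driver whose maxdrive copy is unsigned while the live copy verifies, or whose date or version differs between the two, is the thing to look for. Here every file is unsigned in both sections with identical metadata, which is the consistent case. Note also that "Verified: Unsigned" means no embedded Authenticode signature was found; on XP, in-box Microsoft drivers such as mqac.sys are normally covered by a signed catalog rather than signed in the file, so that verdict on its own is not evidence of tampering. The script below is an added example, not maxlook's own code and not part of the thread: it parses this log layout and cross-checks the two sections. The sample log is constructed, trimmed to three fields per driver, and the tsdhd.sys date change and the hidden.sys entry are invented so the flagged cases are visible.

```python
"""Cross-check the two sections of a maxlook-style unsigned-driver report.

Added illustration, not maxlook's own code. Layout follows the report
posted above; the sample is constructed, trimmed to three fields per
driver, and the tsdhd.sys date change and the hidden.sys entry are
invented so that the flagged cases are visible.
"""
import re

SECTION_RE = re.compile(r"^-{3,} (.+?) unsigned files -{3,}$")
PATH_RE = re.compile(r"^([a-z]:\\.*\\([^\\]+\.sys)):$", re.IGNORECASE)
FIELD_RE = re.compile(r"^([A-Za-z ]+): (.*)$")

SAMPLE_LOG = """\
--------- maxlook unsigned files ---------

c:\\winnt\\maxdrive\\ialmnt5.sys:
Verified: Unsigned
File date: 9:45 AM 2/25/2008
File version: 6.14.10.4631
c:\\winnt\\maxdrive\\tsdhd.sys:
Verified: Unsigned
File date: 3:27 AM 2/10/2003
File version: 2, 0, 2, 30210
c:\\winnt\\maxdrive\\hidden.sys:
Verified: Unsigned
File date: 1:00 AM 7/1/2010
File version: 5.1.2600.5512

--------- system32\\drivers unsigned files ---------

c:\\winnt\\system32\\drivers\\ialmnt5.sys:
Verified: Unsigned
File date: 9:45 AM 2/25/2008
File version: 6.14.10.4631
c:\\winnt\\system32\\drivers\\tsdhd.sys:
Verified: Unsigned
File date: 9:39 PM 6/20/2010
File version: 2, 0, 2, 30210
"""


def parse_report(text):
    """Return {section: {filename: {field: value}}} from a maxlook log."""
    sections, current, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            # "--------- <name> unsigned files ---------" opens a section
            current = sections.setdefault(m.group(1), {})
            entry = None
        elif (m := PATH_RE.match(line)) and current is not None:
            # "<full path>.sys:" opens a driver record, keyed by file name
            entry = current.setdefault(m.group(2).lower(), {"path": m.group(1)})
        elif (m := FIELD_RE.match(line)) and entry is not None:
            # "Field: value" lines belong to the current driver record
            entry[m.group(1)] = m.group(2)
    return sections


def cross_check(sections, offline="maxlook", live="system32\\drivers"):
    """Compare the Recovery Console copies with the live driver directory.

    Verdicts, most suspicious first:
      hidden     unsigned in the offline copy but verifies when read through
                 the running kernel: something is filtering disk reads
      changed    unsigned in both, but date or version differ between copies
      live-only  unsigned only in the live directory
      both       unsigned in both with identical metadata (consistent, and
                 usually just a driver without an embedded signature)
    """
    off, lv = sections.get(offline, {}), sections.get(live, {})
    keys = ("File date", "File version")
    findings = []
    for name, rec in off.items():
        if name not in lv:
            findings.append((name, "hidden"))
        elif any(rec.get(k) != lv[name].get(k) for k in keys):
            findings.append((name, "changed"))
        else:
            findings.append((name, "both"))
    findings += [(name, "live-only") for name in lv if name not in off]
    rank = {"hidden": 0, "changed": 1, "live-only": 2, "both": 3}
    return sorted(findings, key=lambda f: (rank[f[1]], f[0]))


if __name__ == "__main__":
    for name, verdict in cross_check(parse_report(SAMPLE_LOG)):
        print(f"{verdict:10} {name}")
```

Run against the log actually posted above, every entry comes out as "both"; the "hidden" verdict is the one that would justify treating the machine as rootkitted regardless of what the in-Windows scanners report.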
Re: IE popping up ad windows at random - redux

Unread postby deltalima » July 15th, 2010, 1:13 pm

Hi Occam,

Upload a File to Virustotal

Please go to Virustotal

Copy/paste this file and path into the white box at the top:
c:\winnt\system32\drivers\fkwzgmie.sys

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply along with a new HijackThis log and also let me know how your computer is running now.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK