Google redirect

Intel / Core2 quad
January 26, 2009 at 18:45:08
Specs: Windows XP, core2 quad 2.4ghz, 3.25gb
Hi, I'm another one of the growing masses impacted by the google redirect problem. My symptoms are consistent with the majority reported here...google links take me to unrelated ad filled sites.

I've tried to implement a number of the solutions in many of the earlier posts and haven't had any luck. I have most of the log files that are commonly asked for...can anyone lend me a hand?




#1
January 26, 2009 at 19:13:19
This may temporarily help with the redirects:

Click on Start, click Run, and then type devmgmt.msc and click OK
On the View menu click on Show hidden devices
Browse to Non-Plug and Play Drivers and click the + sign to the left, you should see something like TDSSserv.sys in that list.
Highlight that driver and right click on it and select DISABLE - NOT uninstall.
Now RESTART your computer.

Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

Rename the setup file, mbam-setup.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename mbam-setup.exe to tool.exe in the filename box, then click Save.

1. Double Click tool.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy&Paste the entire report in your next reply.


If Malwarebytes installed but will not run navigate to this folder:

C:\Program Files\Malwarebytes' Anti-Malware

Rename all the .exe files in the Malwarebytes' Anti-Malware folder and try to run it again.

Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This

Rename the setup file, HJTInstall.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename HJTInstall.exe to tools.exe in the filename box, then click Save.
1. Save " tools.exe" to your desktop.
2. Double click on tools.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.



#2
January 26, 2009 at 19:28:03
Thanks so much.

I checked for the TDSSserv device...it didn't exist.

Here are the two log files:

Malwarebytes' Anti-Malware 1.33
Database version: 1698
Windows 5.1.2600 Service Pack 3

26/01/2009 8:27:00 PM
mbam-log-2009-01-26 (20-27-00).txt

Scan type: Quick Scan
Objects scanned: 54849
Time elapsed: 4 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:27:36 PM, on 26/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\docume~1\scottm~1\locals~1\temp\cdm\{da7b2702-0710-48ac-a507-6879d312740c}\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Scott McLaughlan\Desktop\New Folder\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Documents and Settings\Scott McLaughlan\Desktop\New Folder\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_9 -reboot 1
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\docume~1\scottm~1\locals~1\temp\cdm\{da7b2702-0710-48ac-a507-6879d312740c}\STacSV.exe

--
End of file - 10326 bytes
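As an added illustration (not part of the thread, and not a tool the helpers used): a small parser for the HijackThis O4 and O23 line formats shown above that flags autostart entries for review when the binary lives under a temporary or user-profile directory (as the STacSV.exe service entry does) or is given as a bare file name with no directory. The sample log lines are constructed, modelled on the posted log; the directory list and the classification rules are my own assumptions, and a flag means "look at this", not "this is malware".

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in HijackThis O4/O23 format, modelled on the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\docume~1\scottm~1\locals~1\temp\cdm\{da7b2702-0710-48ac-a507-6879d312740c}\STacSV.exe
"""

# O4 - <hive>: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# O23 - Service: <display name> - <vendor> - <image path>
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
# A quoted path, an unquoted drive/%VAR% path up to its extension, or a bare file name.
PATH_RE = re.compile(
    r'"([^"]+)"'
    r"|((?:[A-Za-z]:|%\w+%)\\.+?\.(?:exe|dll|sys|cpl))"
    r"|([\w~.-]+\.(?:exe|dll|sys|cpl))",
    re.IGNORECASE,
)

# Assumed list of directories an ordinary XP user can write to. An autostart
# binary living in one of these is unusual for a driver or system service.
USER_WRITABLE = (
    "\\temp\\", "\\locals~1\\", "\\local settings\\", "\\docume~1\\",
    "\\documents and settings\\", "\\application data\\", "\\desktop\\",
)


@dataclass
class Finding:
    line_no: int
    kind: str    # "O4" or "O23"
    label: str   # Run-key value name or service display name
    path: str
    reason: str


def extract_path(cmd: str) -> str | None:
    """Return the executable or module launched by an O4 command line.

    RUNDLL32.EXE is a Microsoft host binary, so for rundll32 entries the module
    it is asked to load is returned instead of rundll32 itself.
    """
    tokens = [next(g for g in m.groups() if g) for m in PATH_RE.finditer(cmd)]
    if not tokens:
        return None
    if tokens[0].lower().endswith("rundll32.exe") and len(tokens) > 1:
        return tokens[1]
    return tokens[0]


def classify(path: str) -> str | None:
    """Return a review reason for the path, or None if nothing stands out."""
    low = path.lower()
    for d in USER_WRITABLE:
        if d in low:
            return f"autostart binary under user-writable directory ({d.strip(chr(92))})"
    if not re.match(r"^(?:[a-z]:\\|%\w+%\\)", low):
        # No directory at all: the loader resolves it through the search path,
        # so a same-named file placed earlier in that path would win.
        return "unqualified file name; resolved through the search path at launch"
    return None


def scan(log_text: str) -> list[Finding]:
    """Parse O4/O23 lines and return the entries worth a second look."""
    findings: list[Finding] = []
    for no, line in enumerate(log_text.splitlines(), start=1):
        if m := O4_RE.match(line):
            kind, label, path = "O4", m["name"], extract_path(m["cmd"])
        elif m := O23_RE.match(line):
            kind, label, path = "O23", m["svc"], m["path"].strip()
        else:
            continue
        if path is None:
            continue
        reason = classify(path)
        if reason:
            findings.append(Finding(no, kind, label, path, reason))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no} {f.kind} [{f.label}] {f.path}\n    -> {f.reason}")
```

Entries that pass this filter are not cleared; a known-good path can still hold a replaced file, which is why the helpers in the thread also asked for hash-based checks such as ComboFix's Sigcheck section.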




#3
January 26, 2009 at 19:36:08
Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe to toolb.exe in the filename box, then click Save.

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline, turn off your Norton antivirus, Spyware Doctor, and any other antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.


Remember to re-enable the protection again afterwards before connecting to the Internet.

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse, it will cause your system to hang.)
Please post the log it produces.



#4
January 26, 2009 at 19:48:47
Great, thanks! Here's the log file:

ComboFix 09-01-21.04 - Scott McLaughlan 2009-01-26 20:44:30.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2774 [GMT -7:00]
Running from: c:\documents and settings\Scott McLaughlan\Desktop\toolb.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\a.exe
c:\windows\winhelp.ini

.
((((((((((((((((((((((((( Files Created from 2008-12-27 to 2009-01-27 )))))))))))))))))))))))))))))))
.

2009-01-25 22:46 . 2009-01-25 22:46 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-25 22:03 . 2009-01-25 22:03 <DIR> d-------- c:\documents and settings\Scott McLaughlan\Application Data\Malwarebytes
2009-01-25 22:03 . 2009-01-25 22:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-25 22:03 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-25 22:03 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-25 21:49 . 2009-01-25 21:49 <DIR> d--hs---- c:\documents and settings\Scott McLaughlan\UserData
2009-01-25 21:33 . 2009-01-26 00:00 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-01-25 21:33 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2009-01-25 21:33 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2009-01-25 21:33 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2009-01-25 21:33 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2009-01-25 21:32 . 2009-01-25 21:43 <DIR> d-------- c:\program files\Spyware Doctor
2009-01-25 21:32 . 2009-01-25 21:32 <DIR> d-------- c:\documents and settings\Scott McLaughlan\Application Data\PC Tools
2009-01-24 14:15 . 2009-01-24 14:15 <DIR> d-------- c:\windows\ie8updates
2009-01-23 22:17 . 2009-01-23 22:17 <DIR> d--hs---- c:\documents and settings\Scott McLaughlan\PrivacIE
2009-01-23 22:13 . 2009-01-23 22:14 <DIR> d--h-c--- c:\windows\ie8
2009-01-12 22:00 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2009-01-12 22:00 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2009-01-10 16:14 . 2009-01-10 16:14 <DIR> d-------- c:\program files\Windows Media Connect 2
2009-01-10 16:13 . 2009-01-10 16:14 <DIR> d-------- c:\windows\system32\drivers\UMDF
2009-01-04 08:32 . 2009-01-04 08:32 <DIR> d--h----- c:\program files\Zero G Registry
2009-01-04 08:32 . 2009-01-04 08:32 <DIR> d-------- c:\program files\TOD 012009
2008-12-31 09:17 . 2009-01-25 22:46 410,984 --a------ c:\windows\system32\deploytk.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-26 05:46 --------- d-----w c:\program files\Java
2009-01-14 05:20 --------- d-----w c:\program files\Google
2008-12-21 04:01 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-21 04:01 --------- d-----w c:\program files\AGEIA Technologies
2008-12-21 03:46 66,872 ----a-w c:\windows\system32\PnkBstrA.exe
2008-12-21 03:46 22,328 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-12-21 03:46 22,328 ----a-w c:\documents and settings\Scott McLaughlan\Application Data\PnkBstrK.sys
2008-12-21 03:46 2,250,024 ----a-w c:\windows\system32\pbsvc.exe
2008-12-21 03:46 107,832 ----a-w c:\windows\system32\PnkBstrB.exe
2008-12-21 03:43 --------- d-----w c:\program files\Ubisoft
2008-12-21 03:42 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-13 15:52 --------- d-----w c:\program files\iTunes
2008-12-13 15:52 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-13 15:51 --------- d-----w c:\program files\iPod
2008-12-13 15:51 --------- d-----w c:\program files\Common Files\Apple
2008-12-13 15:50 --------- d-----w c:\program files\QuickTime
2008-12-13 15:45 --------- d-----w c:\program files\Safari
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-12 20:45 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2006-12-29 04:17 43,976 ----a-w c:\documents and settings\Scott McLaughlan\Application Data\GDIPFONTCACHEV1.DAT
.

------- Sigcheck -------

2006-02-28 05:00 82944 2ed0b7f12a60f90092081c50fa0ec2b2 c:\windows\$NtServicePackUninstall$\ws2_32.dll
2008-04-13 17:12 82432 ea26746495dc5ed1cf9695907e10cdf8 c:\windows\ServicePackFiles\i386\ws2_32.dll
2008-04-13 17:12 82432 ea26746495dc5ed1cf9695907e10cdf8 c:\windows\system32\ws2_32.dll
2008-04-13 17:12 82432 ea26746495dc5ed1cf9695907e10cdf8 c:\windows\system32\dllcache\ws2_32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-16 68856]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 313472]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2008-08-01 1103216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-07-13 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 483328]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb06.exe" [2002-07-11 188416]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-01 81920]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-04-10 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 86016]
"SpyHunter Security Suite"="c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2009-01-13 864256]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-25 136600]
"nwiz"="nwiz.exe" [2008-11-12 c:\windows\system32\nwiz.exe]
"CTHelper"="CTHELPER.EXE" [2006-12-12 c:\windows\system32\CtHelper.exe]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-12-12 c:\windows\system32\Ctxfihlp.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-12-19 25214]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-12-11 967960]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-04-28 415072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= wdmaud.sys

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Documents and Settings\\Scott McLaughlan\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Documents and Settings\\Scott McLaughlan\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"c:\\Documents and Settings\\Scott McLaughlan\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1697:UDP"= 1697:UDP:Windows Media Format SDK (firefox.exe)

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-25 356920]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2009-01-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-688789844-839522115-1003.job
- c:\documents and settings\Scott McLaughlan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-12 14:26]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NWEReboot - (no file)


.
------- Supplementary Scan -------
.
uStart Page = www.msn.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: microsoft.com\office
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-26 20:45:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-790525478-688789844-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"??"=hex:d9,cb,36,2b,f4,4c,ac,08,26,00,ca,73,aa,ae,a1,1e,6f,ae,c2,04,94,a8,32,
e6,39,0a,4d,c9,9b,ce,9d,21,00,ef,aa,4a,3d,68,dd,70,ec,01,b2,e2,a3,71,48,1d,\
"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49

[HKEY_USERS\S-1-5-21-790525478-688789844-839522115-1003\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"datasecu"=hex:1f,9c,64,79,25,f6,7b,be,7a,ee,bb,ee,f4,30,52,f4,59,d6,5a,93,96,
d4,ed,cd,ae,8a,f9,4f,dc,db,f8,dd,4c,e9,8a,06,f1,ef,ff,dc,9e,75,65,5b,61,52,\
"rkeysecu"=hex:6f,3c,c7,40,b7,22,1d,68,07,17,cd,f1,e2,66,80,31
.
Completion time: 2009-01-26 20:47:00
ComboFix-quarantined-files.txt 2009-01-27 03:46:41

Pre-Run: 287,304,142,848 bytes free
Post-Run: 287,509,286,912 bytes free

180 --- E O F --- 2009-01-24 21:15:41



#5
January 26, 2009 at 20:14:22
Have the redirects subsided?


#6
January 26, 2009 at 20:24:21
Sadly, no...still happening as often as before. Any thoughts or suggestions?


#7
January 27, 2009 at 03:41:07
Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
C:\windows\System32\wdmaud.sys

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if ComboFix does not auto start, click "Run".

If the redirects have not subsided after removing wdmaud.sys from the system folder, run the following scans and post their logs.

Once you get SDFix downloaded go offline, turn off your antivirus, and turn off any antispyware that you have, run SDFix from safe mode and restart the Antivirus before you get back on line to post the log.

Download SDFix.exe and save it to your Desktop.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the Internet.

1. Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
2. Open the c:\SDFix folder and double click RunThis.cmd to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
3. Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
4. Finally, open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt.

Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.



#8
January 27, 2009 at 20:06:49
Still having the redirect problems.

Here's the Goored log file:

GooredFix v1.83 by jpshortstuff
Log created at 21:05 on 27/01/2009 running Option #1 (Scott McLaughlan)
Firefox version [Unable to determine]

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"


and the SDFix log


[b]SDFix: Version 1.240 [/b]
Run by Scott McLaughlan on 27/01/2009 at 08:55 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

[b]Checking Services [/b]:


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


[b]Checking Files [/b]:


Any thoughts on this?



#9
January 27, 2009 at 20:14:27
I don't see anything yet. There should be more to SDFix log, please post all of it.


#10
January 27, 2009 at 20:18:33
Aha! Didn't scroll, sorry about that!


[b]SDFix: Version 1.240 [/b]
Run by Scott McLaughlan on 27/01/2009 at 08:55 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

[b]Checking Services [/b]:


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


[b]Checking Files [/b]:

No Trojan Files Found


Removing Temp Files

[b]ADS Check [/b]:


[b]Final Check [/b]:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-27 21:00:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


[b]Remaining Services [/b]:


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"="C:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe:*:Enabled:QuickBooks 2008 Data Manager"
"C:\\Documents and Settings\\Scott McLaughlan\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"="C:\\Documents and Settings\\Scott McLaughlan\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4"
"C:\\Documents and Settings\\Scott McLaughlan\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"="C:\\Documents and Settings\\Scott McLaughlan\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe:*:Enabled:Sid Meier's Civilization 4 Warlords"
"C:\\Documents and Settings\\Scott McLaughlan\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"="C:\\Documents and Settings\\Scott McLaughlan\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe:*:Enabled:Sid Meier's Civilization 4 Pitboss"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"="C:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe:*:Enabled:QuickBooks 2009 Data Manager"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"="C:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe:*:Enabled:Far Cry 2"
"C:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"="C:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe:*:Enabled:Far Cry 2 Updater"
"C:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"="C:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe:*:Enabled:Editor"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Disabled:Windows Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[b]Remaining Files [/b]:

[b]Files with Hidden Attributes [/b]:

Sat 26 Jan 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 10 Jan 2009 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sat 20 Dec 2008 67,498,308 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\948d02a0ca743a8633a59f43b2bad4d2\BIT2EF.tmp"
Fri 2 Jan 2009 14,930 ...HR --- "C:\Documents and Settings\Scott McLaughlan\Application Data\SecuROM\UserData\securom_v7_01.bak"
Sat 28 May 2005 4,348 A..H. --- "C:\Documents and Settings\Scott McLaughlan\My Documents\My Music\License Backup\drmv1key.bak"
Sat 28 May 2005 20 A..H. --- "C:\Documents and Settings\Scott McLaughlan\My Documents\My Music\License Backup\drmv1lic.bak"
Fri 24 Sep 2004 312 A.SH. --- "C:\Documents and Settings\Scott McLaughlan\My Documents\My Music\License Backup\drmv2key.bak"

[b]Finished![/b]



#11
January 27, 2009 at 21:33:20
I suggest a manual guide. Try a manual guideline instead of antiviruses and anti-spywares.
http://darfuns.com/remove-google-se...


#12
January 28, 2009 at 03:42:08
Download OTScanIt2 to your Desktop from the following link:

OTScanIt2 by oldtimer

Double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.

Open the OTScanIt2 folder and double-click on OTScanIt.exe to start the program. Make sure you close all other programs and don't use the PC while the scan runs.
Under File Age at the top, change it from 30 days to 90 days
Under Additional Scans check the boxes beside Reg - ColumnHandlers, Reg - Desktop Components, Reg - Disabled MS Config Items, Reg - File Associations, Reg - NetSvcs, Reg - Protocol Filters, Reg - Protocol Handlers, Reg - SafeBoot Minimal, Reg - SafeBoot Network, Reg - Session Manager Settings, Reg - Winsock2 Catalogs, File - Lop Check, File - Purity Scan, Files - Signature Check, and Evnt - EventViewer Logs ( Last 10 Errors).
Under Rootkit Search change it to Yes
Under the Custom Scans box at the bottom left paste the following in

%systemroot%\Prefetch\*.* /s
%systemroot%\system32\drivers\*.dat
%systemroot%\Temp\bca4e2da.$$$
%systemroot%\Temp\ed47fa.$
%systemroot%\Temp\fa56d7ec.$$$
%systemroot%\System32\antiwpa.dll
%PROGRAMFILES%\*crack*.
%PROGRAMFILES%\*keygen*.
%SYSTEMDRIVE%\*crack*.
%SYSTEMDRIVE%\*keygen*.
%SYSTEMDRIVE%\*.zip
%SYSTEMDRIVE%\*.rar
%SYSTEMDRIVE%\*.exe
%SYSTEMDRIVE%\*.dll
%systemroot%\*.zip
%systemroot%\*.rar
%systemroot%\system32\*.zip
%systemroot%\system32\*.rar
%PROGRAMFILES%\*.zip
%PROGRAMFILES%\*.rar
%PROGRAMFILES%\*.exe
%PROGRAMFILES%\*.dll
%DESKTOP%\*.zip
%DESKTOP%\*.rar
%DESKTOP%\*.exe
%PROGRAMFILES%\Common Files\*.*
%PROGRAMFILES%\Common Files\*bak*.
%systemroot%\SYSTEM32\*bak*.
%PROGRAMFILES%\*bak*.
%USERNAME%\*.zip
%USERNAME%\*.rar
%USERNAME%\*.exe
%USERPROFILE%\*.zip
%USERPROFILE%\*.rar
%USERPROFILE%\*.exe
%ALLUSERSPROFILE%\*.zip
%ALLUSERSPROFILE%\*.rar
%ALLUSERSPROFILE%\*.exe
%APPDATA%\*.zip
%APPDATA%\*.rar
%APPDATA%\*.exe
%ALLUSERSSTARTMENU%\*.zip
%ALLUSERSSTARTMENU%\*.rar
%ALLUSERSSTARTMENU%\*.exe
%ALLUSERSSTARTUP%\*.zip
%ALLUSERSSTARTUP%\*.rar
%ALLUSERSSTARTUP%\*.exe
%ALLUSERSPROGRAMS%\*.zip
%ALLUSERSPROGRAMS%\*.rar
%ALLUSERSPROGRAMS%\*.exe
%ALLUSERSAPPDATA%\*.zip
%ALLUSERSAPPDATA%\*.rar
%ALLUSERSAPPDATA%\*.exe
%APPDATA%\*.zip
%APPDATA%\*.rar
%APPDATA%\*.exe
%APPDATA%\*.dat
%APPDATA%\*.dll
%QUICKLAUNCH%\*.zip
%QUICKLAUNCH%\*.rar
%QUICKLAUNCH%\*.exe
%STARTUP%\*.zip
%STARTUP%\*.rar
%STARTUP%\*.exe
%STARTMENU%\*.zip
%STARTMENU%\*.rar
%STARTMENU%\*.exe
%MYDOCUMENTS%\*.zip
%MYDOCUMENTS%\*.rar
%MYDOCUMENTS%\*.exe
%PROGRAMFILES%\Mozilla Firefox\plugins\*.*
%PROGRAMFILES%\Internet Explorer\*.*
%PROGRAMFILES%\Mozilla Firefox\*.zip /s
%PROGRAMFILES%\Mozilla Firefox\*.rar /s
%PROGRAMFILES%\Mozilla Firefox\*.exe /s
%PROGRAMFILES%\Internet Explorer\*.zip /s
%PROGRAMFILES%\Internet Explorer\*.rar /s
%PROGRAMFILES%\Internet Explorer\*.exe /s
%SYSTEMDRIVE%\*.dat
%SYSTEMDRIVE%\*.sys
%SYSTEMROOT%\*.dat
%SYSTEMROOT%\*.sys
%systemroot%\system32\drivers\*.exe /s
%systemroot%\system32\drivers\*.zip /s
%systemroot%\system32\drivers\*.rar /s
%systemroot%\system\*.exe /s
%systemroot%\system\*.zip /s
%systemroot%\system\*.rar /s
%systemroot%\AppPatch\*.exe /s
%systemroot%\AppPatch\*.zip /s
%systemroot%\AppPatch\*.rar /s
%systemroot%\Cache\*.*
%systemroot%\Downloaded Program Files\*.*
%systemroot%\Fonts\*.exe /s
%systemroot%\Fonts\*.zip /s
%systemroot%\Fonts\*.rar /s
%systemroot%\Fonts\*.dll /s
%systemroot%\Help\*.exe /s
%systemroot%\Help\*.zip /s
%systemroot%\Help\*.rar /s
%systemroot%\Tasks\*.*
%APPDATA%\*.sys
%systemroot%\system32\serauth1.dll
%systemroot%\system32\serauth2.dll
%systemroot%\system32\sysaudio.sys
%PROGRAMFILES%\*TinyProxy*.
%PROGRAMFILES%\Bitlord\Downloads\*.zip /s
%PROGRAMFILES%\Bitlord\Downloads\*.rar /s
%PROGRAMFILES%\Bitlord\Downloads\*.exe /s
%PROGRAMFILES%\Bitlord\Downloads\*crack*.
%PROGRAMFILES%\Bitlord\Downloads\*keygen*.
%PROGRAMFILES%\eMule\Incoming\*.zip /s
%PROGRAMFILES%\eMule\Incoming\*.rar /s
%PROGRAMFILES%\eMule\Incoming\*.exe /s
%PROGRAMFILES%\eMule\Incoming\*crack*.
%PROGRAMFILES%\eMule\Incoming\*keygen*.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla|extensions /rs


Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
When the scan is complete Notepad will open with the report file loaded in it.


Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

This will be a large file and may take several posts to get it all posted.



#13
January 28, 2009 at 18:02:23
Thanks for the help on this one! It is a big file...I'll try three or four posts:

POST 1

[code]
OTScanIt2 logfile created on: 28/01/2009 6:53:52 PM - Run 2
OTScanIt2 by OldTimer - Version 1.0.7.1 Folder = C:\Documents and Settings\Scott McLaughlan\Desktop\OTScanIt\OTScanIt2
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18241)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 271.11 Gb Free Space | 90.95% Space Free | Partition Type: NTFS
Drive D: | 298.09 Gb Total Space | 297.79 Gb Free Space | 99.90% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SCOTT
Current User Name: Scott McLaughlan
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 90 Days

[Processes - Safe List]
applemobiledeviceservice.exe -> %CommonProgramFiles%\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -> [2008/11/07 14:28:16 | 00,132,424 | ---- | M] (Apple Inc.)
defwatch.exe -> %ProgramFiles%\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe -> [2003/05/01 14:22:06 | 00,032,768 | ---- | M] (Symantec Corporation)
googletoolbarnotifier.exe -> %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe -> [2008/10/16 20:57:58 | 00,068,856 | ---- | M] (Google Inc.)
ipodservice.exe -> %ProgramFiles%\iPod\bin\iPodService.exe -> [2008/11/20 13:20:44 | 00,536,872 | ---- | M] (Apple Inc.)
ituneshelper.exe -> %ProgramFiles%\iTunes\iTunesHelper.exe -> [2008/11/20 13:20:54 | 00,290,088 | ---- | M] (Apple Inc.)
jqs.exe -> %ProgramFiles%\Java\jre6\bin\jqs.exe -> [2009/01/25 22:46:49 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.)
jusched.exe -> %ProgramFiles%\Java\jre6\bin\jusched.exe -> [2009/01/25 22:46:49 | 00,136,600 | ---- | M] (Sun Microsystems, Inc.)
mdnsresponder.exe -> %ProgramFiles%\Bonjour\mDNSResponder.exe -> [2008/08/29 09:18:44 | 00,238,888 | ---- | M] (Apple Inc.)
nvsvc32.exe -> %SystemRoot%\system32\nvsvc32.exe -> [2008/11/12 14:54:00 | 00,163,908 | ---- | M] (NVIDIA Corporation)
otscanit2.exe -> %UserProfile%\Desktop\OTScanIt\OTScanIt2\OTScanIt2.exe -> [2009/01/26 12:13:22 | 00,485,376 | ---- | M] (OldTimer Tools)
rtvscan.exe -> %ProgramFiles%\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe -> [2003/05/01 14:24:40 | 00,589,824 | ---- | M] (Symantec Corporation)
rundll32.exe -> %SystemRoot%\system32\rundll32.exe -> [2008/04/13 17:12:33 | 00,033,280 | ---- | M] (Microsoft Corporation)
sttray.exe -> %ProgramFiles%\IDT\WDM\sttray.exe -> [2008/04/10 19:07:20 | 00,413,696 | ---- | M] (IDT, Inc.)
wzqkpick.exe -> %ProgramFiles%\WinZip\WZQKPICK.EXE -> [2008/04/28 10:20:00 | 00,415,072 | R--- | M] (WinZip Computing, S.L.)

[Win32 Services - Safe List]
(Adobe LM Service) Adobe LM Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Adobe Systems Shared\Service\Adobelmsvc.exe -> [2007/12/19 15:54:30 | 00,069,632 | ---- | M] (Adobe Systems)
(Apple Mobile Device) Apple Mobile Device [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -> [2008/11/07 14:28:16 | 00,132,424 | ---- | M] (Apple Inc.)
(aspnet_state) ASP.NET State Service [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -> [2007/10/24 01:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation)
(Bonjour Service) Bonjour Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Bonjour\mDNSResponder.exe -> [2008/08/29 09:18:44 | 00,238,888 | ---- | M] (Apple Inc.)
(clr_optimization_v2.0.50727_32) .NET Runtime Optimization Service v2.0.50727_X86 [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -> [2007/10/24 01:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation)
(DefWatch) DefWatch [Win32_Own | Auto | Running] -> %ProgramFiles%\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe -> [2003/05/01 14:22:06 | 00,032,768 | ---- | M] (Symantec Corporation)
(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> [2009/01/13 22:20:24 | 00,137,200 | ---- | M] (Google)
(helpsvc) Help and Support [Win32_Shared | Auto | Running] -> %SystemRoot%\pchealth\helpctr\binaries\pchsvc.dll -> [2008/04/13 17:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation)
(iPod Service) iPod Service [Win32_Own | On_Demand | Running] -> %ProgramFiles%\iPod\bin\iPodService.exe -> [2008/11/20 13:20:44 | 00,536,872 | ---- | M] (Apple Inc.)
(JavaQuickStarterService) Java Quick Starter [Win32_Own | Auto | Running] -> %ProgramFiles%\Java\jre6\bin\jqs.exe -> [2009/01/25 22:46:49 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.)
(Norton AntiVirus Server) Symantec AntiVirus Client [Win32_Own | Auto | Running] -> %ProgramFiles%\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe -> [2003/05/01 14:24:40 | 00,589,824 | ---- | M] (Symantec Corporation)
(NVSvc) NVIDIA Display Driver Service [Win32_Own | Auto | Running] -> %SystemRoot%\system32\nvsvc32.exe -> [2008/11/12 14:54:00 | 00,163,908 | ---- | M] (NVIDIA Corporation)
(ose) Office Source Engine [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Microsoft Shared\Source Engine\OSE.EXE -> [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation)
(PnkBstrA) PnkBstrA [Win32_Own | Disabled | Stopped] -> %SystemRoot%\system32\PnkBstrA.exe -> [2008/12/20 20:46:38 | 00,066,872 | ---- | M] ()
(PnkBstrB) PnkBstrB [Win32_Own | Disabled | Stopped] -> %SystemRoot%\system32\PnkBstrB.exe -> [2008/12/20 20:46:48 | 00,107,832 | ---- | M] ()
(QBCFMonitorService) QBCFMonitorService [Win32_Own | Disabled | Stopped] -> %CommonProgramFiles%\Intuit\QuickBooks\QBCFMonitorService.exe -> [2008/12/09 01:40:50 | 00,020,480 | ---- | M] (Intuit)
(QBFCService) Intuit QuickBooks FCS [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -> [2006/10/09 22:01:00 | 00,071,184 | ---- | M] (Intuit Inc.)
(sdAuxService) PC Tools Auxiliary Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Spyware Doctor\pctsAuxs.exe -> [2008/06/13 16:29:14 | 00,356,920 | ---- | M] (PC Tools)
(sdCoreService) PC Tools Security Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Spyware Doctor\pctsSvc.exe -> [2008/10/09 13:47:42 | 01,079,176 | ---- | M] (PC Tools)
(STacSV) Audio Service [Win32_Own | Auto | Stopped] -> %SystemRoot%\system32\stacsv.exe -> [2008/04/10 19:08:44 | 00,212,992 | ---- | M] (IDT, Inc.)
(WMPNetworkSvc) Windows Media Player Network Sharing Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Windows Media Player\wmpnetwk.exe -> [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation)
(WudfSvc) Windows Driver Foundation - User-mode Driver Framework [Win32_Shared | On_Demand | Stopped] -> %SystemRoot%\system32\WudfSvc.dll -> [2006/09/28 18:56:14 | 00,055,808 | ---- | M] (Microsoft Corporation)

[Driver Services - Safe List]
(catchme) catchme [Kernel | On_Demand | Running] -> -> File not found
(ctac32k) Creative AC3 Software Decoder [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ctac32k.sys -> [2006/12/19 07:35:40 | 00,511,288 | ---- | M] (Creative Technology Ltd)
(ctaud2k) Creative Audio Driver (WDM) [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ctaud2k.sys -> [2007/06/18 02:01:28 | 00,514,560 | ---- | M] (Creative Technology Ltd)
(ctdvda2k) Creative DVD-Audio Device Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\ctdvda2k.sys -> [2005/11/10 02:06:04 | 00,340,704 | R--- | M] (Creative Technology Ltd)
(ctprxy2k) Creative Proxy Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ctprxy2k.sys -> [2006/12/19 07:36:36 | 00,014,648 | ---- | M] (Creative Technology Ltd)
(ctsfm2k) Creative SoundFont Management Device Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ctsfm2k.sys -> [2006/12/19 07:36:42 | 00,156,984 | ---- | M] (Creative Technology Ltd)
(e1express) Intel(R) PRO/1000 PCI Express Network Connection Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\e1e5132.sys -> [2007/06/07 19:59:05 | 00,254,872 | R--- | M] (Intel Corporation)
(eeCtrl) Symantec Eraser Control driver [Kernel | System | Running] -> %CommonProgramFiles%\Symantec Shared\EENGINE\eeCtrl.sys -> [2008/04/14 01:00:00 | 00,385,072 | ---- | M] (Symantec Corporation)
(emupia) E-mu Plug-in Architecture Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\emupia2k.sys -> [2006/12/19 07:36:46 | 00,090,936 | ---- | M] (Creative Technology Ltd)
(GEARAspiWDM) GEAR ASPI Filter Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\GEARAspiWDM.sys -> [2008/04/17 12:12:54 | 00,015,464 | ---- | M] (GEAR Software Inc.)
(ha20x2k) Creative 20X HAL Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ha20x2k.sys -> [2006/12/19 07:36:54 | 01,160,504 | ---- | M] (Creative Technology Ltd)
(HDAudBus) Microsoft UAA Bus Driver for High Definition Audio [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\hdaudbus.sys -> [2008/04/13 09:36:05 | 00,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider)
(HECI) Intel(R) Management Engine Interface [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\HECI.sys -> [2007/03/13 13:05:30 | 00,044,672 | ---- | M] (Intel Corporation)
(IKFileSec) File Security Driver [File_System | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\ikfilesec.sys -> [2008/08/25 12:36:28 | 00,040,840 | ---- | M] (PCTools Research Pty Ltd.)
(IKSysFlt) System Filter Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\iksysflt.sys -> [2008/08/25 12:36:28 | 00,066,952 | ---- | M] (PCTools Research Pty Ltd.)
(IKSysSec) System Security Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\iksyssec.sys -> [2008/08/25 12:36:30 | 00,081,288 | ---- | M] (PCTools Research Pty Ltd.)
(kbdhid) Keyboard HID Driver [Kernel | System | Running] -> %SystemRoot%\system32\drivers\kbdhid.sys -> [2008/04/13 11:39:48 | 00,014,592 | ---- | M] (Microsoft Corporation)
(NAVAP) NAVAP [Kernel | On_Demand | Running] -> %ProgramFiles%\Symantec_Client_Security\Symantec AntiVirus\Navap.sys -> [2002/11/11 08:58:34 | 00,219,136 | ---- | M] (Symantec Corporation)
(NAVAPEL) NAVAPEL [Kernel | Auto | Running] -> %ProgramFiles%\Symantec_Client_Security\Symantec AntiVirus\Navapel.sys -> [2002/11/11 08:58:36 | 00,029,696 | ---- | M] (Symantec Corporation)
(NAVENG) NAVENG [Kernel | On_Demand | Running] -> %CommonProgramFiles%\Symantec Shared\VirusDefs\20090127.004\NAVENG.SYS -> [2009/01/27 02:00:00 | 00,089,104 | ---- | M] (Symantec Corporation)
(NAVEX15) NAVEX15 [Kernel | On_Demand | Running] -> %CommonProgramFiles%\Symantec Shared\VirusDefs\20090127.004\NAVEX15.SYS -> [2009/01/27 02:00:00 | 00,876,112 | ---- | M] (Symantec Corporation)
(nv) nv [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\nv4_mini.sys -> [2008/11/12 14:54:00 | 06,188,320 | ---- | M] (NVIDIA Corporation)
(ossrv) Creative OS Services Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ctoss2k.sys -> [2006/12/19 07:36:32 | 00,128,312 | ---- | M] (Creative Technology Ltd.)
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ptilink.sys -> [2006/02/28 05:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.)
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\secdrv.sys -> [2007/11/13 03:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
(STHDA) IDT High Definition Audio CODEC [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\sthda.sys -> [2008/04/10 19:10:10 | 01,271,032 | ---- | M] (IDT, Inc.)
(SymEvent) SymEvent [Kernel | On_Demand | Running] -> %ProgramFiles%\Symantec\SYMEVENT.SYS -> [2007/12/19 21:58:25 | 00,073,432 | ---- | M] (Symantec Corporation)


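A small triage script for the OTScanIt2 log format posted above, added here as an example; it is not part of OldTimer's tool or of this thread. The sample lines are constructed from entries quoted in the log posts, and the three rules (a running entry whose file is missing, an entry with no publisher recorded, and ProxyEnable set to 1) are review heuristics of my own, not the tool's.

```python
r"""Triage helper for OTScanIt2-style log lines (added example, not part of
OldTimer's tool or of this thread).  It parses the entry shapes the posted
log uses,

    (key) Display Name [Type | Start | State] -> path -> [meta] (Company)
    "RunKey" -> path [command line] -> [meta] (Company)
    HIVE\: Sub\\"Value" -> data ->

and returns the entries a removal helper reads first.  The rules are my own
review heuristics: a running entry whose file is missing, an entry with no
publisher recorded, and an enabled Internet Explorer proxy.
"""
import re
from typing import List, Optional, Tuple

# Service/driver entry, e.g. "(catchme) catchme [Kernel | On_Demand | Running] -> -> File not found"
ENTRY_RE = re.compile(
    r"^\((?P<key>[^)]*)\)\s+(?P<name>.*?)\s+"
    r"\[(?P<type>[^|\]]*)\|(?P<start>[^|\]]*)\|(?P<state>[^\]]*)\]"
    r"\s+->\s*(?P<path>.*?)\s*->\s*(?P<tail>.*)$"
)
# Run-key or toolbar entry; an optional "[HKLM]" may follow the quoted key.
RUN_RE = re.compile(
    r'^"(?P<key>[^"]*)"(?:\s+\[[A-Z]+\])?\s+->\s*(?P<path>.*?)\s*->\s*(?P<tail>.*)$'
)
# Registry value line, e.g. 'HKEY_CURRENT_USER\: "ProxyEnable" -> 1 ->'
REGVAL_RE = re.compile(
    r'^(?P<hive>HKEY_[A-Z_]+)\\:\s+(?P<sub>[^"]*)"(?P<value>[^"]*)"'
    r"\s+->\s*(?P<data>.*?)\s*->\s*$"
)

Finding = Tuple[str, str, str]  # (category, entry key, detail)


def publisher(tail: str) -> Optional[str]:
    """Company from a "[meta] (Company)" tail: '' when the log shows "()",
    None when there is no metadata block at all (e.g. "File not found")."""
    if not tail.startswith("["):
        return None
    _, sep, rest = tail.partition("] ")
    rest = rest.strip()
    if not sep or not (rest.startswith("(") and rest.endswith(")")):
        return None
    return rest[1:-1].strip()  # keeps inner parens, e.g. "Windows (R) ..."


def triage(lines: List[str]) -> List[Finding]:
    """Return (category, key, detail) for every line that trips a rule."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            if "File not found" in m["tail"]:
                if m["state"].strip() == "Running":
                    findings.append(("missing-file", m["key"],
                                     "running %s entry with no file on disk" % m["type"].strip()))
            elif publisher(m["tail"]) == "":
                findings.append(("no-publisher", m["key"], m["path"]))
            continue
        m = RUN_RE.match(line)
        if m:
            if "File not found" in m["tail"]:
                findings.append(("missing-file", m["key"], "autorun points at " + m["path"]))
            elif publisher(m["tail"]) == "":
                findings.append(("no-publisher", m["key"], m["path"]))
            continue
        m = REGVAL_RE.match(line)
        if m and m["value"] == "ProxyEnable" and m["data"].strip() == "1":
            findings.append(("proxy", m["hive"] + " ProxyEnable",
                             "IE proxy is switched on; confirm it was set deliberately"))
    return findings


# Constructed sample: a handful of entries copied from the thread's log posts.
SAMPLE_LOG = r"""
(Bonjour Service) Bonjour Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Bonjour\mDNSResponder.exe -> [2008/08/29 09:18:44 | 00,238,888 | ---- | M] (Apple Inc.)
(PnkBstrA) PnkBstrA [Win32_Own | Disabled | Stopped] -> %SystemRoot%\system32\PnkBstrA.exe -> [2008/12/20 20:46:38 | 00,066,872 | ---- | M] ()
(catchme) catchme [Kernel | On_Demand | Running] -> -> File not found
(HDAudBus) Microsoft UAA Bus Driver for High Definition Audio [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\hdaudbus.sys -> [2008/04/13 09:36:05 | 00,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider)
"igndlm.exe" -> [C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork] -> File not found
"swg" -> %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe] -> [2008/10/16 20:57:58 | 00,068,856 | ---- | M] (Google Inc.)
HKEY_CURRENT_USER\: "ProxyEnable" -> 1 ->
HKEY_CURRENT_USER\: Main\\"Start Page" -> www.msn.com/ ->
"""

if __name__ == "__main__":
    for category, key, detail in triage(SAMPLE_LOG.splitlines()):
        print("%-13s %-30s %s" % (category, key, detail))
```

The output is a list of items to look at, not verdicts: the catchme entry it flags, for instance, is the Gmer scanner that SDFix's Final Check ran in the log earlier in this thread.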

#14
January 28, 2009 at 18:03:29
POST 2:

[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> ->
HKEY_LOCAL_MACHINE\: Main\\"Default_Page_URL" -> http://go.microsoft.com/fwlink/?Lin... ->
HKEY_LOCAL_MACHINE\: Main\\"Default_Search_URL" -> http://go.microsoft.com/fwlink/?Lin... ->
HKEY_LOCAL_MACHINE\: Main\\"Default_Secondary_Page_URL" -> ->
HKEY_LOCAL_MACHINE\: Main\\"Extensions Off Page" -> about:NoAdd-ons ->
HKEY_LOCAL_MACHINE\: Main\\"Local Page" -> C:\WINDOWS\system32\blank.htm ->
HKEY_LOCAL_MACHINE\: Main\\"Search Page" -> http://go.microsoft.com/fwlink/?Lin... ->
HKEY_LOCAL_MACHINE\: Main\\"Security Risk Page" -> about:SecurityRisk ->
HKEY_LOCAL_MACHINE\: Main\\"Start Page" -> http://go.microsoft.com/fwlink/?Lin... ->
HKEY_LOCAL_MACHINE\: Search\\"CustomizeSearch" -> http://ie.search.msn.com/{SUB_RFC17... ->
HKEY_LOCAL_MACHINE\: Search\\"Default_Search_URL" -> http://www.google.com/ie ->
HKEY_LOCAL_MACHINE\: Search\\"SearchAssistant" -> http://ie.search.msn.com/{SUB_RFC17... ->
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> ->
HKEY_CURRENT_USER\: Main\\"Local Page" -> C:\WINDOWS\system32\blank.htm ->
HKEY_CURRENT_USER\: Main\\"Page_Transitions" -> ->
HKEY_CURRENT_USER\: Main\\"Search Page" -> http://www.microsoft.com/isapi/redi... ->
HKEY_CURRENT_USER\: Main\\"SearchMigratedDefaultName" -> Google ->
HKEY_CURRENT_USER\: Main\\"SearchMigratedDefaultURL" -> http://www.google.com/search?q={sea... ->
HKEY_CURRENT_USER\: Main\\"Start Page" -> www.msn.com/ ->
HKEY_CURRENT_USER\: SearchURL\\"" -> http://www.google.com/search?q=%s ->
HKEY_CURRENT_USER\: "ProxyEnable" -> 1 ->
HKEY_CURRENT_USER\: "ProxyOverride" -> *.local ->
< HOSTS File > (686 bytes and 19 lines) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
127.0.0.1 localhost
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> [2006/12/18 04:16:41 | 00,059,032 | ---- | M] (Adobe Systems Incorporated)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> %ProgramFiles%\Java\jre6\bin\ssv.dll [Java(tm) Plug-In SSV Helper] -> [2009/01/25 22:46:50 | 00,320,920 | ---- | M] (Sun Microsystems, Inc.)
{AA58ED58-01DD-4d91-8333-CF10577473F7} [HKLM] -> %ProgramFiles%\Google\Google Toolbar\GoogleToolbar.dll [Google Toolbar Helper] -> [2009/01/13 22:19:38 | 00,251,504 | ---- | M] ()
{AE7CD045-E861-484f-8273-0445EE161910} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF Conversion Toolbar Helper] -> [2006/12/18 04:18:14 | 00,231,160 | ---- | M] (Adobe Systems Incorporated)
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} [HKLM] -> %ProgramFiles%\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll [Google Toolbar Notifier BHO] -> [2009/01/13 22:20:25 | 00,657,904 | ---- | M] (Google Inc.)
{C84D72FE-E17D-4195-BB24-76C02E2E7C4E} [HKLM] -> %ProgramFiles%\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll [Google Dictionary Compression sdch] -> [2009/01/13 22:19:38 | 00,522,224 | ---- | M] (Google Inc.)
{DBC80044-A445-435b-BC74-9C25C1C588A9} [HKLM] -> %ProgramFiles%\Java\jre6\bin\jp2ssv.dll [Java(tm) Plug-In 2 SSV Helper] -> [2009/01/25 22:46:49 | 00,034,816 | ---- | M] (Sun Microsystems, Inc.)
{E7E6F031-17CE-4C07-BC86-EABFE594F69C} [HKLM] -> %ProgramFiles%\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [JQSIEStartDetectorImpl Class] -> [2009/01/25 22:46:50 | 00,073,728 | ---- | M] (Sun Microsystems, Inc.)
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" [HKLM] -> %ProgramFiles%\Google\Google Toolbar\GoogleToolbar.dll [&Google Toolbar] -> [2009/01/13 22:19:38 | 00,251,504 | ---- | M] ()
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> [2006/12/18 04:18:14 | 00,231,160 | ---- | M] (Adobe Systems Incorporated)
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
ShellBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
ShellBrowser\\"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> [2006/12/18 04:18:14 | 00,231,160 | ---- | M] (Adobe Systems Incorporated)
WebBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> %ProgramFiles%\Google\Google Toolbar\GoogleToolbar.dll [&Google Toolbar] -> [2009/01/13 22:19:38 | 00,251,504 | ---- | M] ()
WebBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
WebBrowser\\"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> [2006/12/18 04:18:14 | 00,231,160 | ---- | M] (Adobe Systems Incorporated)
WebBrowser\\"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
"Acrobat Assistant 7.0" -> %ProgramFiles%\Adobe\Acrobat 7.0\Distillr\acrotray.exe ["C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"] -> [2006/01/12 20:52:32 | 00,483,328 | ---- | M] (Adobe Systems Inc.)
"AppleSyncNotifier" -> %CommonProgramFiles%\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe] -> [2008/09/03 19:12:50 | 00,111,936 | ---- | M] (Apple Inc.)
"AudioDrvEmulator" -> %ProgramFiles%\Creative\Shared Files\Module Loader\DLLML.exe ["C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"] -> [2005/11/04 18:07:56 | 00,049,152 | ---- | M] (Creative Technology Ltd.)
"CTHelper" -> %SystemRoot%\system32\CtHelper.exe [CTHELPER.EXE] -> [2006/12/12 09:46:52 | 00,019,456 | ---- | M] (Creative Technology Ltd)
"CTxfiHlp" -> %SystemRoot%\system32\Ctxfihlp.exe [CTXFIHLP.EXE] -> [2006/12/12 09:46:54 | 00,020,480 | ---- | M] (Creative Technology Ltd)
"HPDJ Taskbar Utility" -> %SystemRoot%\system32\spool\drivers\w32x86\3\hpztsb06.exe [C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe] -> [2002/07/11 05:06:23 | 00,188,416 | ---- | M] (HP)
"iTunesHelper" -> %ProgramFiles%\iTunes\iTunesHelper.exe ["C:\Program Files\iTunes\iTunesHelper.exe"] -> [2008/11/20 13:20:54 | 00,290,088 | ---- | M] (Apple Inc.)
"NeroFilterCheck" -> %SystemRoot%\system32\NeroCheck.exe [C:\WINDOWS\system32\NeroCheck.exe] -> [2001/07/09 11:50:42 | 00,155,648 | ---- | M] (Ahead Software Gmbh)
"NvCplDaemon" -> %SystemRoot%\system32\nvcpl.dll [RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup] -> [2008/11/12 14:54:00 | 13,672,448 | ---- | M] (NVIDIA Corporation)
"NvMediaCenter" -> %SystemRoot%\system32\nvmctray.dll [RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit] -> [2008/11/12 14:54:00 | 00,086,016 | ---- | M] (NVIDIA Corporation)
"nwiz" -> %SystemRoot%\system32\nwiz.exe [nwiz.exe /install] -> [2008/11/12 14:54:00 | 01,630,208 | ---- | M] ()
"QuickTime Task" -> %ProgramFiles%\QuickTime\QTTask.exe ["C:\Program Files\QuickTime\qttask.exe" -atboottime] -> [2008/11/04 10:30:50 | 00,413,696 | ---- | M] (Apple Inc.)
"SunJavaUpdateSched" -> %ProgramFiles%\Java\jre6\bin\jusched.exe ["C:\Program Files\Java\jre6\bin\jusched.exe"] -> [2009/01/25 22:46:49 | 00,136,600 | ---- | M] (Sun Microsystems, Inc.)
"SysTrayApp" -> %ProgramFiles%\IDT\WDM\sttray.exe [%ProgramFiles%\IDT\WDM\sttray.exe] -> [2008/04/10 19:07:20 | 00,413,696 | ---- | M] (IDT, Inc.)
"UpdReg" -> %SystemRoot%\Updreg.EXE [C:\WINDOWS\UpdReg.EXE] -> [2000/05/11 01:00:00 | 00,090,112 | ---- | M] (Creative Technology Ltd.)
"VolPanel" -> %ProgramFiles%\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe ["C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r] -> [2006/07/13 14:11:42 | 00,122,880 | ---- | M] (Creative Technology Ltd)
"vptray" -> %ProgramFiles%\Symantec_Client_Security\Symantec AntiVirus\VPTray.exe [C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe] -> [2003/05/01 14:21:02 | 00,081,920 | ---- | M] (Symantec Corporation)
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
"igndlm.exe" -> [C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork] -> File not found
"swg" -> %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe] -> [2008/10/16 20:57:58 | 00,068,856 | ---- | M] (Google Inc.)
"updateMgr" -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe ["C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_9 -reboot 1] -> [2006/03/30 16:45:08 | 00,313,472 | ---- | M] (Adobe Systems Incorporated)
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
%AllUsersProfile%\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk -> %SystemRoot%\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe -> [2008/02/23 10:47:14 | 00,025,214 | R--- | M] ()
%AllUsersProfile%\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk -> %CommonProgramFiles%\Intuit\QuickBooks\QBUpdate\qbupdate.exe -> [2008/12/11 11:35:06 | 00,967,960 | ---- | M] (Intuit Canada)
%AllUsersProfile%\Start Menu\Programs\Startup\WinZip Quick Pick.lnk -> %ProgramFiles%\WinZip\WZQKPICK.EXE -> [2008/04/28 10:20:00 | 00,415,072 | R--- | M] (WinZip Computing, S.L.)
< Scott McLaughlan Startup Folder > -> C:\Documents and Settings\Scott McLaughlan\Start Menu\Programs\Startup ->
< Software Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer ->
< Software Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer ->
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveAutoRun" -> [67108863] -> File not found
\\"NoDriveTypeAutoRun" -> [323] -> File not found
\\"NoDrives" -> [0] -> File not found
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
\\"dontdisplaylastusername" -> [0] -> File not found
\\"shutdownwithoutlogon" -> [1] -> File not found
\\"undockwithoutlogon" -> [1] -> File not found
\\"LegalNoticeText" -> [] -> File not found
\\"LegalNoticeCaption" -> [] -> File not found
< CurrentVersion Policy Settings - Explorer [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [323] -> File not found
\\"" -> [] -> File not found
\\"NoDriveAutoRun" -> [67108863] -> File not found
\\"NoDrives" -> [0] -> File not found
< CurrentVersion Policy Settings - System [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
Convert link target to Adobe PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html] -> [2006/12/18 04:18:14 | 00,231,160 | ---- | M] (Adobe Systems Incorporated)
Convert link target to existing PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html] -> [2006/12/18 04:18:14 | 00,231,160 | ---- | M] (Adobe Systems Incorporated)
Convert selected links to Adobe PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html] -> [2006/12/18 04:18:14 | 00,231,160 | ---- | M] (Adobe Systems Incorporated)
Convert selected links to existing PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html] -> [2006/12/18 04:18:14 | 00,231,160 | ---- | M] (Adobe Systems Incorporated)
Convert selection to Adobe PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html] -> [2006/12/18 04:18:14 | 00,231,160 | ---- | M] (Adobe Systems Incorporated)
Convert selection to existing PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html] -> [2006/12/18 04:18:14 | 00,231,160 | ---- | M] (Adobe Systems Incorporated)
Convert to Adobe PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html] -> [2006/12/18 04:18:14 | 00,231,160 | ---- | M] (Adobe Systems Incorporated)
Convert to existing PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html] -> [2006/12/18 04:18:14 | 00,231,160 | ---- | M] (Adobe Systems Incorporated)
E&xport to Microsoft Excel -> %ProgramFiles%\Microsoft Office\OFFICE11\EXCEL.EXE [res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000] -> [2008/10/13 11:29:28 | 10,351,944 | ---- | M] (Microsoft Corporation)
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{92780B25-18CC-41C8-B9BE-3C9C571A8263}:{FF059E31-CC5A-4E2E-BF3B-96E929D65503} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Button: Research] -> [2007/04/19 14:10:18 | 00,063,840 | ---- | M] (Microsoft Corporation)
{e2e2dd38-d088-4134-82b7-f2ba38496583}:Exec [HKLM] -> %SystemRoot%\network diagnostic\xpnetdiag.exe [Menu: @xpsp3res.dll,-20001] -> [2008/04/13 11:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}:Exec [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Button: Messenger] -> [2008/04/13 17:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}:Exec [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Menu: Windows Messenger] -> [2008/04/13 17:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ ->
CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value does not exist or could not be read.] -> File not found
CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2007/04/19 14:10:18 | 00,063,840 | ---- | M] (Microsoft Corporation)
CmdMapping\\"{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}" [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\"{e2e2dd38-d088-4134-82b7-f2ba38496583}" [HKLM] -> %SystemRoot%\network diagnostic\xpnetdiag.exe [@xpsp3res.dll,-20001] -> [2008/04/13 11:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/13 17:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ ->
PluginsPageFriendlyName -> Microsoft ActiveX Gallery ->
PluginsPage -> http://activex.microsoft.com/contro... ->
< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 1 domain(s) found. ->
1 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 2 domain(s) found. ->
.[msn] -> My Computer ->
office_microsoft.com [http] -> Trusted sites ->
1 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{41564D57-9980-0010-8000-00AA00389B71} [HKLM] -> http://download.microsoft.com/downl... [Reg Error: Key does not exist or could not be opened.] ->
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} [HKLM] -> http://update.microsoft.com/microso... [MUWebControl Class] ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> http://java.sun.com/update/1.6.0/ji... [Java Plug-in 1.6.0_11] ->
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} [HKLM] -> http://fpdownload.macromedia.com/ge... [Reg Error: Key does not exist or could not be opened.] ->
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/ji... [Java Plug-in 1.6.0_11] ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/ji... [Java Plug-in 1.6.0_11] ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} [HKLM] -> http://fpdownload.macromedia.com/ge... [Shockwave Flash Object] ->
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{7A30835E-511D-42F4-9535-1B28C4506AD1} -> (Intel(R) 82566DC-2 Gigabit Network Connection) ->
{D856D885-85DA-433B-B316-DF639E83E394} -> (1394 Net Adapter) ->
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
NavLogon -> %SystemRoot%\system32\NavLogon.dll -> [2003/05/01 14:19:00 | 00,045,056 | ---- | M] ()
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List ->
"%windir%\Network Diagnostic\xpnetdiag.exe" -> C:\WINDOWS\network diagnostic\xpnetdiag.exe [%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000] -> [2008/04/13 11:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" -> C:\WINDOWS\system32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> [2008/04/13 17:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation)
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List ->
"%windir%\Network Diagnostic\xpnetdiag.exe" -> C:\WINDOWS\network diagnostic\xpnetdiag.exe [%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000] -> [2008/04/13 11:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" -> C:\WINDOWS\system32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> [2008/04/13 17:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation)
"C:\Documents and Settings\Scott McLaughlan\Application Data\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe" -> C:\Documents and Settings\Scott McLaughlan\Application Data\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe [C:\Documents and Settings\Scott McLaughlan\Application Data\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4] -> [2007/05/16 21:52:50 | 11,739,782 | ---- | M] (Firaxis Games)
"C:\Documents and Settings\Scott McLaughlan\Application Data\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords.exe" -> C:\Documents and Settings\Scott McLaughlan\Application Data\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords.exe [C:\Documents and Settings\Scott McLaughlan\Application Data\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords.exe:*:Enabled:Sid Meier's Civilization 4 Warlords] -> [2007/05/16 18:25:20 | 11,134,130 | ---- | M] (Firaxis Games)
"C:\Documents and Settings\Scott McLaughlan\Application Data\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords_PitBoss.exe" -> C:\Documents and Settings\Scott McLaughlan\Application Data\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords_PitBoss.exe [C:\Documents and Settings\Scott McLaughlan\Application Data\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords_PitBoss.exe:*:Enabled:Sid Meier's Civilization 4 Pitboss] -> [2007/05/16 18:57:52 | 08,581,120 | ---- | M] (Firaxis Games)
"C:\Program Files\Bonjour\mDNSResponder.exe" -> C:\Program Files\Bonjour\mDNSResponder.exe [C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour] -> [2008/08/29 09:18:44 | 00,238,888 | ---- | M] (Apple Inc.)
"C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe" -> C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe [C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe:*:Enabled:QuickBooks 2008 Data Manager] -> [2008/06/06 03:39:06 | 00,128,280 | ---- | M] (iAnywhere Solutions, Inc.)
"C:\Program Files\Intuit\QuickBooks 2009\QBDBMgrN.exe" -> C:\Program Files\Intuit\QuickBooks 2009\QBDBMgrN.exe [C:\Program Files\Intuit\QuickBooks 2009\QBDBMgrN.exe:*:Enabled:QuickBooks 2009 Data Manager] -> [2008/12/11 11:33:44 | 00,128,280 | ---- | M] (iAnywhere Solutions, Inc.)
"C:\Program Files\iTunes\iTunes.exe" -> C:\Program Files\iTunes\iTunes.exe [C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes] -> [2008/11/20 13:20:48 | 14,294,824 | ---- | M] (Apple Inc.)
"C:\Program Files\Messenger\msmsgs.exe" -> C:\Program Files\Messenger\msmsgs.exe [C:\Program Files\Messenger\msmsgs.exe:*:Disabled:Windows Messenger] -> [2008/04/13 17:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Ubisoft\Far Cry 2\bin\FarCry2.exe" -> C:\Program Files\Ubisoft\Far Cry 2\bin\farcry2.exe [C:\Program Files\Ubisoft\Far Cry 2\bin\FarCry2.exe:*:Enabled:Far Cry 2] -> [2008/12/15 09:12:34 | 05,205,640 | ---- | M] (Ubisoft Entertainment)
"C:\Program Files\Ubisoft\Far Cry 2\bin\FC2Editor.exe" -> C:\Program Files\Ubisoft\Far Cry 2\bin\FC2Editor.exe [C:\Program Files\Ubisoft\Far Cry 2\bin\FC2Editor.exe:*:Enabled:Editor] -> [2008/12/09 14:27:26 | 01,171,456 | ---- | M] (Ubisoft Entertainment)
"C:\Program Files\Ubisoft\Far Cry 2\bin\FC2Launcher.exe" -> C:\Program Files\Ubisoft\Far Cry 2\bin\FC2Launcher.exe [C:\Program Files\Ubisoft\Far Cry 2\bin\FC2Launcher.exe:*:Enabled:Far Cry 2 Updater] -> [2008/10/02 13:34:14 | 00,619,144 | ---- | M] (Ubisoft)
"C:\WINDOWS\system32\PnkBstrA.exe" -> C:\WINDOWS\system32\PnkBstrA.exe [C:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA] -> [2008/12/20 20:46:38 | 00,066,872 | ---- | M] ()
"C:\WINDOWS\system32\PnkBstrB.exe" -> C:\WINDOWS\system32\PnkBstrB.exe [C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB] -> [2008/12/20 20:46:48 | 00,107,832 | ---- | M] ()
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot ->
"AlternateShell" -> cmd.exe ->
< CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->
"AutoRun" -> 1 ->
"DisplayName" -> CD-ROM Driver ->
"ImagePath" -> %SystemRoot%\system32\drivers\cdrom.sys [system32\DRIVERS\cdrom.sys] -> [2008/04/13 11:40:46 | 00,062,976 | ---- | M] (Microsoft Corporation)
< Drives with AutoRun files > -> ->
C:\AUTOEXEC.BAT [] -> %SystemDrive%\AUTOEXEC.BAT [ NTFS ] -> [2007/12/19 14:17:44 | 00,000,000 | ---- | M] ()
C:\autorun.inf [] -> %SystemDrive%\autorun.inf [ NTFS ] -> [2009/01/25 21:48:58 | 00,000,000 | RHSD | M]
D:\autorun.inf [] -> D:\autorun.inf [ NTFS ] -> [2009/01/25 21:48:58 | 00,000,000 | RHSD | M]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 ->



#15
January 28, 2009 at 18:04:27
POST 3:

[Registry - Additional Scans - Safe List]
< ColumnHandlers - Folder [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\ ->
{7D4D6379-F301-4311-BEBA-E26EB0561882} [HKLM] -> %CommonProgramFiles%\Ahead\Lib\NeroDigitalExt.dll [NeroDigitalColumnHandler Class] -> [2005/09/03 13:58:22 | 01,802,240 | ---- | M] (Nero AG)
{F9DB5320-233E-11D1-9F84-707F02C10627} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\pdfshell.dll [PDF Shell Extension] -> [2004/12/14 02:20:02 | 00,110,592 | ---- | M] (Adobe Systems, Inc.)
< Desktop Components > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\ ->
0 -> [Key] ->
0 -> FriendlyName = My Current Home Page ->
0 -> Source = About:Home ->
0 -> SubscribedURL = About:Home ->
< File Associations - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\ ->
.bat [@ = batfile] -> "%1" %* ->
.chm [@ = chm.file] -> %SystemRoot%\hh.exe -> [2008/04/13 17:12:21 | 00,010,752 | ---- | M] (Microsoft Corporation)
.cmd [@ = cmdfile] -> "%1" %* ->
.com [@ = ComFile] -> "%1" %* ->
.exe [@ = exefile] -> "%1" %* ->
.hlp [@ = hlpfile] -> %SystemRoot%\system32\winhlp32.exe -> [2006/02/28 05:00:00 | 00,008,192 | ---- | M] (Microsoft Corporation)
.hta [@ = htafile] -> %SystemRoot%\system32\mshta.exe -> [2008/08/22 03:04:54 | 00,045,568 | ---- | M] (Microsoft Corporation)
.html [@ = htmlfile] -> %ProgramFiles%\Internet Explorer\iexplore.exe -> [2008/08/22 03:16:40 | 00,637,984 | ---- | M] (Microsoft Corporation)
.inf [@ = inffile] -> %SystemRoot%\system32\notepad.exe -> [2008/04/13 17:12:29 | 00,069,120 | ---- | M] (Microsoft Corporation)
.ini [@ = inifile] -> %SystemRoot%\system32\notepad.exe -> [2008/04/13 17:12:29 | 00,069,120 | ---- | M] (Microsoft Corporation)
.js [@ = JSFile] -> %SystemRoot%\system32\wscript.exe -> [2008/05/08 04:24:44 | 00,155,648 | ---- | M] (Microsoft Corporation)
.jse [@ = JSEFile] -> %SystemRoot%\system32\wscript.exe -> [2008/05/08 04:24:44 | 00,155,648 | ---- | M] (Microsoft Corporation)
.pif [@ = piffile] -> "%1" %* ->
.reg [@ = regfile] -> %SystemRoot%\regedit.exe -> [2008/04/13 17:12:32 | 00,146,432 | ---- | M] (Microsoft Corporation)
.scr [@ = scrfile] -> "%1" /S ->
.txt [@ = txtfile] -> %SystemRoot%\system32\notepad.exe -> [2008/04/13 17:12:29 | 00,069,120 | ---- | M] (Microsoft Corporation)
.vbe [@ = VBEFile] -> %SystemRoot%\system32\wscript.exe -> [2008/05/08 04:24:44 | 00,155,648 | ---- | M] (Microsoft Corporation)
.vbs [@ = VBSFile] -> %SystemRoot%\system32\wscript.exe -> [2008/05/08 04:24:44 | 00,155,648 | ---- | M] (Microsoft Corporation)
.wsf [@ = WSFFile] -> %SystemRoot%\system32\wscript.exe -> [2008/05/08 04:24:44 | 00,155,648 | ---- | M] (Microsoft Corporation)
.wsh [@ = WSHFile] -> %SystemRoot%\system32\wscript.exe -> [2008/05/08 04:24:44 | 00,155,648 | ---- | M] (Microsoft Corporation)
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost > -> ->
*netsvcs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs ->
6to4 -> [] ->
Ias -> [] ->
Iprip -> [] ->
Irmon -> [] ->
NWCWorkstation -> [] ->
Nwsapagent -> [] ->
WmdmPmSp -> [] ->
helpsvc -> C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll [C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll] -> [2008/04/13 17:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> ->
< Protocol Filters [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\ ->
text/xml:{807553E5-5146-11D5-A672-00B0D022E945} [HKLM] -> %CommonProgramFiles%\Microsoft Shared\OFFICE11\MSOXMLMF.DLL[Reg Error: Value does not exist or could not be read.] -> [2007/04/19 13:57:40 | 00,046,432 | ---- | M] (Microsoft Corporation)
< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
intu-res:{9CE7D474-16F9-4889-9BB9-53E2008EAE8A} [HKLM] -> %CommonProgramFiles%\Intuit\intu-res.dll[INTUResPlugProt Class] -> [2006/06/08 10:25:20 | 00,155,648 | ---- | M] ()
ipp: [HKLM] -> No CLSID value
ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} [HKLM] -> %CommonProgramFiles%\System\Ole DB\MSDAIPP.DLL[MSDAMON.BINDER] -> [2005/09/20 12:33:58 | 00,843,984 | ---- | M] (Microsoft Corporation)
msdaipp: [HKLM] -> No CLSID value
msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} [HKLM] -> %CommonProgramFiles%\System\Ole DB\MSDAIPP.DLL[MSDAMON.BINDER] -> [2005/09/20 12:33:58 | 00,843,984 | ---- | M] (Microsoft Corporation)
msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} [HKLM] -> %CommonProgramFiles%\System\Ole DB\MSDAIPP.DLL[MSDAIPP.BINDER] -> [2005/09/20 12:33:58 | 00,843,984 | ---- | M] (Microsoft Corporation)
mso-offdap:{3D9F03FA-7A94-11D3-BE81-0050048385D1} [HKLM] -> %CommonProgramFiles%\Microsoft Shared\Web Components\10\OWC10.DLL[Data Page Pluggable Protocol mso-offdap Handler] -> [2007/03/14 13:10:22 | 07,255,384 | ---- | M] (Microsoft Corporation)
mso-offdap11:{32505114-5902-49B2-880A-1F7738E5A384} [HKLM] -> %CommonProgramFiles%\Microsoft Shared\Web Components\11\OWC11.DLL[Data Page Plugable Protocal mso-offdap11 Handler] -> [2007/05/10 13:45:34 | 08,069,464 | ---- | M] (Microsoft Corporation)
< SafeBoot-Minimal Settings > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ ->
{36FC9E60-C465-11CF-8056-444553540000} -> Universal Serial Bus controllers
{4D36E965-E325-11CE-BFC1-08002BE10318} -> CD-ROM Drive
{4D36E967-E325-11CE-BFC1-08002BE10318} -> DiskDrive
{4D36E969-E325-11CE-BFC1-08002BE10318} -> Standard floppy disk controller
{4D36E96A-E325-11CE-BFC1-08002BE10318} -> Hdc
{4D36E96B-E325-11CE-BFC1-08002BE10318} -> Keyboard
{4D36E96F-E325-11CE-BFC1-08002BE10318} -> Mouse
{4D36E977-E325-11CE-BFC1-08002BE10318} -> PCMCIA Adapters
{4D36E97B-E325-11CE-BFC1-08002BE10318} -> SCSIAdapter
{4D36E97D-E325-11CE-BFC1-08002BE10318} -> System
{4D36E980-E325-11CE-BFC1-08002BE10318} -> Floppy disk drive
{533C5B84-EC70-11D2-9505-00C04F79DEAF} -> Volume shadow copy
{71A27CDD-812A-11D0-BEC7-08002BE2092F} -> Volume
{745A17A0-74D3-11D0-B6FE-00A0C90F57DA} -> Human Interface Devices
Base -> Driver Group
Boot Bus Extender -> Driver Group
Boot file system -> Driver Group
File system -> Driver Group
Filter -> Driver Group
HelpSvc -> %SystemRoot%\pchealth\helpctr\binaries\pchsvc.dll -> [2008/04/13 17:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation)
PCI Configuration -> Driver Group
PNP Filter -> Driver Group
Primary disk -> Driver Group
SCSI Class -> Driver Group
sdauxservice -> %ProgramFiles%\Spyware Doctor\pctsAuxs.exe -> [2008/06/13 16:29:14 | 00,356,920 | ---- | M] (PC Tools)
sdcoreservice -> %ProgramFiles%\Spyware Doctor\pctsSvc.exe -> [2008/10/09 13:47:42 | 01,079,176 | ---- | M] (PC Tools)
sermouse.sys -> Driver
System Bus Extender -> Driver Group
vds -> Service
vga.sys -> Driver
< SafeBoot-Network Settings > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ ->
{36FC9E60-C465-11CF-8056-444553540000} -> Universal Serial Bus controllers
{4D36E965-E325-11CE-BFC1-08002BE10318} -> CD-ROM Drive
{4D36E967-E325-11CE-BFC1-08002BE10318} -> DiskDrive
{4D36E969-E325-11CE-BFC1-08002BE10318} -> Standard floppy disk controller
{4D36E96A-E325-11CE-BFC1-08002BE10318} -> Hdc
{4D36E96B-E325-11CE-BFC1-08002BE10318} -> Keyboard
{4D36E96F-E325-11CE-BFC1-08002BE10318} -> Mouse
{4D36E972-E325-11CE-BFC1-08002BE10318} -> Net
{4D36E973-E325-11CE-BFC1-08002BE10318} -> NetClient
{4D36E974-E325-11CE-BFC1-08002BE10318} -> NetService
{4D36E975-E325-11CE-BFC1-08002BE10318} -> NetTrans
{4D36E977-E325-11CE-BFC1-08002BE10318} -> PCMCIA Adapters
{4D36E97B-E325-11CE-BFC1-08002BE10318} -> SCSIAdapter
{4D36E97D-E325-11CE-BFC1-08002BE10318} -> System
{4D36E980-E325-11CE-BFC1-08002BE10318} -> Floppy disk drive
{71A27CDD-812A-11D0-BEC7-08002BE2092F} -> Volume
{745A17A0-74D3-11D0-B6FE-00A0C90F57DA} -> Human Interface Devices
Base -> Driver Group
Boot Bus Extender -> Driver Group
Boot file system -> Driver Group
File system -> Driver Group
Filter -> Driver Group
HelpSvc -> %SystemRoot%\pchealth\helpctr\binaries\pchsvc.dll -> [2008/04/13 17:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation)
NDIS Wrapper -> Driver Group
NetBIOSGroup -> Driver Group
NetDDEGroup -> Driver Group
Network -> Driver Group
NetworkProvider -> Driver Group
PCI Configuration -> Driver Group
PNP Filter -> Driver Group
PNP_TDI -> Driver Group
Primary disk -> Driver Group
rdpdd.sys -> %SystemRoot%\system32\rdpdd.dll -> [2008/04/13 17:13:22 | 00,092,424 | ---- | M] (Microsoft Corporation)
SCSI Class -> Driver Group
sdauxservice -> %ProgramFiles%\Spyware Doctor\pctsAuxs.exe -> [2008/06/13 16:29:14 | 00,356,920 | ---- | M] (PC Tools)
sdcoreservice -> %ProgramFiles%\Spyware Doctor\pctsSvc.exe -> [2008/10/09 13:47:42 | 01,079,176 | ---- | M] (PC Tools)
sermouse.sys -> Driver
Streams Drivers -> Driver Group
System Bus Extender -> Driver Group
TDI -> Driver Group
vga.sys -> Driver
< Session Manager Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager ->
"BootExecute" -> autocheck autochk *; ->
"ExcludeFromKnownDlls" -> ->
*ObjectDirectories* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\\ObjectDirectories ->
\Windows -> -> File not found
\RPC Control -> -> File not found
*MultiFile Done* -> ->
*PendingFileRenameOperations* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\\PendingFileRenameOperations ->
\??\C:\WINDOWS\temp\Perflib_Perfdata_d0.dat [\??\C:\WINDOWS\temp\Perflib_Perfdata_d0.dat] -> %SystemRoot%\temp\Perflib_Perfdata_d0.dat [%SystemRoot%\temp\Perflib_Perfdata_d0.dat] -> [2009/01/27 20:58:40 | 00,016,384 | ---- | M] ()
*MultiFile Done* -> ->
< Session Manager Environment Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment ->
"ComSpec" -> C:\WINDOWS\system32\cmd.exe -> [2008/04/13 17:12:14 | 00,389,120 | ---- | M] (Microsoft Corporation)
"TEMP" -> %SystemRoot%\TEMP ->
"TMP" -> %SystemRoot%\TEMP ->
"windir" -> %SystemRoot% ->
*Path* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\\Path ->
%systemroot%\system32 -> %SystemRoot%\system32 -> [2009/01/27 20:34:43 | 00,000,000 | ---D | M]
%systemroot% -> %SystemRoot% -> [2009/01/27 20:52:58 | 00,000,000 | ---D | M]
%systemroot%\system32\wbem -> %SystemRoot%\system32\wbem -> [2008/11/14 23:52:03 | 00,000,000 | ---D | M]
C:\Program Files\Intel\DMIX -> %ProgramFiles%\Intel\DMIX -> [2007/12/19 14:31:40 | 00,000,000 | ---D | M]
C:\Program Files\QuickTime\QTSystem -> %ProgramFiles%\QuickTime\QTSystem -> [2008/12/13 08:50:38 | 00,000,000 | ---D | M]
*MultiFile Done* -> ->
*PATHEXT* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\\PATHEXT ->
.COM -> -> File not found
.EXE -> -> File not found
.BAT -> -> File not found
.CMD -> -> File not found
.VBS -> -> File not found
.VBE -> -> File not found
.JS -> -> File not found
.JSE -> -> File not found
.WSF -> -> File not found
.WSH -> -> File not found
*MultiFile Done* -> ->
< Session Manager FileRenameOperations Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\FileRenameOperations ->
< Session Manager KnownDlls Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDlls ->
"advapi32" -> C:\WINDOWS\system32\advapi32.dll -> [2008/04/13 17:11:48 | 00,617,472 | ---- | M] (Microsoft Corporation)
"comdlg32" -> C:\WINDOWS\system32\comdlg32.dll -> [2008/04/13 17:11:51 | 00,276,992 | ---- | M] (Microsoft Corporation)
"DllDirectory" -> C:\WINDOWS\system32 -> [2009/01/27 20:34:43 | 00,000,000 | ---D | M]
"gdi32" -> C:\WINDOWS\system32\gdi32.dll -> [2008/10/23 05:36:14 | 00,286,720 | ---- | M] (Microsoft Corporation)
"imagehlp" -> C:\WINDOWS\system32\imagehlp.dll -> [2008/04/13 17:11:54 | 00,144,384 | ---- | M] (Microsoft Corporation)
"kernel32" -> C:\WINDOWS\system32\kernel32.dll -> [2008/04/13 17:11:56 | 00,989,696 | ---- | M] (Microsoft Corporation)
"lz32" -> C:\WINDOWS\system32\lz32.dll -> [2006/02/28 05:00:00 | 00,002,560 | ---- | M] (Microsoft Corporation)
"ole32" -> C:\WINDOWS\system32\ole32.dll -> [2008/04/13 17:12:02 | 01,287,168 | ---- | M] (Microsoft Corporation)
"oleaut32" -> C:\WINDOWS\system32\oleaut32.dll -> [2008/04/13 17:12:02 | 00,551,936 | ---- | M] (Microsoft Corporation)
"olecli32" -> C:\WINDOWS\system32\olecli32.dll -> [2008/04/13 17:12:02 | 00,074,752 | ---- | M] (Microsoft Corporation)
"olecnv32" -> C:\WINDOWS\system32\olecnv32.dll -> [2008/04/13 17:12:02 | 00,037,376 | ---- | M] (Microsoft Corporation)
"olesvr32" -> C:\WINDOWS\system32\olesvr32.dll -> [2006/02/28 05:00:00 | 00,022,016 | ---- | M] (Microsoft Corporation)
"olethk32" -> C:\WINDOWS\system32\olethk32.dll -> [2006/02/28 05:00:00 | 00,069,120 | ---- | M] (Microsoft Corporation)
"rpcrt4" -> C:\WINDOWS\system32\rpcrt4.dll -> [2008/04/13 17:12:04 | 00,584,704 | ---- | M] (Microsoft Corporation)
"shell32" -> C:\WINDOWS\system32\shell32.dll -> [2008/04/13 17:12:05 | 08,461,312 | ---- | M] (Microsoft Corporation)
"url" -> C:\WINDOWS\system32\url.dll -> [2008/08/22 03:07:58 | 00,105,984 | ---- | M] (Microsoft Corporation)
"urlmon" -> C:\WINDOWS\system32\urlmon.dll -> [2008/08/22 03:08:22 | 01,206,784 | ---- | M] (Microsoft Corporation)
"user32" -> C:\WINDOWS\system32\user32.dll -> [2008/04/13 17:12:08 | 00,578,560 | ---- | M] (Microsoft Corporation)
"version" -> C:\WINDOWS\system32\version.dll -> [2008/04/13 17:12:08 | 00,018,944 | ---- | M] (Microsoft Corporation)
"wininet" -> C:\WINDOWS\system32\wininet.dll -> [2008/08/22 03:08:06 | 00,878,592 | ---- | M] (Microsoft Corporation)
"wldap32" -> C:\WINDOWS\system32\wldap32.dll -> [2008/04/13 17:12:09 | 00,172,032 | ---- | M] (Microsoft Corporation)
< Session Manager SFC Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SFC ->
"CommonFilesDir" -> C:\Program Files\Common Files -> [2009/01/27 20:29:59 | 00,000,000 | ---D | M]
"ProgramFilesDir" -> C:\Program Files -> [2009/01/25 21:32:51 | 00,000,000 | R--D | M]
< Winsock2 Catalogs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\ ->
NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] -> %ProgramFiles%\Bonjour\mdnsNSP.dll -> [2008/08/29 08:53:50 | 00,147,456 | ---- | M] (Apple Inc.)
< EventViewer Logs - Last 10 Errors > -> Event Information -> Description
Application [ Error ] 26/01/2009 2:48:16 AM Computer Name = SCOTT | Source = Application Hang | ID = 1002 -> Description = Hanging application iexplore.exe, version 8.0.6001.18241, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Application [ Error ] 26/01/2009 2:48:18 AM Computer Name = SCOTT | Source = Application Hang | ID = 1001 -> Description = Fault bucket 897315410.
Application [ Error ] 26/01/2009 10:07:02 PM Computer Name = SCOTT | Source = Application Error | ID = 1000 -> Description = Faulting application spyhunter3.exe, version 1.0.35.0, faulting module spyhunter3.exe, version 1.0.35.0, fault address 0x0003c4e8.
Application [ Error ] 26/01/2009 10:07:07 PM Computer Name = SCOTT | Source = Application Error | ID = 1001 -> Description = Fault bucket 1100788846.
Application [ Error ] 27/01/2009 12:58:54 AM Computer Name = SCOTT | Source = Application Hang | ID = 1002 -> Description = Hanging application EXCEL.EXE, version 11.0.8237.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Application [ Error ] 27/01/2009 12:59:09 AM Computer Name = SCOTT | Source = Microsoft Office 11 | ID = 2001 -> Description = Rejected Safe Mode action : Microsoft Office Excel.
Application [ Error ] 27/01/2009 1:47:30 AM Computer Name = SCOTT | Source = Norton AntiVirus | ID = 16711685 -> Description = Virus Found!Virus name: Bloodhound.Exploit.196 in File: C:\DOCUME~1\SCOTTM~1\LOCALS~1\Temp\nps80.tmp by: Realtime Protection scan. Action: Clean failed : Quarantine succeeded : Access denied
Application [ Error ] 28/01/2009 12:11:32 AM Computer Name = SCOTT | Source = Norton AntiVirus | ID = 16711685 -> Description = Virus Found!Virus name: Bloodhound.Exploit.196 in File: C:\DOCUME~1\SCOTTM~1\LOCALS~1\Temp\nps80.tmp by: Defwatch scan. Action: Clean failed : Leave Alone succeeded :
Application [ Error ] 28/01/2009 9:51:53 PM Computer Name = SCOTT | Source = Norton AntiVirus | ID = 16711685 -> Description = Virus Found!Virus name: Trojan Horse in File: C:\DOCUME~1\SCOTTM~1\LOCALS~1\Temp\ikooqdro.dll by: Realtime Protection scan. Action: Clean failed : Quarantine succeeded : Access denied
Application [ Error ] 28/01/2009 9:52:22 PM Computer Name = SCOTT | Source = Norton AntiVirus | ID = 16711685 -> Description = Virus Found!Virus name: Trojan Horse in File: C:\DOCUME~1\SCOTTM~1\LOCALS~1\Temp\ikooqdro.dll by: Realtime Protection scan. Action: Clean failed : Quarantine succeeded : Access denied
System [ Error ] 27/01/2009 11:50:46 PM Computer Name = SCOTT | Source = DCOM | ID = 10005 -> Description = DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
System [ Error ] 27/01/2009 11:51:26 PM Computer Name = SCOTT | Source = Service Control Manager | ID = 7001 -> Description = The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: %%31
System [ Error ] 27/01/2009 11:51:26 PM Computer Name = SCOTT | Source = Service Control Manager | ID = 7001 -> Description = The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: %%31
System [ Error ] 27/01/2009 11:51:26 PM Computer Name = SCOTT | Source = Service Control Manager | ID = 7001 -> Description = The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: %%31
System [ Error ] 27/01/2009 11:51:26 PM Computer Name = SCOTT | Source = Service Control Manager | ID = 7001 -> Description = The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: %%31
System [ Error ] 27/01/2009 11:51:26 PM Computer Name = SCOTT | Source = Service Control Manager | ID = 7001 -> Description = The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: %%31
System [ Error ] 27/01/2009 11:51:26 PM Computer Name = SCOTT | Source = Service Control Manager | ID = 7001 -> Description = The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: %%31
System [ Error ] 27/01/2009 11:51:26 PM Computer Name = SCOTT | Source = Service Control Manager | ID = 7026 -> Description = The following boot-start or system-start driver(s) failed to load: AFD eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
System [ Error ] 27/01/2009 11:52:41 PM Computer Name = SCOTT | Source = DCOM | ID = 10005 -> Description = DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
System [ Error ] 27/01/2009 11:58:44 PM Computer Name = SCOTT | Source = Service Control Manager | ID = 7000 -> Description = The Audio Service service failed to start due to the following error: %%3

[Files/Folders - Created Within 90 Days]
3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp ->
5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp ->
OTScanIt -> %UserProfile%\Desktop\OTScanIt -> [2009/01/28 18:45:53 | 00,000,000 | ---D | C]
RECYCLER -> %SystemDrive%\RECYCLER -> [2009/01/27 21:49:25 | 00,000,000 | -HSD | C]
GooredFix.exe -> %UserProfile%\Desktop\GooredFix.exe -> [2009/01/27 21:05:06 | 00,091,136 | ---- | C] ()
WinRAR -> %AppData%\WinRAR -> [2009/01/27 21:00:21 | 00,000,000 | ---D | C]
ERUNT -> %SystemRoot%\ERUNT -> [2009/01/27 20:52:58 | 00,000,000 | ---D | C]
SDFix -> %SystemDrive%\SDFix -> [2009/01/27 20:44:19 | 00,000,000 | ---D | C]
SDFix -> %UserProfile%\Desktop\SDFix -> [2009/01/27 20:37:02 | 00,000,000 | ---D | C]
temp -> %SystemRoot%\temp -> [2009/01/27 20:30:09 | 00,000,000 | ---D | C]
toolb -> %SystemDrive%\toolb -> [2009/01/27 20:29:03 | 00,000,000 | ---D | C]
SWXCACLS.exe -> %SystemRoot%\SWXCACLS.exe -> [2009/01/26 20:43:52 | 00,212,480 | ---- | C] (SteelWerX)
SWREG.exe -> %SystemRoot%\SWREG.exe -> [2009/01/26 20:43:52 | 00,161,792 | ---- | C] (SteelWerX)
SWSC.exe -> %SystemRoot%\SWSC.exe -> [2009/01/26 20:43:52 | 00,136,704 | ---- | C] (SteelWerX)
sed.exe -> %SystemRoot%\sed.exe -> [2009/01/26 20:43:52 | 00,098,816 | ---- | C] ()
fdsv.exe -> %SystemRoot%\fdsv.exe -> [2009/01/26 20:43:52 | 00,089,504 | ---- | C] (Smallfrogs Studio)
grep.exe -> %SystemRoot%\grep.exe -> [2009/01/26 20:43:52 | 00,080,412 | ---- | C] ()
zip.exe -> %SystemRoot%\zip.exe -> [2009/01/26 20:43:52 | 00,068,096 | ---- | C] ()
VFIND.exe -> %SystemRoot%\VFIND.exe -> [2009/01/26 20:43:52 | 00,049,152 | ---- | C] ()
NIRCMD.exe -> %SystemRoot%\NIRCMD.exe -> [2009/01/26 20:43:52 | 00,029,696 | ---- | C] (NirSoft)
Qoobox -> %SystemDrive%\Qoobox -> [2009/01/26 20:43:48 | 00,000,000 | ---D | C]
ERDNT -> %SystemRoot%\ERDNT -> [2009/01/26 20:43:48 | 00,000,000 | ---D | C]
toolb.exe -> %UserProfile%\Desktop\toolb.exe -> [2009/01/26 20:41:24 | 03,048,418 | R--- | C] ()
appmgmt -> %SystemRoot%\System32\appmgmt -> [2009/01/25 22:40:47 | 00,000,000 | ---D | C]
AntiPuper.exe -> %UserProfile%\Desktop\AntiPuper.exe -> [2009/01/25 22:12:37 | 00,000,000 | ---- | C] ()
Malwarebytes -> %AppData%\Malwarebytes -> [2009/01/25 22:03:17 | 00,000,000 | ---D | C]
Malwarebytes' Anti-Malware.lnk -> %AllUsersProfile%\Desktop\Malwarebytes' Anti-Malware.lnk -> [2009/01/25 22:03:16 | 00,000,712 | ---- | C] ()
mbam.sys -> %SystemRoot%\System32\drivers\mbam.sys -> [2009/01/25 22:03:15 | 00,015,504 | ---- | C] (Malwarebytes Corporation)
mbamswissarmy.sys -> %SystemRoot%\System32\drivers\mbamswissarmy.sys -> [2009/01/25 22:03:13 | 00,038,496 | ---- | C] (Malwarebytes Corporation)
Malwarebytes' Anti-Malware -> %UserProfile%\My Documents\Malwarebytes' Anti-Malware -> [2009/01/25 22:03:12 | 00,000,000 | ---D | C]
Malwarebytes -> %AllUsersProfile%\Application Data\Malwarebytes -> [2009/01/25 22:03:12 | 00,000,000 | ---D | C]
New Folder -> %UserProfile%\Desktop\New Folder -> [2009/01/25 22:00:58 | 00,000,000 | ---D | C]
UserData -> %UserProfile%\UserData -> [2009/01/25 21:49:26 | 00,000,000 | -HSD | C]
autorun.inf -> %SystemDrive%\autorun.inf -> [2009/01/25 21:48:58 | 00,000,000 | RHSD | C]
Flash_Disinfector.exe -> %UserProfile%\Desktop\Flash_Disinfector.exe -> [2009/01/25 21:48:37 | 00,132,597 | ---- | C] ()
TEMP -> %AllUsersProfile%\Application Data\TEMP -> [2009/01/25 21:33:08 | 00,000,000 | ---D | C]
Spyware Doctor.lnk -> %AllUsersProfile%\Desktop\Spyware Doctor.lnk -> [2009/01/25 21:33:03 | 00,001,637 | ---- | C] ()
iksyssec.sys -> %SystemRoot%\System32\drivers\iksyssec.sys -> [2009/01/25 21:33:01 | 00,081,288 | ---- | C] (PCTools Research Pty Ltd.)
iksysflt.sys -> %SystemRoot%\System32\drivers\iksysflt.sys -> [2009/01/25 21:33:01 | 00,066,952 | ---- | C] (PCTools Research Pty Ltd.)
ikfilesec.sys -> %SystemRoot%\System32\drivers\ikfilesec.sys -> [2009/01/25 21:33:01 | 00,040,840 | ---- | C] (PCTools Research Pty Ltd.)
kcom.sys -> %SystemRoot%\System32\drivers\kcom.sys -> [2009/01/25 21:33:01 | 00,029,576 | ---- | C] (PCTools Research Pty Ltd.)
Spyware Doctor -> %ProgramFiles%\Spyware Doctor -> [2009/01/25 21:32:51 | 00,000,000 | ---D | C]
PC Tools -> %AppData%\PC Tools -> [2009/01/25 21:32:51 | 00,000,000 | ---D | C]
Scott M Evidence.doc -> %UserProfile%\Desktop\Scott M Evidence.doc -> [2009/01/25 20:30:32 | 00,093,696 | ---- | C] ()
ie8updates -> %SystemRoot%\ie8updates -> [2009/01/24 14:15:33 | 00,000,000 | ---D | C]
PrivacIE -> %UserProfile%\PrivacIE -> [2009/01/23 22:17:39 | 00,000,000 | -HSD | C]
ie8 -> %SystemRoot%\ie8 -> [2009/01/23 22:13:11 | 00,000,000 | -H-D | C]
mucltui.dll -> %SystemRoot%\System32\mucltui.dll -> [2009/01/12 22:00:04 | 00,268,648 | ---- | C] (Microsoft Corporation)
mucltui.dll.mui -> %SystemRoot%\System32\mucltui.dll.mui -> [2009/01/12 22:00:04 | 00,027,496 | ---- | C] (Microsoft Corporation)
spmsg.dll -> %SystemRoot%\System32\spmsg.dll -> [2009/01/10 16:14:53 | 00,016,928 | ---- | C] (Microsoft Corporation)
Windows Media Connect 2 -> %ProgramFiles%\Windows Media Connect 2 -> [2009/01/10 16:14:39 | 00,000,000 | ---D | C]
MsftWdf_user_01_00_00.Wdf -> %SystemRoot%\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf -> [2009/01/10 16:13:45 | 00,000,000 | -H-- | C] ()
UMDF -> %SystemRoot%\System32\drivers\UMDF -> [2009/01/10 16:13:41 | 00,000,000 | ---D | C]
Shortcut to Nanny Payroll 2009.xls.lnk -> %UserProfile%\Desktop\Shortcut to Nanny Payroll 2009.xls.lnk -> [2009/01/04 08:34:06 | 00,000,711 | ---- | C] ()
TOD 012009.lnk -> %UserProfile%\Desktop\TOD 012009.lnk -> [2009/01/04 08:32:10 | 00,001,582 | ---- | C] ()
Zero G Registry -> %ProgramFiles%\Zero G Registry -> [2009/01/04 08:32:08 | 00,000,000 | -H-D | C]
TOD 012009 -> %ProgramFiles%\TOD 012009 -> [2009/01/04 08:32:08 | 00,000,000 | ---D | C]
GoogleUpdateTaskUserS-1-5-21-790525478-688789844-839522115-1003.job -> %SystemRoot%\tasks\GoogleUpdateTaskUserS-1-5-21-790525478-688789844-839522115-1003.job -> [2008/12/29 22:46:06 | 00,001,240 | ---- | C] ()
Minidump -> %SystemRoot%\Minidump -> [2008/12/21 17:44:49 | 00,000,000 | ---D | C]
AGEIA Technologies -> %ProgramFiles%\AGEIA Technologies -> [2008/12/20 21:01:32 | 00,000,000 | ---D | C]
AGEIA -> %SystemRoot%\System32\AGEIA -> [2008/12/20 21:01:32 | 00,000,000 | ---D | C]
Wise Installation Wizard -> %CommonProgramFiles%\Wise Installation Wizard -> [2008/12/20 21:01:26 | 00,000,000 | ---D | C]
nvapps.nvb -> %SystemRoot%\System32\nvapps.nvb -> [2008/12/20 21:01:22 | 00,203,540 | ---- | C] ()
NVIDIA -> %SystemDrive%\NVIDIA -> [2008/12/20 21:00:50 | 00,000,000 | ---D | C]
Far Cry® 2.lnk -> %AllUsersProfile%\Desktop\Far Cry® 2.lnk -> [2008/12/20 20:51:02 | 00,001,762 | ---- | C] ()
XAudio2_1.dll -> %SystemRoot%\System32\XAudio2_1.dll -> [2008/12/20 20:48:39 | 00,507,400 | ---- | C] (Microsoft Corporation)
xactengine3_1.dll -> %SystemRoot%\System32\xactengine3_1.dll -> [2008/12/20 20:48:39 | 00,238,088 | ---- | C] (Microsoft Corporation)
XAPOFX1_0.dll -> %SystemRoot%\System32\XAPOFX1_0.dll -> [2008/12/20 20:48:39 | 00,065,032 | ---- | C] (Microsoft Corporation)
D3DX9_38.dll -> %SystemRoot%\System32\D3DX9_38.dll -> [2008/12/20 20:48:38 | 03,850,760 | ---- | C] (Microsoft Corporation)
D3DCompiler_38.dll -> %SystemRoot%\System32\D3DCompiler_38.dll -> [2008/12/20 20:48:38 | 01,491,992 | ---- | C] (Microsoft Corporation)
d3dx10_38.dll -> %SystemRoot%\System32\d3dx10_38.dll -> [2008/12/20 20:48:38 | 00,467,984 | ---- | C] (Microsoft Corporation)
X3DAudio1_4.dll -> %SystemRoot%\System32\X3DAudio1_4.dll -> [2008/12/20 20:48:38 | 00,025,608 | ---- | C] (Microsoft Corporation)
XAudio2_0.dll -> %SystemRoot%\System32\XAudio2_0.dll -> [2008/12/20 20:48:37 | 00,479,752 | ---- | C] (Microsoft Corporation)
xactengine3_0.dll -> %SystemRoot%\System32\xactengine3_0.dll -> [2008/12/20 20:48:37 | 00,238,088 | ---- | C] (Microsoft Corporation)
X3DAudio1_3.dll -> %SystemRoot%\System32\X3DAudio1_3.dll -> [2008/12/20 20:48:37 | 00,025,608 | ---- | C] (Microsoft Corporation)
D3DX9_37.dll -> %SystemRoot%\System32\D3DX9_37.dll -> [2008/12/20 20:48:36 | 03,786,760 | ---- | C] (Microsoft Corporation)
D3DCompiler_37.dll -> %SystemRoot%\System32\D3DCompiler_37.dll -> [2008/12/20 20:48:36 | 01,420,824 | ---- | C] (Microsoft Corporation)
d3dx10_37.dll -> %SystemRoot%\System32\d3dx10_37.dll -> [2008/12/20 20:48:36 | 00,462,864 | ---- | C] (Microsoft Corporation)
Logs -> %SystemRoot%\Logs -> [2008/12/20 20:47:37 | 00,000,000 | ---D | C]
Ubisoft -> %ProgramFiles%\Ubisoft -> [2008/12/20 20:43:01 | 00,000,000 | ---D | C]
iTunes.lnk -> %AllUsersProfile%\Desktop\iTunes.lnk -> [2008/12/13 08:52:17 | 00,002,137 | ---- | C] ()
iPod -> %ProgramFiles%\iPod -> [2008/12/13 08:51:57 | 00,000,000 | ---D | C]
{3276BE95_AF08_429F_A64F_CA64CB79BCF6} -> %AllUsersProfile%\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6} -> [2008/12/13 08:51:55 | 00,000,000 | ---D | C]
iTunes -> %ProgramFiles%\iTunes -> [2008/12/13 08:51:54 | 00,000,000 | ---D | C]
QuickTime -> %ProgramFiles%\QuickTime -> [2008/12/13 08:50:22 | 00,000,000 | ---D | C]
I am doing my book talk on.doc -> %UserProfile%\My Documents\I am doing my book talk on.doc -> [2008/12/10 18:07:19 | 00,038,912 | ---- | C] ()
PhotoSnapViewer.INI -> %SystemRoot%\PhotoSnapViewer.INI -> [2008/12/04 12:33:48 | 00,000,151 | ---- | C] ()
QuickBooks Pro 2009.lnk -> %AllUsersProfile%\Desktop\QuickBooks Pro 2009.lnk -> [2008/11/15 17:35:07 | 00,001,836 | ---- | C] ()
SpyHunter.lnk -> %AllUsersProfile%\Desktop\SpyHunter.lnk -> [2008/11/14 23:38:22 | 00,000,899 | ---- | C] ()
Enigma Software Group -> %ProgramFiles%\Enigma Software Group -> [2008/11/14 23:38:17 | 00,000,000 | ---D | C]
mrxsmb.sys -> %SystemRoot%\System32\dllcache\mrxsmb.sys -> [2008/11/12 21:54:03 | 00,455,296 | ---- | C] (Microsoft Corporation)
msxml3.dll -> %SystemRoot%\System32\dllcache\msxml3.dll -> [2008/11/12 21:53:56 | 01,106,944 | ---- | C] (Microsoft Corporation)


#16
January 28, 2009 at 18:05:25
POST 4:

[Files/Folders - Modified Within 90 Days]
3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp ->
5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp ->
GoogleUpdateTaskUserS-1-5-21-790525478-688789844-839522115-1003.job -> %SystemRoot%\tasks\GoogleUpdateTaskUserS-1-5-21-790525478-688789844-839522115-1003.job -> [2009/01/28 00:00:12 | 00,001,240 | ---- | M] ()
wpa.dbl -> %SystemRoot%\System32\wpa.dbl -> [2009/01/27 21:16:27 | 00,013,646 | ---- | M] ()
qmgr0.dat -> %AllUsersProfile%\Application Data\Microsoft\Network\Downloader\qmgr0.dat -> [2009/01/27 21:16:12 | 00,006,728 | ---- | M] ()
qmgr1.dat -> %AllUsersProfile%\Application Data\Microsoft\Network\Downloader\qmgr1.dat -> [2009/01/27 21:16:08 | 00,006,728 | ---- | M] ()
GooredFix.exe -> %UserProfile%\Desktop\GooredFix.exe -> [2009/01/27 21:05:14 | 00,091,136 | ---- | M] ()
Adobe Acrobat Speed Launcher.lnk -> %AllUsersProfile%\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk -> [2009/01/27 21:02:34 | 00,002,335 | ---- | M] ()
nvapps.xml -> %SystemRoot%\System32\nvapps.xml -> [2009/01/27 21:02:30 | 00,194,204 | ---- | M] ()
Perflib_Perfdata_d0.dat -> %SystemRoot%\Temp\Perflib_Perfdata_d0.dat -> [2009/01/27 20:58:40 | 00,016,384 | ---- | M] ()
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [2009/01/27 20:58:32 | 00,000,006 | -H-- | M] ()
bootstat.dat -> %SystemRoot%\bootstat.dat -> [2009/01/27 20:58:31 | 00,002,048 | --S- | M] ()
NTUSER.DAT -> %UserProfile%\NTUSER.DAT -> [2009/01/27 20:57:25 | 05,767,168 | ---- | M] ()
HOSTS -> %SystemRoot%\System32\drivers\etc\HOSTS -> [2009/01/27 20:55:46 | 00,000,686 | ---- | M] ()
DVCState-{00000007-00000000-00000002-00001102-00000005-002C1102}.rfx -> %SystemRoot%\System32\DVCState-{00000007-00000000-00000002-00001102-00000005-002C1102}.rfx -> [2009/01/27 20:48:28 | 00,064,756 | ---- | M] ()
BMXStateBkp-{00000007-00000000-00000002-00001102-00000005-002C1102}.rfx -> %SystemRoot%\System32\BMXStateBkp-{00000007-00000000-00000002-00001102-00000005-002C1102}.rfx -> [2009/01/27 20:48:28 | 00,054,328 | ---- | M] ()
BMXState-{00000007-00000000-00000002-00001102-00000005-002C1102}.rfx -> %SystemRoot%\System32\BMXState-{00000007-00000000-00000002-00001102-00000005-002C1102}.rfx -> [2009/01/27 20:48:28 | 00,054,328 | ---- | M] ()
settingsbkup.sfm -> %SystemRoot%\System32\settingsbkup.sfm -> [2009/01/27 20:48:28 | 00,001,080 | ---- | M] ()
settings.sfm -> %SystemRoot%\System32\settings.sfm -> [2009/01/27 20:48:28 | 00,001,080 | ---- | M] ()
system.ini -> %SystemRoot%\system.ini -> [2009/01/27 20:32:19 | 00,000,227 | ---- | M] ()
Scott M Evidence.doc -> %UserProfile%\Desktop\Scott M Evidence.doc -> [2009/01/26 22:32:02 | 00,093,696 | ---- | M] ()
Default.rdp -> %UserProfile%\My Documents\Default.rdp -> [2009/01/26 22:23:46 | 00,001,854 | -H-- | M] ()
GDIPFONTCACHEV1.DAT -> %UserProfile%\Local Settings\Application Data\GDIPFONTCACHEV1.DAT -> [2009/01/26 21:54:51 | 00,051,440 | ---- | M] ()
toolb.exe -> %UserProfile%\Desktop\toolb.exe -> [2009/01/26 20:41:31 | 03,048,418 | R--- | M] ()
Malwarebytes' Anti-Malware.lnk -> %AllUsersProfile%\Desktop\Malwarebytes' Anti-Malware.lnk -> [2009/01/26 19:18:45 | 00,000,712 | ---- | M] ()
SpyHunter.lnk -> %AllUsersProfile%\Desktop\SpyHunter.lnk -> [2009/01/26 19:07:57 | 00,000,899 | ---- | M] ()
ntuser.ini -> %UserProfile%\ntuser.ini -> [2009/01/26 19:05:09 | 00,000,178 | -HS- | M] ()
AntiPuper.exe -> %UserProfile%\Desktop\AntiPuper.exe -> [2009/01/25 22:12:39 | 00,000,000 | ---- | M] ()
Flash_Disinfector.exe -> %UserProfile%\Desktop\Flash_Disinfector.exe -> [2009/01/25 21:48:38 | 00,132,597 | ---- | M] ()
PerfStringBackup.INI -> %SystemRoot%\System32\PerfStringBackup.INI -> [2009/01/25 21:34:16 | 00,477,846 | ---- | M] ()
perfh009.dat -> %SystemRoot%\System32\perfh009.dat -> [2009/01/25 21:34:16 | 00,407,102 | ---- | M] ()
perfc009.dat -> %SystemRoot%\System32\perfc009.dat -> [2009/01/25 21:34:16 | 00,063,984 | ---- | M] ()
Spyware Doctor.lnk -> %AllUsersProfile%\Desktop\Spyware Doctor.lnk -> [2009/01/25 21:33:03 | 00,001,637 | ---- | M] ()
desktop.ini -> %UserProfile%\My Documents\desktop.ini -> [2009/01/23 22:16:45 | 00,000,087 | -HS- | M] ()
imsins.BAK -> %SystemRoot%\imsins.BAK -> [2009/01/23 22:14:41 | 00,001,374 | ---- | M] ()
AppleSoftwareUpdate.job -> %SystemRoot%\tasks\AppleSoftwareUpdate.job -> [2009/01/23 11:52:01 | 00,000,284 | ---- | M] ()
McLaughlan Budget.xls -> %UserProfile%\Desktop\McLaughlan Budget.xls -> [2009/01/21 11:05:45 | 00,742,400 | ---- | M] ()
mbamswissarmy.sys -> %SystemRoot%\System32\drivers\mbamswissarmy.sys -> [2009/01/14 16:11:32 | 00,038,496 | ---- | M] (Malwarebytes Corporation)
mbam.sys -> %SystemRoot%\System32\drivers\mbam.sys -> [2009/01/14 16:11:28 | 00,015,504 | ---- | M] (Malwarebytes Corporation)
FNTCACHE.DAT -> %SystemRoot%\System32\FNTCACHE.DAT -> [2009/01/13 20:32:59 | 00,211,288 | ---- | M] ()
win.ini -> %SystemRoot%\win.ini -> [2009/01/13 20:29:23 | 00,000,603 | ---- | M] ()
nscompat.tlb -> %SystemRoot%\System32\nscompat.tlb -> [2009/01/10 16:14:47 | 00,023,392 | ---- | M] ()
amcompat.tlb -> %SystemRoot%\System32\amcompat.tlb -> [2009/01/10 16:14:47 | 00,016,832 | ---- | M] ()
MsftWdf_user_01_00_00.Wdf -> %SystemRoot%\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf -> [2009/01/10 16:13:45 | 00,000,000 | -H-- | M] ()
Google Chrome.lnk -> %UserProfile%\Desktop\Google Chrome.lnk -> [2009/01/10 12:24:15 | 00,002,325 | ---- | M] ()
MRT.exe -> %SystemRoot%\System32\MRT.exe -> [2009/01/09 17:35:30 | 20,853,704 | ---- | M] (Microsoft Corporation)
Shortcut to Nanny Payroll 2009.xls.lnk -> %UserProfile%\Desktop\Shortcut to Nanny Payroll 2009.xls.lnk -> [2009/01/04 08:34:06 | 00,000,711 | ---- | M] ()
TOD 012009.lnk -> %UserProfile%\Desktop\TOD 012009.lnk -> [2009/01/04 08:32:10 | 00,001,582 | ---- | M] ()
iTunes.lnk -> %AllUsersProfile%\Desktop\iTunes.lnk -> [2009/01/03 07:50:18 | 00,002,137 | ---- | M] ()
Far Cry® 2.lnk -> %AllUsersProfile%\Desktop\Far Cry® 2.lnk -> [2008/12/20 20:51:02 | 00,001,762 | ---- | M] ()
PnkBstrK.sys -> %SystemRoot%\System32\drivers\PnkBstrK.sys -> [2008/12/20 20:46:59 | 00,022,328 | ---- | M] ()
PnkBstrK.sys -> %AppData%\PnkBstrK.sys -> [2008/12/20 20:46:59 | 00,022,328 | ---- | M] ()
PnkBstrB.exe -> %SystemRoot%\System32\PnkBstrB.exe -> [2008/12/20 20:46:48 | 00,107,832 | ---- | M] ()
pbsvc.exe -> %SystemRoot%\System32\pbsvc.exe -> [2008/12/20 20:46:38 | 02,250,024 | ---- | M] ()
PnkBstrA.exe -> %SystemRoot%\System32\PnkBstrA.exe -> [2008/12/20 20:46:38 | 00,066,872 | ---- | M] ()
mshtml.dll -> %SystemRoot%\System32\mshtml.dll -> [2008/12/14 06:59:44 | 05,699,584 | ---- | M] (Microsoft Corporation)
mshtml.dll -> %SystemRoot%\System32\dllcache\mshtml.dll -> [2008/12/14 06:59:44 | 05,699,584 | ---- | M] (Microsoft Corporation)
srv.sys -> %SystemRoot%\System32\drivers\srv.sys -> [2008/12/11 03:57:09 | 00,333,952 | ---- | M] (Microsoft Corporation)
srv.sys -> %SystemRoot%\System32\dllcache\srv.sys -> [2008/12/11 03:57:09 | 00,333,952 | ---- | M] (Microsoft Corporation)
I am doing my book talk on.doc -> %UserProfile%\My Documents\I am doing my book talk on.doc -> [2008/12/10 18:07:19 | 00,038,912 | ---- | M] ()
PhotoSnapViewer.INI -> %SystemRoot%\PhotoSnapViewer.INI -> [2008/12/04 12:33:48 | 00,000,151 | ---- | M] ()
QuickBooks Update Agent.lnk -> %AllUsersProfile%\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk -> [2008/11/15 17:35:07 | 00,002,109 | ---- | M] ()
QuickBooks Pro 2009.lnk -> %AllUsersProfile%\Desktop\QuickBooks Pro 2009.lnk -> [2008/11/15 17:35:07 | 00,001,836 | ---- | M] ()
nvapps.nvb -> %SystemRoot%\System32\nvapps.nvb -> [2008/11/13 16:20:28 | 00,203,540 | ---- | M] ()
nvwdmcpl.dll -> %SystemRoot%\System32\nvwdmcpl.dll -> [2008/11/12 14:54:00 | 01,703,936 | ---- | M] ()
nwiz.exe -> %SystemRoot%\System32\nwiz.exe -> [2008/11/12 14:54:00 | 01,630,208 | ---- | M] ()
nview.dll -> %SystemRoot%\System32\nview.dll -> [2008/11/12 14:54:00 | 01,486,848 | ---- | M] ()
nvdspsch.exe -> %SystemRoot%\System32\nvdspsch.exe -> [2008/11/12 14:54:00 | 01,339,392 | ---- | M] ()
nvwimg.dll -> %SystemRoot%\System32\nvwimg.dll -> [2008/11/12 14:54:00 | 01,019,904 | ---- | M] ()
nvshell.dll -> %SystemRoot%\System32\nvshell.dll -> [2008/11/12 14:54:00 | 00,466,944 | ---- | M] ()
nvappbar.exe -> %SystemRoot%\System32\nvappbar.exe -> [2008/11/12 14:54:00 | 00,442,368 | ---- | M] ()
keystone.exe -> %SystemRoot%\System32\keystone.exe -> [2008/11/12 14:54:00 | 00,425,984 | ---- | M] ()
nvtuicpl.cpl -> %SystemRoot%\System32\nvtuicpl.cpl -> [2008/11/12 14:54:00 | 00,073,728 | ---- | M] ()
nvdisp.nvu -> %SystemRoot%\System32\nvdisp.nvu -> [2008/11/12 14:54:00 | 00,018,537 | ---- | M] ()
opa11.dat -> %AllUsersProfile%\Application Data\Microsoft\OFFICE\DATA\opa11.dat -> [2007/12/19 16:06:27 | 00,011,082 | ---- | M] ()

[Alternate Data Streams]
@Alternate Data Stream - 0 bytes -> %UserProfile%\Desktop\Thumbs.db:encryptable
@Alternate Data Stream - 0 bytes -> %UserProfile%\My Documents\Thumbs.db:encryptable
@Alternate Data Stream - 138 bytes -> %AllUsersProfile%\Application Data\TEMP:DFC5A2B2

[File - Lop Check]
Application Data -> C:\Documents and Settings\All Users\Application Data -> [2009/01/25 22:03:12 | 00,000,000 | RH-D | M]
{3276BE95_AF08_429F_A64F_CA64CB79BCF6} -> C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6} -> [2008/12/13 08:52:16 | 00,000,000 | ---D | M]
COMMON FILES -> C:\Documents and Settings\All Users\Application Data\COMMON FILES -> [2008/01/26 22:22:11 | 00,000,000 | ---D | M]
Intuit -> C:\Documents and Settings\All Users\Application Data\Intuit -> [2008/11/15 17:34:41 | 00,000,000 | ---D | M]
Intuit Canada -> C:\Documents and Settings\All Users\Application Data\Intuit Canada -> [2008/02/23 14:11:53 | 00,000,000 | ---D | M]
TEMP -> C:\Documents and Settings\All Users\Application Data\TEMP -> [2009/01/27 20:26:35 | 00,000,000 | ---D | M]
WinZip -> C:\Documents and Settings\All Users\Application Data\WinZip -> [2008/09/07 10:33:21 | 00,000,000 | ---D | M]
Application Data -> C:\Documents and Settings\Scott McLaughlan\Application Data -> [2009/01/27 21:00:21 | 00,000,000 | RH-D | M]
Ahead -> C:\Documents and Settings\Scott McLaughlan\Application Data\Ahead -> [2007/12/20 11:40:13 | 00,000,000 | ---D | M]
Command & Conquer 3 Tiberium Wars -> C:\Documents and Settings\Scott McLaughlan\Application Data\Command & Conquer 3 Tiberium Wars -> [2007/12/19 15:36:48 | 00,000,000 | ---D | M]
Firaxis Games -> C:\Documents and Settings\Scott McLaughlan\Application Data\Firaxis Games -> [2008/04/19 19:38:26 | 00,000,000 | ---D | M]
GetRightToGo -> C:\Documents and Settings\Scott McLaughlan\Application Data\GetRightToGo -> [2007/12/19 15:36:50 | 00,000,000 | ---D | M]
Greenpoint -> C:\Documents and Settings\Scott McLaughlan\Application Data\Greenpoint -> [2007/12/19 15:36:50 | 00,000,000 | ---D | M]
IGN_DLM -> C:\Documents and Settings\Scott McLaughlan\Application Data\IGN_DLM -> [2008/09/29 20:43:02 | 00,000,000 | ---D | M]
InterTrust -> C:\Documents and Settings\Scott McLaughlan\Application Data\InterTrust -> [2007/12/19 15:36:50 | 00,000,000 | ---D | M]
Intuit -> C:\Documents and Settings\Scott McLaughlan\Application Data\Intuit -> [2008/10/15 19:39:10 | 00,000,000 | ---D | M]
Intuit Canada -> C:\Documents and Settings\Scott McLaughlan\Application Data\Intuit Canada -> [2008/02/23 14:12:24 | 00,000,000 | ---D | M]
MSN6 -> C:\Documents and Settings\Scott McLaughlan\Application Data\MSN6 -> [2007/12/19 15:36:58 | 00,000,000 | ---D | M]
My Games -> C:\Documents and Settings\Scott McLaughlan\Application Data\My Games -> [2007/12/19 15:36:58 | 00,000,000 | ---D | M]
NewSoft -> C:\Documents and Settings\Scott McLaughlan\Application Data\NewSoft -> [2007/12/19 15:36:58 | 00,000,000 | ---D | M]
Payroll System -> C:\Documents and Settings\Scott McLaughlan\Application Data\Payroll System -> [2007/12/19 15:36:58 | 00,000,000 | ---D | M]
SecuROM -> C:\Documents and Settings\Scott McLaughlan\Application Data\SecuROM -> [2007/12/19 15:33:37 | 00,000,000 | RH-D | M]
C:\WINDOWS\Tasks\ -> C:\WINDOWS\Tasks -> [2008/12/29 22:46:06 | 00,000,000 | --SD | M]
AppleSoftwareUpdate.job -> C:\WINDOWS\Tasks\AppleSoftwareUpdate.job -> [2009/01/23 11:52:01 | 00,000,284 | ---- | M] ()
desktop.ini -> C:\WINDOWS\Tasks\desktop.ini -> [2006/02/28 05:00:00 | 00,000,065 | RH-- | M] ()
GoogleUpdateTaskUserS-1-5-21-790525478-688789844-839522115-1003.job -> C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-688789844-839522115-1003.job -> [2009/01/28 00:00:12 | 00,001,240 | ---- | M] ()
SA.DAT -> C:\WINDOWS\Tasks\SA.DAT -> [2009/01/27 20:58:32 | 00,000,006 | -H-- | M] ()

[File - Purity Scan]

[File - Signature Check]
< Cached Copy > -> < OS Copy > -> < MD5's >
C:\WINDOWS\servicepackfiles\i386\explorer.exe [2008/04/13 17:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -> C:\WINDOWS\explorer.exe [2008/04/13 17:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -> Cached Copy = 12896823FB95BFB3DC9B46BCAEDC9923 \ OS Copy = 12896823FB95BFB3DC9B46BCAEDC9923
C:\WINDOWS\servicepackfiles\i386\csrss.exe [2008/04/13 17:12:15 | 00,006,144 | ---- | M] (Microsoft Corporation) -> C:\WINDOWS\system32\csrss.exe [2008/04/13 17:12:15 | 00,006,144 | ---- | M] (Microsoft Corporation) -> Cached Copy = 44F275C64738EA2056E3D9580C23B60F \ OS Copy = 44F275C64738EA2056E3D9580C23B60F
C:\WINDOWS\servicepackfiles\i386\lsass.exe [2008/04/13 17:12:24 | 00,013,312 | ---- | M] (Microsoft Corporation) -> C:\WINDOWS\system32\lsass.exe [2008/04/13 17:12:24 | 00,013,312 | ---- | M] (Microsoft Corporation) -> Cached Copy = BF2466B3E18E970D8A976FB95FC1CA85 \ OS Copy = BF2466B3E18E970D8A976FB95FC1CA85
C:\WINDOWS\servicepackfiles\i386\rundll32.exe [2008/04/13 17:12:33 | 00,033,280 | ---- | M] (Microsoft Corporation) -> C:\WINDOWS\system32\rundll32.exe [2008/04/13 17:12:33 | 00,033,280 | ---- | M] (Microsoft Corporation) -> Cached Copy = 037B1E7798960E0420003D05BB577EE6 \ OS Copy = 037B1E7798960E0420003D05BB577EE6
C:\WINDOWS\servicepackfiles\i386\services.exe [2008/04/13 17:12:34 | 00,108,544 | ---- | M] (Microsoft Corporation) -> C:\WINDOWS\system32\services.exe [2008/04/13 17:12:34 | 00,108,544 | ---- | M] (Microsoft Corporation) -> Cached Copy = 0E776ED5F7CC9F94299E70461B7B8185 \ OS Copy = 0E776ED5F7CC9F94299E70461B7B8185
C:\WINDOWS\servicepackfiles\i386\smss.exe [2008/04/13 17:12:36 | 00,050,688 | ---- | M] (Microsoft Corporation) -> C:\WINDOWS\system32\smss.exe [2008/04/13 17:12:36 | 00,050,688 | ---- | M] (Microsoft Corporation) -> Cached Copy = 5F816C1F539266D2D4C78694239DA0B5 \ OS Copy = 5F816C1F539266D2D4C78694239DA0B5
C:\WINDOWS\servicepackfiles\i386\spoolsv.exe [2008/04/13 17:12:36 | 00,057,856 | ---- | M] (Microsoft Corporation) -> C:\WINDOWS\system32\spoolsv.exe [2008/04/13 17:12:36 | 00,057,856 | ---- | M] (Microsoft Corporation) -> Cached Copy = D8E14A61ACC1D4A6CD0D38AEBAC7FA3B \ OS Copy = D8E14A61ACC1D4A6CD0D38AEBAC7FA3B
C:\WINDOWS\servicepackfiles\i386\svchost.exe [2008/04/13 17:12:36 | 00,014,336 | ---- | M] (Microsoft Corporation) -> C:\WINDOWS\system32\svchost.exe [2008/04/13 17:12:36 | 00,014,336 | ---- | M] (Microsoft Corporation) -> Cached Copy = 27C6D03BCDB8CFEB96B716F3D8BE3E18 \ OS Copy = 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\servicepackfiles\i386\taskmgr.exe [2008/04/13 17:12:37 | 00,135,680 | ---- | M] (Microsoft Corporation) -> C:\WINDOWS\system32\taskmgr.exe [2008/04/13 17:12:37 | 00,135,680 | ---- | M] (Microsoft Corporation) -> Cached Copy = 2CD1C3506A85B38E2D17E61ADED175C4 \ OS Copy = 2CD1C3506A85B38E2D17E61ADED175C4
C:\WINDOWS\servicepackfiles\i386\userinit.exe [2008/04/13 17:12:38 | 00,026,112 | ---- | M] (Microsoft Corporation) -> C:\WINDOWS\system32\userinit.exe [2008/04/13 17:12:38 | 00,026,112 | ---- | M] (Microsoft Corporation) -> Cached Copy = A93AEE1928A9D7CE3E16D24EC7380F89 \ OS Copy = A93AEE1928A9D7CE3E16D24EC7380F89
C:\WINDOWS\system32\dllcache\winlogon.exe [2008/04/13 17:12:39 | 00,507,904 | ---- | M] (Microsoft Corporation) -> C:\WINDOWS\system32\winlogon.exe [2008/04/13 17:12:39 | 00,507,904 | ---- | M] (Microsoft Corporation) -> Cached Copy = ED0EF0A136DEC83DF69F04118870003E \ OS Copy = ED0EF0A136DEC83DF69F04118870003E

[CatchMe Rootkit Scan by GMER]
< Windows folder & sub-folders >
scanning hidden processes ...
IPC error: 2 The system cannot find the file specified.
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
< Document and Settings folder & sub folders >
scanning hidden files ...
IPC error: 2 The system cannot find the file specified.
C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 138 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Apple - Movie Trailers.url:favicon 4150 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Automobile Magazine.url:favicon 318 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Banking\EasyWeb.url:favicon 318 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Banking\Fool.com Investing, Stock Research, and Personal Finance.url:favicon 4710 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Banking\TD Travel Rewards.url:favicon 3638 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Car Imports\CMVss 114.url:favicon 22486 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\ComicsPriceGuide.com - The Online Price Guide.url:favicon 3638 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Edmonton Businesses, Services, Professionals Website Directory, Edmonton Alberta.url:favicon 3638 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Edmonton Movie Guide.url:favicon 318 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Gamasutra - The Art & Business of Making Games.url:favicon 1910 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Gaming\BioWare Welcome to BioWare.url:favicon 894 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Gaming\Gamasutra - Report Computer Games Magazine, Massive Shut Down.url:favicon 1910 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Gaming\Games\Civ IV\Sisiutil's Strategy Guide for Beginners - Civilization Fanatics' Forums.url:favicon 1406 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Gaming\Games\MOU\Xbox.com Xbox 360 Games - MUA MAIN RESOURCE INDEX ... Tag This !!!.url:favicon 1150 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Gaming\GamesIndustry.biz.url:favicon 1718 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Gaming\GameSpot for your PC, PlayStation 2, Xbox, GameCube, GBA, and video game needs..url:favicon 1406 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Gaming\Gordon Walton - Wikipedia, the free encyclopedia.url:favicon 318 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Gaming\IGN.com Games, Cheats, Movies and More.url:favicon 3638 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Gaming\List of best-selling video games - Wikipedia, the free encyclopedia.url:favicon 318 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Gaming\NEWS Edge Online.url:favicon 3638 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Gaming\Quarter To Three Forums - Powered by vBulletin.url:favicon 1150 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Google & MSN search redirect.url:favicon 1150 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Hardware\Canada Computer Parts, PC Components, Desktop Computers, Laptops, Notebooks at TigerDirect.ca.url:favicon 2104 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Hardware\Main Page - WSGFWiki.url:favicon 2550 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Hardware\NCIX.com - Canada's Premier Computer Store - Great Technology, Service and Selection..url:favicon 1406 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Hardware\TigerDirect.com Super Buys - Computer Parts, PC Components, Desktop Computers, Laptops, Notebooks.url:favicon 2104 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Hardware\Tom's Hardware.url:favicon 1406 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Hardware\[H]ardForum - Powered by vBulletin.url:favicon 10134 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Home Business\ERP System\About.com http--www.possoftwareguide.com.url:favicon 318 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Home Business\ERP System\Canadian Retail Solutions Home.url:favicon 1150 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Home Business\ERP System\Microsoft Retail Management System.url:favicon 3638 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Home Business\Marketing\Canada Post - Unaddressed Admail™.url:favicon 894 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Home Business\Welcome page.url:favicon 894 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Home Theater\Buyers Guides - AVguide.com.url:favicon 23722 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Home Theater\Flat TV People LCD TVs versus Plasma Televisions.url:favicon 1406 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Home Theater\LCD, DLP and LCOS Projectors - Free Consumer info on all projectors..url:favicon 894 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Home Theater\Plasma TV Canada Hitachi Pioneer NEC Samsung hdtv plasma tv.url:favicon 318 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\reportonbusiness.com Canada's destination for Business News, Investing, Personal Finance, and Managing.url:favicon 318 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\ROTTEN TOMATOES Movies and Games, Reviews and Previews.url:favicon 318 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Security and Virus Forum - Computing.Net.url:favicon 1150 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Ski Racing\Welcome to Snow Valley Racing Association.url:favicon 4286 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Tie-a-Tie.net Windsor Knot.url:favicon 1406 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Vacations\Disney World\dummiesWalt Disney World & Orlando For Dummies 2007Book Information.url:favicon 2550 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\http--supplementscanada.com-.url:favicon 1150 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Kids\hockey\SWAT Hockey Evaluations.url:favicon 1150 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Links\Suggested Sites.url:favicon 25214 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Marketing Data\Yahoo! Buzz Index - Today's Top 20 Movies Searches.url:favicon 6598 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Marvel.com Comics.url:favicon 1406 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\MSN.com.url:favicon 1406 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\OEM Reman\NACG - North American Construction Group.url:favicon 15086 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\Epinions.com - Welcome.url:favicon 2494 bytes
C:\Documents and Settings\Scott McLaughlan\Favorites\How To Tie A Tie - Full Windsor Knot (Beauty & Style Style For Men).url:favicon 3638 bytes
scan completed successfully
hidden files: 122


#17
January 28, 2009 at 18:06:14
POST 5: LAST ONE!

[Custom Scans]
< %systemroot%\Prefetch\*.* /s >
C:\WINDOWS\Prefetch\ -> C:\WINDOWS\Prefetch -> [2009/01/27 21:55:07 | 00,000,000 | ---D | M]
ATF-CLEANER.EXE-1231361B.pf -> C:\WINDOWS\Prefetch\ATF-CLEANER.EXE -> [2009/01/27 21:51:02 | 00,016,474 | ---- | M] ()
IEXPLORE.EXE-27122324.pf -> C:\WINDOWS\Prefetch\IEXPLORE.EXE -> [2009/01/28 18:50:50 | 00,089,902 | ---- | M] ()
layout.ini -> C:\WINDOWS\Prefetch\layout.ini -> [2009/01/26 23:29:35 | 00,435,636 | ---- | M] ()
MSIMN.EXE-38BA891D.pf -> C:\WINDOWS\Prefetch\MSIMN.EXE -> [2009/01/27 21:51:09 | 00,075,454 | ---- | M] ()
MSMSGS.EXE-2B6052DE.pf -> C:\WINDOWS\Prefetch\MSMSGS.EXE -> [2009/01/27 21:51:11 | 00,022,308 | ---- | M] ()
NOTEPAD.EXE-336351A9.pf -> C:\WINDOWS\Prefetch\NOTEPAD.EXE -> [2009/01/27 22:02:13 | 00,016,386 | ---- | M] ()
< %systemroot%\system32\drivers\*.dat >
< %systemroot%\Temp\bca4e2da.$$$ >
< %systemroot%\Temp\ed47fa.$ >
< %systemroot%\Temp\fa56d7ec.$$$ >
< %systemroot%\System32\antiwpa.dll >
< %PROGRAMFILES%\*crack*. >
< %PROGRAMFILES%\*keygen*. >
< %SYSTEMDRIVE%\*crack*. >
< %SYSTEMDRIVE%\*keygen*. >
< %SYSTEMDRIVE%\*.zip >
< %SYSTEMDRIVE%\*.rar >
< %SYSTEMDRIVE%\*.exe >
< %SYSTEMDRIVE%\*.dll >
< %systemroot%\*.zip >
< %systemroot%\*.rar >
< %systemroot%\system32\*.zip >
< %systemroot%\system32\*.rar >
< %PROGRAMFILES%\*.zip >
< %PROGRAMFILES%\*.rar >
< %PROGRAMFILES%\*.exe >
< %PROGRAMFILES%\*.dll >
Invalid Environment Variable: DESKTOP
Invalid Environment Variable: DESKTOP
Invalid Environment Variable: DESKTOP
< %PROGRAMFILES%\Common Files\*.* >
< %PROGRAMFILES%\Common Files\*bak*. >
< %systemroot%\SYSTEM32\*bak*. >
3 C:\WINDOWS\SYSTEM32\*.tmp files -> C:\WINDOWS\SYSTEM32\*.tmp ->
< %PROGRAMFILES%\*bak*. >
< %USERNAME%\*.zip >
< %USERNAME%\*.rar >
< %USERNAME%\*.exe >
< %USERPROFILE%\*.zip >
< %USERPROFILE%\*.rar >
< %USERPROFILE%\*.exe >
< %ALLUSERSPROFILE%\*.zip >
< %ALLUSERSPROFILE%\*.rar >
< %ALLUSERSPROFILE%\*.exe >
< %APPDATA%\*.zip >
< %APPDATA%\*.rar >
< %APPDATA%\*.exe >
Invalid Environment Variable: ALLUSERSSTARTMENU
Invalid Environment Variable: ALLUSERSSTARTMENU
Invalid Environment Variable: ALLUSERSSTARTMENU
Invalid Environment Variable: ALLUSERSSTARTUP
Invalid Environment Variable: ALLUSERSSTARTUP
Invalid Environment Variable: ALLUSERSSTARTUP
Invalid Environment Variable: ALLUSERSPROGRAMS
Invalid Environment Variable: ALLUSERSPROGRAMS
Invalid Environment Variable: ALLUSERSPROGRAMS
Invalid Environment Variable: ALLUSERSAPPDATA
Invalid Environment Variable: ALLUSERSAPPDATA
Invalid Environment Variable: ALLUSERSAPPDATA
< %APPDATA%\*.zip >
< %APPDATA%\*.rar >
< %APPDATA%\*.exe >
< %APPDATA%\*.dat >
C:\Documents and Settings\Scott McLaughlan\Application Data\ -> C:\Documents and Settings\Scott McLaughlan\Application Data -> [2009/01/27 21:00:21 | 00,000,000 | RH-D | M]
GDIPFONTCACHEV1.DAT -> C:\Documents and Settings\Scott McLaughlan\Application Data\GDIPFONTCACHEV1.DAT -> [2006/12/28 21:17:26 | 00,043,976 | ---- | M] ()
< %APPDATA%\*.dll >
Invalid Environment Variable: QUICKLAUNCH
Invalid Environment Variable: QUICKLAUNCH
Invalid Environment Variable: QUICKLAUNCH
Invalid Environment Variable: STARTUP
Invalid Environment Variable: STARTUP
Invalid Environment Variable: STARTUP
Invalid Environment Variable: STARTMENU
Invalid Environment Variable: STARTMENU
Invalid Environment Variable: STARTMENU
Invalid Environment Variable: MYDOCUMENTS
Invalid Environment Variable: MYDOCUMENTS
Invalid Environment Variable: MYDOCUMENTS
< %PROGRAMFILES%\Mozilla Firefox\plugins\*.* >
C:\Program Files\Mozilla Firefox\plugins\ -> C:\Program Files\Mozilla Firefox\plugins -> [2008/10/12 14:30:14 | 00,000,000 | ---D | M]
install.js -> C:\Program Files\Mozilla Firefox\plugins\install.js -> [2007/12/19 05:57:38 | 00,001,351 | ---- | M] ()
npGoogleGadgetPluginFirefoxWin.dll -> C:\Program Files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll -> [2007/12/19 05:57:38 | 00,310,272 | ---- | M] ()
nppdf32.dll -> C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll -> [2006/12/18 04:18:30 | 00,077,824 | ---- | M] (Adobe Systems Inc.)
npqtplugin.dll -> C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll -> [2008/09/13 13:23:22 | 00,143,360 | ---- | M] (Apple Inc.)
npqtplugin2.dll -> C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll -> [2008/09/13 13:23:22 | 00,143,360 | ---- | M] (Apple Inc.)
npqtplugin3.dll -> C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll -> [2008/09/13 13:23:22 | 00,143,360 | ---- | M] (Apple Inc.)
QuickTimePlugin.class -> C:\Program Files\Mozilla Firefox\plugins\QuickTimePlugin.cla -> [2008/09/13 13:23:22 | 00,004,208 | ---- | M] ()
< %PROGRAMFILES%\Internet Explorer\*.* >
C:\Program Files\Internet Explorer\ -> C:\Program Files\Internet Explorer -> [2009/01/23 22:16:34 | 00,000,000 | ---D | M]
custsat.dll -> C:\Program Files\Internet Explorer\custsat.dll -> [2007/08/13 17:54:10 | 00,033,792 | ---- | M] (Microsoft Corporation)
ExtExport.exe -> C:\Program Files\Internet Explorer\ExtExport.exe -> [2008/08/22 03:08:34 | 00,015,360 | ---- | M] (Microsoft Corporation)
hmmapi.dll -> C:\Program Files\Internet Explorer\hmmapi.dll -> [2008/08/22 03:00:28 | 00,068,608 | ---- | M] (Microsoft Corporation)
iedvtool.dll -> C:\Program Files\Internet Explorer\iedvtool.dll -> [2008/08/22 03:08:56 | 00,658,944 | ---- | M] (Microsoft Corporation)
iedw.exe -> C:\Program Files\Internet Explorer\iedw.exe -> [2007/08/13 17:44:02 | 00,069,120 | ---- | M] (Microsoft Corporation)
ieproxy.dll -> C:\Program Files\Internet Explorer\ieproxy.dll -> [2008/08/22 03:07:14 | 00,259,072 | ---- | M] (Microsoft Corporation)
iexplore.exe -> C:\Program Files\Internet Explorer\iexplore.exe -> [2008/08/22 03:16:40 | 00,637,984 | ---- | M] (Microsoft Corporation)
jsdbgui.dll -> C:\Program Files\Internet Explorer\jsdbgui.dll -> [2008/08/22 03:08:28 | 00,382,976 | ---- | M] (Microsoft Corporation)
jsdebuggeride.dll -> C:\Program Files\Internet Explorer\jsdebuggeride.dll -> [2008/08/22 03:08:22 | 00,120,832 | ---- | M] (Microsoft Corporation)
JSProfilerCore.dll -> C:\Program Files\Internet Explorer\JSProfilerCore.dll -> [2008/08/22 03:08:32 | 00,118,272 | ---- | M] (Microsoft Corporation)
jsprofilerui.dll -> C:\Program Files\Internet Explorer\jsprofilerui.dll -> [2008/08/22 03:08:40 | 00,217,088 | ---- | M] (Microsoft Corporation)
pdm.dll -> C:\Program Files\Internet Explorer\pdm.dll -> [2008/08/05 17:55:38 | 00,355,832 | ---- | M] (Microsoft Corporation)
sqmapi.dll -> C:\Program Files\Internet Explorer\sqmapi.dll -> [2008/06/12 11:27:56 | 00,134,144 | ---- | M] (Microsoft Corporation)
< %PROGRAMFILES%\Mozilla Firefox\*.zip /s >
< %PROGRAMFILES%\Mozilla Firefox\*.rar /s >
< %PROGRAMFILES%\Mozilla Firefox\*.exe /s >
< %PROGRAMFILES%\Internet Explorer\*.zip /s >
< %PROGRAMFILES%\Internet Explorer\*.rar /s >
< %PROGRAMFILES%\Internet Explorer\*.exe /s >
C:\Program Files\Internet Explorer\ -> C:\Program Files\Internet Explorer -> [2009/01/23 22:16:34 | 00,000,000 | ---D | M]
ExtExport.exe -> C:\Program Files\Internet Explorer\ExtExport.exe -> [2008/08/22 03:08:34 | 00,015,360 | ---- | M] (Microsoft Corporation)
iedw.exe -> C:\Program Files\Internet Explorer\iedw.exe -> [2007/08/13 17:44:02 | 00,069,120 | ---- | M] (Microsoft Corporation)
iexplore.exe -> C:\Program Files\Internet Explorer\iexplore.exe -> [2008/08/22 03:16:40 | 00,637,984 | ---- | M] (Microsoft Corporation)
C:\Program Files\Internet Explorer\Connection Wizard\ -> C:\Program Files\Internet Explorer\Connection Wizard -> [2008/08/27 19:23:19 | 00,000,000 | ---D | M]
icwconn1.exe -> C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe -> [2008/04/13 17:12:22 | 00,214,528 | ---- | M] (Microsoft Corporation)
icwconn2.exe -> C:\Program Files\Internet Explorer\Connection Wizard\icwconn2.exe -> [2008/04/13 17:12:22 | 00,086,016 | ---- | M] (Microsoft Corporation)
icwrmind.exe -> C:\Program Files\Internet Explorer\Connection Wizard\icwrmind.exe -> [2008/04/13 17:12:22 | 00,024,576 | ---- | M] (Microsoft Corporation)
icwtutor.exe -> C:\Program Files\Internet Explorer\Connection Wizard\icwtutor.exe -> [2006/02/28 05:00:00 | 00,073,728 | ---- | M] (Microsoft Corporation)
inetwiz.exe -> C:\Program Files\Internet Explorer\Connection Wizard\inetwiz.exe -> [2008/04/13 17:12:22 | 00,020,480 | ---- | M] (Microsoft Corporation)
isignup.exe -> C:\Program Files\Internet Explorer\Connection Wizard\isignup.exe -> [2006/02/28 05:00:00 | 00,016,384 | ---- | M] (Microsoft Corporation)
< %SYSTEMDRIVE%\*.dat >
< %SYSTEMDRIVE%\*.sys >
C:\ -> -> [2009/01/28 18:54:57 | 00,000,000 | ---D | M]
CONFIG.SYS -> C:\CONFIG.SYS -> [2007/12/19 14:17:44 | 00,000,000 | ---- | M] ()
IO.SYS -> C:\IO.SYS -> [2007/12/19 14:17:44 | 00,000,000 | RHS- | M] ()
MSDOS.SYS -> C:\MSDOS.SYS -> [2007/12/19 14:17:44 | 00,000,000 | RHS- | M] ()
pagefile.sys -> C:\pagefile.sys -> [2009/01/27 20:58:25 | 21,453,86496 | -HS- | M] ()
< %SYSTEMROOT%\*.dat >
C:\WINDOWS\ -> C:\WINDOWS -> [2009/01/27 20:52:58 | 00,000,000 | ---D | M]
bootstat.dat -> C:\WINDOWS\bootstat.dat -> [2009/01/27 20:58:31 | 00,002,048 | --S- | M] ()
mozver.dat -> C:\WINDOWS\mozver.dat -> [2008/01/06 15:19:07 | 00,000,671 | ---- | M] ()
nsreg.dat -> C:\WINDOWS\nsreg.dat -> [2007/12/19 16:05:40 | 00,000,000 | ---- | M] ()
5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp ->
< %SYSTEMROOT%\*.sys >
< %systemroot%\system32\drivers\*.exe /s >
< %systemroot%\system32\drivers\*.zip /s >
< %systemroot%\system32\drivers\*.rar /s >
< %systemroot%\system\*.exe /s >
< %systemroot%\system\*.zip /s >
< %systemroot%\system\*.rar /s >
< %systemroot%\AppPatch\*.exe /s >
< %systemroot%\AppPatch\*.zip /s >
< %systemroot%\AppPatch\*.rar /s >
< %systemroot%\Cache\*.* >
< %systemroot%\Downloaded Program Files\*.* >
C:\WINDOWS\Downloaded Program Files\ -> C:\WINDOWS\Downloaded Program Files -> [2009/01/12 07:58:31 | 00,000,000 | --SD | M]
desktop.ini -> C:\WINDOWS\Downloaded Program Files\desktop.ini -> [2007/12/19 14:17:00 | 00,000,065 | -H-- | M] ()
DLMControl.dll -> C:\WINDOWS\Downloaded Program Files\DLMControl.dll -> [2008/08/01 12:36:32 | 00,324,976 | ---- | M] ()
erma.inf -> C:\WINDOWS\Downloaded Program Files\erma.inf -> [2007/04/11 13:55:06 | 00,001,292 | ---- | M] ()
FP_AX_CAB_INSTALLER.exe -> C:\WINDOWS\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe -> [2008/03/24 18:33:02 | 01,527,056 | ---- | M] ()
muweb.inf -> C:\WINDOWS\Downloaded Program Files\muweb.inf -> [2008/10/16 14:16:04 | 00,000,295 | ---- | M] ()
swflash.inf -> C:\WINDOWS\Downloaded Program Files\swflash.inf -> [2008/03/24 18:18:48 | 00,000,247 | ---- | M] ()
wmvadvd.inf -> C:\WINDOWS\Downloaded Program Files\wmvadvd.inf -> [2005/03/04 11:11:04 | 00,002,371 | ---- | M] ()
< %systemroot%\Fonts\*.exe /s >
< %systemroot%\Fonts\*.zip /s >
< %systemroot%\Fonts\*.rar /s >
< %systemroot%\Fonts\*.dll /s >
< %systemroot%\Help\*.exe /s >
C:\WINDOWS\Help\Tours\mmTour\ -> C:\WINDOWS\Help\Tours\mmTour -> [2007/12/19 07:03:01 | 00,000,000 | ---D | M]
tour.exe -> C:\WINDOWS\Help\Tours\mmTour\tour.exe -> [2006/02/28 05:00:00 | 03,374,640 | ---- | M] (Macromedia, Inc.)
< %systemroot%\Help\*.zip /s >
< %systemroot%\Help\*.rar /s >
< %systemroot%\Tasks\*.* >
C:\WINDOWS\Tasks\ -> C:\WINDOWS\Tasks -> [2008/12/29 22:46:06 | 00,000,000 | --SD | M]
AppleSoftwareUpdate.job -> C:\WINDOWS\Tasks\AppleSoftwareUpdate.job -> [2009/01/23 11:52:01 | 00,000,284 | ---- | M] ()
desktop.ini -> C:\WINDOWS\Tasks\desktop.ini -> [2006/02/28 05:00:00 | 00,000,065 | RH-- | M] ()
GoogleUpdateTaskUserS-1-5-21-790525478-688789844-839522115-1003.job -> C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-688789844-839522115-1003.job -> [2009/01/28 00:00:12 | 00,001,240 | ---- | M] ()
SA.DAT -> C:\WINDOWS\Tasks\SA.DAT -> [2009/01/27 20:58:32 | 00,000,006 | -H-- | M] ()
< %APPDATA%\*.sys >
C:\Documents and Settings\Scott McLaughlan\Application Data\ -> C:\Documents and Settings\Scott McLaughlan\Application Data -> [2009/01/27 21:00:21 | 00,000,000 | RH-D | M]
PnkBstrK.sys -> C:\Documents and Settings\Scott McLaughlan\Application Data\PnkBstrK.sys -> [2008/12/20 20:46:59 | 00,022,328 | ---- | M] ()
< %systemroot%\system32\serauth1.dll >
< %systemroot%\system32\serauth2.dll >
< %systemroot%\system32\sysaudio.sys >
< %PROGRAMFILES%\*TinyProxy*. >
< %PROGRAMFILES%\Bitlord\Downloads\*.zip /s >
< %PROGRAMFILES%\Bitlord\Downloads\*.rar /s >
< %PROGRAMFILES%\Bitlord\Downloads\*.exe /s >
< %PROGRAMFILES%\Bitlord\Downloads\*crack*. >
< %PROGRAMFILES%\Bitlord\Downloads\*keygen*. >
< %PROGRAMFILES%\eMule\Incoming\*.zip /s >
< %PROGRAMFILES%\eMule\Incoming\*.rar /s >
< %PROGRAMFILES%\eMule\Incoming\*.exe /s >
< %PROGRAMFILES%\eMule\Incoming\*crack*. >
< %PROGRAMFILES%\eMule\Incoming\*keygen*. >
< HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla|extensions /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions\\jqs@sun.com -> %ProgramFiles%\Java\jre6\lib\deploy\jqs\ff [C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF] -> [2009/01/25 22:46:50 | 00,000,000 | ---D | M]
< End of report >
[/code]


#18
January 28, 2009 at 19:14:21
And I still don't see anything.

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.


Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
3. Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
4. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
5. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
6. Click View scan report at the bottom.
7. Click the Save Report As... button.
8. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


#19
January 28, 2009 at 20:57:01
Thanks, as always, for the help.

Here's what came back:

----------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, January 28, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, January 29, 2009 02:10:14
Records in database: 1722673
----------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 84439
Threat name: 7
Infected objects: 12
Suspicious objects: 0
Duration of the scan: 01:04:33


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A140000.VBN Infected: Trojan-Dropper.Win32.Agent.zvf 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A140002.VBN Infected: Trojan.Win32.Agent.ange 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\1CDC0000.VBN Infected: Trojan-Downloader.Java.OpenStream.ac 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\1CDC0002.VBN Infected: Trojan-Downloader.Java.OpenStream.ac 1
C:\Documents and Settings\Scott McLaughlan\.housecall6.6\Quarantine\arr3.jar-44f46a26-351ba4e8.zip.bac_a01892 Infected: Trojan.Java.ClassLoader.i 1
C:\Documents and Settings\Scott McLaughlan\.housecall6.6\Quarantine\arr3.jar-44f46a26-351ba4e8.zip.bac_a01892 Infected: Trojan.Java.ClassLoader.k 2
C:\Documents and Settings\Scott McLaughlan\.housecall6.6\Quarantine\arr3.jar-452572ae-17b6ee1f.zip.bac_a01892 Infected: Trojan.Java.ClassLoader.i 1
C:\Documents and Settings\Scott McLaughlan\.housecall6.6\Quarantine\arr3.jar-452572ae-17b6ee1f.zip.bac_a01892 Infected: Trojan.Java.ClassLoader.k 2
C:\Documents and Settings\Scott McLaughlan\Application Data\Sun\Java\Deployment\cache\6.0\59\4d13647b-118aad8d Infected: Exploit.Java.ByteVerify 1
C:\Documents and Settings\Scott McLaughlan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_0019b8 Infected: Trojan-Downloader.Win32.CodecPack.eji 1

The selected area was scanned.


#20
January 29, 2009 at 03:47:26
Go to start> control panel> java> temporary internet files> settings> delete files> ok> ok.

Navigate to and delete the contents of these folders but not the folders themselves:

C:\Documents and Settings\Scott McLaughlan\.housecall6.6\Quarantine


C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine

Navigate to and delete this folder:

C:\Documents and Settings\Scott McLaughlan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_0019b8

Have the redirects subsided?


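
The reply above sorts the Kaspersky findings by where they sit: everything it asks to empty is a quarantine folder or a browser/Java cache, none of the hits is a live file. Below is an added triage script that does the same bucketing mechanically over the report's "File name / Threat name / Threats count" lines. It is not part of the scanner or of this thread; SAMPLE_REPORT is a constructed sample whose first four lines copy entries from the report posted above and whose last line is an invented placeholder showing what a hit outside any quarantine or cache folder would look like.

```python
"""Triage helper for a Kaspersky Online Scanner "File name / Threat name / Threats count" listing.

Added example for this thread; it is not part of the scanner or the poster's log.
SAMPLE_REPORT is constructed: the first four lines copy entries that appear in the
thread, the last line is an invented placeholder for a hit outside quarantine/cache.
"""
import re
from dataclasses import dataclass

SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A140000.VBN Infected: Trojan-Dropper.Win32.Agent.zvf 1
C:\Documents and Settings\Scott McLaughlan\.housecall6.6\Quarantine\arr3.jar-44f46a26-351ba4e8.zip.bac_a01892 Infected: Trojan.Java.ClassLoader.k 2
C:\Documents and Settings\Scott McLaughlan\Application Data\Sun\Java\Deployment\cache\6.0\59\4d13647b-118aad8d Infected: Exploit.Java.ByteVerify 1
C:\Documents and Settings\Scott McLaughlan\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_0019b8 Infected: Trojan-Downloader.Win32.CodecPack.eji 1
C:\WINDOWS\system32\PLACEHOLDER_active_sample.dll Infected: Placeholder.Threat.Name 1
"""

# One report line: everything up to " Infected: " (or " Suspicious: ") is the path,
# because paths themselves contain spaces; then the verdict, threat name and count.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    path: str
    verdict: str
    threat: str
    count: int


def parse_report(text: str) -> list[Finding]:
    """Turn the per-file section of the report into Finding records; non-matching lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.append(Finding(m["path"], m["verdict"], m["threat"], int(m["count"])))
    return findings


def classify(path: str) -> str:
    """Bucket a detection by where it lives.

    'quarantine': already neutralised by another scanner (Norton, HouseCall); the
                  folder only needs emptying, which is what the reply asks for.
    'cache':      browser / Java cache copies of content that was served, not
                  necessarily executed.
    'active':     anything else; these are the hits that deserve a closer look.
    """
    segments = [s.lower() for s in path.split("\\")]
    if "quarantine" in segments:
        return "quarantine"
    if any("cache" in s for s in segments):
        return "cache"
    return "active"


def triage(text: str) -> dict[str, list[Finding]]:
    """Parse the report and group findings by classify()."""
    buckets: dict[str, list[Finding]] = {"quarantine": [], "cache": [], "active": []}
    for f in parse_report(text):
        buckets[classify(f.path)].append(f)
    return buckets


def total_threat_count(findings: list[Finding]) -> int:
    """Sum of the Threats count column; should equal the report's 'Infected objects' figure."""
    return sum(f.count for f in findings)


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for bucket, items in result.items():
        print(f"{bucket}: {len(items)} file(s)")
        for f in items:
            print(f"  {f.threat} x{f.count}  {f.path}")
    print("threat count total:", total_threat_count(parse_report(SAMPLE_REPORT)))
```

Run against the full listing posted above, the Threats count column sums to 12, matching the report's "Infected objects: 12" line, and every entry lands in the quarantine or cache bucket; an "active" hit is what would have pointed at a still-installed component.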
#21
January 29, 2009 at 17:56:38
They are reduced, but not gone. I would estimate that one time in 10 I get a redirect, and that most of the time the redirect first goes to an "adlinkmarket" site and then redirects to a variety of other sites such as party poker etc.

Any thoughts?


#22
January 29, 2009 at 18:48:31
This should fix it.

Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
C:\windows\System32\wdmaud.sys

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=-

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop). If ComboFix does not auto-start, click "Run".

Let us know if the redirects have subsided.


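
The CFScript above touches two things: the "aux" value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 and the file C:\windows\System32\wdmaud.sys. Drivers32 maps multimedia aliases such as wave, midi, mixer and aux to user-mode driver DLLs; on a stock Windows XP install those four entries all point at wdmaud.drv, so an alias pointing elsewhere, or any value that names a .sys file, is the shape this fix removes. Below is an added read-only check for that shape. It is not ComboFix's logic and not from this thread; SAMPLE_DRIVERS32 is a constructed snapshot, not the poster's registry, and read_live_drivers32() is only meaningful on a Windows host.

```python
"""Read-only check of the Drivers32 key for hijacked multimedia driver entries.

Added example for this thread, not ComboFix's own logic. On Windows XP the
wave/midi/mixer/aux aliases under
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 point to wdmaud.drv,
and Drivers32 values are user-mode DLLs (.drv/.acm/.dll), so a value naming a
.sys file does not belong there. SAMPLE_DRIVERS32 is a constructed snapshot.
"""
from pathlib import PureWindowsPath

EXPECTED_WDMAUD_ALIASES = {"aux", "midi", "mixer", "wave"}  # XP defaults -> wdmaud.drv

# Constructed snapshot: the "aux" line shows the hijacked shape the CFScript removes.
SAMPLE_DRIVERS32 = {
    "aux": "wdmaud.sys",
    "midi": "wdmaud.drv",
    "mixer": "wdmaud.drv",
    "wave": "wdmaud.drv",
    "msacm.imaadpcm": "imaadp32.acm",
    "vidc.cvid": "iccvid.dll",
}


def check_drivers32(values: dict[str, str]) -> list[str]:
    """Return one message per suspicious Drivers32 value; empty list means nothing flagged."""
    findings = []
    for alias, target in values.items():
        name = PureWindowsPath(target).name.lower()   # strip any directory part
        suffix = PureWindowsPath(name).suffix
        if alias.lower() in EXPECTED_WDMAUD_ALIASES and name != "wdmaud.drv":
            findings.append(f"{alias} -> {target}: expected wdmaud.drv")
        elif suffix == ".sys":
            findings.append(f"{alias} -> {target}: kernel-driver name (.sys) in a user-mode mapping")
    return findings


def read_live_drivers32() -> dict[str, str]:
    """Read the real key on a Windows host; returns {} where winreg is unavailable."""
    try:
        import winreg
    except ImportError:
        return {}
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"
    values: dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        index = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, index)
            except OSError:          # EnumValue raises when the values are exhausted
                break
            if isinstance(data, str):
                values[name] = data
            index += 1
    return values


if __name__ == "__main__":
    snapshot = read_live_drivers32() or SAMPLE_DRIVERS32
    for line in check_drivers32(snapshot) or ["nothing flagged"]:
        print(line)
```

Before running a removal script like the one above, a check of this kind records what the value currently points to; afterwards it confirms the alias is gone or back on wdmaud.drv. Drivers32 values are loaded in-process by whatever plays audio, which is why an entry there survives a browser reinstall and why the redirects persisted through the earlier cleanup steps.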
#23
January 30, 2009 at 16:22:00
Sorry guys, no obvious improvement with that step. It is reduced from what it was at the start of this thread, but I'm still getting adlinkmarket redirects on 10% of google clicks.

#24
January 31, 2009 at 18:40:36
I've done a bit more testing and can confirm that the adlinkmarket redirect occurs every single time on the first link after a google search, and only once in a while on links after that one. Doesn't seem to matter what the search topic is.

Do those symptoms help refine the remedy?

