Ransomware Please help

February 13, 2010 at 03:58:49
Specs: Windows Vista, Athlon 4600/1024
Was browsing and suddenly got a big pop-up saying I was infected with a lot of trojans...things flashing up...all these different names of trojans. Clicked on something that was supposed to fix it and guess what? They wanted payment. I now recognise this as Ransomware.
I tried to get Task Manager up to kill the process, to find it had been disabled! System Restore had too.
I ran Panda, Adaware, Spybot, A-squared and Norton...nothing coming up other than cookies. Ran Prevx (trial) and it came up with as7236.exe and a packageupdate_build6 thing. Both seen as threats, the first one very high, saying it was fraudulent! Can't get rid of them. Was able to get my Task Manager and System Restore back through ComboFix but now I am stuck. I don't know whether I should just reinstall Windows but I don't want to have to. How much is my PC compromised please, and can anyone help with this? Thanks

Edit: Turned off System Restore and ran Malwarebytes. It found the package entry and I quarantined it. BUT when I started up again Prevx found it again!!!




#1
February 13, 2010 at 06:12:17
Rkill should suspend the malware until you restart, DDS will help determine what removal process to use.

You may need to download these to a cd, external drive, or usb drive and run it on the infected computer but first try to run it from the infected computer.

Please download Rkill from the following link.

Rkill

Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. This link will help you disable them:

Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)

A black screen will appear and then disappear. Please do not worry, that is normal.

If you get a message that Rkill is an infection, do not be concerned. This message is just a fake warning given by the malware when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that Rkill can terminate the malware. So, please try running Rkill until malware is no longer running. You will then be able to proceed with the rest of the guide.

Do not reboot your computer after running rkill as the malware programs will start again.

Download DDS and save it to your desktop.
DDS.scr


Disable any script blocker if your Anti-Virus/Anti-Malware has it.
Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
Then double click dds.scr to run the tool.
When done, the DDS.txt will open.
Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt

Save both reports to your desktop then post them please.



#2
February 15, 2010 at 09:56:39
Hi, I didn't get any warnings and thought I had disabled both ZoneAlarm and Defender!! Here are the reports, sorry for the delay, I was in hospital for 2 days. Many thanks


DDS (Ver_09-12-01.01) - NTFSx86
Run by Sue at 17:46:11.05 on 15/02/2010
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2045.1160 [GMT 0:00]

SP: ZoneAlarm Anti-Spyware *enabled* (Outdated) {F245A209-1085-48B4-B927-35D56015EC60}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Program Files\Fingerprint Reader Suite\upeksvr.exe
C:\Windows\system32\WLANExt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Windows\system32\aestsrv.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Prevx\prevx.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\T-Mobile Internet Manager\UIExec.exe
C:\Program Files\Epson Software\Event Manager\EEventManager.exe
C:\Program Files\Microsoft LifeChat\LifeChat.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\UI0Detect.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Sue\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.co.uk/?src=www.aol.com
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [UIExec] "c:\program files\t-mobile internet manager\UIExec.exe"
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [LifeChat] "c:\program files\microsoft lifechat\LifeChat.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mPolicies-system: ConsentPromptBehaviorUser = 2 (0x2)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxp://support.euro.dell.com/systemprofiler/SysProExe.CAB
DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli psqlpwd

================= FIREFOX ===================

FF - ProfilePath - c:\users\sue\appdata\roaming\mozilla\firefox\profiles\0pbxbd2g.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.co.uk/?src=www.aol.com
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmidas.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-9 64160]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-2-12 28552]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2010-2-13 30280]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2010-2-12 1858144]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2009-4-27 73728]
R2 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2010-2-13 6297008]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1028432]
R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2010-2-13 47664]
R2 UI Assistant Service;UI Assistant Service;c:\program files\t-mobile internet manager\AssistantServices.exe [2009-8-10 241664]
R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2010-2-13 24368]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2009-8-10 9728]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
S4 iaNvStor;Intel(R) Turbo Memory Controller;c:\windows\system32\drivers\iaNvStor.sys [2009-4-28 209408]

=============== Created Last 30 ================

2010-02-13 12:49:39 55184 ----a-w- c:\windows\system32\PxSecure.dll
2010-02-13 12:49:39 47664 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-02-13 12:49:39 30280 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-02-13 12:49:38 24368 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-02-13 12:49:38 0 d-----w- c:\program files\Prevx
2010-02-13 12:49:27 0 d-----w- c:\programdata\PrevxCSI
2010-02-13 12:20:15 0 d-----w- c:\program files\Trend Micro
2010-02-12 22:59:45 0 d-----w- c:\program files\TrendMicro
2010-02-12 22:51:09 0 d-----w- c:\programdata\TEMP
2010-02-12 22:43:46 0 d-----w- c:\program files\Trojan Remover
2010-02-12 22:42:03 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-02-12 22:42:03 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-02-12 22:42:03 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-02-12 22:42:03 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-02-12 22:42:03 153088 ----a-w- c:\windows\system32\unrar3.dll
2010-02-12 22:42:01 0 d-----w- c:\users\sue\appdata\roaming\Simply Super Software
2010-02-12 22:42:01 0 d-----w- c:\programdata\Simply Super Software
2010-02-12 22:23:22 0 d-sh--w- C:\$RECYCLE.BIN
2010-02-12 21:51:04 98816 ----a-w- c:\windows\sed.exe
2010-02-12 21:51:04 77312 ----a-w- c:\windows\MBR.exe
2010-02-12 21:51:04 261632 ----a-w- c:\windows\PEV.exe
2010-02-12 21:51:04 161792 ----a-w- c:\windows\SWREG.exe
2010-02-12 20:58:39 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-02-12 20:58:39 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-02-12 20:04:29 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-02-12 20:04:22 0 d-----w- c:\program files\Panda Security
2010-02-12 19:45:50 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-02-12 19:45:28 0 d-----w- c:\users\sue\appdata\roaming\SUPERAntiSpyware.com
2010-02-12 19:45:28 0 d-----w- c:\program files\SUPERAntiSpyware
2010-02-12 19:45:13 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-02-12 19:40:09 0 d-----w- c:\program files\common files\Symantec Shared
2010-02-12 19:31:18 0 d-----w- c:\windows\system32\drivers\NSS
2010-02-12 19:31:18 0 d-----w- c:\programdata\Symantec
2010-02-12 19:31:18 0 d-----w- c:\programdata\Norton
2010-02-12 19:31:18 0 d-----w- c:\program files\Norton Security Scan
2010-02-12 19:31:06 0 d-----w- c:\programdata\NortonInstaller
2010-02-12 19:31:06 0 d-----w- c:\program files\NortonInstaller
2010-02-12 17:15:18 0 d-----w- c:\users\sue\DoctorWeb
2010-02-12 16:55:02 0 dc----w- c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-02-12 16:11:23 0 d-----w- c:\users\sue\appdata\roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-02-12 16:06:13 0 d-----w- c:\program files\a-squared Free
2010-02-12 16:05:02 0 d-----w- c:\program files\Exterminate It!
2010-02-12 15:51:56 0 d-sh--w- c:\programdata\SAPBDV
2010-02-12 15:51:14 0 d-sh--w- c:\programdata\72362ab
2010-02-06 15:53:28 0 d-----w- c:\users\sue\appdata\roaming\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
2010-02-06 15:52:15 0 ----a-w- c:\windows\EEventManager.INI
2010-02-06 14:52:37 0 d-----w- c:\windows\system32\Adobe
2010-01-24 02:12:09 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-24 02:12:09 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-18 21:53:36 0 d-----w- c:\users\sue\appdata\roaming\Spacejock Software
2010-01-18 21:51:34 0 d-----w- c:\program files\yWriter5

==================== Find3M ====================

2010-02-15 17:29:35 64705 ----a-w- c:\programdata\nvModes.dat
2010-02-15 17:28:44 350192 ---ha-w- c:\windows\system32\drivers\vsconfig.xml
2010-01-14 11:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-07 16:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 16:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-21 13:46:06 51200 ----a-w- c:\windows\inf\infpub.dat
2009-11-21 13:46:06 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-11-21 13:46:04 86016 ----a-w- c:\windows\inf\infstor.dat
2009-04-28 02:11:14 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-04-27 17:37:08 76 --sh--r- c:\windows\CT4CET.bin
2009-04-28 01:51:00 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 17:46:43.91 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 27/04/2009 19:20:02
System Uptime: 15/02/2010 17:28:17 (0 hours ago)

Motherboard: Dell Inc. | |
Processor: Intel(R) Core(TM)2 Duo CPU T7500 @ 2.20GHz | Microprocessor | 2201/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 220 GiB total, 179.716 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 2.524 GiB free.
E: is CDROM (UDF)

==== Disabled Device Manager Items =============

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft ISATAP Adapter
Device ID: ROOT\*ISATAP\0002
Manufacturer: Microsoft
Name: isatap.{82B5217D-DF5E-4BD2-BA89-4499AE2E1F75}
PNP Device ID: ROOT\*ISATAP\0002
Service: tunnel

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

7-Zip 4.65
a-squared Free 4.5
Acrobat.com
Ad-Aware
Adobe AIR
Adobe Download Manager
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 9.1
Adobe Shockwave Player 11.5
Advanced Audio FX Engine
Advanced Video FX Engine
Browser Address Error Redirector
Compatibility Pack for the 2007 Office system
Dell Edoc Viewer
Dell Getting Started Guide
Dell Touchpad
Dell Webcam Center
Dell Webcam Manager
DellSupport
EA Download Manager
EPSON BX600FW Series Printer Uninstall
Epson Easy Photo Print 2
Epson Event Manager
EPSON Scan
EPSON Stylus Office BX600FW_Office TX600FW_SX600FW Manual
EpsonNet Print
Exterminate It!
Fingerprint Reader Suite 5.6
FirstClass® Client
HiJackThis
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel(R) Matrix Storage Manager
Intel(R) PROSet/Wireless Software
Internet From BT
Java(TM) 6 Update 11
Junk Mail filter update
K101 DVD1
king.com (remove only)
Laptop Integrated Webcam Driver (1.04.01.1011)
Live! Cam Avatar Creator
Live! Cam Avatar v1.0
Malwarebytes' Anti-Malware
mCore
MediaDirect
mHelp
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft LifeChat
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Add-in 1.3
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Ultimate 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Microsoft WSE 3.0 Runtime
mMHouse
Mozilla Firefox (3.5.7)
mPfMgr
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
mWMI
Norton Security Scan
NVIDIA Drivers
OGA Notifier 2.0.0048.0
OutlookAddinSetup
Panda ActiveScan 2.0
Prevx
QuickSet
Roxio Activation Module
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Sonic CinePlayer Decoder Pack
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
T-Mobile Internet Manager
The Sims™ 3
Trojan Remover 6.8.1
TweetDeck
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 (KB974561)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb976884)
VC 9.0 Runtime
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WIDCOMM Bluetooth Software 6.0.1.3100
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
Windows Media Player Firefox Plugin
yWriter5
ZoneAlarm

==== Event Viewer Messages From Past Week ========

11/02/2010 22:11:38, Error: EventLog [6008] - The previous system shutdown at 20:54:45 on 11/02/2010 was unexpected.
11/02/2010 22:10:07, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.
11/02/2010 20:19:54, Error: iaStor [9] - The device, \Device\Ide\iaStor0, did not respond within the timeout period.
11/02/2010 11:30:00, Error: Microsoft-Windows-PrintSpooler [19] - The print spooler failed to share printer Send To OneNote 2007 with shared resource name Send To OneNote 2007. Error 1722. The printer cannot be used by others on the network.
09/02/2010 10:32:23, Error: Microsoft-Windows-PrintSpooler [19] - The print spooler failed to share printer Send To OneNote 2007 with shared resource name Send To OneNote 2007. Error 2114. The printer cannot be used by others on the network.
09/02/2010 00:25:38, Error: EventLog [6008] - The previous system shutdown at 00:24:01 on 09/02/2010 was unexpected.
08/02/2010 13:03:48, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.0.4 for the Network Card with network address 001CBF86A8D1 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
08/02/2010 03:19:44, Error: EventLog [6008] - The previous system shutdown at 03:18:03 on 08/02/2010 was unexpected.

==== End Of File ===========================
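The "Created Last 30" and "Find3M" entries in the DDS log above are what a helper reads to build a timeline of what was written to the disk and when. The following Python is an added triage example, not part of this thread and not a DDS or Computing.net tool: it parses that line layout, flags hidden+system entries outside locations where they are expected, and lists what else was created within a window around a chosen entry. The sample lines are taken from the log above; the attribute positions and the triage rules are assumptions inferred from that log and are a review list, not a verdict on any file.

```python
"""Triage helper for the 'Created Last 30' / 'Find3M' sections of a DDS log."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# One DDS entry looks like:  YYYY-MM-DD HH:MM:SS  <size>  <8-char attrs>  <path>
# Attribute positions used here are inferred from the log on this page (assumption):
#   [0] 'd' = directory, [2] 's' = system attribute, [3] 'h' = hidden attribute.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S{8})\s+(.+?)\s*$"
)

# Locations/names where hidden+system attributes are normal and not worth a flag.
EXPECTED_HIDDEN_PREFIXES = ("c:\\$recycle.bin",)
EXPECTED_HIDDEN_NAMES = {"desktop.ini", "ntuser.dat"}

# Hex-looking directory names (e.g. 72362ab) dropped into ProgramData are worth a look.
RANDOM_NAME = re.compile(r"^[0-9a-f]{6,}$")

# Sample input: entries copied from the DDS log posted above (constructed selection).
SAMPLE_LOG = r"""
==================== Find3M ====================
2010-02-12 22:23:22 0 d-sh--w- C:\$RECYCLE.BIN
2010-02-12 16:55:02 0 dc----w- c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-02-12 16:06:13 0 d-----w- c:\program files\a-squared Free
2010-02-12 16:05:02 0 d-----w- c:\program files\Exterminate It!
2010-02-12 15:51:56 0 d-sh--w- c:\programdata\SAPBDV
2010-02-12 15:51:14 0 d-sh--w- c:\programdata\72362ab
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
"""


@dataclass
class Entry:
    when: datetime
    size: int
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden_system(self) -> bool:
        return self.attrs[2] == "s" and self.attrs[3] == "h"

    @property
    def name(self) -> str:
        return self.path.lower().rsplit("\\", 1)[-1]


def parse(text: str) -> List[Entry]:
    """Parse DDS entry lines; section headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        entries.append(Entry(when, int(m.group(2)), m.group(3), m.group(4)))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """Return (entry, reason) pairs a reviewer should look at first."""
    flagged = []
    for e in entries:
        low = e.path.lower()
        if e.name in EXPECTED_HIDDEN_NAMES or low.startswith(EXPECTED_HIDDEN_PREFIXES):
            continue
        if e.hidden_system:
            flagged.append((e, "hidden+system attributes outside expected locations"))
        elif e.is_dir and low.startswith("c:\\programdata\\") and RANDOM_NAME.match(e.name):
            flagged.append((e, "random-looking directory name in ProgramData"))
    return flagged


def around(entries: List[Entry], anchor: Entry, minutes: int = 15) -> List[Entry]:
    """Everything created within +/- `minutes` of `anchor`, oldest first (timeline view)."""
    window = timedelta(minutes=minutes)
    hits = [e for e in entries if abs(e.when - anchor.when) <= window]
    return sorted(hits, key=lambda e: e.when)


if __name__ == "__main__":
    found = parse(SAMPLE_LOG)
    for entry, reason in triage(found):
        print(f"{entry.when}  {entry.attrs}  {entry.path}  <- {reason}")
        for nearby in around(found, entry, minutes=20):
            print(f"    {nearby.when}  {nearby.attrs}  {nearby.path}")
```

Run on the full DDS log, the timeline view shows what the user installed in the hour after the two hidden ProgramData directories appeared, which is the ordering a helper uses to tell attacker-written files from clean-up tools.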



#3
February 15, 2010 at 15:02:50
Your java is out of date and may have been exploited.
Download the latest version of java from this link Java
Click on the JRE 6 Update 18 download button.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u178-windows-i586-p.exe to install the newest version.

Navigate to C:\Combofix.txt and post that log please.

Download GMER from the following location and save it to your desktop.

GMER.exe


1. Right-click on the gmer.zip icon and select the Extract all
You will be shown a screen asking how you would like to extract the file. Just keep pressing the Next button until you get to the last screen and then press the Finish button to finish the extraction process. The GMER folder should automatically open and you will see that it contains the file called gmer.exe.

2. Please double-click on the gmer.exe program. Once you double-click the icon a Windows security warning may appear asking if you are sure you would like to run the program. If this warning appears, please click on the Run button to allow GMER to start. If no warning appeared then you should just continue with the guide.

3. You will now see the main GMER window. If it gives you a warning about rootkit activity and asks if you want to run a full scan, please click on the NO button. We now need to configure GMER to not use some settings. Please uncheck the following settings that we do not want in our scan.
•Sections
•IAT/EAT
•Drives/Partition other than Systemdrive, which is typically C:\
•Show All (This is important, so do not miss it.)

4. Click on the Scan button to scan your computer for rootkits. This may take a while, so please be patient.

5. You now need to save the rootkit scan report to your Desktop by clicking on the Save button. A screen will open asking where you would like to save the report. Choose to save it to the desktop, then in the file name field type help.txt

Finally, press the Save button to save the report to your desktop then post the results.

Please do not act on any of the information you find in this report as many legitimate programs could be listed in it.



#4
February 15, 2010 at 15:52:25
Thanks for that. Will get back to you tomorrow with results.


#5
February 16, 2010 at 06:08:43
Hi
This GMER log is exceptionally long...I can't see a way to zip and attach on here. It seems like it says an awful lot about my PC. Do I just paste it on here? (I have tried three times to get this log but it has crashed my PC each time. It's just coming to the end of a final try.) Thanks


#6
February 16, 2010 at 15:50:13
If you could get the log it would need to be posted in segments. If you can't get the log, just post your ComboFix log as requested in response #3, then run the following scan and post its log.

Download TDSSKiller to your Desktop from the following link.

TDSSKiller


1. Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop. It will extract to an unzipped folder, drag TDSSKiller.exe out of that folder onto the desktop.
2. Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v


3. If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
4. When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.



#7
February 16, 2010 at 16:50:08
Thanks...sending this from another PC. On the fourth attempt it finished...and froze as I tried to save to desktop! It did come up with a warning though.
GMER has found system modification caused by rootkit activity. When I can get it to run and am able to save I will post it. I am supposed to be leaving C drive checked, aren't I? Will try to send the ComboFix report in a moment. Thanks so much


#8
February 16, 2010 at 17:00:47
ComboFix log is:

ComboFix 10-02-12.01 - Sue 12/02/2010 22:17:17.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2045.1302 [GMT 0:00]
Running from: c:\users\Sue\Desktop\ComboFix.exe
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: ZoneAlarm Anti-Spyware *enabled* (Outdated) {F245A209-1085-48B4-B927-35D56015EC60}
.

((((((((((((((((((((((((( Files Created from 2010-01-12 to 2010-02-12 )))))))))))))))))))))))))))))))
.

2010-02-12 22:21 . 2010-02-12 22:21 -------- d-----w- c:\users\Sue\AppData\Local\temp
2010-02-12 22:21 . 2010-02-12 22:21 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-02-12 22:21 . 2010-02-12 22:21 -------- d-----w- c:\users\gamer\AppData\Local\temp
2010-02-12 22:21 . 2010-02-12 22:21 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-12 22:21 . 2010-02-12 22:21 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2010-02-12 20:58 . 2010-02-12 21:28 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-02-12 20:58 . 2010-02-12 20:58 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-12 20:04 . 2009-06-30 09:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-02-12 20:04 . 2010-02-12 20:04 -------- d-----w- c:\program files\Panda Security
2010-02-12 19:46 . 2010-02-12 22:12 52224 ----a-w- c:\users\Sue\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-12 19:46 . 2010-02-12 22:12 117760 ----a-w- c:\users\Sue\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-12 19:45 . 2010-02-12 19:45 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-02-12 19:45 . 2010-02-12 19:45 -------- d-----w- c:\users\Sue\AppData\Roaming\SUPERAntiSpyware.com
2010-02-12 19:45 . 2010-02-12 19:45 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-12 19:45 . 2010-02-12 19:45 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-12 19:40 . 2010-02-12 19:40 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-12 19:39 . 2010-01-18 18:22 371248 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\20100212.003\eeCtrl.sys
2010-02-12 19:39 . 2010-01-18 18:22 2747440 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\20100212.003\cceraser.dll
2010-02-12 19:39 . 2010-01-18 18:22 259440 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\20100212.003\ecmsvr32.dll
2010-02-12 19:39 . 2010-01-18 18:22 177520 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\20100212.003\naveng32.dll
2010-02-12 19:39 . 2010-01-18 18:22 1647984 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\20100212.003\navex32a.dll
2010-02-12 19:39 . 2010-01-18 18:22 102448 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\20100212.003\ERASER.sys
2010-02-12 19:38 . 2010-01-18 18:22 84912 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\BinHub\naveng.sys
2010-02-12 19:38 . 2010-01-18 18:22 371248 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\BinHub\eeCtrl.sys
2010-02-12 19:38 . 2010-01-18 18:22 259440 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\BinHub\ecmsvr32.dll
2010-02-12 19:38 . 2010-01-18 18:22 177520 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\BinHub\naveng32.dll
2010-02-12 19:38 . 2010-01-18 18:22 1647984 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\BinHub\navex32a.dll
2010-02-12 19:38 . 2010-01-18 18:22 1323568 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\BinHub\navex15.sys
2010-02-12 19:38 . 2010-01-18 18:22 102448 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\BinHub\ERASER.sys
2010-02-12 19:38 . 2010-01-18 18:22 2747440 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\BinHub\cceraser.dll
2010-02-12 19:31 . 2010-02-12 19:38 -------- d-----w- c:\programdata\Symantec
2010-02-12 19:31 . 2010-02-12 19:31 -------- d-----w- c:\programdata\Norton
2010-02-12 19:31 . 2010-02-12 19:31 -------- d-----w- c:\windows\system32\drivers\NSS
2010-02-12 19:31 . 2010-02-12 19:31 -------- d-----w- c:\program files\Norton Security Scan
2010-02-12 19:31 . 2010-02-12 19:31 -------- d-----w- c:\program files\NortonInstaller
2010-02-12 19:31 . 2010-02-12 19:31 -------- d-----w- c:\programdata\NortonInstaller
2010-02-12 17:15 . 2010-02-12 17:15 -------- d-----w- c:\users\Sue\DoctorWeb
2010-02-12 17:06 . 2010-02-12 18:50 680 ----a-w- c:\users\Sue\AppData\Local\d3d9caps.dat
2010-02-12 16:55 . 2010-02-12 16:55 -------- dc----w- c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-02-12 16:34 . 2010-02-12 16:34 53136 ----a-w- c:\windows\system32\PxSecure.dll
2010-02-12 16:34 . 2010-02-12 16:34 49352 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-02-12 16:34 . 2010-02-12 16:34 30280 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-02-12 16:34 . 2010-02-12 16:34 24496 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-02-12 16:34 . 2010-02-12 16:34 -------- d-----w- c:\program files\Prevx
2010-02-12 16:34 . 2010-02-12 16:36 -------- d-----w- c:\programdata\PrevxCSI
2010-02-12 16:11 . 2010-02-12 16:11 -------- d-----w- c:\users\Sue\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-02-12 16:06 . 2010-02-12 18:37 -------- d-----w- c:\program files\a-squared Free
2010-02-12 16:05 . 2010-02-12 16:11 -------- d-----w- c:\program files\Exterminate It!
2010-02-12 15:52 . 2010-02-12 15:52 71 ----a-w- c:\users\Sue\AppData\Roaming\Microsoft\Windows\Recent\std.dll
2010-02-12 15:52 . 2010-02-12 15:52 23 ----a-w- c:\users\Sue\AppData\Roaming\Microsoft\Windows\Recent\pal.drv
2010-02-12 15:52 . 2010-02-12 15:52 53 ----a-w- c:\users\Sue\AppData\Roaming\Microsoft\Windows\Recent\tjd.drv
2010-02-12 15:52 . 2010-02-12 15:52 33 ----a-w- c:\users\Sue\AppData\Roaming\Microsoft\Windows\Recent\PE.dll
2010-02-12 15:52 . 2010-02-12 15:52 63 ----a-w- c:\users\Sue\AppData\Roaming\Microsoft\Windows\Recent\FW.dll
2010-02-12 15:52 . 2010-02-12 15:52 27 ----a-w- c:\users\Sue\AppData\Roaming\Microsoft\Windows\Recent\eb.exe
2010-02-12 15:52 . 2010-02-12 15:52 60 ----a-w- c:\users\Sue\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.drv
2010-02-12 15:52 . 2010-02-12 15:52 30 ----a-w- c:\users\Sue\AppData\Roaming\Microsoft\Windows\Recent\ddv.drv
2010-02-12 15:52 . 2010-02-12 16:02 3 ----a-w- c:\users\Sue\AppData\Roaming\Microsoft\Windows\Recent\eb.sys
2010-02-12 15:51 . 2010-02-12 15:51 -------- d-sh--w- c:\programdata\SAPBDV
2010-02-12 15:51 . 2010-01-10 14:51 457688 ----a-w- c:\programdata\72362ab\sqlite3.dll
2010-02-12 15:51 . 2010-01-10 14:51 722392 ----a-w- c:\programdata\72362ab\mozcrt19.dll
2010-02-12 15:51 . 2010-02-12 15:51 2601472 ----a-w- c:\programdata\72362ab\SA7236.exe
2010-02-12 15:51 . 2010-02-12 16:22 -------- d-sh--w- c:\programdata\72362ab
2010-02-12 09:00 . 2010-02-12 09:00 84912 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\20100212.003\NAVENG.SYS
2010-02-12 09:00 . 2010-02-12 09:00 1324720 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\20100212.003\NAVEX15.SYS
2010-02-06 15:53 . 2010-02-06 15:53 -------- d-----w- c:\users\Sue\AppData\Roaming\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
2010-02-06 15:53 . 2010-02-06 15:46 38784 ----a-w- c:\users\Sue\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-06 15:48 . 2010-02-06 15:48 -------- d-----w- c:\users\Administrator\AppData\Roaming\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
2010-02-06 15:48 . 2010-02-06 15:46 38784 ----a-w- c:\users\Administrator\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-06 15:48 . 2010-02-06 15:46 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-06 15:39 . 2010-02-06 15:39 0 ----a-w- c:\windows\nsreg.dat
2010-02-06 15:39 . 2010-02-06 15:39 -------- d-----w- c:\users\Administrator\AppData\Local\Mozilla
2010-02-06 14:52 . 2010-02-06 14:52 -------- d-----w- c:\windows\system32\Adobe
2010-01-24 02:12 . 2009-10-19 14:27 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-24 02:12 . 2009-10-19 14:24 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-20 00:13 . 2009-12-17 16:37 31936 ----a-w- c:\users\Sue\AppData\Roaming\Mozilla\Firefox\Profiles\0pbxbd2g.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-01-20 00:13 . 2009-12-17 16:37 29344 ----a-w- c:\users\Sue\AppData\Roaming\Mozilla\Firefox\Profiles\0pbxbd2g.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2010-01-18 21:53 . 2010-01-18 21:53 -------- d-----w- c:\users\Sue\AppData\Roaming\Spacejock Software
2010-01-18 21:51 . 2010-01-18 21:51 -------- d-----w- c:\program files\yWriter5

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-12 22:11 . 2009-06-02 13:25 64705 ----a-w- c:\programdata\nvModes.dat
2010-02-12 22:11 . 2009-11-11 14:15 350192 ---ha-w- c:\windows\system32\drivers\vsconfig.xml
2010-02-06 15:48 . 2009-06-02 15:07 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-06 15:42 . 2010-02-06 15:37 101856 ----a-w- c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-06 15:37 . 2010-02-06 15:37 -------- d-----w- c:\users\Administrator\AppData\Roaming\Epson
2010-02-06 15:37 . 2010-02-06 15:37 -------- d--h--w- c:\users\Administrator\AppData\Roaming\GTek
2010-01-24 13:59 . 2009-06-09 14:32 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-20 00:26 . 2009-06-02 14:52 -------- d-----w- c:\programdata\NOS
2010-01-20 00:13 . 2009-06-02 14:52 -------- d-----w- c:\program files\NOS
2010-01-14 11:12 . 2009-10-13 15:26 181120 ------w- c:\windows\system32\MpSigStub.exe
2009-12-23 17:52 . 2009-12-24 14:02 1460736 ----a-w- c:\windows\Internet Logs\xDB75A0.tmp
2009-12-23 14:04 . 2009-12-23 14:04 1468006 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-12-22 17:33 . 2009-12-23 14:04 1460224 ----a-w- c:\windows\Internet Logs\xDB8F39.tmp
2009-12-06 16:47 . 2009-12-06 16:47 784136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-04-27 17:37 . 2009-04-27 17:37 76 --sh--r- c:\windows\CT4CET.bin
2009-04-28 01:51 . 2009-04-28 01:48 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-04-16 22:13 721408 ----a-w- c:\program files\Fingerprint Reader Suite\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-04-16 22:13 721408 ----a-w- c:\program files\Fingerprint Reader Suite\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-01-25 167936]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2008-03-04 36864]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-12-03 405504]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"UIExec"="c:\program files\T-Mobile Internet Manager\UIExec.exe" [2009-06-12 132608]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2008-05-07 591696]
"LifeChat"="c:\program files\Microsoft LifeChat\LifeChat.exe" [2009-09-28 264040]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-16 13793824]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2009-06-16 92704]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 2 (0x2)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-04-16 22:04 86528 ----a-w- c:\windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk
backup=c:\windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2009-12-09 01:12 520024 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 16:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DELL Webcam Manager]
2007-07-27 15:43 118784 ------w- c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 11:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 10:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2007-08-30 09:50 205480 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeChat]
2009-09-28 11:48 264040 ----a-w- c:\program files\Microsoft LifeChat\LifeChat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2007-11-01 14:39 189736 ------w- c:\program files\Dell\MediaDirect\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSQLLauncher]
2007-04-16 21:50 49168 ----a-w- c:\program files\Fingerprint Reader Suite\launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-04-27 17:33 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-21 02:25 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [09/12/2009 01:13 64160]
R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [12/02/2010 20:04 28552]
R0 pxscan;pxscan;c:\windows\System32\drivers\pxscan.sys [12/02/2010 16:34 30280]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/01/2010 07:56 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/01/2010 07:56 74480]
R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [12/02/2010 16:06 1858144]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [27/04/2009 18:17 73728]
R2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [12/02/2010 16:34 6297008]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 19:06 1028432]
R2 pxrts;pxrts;c:\windows\System32\drivers\pxrts.sys [12/02/2010 16:34 49352]
R3 pxkbf;pxkbf;c:\windows\System32\drivers\pxkbf.sys [12/02/2010 16:34 24496]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/01/2010 07:56 7408]
S2 UI Assistant Service;UI Assistant Service;c:\program files\T-Mobile Internet Manager\AssistantServices.exe [10/08/2009 11:07 241664]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\System32\drivers\massfilter.sys [10/08/2009 11:07 9728]
S4 iaNvStor;Intel(R) Turbo Memory Controller;c:\windows\System32\drivers\iaNvStor.sys [28/04/2009 02:11 209408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SASENUM
*Deregistered* - BMLoad

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-02-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 01:12]

2010-02-12 c:\windows\Tasks\Norton Security Scan for Sue.job
- c:\program files\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2010-02-12 11:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.co.uk/?src=www.aol.com
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cab
FF - ProfilePath - c:\users\Sue\AppData\Roaming\Mozilla\Firefox\Profiles\0pbxbd2g.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.co.uk/?src=www.aol.com
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmidas.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-12 22:21
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(612)
c:\windows\system32\psqlpwd.dll
c:\program files\Fingerprint Reader Suite\homefus2.dll
c:\program files\Fingerprint Reader Suite\infra.dll

- - - - - - - > 'Explorer.exe'(4728)
c:\program files\Fingerprint Reader Suite\farchns.dll
c:\program files\Fingerprint Reader Suite\infra.dll
.
Completion time: 2010-02-12 22:23:49
ComboFix-quarantined-files.txt 2010-02-12 22:23
ComboFix2.txt 2010-02-12 22:06

Pre-Run: 193,044,267,008 bytes free
Post-Run: 193,009,123,328 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=16 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16
- - End Of File - - D042415AEC53991A9F91CA18B16A370F



#9
February 16, 2010 at 17:02:08
Do not run GMER any more if it is causing the computer to lock up. Run TDSSkiller, then post the old Combofix log.


#10
February 16, 2010 at 17:02:29
TDSSkiller is:

00:57:44:235 5124 TDSS rootkit removing tool 2.2.4 Feb 15 2010 19:38:31
00:57:44:235 5124 ================================================================================
00:57:44:235 5124 SystemInfo:

00:57:44:235 5124 Windows directory: C:\Windows
00:57:44:235 5124 Processor architecture: Intel x86
00:57:44:235 5124 Number of processors: 2
00:57:44:235 5124 Page size: 0x1000
00:57:44:235 5124 Boot type: Normal boot
00:57:44:235 5124 ================================================================================
00:57:44:237 5124 UnloadDriverW: NtUnloadDriver error 2
00:57:44:237 5124 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
00:57:44:237 5124 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
00:58:06:502 5124 UtilityInit: KLMD drop and load success
00:58:06:502 5124 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)
00:58:06:502 5124 UtilityInit: KLMD open success
00:58:06:502 5124 UtilityInit: Initialize success
00:58:06:502 5124
00:58:06:502 5124 Scanning Services ...
00:58:06:502 5124 CreateRegParser: Registry parser init started
00:58:06:502 5124 CreateRegParser: DisableWow64Redirection error
00:58:06:502 5124 wfopen_ex: Trying to open file C:\Windows\system32\config\system
00:58:06:502 5124 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\system) returned status C0000043
00:58:06:502 5124 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
00:58:06:502 5124 wfopen_ex: Trying to KLMD file open
00:58:06:502 5124 KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\system
00:58:06:502 5124 wfopen_ex: File opened ok (Flags 2)
00:58:06:515 5124 CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\system) init success: 2111368
00:58:06:515 5124 wfopen_ex: Trying to open file C:\Windows\system32\config\software
00:58:06:515 5124 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\software) returned status C0000043
00:58:06:515 5124 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
00:58:06:515 5124 wfopen_ex: Trying to KLMD file open
00:58:06:515 5124 KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\software
00:58:06:515 5124 wfopen_ex: File opened ok (Flags 2)
00:58:06:515 5124 CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\software) init success: 2111390
00:58:06:515 5124 CreateRegParser: EnableWow64Redirection error
00:58:06:515 5124 CreateRegParser: RegParser init completed
00:58:07:175 5124 GetAdvancedServicesInfo: Raw services enum returned 451 services
00:58:07:177 5124 fclose_ex: Trying to close file C:\Windows\system32\config\system
00:58:07:180 5124 fclose_ex: Trying to close file C:\Windows\system32\config\software
00:58:07:180 5124
00:58:07:180 5124 Scanning Kernel memory ...
00:58:07:180 5124 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
00:58:07:180 5124 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 85B53828
00:58:07:180 5124 DetectCureTDL3: KLMD_GetDeviceObjectList returned 1 DevObjects
00:58:07:180 5124
00:58:07:180 5124 DetectCureTDL3: DEVICE_OBJECT: 8619DAA0
00:58:07:180 5124 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8619DAA0
00:58:07:180 5124 DetectCureTDL3: DEVICE_OBJECT: 84683030
00:58:07:180 5124 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84683030
00:58:07:180 5124 KLMD_ReadMem: Trying to ReadMemory 0x84683030[0x38]
00:58:07:180 5124 DetectCureTDL3: DRIVER_OBJECT: 84679F38
00:58:07:180 5124 KLMD_ReadMem: Trying to ReadMemory 0x84679F38[0xA8]
00:58:07:180 5124 KLMD_ReadMem: Trying to ReadMemory 0x8465D608[0x1C]
00:58:07:180 5124 DetectCureTDL3: DRIVER_OBJECT name: \Driver\iaStor, Driver Name: iaStor
00:58:07:180 5124 DetectCureTDL3: IRP_MJ_CREATE : 880EA818
00:58:07:180 5124 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 82264003
00:58:07:180 5124 DetectCureTDL3: IRP_MJ_CLOSE : 880EA818
00:58:07:180 5124 DetectCureTDL3: IRP_MJ_READ : 82264003
00:58:07:180 5124 DetectCureTDL3: IRP_MJ_WRITE : 82264003
00:58:07:180 5124 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 82264003
00:58:07:180 5124 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 82264003
00:58:07:180 5124 DetectCureTDL3: IRP_MJ_QUERY_EA : 82264003
00:58:07:180 5124 DetectCureTDL3: IRP_MJ_SET_EA : 82264003
00:58:07:180 5124 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : 82264003
00:58:07:180 5124 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 82264003
00:58:07:180 5124 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 82264003
00:58:07:180 5124 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 82264003
00:58:07:180 5124 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 82264003
00:58:07:180 5124 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : 880E8132
00:58:07:180 5124 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : 880E5918
00:58:07:180 5124 DetectCureTDL3: IRP_MJ_SHUTDOWN : 82264003
00:58:07:180 5124 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 82264003
00:58:07:180 5124 DetectCureTDL3: IRP_MJ_CLEANUP : 82264003
00:58:07:180 5124 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 82264003
00:58:07:180 5124 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 82264003
00:58:07:180 5124 DetectCureTDL3: IRP_MJ_SET_SECURITY : 82264003
00:58:07:180 5124 DetectCureTDL3: IRP_MJ_POWER : 880E1AB4
00:58:07:180 5124 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : 880E107C
00:58:07:180 5124 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 82264003
00:58:07:180 5124 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 82264003
00:58:07:180 5124 DetectCureTDL3: IRP_MJ_SET_QUOTA : 82264003
00:58:07:180 5124 TDL3_FileDetect: Processing driver: iaStor
00:58:07:180 5124 TDL3_FileDetect: Processing driver file: C:\Windows\system32\drivers\iastor.sys
00:58:07:180 5124 KLMD_CreateFileW: Trying to open file C:\Windows\system32\drivers\iastor.sys
00:58:07:210 5124 TDL3_FileDetect: Processing driver: iaStor
00:58:07:210 5124 TDL3_FileDetect: Processing driver file: C:\Windows\system32\drivers\iastor.sys
00:58:07:210 5124 KLMD_CreateFileW: Trying to open file C:\Windows\system32\drivers\iastor.sys
00:58:07:215 5124 TDL3_FileDetect: C:\Windows\system32\drivers\iastor.sys - Verdict: Clean
00:58:07:215 5124
00:58:07:215 5124 Completed
00:58:07:215 5124
00:58:07:215 5124 Results:
00:58:07:217 5124 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
00:58:07:217 5124 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
00:58:07:217 5124 File objects infected / cured / cured on reboot: 0 / 0 / 0
00:58:07:217 5124
00:58:07:217 5124 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
00:58:07:220 5124 UtilityDeinit: KLMD(ARK) unloaded successfully



#11
February 16, 2010 at 17:14:28
Is this the monster in that last log?

2010-02-12 15:51 . 2010-02-12 15:51 2601472 ----a-w- c:\programdata\72362ab\SA7236.exe


Prevx was offering to remove this for £10. If I bought that, how can I be sure I would be clean? Thanks



#12
February 16, 2010 at 17:46:59
GMER drive (C:\) is supposed to be unchecked. TDSSkiller did not fully run.

The following OTL log will be long and take several posts to get it all to us, but we need all of it.

Please download OTL from following site:

OTL by OldTimer

1. Save it to your desktop
2. Double click the OTL icon on your desktop
3. Close any open browsers.
4. Double-click on OTL.exe to start the program.
Leave all settings as they appear as default, except for the following:

Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT

Now click the Run Scan button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file
Post the contents of that Notepad document in your next reply.



#13
February 16, 2010 at 18:05:12
Is it the file called Extras you want? ...or the one that says OTL.Txt Notepad?


#14
February 16, 2010 at 18:07:22

All of the following are tied to the file, do you know the program?

2010-02-12 15:51 . 2010-02-12 15:51 -------- d-sh--w- c:\programdata\SAPBDV
2010-02-12 15:51 . 2010-01-10 14:51 457688 ----a-w- c:\programdata\72362ab\sqlite3.dll
2010-02-12 15:51 . 2010-01-10 14:51 722392 ----a-w- c:\programdata\72362ab\mozcrt19.dll
2010-02-12 15:51 . 2010-02-12 15:51 2601472 ----a-w- c:\programdata\72362ab\SA7236.exe
2010-02-12 15:51 . 2010-02-12 16:22 -------- d-sh--w- c:\programdata\72362ab

The infected file and folder you are showing me is easily deleted, but the system file that it has replaced may be more difficult and is probably causing the redirects.


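As an added example (not from this thread or from ComboFix, Prevx or any other tool named here): a small Python triage script that parses ComboFix "Files Created" lines in the format shown in post #8 and flags the pattern pointed out in #14, namely hidden+system directories under ProgramData, executables dropped inside them, and files with executable extensions that are far too small to be real binaries. The sample log lines are constructed from entries quoted in the thread; the size threshold is an assumption of this example.

```python
import re
from dataclasses import dataclass
from typing import List

# One ComboFix "Files Created" / "Find3M" line looks like:
#   <created> . <modified> <size or dashes> <attribute flags> <path>
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>\S{8}) (?P<path>.+?)\s*$"
)

PE_EXTENSIONS = (".exe", ".dll", ".sys", ".drv")
# Assumed threshold: a DOS stub plus PE headers alone run to several hundred
# bytes, so anything this small cannot be a loadable driver or library.
MIN_PLAUSIBLE_PE_SIZE = 1024

# Constructed sample, modelled on the entries discussed in posts #8 and #14.
SAMPLE_LOG = r"""
2010-02-12 20:58 . 2010-02-12 20:58 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-12 15:52 . 2010-02-12 15:52 71 ----a-w- c:\users\Sue\AppData\Roaming\Microsoft\Windows\Recent\std.dll
2010-02-12 15:52 . 2010-02-12 15:52 27 ----a-w- c:\users\Sue\AppData\Roaming\Microsoft\Windows\Recent\eb.exe
2010-02-12 15:51 . 2010-02-12 15:51 -------- d-sh--w- c:\programdata\SAPBDV
2010-02-12 15:51 . 2010-01-10 14:51 457688 ----a-w- c:\programdata\72362ab\sqlite3.dll
2010-02-12 15:51 . 2010-01-10 14:51 722392 ----a-w- c:\programdata\72362ab\mozcrt19.dll
2010-02-12 15:51 . 2010-02-12 15:51 2601472 ----a-w- c:\programdata\72362ab\SA7236.exe
2010-02-12 15:51 . 2010-02-12 16:22 -------- d-sh--w- c:\programdata\72362ab
2010-02-12 16:34 . 2010-02-12 16:34 -------- d-----w- c:\program files\Prevx
2010-02-12 16:34 . 2010-02-12 16:34 53136 ----a-w- c:\windows\system32\PxSecure.dll
"""


@dataclass
class Entry:
    created: str
    modified: str
    size: int  # -1 for directories (ComboFix prints dashes instead of a size)
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden_system(self) -> bool:
        # ComboFix flag string: 'd' directory, 's' system, 'h' hidden, 'a' archive.
        return "s" in self.attrs and "h" in self.attrs

    @property
    def parent(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower()


@dataclass
class Finding:
    path: str
    reason: str


def parse(log_text: str) -> List[Entry]:
    """Turn the raw log text into Entry records, skipping banners and dots."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = -1 if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def triage(log_text: str) -> List[Finding]:
    """Return the entries worth a second look, with the reason for each."""
    entries = parse(log_text)
    findings: List[Finding] = []
    # Pass 1: hidden+system directories. The directory entry may appear after
    # the files inside it (as in the thread), so collect them before pass 2.
    hidden_dirs = set()
    for e in entries:
        if e.is_dir and e.hidden_system:
            hidden_dirs.add(e.path.lower())
            findings.append(Finding(e.path, "hidden+system directory"))
    # Pass 2: executables dropped into those directories, and "executables"
    # too small to be a PE image at all.
    for e in entries:
        if e.is_dir:
            continue
        lower = e.path.lower()
        if e.parent in hidden_dirs and lower.endswith(PE_EXTENSIONS):
            findings.append(Finding(e.path, "executable inside hidden+system directory"))
        elif lower.endswith(PE_EXTENSIONS) and 0 <= e.size < MIN_PLAUSIBLE_PE_SIZE:
            findings.append(Finding(e.path, f"{e.size}-byte file with executable extension, too small to be a PE"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:60s} {f.path}")
```

Run it against a full ComboFix log by reading the file into `triage()`; legitimate hidden+system directories exist under C:\Windows, so review each finding rather than deleting on sight.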

#15
February 16, 2010 at 18:09:02
I have no idea...it all happened in seconds.


#16
February 16, 2010 at 18:11:07
Both files. Extras is the bolded items in the scan that you copied.


#17
February 16, 2010 at 18:14:15
It's coming up with a .pl?security message on a blank page when I try to post it?


#18
February 16, 2010 at 18:25:48
It will take several posts to get it to us. So chop it up and send about 1/3 in each post.


#19
February 16, 2010 at 18:29:45
OTL logfile created on: 17/02/2010 01:55:57 - Run 1
OTL by OldTimer - Version 3.1.28.0 Folder = C:\Users\Sue\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 65.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 220.25 Gb Total Space | 179.39 Gb Free Space | 81.45% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 2.52 Gb Free Space | 25.24% Space Free | Partition Type: NTFS
Drive E: | 5.56 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

[color=#E56717]========== Processes (SafeList) ==========[/color]

PRC - [2010/02/17 01:48:35 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Users\Sue\Desktop\OTL.exe
PRC - [2010/01/11 15:21:52 | 000,246,504 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Common Files\Java\Java Update\jusched.exe
PRC - [2009/12/09 01:12:01 | 000,520,024 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2009/12/09 01:12:00 | 001,028,432 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2009/10/01 16:03:14 | 001,858,144 | ---- | M] (Emsi Software GmbH) -- C:\Program Files\a-squared Free\a2service.exe
PRC - [2009/09/28 11:48:08 | 000,264,040 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft LifeChat\LifeChat.exe
PRC - [2009/06/16 10:27:34 | 000,211,488 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvvsvc.exe
PRC - [2009/06/12 08:34:48 | 000,241,664 | ---- | M] () -- C:\Program Files\T-Mobile Internet Manager\AssistantServices.exe
PRC - [2009/06/12 08:34:10 | 000,132,608 | ---- | M] () -- C:\Program Files\T-Mobile Internet Manager\UIExec.exe
PRC - [2009/04/28 02:06:11 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/02/16 00:10:22 | 002,402,184 | ---- | M] (Check Point Software Technologies LTD) -- C:\Windows\System32\ZoneLabs\vsmon.exe
PRC - [2009/02/16 00:10:22 | 000,981,384 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
PRC - [2008/05/07 14:28:32 | 000,591,696 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Epson Software\Event Manager\EEventManager.exe
PRC - [2008/03/04 05:05:24 | 000,036,864 | ---- | M] (Creative Technology Ltd.) -- C:\Windows\OEM02Mon.exe
PRC - [2008/01/25 05:42:18 | 000,040,960 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\hidfind.exe
PRC - [2008/01/25 05:42:14 | 000,167,936 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\Apoint.exe
PRC - [2008/01/25 05:42:14 | 000,050,736 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApMsgFwd.exe
PRC - [2008/01/25 05:42:14 | 000,049,152 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApntEx.exe
PRC - [2008/01/21 02:25:33 | 000,202,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnscfg.exe
PRC - [2008/01/21 02:23:52 | 000,037,888 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wbem\unsecapp.exe
PRC - [2008/01/21 02:23:32 | 001,008,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2007/12/17 13:00:00 | 000,143,872 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\ProgramData\EPSON\EPW!3 SSRP\E_S40ST7.EXE
PRC - [2007/12/03 04:28:06 | 000,405,504 | ---- | M] (IDT, Inc.) -- C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
PRC - [2007/12/03 04:27:54 | 000,073,728 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\AEstSrv.exe
PRC - [2007/07/25 15:41:42 | 000,647,168 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
PRC - [2007/07/25 15:22:44 | 000,327,680 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
PRC - [2007/04/16 22:05:52 | 000,021,504 | ---- | M] (UPEK Inc.) -- C:\Program Files\Fingerprint Reader Suite\upeksvr.exe
PRC - [2007/03/21 12:00:04 | 000,355,096 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2007/03/21 12:00:00 | 000,174,872 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2007/01/11 13:02:00 | 000,113,664 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE
PRC - [2006/12/19 17:23:20 | 000,094,208 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe


[color=#E56717]========== Modules (SafeList) ==========[/color]

MOD - [2010/02/17 01:48:35 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Users\Sue\Desktop\OTL.exe
MOD - [2008/01/21 02:23:44 | 001,684,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll


[color=#E56717]========== Win32 Services (SafeList) ==========[/color]

SRV - File not found [Auto | Stopped] -- -- (RoxLiveShare9)
SRV - [2009/12/17 16:37:52 | 000,067,360 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus(R)
SRV - [2009/12/09 01:12:00 | 001,028,432 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009/10/01 16:03:14 | 001,858,144 | ---- | M] (Emsi Software GmbH) [Auto | Running] -- C:\Program Files\a-squared Free\a2service.exe -- (a2free)
SRV - [2009/06/16 10:27:34 | 000,211,488 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Windows\System32\nvvsvc.exe -- (nvsvc)
SRV - [2009/06/12 08:34:48 | 000,241,664 | ---- | M] () [Auto | Running] -- C:\Program Files\T-Mobile Internet Manager\AssistantServices.exe -- (UI Assistant Service)
SRV - [2009/02/16 00:10:22 | 002,402,184 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\Windows\System32\ZoneLabs\vsmon.exe -- (vsmon)
SRV - [2008/11/04 00:06:28 | 000,441,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2008/10/25 10:44:08 | 000,065,888 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service)
SRV - [2008/01/21 02:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/12/17 13:00:00 | 000,143,872 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\ProgramData\EPSON\EPW!3 SSRP\E_S40ST7.EXE -- (EPSON_EB_RPCV4_01) EPSON V5 Service4(01)
SRV - [2007/12/03 04:27:54 | 000,073,728 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\AEstSrv.exe -- (AESTFilters)
SRV - [2007/07/25 15:41:42 | 000,647,168 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng) Intel(R)
SRV - [2007/07/25 15:22:44 | 000,327,680 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc) Intel(R)
SRV - [2007/07/11 08:33:28 | 000,069,632 | R--- | M] (MicroVision Development, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- (stllssvr)
SRV - [2007/03/21 12:00:04 | 000,355,096 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel(R)
SRV - [2007/03/19 11:44:44 | 000,070,656 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)
SRV - [2007/01/11 13:02:00 | 000,113,664 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE -- (EPSON_PM_RPCV4_01) EPSON V3 Service4(01)
SRV - [2006/12/19 17:23:20 | 000,094,208 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe -- (EpsonBidirectionalService)
SRV - [2006/11/02 12:35:29 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\ehome\ehstart.dll -- (ehstart)
SRV - [2006/10/26 13:03:08 | 000,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2004/10/22 02:24:18 | 000,073,728 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)


#20
February 16, 2010 at 18:31:31
DRV - [2010/01/05 07:56:06 | 000,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2010/01/05 07:56:04 | 000,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2010/01/05 07:56:02 | 000,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2009/12/09 01:12:22 | 000,064,160 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\Windows\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2009/10/01 23:41:44 | 000,032,768 | ---- | M] (AnchorFree Inc) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\taphss.sys -- (taphss)
DRV - [2009/06/30 09:37:16 | 000,028,552 | ---- | M] (Panda Security, S.L.) [File_System | Boot | Running] -- C:\Windows\system32\drivers\pavboot.sys -- (pavboot)
DRV - [2009/06/16 14:59:00 | 009,768,640 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2009/05/07 15:53:40 | 000,018,816 | ---- | M] (Bytemobile, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\tcpipBM.sys -- (tcpipBM)
DRV - [2009/05/07 15:47:14 | 000,105,344 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ZTEusbnmea.sys -- (ZTEusbnmea)
DRV - [2009/05/07 15:47:14 | 000,104,960 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ZTEusbmdm6k.sys -- (ZTEusbmdm6k)
DRV - [2009/05/07 15:47:12 | 000,104,960 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ZTEusbser6k.sys -- (ZTEusbser6k)
DRV - [2009/05/07 15:47:12 | 000,009,728 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\massfilter.sys -- (massfilter)
DRV - [2009/04/28 01:49:19 | 000,073,088 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2009/02/16 00:11:48 | 000,293,528 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\Windows\System32\drivers\vsdatant.sys -- (Vsdatant)
DRV - [2008/10/23 05:45:58 | 000,038,400 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2008/10/23 05:45:56 | 000,046,592 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2008/10/23 05:45:54 | 000,043,008 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2008/03/04 05:05:34 | 000,007,424 | ---- | M] (EyePower Games Pte. Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OEM02Vfx.sys -- (OEM02Vfx)
DRV - [2008/03/04 05:05:18 | 000,235,648 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OEM02Dev.sys -- (OEM02Dev)
DRV - [2008/01/25 05:42:14 | 000,164,400 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2008/01/21 02:24:49 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rootmdm.sys -- (ROOTMODEM)
DRV - [2008/01/21 02:23:27 | 000,386,616 | ---- | M] (LSI Corporation, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasr.sys -- (MegaSR)
DRV - [2008/01/21 02:23:27 | 000,149,560 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2008/01/21 02:23:27 | 000,031,288 | ---- | M] (LSI Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2008/01/21 02:23:26 | 000,101,432 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2008/01/21 02:23:26 | 000,074,808 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2008/01/21 02:23:26 | 000,040,504 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2008/01/21 02:23:25 | 000,300,600 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2008/01/21 02:23:25 | 000,220,672 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel(R)
DRV - [2008/01/21 02:23:25 | 000,089,656 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2008/01/21 02:23:24 | 001,122,360 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2008/01/21 02:23:24 | 000,118,784 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel(R)
DRV - [2008/01/21 02:23:24 | 000,079,928 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2008/01/21 02:23:23 | 000,235,064 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2008/01/21 02:23:23 | 000,130,616 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2008/01/21 02:23:23 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2008/01/21 02:23:23 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2008/01/21 02:23:23 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2008/01/21 02:23:23 | 000,079,416 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2008/01/21 02:23:22 | 000,342,584 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2008/01/21 02:23:21 | 000,422,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2008/01/21 02:23:21 | 000,102,968 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2008/01/21 02:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2008/01/21 02:23:20 | 000,238,648 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2008/01/21 02:23:00 | 000,020,024 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2008/01/21 02:23:00 | 000,019,000 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2008/01/21 02:23:00 | 000,017,464 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2007/12/06 08:51:00 | 000,298,496 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\yk60x86.sys -- (yukonwlh)
DRV - [2007/12/03 04:28:08 | 000,330,240 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2007/09/26 07:12:00 | 002,251,776 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw4v32.sys -- (NETw4v32) Intel(R)
DRV - [2007/09/07 09:27:32 | 000,209,408 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ianvstor.sys -- (iaNvStor) Intel(R)
DRV - [2007/09/07 09:22:34 | 000,304,920 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\iastor.sys -- (iaStor)
DRV - [2007/07/26 02:00:00 | 000,043,872 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2007/04/16 21:44:34 | 000,046,992 | ---- | M] (UPEK Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tcusb.sys -- (TcUsb)
DRV - [2007/02/25 11:10:48 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\dsunidrv.sys -- (dsunidrv)
DRV - [2007/01/18 09:24:58 | 000,026,496 | ---- | M] (Research in Motion Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\RimSerial.sys -- (RimVSerPort)
DRV - [2006/11/07 01:37:16 | 000,078,128 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\btwaudio.sys -- (btwaudio)
DRV - [2006/11/06 23:13:52 | 000,016,560 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\btwrchid.sys -- (btwrchid)
DRV - [2006/11/06 23:13:50 | 000,080,176 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\btwavdt.sys -- (btwavdt)
DRV - [2006/11/02 09:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 09:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 09:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 09:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 09:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 09:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 09:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 09:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 09:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 09:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 09:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 08:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 08:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 08:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 08:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 08:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 08:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 07:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/11/02 07:36:43 | 002,028,032 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
DRV - [2006/11/02 06:37:21 | 000,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\secdrv.sys -- (secdrv)
DRV - [2006/10/05 16:07:28 | 000,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)


[color=#E56717]========== Standard Registry (SafeList) ==========[/color]


[color=#E56717]========== Internet Explorer ==========[/color]

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.co.uk/?src=www.aol.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

[color=#E56717]========== FireFox ==========[/color]

FF - prefs.js..browser.startup.homepage: "http://www.aol.co.uk/?src=www.aol.com"

FF - HKLM\software\mozilla\Firefox\Extensions\\ff-bmboc@bytemobile.com: C:\Program Files\T-Mobile Internet Manager\addon [2009/08/10 11:07:06 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/06 15:39:14 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/16 12:03:29 | 000,000,000 | ---D | M]

[2009/06/02 08:18:37 | 000,000,000 | ---D | M] -- C:\Users\Sue\AppData\Roaming\Mozilla\Extensions
[2010/02/17 00:55:16 | 000,000,000 | ---D | M] -- C:\Users\Sue\AppData\Roaming\Mozilla\Firefox\Profiles\0pbxbd2g.default\extensions
[2010/01/20 00:13:43 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus(R))) -- C:\Users\Sue\AppData\Roaming\Mozilla\Firefox\Profiles\0pbxbd2g.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2010/02/16 12:03:31 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/03/18 14:03:40 | 000,214,272 | ---- | M] (Midasplayer Ltd) -- C:\Program Files\Mozilla Firefox\plugins\npmidas.dll
[2010/01/10 14:51:56 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/01/10 14:51:56 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/01/10 14:51:56 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/01/10 14:51:56 | 000,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2010/02/12 22:00:49 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Easy Photo Print) - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll (SEIKO EPSON CORPORATION / CyCom Technology Corp.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Easy Photo Print) - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll (SEIKO EPSON CORPORATION / CyCom Technology Corp.)
O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [EEventManager] C:\Program Files\Epson Software\Event Manager\EEventManager.exe (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [LifeChat] C:\Program Files\Microsoft LifeChat\LifeChat.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NVHotkey] C:\Windows\System32\nvHotkey.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe (IDT, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [UIExec] C:\Program Files\T-Mobile Internet Manager\UIExec.exe ()
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} http://support.euro.dell.com/system... (WMI Class)
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} https://moneymanager.egg.com/Pinsafe/accounttracking.cab (Egg Money Manager Digital Safe)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/ji... (Java Plug-in 1.6.0_18)
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} http://acs.pandasoftware.com/active... (ActiveScan 2.0 Installer Class)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/ji... (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/ji... (Java Plug-in 1.6.0_18)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (vrlogon.dll) - C:\Windows\System32\vrlogon.dll (UPEK Inc.)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\psfus: DllName - C:\Windows\system32\psqlpwd.dll - C:\Windows\System32\psqlpwd.dll (UPEK Inc.)
O24 - Desktop WallPaper: C:\Users\Sue\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Sue\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 21:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2009/04/30 02:57:32 | 000,054,544 | R--- | M] (Electronic Arts) - E:\Autorun.exe -- [ UDF ]
O32 - AutoRun File - [2008/10/21 23:48:37 | 000,000,045 | R--- | M] () - E:\Autorun.inf -- [ UDF ]
O33 - MountPoints2\{17c64970-4f6a-11de-9fa7-001e4ce887be}\Shell\AutoRun\command - "" = F:\setupSNK.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2008/01/21 02:34:27 | 000,000,000 | ---D | M]
NetSvcs: Irmon - C:\Windows\System32\irmon.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found
OTL cannot create restorepoints on Vista OSs!


#21
February 16, 2010 at 18:40:42
[2010/02/17 01:48:31 | 000,549,376 | ---- | C] (OldTimer Tools) -- C:\Users\Sue\Desktop\OTL.exe
[2010/02/17 01:29:47 | 000,000,000 | ---D | C] -- C:\Users\Sue\Pavark
[2010/02/17 00:56:54 | 000,175,880 | ---- | C] (Kaspersky Lab) -- C:\Users\Sue\Desktop\TDSSKiller.exe
[2010/02/16 19:21:54 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2010/02/16 12:03:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2010/02/16 12:03:43 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/02/16 12:03:29 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2010/02/16 12:03:29 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2010/02/16 12:03:29 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2010/02/16 12:03:16 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010/02/16 11:56:47 | 016,254,752 | ---- | C] (Sun Microsystems, Inc.) -- C:\Users\Sue\Desktop\jre-6u18-windows-i586.exe
[2010/02/13 12:20:15 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/02/12 22:59:45 | 000,000,000 | ---D | C] -- C:\Program Files\TrendMicro
[2010/02/12 22:51:09 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2010/02/12 22:43:46 | 000,000,000 | ---D | C] -- C:\Program Files\Trojan Remover
[2010/02/12 22:42:04 | 000,000,000 | ---D | C] -- C:\Users\Sue\Documents\Simply Super Software
[2010/02/12 22:42:03 | 000,069,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ztvcabinet.dll
[2010/02/12 22:42:01 | 000,000,000 | ---D | C] -- C:\Users\Sue\AppData\Roaming\Simply Super Software
[2010/02/12 22:42:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Simply Super Software
[2010/02/12 22:23:51 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2010/02/12 22:23:51 | 000,000,000 | ---D | C] -- C:\Users\Sue\AppData\Local\temp
[2010/02/12 22:23:22 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2010/02/12 22:16:13 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/02/12 21:51:04 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/02/12 21:51:04 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/02/12 21:51:04 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/02/12 21:05:19 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/02/12 21:04:34 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/02/12 20:58:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2010/02/12 20:58:39 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/02/12 20:04:29 | 000,028,552 | ---- | C] (Panda Security, S.L.) -- C:\Windows\System32\drivers\pavboot.sys
[2010/02/12 20:04:22 | 000,000,000 | ---D | C] -- C:\Program Files\Panda Security
[2010/02/12 19:45:50 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2010/02/12 19:45:28 | 000,000,000 | ---D | C] -- C:\Users\Sue\AppData\Roaming\SUPERAntiSpyware.com
[2010/02/12 19:45:28 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/02/12 19:45:13 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/02/12 19:40:09 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared
[2010/02/12 19:31:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Symantec
[2010/02/12 19:31:18 | 000,000,000 | ---D | C] -- C:\Windows\System32\drivers\NSS
[2010/02/12 19:31:18 | 000,000,000 | ---D | C] -- C:\Program Files\Norton Security Scan
[2010/02/12 19:31:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Norton
[2010/02/12 19:31:18 | 000,000,000 | ---D | C] -- C:\Windows\System32\drivers\NSS\0207000.034
[2010/02/12 19:31:06 | 000,000,000 | ---D | C] -- C:\ProgramData\NortonInstaller
[2010/02/12 19:31:06 | 000,000,000 | ---D | C] -- C:\Program Files\NortonInstaller
[2010/02/12 17:15:18 | 000,000,000 | ---D | C] -- C:\Users\Sue\DoctorWeb
[2010/02/12 16:55:02 | 000,000,000 | ---D | C] -- C:\ProgramData\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
[2010/02/12 16:11:23 | 000,000,000 | ---D | C] -- C:\Users\Sue\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2010/02/12 16:06:13 | 000,000,000 | ---D | C] -- C:\Users\Sue\Documents\a-squared Free
[2010/02/12 16:06:13 | 000,000,000 | ---D | C] -- C:\Program Files\a-squared Free
[2010/02/12 16:05:02 | 000,000,000 | ---D | C] -- C:\Program Files\Exterminate It!
[2010/02/12 15:51:56 | 000,000,000 | -HSD | C] -- C:\ProgramData\SAPBDV
[2010/02/12 15:51:14 | 000,000,000 | -HSD | C] -- C:\ProgramData\72362ab
[2010/02/06 15:53:28 | 000,000,000 | ---D | C] -- C:\Users\Sue\AppData\Roaming\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
[2010/02/06 14:52:37 | 000,000,000 | ---D | C] -- C:\Windows\System32\Adobe
[2010/02/04 11:28:48 | 000,000,000 | ---D | C] -- C:\Users\Sue\AppData\Roaming\Sun
[2010/02/03 16:11:53 | 000,000,000 | ---D | C] -- C:\Users\Sue\Documents\Downloads
[2010/01/24 02:12:09 | 000,156,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\t2embed.dll
[2010/01/24 02:12:09 | 000,072,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\fontsub.dll
[2010/01/18 22:00:26 | 000,000,000 | ---D | C] -- C:\Users\Sue\Documents\RTF5
[2010/01/18 22:00:26 | 000,000,000 | ---D | C] -- C:\Users\Sue\Documents\Logs
[2010/01/18 22:00:26 | 000,000,000 | ---D | C] -- C:\Users\Sue\Documents\Images
[2010/01/18 22:00:26 | 000,000,000 | ---D | C] -- C:\Users\Sue\Documents\Export
[2010/01/18 22:00:26 | 000,000,000 | ---D | C] -- C:\Users\Sue\Documents\Autobackups
[2010/01/18 21:53:36 | 000,000,000 | ---D | C] -- C:\Users\Sue\AppData\Roaming\Spacejock Software
[2010/01/18 21:51:35 | 000,000,000 | ---D | C] -- C:\Users\Sue\Documents\yWriter5 Sample
[2010/01/18 21:51:34 | 000,000,000 | ---D | C] -- C:\Program Files\yWriter5

[color=#E56717]========== Files - Modified Within 30 Days ==========[/color]

[2010/02/17 01:52:33 | 002,359,296 | -HS- | M] () -- C:\Users\Sue\NTUSER.DAT
[2010/02/17 01:48:35 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Users\Sue\Desktop\OTL.exe
[2010/02/17 01:39:55 | 000,690,960 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/02/17 01:39:55 | 000,600,378 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/02/17 01:39:55 | 000,105,852 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/02/17 01:35:05 | 000,064,705 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2010/02/17 01:34:56 | 000,064,705 | ---- | M] () -- C:\ProgramData\nvModes.001
[2010/02/17 01:34:55 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/02/17 01:34:54 | 000,350,192 | -H-- | M] () -- C:\Windows\System32\drivers\vsconfig.xml
[2010/02/17 01:34:54 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/02/17 01:34:54 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/02/17 01:34:50 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/02/17 01:34:47 | 2145,452,032 | -HS- | M] () -- C:\hiberfil.sys
[2010/02/17 01:33:11 | 006,291,456 | -H-- | M] () -- C:\Users\Sue\AppData\Local\IconCache.db
[2010/02/17 01:33:11 | 000,524,288 | -HS- | M] () -- C:\Users\Sue\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
[2010/02/17 01:33:11 | 000,065,536 | -HS- | M] () -- C:\Users\Sue\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2010/02/17 01:32:51 | 000,423,736 | ---- | M] () -- C:\Users\Sue\Desktop\avgarkt-setup-1.1.0.42.exe
[2010/02/17 01:07:15 | 000,000,472 | ---- | M] () -- C:\Windows\tasks\Ad-Aware Update (Weekly).job
[2010/02/17 00:56:24 | 000,153,078 | ---- | M] () -- C:\Users\Sue\Desktop\tdsskiller.zip
[2010/02/16 19:21:54 | 289,033,745 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/02/16 12:06:15 | 000,284,915 | ---- | M] () -- C:\Users\Sue\Desktop\gmer.zip
[2010/02/16 12:03:17 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\deploytk.dll
[2010/02/16 12:03:17 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2010/02/16 12:03:17 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2010/02/16 12:03:17 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2010/02/16 11:57:55 | 016,254,752 | ---- | M] (Sun Microsystems, Inc.) -- C:\Users\Sue\Desktop\jre-6u18-windows-i586.exe
[2010/02/15 19:39:02 | 000,175,880 | ---- | M] (Kaspersky Lab) -- C:\Users\Sue\Desktop\TDSSKiller.exe
[2010/02/15 17:45:27 | 000,524,288 | ---- | M] () -- C:\Users\Sue\Desktop\dds.scr
[2010/02/13 12:23:54 | 000,000,820 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/13 12:20:15 | 000,001,876 | ---- | M] () -- C:\Users\Sue\Desktop\HiJackThis.lnk
[2010/02/12 22:50:44 | 000,000,908 | ---- | M] () -- C:\Users\Public\Desktop\Trojan Remover.lnk
[2010/02/12 22:22:00 | 000,000,215 | ---- | M] () -- C:\Windows\system.ini
[2010/02/12 22:16:05 | 003,857,112 | R--- | M] () -- C:\Users\Sue\Desktop\ComboFix.exe
[2010/02/12 22:00:49 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/02/12 22:00:32 | 000,000,470 | ---- | M] () -- C:\Windows\tasks\Norton Security Scan for Sue.job
[2010/02/12 20:58:43 | 000,001,057 | ---- | M] () -- C:\Users\Sue\Desktop\Spybot - Search & Destroy.lnk
[2010/02/12 19:45:28 | 000,000,904 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/02/12 19:31:20 | 000,001,139 | ---- | M] () -- C:\Users\Public\Desktop\Norton Security Scan.lnk
[2010/02/12 19:31:18 | 000,000,172 | ---- | M] () -- C:\Windows\System32\drivers\NSS\0207000.034\isolate.ini
[2010/02/12 19:07:04 | 000,376,056 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/02/12 18:50:59 | 000,000,680 | ---- | M] () -- C:\Users\Sue\AppData\Local\d3d9caps.dat
[2010/02/12 17:01:21 | 000,010,651 | ---- | M] () -- C:\Users\Sue\Documents\Download Ransomlock Key Generator Tool From Symantec at tinyurl.docx
[2010/02/12 16:06:27 | 000,000,772 | ---- | M] () -- C:\Users\Public\Desktop\a-squared Free.lnk
[2010/02/12 16:05:02 | 000,000,880 | ---- | M] () -- C:\Users\Public\Desktop\Exterminate It!.lnk

[2010/02/10 15:40:52 | 000,013,568 | ---- | M] () -- C:\Users\Sue\Desktop\A User.docx
[2010/02/06 15:53:20 | 000,000,931 | ---- | M] () -- C:\Users\Sue\Desktop\TweetDeck - Shortcut.lnk
[2010/02/06 15:52:15 | 000,000,000 | ---- | M] () -- C:\Windows\EEventManager.INI
[2010/02/06 15:48:18 | 000,000,839 | ---- | M] () -- C:\Users\Public\Desktop\TweetDeck.lnk
[2010/02/06 15:39:15 | 000,000,000 | ---- | M] () -- C:\Windows\nsreg.dat
[2010/02/03 13:21:13 | 000,063,488 | ---- | M] () -- C:\Users\Sue\Desktop\Registration_form.doc
[2010/01/19 22:05:56 | 000,009,903 | ---- | M] () -- C:\Users\Sue\Desktop\peter wykman.docx
[2010/01/18 22:11:35 | 000,003,284 | ---- | M] () -- C:\Users\Sue\Documents\To Be decided.yw5
[2010/01/18 22:00:26 | 000,003,284 | ---- | M] () -- C:\Users\Sue\Documents\To Be decided.yw5.bak
[2010/01/18 21:51:35 | 000,000,806 | ---- | M] () -- C:\Users\Sue\Desktop\yWriter5.lnk

[color=#E56717]========== Files Created - No Company Name ==========[/color]

[2010/02/17 01:32:50 | 000,423,736 | ---- | C] () -- C:\Users\Sue\Desktop\avgarkt-setup-1.1.0.42.exe
[2010/02/17 00:56:19 | 000,153,078 | ---- | C] () -- C:\Users\Sue\Desktop\tdsskiller.zip
[2010/02/16 19:21:27 | 289,033,745 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010/02/16 12:06:14 | 000,284,915 | ---- | C] () -- C:\Users\Sue\Desktop\gmer.zip
[2010/02/15 17:45:26 | 000,524,288 | ---- | C] () -- C:\Users\Sue\Desktop\dds.scr
[2010/02/13 12:23:54 | 000,000,820 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/12 22:59:45 | 000,001,876 | ---- | C] () -- C:\Users\Sue\Desktop\HiJackThis.lnk
[2010/02/12 22:43:49 | 000,000,908 | ---- | C] () -- C:\Users\Public\Desktop\Trojan Remover.lnk
[2010/02/12 22:42:03 | 000,162,304 | ---- | C] () -- C:\Windows\System32\ztvunrar36.dll
[2010/02/12 22:42:03 | 000,153,088 | ---- | C] () -- C:\Windows\System32\unrar3.dll
[2010/02/12 22:42:03 | 000,077,312 | ---- | C] () -- C:\Windows\System32\ztvunace26.dll
[2010/02/12 22:42:03 | 000,075,264 | ---- | C] () -- C:\Windows\System32\unacev2.dll
[2010/02/12 21:51:04 | 000,261,632 | ---- | C] () -- C:\Windows\PEV.exe
[2010/02/12 21:51:04 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/02/12 21:51:04 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/02/12 21:51:04 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010/02/12 21:51:04 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/02/12 21:03:39 | 003,857,112 | R--- | C] () -- C:\Users\Sue\Desktop\ComboFix.exe
[2010/02/12 20:58:43 | 000,001,057 | ---- | C] () -- C:\Users\Sue\Desktop\Spybot - Search & Destroy.lnk
[2010/02/12 19:45:28 | 000,000,904 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/02/12 19:31:23 | 000,000,470 | ---- | C] () -- C:\Windows\tasks\Norton Security Scan for Sue.job
[2010/02/12 19:31:20 | 000,001,139 | ---- | C] () -- C:\Users\Public\Desktop\Norton Security Scan.lnk
[2010/02/12 19:31:18 | 000,000,172 | ---- | C] () -- C:\Windows\System32\drivers\NSS\0207000.034\isolate.ini
[2010/02/12 19:06:47 | 2145,452,032 | -HS- | C] () -- C:\hiberfil.sys
[2010/02/12 17:06:31 | 000,000,680 | ---- | C] () -- C:\Users\Sue\AppData\Local\d3d9caps.dat
[2010/02/12 17:01:21 | 000,010,651 | ---- | C] () -- C:\Users\Sue\Documents\Download Ransomlock Key Generator Tool From Symantec at tinyurl.docx
[2010/02/12 16:06:27 | 000,000,772 | ---- | C] () -- C:\Users\Public\Desktop\a-squared Free.lnk
[2010/02/12 16:05:02 | 000,000,880 | ---- | C] () -- C:\Users\Public\Desktop\Exterminate It!.lnk
[2010/02/06 15:53:20 | 000,000,931 | ---- | C] () -- C:\Users\Sue\Desktop\TweetDeck - Shortcut.lnk
[2010/02/06 15:52:15 | 000,000,000 | ---- | C] () -- C:\Windows\EEventManager.INI
[2010/02/06 15:48:18 | 000,000,839 | ---- | C] () -- C:\Users\Public\Desktop\TweetDeck.lnk
[2010/02/06 15:39:15 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2010/02/03 13:21:12 | 000,063,488 | ---- | C] () -- C:\Users\Sue\Desktop\Registration_form.doc
[2010/01/19 22:05:56 | 000,009,903 | ---- | C] () -- C:\Users\Sue\Desktop\peter wykman.docx
[2010/01/18 22:11:35 | 000,003,284 | ---- | C] () -- C:\Users\Sue\Documents\To Be decided.yw5.bak
[2010/01/18 22:00:26 | 000,003,284 | ---- | C] () -- C:\Users\Sue\Documents\To Be decided.yw5
[2010/01/18 21:51:35 | 000,000,806 | ---- | C] () -- C:\Users\Sue\Desktop\yWriter5.lnk
[2009/10/21 15:47:11 | 000,002,528 | ---- | C] () -- C:\Windows\FCIC.INI
[2009/10/17 11:47:29 | 000,000,097 | ---- | C] () -- C:\Windows\System32\PICSDK.ini
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/06/03 19:42:42 | 000,000,000 | ---- | C] () -- C:\Users\Sue\AppData\Roaming\wklnhst.dat
[2009/06/02 13:25:44 | 000,064,705 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2009/06/02 13:25:44 | 000,064,705 | ---- | C] () -- C:\ProgramData\nvModes.001
[2009/06/02 11:57:00 | 000,028,160 | ---- | C] () -- C:\Users\Sue\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/04/28 02:11:47 | 000,167,936 | ---- | C] () -- C:\Windows\System32\nvccoin.dll
[2007/07/25 15:40:02 | 000,999,424 | ---- | C] () -- C:\Windows\System32\WLIHVUI.dll
[2006/11/03 16:25:56 | 000,389,120 | ---- | C] () -- C:\Windows\System32\btwhidcs.dll
[2006/11/02 12:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 10:25:44 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2006/11/02 07:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2001/11/14 11:56:00 | 001,802,240 | ---- | C] () -- C:\Windows\System32\lcppn21.dll

[color=#E56717]========== Custom Scans ==========[/color]


[color=#A23BEC]< %SYSTEMDRIVE%\*.exe >[/color]


[color=#A23BEC]< MD5 for: AGP440.SYS >[/color]
[2008/01/21 02:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\ERDNT\cache\AGP440.sys
[2008/01/21 02:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\drivers\AGP440.sys
[2008/01/21 02:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys
[2008/01/21 02:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys
[2008/01/21 02:23:01 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_bbfe6647bbd2a4c6\AGP440.sys
[2006/11/02 09:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys

[color=#A23BEC]< MD5 for: ATAPI.SYS >[/color]
[2009/04/28 01:48:55 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=0D83C87A801A3DFCD1BF73893FE7518C -- C:\Windows\ERDNT\cache\atapi.sys
[2009/04/28 01:48:55 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=0D83C87A801A3DFCD1BF73893FE7518C -- C:\Windows\System32\drivers\atapi.sys
[2009/04/28 01:48:55 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=0D83C87A801A3DFCD1BF73893FE7518C -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_4c9c5a00\atapi.sys
[2009/04/28 01:48:55 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=0D83C87A801A3DFCD1BF73893FE7518C -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18034_none_dd1bb97e219e87cb\atapi.sys
[2009/04/11 06:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\SoftwareDistribution\Download\cde11068f5b77b180111333ef9781925\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
[2008/01/21 02:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2008/01/21 02:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[2006/11/02 09:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys
[2009/04/28 01:48:55 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=96DC4E1A9F90CCD489950A8935425C59 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.22134_none_dda556493abc2795\atapi.sys

[color=#A23BEC]< MD5 for: CNGAUDIT.DLL >[/color]
[2006/11/02 09:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\ERDNT\cache\cngaudit.dll
[2006/11/02 09:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\System32\cngaudit.dll
[2006/11/02 09:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

[color=#A23BEC]< MD5 for: EVENTLOG.DLL >[/color]
[2007/04/16 22:06:36 | 000,033,280 | ---- | M] (UPEK Inc.) MD5=E2D8E32A93945F3FCE220D0F71FDFB27 -- C:\Program Files\Fingerprint Reader Suite\eventlog.dll

[color=#A23BEC]< MD5 for: IASTOR.SYS >[/color]
[2007/09/07 09:27:28 | 000,277,784 | ---- | M] (Intel Corporation) MD5=5DF93509037399B53D3ECAA8A67B6C58 -- C:\Drivers\storage\R166201\iaStor.sys
[2007/09/07 09:27:28 | 000,277,784 | ---- | M] (Intel Corporation) MD5=5DF93509037399B53D3ECAA8A67B6C58 -- C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_b92fa6ec\iaStor.sys
[2007/09/07 09:27:28 | 000,277,784 | ---- | M] (Intel Corporation) MD5=5DF93509037399B53D3ECAA8A67B6C58 -- C:\Windows\System32\DriverStore\FileRepository\iastor.inf_9af7e4ab\iaStor.sys
[2007/09/07 09:22:34 | 000,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\Drivers\storage\R166200\iastor.sys
[2007/03/21 11:58:56 | 000,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\IaStor.sys
[2007/09/07 09:22:34 | 000,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\Windows\System32\drivers\iaStor.sys
[2007/09/07 09:22:34 | 000,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_3a63e5a6\iaStor.sys
[2007/09/07 09:22:34 | 000,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\Windows\System32\DriverStore\FileRepository\iastor.inf_5f6e7be5\iaStor.sys
[2007/03/21 11:59:30 | 000,381,720 | ---- | M] (Intel Corporation) MD5=9D7ED4275702E2FC409F2CC563245740 -- C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys

[color=#A23BEC]< MD5 for: IASTORV.SYS >[/color]
[2008/01/21 02:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\drivers\iaStorV.sys
[2008/01/21 02:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_c9df7691\iaStorV.sys
[2008/01/21 02:23:23 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.0.6001.18000_none_af11527887c7fa8f\iaStorV.sys
[2006/11/02 09:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys

[color=#A23BEC]< MD5 for: NETLOGON.DLL >[/color]
[2009/04/11 06:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\SoftwareDistribution\Download\cde11068f5b77b180111333ef9781925\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3\netlogon.dll
[2008/01/21 02:24:05 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\ERDNT\cache\netlogon.dll
[2008/01/21 02:24:05 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\System32\netlogon.dll
[2008/01/21 02:24:05 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll

[color=#A23BEC]< MD5 for: NVSTOR.SYS >[/color]
[2006/11/02 09:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys
[2008/01/21 02:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\drivers\nvstor.sys
[2008/01/21 02:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvstor.sys
[2008/01/21 02:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys

[color=#A23BEC]< MD5 for: SCECLI.DLL >[/color]
[2008/01/21 02:24:50 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\ERDNT\cache\scecli.dll
[2008/01/21 02:24:50 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\System32\scecli.dll
[2008/01/21 02:24:50 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll
[2009/04/11 06:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\SoftwareDistribution\Download\cde11068f5b77b180111333ef9781925\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e\scecli.dll

[color=#A23BEC]< %systemroot%\*./mp /s >[/color]

[color=#E56717]========== Alternate Data Streams ==========[/color]

@Alternate Data Stream - 76 bytes -> C:\Users\Sue\Documents\Virus:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Sue\Documents\Open College:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Sue\Documents\EVENTS FEBRUARY 2006 print.doc:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\Sue\Desktop\OU:Roxio EMC Stream
< End of report >
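The "< MD5 for: ... >" custom scans in the OTL log above are the answer to "how would anyone know which system file was replaced": Vista keeps reference copies of every shipped driver in WinSxS and the DriverStore (and ComboFix keeps its own in ERDNT\cache), so the copy the kernel loads from System32\drivers can be hashed and compared against them. The script below is an added example, not OTL's code and not from any post in this thread. It parses the OTL lines, finds the live copy of each driver and reports whether its hash matches at least one reference copy. The ATAPI.SYS sample is copied verbatim from the log above; the second sample is a constructed variant with the live copy's hash replaced by a made-up value, to show what an in-place patch would look like (same size, same timestamp, different hash).

```python
"""Cross-check an OTL "< MD5 for: ... >" scan: does the driver copy the kernel
actually loads hash the same as the reference copies Windows keeps?
Added example for this thread; not OTL's code and not from the original post."""
import re

# One hash line of an OTL MD5 custom scan, e.g.
# [2009/04/28 01:48:55 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=0D83... -- C:\Windows\System32\drivers\atapi.sys
OTL_MD5_LINE = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| [^|]+ \| M\] "
    r"\((?P<company>[^)]*)\) MD5=(?P<md5>[0-9A-Fa-f]{32}) -- (?P<path>\S.*?)\s*$"
)
# Section header as OTL prints it (the [color] tags are OTL's own BBCode).
OTL_MD5_HEADER = re.compile(r"< MD5 for: (?P<name>[^>]+) >")

# Trailing backslashes matter: "...\drivers\" must not also match "...\DriverStore\...".
LIVE_DIR = "c:\\windows\\system32\\drivers\\"        # the copy the kernel loads at boot
REFERENCE_DIRS = (                                   # where trusted copies are kept
    "c:\\windows\\winsxs\\",                         # component store (servicing)
    "c:\\windows\\system32\\driverstore\\",          # staged driver packages
    "c:\\windows\\erdnt\\cache\\",                   # ComboFix's backup of the originals
)


def parse_otl_md5(text):
    """Yield (file name, [hash entries]) for every MD5 section in an OTL log."""
    name, entries = None, []
    for line in text.splitlines():
        h = OTL_MD5_HEADER.search(line)
        if h:
            if name is not None:
                yield name, entries
            name, entries = h.group("name").strip(), []
            continue
        m = OTL_MD5_LINE.match(line.strip())
        if m and name is not None:
            e = m.groupdict()
            e["size"] = int(e["size"].replace(",", ""))
            e["md5"] = e["md5"].upper()
            entries.append(e)
    if name is not None:
        yield name, entries


def _under(path, prefix):
    return path.lower().startswith(prefix)


def check_live_copy(entries):
    """Classify the live copy of one driver against its reference copies."""
    live = [e for e in entries if _under(e["path"], LIVE_DIR)]
    if len(live) != 1:
        return "no-live-copy", f"expected one copy under {LIVE_DIR}, found {len(live)}"
    live = live[0]
    refs = [e for e in entries if any(_under(e["path"], d) for d in REFERENCE_DIRS)]
    same = [e for e in refs if e["md5"] == live["md5"]]
    if same:
        return "consistent", f"live hash matches {len(same)} reference copies"
    # No reference copy carries this hash. If some reference copy has the same
    # size and timestamp anyway, the bytes changed while the metadata did not,
    # which is what a driver patched on disk looks like.
    lookalike = [e for e in refs if (e["size"], e["stamp"]) == (live["size"], live["stamp"])]
    if lookalike:
        return "suspect", f"same size/stamp as {len(lookalike)} reference copies, different hash"
    return "unmatched", "no reference copy shares this hash, size or stamp"


def report(text):
    """Run the check over every MD5 section; returns {file name: (verdict, why)}."""
    return {name: check_live_copy(entries) for name, entries in parse_otl_md5(text)}


# Sample input: the ATAPI.SYS section copied verbatim from the OTL log above.
ATAPI_SECTION = r"""
[color=#A23BEC]< MD5 for: ATAPI.SYS >[/color]
[2009/04/28 01:48:55 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=0D83C87A801A3DFCD1BF73893FE7518C -- C:\Windows\ERDNT\cache\atapi.sys
[2009/04/28 01:48:55 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=0D83C87A801A3DFCD1BF73893FE7518C -- C:\Windows\System32\drivers\atapi.sys
[2009/04/28 01:48:55 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=0D83C87A801A3DFCD1BF73893FE7518C -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_4c9c5a00\atapi.sys
[2009/04/28 01:48:55 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=0D83C87A801A3DFCD1BF73893FE7518C -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18034_none_dd1bb97e219e87cb\atapi.sys
[2009/04/11 06:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\SoftwareDistribution\Download\cde11068f5b77b180111333ef9781925\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
[2008/01/21 02:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2008/01/21 02:23:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[2006/11/02 09:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys
[2009/04/28 01:48:55 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=96DC4E1A9F90CCD489950A8935425C59 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.22134_none_dda556493abc2795\atapi.sys
"""

# Constructed variant: the live copy's hash replaced by a made-up value, standing
# in for a driver that was patched on disk. Not taken from the thread.
PATCHED_SECTION = ATAPI_SECTION.replace(
    r"MD5=0D83C87A801A3DFCD1BF73893FE7518C -- C:\Windows\System32\drivers\atapi.sys",
    r"MD5=DEADBEEF00000000000000000000C0DE -- C:\Windows\System32\drivers\atapi.sys",
)

if __name__ == "__main__":
    for label, text in (("from log", ATAPI_SECTION), ("constructed", PATCHED_SECTION)):
        for name, (verdict, why) in report(text).items():
            print(f"{label:11} {name}: {verdict} ({why})")
```

On the log above the live atapi.sys hashes the same as ComboFix's ERDNT backup, the DriverStore copy and the 6.0.6001.18034 WinSxS copy, so by this check it is consistent; the 6.0.6001.22134 WinSxS copy with the same size and timestamp but a different hash is a separate servicing branch, not evidence of tampering. The pending copy under SoftwareDistribution\Download is deliberately ignored because it is an update not yet installed. MD5 is fine for this "does the live file match a local reference copy" comparison, but it is not a signature check: a file that matches no reference copy still needs its Authenticode signature verified before it is called clean.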




#22
February 16, 2010 at 18:41:19
Just feel like I threw all my dirty washing in the street for all to see lol

So this SA7236.exe has replaced a system file? How would anyone ever know which one?
I was just browsing the internet. Don't even remember what I was looking at at the time... nothing mysterious or malicious. Hadn't just downloaded anything either. A box just popped out of nowhere... seemingly!
It immediately threw up what looked like the Windows Defender window... all looked very legit until I clicked on repair and it was asking for money!

The packageupdate_build 6 thing has gone (ComboFix). Got my Task Manager back after that.

Would System File Checker pick up something that's been changed? Lol... I'm of the mind it's a bit deeper than that. I am very worried all my passwords and private stuff are now very unsafe.



#23
February 16, 2010 at 19:11:32
I see only these folders that could be infected.

Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
DIRLOOK::
c:\programdata\SAPBDV
c:\programdata\72362ab

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop). If ComboFix does not auto-start, click "Run".

Please post the log that is produced.



#24
February 16, 2010 at 19:18:46
Sorry, but I can't see any X's or KILLALL or any of those words if you are talking about the OTL. Now I am confused. Sorry... I am very grateful for you helping me like this.
I will have to go very soon as it's 3.20am here, but I can get back online tomorrow afternoon. Thanks


#25
February 16, 2010 at 19:25:45
This is a script for ComboFix that will allow us to see the contents of the folders between the X's. Just copy everything between the X's in response #23. Open Notepad and paste it in; make sure the first word, "DIRLOOK::", is at the very top of the page.

Next go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop). If ComboFix does not auto-start, click "Run".



#26
February 16, 2010 at 19:38:43
Oh nooo! When I open Notepad I get this:
C:\Windows\System32\notepad.exe
Illegal operation attempted on a registry key that has been marked for deletion
Also getting the same when I try to open or manage my computer to look at the event log... can't open a lot of things... anything to do with administration or managing my PC

???



#27
February 16, 2010 at 19:55:39
Got notepad back by rebooting! Now trying to give you what you asked for.


#28
February 16, 2010 at 19:57:44
Sounds like Norton to me. Are you using it? If not, go to Add/Remove Programs and uninstall it.

If you are using it you will need to modify its settings.



#29
February 16, 2010 at 19:58:32
It's in my system but I don't use it... just downloaded it the other day to do a scan.


#30
February 16, 2010 at 20:08:51
If removing Norton or modifying it did not help, you may be able to run the System File Checker in Safe Mode and resolve it.

Open an elevated command prompt.

To do this, click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. If you are prompted for an administrator password or for a confirmation, type the password, or click Allow.

Type the following command, and then press ENTER:

sfc /scannow
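One caveat with the procedure above: the console summary from sfc /scannow only says whether corrupt files were found and whether they could be fixed; it never names them. The per-file detail is written to %windir%\Logs\CBS\CBS.log on lines tagged "[SR]", which Microsoft's documentation suggests pulling out with findstr /c:"[SR]". The script below is an added example, not part of this thread and not Microsoft tooling: it applies that same filter and reduces the [SR] lines to what was verified, what was repaired, and what SFC could not repair and why. The sample log lines are constructed in the shape of Microsoft's published CBS.log excerpts; the exact field layout of a real log is an assumption to check against your own file.

```python
"""Read the per-file outcome of `sfc /scannow` out of CBS.log.
Added example for this thread, not Microsoft's tooling. The sample lines are
constructed in the style of Microsoft's published CBS.log excerpts."""
import re
import sys

# SFC tags its own lines with "[SR]"; this is the same filter as Microsoft's
# documented  findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log
SR_LINE = re.compile(r"\[SR\] (?P<msg>.*?)\s*$")
# CSI writes names as [l:<bytes>{<chars>}]"name"; pick the quoted name out.
QUOTED_NAME = re.compile(r'\[l:\d+\{\d+\}\]"([^"]+)"')
# "Cannot repair member file ... in the store, <reason>"  (reason: hash mismatch, file is missing, ...)
CANNOT_REPAIR = re.compile(r"^Cannot repair member file .* in the store, (?P<reason>.+)$")
VERIFYING = re.compile(r"^Verifying (?P<n>\d+) \(")


def summarize(log_text):
    """Return what SFC verified, fixed, and could not fix, from CBS.log text."""
    result = {"verified": None, "repaired": [], "unrepaired": [], "complete": False}
    for line in log_text.splitlines():
        m = SR_LINE.search(line)
        if not m:
            continue                      # not an SFC line, ignore (CBS logs much more)
        msg = m.group("msg")
        names = QUOTED_NAME.findall(msg)
        v = VERIFYING.match(msg)
        if v:
            result["verified"] = int(v.group("n"))
        elif msg.startswith("Cannot repair member file"):
            cr = CANNOT_REPAIR.match(msg)
            reason = cr.group("reason") if cr else "unknown"
            result["unrepaired"].append((names[0] if names else "?", reason))
        elif msg.startswith(("Repairing corrupted file", "Repaired file")):
            result["repaired"].append(names[-1] if names else msg)
        elif msg == "Verify complete":
            result["complete"] = True     # a scan that was interrupted never logs this
    return result


# Constructed sample in the CBS.log style; not taken from the thread.
CBS_SAMPLE = r"""
2010-02-17 04:12:01, Info                  CSI    00000041 [SR] Verifying 100 (0x0000000000000064) components
2010-02-17 04:12:03, Info                  CSI    00000042 [SR] Beginning Verify and Repair transaction
2010-02-17 04:12:09, Info                  CSI    00000043 [SR] Cannot repair member file [l:34{17}]"Accessibility.dll" of Accessibility, Version = 6.0.6000.16386, pA = PROCESSOR_ARCHITECTURE_MSIL (8), Culture neutral, VersionScope neutral, PublicKeyToken = {l:8 b:b03f5f7f11d50a3a}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
2010-02-17 04:12:15, Info                  CSI    00000044 [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:16{8}]"calc.exe" from store
2010-02-17 04:12:20, Info                  CSI    00000045 [SR] Repair complete
2010-02-17 04:12:20, Info                  CSI    00000046 [SR] Verify complete
2010-02-17 04:12:21, Info                  CBS    Exec: Processing complete.  Not an SFC line.
"""


def main(argv):
    # Usage on a real machine (run as administrator, after the scan):
    #   python sfc_results.py C:\Windows\Logs\CBS\CBS.log
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as f:
            result = summarize(f.read())
    else:
        result = summarize(CBS_SAMPLE)
    print(f"verified: {result['verified']}  complete: {result['complete']}")
    for name in result["repaired"]:
        print(f"repaired:   {name}")
    for name, reason in result["unrepaired"]:
        print(f"UNREPAIRED: {name}  ({reason})")


if __name__ == "__main__":
    main(sys.argv)
```

Two things to read off the result: "complete" false means the scan was interrupted and the rest of the list is incomplete, and an "unrepaired" entry with reason "hash mismatch" is a file on disk that does not match the component store, which is exactly the case a rootkit that patches a driver in place would produce. SFC only compares against the local store, so if the store itself has been tampered with the scan can still report clean.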





#31
February 16, 2010 at 20:13:01
Here's the ComboFix log. It did flash up with something it couldn't do, but it wasn't there long enough for me to catch it! Have uninstalled Norton.


ComboFix 10-02-12.01 - Sue 17/02/2010 3:55.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2045.1298 [GMT 0:00]
Running from: c:\users\Sue\Desktop\ComboFix.exe
Command switches used :: c:\users\Sue\Desktop\CFScript.txt
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: ZoneAlarm Anti-Spyware *enabled* (Outdated) {F245A209-1085-48B4-B927-35D56015EC60}
.

((((((((((((((((((((((((( Files Created from 2010-01-17 to 2010-02-17 )))))))))))))))))))))))))))))))
.

2010-02-17 03:59 . 2010-02-17 03:59 -------- d-----w- c:\users\Sue\AppData\Local\temp
2010-02-17 03:59 . 2010-02-17 03:59 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-02-17 03:59 . 2010-02-17 03:59 -------- d-----w- c:\users\gamer\AppData\Local\temp
2010-02-17 03:59 . 2010-02-17 03:59 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-17 03:59 . 2010-02-17 03:59 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2010-02-17 01:29 . 2010-02-17 01:32 -------- d-----w- c:\users\Sue\Pavark
2010-02-16 12:03 . 2010-02-16 12:03 -------- d-----w- c:\program files\Common Files\Java
2010-02-16 12:03 . 2010-02-16 12:03 -------- d-----w- c:\program files\Java
2010-02-13 12:24 . 2010-02-13 12:24 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-02-13 12:23 . 2010-02-13 12:23 -------- d-----w- c:\users\Administrator\AppData\Roaming\Malwarebytes
2010-02-13 12:20 . 2010-02-13 12:20 -------- d-----w- c:\program files\Trend Micro
2010-02-12 22:59 . 2010-02-12 22:59 388096 ----a-r- c:\users\Sue\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-12 22:59 . 2010-02-12 22:59 -------- d-----w- c:\program files\TrendMicro
2010-02-12 22:43 . 2010-02-12 22:50 -------- d-----w- c:\program files\Trojan Remover
2010-02-12 22:42 . 2006-06-19 12:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-02-12 22:42 . 2006-05-25 14:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-02-12 22:42 . 2005-08-26 00:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-02-12 22:42 . 2003-02-02 19:06 153088 ----a-w- c:\windows\system32\unrar3.dll
2010-02-12 22:42 . 2002-03-06 00:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-02-12 22:42 . 2010-02-12 22:45 -------- d-----w- c:\users\Sue\AppData\Roaming\Simply Super Software
2010-02-12 22:42 . 2010-02-12 22:42 -------- d-----w- c:\programdata\Simply Super Software
2010-02-12 20:58 . 2010-02-12 21:28 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-02-12 20:58 . 2010-02-12 20:58 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-12 20:04 . 2009-06-30 09:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-02-12 20:04 . 2010-02-12 20:04 -------- d-----w- c:\program files\Panda Security
2010-02-12 19:46 . 2010-02-12 22:12 52224 ----a-w- c:\users\Sue\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-12 19:46 . 2010-02-12 22:12 117760 ----a-w- c:\users\Sue\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-12 19:45 . 2010-02-12 19:45 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-02-12 19:45 . 2010-02-12 19:45 -------- d-----w- c:\users\Sue\AppData\Roaming\SUPERAntiSpyware.com
2010-02-12 19:45 . 2010-02-12 19:45 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-12 19:45 . 2010-02-12 19:45 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-12 19:40 . 2010-02-12 19:40 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-12 19:39 . 2010-01-18 18:22 371248 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\20100212.003\eeCtrl.sys
2010-02-12 19:39 . 2010-01-18 18:22 2747440 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\20100212.003\cceraser.dll
2010-02-12 19:39 . 2010-01-18 18:22 259440 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\20100212.003\ecmsvr32.dll
2010-02-12 19:39 . 2010-01-18 18:22 177520 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\20100212.003\naveng32.dll
2010-02-12 19:39 . 2010-01-18 18:22 1647984 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\20100212.003\navex32a.dll
2010-02-12 19:39 . 2010-01-18 18:22 102448 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\20100212.003\ERASER.sys
2010-02-12 19:38 . 2010-01-18 18:22 84912 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\BinHub\naveng.sys
2010-02-12 19:38 . 2010-01-18 18:22 371248 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\BinHub\eeCtrl.sys
2010-02-12 19:38 . 2010-01-18 18:22 259440 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\BinHub\ecmsvr32.dll
2010-02-12 19:38 . 2010-01-18 18:22 177520 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\BinHub\naveng32.dll
2010-02-12 19:38 . 2010-01-18 18:22 1647984 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\BinHub\navex32a.dll
2010-02-12 19:38 . 2010-01-18 18:22 1323568 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\BinHub\navex15.sys
2010-02-12 19:38 . 2010-01-18 18:22 102448 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\BinHub\ERASER.sys
2010-02-12 19:38 . 2010-01-18 18:22 2747440 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\BinHub\cceraser.dll
2010-02-12 19:31 . 2010-02-12 19:38 -------- d-----w- c:\programdata\Symantec
2010-02-12 19:31 . 2010-02-12 19:31 -------- d-----w- c:\programdata\Norton
2010-02-12 19:31 . 2010-02-12 19:31 -------- d-----w- c:\windows\system32\drivers\NSS
2010-02-12 19:31 . 2010-02-12 19:31 -------- d-----w- c:\program files\Norton Security Scan
2010-02-12 19:31 . 2010-02-12 19:31 -------- d-----w- c:\program files\NortonInstaller
2010-02-12 19:31 . 2010-02-12 19:31 -------- d-----w- c:\programdata\NortonInstaller
2010-02-12 17:15 . 2010-02-12 17:15 -------- d-----w- c:\users\Sue\DoctorWeb
2010-02-12 17:06 . 2010-02-12 18:50 680 ----a-w- c:\users\Sue\AppData\Local\d3d9caps.dat
2010-02-12 16:55 . 2010-02-12 16:55 -------- dc----w- c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-02-12 16:11 . 2010-02-12 16:11 -------- d-----w- c:\users\Sue\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-02-12 16:06 . 2010-02-12 18:37 -------- d-----w- c:\program files\a-squared Free
2010-02-12 16:05 . 2010-02-12 16:11 -------- d-----w- c:\program files\Exterminate It!
2010-02-12 15:52 . 2010-02-12 15:52 71 ----a-w- c:\users\Sue\AppData\Roaming\Microsoft\Windows\Recent\std.dll
2010-02-12 15:52 . 2010-02-12 15:52 23 ----a-w- c:\users\Sue\AppData\Roaming\Microsoft\Windows\Recent\pal.drv
2010-02-12 15:52 . 2010-02-12 15:52 53 ----a-w- c:\users\Sue\AppData\Roaming\Microsoft\Windows\Recent\tjd.drv
2010-02-12 15:52 . 2010-02-12 15:52 33 ----a-w- c:\users\Sue\AppData\Roaming\Microsoft\Windows\Recent\PE.dll
2010-02-12 15:52 . 2010-02-12 15:52 63 ----a-w- c:\users\Sue\AppData\Roaming\Microsoft\Windows\Recent\FW.dll
2010-02-12 15:52 . 2010-02-12 15:52 27 ----a-w- c:\users\Sue\AppData\Roaming\Microsoft\Windows\Recent\eb.exe
2010-02-12 15:52 . 2010-02-12 15:52 60 ----a-w- c:\users\Sue\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.drv
2010-02-12 15:52 . 2010-02-12 15:52 30 ----a-w- c:\users\Sue\AppData\Roaming\Microsoft\Windows\Recent\ddv.drv
2010-02-12 15:52 . 2010-02-12 16:02 3 ----a-w- c:\users\Sue\AppData\Roaming\Microsoft\Windows\Recent\eb.sys
2010-02-12 15:51 . 2010-02-12 15:51 -------- d-sh--w- c:\programdata\SAPBDV
2010-02-12 15:51 . 2010-01-10 14:51 457688 ----a-w- c:\programdata\72362ab\sqlite3.dll
2010-02-12 15:51 . 2010-01-10 14:51 722392 ----a-w- c:\programdata\72362ab\mozcrt19.dll
2010-02-12 15:51 . 2010-02-12 15:51 2601472 ----a-w- c:\programdata\72362ab\SA7236.exe
2010-02-12 15:51 . 2010-02-12 16:22 -------- d-sh--w- c:\programdata\72362ab
2010-02-12 09:00 . 2010-02-12 09:00 84912 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\20100212.003\NAVENG.SYS
2010-02-12 09:00 . 2010-02-12 09:00 1324720 ----a-w- c:\programdata\Symantec\Definitions\SymcData\virusdefs-2.5-e\20100212.003\NAVEX15.SYS
2010-02-06 15:53 . 2010-02-06 15:53 -------- d-----w- c:\users\Sue\AppData\Roaming\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
2010-02-06 15:53 . 2010-02-06 15:46 38784 ----a-w- c:\users\Sue\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-06 15:48 . 2010-02-06 15:48 -------- d-----w- c:\users\Administrator\AppData\Roaming\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
2010-02-06 15:48 . 2010-02-06 15:46 38784 ----a-w- c:\users\Administrator\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-06 15:48 . 2010-02-06 15:46 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-06 15:39 . 2010-02-06 15:39 0 ----a-w- c:\windows\nsreg.dat
2010-02-06 15:39 . 2010-02-06 15:39 -------- d-----w- c:\users\Administrator\AppData\Local\Mozilla
2010-02-06 14:52 . 2010-02-06 14:52 -------- d-----w- c:\windows\system32\Adobe
2010-01-24 02:12 . 2009-10-19 14:27 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-24 02:12 . 2009-10-19 14:24 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-20 00:13 . 2009-12-17 16:37 31936 ----a-w- c:\users\Sue\AppData\Roaming\Mozilla\Firefox\Profiles\0pbxbd2g.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-01-20 00:13 . 2009-12-17 16:37 29344 ----a-w- c:\users\Sue\AppData\Roaming\Mozilla\Firefox\Profiles\0pbxbd2g.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2010-01-18 21:53 . 2010-01-18 21:53 -------- d-----w- c:\users\Sue\AppData\Roaming\Spacejock Software
2010-01-18 21:51 . 2010-01-18 21:51 -------- d-----w- c:\program files\yWriter5

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-17 03:50 . 2009-06-02 13:25 64705 ----a-w- c:\programdata\nvModes.dat
2010-02-17 03:50 . 2009-11-11 14:15 350192 ---ha-w- c:\windows\system32\drivers\vsconfig.xml
2010-02-16 12:17 . 2010-02-16 15:51 2671104 ----a-w- c:\windows\Internet Logs\xDB731F.tmp
2010-02-16 12:03 . 2009-04-27 17:33 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-13 12:24 . 2009-06-02 23:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-06 15:48 . 2009-06-02 15:07 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-06 15:42 . 2010-02-06 15:37 101856 ----a-w- c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-06 15:37 . 2010-02-06 15:37 -------- d-----w- c:\users\Administrator\AppData\Roaming\Epson
2010-02-06 15:37 . 2010-02-06 15:37 -------- d--h--w- c:\users\Administrator\AppData\Roaming\GTek
2010-01-24 13:59 . 2009-06-09 14:32 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-20 00:26 . 2009-06-02 14:52 -------- d-----w- c:\programdata\NOS
2010-01-20 00:13 . 2009-06-02 14:52 -------- d-----w- c:\program files\NOS
2010-01-14 11:12 . 2009-10-13 15:26 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-07 16:07 . 2009-06-02 23:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 16:07 . 2009-06-02 23:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-23 17:52 . 2009-12-24 14:02 1460736 ----a-w- c:\windows\Internet Logs\xDB75A0.tmp
2009-12-23 14:04 . 2009-12-23 14:04 1468006 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-12-22 17:33 . 2009-12-23 14:04 1460224 ----a-w- c:\windows\Internet Logs\xDB8F39.tmp
2009-12-06 16:47 . 2009-12-06 16:47 784136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-04-27 17:37 . 2009-04-27 17:37 76 --sh--r- c:\windows\CT4CET.bin
2009-04-28 01:51 . 2009-04-28 01:48 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\programdata\72362ab ----

2010-02-12 15:51 . 2010-02-12 15:51 6782 ----a-w- c:\programdata\72362ab\SAV.ico
2010-02-12 15:51 . 2010-02-12 15:51 11948 ----a-w- c:\programdata\72362ab\SAVSys\vd952342.bd
2010-02-12 15:51 . 2010-01-10 14:51 722392 ----a-w- c:\programdata\72362ab\mozcrt19.dll
2010-02-12 15:51 . 2010-01-10 14:51 457688 ----a-w- c:\programdata\72362ab\sqlite3.dll
2010-02-12 15:51 . 2010-02-12 15:51 2601472 ----a-w- c:\programdata\72362ab\SA7236.exe

---- Directory of c:\programdata\SAPBDV ----

2010-02-12 15:51 . 2010-02-12 17:01 21838 --sha-w- c:\programdata\SAPBDV\SAKLTV.cfg


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-04-16 22:13 721408 ----a-w- c:\program files\Fingerprint Reader Suite\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-04-16 22:13 721408 ----a-w- c:\program files\Fingerprint Reader Suite\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-01-25 167936]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2008-03-04 36864]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-12-03 405504]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"UIExec"="c:\program files\T-Mobile Internet Manager\UIExec.exe" [2009-06-12 132608]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2008-05-07 591696]
"LifeChat"="c:\program files\Microsoft LifeChat\LifeChat.exe" [2009-09-28 264040]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-16 13793824]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2009-06-16 92704]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 2 (0x2)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-04-16 22:04 86528 ----a-w- c:\windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk
backup=c:\windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2009-12-09 01:12 520024 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 16:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DELL Webcam Manager]
2007-07-27 15:43 118784 ------w- c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 11:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 10:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2007-08-30 09:50 205480 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeChat]
2009-09-28 11:48 264040 ----a-w- c:\program files\Microsoft LifeChat\LifeChat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2007-11-01 14:39 189736 ------w- c:\program files\Dell\MediaDirect\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSQLLauncher]
2007-04-16 21:50 49168 ----a-w- c:\program files\Fingerprint Reader Suite\launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-01-05 07:56 2002160 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]
2009-10-17 19:35 1070984 ----a-w- c:\program files\Trojan Remover\Trjscan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-21 02:25 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [09/12/2009 01:13 64160]
R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [12/02/2010 20:04 28552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/01/2010 07:56 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/01/2010 07:56 74480]
R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [12/02/2010 16:06 1858144]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [27/04/2009 18:17 73728]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 19:06 1028432]
S2 UI Assistant Service;UI Assistant Service;c:\program files\T-Mobile Internet Manager\AssistantServices.exe [10/08/2009 11:07 241664]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\System32\drivers\massfilter.sys [10/08/2009 11:07 9728]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/01/2010 07:56 7408]
S4 iaNvStor;Intel(R) Turbo Memory Controller;c:\windows\System32\drivers\iaNvStor.sys [28/04/2009 02:11 209408]

--- Other Services/Drivers In Memory ---

*Deregistered* - BMLoad

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-02-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 01:12]

2010-02-12 c:\windows\Tasks\Norton Security Scan for Sue.job
- c:\program files\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2010-02-12 11:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.co.uk/?src=www.aol.com
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cab
FF - ProfilePath - c:\users\Sue\AppData\Roaming\Mozilla\Firefox\Profiles\0pbxbd2g.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.co.uk/?src=www.aol.com
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmidas.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(596)
c:\windows\system32\psqlpwd.dll
c:\program files\Fingerprint Reader Suite\homefus2.dll
c:\program files\Fingerprint Reader Suite\infra.dll

- - - - - - - > 'Explorer.exe'(3760)
c:\program files\Fingerprint Reader Suite\farchns.dll
c:\program files\Fingerprint Reader Suite\infra.dll
.
Completion time: 2010-02-17 04:01:16
ComboFix-quarantined-files.txt 2010-02-17 04:01
ComboFix2.txt 2010-02-17 03:33
ComboFix3.txt 2010-02-12 22:23
ComboFix4.txt 2010-02-12 22:06

Pre-Run: 192,630,824,960 bytes free
Post-Run: 192,594,034,688 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=16 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16
- - End Of File - - 0310DCBE9FAC9298778BDF71D0128B


#32
February 16, 2010 at 20:23:49
Ah, just found what happened to me...

http://www.2-spyware.com/remove-sec...

Only it left me with a different .exe file:
mozcrt19.dll
SAVSys
Sav.ico
sqlite.dll... all this Security antivirus program


#33
February 16, 2010 at 20:42:12
Going to have to go to bed but will check in tomorrow afternoon. I do hope we can get this sorted and thanks very much for your time.


#34
February 16, 2010 at 20:44:20
Please go to Virus Total and upload the following file for analysis:

c:\programdata\SAPBDV\SAKLTV.cfg

Use the browse button at the site to find the file; once you find the file, double-click it and it should appear in the empty space to the left of the browse button, then click "send file". If the file has already been analyzed, click the reanalyze button to have it checked again.

Post the results in your reply.

I have to work tomorrow so I have to call it a night. I'll be back tomorrow afternoon.


#35
February 17, 2010 at 07:28:43
Thanks... here's the results:

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.02.17 -
AhnLab-V3 5.0.0.2 2010.02.17 -
AntiVir 8.2.1.170 2010.02.17 -
Antiy-AVL 2.0.3.7 2010.02.17 -
Authentium 5.2.0.5 2010.02.17 -
Avast 4.8.1351.0 2010.02.17 -
AVG 9.0.0.730 2010.02.17 -
BitDefender 7.2 2010.02.17 -
CAT-QuickHeal 10.00 2010.02.17 -
ClamAV 0.96.0.0-git 2010.02.17 -
Comodo 3969 2010.02.17 -
DrWeb 5.0.1.12222 2010.02.17 -
eSafe 7.0.17.0 2010.02.16 -
eTrust-Vet 35.2.7308 2010.02.17 -
F-Prot 4.5.1.85 2010.02.16 -
F-Secure 9.0.15370.0 2010.02.17 -
Fortinet 4.0.14.0 2010.02.15 -
GData 19 2010.02.17 -
Ikarus T3.1.1.80.0 2010.02.17 -
Jiangmin 13.0.900 2010.02.17 -
K7AntiVirus 7.10.974 2010.02.15 -
Kaspersky 7.0.0.125 2010.02.17 -
McAfee 5894 2010.02.16 -
McAfee+Artemis 5894 2010.02.16 -
McAfee-GW-Edition 6.8.5 2010.02.17 -
Microsoft 1.5406 2010.02.17 -
NOD32 4874 2010.02.17 -
Norman 6.04.08 2010.02.17 -
nProtect 2009.1.8.0 2010.02.17 -
Panda 10.0.2.2 2010.02.16 -
PCTools 7.0.3.5 2010.02.17 -
Rising 22.34.01.03 2010.02.11 -
Sophos 4.50.0 2010.02.17 -
Sunbelt 5682 2010.02.17 -
Symantec 20091.2.0.41 2010.02.17 -
TheHacker 6.5.1.4.197 2010.02.17 -
TrendMicro 9.120.0.1004 2010.02.17 -
VBA32 3.12.12.2 2010.02.16 -
ViRobot 2010.2.17.2190 2010.02.17 -
VirusBuster 5.0.21.0 2010.02.17 -
Additional information
File size: 21838 bytes
MD5...: 0d0e1944a1603a7ae55dbb199bbc37ca
SHA1..: 91b96fbdbae1729fa42a70ea938b0b77e26cbf84
SHA256: e7ccdfcc06492cd322017b562d6230e41efe5d54f460d15c4fc0e1a796f4a35c
ssdeep: 384:FRkJZGACMCSllcDScnVhM55eK6iS5CYZ+NjUxPDyDF6NN:FRkqClcGcVy2iiCYINjUxS6NN
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set -
pdfid.: -
trid..: Generic INI configuration (100.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned


#36
February 17, 2010 at 16:33:16
Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\programdata\72362ab\sqlite3.dll
c:\programdata\72362ab\mozcrt19.dll
c:\programdata\72362ab\SA7236.exe

Folder::
c:\programdata\72362ab

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if ComboFix does not auto-start, click "run".

Please post the log that is produced.

Please download TFC by Old Timer from the following link and save it to your desktop.

TFC by Old Timer



1. Save any unsaved work. TFC will close ALL open programs, including your browser.

2. Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.

3. Click the Start button to begin the cleaning process and let it run uninterrupted to completion.

4. Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder. It also cleans out the %systemroot%\temp folder and checks for .tmp files in the %systemdrive% root folder, %systemroot%, and the system32 folder (both 32bit and 64bit on 64bit OSs). It shows the amount removed for each location found (in bytes) and the total removed (in MB). Before running, it will stop Explorer and all other running apps. When finished, if a reboot is required the user must reboot to finish clearing any in-use temp files.

TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

Let me know how the computer is operating, especially Firefox.

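An added example, not code from the thread or from ComboFix: a Python script that parses ComboFix listing lines in the format of the logs above, flags hidden+system directories created directly under c:\programdata (the d-sh--w- entries) together with their contents, sets aside other files created within a two-minute window for manual review, and renders the flagged paths in the KILLALL::/File::/Folder:: layout described in this post. The sample lines are constructed from entries quoted in this thread; the two-minute window and the ProgramData rule are my assumptions, not a ComboFix feature.

```python
"""Added example (not from the thread or ComboFix): triage ComboFix listing
lines and render a CFScript skeleton for the entries worth removing.
Sample lines are constructed from the entries quoted in this thread; the
2-minute window and the ProgramData rule are assumptions."""
import re
from datetime import datetime, timedelta

# A ComboFix listing line: "<created> . <modified> <size|--------> <attrs> <path>"
# attrs is an 8-character flag field such as d-sh--w- (directory, system, hidden).
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\d+|-+) ([a-z-]{8}) (.+)$",
    re.IGNORECASE,
)

# Constructed sample: entries lifted from the "Files Created" / "Look" sections
# of the logs above, plus benign neighbours so the filter has something to skip.
SAMPLE_LOG = r"""
2010-02-12 20:04 . 2010-02-12 20:04 -------- d-----w- c:\program files\Panda Security
2010-02-12 15:52 . 2010-02-12 15:52 71 ----a-w- c:\users\Sue\AppData\Roaming\Microsoft\Windows\Recent\std.dll
2010-02-12 15:51 . 2010-02-12 15:51 -------- d-sh--w- c:\programdata\SAPBDV
2010-02-12 15:51 . 2010-01-10 14:51 457688 ----a-w- c:\programdata\72362ab\sqlite3.dll
2010-02-12 15:51 . 2010-01-10 14:51 722392 ----a-w- c:\programdata\72362ab\mozcrt19.dll
2010-02-12 15:51 . 2010-02-12 15:51 2601472 ----a-w- c:\programdata\72362ab\SA7236.exe
2010-02-12 15:51 . 2010-02-12 16:22 -------- d-sh--w- c:\programdata\72362ab
2010-02-12 15:51 . 2010-02-12 17:01 21838 --sha-w- c:\programdata\SAPBDV\SAKLTV.cfg
2010-01-24 02:12 . 2009-10-19 14:27 156672 ----a-w- c:\windows\system32\t2embed.dll
"""


def parse_listing(text):
    """Turn listing lines into dicts; banners, headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        created, modified, size, attrs, path = m.groups()
        entries.append({
            "created": datetime.strptime(created, "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(modified, "%Y-%m-%d %H:%M"),
            "size": None if size.startswith("-") else int(size),
            "is_dir": attrs[0].lower() == "d",
            "hidden": "h" in attrs.lower(),
            "system": "s" in attrs.lower(),
            "path": path,
        })
    return entries


def triage(entries, window=timedelta(minutes=2)):
    """Split entries into (remove, review).

    remove: hidden+system directories created directly under c:\\programdata
            (assumed rule, matching the d-sh--w- entries in the thread) plus
            everything inside them.
    review: any other entry created within `window` of such a directory; these
            are listed for a human to look at, never deleted automatically."""
    roots = [e for e in entries if e["is_dir"] and e["hidden"] and e["system"]
             and e["path"].lower().rsplit("\\", 1)[0] == r"c:\programdata"]
    root_paths = [r["path"].lower() for r in roots]
    root_times = [r["created"] for r in roots]
    remove, review = [], []
    for e in entries:
        p = e["path"].lower()
        if p in root_paths or any(p.startswith(r + "\\") for r in root_paths):
            remove.append(e)
        elif any(abs(e["created"] - t) <= window for t in root_times):
            review.append(e)
    return remove, review


def render_cfscript(remove):
    """Render the directives in the layout the post describes: the first
    directive on the very first line, files under File::, directories under
    Folder::, one path per line."""
    files = [e["path"] for e in remove if not e["is_dir"]]
    folders = [e["path"] for e in remove if e["is_dir"]]
    lines = ["KILLALL::", "File::"] + files + ["", "Folder::"] + folders
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LOG)
    to_remove, to_review = triage(parsed)
    print(render_cfscript(to_remove))
    for entry in to_review:
        print("REVIEW (created %s): %s" % (entry["created"], entry["path"]))
```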

#37
February 17, 2010 at 17:22:30
Thanks, here's the first task: the ComboFix log. Firefox wouldn't start (illegal operation message) until I rebooted!

ComboFix 10-02-12.01 - Sue 18/02/2010 1:05.5.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2045.1243 [GMT 0:00]
Running from: c:\users\Sue\Desktop\ComboFix.exe
Command switches used :: c:\users\Sue\Desktop\CFScript.txt
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: ZoneAlarm Anti-Spyware *enabled* (Outdated) {F245A209-1085-48B4-B927-35D56015EC60}

FILE ::
"c:\programdata\72362ab\mozcrt19.dll"
"c:\programdata\72362ab\sqlite3.dll"
"c:\programdata\7236ab\SA7236.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\72362ab
c:\programdata\72362ab\mozcrt19.dll
c:\programdata\72362ab\SA7236.exe
c:\programdata\72362ab\SAV.ico
c:\programdata\72362ab\SAVSys\vd952342.bd
c:\programdata\72362ab\sqlite3.dll

.
((((((((((((((((((((((((( Files Created from 2010-01-18 to 2010-02-18 )))))))))))))))))))))))))))))))
.

2010-02-18 01:09 . 2010-02-18 01:10 -------- d-----w- c:\users\Sue\AppData\Local\temp
2010-02-18 01:09 . 2010-02-18 01:09 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-02-18 01:09 . 2010-02-18 01:09 -------- d-----w- c:\users\gamer\AppData\Local\temp
2010-02-18 01:09 . 2010-02-18 01:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-18 01:09 . 2010-02-18 01:09 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2010-02-17 01:29 . 2010-02-17 01:32 -------- d-----w- c:\users\Sue\Pavark
2010-02-16 12:03 . 2010-02-16 12:03 -------- d-----w- c:\program files\Common Files\Java
2010-02-16 12:03 . 2010-02-16 12:03 -------- d-----w- c:\program files\Java
2010-02-13 12:23 . 2010-02-13 12:23 -------- d-----w- c:\users\Administrator\AppData\Roaming\Malwarebytes
2010-02-13 12:20 . 2010-02-13 12:20 -------- d-----w- c:\program files\Trend Micro
2010-02-12 22:59 . 2010-02-12 22:59 -------- d-----w- c:\program files\TrendMicro
2010-02-12 22:43 . 2010-02-12 22:50 -------- d-----w- c:\program files\Trojan Remover
2010-02-12 22:42 . 2006-06-19 12:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-02-12 22:42 . 2006-05-25 14:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-02-12 22:42 . 2005-08-26 00:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-02-12 22:42 . 2003-02-02 19:06 153088 ----a-w- c:\windows\system32\unrar3.dll
2010-02-12 22:42 . 2002-03-06 00:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-02-12 22:42 . 2010-02-12 22:45 -------- d-----w- c:\users\Sue\AppData\Roaming\Simply Super Software
2010-02-12 22:42 . 2010-02-12 22:42 -------- d-----w- c:\programdata\Simply Super Software
2010-02-12 20:58 . 2010-02-12 21:28 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-02-12 20:58 . 2010-02-12 20:58 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-12 20:04 . 2009-06-30 09:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-02-12 20:04 . 2010-02-12 20:04 -------- d-----w- c:\program files\Panda Security
2010-02-12 19:45 . 2010-02-12 19:45 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-02-12 19:45 . 2010-02-12 19:45 -------- d-----w- c:\users\Sue\AppData\Roaming\SUPERAntiSpyware.com
2010-02-12 19:45 . 2010-02-12 19:45 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-12 19:45 . 2010-02-12 19:45 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-12 19:40 . 2010-02-12 19:40 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-12 19:31 . 2010-02-17 04:06 -------- d-----w- c:\programdata\Norton
2010-02-12 19:31 . 2010-02-17 04:06 -------- d-----w- c:\programdata\Symantec
2010-02-12 19:31 . 2010-02-12 19:31 -------- d-----w- c:\programdata\NortonInstaller
2010-02-12 17:15 . 2010-02-12 17:15 -------- d-----w- c:\users\Sue\DoctorWeb
2010-02-12 17:06 . 2010-02-12 18:50 680 ----a-w- c:\users\Sue\AppData\Local\d3d9caps.dat
2010-02-12 16:55 . 2010-02-12 16:55 -------- dc----w- c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-02-12 16:11 . 2010-02-12 16:11 -------- d-----w- c:\users\Sue\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-02-12 16:06 . 2010-02-12 18:37 -------- d-----w- c:\program files\a-squared Free
2010-02-12 16:05 . 2010-02-12 16:11 -------- d-----w- c:\program files\Exterminate It!
2010-02-12 15:51 . 2010-02-12 15:51 -------- d-sh--w- c:\programdata\SAPBDV
2010-02-06 15:53 . 2010-02-06 15:53 -------- d-----w- c:\users\Sue\AppData\Roaming\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
2010-02-06 15:48 . 2010-02-06 15:48 -------- d-----w- c:\users\Administrator\AppData\Roaming\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
2010-02-06 15:39 . 2010-02-06 15:39 0 ----a-w- c:\windows\nsreg.dat
2010-02-06 15:39 . 2010-02-06 15:39 -------- d-----w- c:\users\Administrator\AppData\Local\Mozilla
2010-02-06 14:52 . 2010-02-06 14:52 -------- d-----w- c:\windows\system32\Adobe
2010-01-24 02:12 . 2009-10-19 14:27 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-24 02:12 . 2009-10-19 14:24 72704 ----a-w- c:\windows\system32\fontsub.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-18 01:10 . 2009-06-02 13:25 64705 ----a-w- c:\programdata\nvModes.dat
2010-02-18 01:10 . 2009-11-11 14:15 350192 ---ha-w- c:\windows\system32\drivers\vsconfig.xml
2010-02-16 12:17 . 2010-02-16 15:51 2671104 ----a-w- c:\windows\Internet Logs\xDB731F.tmp
2010-02-16 12:03 . 2009-04-27 17:33 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-13 12:24 . 2009-06-02 23:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-13 12:24 . 2010-02-13 12:24 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-02-12 22:59 . 2010-02-12 22:59 388096 ----a-r- c:\users\Sue\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-12 22:12 . 2010-02-12 19:46 52224 ----a-w- c:\users\Sue\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-12 22:12 . 2010-02-12 19:46 117760 ----a-w- c:\users\Sue\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-12 16:02 . 2010-02-12 15:52 3 ----a-w- c:\users\Sue\AppData\Roaming\Microsoft\Windows\Recent\eb.sys
2010-02-12 15:52 . 2010-02-12 15:52 71 ----a-w- c:\users\Sue\AppData\Roaming\Microsoft\Windows\Recent\std.dll
2010-02-12 15:52 . 2010-02-12 15:52 23 ----a-w- c:\users\Sue\AppData\Roaming\Microsoft\Windows\Recent\pal.drv
2010-02-12 15:52 . 2010-02-12 15:52 27 ----a-w- c:\users\Sue\AppData\Roaming\Microsoft\Windows\Recent\eb.exe
2010-02-12 15:52 . 2010-02-12 15:52 53 ----a-w- c:\users\Sue\AppData\Roaming\Microsoft\Windows\Recent\tjd.drv
2010-02-12 15:52 . 2010-02-12 15:52 33 ----a-w- c:\users\Sue\AppData\Roaming\Microsoft\Windows\Recent\PE.dll
2010-02-12 15:52 . 2010-02-12 15:52 63 ----a-w- c:\users\Sue\AppData\Roaming\Microsoft\Windows\Recent\FW.dll
2010-02-12 15:52 . 2010-02-12 15:52 60 ----a-w- c:\users\Sue\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.drv
2010-02-12 15:52 . 2010-02-12 15:52 30 ----a-w- c:\users\Sue\AppData\Roaming\Microsoft\Windows\Recent\ddv.drv
2010-02-06 15:48 . 2009-06-02 15:07 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-06 15:46 . 2010-02-06 15:53 38784 ----a-w- c:\users\Sue\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-06 15:46 . 2010-02-06 15:48 38784 ----a-w- c:\users\Administrator\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-06 15:46 . 2010-02-06 15:48 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-06 15:42 . 2010-02-06 15:37 101856 ----a-w- c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-06 15:37 . 2010-02-06 15:37 -------- d-----w- c:\users\Administrator\AppData\Roaming\Epson
2010-02-06 15:37 . 2010-02-06 15:37 -------- d--h--w- c:\users\Administrator\AppData\Roaming\GTek
2010-01-24 13:59 . 2009-06-09 14:32 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-20 00:26 . 2009-06-02 14:52 -------- d-----w- c:\programdata\NOS
2010-01-20 00:13 . 2009-06-02 14:52 -------- d-----w- c:\program files\NOS
2010-01-18 21:53 . 2010-01-18 21:53 -------- d-----w- c:\users\Sue\AppData\Roaming\Spacejock Software
2010-01-18 21:51 . 2010-01-18 21:51 -------- d-----w- c:\program files\yWriter5
2010-01-14 11:12 . 2009-10-13 15:26 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-07 16:07 . 2009-06-02 23:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 16:07 . 2009-06-02 23:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-23 17:52 . 2009-12-24 14:02 1460736 ----a-w- c:\windows\Internet Logs\xDB75A0.tmp
2009-12-23 14:04 . 2009-12-23 14:04 1468006 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-12-22 17:33 . 2009-12-23 14:04 1460224 ----a-w- c:\windows\Internet Logs\xDB8F39.tmp
2009-12-17 16:37 . 2010-01-20 00:13 31936 ----a-w- c:\users\Sue\AppData\Roaming\Mozilla\Firefox\Profiles\0pbxbd2g.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-12-17 16:37 . 2010-01-20 00:13 29344 ----a-w- c:\users\Sue\AppData\Roaming\Mozilla\Firefox\Profiles\0pbxbd2g.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2009-12-06 16:47 . 2009-12-06 16:47 784136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-04-27 17:37 . 2009-04-27 17:37 76 --sh--r- c:\windows\CT4CET.bin
2009-04-28 01:51 . 2009-04-28 01:48 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-04-16 22:13 721408 ----a-w- c:\program files\Fingerprint Reader Suite\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-04-16 22:13 721408 ----a-w- c:\program files\Fingerprint Reader Suite\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-01-25 167936]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2008-03-04 36864]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-12-03 405504]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"UIExec"="c:\program files\T-Mobile Internet Manager\UIExec.exe" [2009-06-12 132608]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2008-05-07 591696]
"LifeChat"="c:\program files\Microsoft LifeChat\LifeChat.exe" [2009-09-28 264040]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-16 13793824]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2009-06-16 92704]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 2 (0x2)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-04-16 22:04 86528 ----a-w- c:\windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk
backup=c:\windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2009-12-09 01:12 520024 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 16:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DELL Webcam Manager]
2007-07-27 15:43 118784 ------w- c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 11:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 10:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2007-08-30 09:50 205480 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeChat]
2009-09-28 11:48 264040 ----a-w- c:\program files\Microsoft LifeChat\LifeChat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2007-11-01 14:39 189736 ------w- c:\program files\Dell\MediaDirect\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSQLLauncher]
2007-04-16 21:50 49168 ----a-w- c:\program files\Fingerprint Reader Suite\launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-01-05 07:56 2002160 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]
2009-10-17 19:35 1070984 ----a-w- c:\program files\Trojan Remover\Trjscan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-21 02:25 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [09/12/2009 01:13 64160]
R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [12/02/2010 20:04 28552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/01/2010 07:56 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/01/2010 07:56 74480]
R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [12/02/2010 16:06 1858144]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [27/04/2009 18:17 73728]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 19:06 1028432]
R2 UI Assistant Service;UI Assistant Service;c:\program files\T-Mobile Internet Manager\AssistantServices.exe [10/08/2009 11:07 241664]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\System32\drivers\massfilter.sys [10/08/2009 11:07 9728]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/01/2010 07:56 7408]
S4 iaNvStor;Intel(R) Turbo Memory Controller;c:\windows\System32\drivers\iaNvStor.sys [28/04/2009 02:11 209408]

--- Other Services/Drivers In Memory ---

*Deregistered* - BMLoad

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-02-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 01:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.co.uk/?src=www.aol.com
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cab
FF - ProfilePath - c:\users\Sue\AppData\Roaming\Mozilla\Firefox\Profiles\0pbxbd2g.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.co.uk/?src=www.aol.com
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmidas.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-18 01:10
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(600)
c:\windows\system32\psqlpwd.dll
c:\program files\Fingerprint Reader Suite\homefus2.dll
c:\program files\Fingerprint Reader Suite\infra.dll

- - - - - - - > 'Explorer.exe'(2348)
c:\program files\Fingerprint Reader Suite\farchns.dll
c:\program files\Fingerprint Reader Suite\infra.dll
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Fingerprint Reader Suite\upeksvr.exe
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\programdata\EPSON\EPW!3 SSRP\E_S40ST7.EXE
c:\programdata\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wbem\unsecapp.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-02-18 01:16:21 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-18 01:16
ComboFix2.txt 2010-02-17 04:01
ComboFix3.txt 2010-02-17 03:33
ComboFix4.txt 2010-02-12 22:23
ComboFix5.txt 2010-02-18 01:04

Pre-Run: 192,886,935,552 bytes free
Post-Run: 192,843,612,160 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=16 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16
- - End Of File - - FD097F3D1BFED1EF9D4A9191346C32D4


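The log above lists dated files and Run-key autostarts in a fixed line format, and the rest of the thread turns on whether anything in it still looks wrong. The Python below is an added example (not part of the thread and not ComboFix's own code): it parses those two line shapes and applies the checks a practitioner would run on a log like this, namely driver/DLL-named files sitting in a profile's Recent folder (which normally holds only .lnk shortcuts) or too small to be a real PE image, and Run entries that launch from a user-writable path. The sample lines copy the log's format; the "updater" Run entry is a constructed line that does not appear in the log, and the size threshold and trusted-root list are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added triage helper for ComboFix-style log lines (example code, not ComboFix's).
# Two line shapes are handled:
#   dated file list:  2010-02-12 15:52 . 2010-02-12 15:52 71 ----a-w- c:\users\Sue\...\Recent\std.dll
#   Run-key entries:  "Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-01-25 167936]
FILE_LINE = re.compile(
    r"^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>[a-z]:\\.+)$",
    re.IGNORECASE,
)
RUN_LINE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$'
)

# Heuristic assumptions, not ComboFix rules.
SYSTEM_EXTS = (".sys", ".dll", ".drv", ".exe")
MIN_PLAUSIBLE_PE = 256            # a real PE image carries DOS + NT headers; a 3..71-byte "driver" cannot
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


@dataclass
class Finding:
    path: str
    reason: str


def parse_file_line(line: str) -> Optional[dict]:
    """Parse one dated file-list line; directories have '--------' instead of a size."""
    m = FILE_LINE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return {"mtime": m["mtime"], "size": size, "attrs": m["attrs"].lower(), "path": m["path"]}


def parse_run_line(line: str) -> Optional[dict]:
    """Parse one "Name"="path" [date size] autostart entry."""
    m = RUN_LINE.match(line.strip())
    if not m:
        return None
    return {"name": m["name"], "path": m["path"], "size": int(m["size"])}


def check_file(entry: dict) -> Optional[Finding]:
    p = entry["path"].lower()
    if entry["size"] is None or not p.endswith(SYSTEM_EXTS):
        return None
    # The Recent folder holds .lnk shortcuts; a .sys/.dll/.drv/.exe there is out of place.
    if "\\recent\\" in p:
        return Finding(entry["path"], "driver/DLL-named file inside the Recent (shortcuts) folder")
    if "\\users\\" in p and entry["size"] < MIN_PLAUSIBLE_PE:
        return Finding(entry["path"], f"{entry['size']}-byte file too small to be a PE image")
    return None


def check_run(entry: dict) -> Optional[Finding]:
    p = entry["path"].lower()
    if not p.startswith(TRUSTED_ROOTS):
        return Finding(entry["path"], f"autostart '{entry['name']}' runs from a user-writable location")
    return None


def triage(log_text: str) -> list:
    """Run both checks over every line and return the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        f = parse_file_line(line)
        if f:
            hit = check_file(f)
        else:
            r = parse_run_line(line)
            hit = check_run(r) if r else None
        if hit:
            findings.append(hit)
    return findings


# Constructed sample: the first five lines follow the log's format; the "updater"
# entry is invented for illustration and does not appear in the log.
SAMPLE_LOG = r"""
2010-02-12 15:52 . 2010-02-12 15:52 71 ----a-w- c:\users\Sue\AppData\Roaming\Microsoft\Windows\Recent\std.dll
2010-02-12 15:52 . 2010-02-12 15:52 27 ----a-w- c:\users\Sue\AppData\Roaming\Microsoft\Windows\Recent\eb.exe
2010-02-06 15:46 . 2010-02-06 15:53 38784 ----a-w- c:\users\Sue\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-06 15:48 . 2009-06-02 15:07 -------- d-----w- c:\program files\Common Files\Adobe AIR
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-01-25 167936]
"updater"="c:\users\Sue\AppData\Local\Temp\updater.exe" [2010-02-12 5632]
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.reason}: {finding.path}")
```

Run it against a saved ComboFix.txt by reading the file into triage(); it flags the two Recent-folder files and the constructed Temp autostart, and passes the AIR installer, the directory line and the Apoint entry. The heuristics only surface candidates for a closer look (hash the file, check its signature); they are not a verdict.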

#38
February 17, 2010 at 17:31:50
Have done the latter... was there supposed to be a log? It asked to reboot so I did. Do I still have a file problem? i.e. wasn't it about something replacing files and we didn't know which one(s)? Thanks very much.


#39
February 17, 2010 at 17:40:00
The free trial Prevx is now coming up with tfc.exe and otl.exe, both on the desktop... are these OK? One says medium risk, one high.
Thanks


#40
February 17, 2010 at 17:51:54
I didn't see any indication of a corrupt system file.

The alert = no risk, no risk.

If you are not using Norton any longer you should run their uninstall tool to remove all the old files, you can do a google search for it and find it easily.

You need an antivirus program; unless I have overlooked it, there is not one running. You can download the free version of AVG antivirus at this link:
AVG Free Antivirus

Update it once you get it installed.

All the other programs you used prior to getting here should be removed also, such as:

superantispyware
a-squared
Trojan Remover
Trend Micro
Panda Security
Exterminate It!

Unless one of them is your antivirus.

Delete these from your desktop:


TDSSkiller
DDS
Rkill
TFC
otl


Go to start> run> type in ComboFix /Uninstall (note the space after ComboFix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.

Download ATF Cleaner from this link (yes, do it again, different tool):
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Next create a new restore point. Go to start> run> type in msconfig> ok> click launch system restore> check the circle beside "create a restore point> next> name it today's date> create > click home > exit the system configuration utility> restart the computer.

You should consider adding "Spywareblaster" to your arsenal of antispyware tools; you can download it from this link: Spywareblaster

Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and it re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.


How is the computer operating?



#41
February 17, 2010 at 17:55:06
Thanks, will do that tomorrow. All seems well... why am I still suspicious? How do we know it's really gone... has it gone?

Also, has it stolen my passwords? I haven't seen any suspicious activity in a personal security sense. Should I be changing all my passwords pre or post restore point?
Thanks, I do appreciate all your effort.



#42
February 17, 2010 at 18:07:51
Going to have to go to bed now... still struggling from lack of sleep last night. Thanks again.


#43
February 17, 2010 at 18:12:30
It would be best to change your passwords.

If you do not have an antivirus, let that be your first priority, then change your passwords... then do the cleanup.



#44
February 18, 2010 at 03:37:23
Thanks very much for all your help. I will let you know if I run into problems.
