
HeyUvaVT

  1. Here is the newest CF log... sorry it took so long!

     ComboFix 10-05-23.07 - Paladin User 05/24/2010 7:17.2.2 - x86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.981.518 [GMT -4:00]
     Running from: c:\documents and settings\Paladin User\Desktop\ComboFix.exe
     Command switches used :: E:\CFScript.txt
     AV: Trend Micro Internet Security *On-access scanning enabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     C:\feed.txt
     .
     --------------- FCopy ---------------
     c:\windows\ServicePackFiles\i386\user32.dll --> c:\windows\system32\user32.dll
     c:\windows\ServicePackFiles\i386\user32.dll --> c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
     c:\windows\ServicePackFiles\i386\user32.dll --> c:\windows\$NtServicePackUninstall$\user32.dll
     c:\windows\ServicePackFiles\i386\user32.dll --> c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
     c:\windows\ServicePackFiles\i386\user32.dll --> c:\windows\$NtUninstallKB925902$\user32.dll
     c:\windows\ServicePackFiles\i386\ws2_32.dll --> c:\windows\system32\ws2_32.dll
     .
     ((((((((((((((((((((((((( Files Created from 2010-04-24 to 2010-05-24 )))))))))))))))))))))))))))))))
     .
     2010-06-22 16:28 . 2010-06-22 16:28 -------- d--h--w- c:\windows\system32\GroupPolicy
     2010-05-24 11:23 . 2010-05-24 11:23 -------- d-----w- c:\windows\system32\Service
     2010-05-23 15:50 . 2010-05-23 15:50 -------- d-----w- C:\_OTL
     2010-05-07 12:08 . 2010-05-07 12:08 -------- d-----w- c:\documents and settings\Paladin User\Local Settings\Application Data\Roxio
     2010-05-07 12:02 . 2010-05-07 12:02 -------- d-----w- c:\program files\Common Files\SureThing Shared
     2010-05-07 12:02 . 2010-05-07 12:03 -------- d-----w- c:\program files\Common Files\Sonic Shared
     2010-05-07 12:02 . 2010-05-07 12:03 -------- d-----w- c:\program files\Roxio
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2010-06-22 18:47 . 2010-01-09 15:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2010-05-12 15:21 . 2009-10-03 02:55 221568 ------w- c:\windows\system32\MpSigStub.exe
     2010-05-12 07:01 . 2009-06-10 21:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
     2010-05-07 12:03 . 2010-05-07 12:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Uninstall
     2010-05-07 12:02 . 2008-03-17 15:02 -------- d-----w- c:\program files\Common Files\Roxio Shared
     2010-05-07 12:02 . 2009-02-05 17:41 -------- d-----w- c:\documents and settings\Paladin User\Application Data\InstallShield
     2010-05-07 12:02 . 2008-03-14 23:29 -------- d-----w- c:\program files\Common Files\InstallShield
     2010-05-06 13:53 . 2009-05-06 15:27 -------- d-----w- c:\program files\Auction Client
     2010-04-29 19:39 . 2010-01-09 15:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2010-04-29 19:39 . 2010-01-09 15:13 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
     2010-03-24 18:17 . 2010-03-24 08:04 952768 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\30168\AdobeARM.exe
     2010-03-24 18:17 . 2010-03-24 08:04 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\30168\AdobeExtractFiles.dll
     2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\30168\ReaderUpdater.exe
     2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\30168\AcrobatUpdater.exe
     2010-03-11 12:38 . 2006-03-04 03:33 832512 ----a-w- c:\windows\system32\wininet.dll
     2010-03-11 12:38 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
     2010-03-11 12:38 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll
     2010-03-09 11:09 . 2004-08-04 10:00 430080 ----a-w- c:\windows\system32\vbscript.dll
     2010-02-24 13:11 . 2004-08-04 10:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-08-01 1036288]
     "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
     "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-06 141848]
     "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-06 162328]
     "Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-06 137752]
     "ESDUSBMon.exe"="c:\windows\system32\ESDUSBMon.exe" [2005-05-27 188416]
     "Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
     "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
     "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
     "UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-10-21 995528]
     "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
     "Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
     "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

     [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
     "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
     2009-05-05 21:44 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
     @="Service"

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\atchk]
     2007-06-13 01:09 408344 ----a-w- c:\program files\Intel\AMT\atchk.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LionClock Server]
     2008-04-22 19:12 3412280 ----a-w- c:\program files\LionClock Server\LionClock Server.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
     2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\security center]
     "FirewallOverride"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "EnableFirewall"= 0 (0x0)

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
     "c:\\WINDOWS\\system32\\spoolsv.exe"=

     R2 EPSON ESCPOS Status Service;EPSON ESC/POS Status Service;EpStsSrv.exe --> EpStsSrv.exe [?]
     R2 Esdpdx01;Esdpdx01;c:\windows\system32\drivers\ESDPDX01.SYS [5/11/2006 1:51 PM 95485]
     R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe -s --> c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe -s [?]
     R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [3/11/2009 5:09 PM 50192]
     R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [3/11/2009 5:06 PM 36368]
     R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [3/14/2008 7:47 PM 2521880]
     R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 11:19 PM 13592]
     R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe -s --> c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe -s [?]
     S2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [3/11/2009 5:09 PM 677128]
     S3 PortEmulatorHSP7000;Port Emulator (HSP7000);c:\program files\StarMicronics\HSP7000\Software\VirtualPortEmulator\Software\VSPEU\portemu_umdf.exe [7/1/2008 11:44 PM 163840]
     .
     Contents of the 'Scheduled Tasks' folder

     2010-05-24 c:\windows\Tasks\MP Scheduled Scan.job
     - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 03:20]

     2009-03-11 c:\windows\Tasks\Nightly Backup.job
     - c:\paladinpos\PaladinPOS.exe [2008-03-17 15:30]

     2010-05-24 c:\windows\Tasks\Nightly Reboot.job
     - c:\windows\system32\shutdown.exe [2004-08-04 00:12]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://support.paladinpos.com/
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
     Trusted Zone: acehardware-acenet.com
     Trusted Zone: acehardware-aceonline.com
     Trusted Zone: acehardware-eaglevision.com
     Trusted Zone: acehardware-vendors.com
     Trusted Zone: aceservices.com
     Trusted Zone: acehardware-acenet.com
     Trusted Zone: acehardware-aceonline.com
     Trusted Zone: acehardware-eaglevision.com
     Trusted Zone: acehardware-vendors.com
     Trusted Zone: aceservices.com
     DPF: AceIESecuritySettings - hxxp://ww1.acehardware-acenet.com/Controls/AceIESecuritySettings.CAB
     DPF: {24B8CB65-C0D2-11D0-A523-444553540000} - hxxp://ww1.acehardware-acenet.com/ACENET/Controls/AceExpl/AceExpl.cab
     DPF: {41F841C0-AE16-11D5-8817-0050DA6EF5E5} - hxxp://ww1.acehardware-acenet.com/ACENET/controls/FarPoint60/fpspr60.cab
     DPF: {8BF1A503-001F-11D0-A296-00A0246497B9} - hxxp://ww1.acehardware-acenet.com/ACENET/Controls/ACENET/ACECTL.CAB
     DPF: {93D532DD-85FC-4A92-8254-8DB5437D8690} - hxxp://onbase.aceservices.com/AppNet/activex/OBXPopup.cab
     DPF: {C903C000-9C6E-419D-A0AC-2E760BBA3764} - hxxp://ww1.acehardware-acenet.com/ACENET/Controls/MCSi/McsiMenu.cab
     DPF: {F5876F16-5217-4B38-96F3-C2BB80215302} - hxxp://imagemax.aceservices.com/appnet/activex/OBXWebViewer.cab
     .
     **************************************************************************

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2010-05-24 07:24
     Windows 5.1.2600 Service Pack 3 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------

     [HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
     "Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
        bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
     "Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
        bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
     "Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
        bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(724)
     c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll

     - - - - - - - > 'explorer.exe'(1184)
     c:\windows\system32\WININET.dll
     c:\windows\system32\ieframe.dll
     .
     ------------------------ Other Running Processes ------------------------
     .
     c:\windows\System32\wudfhost.exe
     c:\program files\Trend Micro\BM\TMBMSRV.exe
     c:\program files\Intel\AMT\atchksrv.exe
     c:\windows\system32\EpStsSrv.exe
     c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe
     c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
     c:\program files\Java\jre6\bin\jqs.exe
     c:\program files\Intel\AMT\LMS.exe
     c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
     c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe
     c:\windows\system32\wscntfy.exe
     c:\windows\system32\igfxsrvc.exe
     .
     **************************************************************************
     .
     Completion time: 2010-05-24 07:30:12 - machine was rebooted
     ComboFix-quarantined-files.txt 2010-05-24 11:30
     ComboFix2.txt 2010-05-23 16:35

     Pre-Run: 145,448,366,080 bytes free
     Post-Run: 145,413,873,664 bytes free

     - - End Of File - - D72F61F3476EC4A24929A38220BD4258
  2. Here is the ComboFix log.

     ComboFix 10-05-22.03 - Paladin User 05/23/2010 12:22:22.1.2 - x86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.981.635 [GMT -4:00]
     Running from: c:\documents and settings\Paladin User\Desktop\ComboFix.exe
     AV: Trend Micro Internet Security *On-access scanning enabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
     c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
     c:\documents and settings\Paladin User\Application Data\Microsoft\HTML Help\hh.dat
     c:\documents and settings\Paladin User\GoToAssistDownloadHelper.exe
     c:\documents and settings\Paladin User\Recent\cb.dll
     c:\documents and settings\Paladin User\Recent\eb.dll
     c:\documents and settings\Paladin User\Recent\eb.exe
     c:\documents and settings\Paladin User\Recent\energy.tmp
     c:\documents and settings\Paladin User\Recent\exec.drv
     c:\documents and settings\Paladin User\Recent\FW.exe
     c:\documents and settings\Paladin User\Recent\kernel32.exe
     c:\documents and settings\Paladin User\Recent\pal.dll
     c:\documents and settings\Paladin User\Recent\PE.exe
     c:\documents and settings\Paladin User\Recent\PE.sys
     c:\documents and settings\Paladin User\Recent\ppal.drv
     c:\documents and settings\Paladin User\Recent\runddl.exe
     c:\documents and settings\Paladin User\Recent\snl2w.drv
     c:\documents and settings\Paladin User\Recent\tempdoc.dll
     c:\documents and settings\Paladin User\Recent\tjd.drv
     c:\documents and settings\Paladin User\Start Menu\Programs\Antimalware Doctor
     c:\documents and settings\Paladin User\Start Menu\Programs\Antimalware Doctor\Antimalware Doctor.lnk
     c:\documents and settings\Paladin User\Start Menu\Programs\Antimalware Doctor\Uninstall.lnk
     C:\feed.txt
     c:\windows\system32\driVERs\enworf.sys
     c:\windows\system32\service
     c:\windows\system32\service\01022010_TIS17_SfFniAU.log
     c:\windows\system32\service\01092009_TIS17_SfFniAU.log
     c:\windows\system32\service\02012010_TIS17_SfFniAU.log
     c:\windows\system32\service\02072009_TIS17_SfFniAU.log
     c:\windows\system32\service\04062009_TIS17_SfFniAU.log
     c:\windows\system32\service\09012010_TIS17_SfFniAU.log
     c:\windows\system32\service\11012010_TIS17_SfFniAU.log
     c:\windows\system32\service\12102009_TIS17_SfFniAU.log
     c:\windows\system32\service\13052010_TIS17_SfFniAU.log
     c:\windows\system32\service\13072009_TIS17_SfFniAU.log
     c:\windows\system32\service\14102009_TIS17_SfFniAU.log
     c:\windows\system32\service\16032009_TIS17_SfFniAU.log
     c:\windows\system32\service\16042009_TIS17_SfFniAU.log
     c:\windows\system32\service\17052010_TIS17_SfFniAU.log
     c:\windows\system32\service\18042010_TIS17_SfFniAU.log
     c:\windows\system32\service\19122009_TIS17_SfFniAU.log
     c:\windows\system32\service\20052010_TIS17_SfFniAU.log
     c:\windows\system32\service\22102009_TIS17_SfFniAU.log
     c:\windows\system32\service\23062009_TIS17_SfFniAU.log
     c:\windows\system32\service\23082009_TIS17_SfFniAU.log
     c:\windows\system32\service\26082009_TIS17_SfFniAU.log
     c:\windows\system32\service\26122009_TIS17_SfFniAU.log
     c:\windows\system32\service\27052009_TIS17_SfFniAU.log
     c:\windows\system32\service\27102009_TIS17_SfFniAU.log
     c:\windows\system32\service\29102009_TIS17_SfFniAU.log
     c:\windows\system32\service\30012010_TIS17_SfFniAU.log

     ----- BITS: Possible infected sites -----

     hxxp://update.paladinpos.com

     Infected copy of c:\windows\system32\drivers\ftdisk.sys was found and disinfected
     Restored copy from - Kitty had a snack

     c:\windows\system32\ws2_32.dll . . . is infected!!
     .
     ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     -------\Legacy_enworf
     -------\Service_enworf


     ((((((((((((((((((((((((( Files Created from 2010-04-23 to 2010-05-23 )))))))))))))))))))))))))))))))
     .
     2010-06-22 16:28 . 2010-06-22 16:28 -------- d--h--w- c:\windows\system32\GroupPolicy
     2010-05-23 15:50 . 2010-05-23 15:50 -------- d-----w- C:\_OTL
     2010-05-07 12:08 . 2010-05-07 12:08 -------- d-----w- c:\documents and settings\Paladin User\Local Settings\Application Data\Roxio
     2010-05-07 12:02 . 2010-05-07 12:02 -------- d-----w- c:\program files\Common Files\SureThing Shared
     2010-05-07 12:02 . 2010-05-07 12:03 -------- d-----w- c:\program files\Common Files\Sonic Shared
     2010-05-07 12:02 . 2010-05-07 12:03 -------- d-----w- c:\program files\Roxio
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2010-06-22 18:47 . 2010-01-09 15:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2010-05-12 15:21 . 2009-10-03 02:55 221568 ------w- c:\windows\system32\MpSigStub.exe
     2010-05-12 07:01 . 2009-06-10 21:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
     2010-05-07 12:03 . 2010-05-07 12:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Uninstall
     2010-05-07 12:02 . 2008-03-17 15:02 -------- d-----w- c:\program files\Common Files\Roxio Shared
     2010-05-07 12:02 . 2009-02-05 17:41 -------- d-----w- c:\documents and settings\Paladin User\Application Data\InstallShield
     2010-05-07 12:02 . 2008-03-14 23:29 -------- d-----w- c:\program files\Common Files\InstallShield
     2010-05-06 13:53 . 2009-05-06 15:27 -------- d-----w- c:\program files\Auction Client
     2010-04-29 19:39 . 2010-01-09 15:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2010-04-29 19:39 . 2010-01-09 15:13 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
     2010-03-24 18:17 . 2010-03-24 08:04 952768 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\30168\AdobeARM.exe
     2010-03-24 18:17 . 2010-03-24 08:04 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\30168\AdobeExtractFiles.dll
     2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\30168\ReaderUpdater.exe
     2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\30168\AcrobatUpdater.exe
     2010-03-11 12:38 . 2006-03-04 03:33 832512 ----a-w- c:\windows\system32\wininet.dll
     2010-03-11 12:38 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
     2010-03-11 12:38 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll
     2010-03-09 11:09 . 2004-08-04 10:00 430080 ----a-w- c:\windows\system32\vbscript.dll
     2010-02-24 13:11 . 2004-08-04 10:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
     .
     ------- Sigcheck -------

     [7] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\user32.dll
     [-] 2008-04-14 . 48FDBBE0E55B15E1886FCF5D8563B19F . 578560 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
     [-] 2007-03-08 . 7AA4F6C00405DFC4B70ED4214E7D687B . 578048 . . [5.1.2600.3099] . . c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
     [-] 2007-03-08 . B409909F6E2E8A7067076ED748ABF1E7 . 577536 . . [5.1.2600.3099] . . c:\windows\$NtServicePackUninstall$\user32.dll
     [-] 2005-03-02 . 1800F293BCCC8EDE8A70E12B88D80036 . 577024 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
     [-] 2005-03-02 . DE2DB164BBB35DB061AF0997E4499054 . 577024 . . [5.1.2600.2622] . . c:\windows\$NtUninstallKB925902$\user32.dll
     [7] 2004-08-04 . C72661F8552ACE7C5C85E16A3CF505C4 . 577024 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB890859$\user32.dll

     [7] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ws2_32.dll
     [-] 2008-04-14 . 5D567A625ECB5B4728130E4B31CA87EF . 82432 . . [5.1.2600.5512] . . c:\windows\system32\ws2_32.dll
     [7] 2004-08-04 . 2ED0B7F12A60F90092081C50FA0EC2B2 . 82944 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ws2_32.dll
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-08-01 1036288]
     "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
     "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-06 141848]
     "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-06 162328]
     "Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-06 137752]
     "ESDUSBMon.exe"="c:\windows\system32\ESDUSBMon.exe" [2005-05-27 188416]
     "Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
     "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
     "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
     "UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-10-21 995528]
     "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
     "Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
     "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

     [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
     "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
     2009-05-05 21:44 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
     @="Service"

     [HKLM\~\startupfolder\C:^Documents and Settings^Paladin User^Start Menu^Programs^Startup^Antimalware Doctor.lnk]
     path=c:\documents and settings\Paladin User\Start Menu\Programs\Startup\Antimalware Doctor.lnk
     backup=c:\windows\pss\Antimalware Doctor.lnkStartup

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\atchk]
     2007-06-13 01:09 408344 ----a-w- c:\program files\Intel\AMT\atchk.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LionClock Server]
     2008-04-22 19:12 3412280 ----a-w- c:\program files\LionClock Server\LionClock Server.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
     2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\security center]
     "FirewallOverride"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
     "DisableMonitoring"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "EnableFirewall"= 0 (0x0)

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
     "c:\\WINDOWS\\system32\\spoolsv.exe"=

     R2 EPSON ESCPOS Status Service;EPSON ESC/POS Status Service;EpStsSrv.exe --> EpStsSrv.exe [?]
     R2 Esdpdx01;Esdpdx01;c:\windows\system32\drivers\ESDPDX01.SYS [5/11/2006 1:51 PM 95485]
     R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe -s --> c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe -s [?]
     R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [3/11/2009 5:09 PM 50192]
     R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [3/11/2009 5:06 PM 36368]
     R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [3/14/2008 7:47 PM 2521880]
     R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 11:19 PM 13592]
     R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe -s --> c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe -s [?]
     S2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [3/11/2009 5:09 PM 677128]
     S3 PortEmulatorHSP7000;Port Emulator (HSP7000);c:\program files\StarMicronics\HSP7000\Software\VirtualPortEmulator\Software\VSPEU\portemu_umdf.exe [7/1/2008 11:44 PM 163840]
     .
     Contents of the 'Scheduled Tasks' folder

     2010-05-23 c:\windows\Tasks\MP Scheduled Scan.job
     - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 03:20]

     2009-03-11 c:\windows\Tasks\Nightly Backup.job
     - c:\paladinpos\PaladinPOS.exe [2008-03-17 15:30]

     2010-06-23 c:\windows\Tasks\Nightly Reboot.job
     - c:\windows\system32\shutdown.exe [2004-08-04 00:12]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://support.paladinpos.com/
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
     Trusted Zone: acehardware-acenet.com
     Trusted Zone: acehardware-aceonline.com
     Trusted Zone: acehardware-eaglevision.com
     Trusted Zone: acehardware-vendors.com
     Trusted Zone: aceservices.com
     Trusted Zone: acehardware-acenet.com
     Trusted Zone: acehardware-aceonline.com
     Trusted Zone: acehardware-eaglevision.com
     Trusted Zone: acehardware-vendors.com
     Trusted Zone: aceservices.com
     DPF: AceIESecuritySettings - hxxp://ww1.acehardware-acenet.com/Controls/AceIESecuritySettings.CAB
     DPF: {24B8CB65-C0D2-11D0-A523-444553540000} - hxxp://ww1.acehardware-acenet.com/ACENET/Controls/AceExpl/AceExpl.cab
     DPF: {41F841C0-AE16-11D5-8817-0050DA6EF5E5} - hxxp://ww1.acehardware-acenet.com/ACENET/controls/FarPoint60/fpspr60.cab
     DPF: {8BF1A503-001F-11D0-A296-00A0246497B9} - hxxp://ww1.acehardware-acenet.com/ACENET/Controls/ACENET/ACECTL.CAB
     DPF: {93D532DD-85FC-4A92-8254-8DB5437D8690} - hxxp://onbase.aceservices.com/AppNet/activex/OBXPopup.cab
     DPF: {C903C000-9C6E-419D-A0AC-2E760BBA3764} - hxxp://ww1.acehardware-acenet.com/ACENET/Controls/MCSi/McsiMenu.cab
     DPF: {F5876F16-5217-4B38-96F3-C2BB80215302} - hxxp://imagemax.aceservices.com/appnet/activex/OBXWebViewer.cab
     .
     - - - - ORPHANS REMOVED - - - -

     WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
     HKLM-Run-Adobe ARM - c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
     AddRemove-Free Invoicer_is1 - c:\program files\Citrusware\unins000.exe

     **************************************************************************

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2010-05-23 12:31
     Windows 5.1.2600 Service Pack 3 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------

     [HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
     "Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
        bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
     "Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
        bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
     "Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
        bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(724)
     c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll

     - - - - - - - > 'explorer.exe'(2528)
     c:\windows\system32\WININET.dll
     c:\windows\system32\ieframe.dll
     .
     ------------------------ Other Running Processes ------------------------
     .
     c:\windows\System32\wudfhost.exe
     c:\program files\Trend Micro\BM\TMBMSRV.exe
     c:\program files\Intel\AMT\atchksrv.exe
     c:\windows\system32\EpStsSrv.exe
     c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe
     c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
     c:\program files\Java\jre6\bin\jqs.exe
     c:\program files\Intel\AMT\LMS.exe
     c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
     c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe
     c:\windows\system32\wscntfy.exe
     c:\windows\system32\igfxsrvc.exe
     .
     **************************************************************************
     .
     Completion time: 2010-05-23 12:35:35 - machine was rebooted
     ComboFix-quarantined-files.txt 2010-05-23 16:35

     Pre-Run: 145,558,949,888 bytes free
     Post-Run: 145,462,886,400 bytes free

     WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
     [boot loader]
     timeout=2
     default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
     [operating systems]
     c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
     multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

     - - End Of File - - DF5E2DEEFB24E5B72AE44C141D0A27C4
  3. Here is the OTL log; the ComboFix log is coming in a second.

     All processes killed
     ========== OTL ==========
     HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
     HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
     HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
     Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\3c1807pd deleted successfully.
     Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\USRpdA deleted successfully.
     C:\Documents and Settings\Paladin User\Local Settings\Application Data\cjubqgwcb folder moved successfully.
     C:\Documents and Settings\Paladin User\Local Settings\Application Data\nwbwlcvia folder moved successfully.
     C:\Documents and Settings\All Users\Application Data\MSTMJVEE folder moved successfully.
     C:\Documents and Settings\All Users\Application Data\0d9c71d\Quarantine Items folder moved successfully.
     C:\Documents and Settings\All Users\Application Data\0d9c71d\MSESys folder moved successfully.
     C:\Documents and Settings\All Users\Application Data\0d9c71d\BackUp folder moved successfully.
     C:\Documents and Settings\All Users\Application Data\0d9c71d folder moved successfully.
     C:\Documents and Settings\Paladin User\Local Settings\Application Data\Windows Server folder moved successfully.
     C:\Documents and Settings\Paladin User\Application Data\6565FAC67FD5EA98CB1770FD0F965885 folder moved successfully.
     C:\WINDOWS\Vhuqyb.exe moved successfully.
     File move failed. C:\WINDOWS\system32\drivers\enworf.sys scheduled to be moved on reboot.
     ========== COMMANDS ==========

     [EMPTYTEMP]

     User: Administrator
     ->Temp folder emptied: 25226 bytes
     ->Temporary Internet Files folder emptied: 33170 bytes

     User: All Users

     User: Default User
     ->Temp folder emptied: 0 bytes
     ->Temporary Internet Files folder emptied: 33170 bytes
     ->Flash cache emptied: 41620 bytes

     User: LocalService
     ->Temp folder emptied: 0 bytes
     ->Temporary Internet Files folder emptied: 143662 bytes

     User: NetworkService
     ->Temp folder emptied: 934364 bytes
     ->Temporary Internet Files folder emptied: 6163350 bytes
     ->Flash cache emptied: 8090 bytes

     User: Paladin User
     ->Temp folder emptied: 289444558 bytes
     ->Temporary Internet Files folder emptied: 28179837 bytes
     ->Java cache emptied: 56569488 bytes
     ->Flash cache emptied: 307366 bytes

     %systemdrive% .tmp files removed: 0 bytes
     %systemroot% .tmp files removed: 2195181 bytes
     %systemroot%\System32 .tmp files removed: 2577 bytes
     %systemroot%\System32\dllcache .tmp files removed: 0 bytes
     %systemroot%\System32\drivers .tmp files removed: 0 bytes
     Windows Temp folder emptied: 145328812 bytes
     %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 10947822 bytes
     %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
     RecycleBin emptied: 143650163 bytes

     Total Files Cleaned = 652.00 mb

     C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
     HOSTS file reset successfully

     OTL by OldTimer - Version 3.2.5.0 log created on 05232010_115056

     Files\Folders moved on Reboot...
     File move failed. C:\WINDOWS\system32\drivers\enworf.sys scheduled to be moved on reboot.

     Registry entries deleted on Reboot...
  4. Thank you, thank you, thank you for the response, kahdah! Here is the log.

OTL logfile created on: 5/23/2010 10:55:18 AM - Run 2
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Documents and Settings\Paladin User\Desktop\New Folder
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
981.00 Mb Total Physical Memory | 598.00 Mb Available Physical Memory | 61.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.01 Gb Total Space | 135.00 Gb Free Space | 90.60% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive P: | 232.81 Gb Total Space | 158.52 Gb Free Space | 68.09% Space Free | Partition Type: NTFS
Computer Name: TERMINAL-4
Current User Name: Paladin User
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal
========== Processes (SafeList) ==========
PRC - C:\Documents and Settings\Paladin User\Desktop\New Folder\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (Trend Micro Inc.)
PRC - C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe (Trend Micro Inc.)
PRC - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe (Trend Micro Inc.)
PRC - C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation) PRC - C:\Program Files\Trend Micro\BM\TMBMSRV.exe (Trend Micro Inc.) PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation) PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation) PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation) PRC - C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.) PRC - C:\Program Files\Intel\AMT\UNS.exe (Intel) PRC - C:\Program Files\Intel\AMT\atchksrv.exe (Intel Corporation) PRC - C:\Program Files\Intel\AMT\LMS.exe (Intel) PRC - C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation) PRC - C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation) PRC - C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation) PRC - C:\WINDOWS\system32\EpStsSrv.exe (SEIKO EPSON Corp.) PRC - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe (The Firebird Project) PRC - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe (The Firebird Project) PRC - C:\WINDOWS\system32\ESDUSBMon.exe (SEIKO EPSON Corp.) ========== Modules (SafeList) ========== MOD - C:\Documents and Settings\Paladin User\Desktop\New Folder\OTL.exe (OldTimer Tools) MOD - C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEHook.dll () MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation) ========== Win32 Services (SafeList) ========== SRV - (SfCtlCom) -- C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe (Trend Micro Inc.) SRV - (TmProxy) -- C:\Program Files\Trend Micro\Internet Security\TmProxy.exe (Trend Micro Inc.) SRV - (SeaPort) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation) SRV - (GoToAssist) -- C:\Program Files\Citrix\GoToAssist\570\g2aservice.exe (Citrix Online, a division of Citrix Systems, Inc.) 
SRV - (TMBMServer) -- C:\Program Files\Trend Micro\BM\TMBMSRV.exe (Trend Micro Inc.) SRV - (PortEmulatorHSP7000) Port Emulator (HSP7000) -- C:\Program Files\StarMicronics\HSP7000\Software\VirtualPortEmulator\Software\VSPEU\portemu_umdf.exe (Star Micronics Co., Ltd.) SRV - (IAANTMON) Intel® -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation) SRV - (UNS) Intel® -- C:\Program Files\Intel\AMT\UNS.exe (Intel) SRV - (atchksrv) Intel® -- C:\Program Files\Intel\AMT\atchksrv.exe (Intel Corporation) SRV - (LMS) Intel® -- C:\Program Files\Intel\AMT\LMS.exe (Intel) SRV - (WinDefend) -- C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation) SRV - (EPSON ESCPOS Status Service) -- C:\WINDOWS\System32\EpStsSrv.exe (SEIKO EPSON Corp.) SRV - (FirebirdServerDefaultInstance) -- C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe (The Firebird Project) SRV - (FirebirdGuardianDefaultInstance) -- C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe (The Firebird Project) ========== Driver Services (SafeList) ========== DRV - (tmxpflt) -- C:\WINDOWS\system32\drivers\tmxpflt.sys (Trend Micro Inc.) DRV - (tmpreflt) -- C:\WINDOWS\system32\drivers\tmpreflt.sys (Trend Micro Inc.) DRV - (vsapint) -- C:\WINDOWS\system32\drivers\vsapint.sys (Trend Micro Inc.) DRV - (tmactmon) -- C:\WINDOWS\system32\drivers\tmactmon.sys (Trend Micro Inc.) DRV - (tmevtmgr) -- C:\WINDOWS\system32\drivers\tmevtmgr.sys (Trend Micro Inc.) DRV - (tmcomm) -- C:\WINDOWS\system32\drivers\tmcomm.sys (Trend Micro Inc.) DRV - (tmtdi) -- C:\WINDOWS\system32\drivers\tmtdi.sys (Trend Micro Inc.) DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider) DRV - (iastor) -- C:\WINDOWS\system32\DRIVERS\iaStor.sys (Intel Corporation) DRV - (ADIHdAudAddService) -- C:\WINDOWS\system32\drivers\ADIHdAud.sys (Analog Devices, Inc.) 
DRV - (DLADResM) -- C:\WINDOWS\system32\drivers\DLADResM.SYS (Roxio) DRV - (DLABMFSM) -- C:\WINDOWS\system32\drivers\DLABMFSM.SYS (Roxio) DRV - (DLAUDF_M) -- C:\WINDOWS\system32\drivers\DLAUDF_M.SYS (Roxio) DRV - (DLAUDFAM) -- C:\WINDOWS\system32\drivers\DLAUDFAM.SYS (Roxio) DRV - (DLAOPIOM) -- C:\WINDOWS\system32\drivers\DLAOPIOM.SYS (Roxio) DRV - (DLABOIOM) -- C:\WINDOWS\system32\drivers\DLABOIOM.SYS (Roxio) DRV - (DLAPoolM) -- C:\WINDOWS\system32\drivers\DLAPoolM.SYS (Roxio) DRV - (DLAIFS_M) -- C:\WINDOWS\system32\drivers\DLAIFS_M.SYS (Roxio) DRV - (DRVMCDB) -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS (Sonic Solutions) DRV - (DLARTL_M) -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS (Roxio) DRV - (DLACDBHM) -- C:\WINDOWS\System32\Drivers\DLACDBHM.SYS (Roxio) DRV - (DRVNDDM) -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS (Roxio) DRV - (HECI) Intel® -- C:\WINDOWS\system32\drivers\HECI.sys (Intel Corporation) DRV - (ialm) -- C:\WINDOWS\system32\drivers\igxpmp32.sys (Intel Corporation) DRV - (e1express) Intel® -- C:\WINDOWS\system32\drivers\e1e5132.sys (Intel Corporation) DRV - (Esdpdx01) -- C:\WINDOWS\system32\drivers\ESDPDX01.SYS (MK Systems CO., LTD.) DRV - (SenFiltService) -- C:\WINDOWS\system32\drivers\senfilt.sys (Sensaura) DRV - (3c1807pd) -- C:\WINDOWS\system32\drivers\3c1807pd.sys (U.S. Robotics Corporation) DRV - (USRpdA) -- C:\WINDOWS\system32\drivers\USRpdA.sys (U.S. 
Robotics Corporation) ========== Standard Registry (All) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data] IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://support.paladinpos.com/ IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation) IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1 IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local> IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555 FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/02 03:00:17 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff 
[2009/05/19 16:46:43 | 000,000,000 | ---D | M] O1 HOSTS File: ([2010/06/22 07:09:06 | 000,262,631 | RHS- | M]) - C:\WINDOWS\system32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O1 - Hosts: 127.0.0.1 www.007guard.com O1 - Hosts: 127.0.0.1 007guard.com O1 - Hosts: 127.0.0.1 010402.com O1 - Hosts: 127.0.0.1 www.032439.com O1 - Hosts: 127.0.0.1 032439.com O1 - Hosts: 127.0.0.1 www.1001-search.info O1 - Hosts: 127.0.0.1 1001-search.info O1 - Hosts: 127.0.0.1 www.100888290cs.com O1 - Hosts: 127.0.0.1 100888290cs.com O1 - Hosts: 127.0.0.1 www.100sexlinks.com O1 - Hosts: 127.0.0.1 100sexlinks.com O1 - Hosts: 127.0.0.1 www.10sek.com O1 - Hosts: 127.0.0.1 10sek.com O1 - Hosts: 127.0.0.1 www.123topsearch.com O1 - Hosts: 127.0.0.1 123topsearch.com O1 - Hosts: 127.0.0.1 www.132.com O1 - Hosts: 127.0.0.1 132.com O1 - Hosts: 127.0.0.1 www.136136.net O1 - Hosts: 127.0.0.1 136136.net O1 - Hosts: 127.0.0.1 www.139mm.com O1 - Hosts: 127.0.0.1 139mm.com O1 - Hosts: 127.0.0.1 www.163ns.com O1 - Hosts: 127.0.0.1 163ns.com O1 - Hosts: 127.0.0.1 171203.com O1 - Hosts: 9098 more lines... O3 - HKLM\..\Toolbar: (MSN Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll (Microsoft Corp.) 
O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation) O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation) O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation) O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation) O4 - HKLM..\Run: [3c1807pd] File not found O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe File not found O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated) O4 - HKLM..\Run: [ESDUSBMon.exe] C:\WINDOWS\system32\ESDUSBMon.exe (SEIKO EPSON Corp.) O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation) O4 - HKLM..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation) O4 - HKLM..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation) O4 - HKLM..\Run: [iSUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation) O4 - HKLM..\Run: [Microsoft Default Manager] C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe (Microsoft Corp.) O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation) O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.) O4 - HKLM..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.) O4 - HKLM..\Run: [synchronization Manager] C:\WINDOWS\System32\mobsync.exe (Microsoft Corporation) O4 - HKLM..\Run: [ufSeAgnt.exe] C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe (Trend Micro Inc.) 
O4 - HKLM..\Run: [uSRpdA] File not found O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation) O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation) O4 - HKCU..\Run: [iSUSPM] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation) O4 - HKCU..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (Trend Micro Inc.) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption = O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext = O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 0 O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation) O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation) O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation) O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation) O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program 
Files\Messenger\msmsgs.exe (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation) O15 - HKLM\..Trusted Domains: acehardware-acenet.com ([]* in Trusted sites) O15 - HKLM\..Trusted Domains: acehardware-aceonline.com ([]* in Trusted sites) O15 - HKLM\..Trusted Domains: acehardware-eaglevision.com ([]* in Trusted sites) O15 - HKLM\..Trusted Domains: acehardware-vendors.com ([]* in Trusted sites) O15 - HKLM\..Trusted Domains: aceservices.com ([]* in Trusted sites) O15 
- HKCU\..Trusted Domains: acehardware-acenet.com ([]* in Trusted sites) O15 - HKCU\..Trusted Domains: acehardware-aceonline.com ([]* in Trusted sites) O15 - HKCU\..Trusted Domains: acehardware-eaglevision.com ([]* in Trusted sites) O15 - HKCU\..Trusted Domains: acehardware-vendors.com ([]* in Trusted sites) O15 - HKCU\..Trusted Domains: aceservices.com ([]* in Trusted sites) O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool) O16 - DPF: {24B8CB65-C0D2-11D0-A523-444553540000} http://ww1.acehardware-acenet.com/ACENET/C...xpl/AceExpl.cab (AceExplorer Control) O16 - DPF: {41F841C0-AE16-11D5-8817-0050DA6EF5E5} http://ww1.acehardware-acenet.com/ACENET/c...t60/fpspr60.cab (FarPoint Spread 6.0 (OLEDB)) O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1233855965781 (WUWebControl Class) O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.hp.com/ediags/gmn2/inst...tDetection2.cab (GMNRev Class) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk...ows-i586-jc.cab (Java Plug-in 1.6.0_13) O16 - DPF: {8BF1A503-001F-11D0-A296-00A0246497B9} http://ww1.acehardware-acenet.com/ACENET/C...ENET/ACECTL.CAB (ACENET Control) O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.) 
O16 - DPF: {93D532DD-85FC-4A92-8254-8DB5437D8690} http://onbase.aceservices.com/AppNet/activex/OBXPopup.cab (OBXPopupBlockerAssistant Control) O16 - DPF: {C903C000-9C6E-419D-A0AC-2E760BBA3764} http://ww1.acehardware-acenet.com/ACENET/C...Si/McsiMenu.cab (MCSiMenuCtl Class) O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13) O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.) O16 - DPF: {EAE50EB0-4A62-11CE-BED6-00AA00611080} http://ww1.acehardware-acenet.com/ACEnet/c...ft/MSpert10.cab (Microsoft Forms 2.0 TabStrip) O16 - DPF: {F5876F16-5217-4B38-96F3-C2BB80215302} http://imagemax.aceservices.com/appnet/act...BXWebViewer.cab (OBXWebViewer Control) O16 - DPF: AceIESecuritySettings http://ww1.acehardware-acenet.com/Controls...itySettings.CAB (Reg Error: Key error.) 
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation) O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation) O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\ipp - No CLSID value found O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - 
C:\WINDOWS\system32\itss.dll (Microsoft Corporation) O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation) O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation) O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation) O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Handler\msdaipp - No CLSID value found O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation) O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation) O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation) O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation) O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation) O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation) O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation) O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation) O18 - 
Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation) O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation) O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation) O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation) O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation) O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation) O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation) O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation) O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll 
(Microsoft Corporation) O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation) O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation) O20 - Winlogon\Notify\GoToAssist: DllName - C:\Program Files\Citrix\GoToAssist\570\G2AWinLogon.dll - C:\Program Files\Citrix\GoToAssist\570\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.) O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation) O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation) O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation) O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation) O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation) O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation) O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINDOWS\System32\WgaLogon.dll (Microsoft Corporation) O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation) O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation) O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation) O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation) O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation) O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll 
(Microsoft Corporation) O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation) O24 - Desktop Components:0 (My Current Home Page) - About:Home O24 - Desktop WallPaper: C:\Documents and Settings\Paladin User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp O24 - Desktop BackupWallPaper: C:\Documents and Settings\Paladin User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation) O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation) O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation) O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation) O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation) O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation) O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation) O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation) O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation) O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation) O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation) O31 - SafeBoot: AlternateShell - cmd.exe O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2008/03/14 19:34:49 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O32 - AutoRun File - [2008/03/14 19:34:49 | 000,000,000 | ---- | M] () - P:\AUTOEXEC.BAT -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) 
- File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/06/22 19:18:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paladin User\Local Settings\Application Data\cjubqgwcb
[2010/06/22 16:00:23 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Paladin User\Desktop\HijackThis.exe
[2010/06/22 12:28:08 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy
[2010/06/21 18:15:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paladin User\Local Settings\Application Data\nwbwlcvia
[2010/06/21 16:42:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/06/21 16:42:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/06/21 16:14:02 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\MSTMJVEE
[2010/06/21 16:12:50 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\0d9c71d
[2010/06/21 16:09:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paladin User\Local Settings\Application Data\Windows Server
[2010/06/21 16:09:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paladin User\Application Data\6565FAC67FD5EA98CB1770FD0F965885
[2010/05/14 10:27:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paladin User\Desktop\denis cimaf
[2010/05/07 08:08:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paladin User\Local Settings\Application Data\Roxio
[2010/05/07 08:03:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Uninstall
[2010/05/07 08:03:05 | 000,099,808 | ---- | C] (Sonic Solutions) -- C:\WINDOWS\System32\drivers\DRVMCDB.SYS
[2010/05/07 08:03:05 | 000,098,448 | ---- | C] (Roxio) -- C:\WINDOWS\System32\drivers\DLAUDF_M.SYS
[2010/05/07 08:03:05 | 000,093,552 | ---- | C] (Roxio) -- C:\WINDOWS\System32\drivers\DLAUDFAM.SYS
[2010/05/07 08:03:05 | 000,052,000 | ---- | C] (Roxio) -- C:\WINDOWS\System32\drivers\DRVNDDM.SYS
[2010/05/07 08:03:05 | 000,037,360 | ---- | C] (Roxio) -- C:\WINDOWS\System32\drivers\DLABMFSM.SYS
[2010/05/07 08:03:05 | 000,032,848 | ---- | C] (Roxio) -- C:\WINDOWS\System32\drivers\DLABOIOM.SYS
[2010/05/07 08:03:05 | 000,027,216 | ---- | C] (Roxio) -- C:\WINDOWS\System32\drivers\DLAOPIOM.SYS
[2010/05/07 08:03:05 | 000,016,304 | ---- | C] (Roxio) -- C:\WINDOWS\System32\drivers\DLAPoolM.SYS
[2010/05/07 08:03:04 | 000,108,752 | ---- | C] (Roxio) -- C:\WINDOWS\System32\drivers\DLAIFS_M.SYS
[2010/05/07 08:03:04 | 000,030,064 | ---- | C] (Roxio) -- C:\WINDOWS\System32\drivers\DLARTL_M.SYS
[2010/05/07 08:03:04 | 000,014,576 | ---- | C] (Roxio) -- C:\WINDOWS\System32\drivers\DLACDBHM.SYS
[2010/05/07 08:03:04 | 000,009,104 | ---- | C] (Roxio) -- C:\WINDOWS\System32\drivers\DLADResM.SYS
[2010/05/07 08:02:54 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\SureThing Shared
[2010/05/07 08:02:22 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Sonic Shared
[2010/05/07 08:02:00 | 000,000,000 | ---D | C] -- C:\Program Files\Roxio
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/23 01:15:00 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\Nightly Reboot.job
[2010/06/22 15:53:17 | 000,262,016 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.new
[2010/06/22 07:09:06 | 000,262,631 | RHS- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/06/21 15:36:52 | 000,184,832 | ---- | M] () -- C:\WINDOWS\Vhuqyb.exe
[2010/05/23 10:57:12 | 000,823,808 | ---- | M] () -- C:\WINDOWS\System32\drivers\enworf.sys
[2010/05/23 10:57:07 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/05/23 10:54:55 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/23 10:54:15 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/23 10:53:59 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/23 10:53:29 | 006,029,312 | -H-- | M] () -- C:\Documents and Settings\Paladin User\NTUSER.DAT
[2010/05/23 10:53:29 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Paladin User\ntuser.ini
[2010/05/23 10:53:28 | 003,184,656 | -H-- | M] () -- C:\Documents and Settings\Paladin User\Local Settings\Application Data\IconCache.db
[2010/05/23 10:53:27 | 000,000,552 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/05/23 10:53:27 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/05/23 10:53:27 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2010/05/22 13:36:40 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Paladin User\Desktop\HijackThis.exe
[2010/05/21 10:39:43 | 000,000,319 | ---- | M] () -- C:\Documents and Settings\Paladin User\Desktop\ACENET Default1.url
[2010/05/18 13:23:40 | 000,017,301 | ---- | M] () -- C:\Documents and Settings\Paladin User\My Documents\Stan Barry.docx
[2010/05/12 11:21:16 | 000,221,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010/05/11 09:30:21 | 000,017,317 | ---- | M] () -- C:\Documents and Settings\Paladin User\My Documents\Stan Berry.docx
[2010/05/11 09:29:53 | 000,066,127 | ---- | M] () -- C:\Documents and Settings\Paladin User\My Documents\IMG00151-20100510-0951.jpg
[2010/05/07 08:03:05 | 000,000,554 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2010/04/30 16:12:03 | 000,011,232 | ---- | M] () -- C:\Documents and Settings\Paladin User\My Documents\ivyclassic.docx
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/22 19:18:47 | 000,823,808 | ---- | C] () -- C:\WINDOWS\System32\drivers\enworf.sys
[2010/06/21 16:31:12 | 000,184,832 | ---- | C] () -- C:\WINDOWS\Vhuqyb.exe
[2010/05/18 13:23:40 | 000,017,301 | ---- | C] () -- C:\Documents and Settings\Paladin User\My Documents\Stan Barry.docx
[2010/05/11 09:30:21 | 000,017,317 | ---- | C] () -- C:\Documents and Settings\Paladin User\My Documents\Stan Berry.docx
[2010/05/11 09:29:55 | 000,066,127 | ---- | C] () -- C:\Documents and Settings\Paladin User\My Documents\IMG00151-20100510-0951.jpg
[2010/05/07 08:09:00 | 000,000,012 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\DragToDiscUserNameD.txt
[2010/05/07 08:03:04 | 000,001,109 | ---- | C] () -- C:\WINDOWS\System32\drivers\PConfig.DCF
[2010/04/30 16:12:03 | 000,011,232 | ---- | C] () -- C:\Documents and Settings\Paladin User\My Documents\ivyclassic.docx
[2009/11/02 12:56:07 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\HPPLVS.dll
[2009/10/31 12:59:27 | 000,001,244 | ---- | C] () -- C:\WINDOWS\RegalRailing.INI
[2008/03/20 16:15:35 | 000,000,539 | ---- | C] () -- C:\WINDOWS\label.ini
[2008/03/19 00:36:30 | 000,167,936 | ---- | C] () -- C:\WINDOWS\System32\EpsStmEW.DLL
[2008/03/19 00:36:30 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\SharpImg.dll
[2008/03/19 00:31:22 | 000,001,345 | ---- | C] () -- C:\WINDOWS\LMAAT2DD.ini
[2008/03/19 00:24:34 | 000,466,944 | R--- | C] () -- C:\WINDOWS\System32\softcoin.dll
[2008/03/19 00:24:34 | 000,344,064 | R--- | C] () -- C:\WINDOWS\System32\gencoin.dll
[2008/03/18 18:14:34 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4837.dll
[2008/03/17 16:37:29 | 000,004,746 | ---- | C] () -- C:\WINDOWS\SigPlus.ini
[2008/03/17 16:33:55 | 000,000,052 | ---- | C] () -- C:\WINDOWS\odbcddp.ini
[2008/03/17 16:33:54 | 000,001,429 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/03/17 16:33:32 | 000,176,235 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll
[2008/03/17 11:02:35 | 000,000,554 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/08/31 12:46:13 | 000,000,310 | ---- | C] () -- C:\WINDOWS\primopdf.ini

========== Alternate Data Streams ==========

@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34

< End of report >
  5. As of this morning it is back to doing the same thing that it was doing yesterday, except that I have internet access on it. I really need help with this. There have been plenty of views on this thread but no responses. I hate to be the whiny new guy, but I am in a jam here. Ryan
  6. Here is the newest HijackThis log. I can't get rid of all those hosts, even when I go in and manually delete them. Any ideas?

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:00:49 PM, on 6/22/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\WINDOWS\system32\EpStsSrv.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\ESDUSBMon.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Paladin User\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://support.paladinpos.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 173.236.107.243 www.google.com
O1 - Hosts: 173.236.107.243 google.com
O1 - Hosts: 173.236.107.243 google.com.au
O1 - Hosts: 173.236.107.243 www.google.com.au
O1 - Hosts: 173.236.107.243 google.be
O1 - Hosts: 173.236.107.243 www.google.be
O1 - Hosts: 173.236.107.243 google.com.br
O1 - Hosts: 173.236.107.243 www.google.com.br
O1 - Hosts: 173.236.107.243 google.ca
O1 - Hosts: 173.236.107.243 www.google.ca
O1 - Hosts: 173.236.107.243 google.ch
O1 - Hosts: 173.236.107.243 www.google.ch
O1 - Hosts: 173.236.107.243 google.de
O1 - Hosts: 173.236.107.243 www.google.de
O1 - Hosts: 173.236.107.243 google.dk
O1 - Hosts: 173.236.107.243 www.google.dk
O1 - Hosts: 173.236.107.243 google.fr
O1 - Hosts: 173.236.107.243 www.google.fr
O1 - Hosts: 173.236.107.243 google.ie
O1 - Hosts: 173.236.107.243 www.google.ie
O1 - Hosts: 173.236.107.243 google.it
O1 - Hosts: 173.236.107.243 www.google.it
O1 - Hosts: 173.236.107.243 google.co.jp
O1 - Hosts: 173.236.107.243 www.google.co.jp
O1 - Hosts: 173.236.107.243 google.nl
O1 - Hosts: 173.236.107.243 www.google.nl
O1 - Hosts: 173.236.107.243 google.no
O1 - Hosts: 173.236.107.243 www.google.no
O1 - Hosts: 173.236.107.243 google.co.nz
O1 - Hosts: 173.236.107.243 www.google.co.nz
O1 - Hosts: 173.236.107.243 google.pl
O1 - Hosts: 173.236.107.243 www.google.pl
O1 - Hosts: 173.236.107.243 google.se
O1 - Hosts: 173.236.107.243 www.google.se
O1 - Hosts: 173.236.107.243 google.co.uk
O1 - Hosts: 173.236.107.243 www.google.co.uk
O1 - Hosts: 173.236.107.243 google.co.za
O1 - Hosts: 173.236.107.243 www.google.co.za
O1 - Hosts: 173.236.107.243 www.google-analytics.com
O1 - Hosts: 173.236.107.243 www.bing.com
O1 - Hosts: 173.236.107.243 search.yahoo.com
O1 - Hosts: 173.236.107.243 www.search.yahoo.com
O1 - Hosts: 173.236.107.243 uk.search.yahoo.com
O1 - Hosts: 173.236.107.243 ca.search.yahoo.com
O1 - Hosts: 173.236.107.243 de.search.yahoo.com
O1 - Hosts: 173.236.107.243 fr.search.yahoo.com
O1 - Hosts: 173.236.107.243 au.search.yahoo.com
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 173.236.107.243 www.google.com
O1 - Hosts: 173.236.107.243 google.com
O1 - Hosts: 173.236.107.243 google.com.au
O1 - Hosts: 173.236.107.243 www.google.com.au
O1 - Hosts: 173.236.107.243 google.be
O1 - Hosts: 173.236.107.243 www.google.be
O1 - Hosts: 173.236.107.243 google.com.br
O1 - Hosts: 173.236.107.243 www.google.com.br
O1 - Hosts: 173.236.107.243 google.ca
O1 - Hosts: 173.236.107.243 www.google.ca
O1 - Hosts: 173.236.107.243 google.ch
O1 - Hosts: 173.236.107.243 www.google.ch
O1 - Hosts: 173.236.107.243 google.de
O1 - Hosts: 173.236.107.243 www.google.de
O1 - Hosts: 173.236.107.243 google.dk
O1 - Hosts: 173.236.107.243 www.google.dk
O1 - Hosts: 173.236.107.243 google.fr
O1 - Hosts: 173.236.107.243 www.google.fr
O1 - Hosts: 173.236.107.243 google.ie
O1 - Hosts: 173.236.107.243 www.google.ie
O1 - Hosts: 173.236.107.243 google.it
O1 - Hosts: 173.236.107.243 www.google.it
O1 - Hosts: 173.236.107.243 google.co.jp
O1 - Hosts: 173.236.107.243 www.google.co.jp
O1 - Hosts: 173.236.107.243 google.nl
O1 - Hosts: 173.236.107.243 www.google.nl
O1 - Hosts: 173.236.107.243 google.no
O1 - Hosts: 173.236.107.243 www.google.no
O1 - Hosts: 173.236.107.243 google.co.nz
O1 - Hosts: 173.236.107.243 www.google.co.nz
O1 - Hosts: 173.236.107.243 google.pl
O1 - Hosts: 173.236.107.243 www.google.pl
O1 - Hosts: 173.236.107.243 google.se
O1 - Hosts: 173.236.107.243 www.google.se
O1 - Hosts: 173.236.107.243 google.co.uk
O1 - Hosts: 173.236.107.243 www.google.co.uk
O1 - Hosts: 173.236.107.243 google.co.za
O1 - Hosts: 173.236.107.243 www.google.co.za
O1 - Hosts: 173.236.107.243 www.google-analytics.com
O1 - Hosts: 173.236.107.243 www.bing.com
O1 - Hosts: 173.236.107.243 search.yahoo.com
O1 - Hosts: 173.236.107.243 www.search.yahoo.com
O1 - Hosts: 173.236.107.243 uk.search.yahoo.com
O1 - Hosts: 173.236.107.243 ca.search.yahoo.com
O1 - Hosts: 173.236.107.243 de.search.yahoo.com
O1 - Hosts: 173.236.107.243 fr.search.yahoo.com
O1 - Hosts: 173.236.107.243 au.search.yahoo.com
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [3c1807pd] C:\WINDOWS\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd
O4 - HKLM\..\Run: [ESDUSBMon.exe] C:\WINDOWS\system32\ESDUSBMon.exe
O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ufSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKUS\S-1-5-19\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.acehardware-acenet.com
O15 - Trusted Zone: *.acehardware-aceonline.com
O15 - Trusted Zone: *.acehardware-eaglevision.com
O15 - Trusted Zone: *.acehardware-vendors.com
O15 - Trusted Zone: *.aceservices.com
O15 - Trusted Zone: *.acehardware-acenet.com (HKLM)
O15 - Trusted Zone: *.acehardware-aceonline.com (HKLM)
O15 - Trusted Zone: *.acehardware-eaglevision.com (HKLM)
O15 - Trusted Zone: *.acehardware-vendors.com (HKLM)
O15 - Trusted Zone: *.aceservices.com (HKLM)
O16 - DPF: AceIESecuritySettings - http://ww1.acehardware-acenet.com/Controls...itySettings.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {24B8CB65-C0D2-11D0-A523-444553540000} (AceExplorer Control) - http://ww1.acehardware-acenet.com/ACENET/C...xpl/AceExpl.cab
O16 - DPF: {41F841C0-AE16-11D5-8817-0050DA6EF5E5} (FarPoint Spread 6.0 (OLEDB)) - http://ww1.acehardware-acenet.com/ACENET/c...t60/fpspr60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1233855965781
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...tDetection2.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk...ows-i586-jc.cab
O16 - DPF: {8BF1A503-001F-11D0-A296-00A0246497B9} (ACENET Control) - http://ww1.acehardware-acenet.com/ACENET/C...ENET/ACECTL.CAB
O16 - DPF: {93D532DD-85FC-4A92-8254-8DB5437D8690} (OBXPopupBlockerAssistant Control) - http://onbase.aceservices.com/AppNet/activex/OBXPopup.cab
O16 - DPF: {C903C000-9C6E-419D-A0AC-2E760BBA3764} (MCSiMenuCtl Class) - http://ww1.acehardware-acenet.com/ACENET/C...Si/McsiMenu.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {EAE50EB0-4A62-11CE-BED6-00AA00611080} (Microsoft Forms 2.0 TabStrip) - http://ww1.acehardware-acenet.com/ACEnet/c...ft/MSpert10.cab
O16 - DPF: {F5876F16-5217-4B38-96F3-C2BB80215302} (OBXWebViewer Control) - http://imagemax.aceservices.com/appnet/act...BXWebViewer.cab
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\570\G2AWinLogon.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Intel® Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: EPSON ESC/POS Status Service (EPSON ESCPOS Status Service) - SEIKO EPSON Corp. - C:\WINDOWS\SYSTEM32\EpStsSrv.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\570\g2aservice.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel® Active Management Technology Local Management Service (LMS) - Intel - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: Port Emulator (HSP7000) (PortEmulatorHSP7000) - Star Micronics Co., Ltd. - C:\Program Files\StarMicronics\HSP7000\Software\VirtualPortEmulator\Software\VSPEU\portemu_umdf.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Intel® Active Management Technology User Notification Service (UNS) - Intel - C:\Program Files\Intel\AMT\UNS.exe

--
End of file - 15978 bytes
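Editor's note on the HijackThis log above. The two findings that explain the symptoms are the R1 ProxyServer line (IE is sending HTTP through 127.0.0.1:5555, so some process on the machine itself is in the path of every web request) and the O1 hosts entries, which do two different jobs: every Google, Bing and Yahoo search hostname resolves to 173.236.107.243 (search hijack), while safebrowsing-cache.google.com and urs.microsoft.com, the reputation services behind Firefox/Chrome Safe Browsing and IE's phishing filter, are pointed at 74.125.45.100 so the browsers stop warning. The script below is an added example, not part of the original post and not a HijackThis feature: it parses those O1 and R1 lines, groups redirects by target address, separates sinkhole-style entries (127.x / 0.0.0.0) from real redirects, and reports a proxy that points back at the machine. The sample lines are copied from the log above plus two constructed benign entries; the hostname heuristics and the output format are mine, and IPv6 proxy literals are not handled.

```python
"""Triage the hosts-file and proxy lines of a HijackThis log.

Added example for this thread; not part of the post or of HijackThis.
"""
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample: lines copied from the posted HijackThis log, plus a
# '127.0.0.1 localhost' line and a 0.0.0.0 sinkhole line for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 173.236.107.243 www.google.com
O1 - Hosts: 173.236.107.243 www.bing.com
O1 - Hosts: 173.236.107.243 search.yahoo.com
O1 - Hosts: 0.0.0.0 ads.example.invalid
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (.+)$")

# Google Safe Browsing cache and IE's URL Reputation Service: redirecting
# these silences the browsers' phishing/malware warnings.
REPUTATION_HOSTS = {"safebrowsing-cache.google.com", "urs.microsoft.com"}


def is_local(host):
    """True for loopback/unspecified targets, i.e. sinkhole-style entries."""
    try:
        addr = ip_address(host)
    except ValueError:
        return host.lower() == "localhost"
    return addr.is_loopback or addr.is_unspecified


def is_search_engine(name):
    """google.<tld> / www.google.<tld>, bing, and *.search.yahoo.com."""
    labels = name.lower().split(".")
    if "google" in labels:
        return labels[0] in ("google", "www")  # not other *.google.com services
    return "bing" in labels or ("yahoo" in labels and "search" in labels)


def parse_proxy_setting(value):
    """Split an IE ProxyServer value into per-scheme entries.

    Accepts 'http=127.0.0.1:5555;https=...' as well as a bare 'host:port'
    (reported with scheme '*'). IPv6 literals are not handled.
    """
    entries = []
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        scheme, sep, hostport = item.partition("=")
        if not sep:
            scheme, hostport = "*", item
        host, _, port = hostport.rpartition(":")
        if not host:  # no port given
            host, port = hostport, ""
        entries.append({"scheme": scheme, "host": host, "port": port,
                        "local": is_local(host)})
    return entries


def triage(log_text):
    """Collect hosts redirects (grouped by target IP) and local proxies."""
    redirects = defaultdict(list)  # non-local target IP -> hostnames sent there
    sinkholed = []                 # hostnames pointed at 127.x / 0.0.0.0
    proxies = []
    for line in log_text.splitlines():
        m = HOSTS_RE.match(line)
        if m:
            target, name = m.group(1), m.group(2).lower()
            if is_local(target):
                if name != "localhost":
                    sinkholed.append(name)
            else:
                redirects[target].append(name)
            continue
        m = PROXY_RE.match(line)
        if m:
            proxies.extend(parse_proxy_setting(m.group(1)))
    redirected = [h for names in redirects.values() for h in names]
    return {
        "redirects": dict(redirects),
        "sinkholed": sinkholed,
        "reputation_services_redirected": sorted(h for h in redirected if h in REPUTATION_HOSTS),
        "search_engines_redirected": sorted(h for h in redirected if is_search_engine(h)),
        "local_proxies": [p for p in proxies if p["local"]],
    }


def verdict(findings):
    """One-line conclusions, in the order an analyst would write them up."""
    notes = []
    for ip, names in findings["redirects"].items():
        hijacked = [h for h in names if is_search_engine(h)]
        if hijacked:
            notes.append(f"search hijack: {len(hijacked)} search-engine hostname(s) resolve to {ip}")
    if findings["reputation_services_redirected"]:
        notes.append("browser reputation checks defeated: "
                     + ", ".join(findings["reputation_services_redirected"]))
    for p in findings["local_proxies"]:
        notes.append(f"{p['scheme']} traffic goes through {p['host']}:{p['port']} "
                     "on this machine; find the process listening there")
    return notes


if __name__ == "__main__":
    for note in verdict(triage(SAMPLE_LOG)):
        print(note)
```

Run against the full log above, the same code reports all of the Google, Bing and Yahoo hostnames at 173.236.107.243, both reputation services at 74.125.45.100, and the http proxy at 127.0.0.1:5555. A practical caveat for the manual hosts edits that "would not stick": the OTL log in the earlier post lists the hosts file as 262,631 bytes with the RHS attributes (read-only, hidden, system) set, and the read-only bit alone makes a Notepad save fail, so clear the attributes first (`attrib -r -h -s` on the file) and confirm afterwards that the file has shrunk to a few lines.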
  7. OK, I am posting from the infected computer now. One of the programs had set me up to run through a fake proxy server. I am going to try HijackThis again and post the log file here, as I am sure there are remnants of files here, and if someone could review all of this and let me know what they think, it would be great!
  8. Well, after playing with this thing all day I have managed to get MBAM to update, and I just ran it in safe mode, where it detected about 125 problems and fixed most of them, except for a few that it said would have to be fixed on reboot. I rebooted and still have internet connection in normal mode or in safe mode (meaning browser functions; I can ping Google in either safe mode with networking or in normal mode). I am assuming that I have something messing with the DNS entries? Here is the MBAM log. I really hope someone has time to help, as I am sort of poking around in the dark on this still.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4131

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.13

6/22/2010 3:22:40 PM
mbam-log-2010-06-22 (15-22-40).txt

Scan type: Full scan (C:\|)
Objects scanned: 195573
Time elapsed: 27 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 23
Registry Values Infected: 9
Registry Data Items Infected: 8
Folders Infected: 1
Files Infected: 86

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\gwd7v3zw2f.dll (Trojan.Ertfor) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{c7ba40a1-74f2-52bd-f411-04b15a2c8953} (Trojan.Ertfor) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c7ba40a1-74f2-52bd-f411-04b15a2c8953} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c7ba40a1-74f2-52bd-f411-04b15a2c8953} (Trojan.Ertfor) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mswu-e505e9f9 (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mswu-f36decbb (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\M5T8QL3YW3 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brastk.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSSUI.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winssnotify.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winss.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OcHealthMon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msfwsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\QZAIB7KITK (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mrt.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c7ba40a1-74f2-52bd-f411-04b15a2c8953} (Trojan.Ertfor) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeaensbk (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asam (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hsfg9w8gujsokgahi8gysgnsdgefshyjy (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\m5t8ql3yw3 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mcexecwin (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qzaib7kitk (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=7&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=7&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-20\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=7&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=7&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=7&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.167,93.188.161.171 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{833f0bb7-4f86-4cf6-a7f1-a4feae6d7a0c}\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.167,93.188.161.171 -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Paladin User\Application Data\My Security Engine (Rogue.MySecurityEngine) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\gwd7v3zw2f.dll (Trojan.Ertfor) -> Delete on reboot.
C:\Documents and Settings\Paladin User\Local Settings\Temp\t5q2qr.dll (Trojan.Ertfor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Paladin User\Local Settings\Application Data\nwbwlcvia\mqtiytgtssd.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Paladin User\Local Settings\Application Data\asam.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Paladin User\Local Settings\Application Data\syssvc.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Paladin User\Local Settings\Temp\3A.tmp (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Paladin User\Local Settings\Temp\ansewocxrm.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\Documents and Settings\Paladin User\Local Settings\Temp\arapj.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Paladin User\Local Settings\Temp\b82umg05aah.exe (Trojan.Hatigh) -> Quarantined and deleted successfully.
C:\Documents and Settings\Paladin User\Local Settings\Temp\cjxaymdn.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Paladin User\Local Settings\Temp\cxgxdna.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Paladin User\Local Settings\Temp\debug.exe (Trojan.Hatigh) -> Quarantined and deleted successfully.
C:\Documents and Settings\Paladin User\Local Settings\Temp\gbcp4dp.exe (Trojan.Ertfor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Paladin User\Local Settings\Temp\RElB.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Paladin User\Local Settings\Temp\rpyuhbu.exe (Trojan.Crypt) -> Quarantined and deleted successfully.
C:\Documents and Settings\Paladin User\Local Settings\Temp\sitlpsqc.exe (Trojan.Ertfor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Paladin User\Local Settings\Temporary Internet Files\Content.IE5\2EO0VNI6\packupdate_build107_302[3].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Paladin User\Local Settings\Temporary Internet Files\Content.IE5\2EO0VNI6\packupdate_build107_302[4].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Paladin User\Local Settings\Temporary Internet Files\Content.IE5\2EO0VNI6\packupdate_build107_328[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\e505e9f9.exe (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\f36decbb.exe (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\a79317.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\AA55e.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\cE55k.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\cE9317.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\CE93k7.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\e79kUO.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\e9a17e3.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\gM555.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\i3qGMY1cE.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\I79317.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\I9q1w9u.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\iQ5wS.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\IQGMY.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\k9yWS93.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\KU317aA.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\M93wSKU.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\mY5cE.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\OC793y79.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\q7wSKU.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\qG31aAA.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\s5eIQ.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\S9eIQG3.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\UOCE9317s.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\W79y17.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\wS9eIQ.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\YW93yW.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\yWS179u.dll (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\3C.tmp (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\aA5k5y5c.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\aAA9k179.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\c55u5m5g.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\G1iQ3w.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\g5555555.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\G93a79.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\kUO5o5o5.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\KUOCEI.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\OCEIQ5.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\Q1w93y.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\Q55c5s.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\q9wS7eIQ.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\qG5i55q5.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\S3e793.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\sKU7m3gM.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\sKUOC3s7.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\u179a1k9.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\u5555kUO.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\U93iQ9.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\uO93m79w.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\w55y5c5s.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\w7uOC793.tmp (Trojan.Dropper.Gen) -> Quarantined and deleted successfully. C:\Documents and Settings\Paladin User\Local Settings\Temp\mdm.exe (Trojan.Downloader) -> Quarantined and deleted successfully. C:\WINDOWS\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (Trojan.Downloader) -> Quarantined and deleted successfully. C:\Documents and Settings\Paladin User\Local Settings\Temp\Vpx.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\Documents and Settings\Paladin User\Desktop\My Security Engine.lnk (Rogue.MySecurityEngine) -> Quarantined and deleted successfully. C:\Documents and Settings\Paladin User\Application Data\Microsoft\Internet Explorer\Quick Launch\My Security Engine.lnk (Rogue.MySecurityEngine) -> Quarantined and deleted successfully. C:\Documents and Settings\Paladin User\Start Menu\My Security Engine.lnk (Rogue.MySecurityEngine) -> Quarantined and deleted successfully. C:\Documents and Settings\Paladin User\Start Menu\Programs\My Security Engine.lnk (Rogue.MySecurityEngine) -> Quarantined and deleted successfully. C:\Documents and Settings\Paladin User\Application Data\Microsoft\Internet Explorer\Quick Launch\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully. C:\Documents and Settings\Paladin User\Desktop\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully. C:\Documents and Settings\Paladin User\Start Menu\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully. C:\WINDOWS\herjek.config (Malware.Trace) -> Quarantined and deleted successfully. C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully. C:\Documents and Settings\Paladin User\Local Settings\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully. 
C:\Documents and Settings\Paladin User\Local Settings\Temp\iexplarer.exe (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\Vhuqya.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
  9. Another update: when I try to run HijackThis it says that the computer will not allow it to write to the hosts file and that I need to manually edit it in Notepad, which I have done, and resave it as 'hosts.' with the quotes. I have done this and rebooted as it said to do and have gotten no results from it. I am really getting desperate here as we are totally without a register until this is resolved.
  10. Here are my two log files: the first is from the OTL scan and the second is from GMER.
========== Files/Folders - Created Within 30 Days ========== [2010/06/22 09:54:14 | 000,258,560 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Paladin User\Desktop\OTH.scr [2010/06/22 09:54:13 | 000,571,904 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Paladin User\Desktop\OTL.exe [2010/06/21 18:15:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paladin User\Local Settings\Application Data\nwbwlcvia [2010/06/21 16:42:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia [2010/06/21 16:42:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe [2010/06/21 16:14:41 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Paladin User\Application Data\My Security Engine [2010/06/21 16:14:02 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\MSTMJVEE [2010/06/21 16:12:50 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\0d9c71d [2010/06/21 16:09:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paladin User\Local Settings\Application Data\Windows Server [2010/06/21 16:09:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paladin User\Application Data\6565FAC67FD5EA98CB1770FD0F965885 [6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2010/06/22 10:10:38 | 000,000,260 | -H-- | M] () -- C:\WINDOWS\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job [2010/06/22 10:10:07 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl [2010/06/22 10:09:04 | 000,000,302 | -H-- | M] () -- C:\WINDOWS\tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job [2010/06/22 10:08:51 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT [2010/06/22 10:08:41 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat [2010/06/22 10:07:02 | 005,767,168 | -H-- | M] () -- C:\Documents and 
Settings\Paladin User\NTUSER.DAT [2010/06/22 10:07:02 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Paladin User\ntuser.ini [2010/06/22 09:57:15 | 000,000,024 | ---- | M] () -- C:\WINDOWS\herjek.config [2010/06/22 09:55:38 | 003,184,656 | -H-- | M] () -- C:\Documents and Settings\Paladin User\Local Settings\Application Data\IconCache.db [2010/06/22 09:55:31 | 000,000,552 | ---- | M] () -- C:\WINDOWS\win.ini [2010/06/22 09:55:31 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini [2010/06/22 09:55:31 | 000,000,211 | -HS- | M] () -- C:\boot.ini [2010/06/22 07:09:14 | 000,001,867 | ---- | M] () -- C:\Documents and Settings\Paladin User\Desktop\My Security Engine.lnk [2010/06/22 07:09:06 | 000,262,631 | RHS- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts [2010/06/22 03:03:46 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job [2010/06/22 01:15:00 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\Nightly Reboot.job [2010/06/21 18:18:08 | 000,060,160 | ---- | M] () -- C:\Documents and Settings\Paladin User\Local Settings\Application Data\syssvc.exe [2010/06/21 18:18:08 | 000,060,160 | ---- | M] () -- C:\Documents and Settings\Paladin User\Local Settings\Application Data\asam.exe [2010/06/21 16:11:16 | 000,001,264 | ---- | M] () -- C:\Documents and Settings\Paladin User\Desktop\Antimalware Doctor.lnk [2010/06/21 16:09:51 | 000,030,000 | ---- | M] () -- C:\WINDOWS\System32\gwd7v3zw2f.dll [2010/06/21 15:36:52 | 000,184,832 | ---- | M] () -- C:\WINDOWS\Vhuqyb.exe [2010/06/21 15:36:52 | 000,184,832 | ---- | M] () -- C:\WINDOWS\Vhuqya.exe [2010/06/21 15:36:50 | 000,075,264 | ---- | M] () -- C:\WINDOWS\System32\f36decbb.exe [2010/06/21 15:36:50 | 000,075,264 | ---- | M] () -- C:\WINDOWS\System32\e505e9f9.exe [6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] ========== Files Created - No Company Name ========== [2010/06/22 10:06:10 | 000,000,260 | -H-- | C] () -- 
C:\WINDOWS\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job [2010/06/22 09:57:15 | 000,000,024 | ---- | C] () -- C:\WINDOWS\herjek.config [2010/06/22 09:54:17 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Paladin User\Desktop\jrp97bg9.exe [2010/06/21 18:19:08 | 000,060,160 | ---- | C] () -- C:\Documents and Settings\Paladin User\Local Settings\Application Data\asam.exe [2010/06/21 18:18:07 | 000,060,160 | ---- | C] () -- C:\Documents and Settings\Paladin User\Local Settings\Application Data\syssvc.exe [2010/06/21 16:57:47 | 000,075,264 | ---- | C] () -- C:\WINDOWS\System32\f36decbb.exe [2010/06/21 16:31:12 | 000,184,832 | ---- | C] () -- C:\WINDOWS\Vhuqyb.exe [2010/06/21 16:23:06 | 000,001,867 | ---- | C] () -- C:\Documents and Settings\Paladin User\Desktop\My Security Engine.lnk [2010/06/21 16:11:13 | 000,001,264 | ---- | C] () -- C:\Documents and Settings\Paladin User\Desktop\Antimalware Doctor.lnk [2010/06/21 16:09:51 | 000,030,000 | ---- | C] () -- C:\WINDOWS\System32\gwd7v3zw2f.dll [2010/06/21 15:37:03 | 000,000,302 | -H-- | C] () -- C:\WINDOWS\tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job [2010/06/21 15:36:56 | 000,184,832 | ---- | C] () -- C:\WINDOWS\Vhuqya.exe [2010/06/21 15:36:50 | 000,075,264 | ---- | C] () -- C:\WINDOWS\System32\e505e9f9.exe [2009/11/02 12:56:07 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\HPPLVS.dll [2009/10/31 12:59:27 | 000,001,244 | ---- | C] () -- C:\WINDOWS\RegalRailing.INI [2008/03/20 16:15:35 | 000,000,539 | ---- | C] () -- C:\WINDOWS\label.ini [2008/03/19 00:36:30 | 000,167,936 | ---- | C] () -- C:\WINDOWS\System32\EpsStmEW.DLL [2008/03/19 00:36:30 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\SharpImg.dll [2008/03/19 00:31:22 | 000,001,345 | ---- | C] () -- C:\WINDOWS\LMAAT2DD.ini [2008/03/19 00:24:34 | 000,466,944 | R--- | C] () -- C:\WINDOWS\System32\softcoin.dll [2008/03/19 00:24:34 | 000,344,064 | R--- | C] () -- C:\WINDOWS\System32\gencoin.dll [2008/03/18 18:14:34 | 000,204,800 | ---- | C] () -- 
C:\WINDOWS\System32\igfxCoIn_v4837.dll [2008/03/17 16:37:29 | 000,004,746 | ---- | C] () -- C:\WINDOWS\SigPlus.ini [2008/03/17 16:33:55 | 000,000,052 | ---- | C] () -- C:\WINDOWS\odbcddp.ini [2008/03/17 16:33:54 | 000,001,429 | ---- | C] () -- C:\WINDOWS\ODBC.INI [2008/03/17 16:33:32 | 000,176,235 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll [2008/03/17 11:02:35 | 000,000,554 | ---- | C] () -- C:\WINDOWS\wininit.ini [2006/08/31 12:46:13 | 000,000,310 | ---- | C] () -- C:\WINDOWS\primopdf.ini ========== LOP Check ========== [2010/06/22 07:10:00 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\0d9c71d [2010/06/21 16:14:02 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\MSTMJVEE [2009/08/27 07:33:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap Games [2008/08/29 14:56:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP [2010/05/07 08:03:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Uninstall [2010/06/21 18:15:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paladin User\Application Data\6565FAC67FD5EA98CB1770FD0F965885 [2010/01/11 15:32:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paladin User\Application Data\Amazon [2010/03/20 13:50:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paladin User\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1 [2009/02/05 13:45:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paladin User\Application Data\MSNInstaller [2010/06/21 16:14:41 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\Paladin User\Application Data\My Security Engine [2008/04/28 10:49:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paladin User\Application Data\Paladin Data Corp [2008/08/29 13:20:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paladin User\Application Data\Paladin 
Data Corporation [2010/06/22 03:03:46 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job [2009/03/11 15:47:16 | 000,000,284 | ---- | M] () -- C:\WINDOWS\Tasks\Nightly Backup.job [2010/06/22 01:15:00 | 000,000,286 | ---- | M] () -- C:\WINDOWS\Tasks\Nightly Reboot.job [2010/06/22 10:10:38 | 000,000,260 | -H-- | M] () -- C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job [2010/06/22 10:09:04 | 000,000,302 | -H-- | M] () -- C:\WINDOWS\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job ========== Purity Check ========== ========== Custom Scans ========== < %SYSTEMDRIVE%\*.* > [2010/04/12 07:10:03 | 000,000,817 | -H-- | M] () -- C:\AppUpdate.log [2008/03/14 19:34:49 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT [2010/06/22 09:55:31 | 000,000,211 | -HS- | M] () -- C:\boot.ini [2008/03/14 19:34:49 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS [2010/06/22 09:47:46 | 000,003,024 | ---- | M] () -- C:\feed.txt [2008/03/14 19:34:49 | 000,000,000 | RHS- | M] () -- C:\IO.SYS [2008/03/14 19:34:49 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS [2004/08/04 06:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM [2008/06/04 18:25:40 | 000,250,048 | RHS- | M] () -- C:\ntldr [2010/06/22 10:08:32 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys [2008/05/06 12:24:38 | 009,362,088 | ---- | M] () -- C:\server_setup_5w.exe < %systemroot%\*./mp /s > < %systemroot%\system32\*.dll /lockedfiles > [1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ] < %systemroot%\Tasks\*.job /lockedfiles > < %systemroot%\System32\config\*.sav > [2008/03/14 11:28:07 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav [2008/03/14 11:28:07 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav [2008/03/14 11:28:07 | 000,897,024 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav < %systemroot%\system32\drivers\*.sys /90 > ========== Alternate Data Streams ========== @Alternate Data Stream - 120 bytes -> C:\Documents and 
Settings\All Users\Application Data\TEMP:5C321E34
< End of report >
Here is the second, which is the GMER log:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-22 11:08:09
Windows 5.1.2600 Service Pack 3
Running: jrp97bg9.exe; Driver: C:\DOCUME~1\PALADI~1\LOCALS~1\Temp\pxrirpoc.sys
---- System - GMER 1.0.15 ----
SSDT 84EC7CC0 ZwCreateKey
SSDT 84EC71C0 ZwCreateProcess
SSDT 84EC7480 ZwCreateProcessEx
SSDT 84EC8B20 ZwCreateThread
SSDT 84EC8240 ZwDeleteKey
SSDT 84EC8500 ZwDeleteValueKey
SSDT 84EC8CC0 ZwLoadDriver
SSDT 84EC7740 ZwOpenProcess
SSDT 84EC7F80 ZwSetValueKey
SSDT 84EC7A00 ZwTerminateProcess
SSDT 84EC8980 ZwWriteVirtualMemory
---- Kernel code sections - GMER 1.0.15 ----
init C:\WINDOWS\system32\drivers\Senfilt.sys entry point in "init" section [0xA9E1CA00]
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\System32\svchost.exe[1240] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009D000A
.text C:\WINDOWS\System32\svchost.exe[1240] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009E000A
.text C:\WINDOWS\System32\svchost.exe[1240] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 009C000C
.text C:\WINDOWS\System32\svchost.exe[1240] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 01C2000A
.text C:\WINDOWS\System32\svchost.exe[1240] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0106000A
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)
---- EOF - GMER 1.0.15 ----
I really appreciate any and all help with this. I am at a total loss with this as of now. Ryan
  11. OK, I got the OTL program to run and have also run GMER and will be posting the log files shortly... after that I don't know what the next step is.
  12. OK, something is really wrong with this computer. I downloaded and ran OTH from a flash drive and then tried to "start OTL" and got a message that said that "otl.exe is infected and must be closed", and it won't let me run that or any other programs.... I really need help with this one.. I'm close to format c:
  13. Just as a side note, when I try to update MBAM it gives this error code: 732(12029,0). I am following the instructions in the thread started by perutom as well, so we shall see what happens.
  14. I have no idea how or why, but a computer that we use as a POS register in a paint store has contracted these two items... I have used MBAM in the past and it has worked like a charm every time, but this problem seems a bit beyond me. There is a similar thread going on here now that I have read through, and in addition to having no internet connection to update MBAM, I am also unable to even run RKill or MBAM or anything else because I get messages that the programs can't open because they are infected files. I have a clean PC right here next to it that I can use to DL files with, but I am at a loss as to where to start. Any other time I just run RKill then MBAM and voila! It's fixed, but not this time!! Ryan