Badly Infected PC, Seems Really Nasty - Need Urgent Help


I have been having major computer issues for a few weeks now, and it seems pretty nasty. I'm starting to fear that our security has been badly compromised. Basically, my issues are:

*Random pop-up windows (full Firefox windows, not just tabs or small ads). These pop-up windows are usually ad sites (some will say that I've won a prize, qualified for something, etc).

*Redirects when I click on some links, even in Cooliris.

*Scrambled, buggy page on one of the forums I visit often (no one else on the site is experiencing any problems).

*SpySweeper continually blocks access to something called "MYROITTRACKING.COM" and "873HGF7XX60.COM"

*Windows XP Welcome screen won't show up despite making sure it is selected under User Accounts (same with Fast Switch). It uses the old login box with the username & password.

*When I try to switch users in XP, I get the error message: "this computer is in use and has been locked. only [computer name\my name] or an administrator can unlock it." I am an administrator, however.

The pop-up window issue is definitely one of the worst, and I'm wondering if the Windows XP login/Welcome Screen issue is related to any of this. It just started suddenly one day, and no matter what we've tried it will not return to normal (I've tried most of the major fixes offered online to no avail). The redirected page problem just started a couple of hours ago.

I have Firefox as my browser (I have IE installed, but we never use it), and Webroot Antivirus with SpySweeper. I use ZoneAlarm for my firewall, along with Windows Firewall.

I tried running GMER four times, and it crashed each time. The first time it rebooted my computer, and the last time it switched my background to a frozen screensaver image and crashed the computer, so unfortunately I couldn't generate a log for it. I attached the Attach file, and also my latest logs from my anti-virus program.

My latest Malwarebytes scan (this evening; no infections found)

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4167

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/5/2010 10:37:39 PM

mbam-log-2010-06-05 (22-37-39).txt

Scan type: Quick scan

Objects scanned: 176138

Time elapsed: 12 minute(s), 45 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

First Malwarebytes scan (June 3rd; some infections found)

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4167

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/3/2010 11:14:36 AM

mbam-log-2010-06-03 (11-14-36).txt

Scan type: Quick scan

Objects scanned: 176836

Time elapsed: 13 minute(s), 29 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 25

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> No action taken.

HKEY_CLASSES_ROOT\AppID\{7b6a2552-e65b-4a9e-add4-c45577ffd8fd} (Adware.EZLife) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Trojan.Dropper) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Melanie\Application Data\setup.exe (Trojan.Dropper) -> No action taken.

C:\WINDOWS\system32\csseqchk32.dll (Trojan.Tracur) -> No action taken.

C:\WINDOWS\system32\d3dx9_2932.dll (Trojan.Tracur) -> No action taken.

C:\WINDOWS\system32\d3dx9_2932.dllyynfbe5kn32.dll (Trojan.Tracur) -> No action taken.

C:\WINDOWS\system32\d3dx9_2932.dllyynfbe5kn32.dll8zqvosz780wrq032.dll (Trojan.Tracur) -> No action taken.

C:\WINDOWS\system32\d3dx9_2932.dllyynfbe5kn32.dll8zqvosz780wrq032.dllb1xebis0cs32.dll (Trojan.Tracur) -> No action taken.

C:\WINDOWS\system32\d3dx9_2932.dllyynfbe5kn32.dll8zqvosz780wrq032.dllb1xebis0cs32.dlloqdmhzsfpno32.dll (Trojan.Tracur) -> No action taken.

C:\WINDOWS\system32\dmband32.dll (Trojan.Tracur) -> No action taken.

C:\WINDOWS\system32\net.net (Trojan.Downloader) -> No action taken.

C:\WINDOWS\system32\dmscript32.dll (Trojan.Tracur) -> No action taken.

C:\WINDOWS\system32\dpnhpast32.dll (Trojan.Tracur) -> No action taken.

C:\WINDOWS\system32\dpuGUI1132.dll (Trojan.Tracur) -> No action taken.

C:\WINDOWS\system32\d3d832.dll (Trojan.Tracur) -> No action taken.

C:\WINDOWS\system32\jbwonjm.dll (Malware.Packer.Gen) -> No action taken.

C:\Documents and Settings\Melanie\Local Settings\Temp\xwcranmseo.tmp (Trojan.Tracur) -> No action taken.

C:\Documents and Settings\Melanie\Local Settings\Temp\noaxwmcser.tmp (Trojan.FraudPack.Gen) -> No action taken.

C:\Documents and Settings\Melanie\Local Settings\Temp\setupv.exe (Trojan.Agent.Gen) -> No action taken.

C:\Documents and Settings\Melanie\Local Settings\Temp\sncawmrexo.tmp (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\Melanie\Local Settings\Temp\KEXj.exe (Trojan.Agent) -> No action taken.

C:\Documents and Settings\Melanie\Local Settings\Temp\ldm.exe (Adware.BHO) -> No action taken.

C:\Documents and Settings\Melanie\Local Settings\Temp\rmwcoseanx.tmp (Malware.Packer.Gen) -> No action taken.

C:\Documents and Settings\Melanie\Local Settings\Temp\maoxwncers.tmp (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\Melanie\Local Settings\Temporary Internet Files\Content.IE5\DLDF7U3R\setup_lib_srl[1].exe (Spyware.Zbot) -> No action taken.

C:\Documents and Settings\Melanie\Local Settings\Temporary Internet Files\Content.IE5\GXCJ8FXT\SearchToolbar-loudmo[1].exe (Adware.Zugo) -> No action taken.

C:\Documents and Settings\Melanie\Local Settings\Temporary Internet Files\Content.IE5\WZG2JW8F\cooler[1].aspx (Trojan.Agent) -> No action taken.

DDS Log

DDS (Ver_10-03-17.01) - NTFSx86

Run by Melanie at 23:19:58.54 on Sat 06/05/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2011 [GMT -5:00]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}

AV: Webroot AntiVirus with Spy Sweeper *On-access scanning enabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}

AV: avast! Internet Security *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\system32\ASTSRV.EXE

C:\WINDOWS\system32\lxdwcoms.exe

C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

C:\Program Files\Windows Media Player\wmplayer.exe

C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Downloaded Programs\Security Related\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll

BHO: {E8B9CF68-0CB7-3259-B545-F95B35439551} - No File

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll

TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"

mRun: [<NO NAME>]

mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [KernelFaultCheck] "%systemroot%\system32\dumprep" 0 -k

mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"

mRun: [avast5] "c:\progra~1\alwils~1\avast5\avastUI.exe" /nogui

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [spySweeper] c:\program files\webroot\webrootsecurity\SpySweeperUI.exe /startintray

IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204

IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202

IE: Download with ImTOO Download YouTube Video - c:\program files\imtoo\download youtube video\upod_link.HTM

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

Trusted Zone: com.tw\asia.msi

Trusted Zone: com.tw\global.msi

Trusted Zone: com.tw\www.msi

DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238541733873

DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\melanie\applic~1\mozilla\firefox\profiles\d9xds795.default\

FF - prefs.js: browser.startup.homepage - hxxp://roadrunner.com/

FF - component: c:\documents and settings\melanie\application data\mozilla\firefox\profiles\d9xds795.default\extensions\piclens@cooliris.com\components\coolirisstub.dll

FF - plugin: c:\documents and settings\melanie\application data\mozilla\firefox\profiles\d9xds795.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll

FF - plugin: c:\documents and settings\melanie\application data\mozilla\plugins\npcoolirisplugin.dll

FF - plugin: c:\documents and settings\melanie\local settings\application data\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\bittorrent_dna\npbtdna.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPSFDMGR.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: google.toolbar.linkdoctor.enabled - false

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-11-6 29808]

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2010-5-15 307280]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-5-15 164048]

R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [2009-11-10 244736]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-4-21 482696]

R2 ASTSRV;Nalpeiron Licensing Service;c:\windows\system32\ASTSRV.EXE [2009-10-11 57344]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-5-15 19024]

R2 lxdw_device;lxdw_device;c:\windows\system32\lxdwcoms.exe -service --> c:\windows\system32\lxdwcoms.exe -service [?]

R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]

R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-11-6 4048240]

R3 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2010-5-15 1201640]

S2 .1196306536SsTR;1196306536SsTR;c:\documents and settings\all users\application data\webroot\R Vasquez2181717.exe [2009-6-1 343435]

S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-15 40384]

S2 lxdwCATSCustConnectService;lxdwCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdwserv.exe [2009-4-3 98984]

S2 SessionLauncher;SessionLauncher;c:\docume~1\melanie\locals~1\temp\dx9\sessionlauncher.exe --> c:\docume~1\melanie\locals~1\temp\dx9\SessionLauncher.exe [?]

S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-15 40384]

S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-15 40384]

S3 MSSQL$SONY_MEDIAMGR2;SQL Server (SONY_MEDIAMGR2);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-5-27 29262680]

S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\roxio\digital home 10\RoxioUPnPRenderer10.exe [2007-8-24 72176]

S3 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\roxio\digital home 10\RoxioUpnpService10.exe [2007-8-24 362992]

S3 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2007-8-24 309744]

S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2007-8-24 1083888]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]

S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]

S4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]

S4 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2007-8-24 166384]

=============== Created Last 30 ================

2010-06-01 20:23:34 7106 ----a-w- c:\windows\system32\thqvmk

2010-06-01 20:21:54 64512 ----a-w- c:\windows\system32\klgd.bmp

2010-05-17 05:55:36 0 d-----w- c:\docume~1\melanie\applic~1\Office Genuine Advantage

2010-05-15 22:50:00 0 d-----w- c:\windows\system32\zh-TW

2010-05-15 22:50:00 0 d-----w- c:\windows\system32\zh-HK

2010-05-15 22:50:00 0 d-----w- c:\windows\system32\tr-TR

2010-05-15 22:17:52 1563008 ----a-w- c:\windows\WRSetup.dll

2010-05-15 22:17:52 0 d-----w- c:\docume~1\melanie\applic~1\Webroot

2010-05-15 22:17:52 0 d-----w- c:\docume~1\alluse~1\applic~1\Webroot

2010-05-15 19:42:12 0 d-----w- c:\program files\MSSOAP

2010-05-15 19:41:46 0 d-----w- c:\program files\Webroot

2010-05-15 05:14:44 307280 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2010-05-15 05:13:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software

==================== Find3M ====================

2010-06-06 04:12:42 4212 ---ha-w- c:\windows\system32\zllictbl.dat

2010-04-29 20:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 20:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-24 00:12:17 87608 ----a-w- c:\docume~1\melanie\applic~1\inst.exe

2010-04-24 00:12:17 47360 ----a-w- c:\docume~1\melanie\applic~1\pcouffin.sys

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll

2008-03-12 21:08:36 0 ----a-w- c:\program files\temp01

2008-09-16 15:53:49 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091620080917\index.dat

============= FINISH: 23:22:49.76 ===============

Attach.zip

Webroot_Software_Session_Log_2010_06.zip

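As an added triage example (not part of the original post, and not something DDS itself does), the Python below parses the SERVICES / DRIVERS section of a DDS log and flags the entries a malware analyst would look at first: images DDS could not verify on disk (the `[?]` trailer), images under a Temp directory or a user profile instead of Program Files or system32, and service names that do not start with a letter. The sample lines are copied from the DDS log above; the flag names and the rules behind them are this example's own heuristics.

```python
"""Triage helper for the SERVICES / DRIVERS section of a DDS log.

Flags autostart entries worth a second look:
  missing      DDS could not verify the image on disk ('[?]')
  temp-dir     image lives under a Temp directory
  profile-dir  image lives under a user profile, not Program Files/system32
  odd-name     service name does not start with a letter
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: six lines copied from the DDS log posted above.
SAMPLE_DDS = r"""
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-11-6 4048240]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S2 .1196306536SsTR;1196306536SsTR;c:\documents and settings\all users\application data\webroot\R Vasquez2181717.exe [2009-6-1 343435]
S2 SessionLauncher;SessionLauncher;c:\docume~1\melanie\locals~1\temp\dx9\sessionlauncher.exe --> c:\docume~1\melanie\locals~1\temp\dx9\SessionLauncher.exe [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
"""

# DDS service line: "<state> <name>;<display name>;<image and trailer>"
LINE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
TRAILER_RE = re.compile(r"\s*\[[^\]]*\]\s*$")   # "[2009-11-6 29808]" or "[?]"
ARGS_RE = re.compile(r"\s+-\S+$")               # trailing "-service" style switch

# Short (8.3) and long forms of the XP profile root (heuristic, this example's own).
PROFILE_PREFIXES = ("c:\\docume~1\\", "c:\\documents and settings\\")


@dataclass
class Finding:
    state: str
    name: str
    image: str
    reasons: List[str]


def split_image(rest: str) -> Tuple[str, bool]:
    """Return (resolved image path, missing-on-disk flag) for a DDS trailer."""
    if " --> " in rest:                 # DDS prints "<raw ImagePath> --> <resolved path>"
        rest = rest.split(" --> ", 1)[1]
    missing = rest.rstrip().endswith("[?]")
    image = TRAILER_RE.sub("", rest)    # drop "[date size]" / "[?]"
    image = ARGS_RE.sub("", image)      # drop a trailing switch such as "-service"
    return image.strip(), missing


def reasons_for(name: str, image: str, missing: bool) -> List[str]:
    """Apply the heuristics; the order of reasons is fixed for readability."""
    low = image.lower()
    reasons: List[str] = []
    if missing:
        reasons.append("missing")
    if "\\temp\\" in low:
        reasons.append("temp-dir")
    if low.startswith(PROFILE_PREFIXES):
        reasons.append("profile-dir")
    if not re.match(r"[a-z]", name, re.IGNORECASE):
        reasons.append("odd-name")
    return reasons


def triage(dds_text: str) -> List[Finding]:
    """Return only the services that trip at least one heuristic."""
    findings: List[Finding] = []
    for line in dds_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # blank lines, headers, other DDS sections
        image, missing = split_image(m["rest"])
        reasons = reasons_for(m["name"], image, missing)
        if reasons:
            findings.append(Finding(m["state"], m["name"], image, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f.state} {f.name:<18} {', '.join(f.reasons):<32} {f.image}")
```

The reasons rank review order rather than prove anything: the `[?]` marker also lands on ZoneAlarm's legitimate vsmon service, which is why it is listed separately from the two entries that combine a profile or Temp path with a missing file or a name that starts with a dot.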

Hello ,

And :P My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

Please try to run GMER with only the Sections option checked.

-------------------------------------------------------------

In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply

  • A detailed description of your problems
  • GMER log


Thank you for responding so quickly Elise.

Unfortunately, I have tried running GMER with only the Sections option checked 3 times now, and each time it stops scanning, but doesn't tell me that it's finished or anything else (is it supposed to?). When I try to save the log, GMER freezes, and my entire computer runs unbearably slow until it freezes altogether (can't surf online, open folders, minimize windows & tabs, etc.). At that point I have to hard-reboot.

The biggest problem seems to be the random pop-up windows (full-size Firefox windows) and now the redirects. It seems to happen randomly, but more often when I am on certain sites that I frequent. The page redirects started yesterday, but the pop-up windows have occurred for at least a week or so. The pages that pop up are usually sites like "work from home", "take a vacation", "you've won X amount of money", "claim a prize", etc., though they vary.

Whenever I start the PC and open Firefox, I keep getting the "Well, this is embarrassing" error, and I have to tell Firefox to try to load my tabs again. This happens probably 95% of the time, and has been occurring for the past couple of days or so.

We have always used the Welcome screen in Windows XP, but now when we turn the computer on, only the default login box appears. My name is in the username box, and the password box is blank, but I don't have to enter a password. Going into Control Panel > User Accounts > User Accounts > Change the way users log on or off does nothing at all -- both the Use the Welcome Screen and Use Fast User Switching boxes are checked. When I actually try to switch users, however, I get an error box (that looks exactly like the default login box) that states "This computer is in use and has been locked. Only [computer name\my name] or an administrator can unlock it." My husband and I are both administrators, and the same thing happens on his account when he tries to switch users. This has been happening since our last Windows XP Security Update, and no online fix has been able to correct it. I'm not sure if this issue is related to this malware/virus problem, however.

We are currently using Webroot Antivirus with SpySweeper, and it continually blocks access to something called "MYROITTRACKING.COM" and also "873HGF7XX60.COM". Also, one of the forums that I frequent has become very buggy and a little scrambled (text layered on top of other text, disappearing buttons, etc.). No one else on the forum is experiencing any issues, but the site admin often uses icons and smileys that have been purchased from questionable sites (my old ZoneAlarm antivirus actually blocked access to one of those sites in the past).

If there is any other info you need, please let me know. Whatever this is, it seems very very bad and seems to get worse nearly every day.


An ETA on my post above: I tried GMER again (with only the Sections option checked), and this time it did finish the scan (I had saved the .exe to a subfolder in C drive; this time I moved it to the Desktop and ran it from there).

GMER scan (Sections option only)

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-06-06 15:46:39

Windows 5.1.2600 Service Pack 3

Running: t13p8kfh.exe; Driver: C:\DOCUME~1\Melanie\LOCALS~1\Temp\kfnoipod.sys

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C5C 805044F8 16 Bytes [FC, 28, 1B, AE, 54, 29, 1B, ...]

.text ntkrnlpa.exe!ZwCallbackReturn + 2C88 80504524 12 Bytes JMP D7F0F35B

.text ntkrnlpa.exe!ZwCallbackReturn + 2CB0 8050454C 4 Bytes JMP 320EAE32

.text ntkrnlpa.exe!ZwCallbackReturn + 2D54 805045F0 12 Bytes [50, 16, 32, AE, 60, D9, 34, ...] {PUSH EAX; PUSH SS; XOR CH, [ESI-0x51cb26a0]; SBB BL, 0x34; SCASB }

.text ntkrnlpa.exe!ZwCallbackReturn + 2D98 80504634 16 Bytes [2C, 29, 1B, AE, 7C, 29, 1B, ...] {SUB AL, 0x29; SBB EBP, [ESI-0x51e4d684]; LOOPNZ 0xffffffffffffff8c; XOR CH, [ESI-0x51e4d56c]}

.text ...

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB2D22380, 0x550AF5, 0xE8000020]

.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xADABC400, 0x7960C, 0xE8000020]

.protect

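As an added example, not from the original post and not part of GMER, the Python below decodes the "Kernel code sections" lines posted above. It separates inline JMP patches from raw byte overwrites and from "section is writeable" entries, expands the hex characteristics word GMER prints (0xE8000020) into its IMAGE_SCN_* flag names, and marks any JMP target that lies below 0x80000000, the user/kernel boundary on 32-bit Windows XP with the default 2 GB split (an assumption, stated in the code; a /3GB system would use 0xC0000000). The sample lines are copied from the GMER log above.

```python
"""Decode GMER 'Kernel code sections' output.

Classifies each line as an inline JMP patch, a raw byte overwrite, or a
writable code section, and expands PE section characteristics.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# IMAGE_SCN_* section characteristic bits from the PE/COFF specification (winnt.h).
SECTION_FLAGS: Dict[int, str] = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
    0x04000000: "IMAGE_SCN_MEM_NOT_CACHED",
    0x08000000: "IMAGE_SCN_MEM_NOT_PAGED",
    0x10000000: "IMAGE_SCN_MEM_SHARED",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}

# Assumption: default 32-bit XP split, kernel space starts at 0x80000000 (0xC0000000 with /3GB).
KERNEL_BASE = 0x80000000

# Constructed sample: lines copied from the GMER log posted above.
SAMPLE_GMER = r"""
.text ntkrnlpa.exe!ZwCallbackReturn + 2C5C 805044F8 16 Bytes [FC, 28, 1B, AE, 54, 29, 1B, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 2C88 80504524 12 Bytes JMP D7F0F35B
.text ntkrnlpa.exe!ZwCallbackReturn + 2CB0 8050454C 4 Bytes JMP 320EAE32
.text ...
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB2D22380, 0x550AF5, 0xE8000020]
.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xADABC400, 0x7960C, 0xE8000020]
"""

# ".text <module>!<symbol> + <off> <addr> <n> Bytes <JMP target | [bytes ...]>"
PATCH_RE = re.compile(
    r"^\.text\s+(?P<module>[^!\s]+)!(?P<symbol>\S+)\s+\+\s+(?P<off>[0-9A-Fa-f]+)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+)\s+Bytes\s+(?P<body>.*)$")
# ".text <driver path> section is writeable [0x<base>, 0x<size>, 0x<characteristics>]"
WRITABLE_RE = re.compile(
    r"^\.text\s+(?P<path>.+?) section is writeable \[0x(?P<base>[0-9A-Fa-f]+), "
    r"0x(?P<size>[0-9A-Fa-f]+), 0x(?P<chars>[0-9A-Fa-f]+)\]")


@dataclass
class Entry:
    kind: str                       # 'jmp', 'bytes' or 'writable'
    where: str                      # module!symbol+offset, or the driver path
    address: int                    # patched address or section base
    target: Optional[int] = None    # JMP destination (kind == 'jmp')
    size: Optional[int] = None      # section size (kind == 'writable')
    note: str = ""
    flags: List[str] = field(default_factory=list)


def decode_section_flags(chars: int) -> List[str]:
    """Expand a PE section Characteristics word into IMAGE_SCN_* names, low bit first."""
    return [name for bit, name in sorted(SECTION_FLAGS.items()) if chars & bit]


def classify_target(target: int) -> str:
    """Kernel code should never jump into the user-mode half of the address space."""
    if target < KERNEL_BASE:
        return "user-space target: kernel code jumping below 0x%08X" % KERNEL_BASE
    return "kernel-space target"


def parse_gmer(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        m = PATCH_RE.match(line)
        if m:
            where = "%s!%s+%s" % (m["module"], m["symbol"], m["off"])
            addr = int(m["addr"], 16)
            if m["body"].startswith("JMP "):
                target = int(m["body"].split()[1], 16)
                entries.append(Entry("jmp", where, addr, target=target, note=classify_target(target)))
            else:
                entries.append(Entry("bytes", where, addr, note="%s bytes overwritten" % m["n"]))
            continue
        m = WRITABLE_RE.match(line)
        if m:
            flags = decode_section_flags(int(m["chars"], 16))
            wx = "IMAGE_SCN_MEM_WRITE" in flags and "IMAGE_SCN_MEM_EXECUTE" in flags
            note = "code section is writable and executable (W+X)" if wx else "section is writable"
            entries.append(Entry("writable", m["path"], int(m["base"], 16),
                                 size=int(m["size"], 16), note=note, flags=flags))
        # anything else ('.text ...', '.protect', blank) is skipped
    return entries


if __name__ == "__main__":
    for e in parse_gmer(SAMPLE_GMER):
        print(f"{e.kind:<8} {e.where:<45} 0x{e.address:08X} {e.note}")
```

Under these assumptions two of the three ntkrnlpa.exe entries are inline JMPs away from the patched kernel code and one of them lands at 0x320EAE32, a user-mode address, which legitimate kernel code never does. The two writable sections decode to CODE | NOT_PAGED | EXECUTE | READ | WRITE; such entries are common for legitimate third-party drivers and are not by themselves evidence of infection, so the JMP lines are the ones to prioritise.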

Hello there,

Sounds like it's time to start some serious cleanup :)

P2P WARNING

-------------------

Going over your logs I noticed that you have uTorrent installed.

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a sm


I just finished running ComboFix. It said that I had ZoneAlarm Security Suite running real-time monitoring, but I don't have that program installed anymore (just ZoneAlarm Pro now). I hope that didn't skew the results -- I couldn't find ZoneAlarm Security Suite anywhere on my computer.

ComboFix Scan

ComboFix 10-06-06.04 - Melanie 06/07/2010   4:08.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2642 [GMT -5:00]
Running from: c:\documents and settings\Melanie\Desktop\ComboFix.exe
AV: Webroot AntiVirus with Spy Sweeper *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Pro Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Melanie\Application Data\inst.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server
C:\feed.txt
c:\program files\Internet Explorer\SET53.tmp
c:\program files\Internet Explorer\SET57.tmp
c:\program files\Internet Explorer\SET58.tmp
c:\program files\Internet Explorer\SET79.tmp
c:\program files\Internet Explorer\SET7A.tmp
c:\program files\Internet Explorer\SET7B.tmp
c:\windows\system32\hlp.dat
c:\windows\system32\klgd.bmp

Infected copy of c:\windows\system32\ws2_32.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\ws2_32.dll

.
((((((((((((((((((((((((( Files Created from 2010-05-07 to 2010-06-07 )))))))))))))))))))))))))))))))
.

2010-05-18 01:11 . 2010-05-18 01:11 -------- d-----w- c:\documents and settings\Ray\Application Data\Webroot
2010-05-17 05:55 . 2010-05-17 05:55 -------- d-----w- c:\documents and settings\Melanie\Application Data\Office Genuine Advantage
2010-05-16 20:04 . 2010-05-16 20:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-05-15 22:50 . 2010-05-15 22:50 -------- d-----w- c:\windows\system32\zh-TW
2010-05-15 22:50 . 2010-05-15 22:50 -------- d-----w- c:\windows\system32\zh-HK
2010-05-15 22:50 . 2010-05-15 22:50 -------- d-----w- c:\windows\system32\tr-TR
2010-05-15 22:17 . 2010-05-15 22:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2010-05-15 22:17 . 2010-05-15 22:17 -------- d-----w- c:\documents and settings\Melanie\Application Data\Webroot
2010-05-15 22:17 . 2009-11-06 20:19 1563008 ----a-w- c:\windows\WRSetup.dll
2010-05-15 19:42 . 2010-05-15 19:42 -------- d-----w- c:\program files\MSSOAP
2010-05-15 19:41 . 2010-05-15 19:41 -------- d-----w- c:\program files\Webroot
2010-05-15 05:13 . 2010-06-07 08:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-05-15 05:13 . 2010-05-15 05:13 -------- d-----w- c:\program files\Alwil Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-07 09:48 . 2009-04-21 09:32 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-06-05 20:55 . 2007-11-29 07:18 -------- d-----w- c:\program files\QuickTime
2010-06-05 20:54 . 2009-01-03 23:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-06-05 20:53 . 2009-01-03 23:40 -------- d-----w- c:\program files\Common Files\Apple
2010-06-03 16:14 . 2009-10-29 22:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-01 06:45 . 2009-01-21 05:34 -------- d-----w- c:\program files\Coupons
2010-05-25 10:53 . 2009-08-16 20:10 -------- d-----w- c:\documents and settings\Melanie\Application Data\LimeWire
2010-05-25 10:02 . 2010-01-22 10:58 -------- d-----w- c:\documents and settings\Melanie\Application Data\uTorrent
2010-05-23 23:17 . 2007-11-29 08:57 461128 ----a-w- c:\documents and settings\Melanie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-15 17:15 . 2010-05-15 17:16 1752576 ----a-w- c:\windows\Internet Logs\xDB19.tmp
2010-05-14 21:40 . 2010-01-22 10:59 -------- d-----w- c:\program files\uTorrent
2010-05-14 05:07 . 2010-02-02 21:13 -------- d-----w- c:\documents and settings\Melanie\Application Data\ZoomBrowser EX
2010-05-14 04:48 . 2010-02-02 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2010-05-12 07:15 . 2007-11-29 07:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-02 17:52 . 2009-06-18 00:36 28927682 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-05-02 00:28 . 2010-05-02 00:28 -------- d-----w- c:\program files\ExtractNow
2010-04-29 20:39 . 2009-10-29 22:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2009-10-29 22:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-24 23:31 . 2010-04-24 23:31 -------- d-----w- c:\program files\Trend Micro
2010-04-24 05:09 . 2010-04-24 05:09 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{654BBB15-6EFB-44E9-9E8B-F75DAF1B3B4C}
2010-04-24 02:35 . 2010-04-23 23:54 -------- d-----w- c:\program files\DVDFab 7
2010-04-24 00:37 . 2009-12-03 23:58 -------- d-----w- c:\documents and settings\Melanie\Application Data\DVDFab
2010-04-24 00:12 . 2009-12-03 20:24 -------- d-----w- c:\program files\DVDFab 6
2010-04-24 00:12 . 2008-03-19 03:19 -------- d-----w- c:\documents and settings\Melanie\Application Data\Vso
2010-04-24 00:12 . 2008-03-19 03:19 47360 ----a-w- c:\documents and settings\Melanie\Application Data\pcouffin.sys
2010-04-19 06:57 . 2008-02-19 20:38 -------- d-----w- c:\program files\Electronic Arts
2010-04-19 06:57 . 2007-11-29 03:46 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-09 17:25 . 2010-04-09 17:26 3725824 ----a-w- c:\windows\Internet Logs\xDB18.tmp
2010-04-09 10:11 . 2007-11-29 03:52 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-03 22:07 . 2010-04-03 22:07 163393 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2010_04_03_17_07_42_small.dmp.zip
2010-03-17 21:58 . 2010-03-17 21:59 3675648 ----a-w- c:\windows\Internet Logs\xDB17.tmp
2010-03-17 21:57 . 2010-03-17 21:59 2771456 ----a-w- c:\windows\Internet Logs\xDB16.tmp
2010-03-17 21:13 . 2010-03-17 21:13 15314338 ----a-w- c:\windows\Internet Logs\UpdClient_2nd_2010_03_17_15_03_55_full.dmp.zip
2010-03-17 21:13 . 2010-03-17 21:13 74712 ----a-w- c:\windows\Internet Logs\UpdClient_2nd_2010_03_17_15_03_54_small.dmp.zip
2010-03-10 06:15 . 2006-02-28 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2008-03-12 21:08 . 2008-03-12 21:08 0 ----a-w- c:\program files\temp01
.

------- Sigcheck -------

[7] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\user32.dll
[-] 2008-04-14 . 48FDBBE0E55B15E1886FCF5D8563B19F . 578560 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
[-] 2007-03-08 . 7AA4F6C00405DFC4B70ED4214E7D687B . 578048 . . [5.1.2600.3099] . . c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2007-03-08 . B409909F6E2E8A7067076ED748ABF1E7 . 577536 . . [5.1.2600.3099] . . c:\windows\$NtServicePackUninstall$\user32.dll
[7] 2006-02-28 . C72661F8552ACE7C5C85E16A3CF505C4 . 577024 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB890859$\user32.dll
[-] 2005-03-02 . 1800F293BCCC8EDE8A70E12B88D80036 . 577024 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2005-03-02 . DE2DB164BBB35DB061AF0997E4499054 . 577024 . . [5.1.2600.2622] . . c:\windows\$NtUninstallKB925902$\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-09-22 1011080]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-11-06 6515784]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Register Mask Pro 3.0.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Register Mask Pro 3.0.lnk
backup=c:\windows\pss\Register Mask Pro 3.0.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Melanie^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Melanie\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Ray^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Ray\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2007-05-11 04:46 624248 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 20:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2008-03-06 19:56 61440 ----a-r- c:\program files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-18 13:58 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2007-11-29 07:55 286016 ----a-w- c:\program files\BitTorrent_DNA\dna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTCheck]
2007-11-06 16:08 397312 ------w- c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2007-08-14 09:44 113136 ----a-w- c:\program files\Roxio\CinePlayer\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
2007-03-15 23:16 454784 ----a-w- c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-12-06 04:55 54832 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 7600 Series Fax Server]
2008-05-21 15:45 311976 ----a-w- c:\program files\Lexmark 7600 Series\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdwamon]
2008-05-21 15:45 16040 ----a-w- c:\program files\Lexmark 7600 Series\lxdwamon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdwmon.exe]
2008-05-21 15:45 676520 ----a-w- c:\program files\Lexmark 7600 Series\lxdwmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 21:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2010-01-12 04:17 110696 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 02:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2006-11-23 21:10 56928 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2007-08-24 21:52 240112 ----a-w- c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
2009-11-06 20:19 6515784 ----a-w- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-11-25 06:53 2001648 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS11 Preload]
2007-03-03 20:12 341488 ----a-w- c:\program files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPatrol]
2007-08-02 16:59 292152 ------w- c:\program files\WinPatrol\WinPatrol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\EA GAMES\\The Battle for Middle-earth (tm)\\game.dat"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Roxio\\Digital Home 10\\RoxioUPnPRenderer10.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Roxio\\Creator Classic 10\\Creator10.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\WINDOWS\\system32\\lxdwcoms.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\StreamCast\\Morpheus\\MorphEXE.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"e:\\Program Files\\Dragon Age\\bin_ship\\daorigins.exe"=
"e:\\Program Files\\Dragon Age\\DAOriginsLauncher.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"<NO NAME>"=
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [11/6/2009 12:00 PM 29808]
R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [11/10/2009 4:49 PM 244736]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 9:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 9:43 AM 74480]
R2 ASTSRV;Nalpeiron Licensing Service;c:\windows\system32\ASTSRV.EXE [10/11/2009 2:30 PM 57344]
R2 lxdw_device;lxdw_device;c:\windows\system32\lxdwcoms.exe -service --> c:\windows\system32\lxdwcoms.exe -service [?]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 8:09 PM 11032]
R3 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [5/15/2010 5:19 PM 1201640]
S2 .1196306536SsTR;1196306536SsTR;c:\documents and settings\All Users\Application Data\Webroot\R Vasquez2181717.exe [6/1/2009 8:54 PM 343435]
S2 lxdwCATSCustConnectService;lxdwCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdwserv.exe [4/3/2009 4:46 PM 98984]
S2 SessionLauncher;SessionLauncher;c:\docume~1\Melanie\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\Melanie\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
S3 MSSQL$SONY_MEDIAMGR2;SQL Server (SONY_MEDIAMGR2);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [5/27/2009 3:27 AM 29262680]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [8/24/2007 4:53 PM 72176]
S3 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [8/24/2007 4:53 PM 362992]
S3 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [8/24/2007 4:52 PM 309744]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [8/24/2007 4:52 PM 1083888]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 9:43 AM 7408]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S4 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [8/24/2007 4:52 PM 166384]
.
Contents of the 'Scheduled Tasks' folder

2010-06-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-06-07 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]

2010-06-04 c:\windows\Tasks\wrSpySweeper_L0A950A3EBEB7409694A43040B28E8735.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2010-05-15 20:19]

2010-06-04 c:\windows\Tasks\wrSpySweeper_L0A950A3EBEB7409694A43040B28E8735.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2010-05-15 20:19]
.
.
------- Supplementary Scan -------
.
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Download with ImTOO Download YouTube Video - c:\program files\ImTOO\Download YouTube Video\upod_link.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
FF - ProfilePath - c:\documents and settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\
FF - prefs.js: browser.startup.homepage - hxxp://roadrunner.com/
FF - component: c:\documents and settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\Melanie\Application Data\Mozilla\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\Melanie\Local Settings\Application Data\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\BitTorrent_DNA\npbtdna.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSFDMGR.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

BHO-{E8B9CF68-0CB7-3259-B545-F95B35439551} - (no file)
HKLM-Run-nwiz - nwiz.exe
SafeBoot-AVG Anti-Spyware Driver
SafeBoot-AVG Anti-Spyware Guard
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe
AddRemove-ojgvdvpfievrefto - c:\windows\system32\ojgvdvpfievrefto.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-07 04:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8AD21EC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb810cf28
\Driver\ACPI -> ACPI.sys @ 0xb7f7fcb8
\Driver\atapi -> atapi.sys @ 0xb7eb6852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(804)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1752)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\hnetcfg.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\lxdwcoms.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Webroot\WebrootSecurity\SpySweeper.exe
.
**************************************************************************
.
Completion time: 2010-06-07 05:02:21 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-07 10:01

Pre-Run: 130,904,190,976 bytes free
Post-Run: 137,660,772,352 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 06AAD827E648204B811C2E3ADFF9BF45


Hi there,

TWO ANTIVIRUS PROGRAMS

---------------------------------------

I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:

  • False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
  • System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.

Therefore please go to add/remove in the control panel and remove either Webroot or ZoneAlarm.

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.

  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:

FCopy::
c:\windows\ServicePackFiles\i386\user32.dll | c:\windows\system32\user32.dll

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
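The FCopy step above acts on the Sigcheck block in the earlier ComboFix log: two copies of user32.dll carry the same version (5.1.2600.5512) and the same size (578560 bytes) but different MD5 hashes, and the copy under c:\windows\system32 is the one that gets replaced from c:\windows\ServicePackFiles. The following is an added example, not code from the thread or from ComboFix, that parses Sigcheck lines in this layout and flags any file whose hash differs from the same-version copy kept in the ServicePackFiles reference directory. The sample input is constructed from the three lines on this page; the regex, function names and the choice of ServicePackFiles as the trusted reference are assumptions of this example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the ComboFix Sigcheck layout (copied from this thread's log).
SAMPLE_SIGCHECK = r"""
[7] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\user32.dll
[-] 2008-04-14 . 48FDBBE0E55B15E1886FCF5D8563B19F . 578560 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
[-] 2007-03-08 . 7AA4F6C00405DFC4B70ED4214E7D687B . 578048 . . [5.1.2600.3099] . . c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
"""

# One Sigcheck line: [flag] date . MD5 . size . . [version] . . path
SIGCHECK_LINE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]+)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)


def parse_sigcheck(text):
    """Return a list of dicts, one per Sigcheck line that matches the layout."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_LINE.match(line.strip())
        if not m:
            continue  # headers, blank lines and the '.' separators are skipped
        entry = m.groupdict()
        entry["size"] = int(entry["size"])
        entry["md5"] = entry["md5"].upper()
        entries.append(entry)
    return entries


def find_reference_mismatches(entries, reference_dir="servicepackfiles"):
    """Compare each file against the same-name, same-version copy under the
    reference directory (assumed here to be ServicePackFiles, as in the thread).
    A differing MD5 for the same version means the file content was altered."""
    references = {}
    for e in entries:
        p = PureWindowsPath(e["path"])
        if reference_dir in (part.lower() for part in p.parts):
            references[(p.name.lower(), e["version"])] = e

    mismatches = []
    for e in entries:
        p = PureWindowsPath(e["path"])
        ref = references.get((p.name.lower(), e["version"]))
        if ref is None or ref is e:
            continue  # no trusted copy of this version, or this is the reference itself
        if e["md5"] != ref["md5"]:
            mismatches.append({
                "path": e["path"],
                "md5": e["md5"],
                "reference": ref["path"],
                "reference_md5": ref["md5"],
                # same size with a different hash is the telltale of an in-place patch
                "same_size": e["size"] == ref["size"],
            })
    return mismatches


if __name__ == "__main__":
    for m in find_reference_mismatches(parse_sigcheck(SAMPLE_SIGCHECK)):
        print(f"{m['path']} MD5 {m['md5']} differs from reference "
              f"{m['reference']} ({m['reference_md5']}); same size: {m['same_size']}")
```

The 5.1.2600.3099 and other hotfix copies are not flagged because no reference copy of that version is present; only a same-version hash disagreement is reported, which is the condition the FCopy above repairs.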


I REALLY need help with this:

We always remember to keep only one anti-virus program running, and for the past couple of weeks we have been running Webroot AntiVirus with SpySweeper. I had ZoneAlarm Security Suite before that, and I made sure to disable it before installing Webroot. I ended up installing ZoneAlarm Pro for use as my firewall, and I must have installed it over ZSS. Even though ZSS has been disabled/uninstalled for a while and is not supposed to be monitoring, all of my scans (and Windows Firewall) show that it IS still monitoring.

I have used the standard manual ZoneAlarm cleaning tutorial and have used the cleaning .exe program to remove ALL traces of ZoneAlarm (including ZoneAlarm Pro) from my computer. Even after all of that, Windows Firewall shows ZoneAlarm as actively monitoring my computer.

Whenever I need to run a ComboFix scan, it always shows ZoneAlarm as being active, but no matter WHAT I try, I simply cannot disable it. All traces should be completely removed from my computer, including the registry (which I pored over myself). How can I possibly remove this for good? I have tried doing all of this in Safe Mode also.

Here is my latest ComboFix scan with CFScript (I'm particularly concerned with the Other Deletions section, "Restored copy from - Kitty had a snack : p " That sounds AWFUL.)

ComboFix 10-06-06.04 - Melanie 06/07/2010  17:13:14.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2678 [GMT -5:00]
Running from: c:\documents and settings\Melanie\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Melanie\Desktop\CFScript.txt
AV: Webroot AntiVirus with Spy Sweeper *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\WudfPf.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\user32.dll --> c:\windows\system32\user32.dll
.
((((((((((((((((((((((((( Files Created from 2010-05-07 to 2010-06-07 )))))))))))))))))))))))))))))))
.

2010-06-07 21:28 . 2010-06-07 21:28 -------- d-----w- c:\windows\Internet Logs
2010-05-18 01:11 . 2010-05-18 01:11 -------- d-----w- c:\documents and settings\Ray\Application Data\Webroot
2010-05-17 05:55 . 2010-05-17 05:55 -------- d-----w- c:\documents and settings\Melanie\Application Data\Office Genuine Advantage
2010-05-16 20:04 . 2010-05-16 20:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-05-15 22:50 . 2010-05-15 22:50 -------- d-----w- c:\windows\system32\zh-TW
2010-05-15 22:50 . 2010-05-15 22:50 -------- d-----w- c:\windows\system32\zh-HK
2010-05-15 22:50 . 2010-05-15 22:50 -------- d-----w- c:\windows\system32\tr-TR
2010-05-15 22:17 . 2010-05-15 22:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2010-05-15 22:17 . 2010-05-15 22:17 -------- d-----w- c:\documents and settings\Melanie\Application Data\Webroot
2010-05-15 22:17 . 2009-11-06 20:19 1563008 ----a-w- c:\windows\WRSetup.dll
2010-05-15 19:42 . 2010-05-15 19:42 -------- d-----w- c:\program files\MSSOAP
2010-05-15 19:41 . 2010-05-15 19:41 -------- d-----w- c:\program files\Webroot
2010-05-15 05:13 . 2010-06-07 08:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-05-15 05:13 . 2010-05-15 05:13 -------- d-----w- c:\program files\Alwil Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-05 20:55 . 2007-11-29 07:18 -------- d-----w- c:\program files\QuickTime
2010-06-05 20:54 . 2009-01-03 23:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-06-05 20:53 . 2009-01-03 23:40 -------- d-----w- c:\program files\Common Files\Apple
2010-06-03 16:14 . 2009-10-29 22:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-01 06:45 . 2009-01-21 05:34 -------- d-----w- c:\program files\Coupons
2010-05-31 20:36 . 2009-11-25 06:51 117760 ----a-w- c:\documents and settings\Melanie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-27 00:10 . 2010-06-03 15:34 57856 ----a-w- c:\documents and settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
2010-05-27 00:10 . 2010-06-03 15:34 545280 ----a-w- c:\documents and settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
2010-05-27 00:10 . 2010-06-03 15:34 4687360 ----a-w- c:\documents and settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\piclens@cooliris.com\libs\cooliris192.dll
2010-05-27 00:10 . 2010-06-03 15:34 153088 ----a-w- c:\documents and settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
2010-05-27 00:10 . 2010-06-03 15:34 103424 ----a-w- c:\documents and settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\piclens@cooliris.com\libs\pixomatic.dll
2010-05-27 00:10 . 2010-06-03 15:34 425984 ----a-w- c:\documents and settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
2010-05-25 10:53 . 2009-08-16 20:10 -------- d-----w- c:\documents and settings\Melanie\Application Data\LimeWire
2010-05-25 10:02 . 2010-01-22 10:58 -------- d-----w- c:\documents and settings\Melanie\Application Data\uTorrent
2010-05-23 23:17 . 2007-11-29 08:57 461128 ----a-w- c:\documents and settings\Melanie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-14 21:40 . 2010-01-22 10:59 -------- d-----w- c:\program files\uTorrent
2010-05-14 05:07 . 2010-02-02 21:13 -------- d-----w- c:\documents and settings\Melanie\Application Data\ZoomBrowser EX
2010-05-14 04:48 . 2010-02-02 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2010-05-12 07:15 . 2007-11-29 07:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-02 00:28 . 2010-05-02 00:28 -------- d-----w- c:\program files\ExtractNow
2010-04-29 20:39 . 2009-10-29 22:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2009-10-29 22:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-24 23:31 . 2010-04-24 23:31 388096 ----a-r- c:\documents and settings\Melanie\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-04-24 23:31 . 2010-04-24 23:31 -------- d-----w- c:\program files\Trend Micro
2010-04-24 05:09 . 2010-04-24 05:09 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{654BBB15-6EFB-44E9-9E8B-F75DAF1B3B4C}
2010-04-24 02:35 . 2010-04-23 23:54 -------- d-----w- c:\program files\DVDFab 7
2010-04-24 00:37 . 2009-12-03 23:58 -------- d-----w- c:\documents and settings\Melanie\Application Data\DVDFab
2010-04-24 00:12 . 2009-12-03 20:24 -------- d-----w- c:\program files\DVDFab 6
2010-04-24 00:12 . 2008-03-19 03:19 -------- d-----w- c:\documents and settings\Melanie\Application Data\Vso
2010-04-24 00:12 . 2008-03-19 03:19 47360 ----a-w- c:\documents and settings\Melanie\Application Data\pcouffin.sys
2010-04-24 00:12 . 2008-03-19 03:19 47360 ----a-w- c:\documents and settings\Melanie\Application Data\pcouffin.sys
2010-04-19 06:57 . 2008-02-19 20:38 -------- d-----w- c:\program files\Electronic Arts
2010-04-19 06:57 . 2007-11-29 03:46 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-13 21:40 . 2010-04-13 21:40 52224 ----a-w- c:\documents and settings\Melanie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-09 10:11 . 2007-11-29 03:52 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-10 06:15 . 2006-02-28 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2008-03-12 21:08 . 2008-03-12 21:08 0 ----a-w- c:\program files\temp01
.

((((((((((((((((((((((((((((( SnapShot@2010-06-07_09.49.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-02-28 12:00 . 2008-04-14 00:12 578560 c:\windows\system32\dllcache\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-11-06 6515784]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Register Mask Pro 3.0.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Register Mask Pro 3.0.lnk
backup=c:\windows\pss\Register Mask Pro 3.0.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Melanie^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Melanie\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Ray^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Ray\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2007-05-11 04:46 624248 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 20:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2008-03-06 19:56 61440 ----a-r- c:\program files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-18 13:58 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2007-11-29 07:55 286016 ----a-w- c:\program files\BitTorrent_DNA\dna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTCheck]
2007-11-06 16:08 397312 ------w- c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2007-08-14 09:44 113136 ----a-w- c:\program files\Roxio\CinePlayer\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
2007-03-15 23:16 454784 ----a-w- c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-12-06 04:55 54832 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 7600 Series Fax Server]
2008-05-21 15:45 311976 ----a-w- c:\program files\Lexmark 7600 Series\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdwamon]
2008-05-21 15:45 16040 ----a-w- c:\program files\Lexmark 7600 Series\lxdwamon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdwmon.exe]
2008-05-21 15:45 676520 ----a-w- c:\program files\Lexmark 7600 Series\lxdwmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 21:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2010-01-12 04:17 110696 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 02:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2006-11-23 21:10 56928 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2007-08-24 21:52 240112 ----a-w- c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
2009-11-06 20:19 6515784 ----a-w- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-11-25 06:53 2001648 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS11 Preload]
2007-03-03 20:12 341488 ----a-w- c:\program files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPatrol]
2007-08-02 16:59 292152 ------w- c:\program files\WinPatrol\WinPatrol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\EA GAMES\\The Battle for Middle-earth (tm)\\game.dat"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Roxio\\Digital Home 10\\RoxioUPnPRenderer10.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Roxio\\Creator Classic 10\\Creator10.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\WINDOWS\\system32\\lxdwcoms.exe"=
"c:\\Program Files\\StreamCast\\Morpheus\\MorphEXE.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"e:\\Program Files\\Dragon Age\\bin_ship\\daorigins.exe"=
"e:\\Program Files\\Dragon Age\\DAOriginsLauncher.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"<NO NAME>"=
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [11/6/2009 12:00 PM 29808]
R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [11/10/2009 4:49 PM 244736]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 9:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 9:43 AM 74480]
R2 ASTSRV;Nalpeiron Licensing Service;c:\windows\system32\ASTSRV.EXE [10/11/2009 2:30 PM 57344]
R2 lxdw_device;lxdw_device;c:\windows\system32\lxdwcoms.exe -service --> c:\windows\system32\lxdwcoms.exe -service [?]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 8:09 PM 11032]
S2 .1196306536SsTR;1196306536SsTR;c:\documents and settings\All Users\Application Data\Webroot\R Vasquez2181717.exe [6/1/2009 8:54 PM 343435]
S2 lxdwCATSCustConnectService;lxdwCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdwserv.exe [4/3/2009 4:46 PM 98984]
S2 SessionLauncher;SessionLauncher;c:\docume~1\Melanie\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\Melanie\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
S3 MSSQL$SONY_MEDIAMGR2;SQL Server (SONY_MEDIAMGR2);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [5/27/2009 3:27 AM 29262680]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [8/24/2007 4:53 PM 72176]
S3 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [8/24/2007 4:53 PM 362992]
S3 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [8/24/2007 4:52 PM 309744]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [8/24/2007 4:52 PM 1083888]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 9:43 AM 7408]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [5/15/2010 5:19 PM 1201640]
S4 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [8/24/2007 4:52 PM 166384]
.
Contents of the 'Scheduled Tasks' folder

2010-06-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-06-07 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
.
------- Supplementary Scan -------
.
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Download with ImTOO Download YouTube Video - c:\program files\ImTOO\Download YouTube Video\upod_link.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
FF - ProfilePath - c:\documents and settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\
FF - prefs.js: browser.startup.homepage - hxxp://roadrunner.com/
FF - component: c:\documents and settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\Melanie\Application Data\Mozilla\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\Melanie\Local Settings\Application Data\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\BitTorrent_DNA\npbtdna.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSFDMGR.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-07 17:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-06-07 17:36:28
ComboFix-quarantined-files.txt 2010-06-07 22:36
ComboFix2.txt 2010-06-07 10:02

Pre-Run: 137,915,621,376 bytes free
Post-Run: 137,876,373,504 bytes free

- - End Of File - - 97FF18B1E5460B64A4A69311E7DFF368

I will try to be online later tonight to receive your reply soon after you send it.

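The services section of a ComboFix log like the one above is where a helper's eye goes first: binaries ComboFix could not find (`[?]`), services started from user-writable folders, and atypical service names. As an added example that is not part of this thread or of ComboFix itself, here is a small Python triage pass over six service lines copied from the log above; the heuristics and flag names are my own, and a flag is a lead for a human to verify, not a verdict.

```python
# Added example (not part of the thread): triage the services section of a
# ComboFix log. Lines look like
#   <start> <name>;<display>;<path> [<date> <size>]      (binary found)
#   <start> <name>;<display>;<path> --> <path> [?]       (binary not found)
# where <start> is R (running) / S (stopped) plus the start-type digit
# (0 boot, 1 system, 2 auto, 3 manual, 4 disabled).
import re
from dataclasses import dataclass, field
from typing import List, Optional

SERVICE_RE = re.compile(
    r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)

# Directories a regular user can write to; a service binary living here is a
# lead worth checking, not proof of anything.
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\local settings\\")


@dataclass
class Service:
    start: str
    name: str
    display: str
    path: str
    autostart: bool
    missing: bool
    flags: List[str] = field(default_factory=list)


def parse_service(line: str) -> Optional[Service]:
    """Parse one ComboFix service line; return None for any other line."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    missing = rest.endswith("[?]")
    # Drop the trailing "[date size]" / "[?]" metadata, then keep the
    # resolved path on the right of "-->" when ComboFix printed one.
    path = rest.rsplit(" [", 1)[0]
    if " --> " in path:
        path = path.split(" --> ")[-1]
    return Service(
        start=m.group("start"),
        name=m.group("name"),
        display=m.group("display"),
        path=path,
        autostart=m.group("start")[1] in "012",
        missing=missing,
    )


def flag_service(svc: Service) -> List[str]:
    """Heuristic leads for a reviewer (order is fixed so results are stable)."""
    flags = []
    if svc.missing:
        flags.append("missing-binary")  # ComboFix could not locate the file
    low = svc.path.lower()
    if any(d in low for d in USER_WRITABLE):
        flags.append("user-writable-dir")
    # Names starting with punctuation or carrying long digit runs are atypical
    # for vendor services (compare ".1196306536SsTR" in the log above).
    if not svc.name[0].isalnum() or re.search(r"\d{6,}", svc.name):
        flags.append("odd-name")
    return flags


def triage(log_text: str) -> List[Service]:
    """Return only the services that earned at least one flag."""
    hits = []
    for line in log_text.splitlines():
        svc = parse_service(line)
        if svc is None:
            continue
        svc.flags = flag_service(svc)
        if svc.flags:
            hits.append(svc)
    return hits


# Sample input: six service lines copied from the ComboFix log in this thread.
SAMPLE_LOG = r"""
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [11/6/2009 12:00 PM 29808]
R2 lxdw_device;lxdw_device;c:\windows\system32\lxdwcoms.exe -service --> c:\windows\system32\lxdwcoms.exe -service [?]
S2 .1196306536SsTR;1196306536SsTR;c:\documents and settings\All Users\Application Data\Webroot\R Vasquez2181717.exe [6/1/2009 8:54 PM 343435]
S2 SessionLauncher;SessionLauncher;c:\docume~1\Melanie\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\Melanie\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [5/15/2010 5:19 PM 1201640]
"""

if __name__ == "__main__":
    for svc in triage(SAMPLE_LOG):
        state = "autostart" if svc.autostart else "manual/disabled"
        print(f"{svc.start} {svc.name:<18} {state:<16} {', '.join(svc.flags)}")
        print(f"    {svc.path}")
```

Four of the six sample lines come back flagged; the two Webroot driver and client-service entries in known program directories do not.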

Hello again,

Yes, you can install the security update.

I'm particularly concerned with the Other Deletions section, "Restored copy from - Kitty had a snack : p " That sounds AWFUL.
This was a rootkit that had infected a driver file. "Kitty had a snack" means it's actually been disinfected, so that is a good thing :)

However, this was a nasty rootkit, so please consider the following information first.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and cleaned, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

Please let me know how things are running now (what problems are still left). Launch MBAM, update it and run a full scan. Please post me the scan results.


So far so good -- I haven't had any pop-up windows or redirecting today. I ran a Malwarebytes full scan and it came up empty for C drive, and found a couple of infections on two other drives (very old unused keygens that may or may not be false positives). An antivirus scan also came up clean. Good news! :)

While we DO want to clean this PC, we are accepting the fact that we'll most likely format C drive and reinstall Windows XP. This is a home PC used for everything from playing games & music to doing banking, online bill paying, and online purchasing. It is very important to us that this PC be as secure as possible.

We do have a few questions about formatting the hard drive:

* If we go ahead and format C drive, would we need to format our other two hard drives as well? They are both internals (E: and G:), and used mainly for storage space.

* Could our other hard drives be in any way compromised the way C drive was?

* To save our data, would we just copy everything to another drive? Like an external hard drive, or one of our other internal drives? Our C drive is 500GB (465GB readable) with 128GB free.

* Will it be safe to copy our old saved data back onto a freshly formatted C drive?

In the meantime, we do want to go forward with any other steps needed to clean this computer.

Malwarebytes Full Scan (C drive)

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4167

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/8/2010 8:01:48 AM
mbam-log-2010-06-08 (08-01-48).txt

Scan type: Full scan (C:\|)
Objects scanned: 811017
Time elapsed: 3 hour(s), 42 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Malwarebytes Full Scan (E and G drives)

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4167

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/8/2010 7:42:50 PM
mbam-log-2010-06-08 (19-42-50).txt

Scan type: Full scan (E:\|G:\|)
Objects scanned: 456172
Time elapsed: 1 hour(s), 25 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
E:\Computer Miscellany\Computer Appearance Miscellany\Desktop Themes\reset\reset-shoot.exe (Joke.Winshoot) -> Quarantined and deleted successfully.
G:\Other Programs\EMULATION & ZIP PROGRAMS\ALCOHOL 120 1.9.7.Build 6221(NEW-UPDATED Build)\ALCOHOL 120 1.9.7.Build 6221(NEW-UPDATED Build)\CRACK\LOADER exe\Alcohol.exe (Trojan.Agent) -> Quarantined and deleted successfully.
G:\Other Programs\River Past Products Pack 2008\Booster Packs\Keygen.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
G:\Other Programs\VSO PhotoOnWeb Fixed\Keygen.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.


And also, I am still not able to use the Windows XP Welcome screen, and I can't switch between users. It still says that the computer is locked, and only an administrator can unlock it. My husband and I are both administrators.


First, let's answer your questions and then proceed with fixing the welcome screen/user switching :)

* If we go ahead and format C drive, would we need to format our other two hard drives as well? They are both internals (E: and G:), and used mainly for storage space.
It would be good; however, you can scan your drives with, for example, MBAM (as you did) to make sure no bad files are left there.
* Could our other hard drives be in any way compromised the way C drive was?
It's not the C drive that is compromised, it's the Windows installation on that C drive ;)

That is the reason a reformat/reinstall is recommended.

* To save our data, would we just copy everything to another drive? Like an external hard drive, or one of our other internal drives? Our C drive is 500GB (465GB readable) with 128GB free.
If this is about personal files, like documents, pics, music, videos, then yes. You cannot save applications this way. You could make a complete backup (there are various free programs to do this); however, that would also back up the changes the rootkit made. As said, the problem is with the Windows installation.
* Will it be safe to copy our old saved data back onto a freshly formatted C drive?
Again, yes, as long as this data is verified (scanned) and is only personal data (pics/music and so on).

Now, to fix the welcome screen and user switching features I first need to see a new log. Be sure to follow the instructions carefully!

OTL

-----

Please download OTL from one of the following mirrors:

* Save it to your desktop.

* Double click on the OTL icon on your desktop.

* Click the "Scan All Users" checkbox.

* Push the Run Scan button.

* Two reports will open, copy and paste them in a reply here:

  • OTListIt.txt <-- Will be opened
  • Extra.txt <-- Will be minimized


Thank you so much for answering those questions. This process has gone pretty smoothly so far. :)

One quick question: is there any possibility that there could be a backdoor vulnerability on our router (Linksys WRT 54G v8), and if so, how can we protect ourselves against it? Since we switched to a faster cable modem (from a 1.5Mbps), we haven't been able to connect our laptop to our wireless network. Many of our security issues began not long after the switch also.

OTListIt Log

OTL logfile created on: 6/9/2010 1:42:16 PM - Run 1
OTL by OldTimer - Version 3.2.6.0     Folder = C:\Documents and Settings\Melanie\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 76.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.75 Gb Total Space | 128.14 Gb Free Space | 27.51% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 298.09 Gb Total Space | 254.87 Gb Free Space | 85.50% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
Drive G: | 931.51 Gb Total Space | 342.85 Gb Free Space | 36.81% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: R-092D61DFCD9F4
Current User Name: Melanie
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

[color=#E56717]========== Processes (SafeList) ==========[/color]

PRC - [2010/06/09 13:41:28 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Melanie\Desktop\OTL.exe
PRC - [2010/05/15 17:19:36 | 001,201,640 | ---- | M] (Webroot Software, Inc. ) -- C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
PRC - [2010/04/02 17:25:50 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/11/06 15:19:58 | 006,515,784 | ---- | M] (Webroot Software, Inc.) -- C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
PRC - [2009/11/06 12:00:22 | 004,048,240 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
PRC - [2009/11/06 12:00:22 | 000,165,232 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\WebrootSecurity\SSU.exe
PRC - [2008/11/24 22:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2008/11/24 22:31:08 | 000,239,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
PRC - [2008/10/07 15:28:28 | 000,589,824 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\lxdwcoms.exe
PRC - [2008/05/19 12:13:20 | 000,057,344 | ---- | M] (Nalpeiron Ltd.) -- C:\WINDOWS\system32\ASTSRV.EXE
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/10/26 16:04:10 | 004,354,048 | ---- | M] (SRS Labs, Inc.) -- C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe
PRC - [2007/07/24 11:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) -- C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe


[color=#E56717]========== Modules (SafeList) ==========[/color]

MOD - [2010/06/09 13:41:28 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Melanie\Desktop\OTL.exe
MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] --  -- (SessionLauncher)
SRV - [2010/05/15 17:19:36 | 001,201,640 | ---- | M] (Webroot Software, Inc. ) [On_Demand | Running] -- C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe -- (WRConsumerService)
SRV - [2009/11/06 12:00:22 | 004,048,240 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Auto | Running] -- C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe -- (WebrootSpySweeperService)
SRV - [2009/09/08 13:55:15 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/06/01 06:06:52 | 000,343,435 | R--- | M] () [Auto | Stopped] -- C:\Documents and Settings\All Users\Application Data\Webroot\R Vasquez2181717.exe -- (.1196306536SsTR)
SRV - [2009/05/27 03:27:04 | 029,262,680 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$SONY_MEDIAMGR2) SQL Server (SONY_MEDIAMGR2)
SRV - [2008/11/24 22:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2008/11/24 22:31:08 | 000,239,968 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2008/11/24 22:31:08 | 000,045,408 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)
SRV - [2008/10/14 18:17:38 | 000,611,664 | ---- | M] (Lavasoft) [Disabled | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice)
SRV - [2008/10/07 15:28:28 | 000,589,824 | ---- | M] (Lexmark International, Inc.) [Auto | Running] -- C:\WINDOWS\System32\lxdwcoms.exe -- (lxdw_device)
SRV - [2008/05/19 12:13:20 | 000,057,344 | ---- | M] (Nalpeiron Ltd.) [Auto | Running] -- C:\WINDOWS\system32\ASTSRV.EXE -- (ASTSRV)
SRV - [2008/05/16 10:32:56 | 000,098,984 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdwserv.exe -- (lxdwCATSCustConnectService)
SRV - [2007/08/24 16:53:16 | 000,362,992 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe -- (Roxio Upnp Server 10)
SRV - [2007/08/24 16:53:14 | 000,072,176 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe -- (Roxio UPnP Renderer 10)
SRV - [2007/08/24 16:52:48 | 000,309,744 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe -- (RoxLiveShare10)
SRV - [2007/08/24 16:52:46 | 000,166,384 | ---- | M] (Sonic Solutions) [Disabled | Stopped] -- C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe -- (RoxWatch10)
SRV - [2007/08/24 16:52:38 | 001,083,888 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe -- (RoxMediaDB10)
SRV - [2007/07/24 11:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) [Auto | Running] -- C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe -- (PSI_SVC_2)
SRV - [2007/03/20 17:41:24 | 000,153,792 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe -- (Adobe Version Cue CS3)
SRV - [2007/03/06 11:35:02 | 000,198,168 | ---- | M] (InterVideo Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe -- (Capture Device Service)
SRV - [2007/03/03 14:48:28 | 000,067,056 | ---- | M] (Ulead Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)
SRV - [2007/01/31 15:55:42 | 000,096,370 | ---- | M] (Canon Inc.) [Disabled | Stopped] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2007/01/04 19:48:52 | 000,112,152 | R--- | M] (InterVideo) [On_Demand | Stopped] -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)


========== Driver Services (SafeList) ==========

DRV - [2010/01/11 23:03:33 | 010,276,768 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2009/11/23 09:43:30 | 000,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/11/23 09:43:30 | 000,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/11/23 09:43:28 | 000,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2009/11/06 12:00:36 | 000,176,752 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ssidrv.sys -- (ssidrv)
DRV - [2009/11/06 12:00:36 | 000,023,152 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sshrmd.sys -- (sshrmd)
DRV - [2009/11/06 12:00:34 | 000,029,808 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ssfs0bbc.sys -- (ssfs0bbc)
DRV - [2008/09/24 10:40:22 | 004,122,368 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\alcxwdm.sys -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2008/08/14 07:57:42 | 000,074,720 | ---- | M] (Adobe Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\adfs.sys -- (adfs)
DRV - [2008/04/14 02:21:50 | 000,017,920 | ---- | M] (Your Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\Ntaccess.sys -- (NTACCESS)
DRV - [2008/01/20 02:07:58 | 000,033,292 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\scdemu.sys -- (SCDEmu)
DRV - [2007/08/18 04:09:04 | 000,057,328 | ---- | M] (Sonic Solutions) [File_System | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\RxFilter.sys -- (RxFilter)
DRV - [2007/07/26 09:25:12 | 000,039,808 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SRS_SSCFilter_i386.sys -- (SRS_SSCFilter) SRS Labs Audio Sandbox (WDM)
DRV - [2007/04/17 20:09:28 | 000,011,032 | ---- | M] (InterVideo) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\regi.sys -- (regi)
DRV - [2007/03/22 12:57:14 | 000,028,672 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\elagopro.sys -- (elagopro)
DRV - [2007/03/22 12:57:14 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\elaunidr.sys -- (elaunidr)
DRV - [2007/01/10 07:00:00 | 000,244,736 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\c2scsi.sys -- (c2scsi)
DRV - [2006/06/16 06:56:38 | 000,083,968 | R--- | M] (Realtek Semiconductor Corporation                           ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2005/12/29 18:04:24 | 000,024,064 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ATITool.sys -- (ATITool)
DRV - [2005/09/20 17:27:20 | 000,010,368 | ---- | M] (InterVideo, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\iviaspi.sys -- (Iviaspi)
DRV - [2005/07/28 09:18:40 | 000,685,056 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\hardlock.sys -- (Hardlock)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1078081533-413027322-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://roadrunner.com/"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2
FF - prefs.js..extensions.enabledItems: {0545b830-f0aa-4d7e-8820-50a4629a56fe}:4.6
FF - prefs.js..extensions.enabledItems: piclens@cooliris.com:1.12.0.36605
FF - prefs.js..extensions.enabledItems: {CE6E6E3B-84DD-4cac-9F63-8D2AE4F30A4B}:3.1.0521
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.6.8
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.7.3
FF - prefs.js..extensions.enabledItems: noia2_option@kk.noia:3.76
FF - prefs.js..extensions.enabledItems: personas@christopher.beard:1.5.3
FF - prefs.js..extensions.enabledItems: {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}:3.76
FF - prefs.js..extensions.enabledItems: {F587B2D4-7C09-4a23-AC4A-8D6E3CE8C7DA}:3.6
FF - prefs.js..extensions.enabledItems: {33A8946C-B859-4f7d-8382-ADAB29623DEE}:3.6


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/06/05 15:53:04 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/06/05 15:53:02 | 000,000,000 | ---D | M]

[2009/08/16 15:10:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Extensions
[2009/08/16 15:10:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2010/06/08 15:14:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions
[2010/05/08 17:10:14 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}
[2009/04/21 00:29:12 | 000,000,000 | ---D | M] (FlashGot) -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}(2)
[2010/03/12 15:09:10 | 000,000,000 | ---D | M] (Scribblies Kids) -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\{33A8946C-B859-4f7d-8382-ADAB29623DEE}
[2010/01/21 16:27:51 | 000,000,000 | ---D | M] (FoxyTunes) -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}
[2010/02/27 15:03:34 | 000,000,000 | ---D | M] (FoxyTunes Skin - Aqua Bubbles Purple) -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\{469CEB59-8266-438b-91D9-82F56D595E15}
[2007/11/29 04:16:08 | 000,000,000 | ---D | M] (Aquatint Black) -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\{526fd696-27a0-11dc-8314-0800200c9a66}
[2009/06/04 13:39:39 | 000,000,000 | ---D | M] (IE Tab) -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}
[2010/02/27 08:43:22 | 000,000,000 | ---D | M] (Noia 2.0 (eXtreme)) -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
[2010/04/16 14:52:24 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2009/08/23 21:11:15 | 000,000,000 | ---D | M] (MushroomKingdom) -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\{BF32D2C8-9C75-404b-ACF4-880DB4679236}
[2010/05/24 00:33:28 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\{CE6E6E3B-84DD-4cac-9F63-8D2AE4F30A4B}
[2009/04/21 00:29:13 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\{CE6E6E3B-84DD-4cac-9F63-8D2AE4F30A4B}(2)
[2010/05/17 20:15:09 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/04/12 13:46:19 | 000,000,000 | ---D | M] (Download Statusbar) -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2010/03/12 15:08:56 | 000,000,000 | ---D | M] (Scribblies Brite) -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\{F587B2D4-7C09-4a23-AC4A-8D6E3CE8C7DA}
[2010/02/27 15:03:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\noia2_option@kk.noia
[2010/05/01 14:53:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\personas@christopher.beard
[2010/06/03 10:34:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\piclens@cooliris.com
[2010/06/03 10:34:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\piclens@cooliris.com-trash
[2008/09/30 18:34:54 | 000,000,983 | ---- | M] () -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\searchplugins\cnet-reviews.xml
[2008/06/19 21:02:31 | 000,000,908 | ---- | M] () -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\searchplugins\imdb.xml
[2010/05/25 01:54:40 | 000,001,597 | ---- | M] () -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\searchplugins\the-pirate-bay.xml
[2010/06/08 13:44:23 | 000,001,084 | ---- | M] () -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\searchplugins\thesauruscom.xml
[2008/06/19 21:02:30 | 000,001,108 | ---- | M] () -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\searchplugins\wikipedia-en.xml
[2010/06/08 15:14:23 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/12/04 21:05:02 | 000,086,016 | ---- | M] (SpiralFrog Inc.) -- C:\Program Files\Mozilla Firefox\plugins\NPSFDMGR.dll

O1 HOSTS File: ([2010/06/07 04:47:39 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Lexmark Printable Web) - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll ()
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O3 - HKU\S-1-5-21-1078081533-413027322-839522115-1004\..\Toolbar\WebBrowser: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKU\S-1-5-21-1078081533-413027322-839522115-1004\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [SpySweeper] C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe (Webroot Software, Inc.)
O4 - HKU\S-1-5-21-1078081533-413027322-839522115-1004..\Run: [SRS Audio Sandbox] C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe (SRS Labs, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1078081533-413027322-839522115-1004\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1078081533-413027322-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1078081533-413027322-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1078081533-413027322-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &Download by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: &Grab video by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Do&wnload selected by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Down&load all by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Download with ImTOO Download YouTube Video - C:\Program Files\ImTOO\Download YouTube Video\upod_link.HTM ()
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O15 - HKU\S-1-5-21-1078081533-413027322-839522115-1004\..Trusted Domains: com.tw ([asia.msi] http in Trusted sites)
O15 - HKU\S-1-5-21-1078081533-413027322-839522115-1004\..Trusted Domains: com.tw ([global.msi] http in Trusted sites)
O15 - HKU\S-1-5-21-1078081533-413027322-839522115-1004\..Trusted Domains: com.tw ([www.msi] http in Trusted sites)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB (PCPitstop Utility)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238541733873 (MUWebControl Class)
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} http://liveupdate.msi.com.tw/autobios/LOnline/install.cab (WebSDev Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Melanie\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Melanie\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (EM) -  File not found
O30 - LSA: Security Packages - (DDS UTILITIES) -  File not found
O30 - LSA: Security Packages - (LShared\ecurit) -  File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/11/28 22:20:26 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2007/11/28 04:40:36 | 000,000,000 | ---- | M] () - E:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/06/09 13:41:36 | 000,572,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Melanie\Desktop\OTL.exe
[2010/06/09 00:54:41 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/06/09 00:14:25 | 000,000,000 | ---D | C] -- C:\Program Files\Zone Labs
[2010/06/07 17:36:29 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/06/07 16:28:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\Internet Logs
[2010/06/07 03:52:18 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/06/07 03:43:33 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/06/07 03:43:33 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/06/07 03:43:33 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/06/07 03:43:33 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/06/07 03:43:15 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/06/07 03:26:33 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/31 21:04:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/05/31 21:03:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/05/17 00:55:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Melanie\Application Data\Office Genuine Advantage
[2010/05/16 15:04:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2010/05/15 17:50:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-TW
[2010/05/15 17:50:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-HK
[2010/05/15 17:50:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\tr-TR
[2010/05/15 17:49:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\sv-SE
[2010/05/15 17:49:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\pt-BR
[2010/05/15 17:49:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\nl-NL
[2010/05/15 17:49:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\nb-NO
[2010/05/15 17:49:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ko-KR
[2010/05/15 17:49:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\it-IT
[2010/05/15 17:49:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\he-IL
[2010/05/15 17:49:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\fr-FR
[2010/05/15 17:49:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\fi-FI
[2010/05/15 17:49:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\es-ES
[2010/05/15 17:49:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\el-GR
[2010/05/15 17:49:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\de-DE
[2010/05/15 17:49:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\da-DK
[2010/05/15 17:49:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ar-SA
[2010/05/15 17:19:35 | 000,511,328 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\capicom.dll
[2010/05/15 17:17:52 | 001,563,008 | ---- | C] (Webroot Software, Inc.) -- C:\WINDOWS\WRSetup.dll
[2010/05/15 17:17:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Melanie\Application Data\Webroot
[2010/05/15 17:17:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Webroot
[2010/05/15 15:46:14 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2010/05/15 14:42:12 | 000,000,000 | ---D | C] -- C:\Program Files\MSSOAP
[2010/05/15 14:41:46 | 000,000,000 | ---D | C] -- C:\Program Files\Webroot
[2010/05/15 00:13:44 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/05/15 00:13:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2009/04/03 16:33:45 | 000,438,272 | ---- | C] ( ) -- C:\WINDOWS\System32\LXDWhcp.dll
[2009/04/03 16:33:45 | 000,364,544 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwinpa.dll
[2009/04/03 16:33:44 | 000,339,968 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwiesc.dll
[2009/04/03 16:33:43 | 000,851,968 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwusb1.dll
[2009/04/03 16:33:42 | 001,069,056 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwserv.dll
[2009/04/03 16:33:41 | 000,651,264 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwpmui.dll
[2009/04/03 16:33:37 | 000,679,936 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwhbn3.dll
[2009/04/03 16:33:31 | 000,376,832 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwcomm.dll
[2009/04/03 16:33:30 | 000,765,952 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwcomc.dll
[99 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[90 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/09 13:41:28 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Melanie\Desktop\OTL.exe
[2010/06/09 13:19:16 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/06/09 13:18:54 | 000,267,641 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2010/06/09 13:18:54 | 000,000,000 | ---- | M] () -- C:\WINDOWS\TempFile
[2010/06/09 13:18:50 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2010/06/09 13:18:45 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/09 13:18:43 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/09 13:18:41 | 3220,623,360 | -HS- | M] () -- C:\hiberfil.sys
[2010/06/09 04:25:19 | 016,515,072 | ---- | M] () -- C:\Documents and Settings\Melanie\ntuser.dat
[2010/06/08 23:26:36 | 041,524,736 | ---- | M] () -- C:\Documents and Settings\Melanie\Desktop\zaSetup_92_044_000_en.exe
[2010/06/08 23:19:14 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/06/08 19:43:58 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Melanie\ntuser.ini
[2010/06/07 17:30:25 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/06/07 15:44:00 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Melanie\defogger_reenable
[2010/06/07 04:47:39 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/06/07 03:52:25 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/06/07 03:28:36 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/06/06 02:01:09 | 000,065,536 | ---- | M] () -- C:\Documents and Settings\Melanie\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/06/05 07:05:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/06/01 15:23:34 | 000,007,106 | ---- | M] () -- C:\WINDOWS\System32\thqvmk
[2010/05/26 05:01:53 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/05/23 18:17:10 | 000,461,128 | ---- | M] () -- C:\Documents and Settings\Melanie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/05/19 13:09:24 | 003,210,912 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/05/15 15:33:22 | 000,000,628 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/05/15 15:33:22 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/05/14 22:20:38 | 000,002,550 | ---- | M] () -- C:\rollback.ini
[99 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[90 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/08 23:26:12 | 041,524,736 | ---- | C] () -- C:\Documents and Settings\Melanie\Desktop\zaSetup_92_044_000_en.exe
[2010/06/07 15:44:00 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Melanie\defogger_reenable
[2010/06/07 15:38:42 | 3220,623,360 | -HS- | C] () -- C:\hiberfil.sys
[2010/06/07 03:52:24 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/06/07 03:52:21 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/06/07 03:43:33 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/06/07 03:43:33 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/06/07 03:43:33 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/06/07 03:43:33 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/06/07 03:43:33 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/06/01 15:23:34 | 000,007,106 | ---- | C] () -- C:\WINDOWS\System32\thqvmk
[2010/05/15 17:50:00 | 000,000,236 | ---- | C] () -- C:\WINDOWS\tasks\OGALogon.job
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/06/08 17:25:11 | 000,000,169 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
[2009/04/22 00:19:06 | 000,172,173 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat
[2009/04/03 16:46:29 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxdwvs.dll
[2009/04/03 16:46:23 | 000,360,448 | ---- | C] () -- C:\WINDOWS\System32\lxdwcoin.dll
[2009/04/03 16:45:31 | 001,036,288 | ---- | C] () -- C:\WINDOWS\System32\lxdwdrs.dll
[2009/04/03 16:45:31 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\lxdwcaps.dll
[2009/04/03 16:45:30 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\lxdwcnv4.dll
[2009/04/03 16:45:00 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\LXDWPMON.DLL
[2009/04/03 16:45:00 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\LXDWFXPU.DLL
[2009/04/03 16:44:40 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\lxdwoem.dll
[2009/04/03 16:38:17 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\lxdwrwrd.ini
[2009/04/03 16:33:47 | 000,389,120 | ---- | C] () -- C:\WINDOWS\System32\LXDWinst.dll
[2009/04/03 16:33:36 | 000,208,896 | ---- | C] () -- C:\WINDOWS\System32\lxdwgrd.dll
[2008/12/23 05:26:16 | 000,000,023 | ---- | C] () -- C:\WINDOWS\BlendSettings.ini
[2008/11/06 11:37:32 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/11/06 11:34:00 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2008/11/06 11:34:00 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2008/11/06 11:33:02 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2008/10/30 18:35:19 | 000,151,552 | ---- | C] () -- C:\WINDOWS\System32\nvRegDev.dll
[2008/04/06 00:18:56 | 000,000,319 | ---- | C] () -- C:\WINDOWS\game.ini
[2008/03/22 02:05:06 | 000,047,360 | R--- | C] () -- C:\WINDOWS\System32\drivers\Surroundhp_kern_i386.sys
[2008/03/22 02:05:06 | 000,047,104 | R--- | C] () -- C:\WINDOWS\System32\drivers\tshd4_kern_i386.sys
[2008/03/22 02:05:06 | 000,042,112 | R--- | C] () -- C:\WINDOWS\System32\drivers\csiidecoder_kern_i386.sys
[2008/03/22 02:05:06 | 000,039,808 | R--- | C] () -- C:\WINDOWS\System32\drivers\SRS_SSCFilter_i386.sys
[2008/03/02 18:26:20 | 000,210,456 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2008/03/02 18:26:20 | 000,206,360 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2008/03/02 18:26:20 | 000,198,168 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2008/03/02 18:26:20 | 000,198,168 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2008/03/02 18:26:20 | 000,194,072 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2008/03/02 18:26:20 | 000,026,136 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2008/02/26 01:22:27 | 002,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2008/02/01 08:18:14 | 000,009,216 | ---- | C] () -- C:\WINDOWS\System32\drivers\FlashSys.sys
[2008/01/20 04:29:54 | 000,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2008/01/20 04:29:54 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2008/01/20 04:01:15 | 000,009,728 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2007/12/07 17:42:50 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2007/12/01 21:06:44 | 000,012,288 | ---- | C] () -- C:\WINDOWS\impborl.dll
[2007/12/01 20:51:01 | 000,000,070 | ---- | C] () -- C:\WINDOWS\morphexe.INI
[2007/11/29 03:14:11 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/11/28 22:47:27 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007/11/28 22:47:20 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2007/11/28 22:32:32 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2007/08/21 06:22:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2007/03/27 09:45:22 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\sysres.dll
[2007/02/26 00:42:22 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\ArmAccess.dll
[2006/02/28 07:00:00 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\w5lmp7o.dll
[2006/02/28 07:00:00 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\grcauth2.dll
[2006/02/28 07:00:00 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\grcauth1.dll
[2006/02/28 07:00:00 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\clauth2.dll
[2006/02/28 07:00:00 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\clauth1.dll
[2006/02/28 07:00:00 | 000,000,204 | ---- | C] () -- C:\WINDOWS\System32\roava3y.dll
[2006/02/28 07:00:00 | 000,000,100 | ---- | C] () -- C:\WINDOWS\System32\prsgrc.dll
[2006/02/28 07:00:00 | 000,000,072 | ---- | C] () -- C:\WINDOWS\System32\ssprs.dll
[2006/02/28 07:00:00 | 000,000,016 | -H-- | C] () -- C:\WINDOWS\System32\t4spbxv.dll
[2005/12/29 18:04:24 | 000,024,064 | ---- | C] () -- C:\WINDOWS\System32\drivers\ATITool.sys
[2005/09/15 17:40:22 | 000,160,768 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2004/01/30 16:07:46 | 000,245,408 | ---- | C] () -- C:\WINDOWS\System32\unicows.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 98 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 953 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:24721E3C
@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Melanie\My Documents\Dinosaur DVD.dmsd:Roxio EMC Stream
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:888AFB86
< End of report >

Extras Log

OTL Extras logfile created on: 6/9/2010 1:42:16 PM - Run 1
OTL by OldTimer - Version 3.2.6.0     Folder = C:\Documents and Settings\Melanie\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 76.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.75 Gb Total Space | 128.14 Gb Free Space | 27.51% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 298.09 Gb Total Space | 254.87 Gb Free Space | 85.50% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
Drive G: | 931.51 Gb Total Space | 342.85 Gb Free Space | 36.81% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: R-092D61DFCD9F4
Current User Name: Melanie
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_USERS\S-1-5-21-1078081533-413027322-839522115-1004\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --playlist-enqueue "%1" ()
Directory [File Finder...] -- C:\Program Files\Avanquest\PowerDesk\pdfind.exe /PATH:%1 (Avanquest Software USA, Inc.)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Directory [PlayWithVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"" =
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"" =
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3703:TCP" = 3703:TCP:*:Enabled:Adobe Version Cue CS3 Server
"3704:TCP" = 3704:TCP:*:Enabled:Adobe Version Cue CS3 Server
"50900:TCP" = 50900:TCP:*:Enabled:Adobe Version Cue CS3 Server
"50901:TCP" = 50901:TCP:*:Enabled:Adobe Version Cue CS3 Server
"" =
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"5353:TCP" = 5353:TCP:*:Enabled:Adobe CSI CS4
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe" = C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe:*:Enabled:RoxioUPnPRenderer10 -- (Sonic Solutions)
"C:\Program Files\Rosetta Stone\Rosetta Stone V3\support\bin\RosettaStoneLtdServices.exe" = C:\Program Files\Rosetta Stone\Rosetta Stone V3\support\bin\RosettaStoneLtdServices.exe:*:Enabled:Rosetta Stone Online Component -- ()
"C:\Program Files\Rosetta Stone\Rosetta Stone V3\RosettaStoneVersion3.exe" = C:\Program Files\Rosetta Stone\Rosetta Stone V3\RosettaStoneVersion3.exe:*:Enabled:Rosetta Stone V3 Application -- ()
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Windows Shell -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\BitTorrent_DNA\dna.exe" = C:\Program Files\BitTorrent_DNA\dna.exe:*:Enabled:BitTorrent DNA -- ()
"C:\Program Files\EA GAMES\The Battle for Middle-earth (tm)\game.dat" = C:\Program Files\EA GAMES\The Battle for Middle-earth (tm)\game.dat:*:Enabled:The Battle for Middle-earth (tm) -- ()
"C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe" = C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4 -- (Firaxis Games)
"C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords.exe" = C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords.exe:*:Enabled:Sid Meier's Civilization 4 Warlords -- (Firaxis Games)
"C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords_PitBoss.exe" = C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords_PitBoss.exe:*:Enabled:Sid Meier's Civilization 4 Pitboss -- (Firaxis Games)
"C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe" = C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe:*:Enabled:Sid Meier's Civilization 4 Beyond the Sword -- (Firaxis Games)
"C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword_PitBoss.exe" = C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword_PitBoss.exe:*:Enabled:Sid Meier's Civilization 4 Beyond the Sword Pitboss -- (Firaxis Games)
"C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe" = C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe:*:Enabled:RoxioUPnPRenderer10 -- (Sonic Solutions)
"C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe" = C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:*:Enabled:Adobe Version Cue CS3 Server -- (Adobe Systems Incorporated)
"C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe" = C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:*:Enabled:Call of Duty(R) 4 - Modern Warfare(TM) -- ()
"C:\Program Files\Rosetta Stone\Rosetta Stone V3\RosettaStoneVersion3.exe" = C:\Program Files\Rosetta Stone\Rosetta Stone V3\RosettaStoneVersion3.exe:*:Enabled:Rosetta Stone V3 Application -- ()
"C:\Program Files\Rosetta Stone\Rosetta Stone V3\support\bin\RosettaStoneLtdServices.exe" = C:\Program Files\Rosetta Stone\Rosetta Stone V3\support\bin\RosettaStoneLtdServices.exe:*:Enabled:Rosetta Stone Online Component -- ()
"C:\Program Files\Roxio\Creator Classic 10\Creator10.exe" = C:\Program Files\Roxio\Creator Classic 10\Creator10.exe:*:Enabled:Creator10 -- (Sonic Solutions)
"C:\Program Files\BitTornado\btdownloadgui.exe" = C:\Program Files\BitTornado\btdownloadgui.exe:*:Enabled:btdownloadgui -- ()
"C:\WINDOWS\system32\lxdwcoms.exe" = C:\WINDOWS\system32\lxdwcoms.exe:*:Enabled:7600 Series Server -- (Lexmark International, Inc.)
"C:\Program Files\StreamCast\Morpheus\MorphEXE.exe" = C:\Program Files\StreamCast\Morpheus\MorphEXE.exe:*:Enabled:Morpheus -- (Streamcast)
"C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" = C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4 -- (Adobe Systems Incorporated)
"E:\Program Files\Dragon Age\bin_ship\daorigins.exe" = E:\Program Files\Dragon Age\bin_ship\daorigins.exe:*:Enabled:Dragon Age Origins Game -- (BioWare)
"E:\Program Files\Dragon Age\DAOriginsLauncher.exe" = E:\Program Files\Dragon Age\DAOriginsLauncher.exe:*:Enabled:Dragon Age Origins Launcher -- (BioWare)
"C:\Program Files\Orbitdownloader\orbitdm.exe" = C:\Program Files\Orbitdownloader\orbitdm.exe:*:Enabled:Orbit -- (Orbitdownloader.com)
"C:\Program Files\Orbitdownloader\orbitnet.exe" = C:\Program Files\Orbitdownloader\orbitnet.exe:*:Enabled:Orbit -- (Orbitdownloader.com)
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- (Lime Wire, LLC)
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:

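The firewall policy keys in the Extras log above are worth reading as an exposure inventory rather than skimming past: EnableFirewall per profile, which GloballyOpenPorts rules use scope * (any remote address) rather than LocalSubNet, and which AuthorizedApplications entries carry no publisher at all. The Python below is an added example, not part of this thread and not OTL's own code; its parsing rules are inferred from the line formats visible in the log, SAMPLE_LINES is a constructed subset copied from it, and P2P_HINTS is my own list of file-sharing client names, used only to call those entries out for review.

```python
"""Summarise the Windows Firewall policy keys from an OTL Extras log.

Added example: not part of the thread and not OTL's own code. Line formats
are inferred from the Extras log; SAMPLE_LINES is a constructed subset copied
from it. P2P_HINTS is my own list of file-sharing client names.
"""
import re

# Registry key lines, e.g. [HKEY_LOCAL_MACHINE\...\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\.*\\FirewallPolicy\\(?P<profile>\w+Profile)"
    r"(?:\\(?P<list>GloballyOpenPorts|AuthorizedApplications)\\List)?\]$"
)
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)" = (?P<value>.*)$')
# 139:TCP:*:Enabled:@xpsp2res.dll,-22004  (scope "*" = any remote address, otherwise LocalSubNet)
PORT_RE = re.compile(r"^(?P<port>\d+):(?P<proto>TCP|UDP):(?P<scope>[^:]+):(?P<status>Enabled|Disabled):(?P<desc>.*)$")
# C:\...\dna.exe:*:Enabled:BitTorrent DNA -- ()  (publisher in the trailing parentheses, often empty)
APP_RE = re.compile(r"^(?P<path>.+?):(?P<scope>[^:]+):(?P<status>Enabled|Disabled):(?P<desc>.*?)(?: -- \((?P<company>.*)\))?$")

P2P_HINTS = ("limewire", "utorrent", "bittorrent", "bittornado", "morpheus")  # assumption: my own list


def parse_firewall_policy(lines):
    """Return {profile: {"enabled": bool|None, "ports": [...], "apps": [...]}}."""
    policy = {}
    profile = section = None
    for raw in lines:
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            profile, section = key["profile"], key["list"]
            policy.setdefault(profile, {"enabled": None, "ports": [], "apps": []})
            continue
        if line.startswith("["):          # some other registry key: stop attributing values
            profile = section = None
            continue
        val = VALUE_RE.match(line)
        if not val or profile is None:
            continue
        name, value = val["name"], val["value"]
        if section is None and name == "EnableFirewall":
            policy[profile]["enabled"] = value.strip() == "1"
        elif section == "GloballyOpenPorts" and (p := PORT_RE.match(value)):
            policy[profile]["ports"].append(
                {"port": int(p["port"]), "proto": p["proto"], "scope": p["scope"], "desc": p["desc"]})
        elif section == "AuthorizedApplications" and (a := APP_RE.match(value)):
            policy[profile]["apps"].append(
                {"path": a["path"], "scope": a["scope"], "desc": a["desc"], "company": (a["company"] or "").strip()})
    return policy


def exposure_report(policy):
    """Per profile: firewall on?, what is open to any address, P2P-looking and publisher-less allowed apps."""
    report = {}
    for profile, p in policy.items():
        report[profile] = {
            "enabled": p["enabled"],
            "any_address_ports": [f'{r["port"]}/{r["proto"]}' for r in p["ports"] if r["scope"] == "*"],
            "p2p_apps": [a["path"] for a in p["apps"] if any(h in a["path"].lower() for h in P2P_HINTS)],
            "no_publisher_apps": [a["path"] for a in p["apps"] if not a["company"]],
        }
    return report


# Constructed subset of the Extras log lines above.
SAMPLE_LINES = [
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]",
    r'"EnableFirewall" = 0',
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]",
    r'"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004',
    r'"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007',
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]",
    r'"EnableFirewall" = 1',
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]",
    r'"3703:TCP" = 3703:TCP:*:Enabled:Adobe Version Cue CS3 Server',
    r'"" =',
    r'"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004',
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]",
    r'"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)',
    r'"C:\Program Files\BitTorrent_DNA\dna.exe" = C:\Program Files\BitTorrent_DNA\dna.exe:*:Enabled:BitTorrent DNA -- ()',
    r'"C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe" = C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:*:Enabled:Call of Duty(R) 4 - Modern Warfare(TM) -- ()',
    r'"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- (Lime Wire, LLC)',
    r'"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:',
]

if __name__ == "__main__":
    for profile, summary in exposure_report(parse_firewall_policy(SAMPLE_LINES)).items():
        print(profile, summary)
```

On the full log the same pass shows the Domain profile with the firewall off and SMB/NetBIOS (137-139, 445) open to any address, the Standard profile on but with Adobe Version Cue and CSI listening on any address, and a run of file-sharing clients (BitTorrent DNA, BitTornado, Morpheus, LimeWire, uTorrent) in the allow-list. None of that is itself evidence of infection, but on a machine that already shows redirects and pop-ups it is the list of things to take off the network first.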
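A second added example (again mine, not the thread's or OTL's), this one for the PRC/SRV/DRV and Alternate Data Stream lines that OTL prints in the main log. It parses the line format as it appears in the logs in this thread, copies a handful of those lines as constructed sample input, and applies a few review heuristics of my own: a registered service whose binary is not on disk, a binary with an empty publisher field outside %SystemRoot% and Program Files (TRUSTED_DIRS is my assumption), a long digit run in the file name, a service name that does not start with a letter, and 8-hex-digit stream names on data directories.

```python
"""Flag OTL PRC/SRV/DRV and Alternate Data Stream lines that deserve a second look.

Added example: not part of the thread and not OTL's own code. Line formats are
inferred from the OTL logs in this thread; SAMPLE_LINES is a constructed subset
copied from them. The rules are my own heuristics and mark entries for review,
not as malicious.
"""
import re
from dataclasses import dataclass, field

# PRC/SRV/DRV lines: kind, then either "[date | size | attrs | M] (Publisher)" or the literal
# "File not found", an optional "[start | state]" block, " -- path" and, for SRV/DRV,
# " -- (ServiceName) description". Orphaned entries print "-- --" with an empty path,
# hence the optional space before the second "--".
ENTRY_RE = re.compile(
    r"^(?P<kind>PRC|SRV|DRV) - "
    r"(?:\[(?P<stamp>[^\]]*)\] (?P<company>\(.*?\))|(?P<missing>File not found))"
    r" ?(?:\[(?P<state>[^\]]*)\])?"
    r" -- (?P<path>.*?)"
    r"(?: ?-- \((?P<name>[^)]*)\)(?P<desc>.*))?$"
)
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<host>.*):(?P<stream>[^:\\]+)$")
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")   # assumption: my own list


@dataclass
class Finding:
    kind: str          # PRC, SRV, DRV or ADS
    subject: str       # path, or service name when no path, or host:stream
    reasons: list = field(default_factory=list)


def parse_entry(line):
    m = ENTRY_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["company"] = (e["company"] or "()")[1:-1].strip()   # drop outer parens only; nested ones survive
    e["missing"] = e["missing"] is not None
    e["path"] = (e["path"] or "").strip()
    return e


def judge_entry(e):
    reasons = []
    path, name = e["path"], e["name"] or ""
    if e["missing"] or not path:
        reasons.append("registered binary is not on disk (orphaned service/driver entry)")
    else:
        fname = path.rsplit("\\", 1)[-1]
        if not e["company"] and not path.lower().startswith(TRUSTED_DIRS):
            reasons.append("no publisher and binary lives outside %SystemRoot% / Program Files")
        if re.search(r"\d{5,}", fname):
            reasons.append("long digit run in file name (randomised-name heuristic)")
    if name and not name[0].isalpha():
        reasons.append("service name does not start with a letter")
    return reasons


def triage(lines):
    findings = []
    for line in (ln.rstrip() for ln in lines):
        entry = parse_entry(line)
        if entry:
            if reasons := judge_entry(entry):
                findings.append(Finding(entry["kind"], entry["path"] or entry["name"] or "?", reasons))
            continue
        ads = ADS_RE.match(line)
        if ads and re.fullmatch(r"[0-9A-F]{8}", ads["stream"]):
            findings.append(Finding("ADS", f'{ads["host"]}:{ads["stream"]}', ["8-hex-digit stream name on a data directory"]))
    return findings


# Constructed subset of lines copied from the OTL logs in this thread.
SAMPLE_LINES = [
    r"SRV - File not found [Auto | Stopped] -- -- (SessionLauncher)",
    r"SRV - [2010/05/15 17:19:36 | 001,201,640 | ---- | M] (Webroot Software, Inc. ) [On_Demand | Running] -- C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe -- (WRConsumerService)",
    r"SRV - [2009/11/06 12:00:22 | 004,048,240 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Auto | Running] -- C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe -- (WebrootSpySweeperService)",
    r"SRV - [2009/06/01 06:06:52 | 000,343,435 | R--- | M] () [Auto | Stopped] -- C:\Documents and Settings\All Users\Application Data\Webroot\R Vasquez2181717.exe -- (.1196306536SsTR)",
    r"SRV - [2008/05/16 10:32:56 | 000,098,984 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdwserv.exe -- (lxdwCATSCustConnectService)",
    r"PRC - [2010/06/09 13:41:28 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Melanie\Desktop\OTL.exe",
    r"DRV - [2005/12/29 18:04:24 | 000,024,064 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ATITool.sys -- (ATITool)",
    r"@Alternate Data Stream - 98 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2",
    r"@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Melanie\My Documents\Dinosaur DVD.dmsd:Roxio EMC Stream",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.kind:3} {f.subject}\n    " + "\n    ".join(f.reasons))
```

Every hit here is a prompt to go and look, not a verdict. The digit-run and odd-name rules also fire on products that deliberately randomise their own file and service names to resist tampering, as some anti-malware suites do, so the next step for a flagged binary is to check its digital signature and hash rather than to delete it; the orphaned-service rule flags leftovers of uninstalled software just as readily as a removed payload; and hex-named streams on a ProgramData TEMP directory are commonly left by security tools, but an ADS is also a classic place to park a payload, so they belong on the list.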

Hi again,

I do not see any policies set to prevent the Welcome Screen or Fast User Switching. Do you get the error message when attempting to change those options in user accounts or when actually trying to switch users only?

Did you try to turn both options off, reboot, then turn them on and reboot again, does this still give the same issue?


I do not see any policies set to prevent the Welcome Screen or Fast User Switching. Do you get the error message when attempting to change those options in user accounts or when actually trying to switch users only?

I get the message when actually trying to switch user accounts only. If I try to un-check the options in Control Panel, I get no error whatsoever, and Fast User Switching is definitely turned off when I un-check it.

Did you try to turn both options off, reboot, then turn them on and reboot again, does this still give the same issue?

Yes, I've tried that method several times over the past couple of weeks. I have also tried doing it in Safe Mode. It still gives the same issue, and I still can't use the XP Welcome screen. The problem started immediately after our last major Windows XP update (a few weeks ago), and it's been happening consistently ever since.


At the logon screen, where you have to hit enter, enter Administrator as username and hit enter (if you have set an administrator password, make sure you enter that first).

This will start the administrator account. Please see if you can use Fast User Switch from within that account.


I just tried your suggestion, switching to the Administrator account. I tried using Fast Switching and it didn't work (still told me that the computer was locked). I turned off the Welcome Screen option and Fast Switching and rebooted the computer, then went back into the Admin account. I turned Welcome Screen and Fast Switching back on, and again neither worked. I rebooted the computer one more time, went into the Admin account once more, and tried them again, and they still don't work.

This is definitely a head scratcher!


Hello again, lets dig a bit deeper here.

OTL

-----

1. Please download OTL from one of the following mirrors:
2. Save it to your desktop.
3. Double click on the OTL icon on your desktop.
4. Copy and paste the following into the Custom Scans/Fixes textbox. Do not include the word "Code"

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

5. Push Run Scan.
6. A report will open. Copy and paste that report in your next reply.


Latest OTL Scan (with the custom scan)

OTL logfile created on: 6/10/2010 10:07:45 PM - Run 2
OTL by OldTimer - Version 3.2.6.0 Folder = C:\Documents and Settings\Melanie\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 75.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.75 Gb Total Space | 126.98 Gb Free Space | 27.26% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 298.09 Gb Total Space | 255.14 Gb Free Space | 85.59% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
Drive G: | 931.51 Gb Total Space | 342.65 Gb Free Space | 36.78% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: R-092D61DFCD9F4
Current User Name: Melanie
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/06/09 13:41:28 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Melanie\Desktop\OTL.exe
PRC - [2010/05/15 17:19:36 | 001,201,640 | ---- | M] (Webroot Software, Inc. ) -- C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
PRC - [2010/04/02 17:25:50 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/11/06 15:19:58 | 006,515,784 | ---- | M] (Webroot Software, Inc.) -- C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
PRC - [2009/11/06 12:00:22 | 004,048,240 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
PRC - [2009/11/06 12:00:22 | 000,165,232 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\WebrootSecurity\SSU.exe
PRC - [2008/11/24 22:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2008/11/24 22:31:08 | 000,239,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
PRC - [2008/10/07 15:28:28 | 000,589,824 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\lxdwcoms.exe
PRC - [2008/05/19 12:13:20 | 000,057,344 | ---- | M] (Nalpeiron Ltd.) -- C:\WINDOWS\system32\ASTSRV.EXE
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/10/26 16:04:10 | 004,354,048 | ---- | M] (SRS Labs, Inc.) -- C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe
PRC - [2007/07/24 11:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) -- C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe


========== Modules (SafeList) ==========

MOD - [2010/06/09 13:41:28 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Melanie\Desktop\OTL.exe
MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (SessionLauncher)
SRV - [2010/05/15 17:19:36 | 001,201,640 | ---- | M] (Webroot Software, Inc. ) [On_Demand | Running] -- C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe -- (WRConsumerService)
SRV - [2009/11/06 12:00:22 | 004,048,240 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Auto | Running] -- C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe -- (WebrootSpySweeperService)
SRV - [2009/09/08 13:55:15 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/06/01 06:06:52 | 000,343,435 | R--- | M] () [Auto | Stopped] -- C:\Documents and Settings\All Users\Application Data\Webroot\R Vasquez2181717.exe -- (.1196306536SsTR)
SRV - [2009/05/27 03:27:04 | 029,262,680 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$SONY_MEDIAMGR2) SQL Server (SONY_MEDIAMGR2)
SRV - [2008/11/24 22:31:12 | 000,087,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2008/11/24 22:31:08 | 000,239,968 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2008/11/24 22:31:08 | 000,045,408 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)
SRV - [2008/10/14 18:17:38 | 000,611,664 | ---- | M] (Lavasoft) [Disabled | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice)
SRV - [2008/10/07 15:28:28 | 000,589,824 | ---- | M] (Lexmark International, Inc.) [Auto | Running] -- C:\WINDOWS\System32\lxdwcoms.exe -- (lxdw_device)
SRV - [2008/05/19 12:13:20 | 000,057,344 | ---- | M] (Nalpeiron Ltd.) [Auto | Running] -- C:\WINDOWS\system32\ASTSRV.EXE -- (ASTSRV)
SRV - [2008/05/16 10:32:56 | 000,098,984 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdwserv.exe -- (lxdwCATSCustConnectService)
SRV - [2007/08/24 16:53:16 | 000,362,992 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe -- (Roxio Upnp Server 10)
SRV - [2007/08/24 16:53:14 | 000,072,176 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe -- (Roxio UPnP Renderer 10)
SRV - [2007/08/24 16:52:48 | 000,309,744 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe -- (RoxLiveShare10)
SRV - [2007/08/24 16:52:46 | 000,166,384 | ---- | M] (Sonic Solutions) [Disabled | Stopped] -- C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe -- (RoxWatch10)
SRV - [2007/08/24 16:52:38 | 001,083,888 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe -- (RoxMediaDB10)
SRV - [2007/07/24 11:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) [Auto | Running] -- C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe -- (PSI_SVC_2)
SRV - [2007/03/20 17:41:24 | 000,153,792 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe -- (Adobe Version Cue CS3)
SRV - [2007/03/06 11:35:02 | 000,198,168 | ---- | M] (InterVideo Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe -- (Capture Device Service)
SRV - [2007/03/03 14:48:28 | 000,067,056 | ---- | M] (Ulead Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)
SRV - [2007/01/31 15:55:42 | 000,096,370 | ---- | M] (Canon Inc.) [Disabled | Stopped] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2007/01/04 19:48:52 | 000,112,152 | R--- | M] (InterVideo) [On_Demand | Stopped] -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)


========== Driver Services (SafeList) ==========

DRV - [2010/01/11 23:03:33 | 010,276,768 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2009/11/23 09:43:30 | 000,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/11/23 09:43:30 | 000,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/11/23 09:43:28 | 000,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2009/11/06 12:00:36 | 000,176,752 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ssidrv.sys -- (ssidrv)
DRV - [2009/11/06 12:00:36 | 000,023,152 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sshrmd.sys -- (sshrmd)
DRV - [2009/11/06 12:00:34 | 000,029,808 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ssfs0bbc.sys -- (ssfs0bbc)
DRV - [2008/09/24 10:40:22 | 004,122,368 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\alcxwdm.sys -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2008/08/14 07:57:42 | 000,074,720 | ---- | M] (Adobe Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\adfs.sys -- (adfs)
DRV - [2008/04/14 02:21:50 | 000,017,920 | ---- | M] (Your Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\Ntaccess.sys -- (NTACCESS)
DRV - [2008/01/20 02:07:58 | 000,033,292 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\scdemu.sys -- (SCDEmu)
DRV - [2007/08/18 04:09:04 | 000,057,328 | ---- | M] (Sonic Solutions) [File_System | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\RxFilter.sys -- (RxFilter)
DRV - [2007/07/26 09:25:12 | 000,039,808 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SRS_SSCFilter_i386.sys -- (SRS_SSCFilter) SRS Labs Audio Sandbox (WDM)
DRV - [2007/04/17 20:09:28 | 000,011,032 | ---- | M] (InterVideo) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\regi.sys -- (regi)
DRV - [2007/03/22 12:57:14 | 000,028,672 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\elagopro.sys -- (elagopro)
DRV - [2007/03/22 12:57:14 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\elaunidr.sys -- (elaunidr)
DRV - [2007/01/10 07:00:00 | 000,244,736 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\c2scsi.sys -- (c2scsi)
DRV - [2006/06/16 06:56:38 | 000,083,968 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2005/12/29 18:04:24 | 000,024,064 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ATITool.sys -- (ATITool)
DRV - [2005/09/20 17:27:20 | 000,010,368 | ---- | M] (InterVideo, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\iviaspi.sys -- (Iviaspi)
DRV - [2005/07/28 09:18:40 | 000,685,056 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\hardlock.sys -- (Hardlock)


[color=#E56717]========== Standard Registry (SafeList) ==========[/color]


[color=#E56717]========== Internet Explorer ==========[/color]


IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

[color=#E56717]========== FireFox ==========[/color]

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://roadrunner.com/"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2
FF - prefs.js..extensions.enabledItems: {0545b830-f0aa-4d7e-8820-50a4629a56fe}:4.6
FF - prefs.js..extensions.enabledItems: piclens@cooliris.com:1.12.0.36605
FF - prefs.js..extensions.enabledItems: {CE6E6E3B-84DD-4cac-9F63-8D2AE4F30A4B}:3.1.0521
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.6.8
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.7.3
FF - prefs.js..extensions.enabledItems: noia2_option@kk.noia:3.76
FF - prefs.js..extensions.enabledItems: personas@christopher.beard:1.5.3
FF - prefs.js..extensions.enabledItems: {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}:3.76
FF - prefs.js..extensions.enabledItems: {F587B2D4-7C09-4a23-AC4A-8D6E3CE8C7DA}:3.6
FF - prefs.js..extensions.enabledItems: {33A8946C-B859-4f7d-8382-ADAB29623DEE}:3.6


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/06/05 15:53:04 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/06/05 15:53:02 | 000,000,000 | ---D | M]

[2009/08/16 15:10:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Extensions
[2009/08/16 15:10:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2010/06/10 15:36:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions
[2010/05/08 17:10:14 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}
[2009/04/21 00:29:12 | 000,000,000 | ---D | M] (FlashGot) -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}(2)
[2010/03/12 15:09:10 | 000,000,000 | ---D | M] (Scribblies Kids) -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\{33A8946C-B859-4f7d-8382-ADAB29623DEE}
[2010/01/21 16:27:51 | 000,000,000 | ---D | M] (FoxyTunes) -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}
[2010/02/27 15:03:34 | 000,000,000 | ---D | M] (FoxyTunes Skin - Aqua Bubbles Purple) -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\{469CEB59-8266-438b-91D9-82F56D595E15}
[2007/11/29 04:16:08 | 000,000,000 | ---D | M] (Aquatint Black) -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\{526fd696-27a0-11dc-8314-0800200c9a66}
[2009/06/04 13:39:39 | 000,000,000 | ---D | M] (IE Tab) -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}
[2010/02/27 08:43:22 | 000,000,000 | ---D | M] (Noia 2.0 (eXtreme)) -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
[2010/04/16 14:52:24 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2009/08/23 21:11:15 | 000,000,000 | ---D | M] (MushroomKingdom) -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\{BF32D2C8-9C75-404b-ACF4-880DB4679236}
[2010/05/24 00:33:28 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\{CE6E6E3B-84DD-4cac-9F63-8D2AE4F30A4B}
[2009/04/21 00:29:13 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\{CE6E6E3B-84DD-4cac-9F63-8D2AE4F30A4B}(2)
[2010/05/17 20:15:09 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/04/12 13:46:19 | 000,000,000 | ---D | M] (Download Statusbar) -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2010/03/12 15:08:56 | 000,000,000 | ---D | M] (Scribblies Brite) -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\{F587B2D4-7C09-4a23-AC4A-8D6E3CE8C7DA}
[2010/02/27 15:03:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\noia2_option@kk.noia
[2010/05/01 14:53:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\personas@christopher.beard
[2010/06/03 10:34:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\piclens@cooliris.com
[2010/06/03 10:34:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\extensions\piclens@cooliris.com-trash
[2008/09/30 18:34:54 | 000,000,983 | ---- | M] () -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\searchplugins\cnet-reviews.xml
[2008/06/19 21:02:31 | 000,000,908 | ---- | M] () -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\searchplugins\imdb.xml
[2010/05/25 01:54:40 | 000,001,597 | ---- | M] () -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\searchplugins\the-pirate-bay.xml
[2010/06/08 13:44:23 | 000,001,084 | ---- | M] () -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\searchplugins\thesauruscom.xml
[2008/06/19 21:02:30 | 000,001,108 | ---- | M] () -- C:\Documents and Settings\Melanie\Application Data\Mozilla\Firefox\Profiles\d9xds795.default\searchplugins\wikipedia-en.xml
[2010/06/10 15:36:53 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/12/04 21:05:02 | 000,086,016 | ---- | M] (SpiralFrog Inc.) -- C:\Program Files\Mozilla Firefox\plugins\NPSFDMGR.dll

O1 HOSTS File: ([2010/06/07 04:47:39 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Lexmark Printable Web) - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll ()
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [SpySweeper] C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe (Webroot Software, Inc.)
O4 - HKCU..\Run: [SRS Audio Sandbox] C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe (SRS Labs, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &Download by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: &Grab video by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Do&wnload selected by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Down&load all by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Download with ImTOO Download YouTube Video - C:\Program Files\ImTOO\Download YouTube Video\upod_link.HTM ()
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O15 - HKCU\..Trusted Domains: com.tw ([asia.msi] http in Trusted sites)
O15 - HKCU\..Trusted Domains: com.tw ([global.msi] http in Trusted sites)
O15 - HKCU\..Trusted Domains: com.tw ([www.msi] http in Trusted sites)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB (PCPitstop Utility)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238541733873 (MUWebControl Class)
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} http://liveupdate.msi.com.tw/autobios/LOnline/install.cab (WebSDev Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Melanie\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Melanie\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (EM) - File not found
O30 - LSA: Security Packages - (DDS UTILITIES) - File not found
O30 - LSA: Security Packages - (LShared\ecurit) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/11/28 22:20:26 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2007/11/28 04:40:36 | 000,000,000 | ---- | M] () - E:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

[color=#E56717]========== Files/Folders - Created Within 30 Days ==========[/color]

[2010/06/10 16:55:31 | 000,743,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedvtool.dll
[2010/06/09 13:41:36 | 000,572,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Melanie\Desktop\OTL.exe
[2010/06/09 00:54:41 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/06/09 00:14:25 | 000,000,000 | ---D | C] -- C:\Program Files\Zone Labs
[2010/06/07 17:36:29 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/06/07 16:28:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\Internet Logs
[2010/06/07 03:52:18 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/06/07 03:43:33 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/06/07 03:43:33 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/06/07 03:43:33 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/06/07 03:43:33 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/06/07 03:43:15 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/06/07 03:26:33 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/31 21:04:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/05/31 21:03:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/05/17 00:55:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Melanie\Application Data\Office Genuine Advantage
[2010/05/16 15:04:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2010/05/15 17:50:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-TW
[2010/05/15 17:50:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-HK
[2010/05/15 17:50:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\tr-TR
[2010/05/15 17:49:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\sv-SE
[2010/05/15 17:49:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\pt-BR
[2010/05/15 17:49:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\nl-NL
[2010/05/15 17:49:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\nb-NO
[2010/05/15 17:49:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ko-KR
[2010/05/15 17:49:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\it-IT
[2010/05/15 17:49:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\he-IL
[2010/05/15 17:49:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\fr-FR
[2010/05/15 17:49:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\fi-FI
[2010/05/15 17:49:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\es-ES
[2010/05/15 17:49:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\el-GR
[2010/05/15 17:49:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\de-DE
[2010/05/15 17:49:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\da-DK
[2010/05/15 17:49:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ar-SA
[2010/05/15 17:19:35 | 000,511,328 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\capicom.dll
[2010/05/15 17:17:52 | 001,563,008 | ---- | C] (Webroot Software, Inc.) -- C:\WINDOWS\WRSetup.dll
[2010/05/15 17:17:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Melanie\Application Data\Webroot
[2010/05/15 17:17:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Webroot
[2010/05/15 15:46:14 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2010/05/15 14:42:12 | 000,000,000 | ---D | C] -- C:\Program Files\MSSOAP
[2010/05/15 14:41:46 | 000,000,000 | ---D | C] -- C:\Program Files\Webroot
[2010/05/15 00:13:44 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/05/15 00:13:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2009/04/03 16:33:45 | 000,438,272 | ---- | C] ( ) -- C:\WINDOWS\System32\LXDWhcp.dll
[2009/04/03 16:33:45 | 000,364,544 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwinpa.dll
[2009/04/03 16:33:44 | 000,339,968 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwiesc.dll
[2009/04/03 16:33:43 | 000,851,968 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwusb1.dll
[2009/04/03 16:33:42 | 001,069,056 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwserv.dll
[2009/04/03 16:33:41 | 000,651,264 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwpmui.dll
[2009/04/03 16:33:37 | 000,679,936 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwhbn3.dll
[2009/04/03 16:33:31 | 000,376,832 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwcomm.dll
[2009/04/03 16:33:30 | 000,765,952 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwcomc.dll
[99 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[90 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[color=#E56717]========== Files - Modified Within 30 Days ==========[/color]

[2010/06/10 21:39:04 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\Melanie\Desktop\Microsoft Office Word 2007.lnk
[2010/06/10 21:26:19 | 000,267,641 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2010/06/10 21:26:16 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/06/10 21:26:16 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2010/06/10 17:15:32 | 003,210,912 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/10 17:15:04 | 000,000,000 | ---- | M] () -- C:\WINDOWS\TempFile
[2010/06/10 17:14:54 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/10 17:14:52 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/10 17:14:49 | 3220,623,360 | -HS- | M] () -- C:\hiberfil.sys
[2010/06/10 17:13:44 | 016,515,072 | ---- | M] () -- C:\Documents and Settings\Melanie\ntuser.dat
[2010/06/10 17:11:54 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/06/10 17:02:58 | 000,571,342 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/10 17:02:58 | 000,490,626 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/10 17:02:58 | 000,089,932 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/06/10 14:09:04 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Melanie\ntuser.ini
[2010/06/10 03:11:27 | 000,066,048 | ---- | M] () -- C:\Documents and Settings\Melanie\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/06/09 19:42:34 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/06/09 13:41:28 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Melanie\Desktop\OTL.exe
[2010/06/08 23:26:36 | 041,524,736 | ---- | M] () -- C:\Documents and Settings\Melanie\Desktop\zaSetup_92_044_000_en.exe
[2010/06/07 17:30:25 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/06/07 15:44:00 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Melanie\defogger_reenable
[2010/06/07 04:47:39 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/06/07 03:52:25 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/06/07 03:28:36 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/06/05 07:05:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/06/01 15:23:34 | 000,007,106 | ---- | M] () -- C:\WINDOWS\System32\thqvmk
[2010/05/23 18:17:10 | 000,461,128 | ---- | M] () -- C:\Documents and Settings\Melanie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/05/15 15:33:22 | 000,000,628 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/05/15 15:33:22 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/05/14 22:20:38 | 000,002,550 | ---- | M] () -- C:\rollback.ini
[99 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[90 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[color=#E56717]========== Files Created - No Company Name ==========[/color]

[2010/06/08 23:26:12 | 041,524,736 | ---- | C] () -- C:\Documents and Settings\Melanie\Desktop\zaSetup_92_044_000_en.exe
[2010/06/07 15:44:00 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Melanie\defogger_reenable
[2010/06/07 15:38:42 | 3220,623,360 | -HS- | C] () -- C:\hiberfil.sys
[2010/06/07 03:52:24 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/06/07 03:52:21 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/06/07 03:43:33 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/06/07 03:43:33 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/06/07 03:43:33 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/06/07 03:43:33 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/06/07 03:43:33 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/06/01 15:23:34 | 000,007,106 | ---- | C] () -- C:\WINDOWS\System32\thqvmk
[2010/05/15 17:50:00 | 000,000,236 | ---- | C] () -- C:\WINDOWS\tasks\OGALogon.job
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/06/08 17:25:11 | 000,000,169 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
[2009/04/22 00:19:06 | 000,172,173 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat
[2009/04/03 16:46:29 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxdwvs.dll
[2009/04/03 16:46:23 | 000,360,448 | ---- | C] () -- C:\WINDOWS\System32\lxdwcoin.dll
[2009/04/03 16:45:31 | 001,036,288 | ---- | C] () -- C:\WINDOWS\System32\lxdwdrs.dll
[2009/04/03 16:45:31 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\lxdwcaps.dll
[2009/04/03 16:45:30 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\lxdwcnv4.dll
[2009/04/03 16:45:00 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\LXDWPMON.DLL
[2009/04/03 16:45:00 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\LXDWFXPU.DLL
[2009/04/03 16:44:40 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\lxdwoem.dll
[2009/04/03 16:38:17 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\lxdwrwrd.ini
[2009/04/03 16:33:47 | 000,389,120 | ---- | C] () -- C:\WINDOWS\System32\LXDWinst.dll
[2009/04/03 16:33:36 | 000,208,896 | ---- | C] () -- C:\WINDOWS\System32\lxdwgrd.dll
[2008/12/23 05:26:16 | 000,000,023 | ---- | C] () -- C:\WINDOWS\BlendSettings.ini
[2008/11/06 11:37:32 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/11/06 11:34:00 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2008/11/06 11:34:00 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2008/11/06 11:33:02 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2008/10/30 18:35:19 | 000,151,552 | ---- | C] () -- C:\WINDOWS\System32\nvRegDev.dll
[2008/04/06 00:18:56 | 000,000,319 | ---- | C] () -- C:\WINDOWS\game.ini
[2008/03/22 02:05:06 | 000,047,360 | R--- | C] () -- C:\WINDOWS\System32\drivers\Surroundhp_kern_i386.sys
[2008/03/22 02:05:06 | 000,047,104 | R--- | C] () -- C:\WINDOWS\System32\drivers\tshd4_kern_i386.sys
[2008/03/22 02:05:06 | 000,042,112 | R--- | C] () -- C:\WINDOWS\System32\drivers\csiidecoder_kern_i386.sys
[2008/03/22 02:05:06 | 000,039,808 | R--- | C] () -- C:\WINDOWS\System32\drivers\SRS_SSCFilter_i386.sys
[2008/03/02 18:26:20 | 000,210,456 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2008/03/02 18:26:20 | 000,206,360 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2008/03/02 18:26:20 | 000,198,168 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2008/03/02 18:26:20 | 000,198,168 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2008/03/02 18:26:20 | 000,194,072 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2008/03/02 18:26:20 | 000,026,136 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2008/02/26 01:22:27 | 002,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2008/02/01 08:18:14 | 000,009,216 | ---- | C] () -- C:\WINDOWS\System32\drivers\FlashSys.sys
[2008/01/20 04:29:54 | 000,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2008/01/20 04:29:54 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2008/01/20 04:01:15 | 000,009,728 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2007/12/07 17:42:50 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2007/12/01 21:06:44 | 000,012,288 | ---- | C] () -- C:\WINDOWS\impborl.dll
[2007/12/01 20:51:01 | 000,000,070 | ---- | C] () -- C:\WINDOWS\morphexe.INI
[2007/11/29 03:14:11 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/11/28 22:47:27 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007/11/28 22:47:20 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2007/11/28 22:32:32 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2007/08/21 06:22:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2007/03/27 09:45:22 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\sysres.dll
[2007/02/26 00:42:22 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\ArmAccess.dll
[2006/02/28 07:00:00 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\w5lmp7o.dll
[2006/02/28 07:00:00 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\grcauth2.dll
[2006/02/28 07:00:00 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\grcauth1.dll
[2006/02/28 07:00:00 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\clauth2.dll
[2006/02/28 07:00:00 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\clauth1.dll
[2006/02/28 07:00:00 | 000,000,204 | ---- | C] () -- C:\WINDOWS\System32\roava3y.dll
[2006/02/28 07:00:00 | 000,000,100 | ---- | C] () -- C:\WINDOWS\System32\prsgrc.dll
[2006/02/28 07:00:00 | 000,000,072 | ---- | C] () -- C:\WINDOWS\System32\ssprs.dll
[2006/02/28 07:00:00 | 000,000,016 | -H-- | C] () -- C:\WINDOWS\System32\t4spbxv.dll
[2005/12/29 18:04:24 | 000,024,064 | ---- | C] () -- C:\WINDOWS\System32\drivers\ATITool.sys
[2005/09/15 17:40:22 | 000,160,768 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2004/01/30 16:07:46 | 000,245,408 | ---- | C] () -- C:\WINDOWS\System32\unicows.dll

[color=#E56717]========== Custom Scans ==========[/color]


[color=#A23BEC]< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon >[/color]
"AutoRestartShell" = 1
"DefaultDomainName" = R-092D61DFCD9F4
"DefaultUserName" = Melanie
"LegalNoticeCaption" =
"LegalNoticeText" =
"PowerdownAfterShutdown" = 0
"ReportBootOk" = 1
"Shell" = Explorer.exe -- [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation)
"ShutdownWithoutLogon" = 0
"System" =
"Userinit" = C:\WINDOWS\system32\userinit.exe, -- File not found
"VmApplet" = rundll32 shell32,Control_RunDLL "sysdm.cpl" -- [2008/04/13 19:12:41 | 000,300,544 | ---- | M] (Microsoft Corporation)
"SfcQuota" = -1
"allocatecdroms" = 0
"allocatedasd" = 0
"allocatefloppies" = 0
"cachedlogonscount" = 10
"forceunlocklogon" = 0
"passwordexpirywarning" = 14
"scremoveoption" = 0
"AllowMultipleTSSessions" = 0
"LogonType" = 0
"DebugServerCommand" = no
"SFCDisable" = 0
"WinStationsDisabled" = 0
"HibernationPreviouslyEnabled" = 1
"ShowLogonOptions" = 1
"AltDefaultUserName" = Melanie
"AltDefaultDomainName" = R-092D61DFCD9F4
"ChangePasswordUseKerberos" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SCLogon]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Credentials]

[color=#E56717]========== Alternate Data Streams ==========[/color]

@Alternate Data Stream - 98 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 953 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:24721E3C
@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Melanie\My Documents\Dinosaur DVD.dmsd:Roxio EMC Stream
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:888AFB86
< End of report >


OTL Scan:

OTL logfile created on: 6/11/2010 11:11:11 PM - Run 3
OTL by OldTimer - Version 3.2.6.0 Folder = C:\Documents and Settings\Melanie\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 75.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.75 Gb Total Space | 126.98 Gb Free Space | 27.26% Space Free | Partition Type: NTFS
Drive D: | 3.10 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
Drive E: | 298.09 Gb Total Space | 255.14 Gb Free Space | 85.59% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
Drive G: | 931.51 Gb Total Space | 342.65 Gb Free Space | 36.78% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: R-092D61DFCD9F4
Current User Name: Melanie
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

[color=#E56717]========== Custom Scans ==========[/color]


[color=#A23BEC]< HKEY_USERS\.Default\Control Panel\Desktop >[/color]
"ActiveWndTrkTimeout" = 0
"AutoEndTasks" = 0
"CaretWidth" = 1
"CoolSwitch" = 1
"CoolSwitchColumns" = 7
"CoolSwitchRows" = 3
"CursorBlinkRate" = 530
"DragFullWindows" = 2
"DragHeight" = 4
"DragWidth" = 4
"FontSmoothing" = 2
"FontSmoothingOrientation" = 1
"FontSmoothingType" = 1
"ForegroundFlashCount" = 3
"ForegroundLockTimeout" = 200000
"GridGranularity" = 0
"HungAppTimeout" = 5000
"LowPowerActive" = 0
"LowPowerTimeOut" = 0
"MenuShowDelay" = 400
"PaintDesktopVersion" = 0
"Pattern" = (None)
"PowerOffActive" = 0
"PowerOffTimeOut" = 0
"ScreenSaverIsSecure" = 0
"ScreenSaveTimeOut" = 600
"ScreenSaveActive" = 1
"SCRNSAVE.EXE" = logon.scr -- [2008/04/13 19:12:43 | 000,220,672 | ---- | M] (Microsoft Corporation)
"TileWallpaper" = 0
"UserPreferencesMask" = 9E 3E 03 80 [binary data]
"WaitToKillAppTimeout" = 20000
"Wallpaper" = (None)
"WallpaperStyle" = 2
"OriginalWallpaper" =
"WheelScrollLines" = 3

[HKEY_USERS\.Default\Control Panel\Desktop\WindowMetrics]
< End of report >

We are having new browser concerns:

*The last site I visited last night was this site (this thread). When I first opened Firefox this evening, this page was trying to load, but in the statusbar, other site addresses flashed along with this one (Paypal, ebay, and something dentist related among others). I wasn't actually redirected to any sites (no new windows opened), but these other sites were trying to connect.

*Also, I ran a Webroot Quick Scan earlier today, and it found something called "winvestigator". I read about this program online and it seemed suspicious. After the Quick Scan, Webroot informed me that, due to the nature of this malware, I needed to run a Full Scan. I did that, and after a few attempts (the program crashed twice), two viruses were found: Mal/TDSSRt-A and Mal/WebStart-A. All three of these were listed as level 5 threats in Webroot (the two Mal's listed as viruses and the winvestigator listed as a System Monitor). All were quarantined.

This all sounds suspicious and possibly dangerous. Is it possible that all of our information, even from sites like ebay and Paypal, is jeopardized? This is the only computer we have access to, and getting to a clean non-public one would be VERY difficult. We have a laptop, but for some reason it cannot connect to our network. At this point it seems a re-install/reformat is imminent, but we still need to read info on how to do it all, and need to make sure all of our data is backed up. It's all so upsetting and frustrating...


In this case, I think the safest and easiest course of action would be this:

Let's make sure all your data is clean, and just leave this No Welcome screen/No Fast User Switching problem out for now.

Once we know everything is clean, the next step is making backups.

Once that is done, we can concentrate on the reformat/reinstall.

If you want, BTW, we can have a quick look at the internet connection of your laptop (please let me know how it is connected, or supposed to connect to the network).

Please let me know what you think of this :P


The laptop had been connected through a wireless router, a Linksys WRT54g v8. After changing our ISP from a DSL to a cable modem, the laptop no longer connects to the net, though it shows a connection to the wireless network. I'm also worried about any possible vulnerability through the router. Is this something we should be worried about?


Please run a new scan with combofix on the infected computer.

On the laptop, please click Start > Run, type services.msc in the Run box and press Enter. Scroll down to the DHCP service and verify if it is set to Automated and started. If not, please change it.

Post me the combofix log and let me know if the DHCP service was running on the laptop.
