
Browser redirect Virus



Hi there,

I believe you guys are doing a fantastic job. Thanks for being there for people like me.

I thought I was computer savvy, but this recent phenomenon on my laptop has proved otherwise. I (or rather my laptop) has been plagued for the last 10 days or so by browser redirects. It happens when I'm browsing and I get taken to sites like www.legalhunting.com or www.decorsearch.com.

I've been through the usual run of Spybot, Malwarebytes Malware Removal, CCleaner etc., but no luck so far.

So here I am seeking your help. Allow me to thank you in advance for investing your time and expertise in providing assistance.

Here's the OTL log, followed by the RKUnhooker log.

OTL Log

-------------------------------------------------

OTL logfile created on: 10/2/2010 2:54:33 PM - Run 1

OTL by OldTimer - Version 3.2.14.1 Folder = D:\Misc\Comp CleanUp\BleepingComputerStuff

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 62.00% Memory free

10.00 Gb Paging File | 9.00 Gb Available in Paging File | 93.00% Paging File free

Paging file location(s): [binary data over 100 bytes]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 58.59 Gb Total Space | 35.70 Gb Free Space | 60.92% Space Free | Partition Type: NTFS

Drive D: | 53.19 Gb Total Space | 28.73 Gb Free Space | 54.01% Space Free | Partition Type: NTFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: DON

Current User Name: User

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: On

Skip Microsoft Files: On

File Age = 90 Days

Output = Standard

Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/10/02 14:39:10 | 000,575,488 | ---- | M] (OldTimer Tools) -- D:\Misc\Comp CleanUp\BleepingComputerStuff\OTL.exe

PRC - [2010/09/26 18:50:25 | 000,864,624 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

PRC - [2010/09/26 18:50:24 | 001,355,928 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

PRC - [2010/09/21 11:10:50 | 000,977,976 | ---- | M] (Google Inc.) -- C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

PRC - [2010/08/24 21:41:52 | 001,032,704 | ---- | M] (tesla Corporation) -- C:\WINDOWS\ORCLOBI\MyDesktop\MyDesktopService.exe

PRC - [2010/03/10 10:06:00 | 000,398,768 | ---- | M] (Array Networks, Inc.) -- C:\Program Files\Array Networks\Common\8,4,0,264\arr_isrv.exe

PRC - [2010/03/10 10:05:48 | 000,239,024 | ---- | M] (Array Networks, Inc.) -- C:\Program Files\Array Networks\Array SSL VPN\8,4,0,264\arr_srvs.exe

PRC - [2010/02/16 14:20:20 | 000,035,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe

PRC - [2010/02/16 14:20:16 | 001,498,224 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe

PRC - [2010/01/06 20:07:00 | 000,147,472 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe

PRC - [2010/01/06 20:07:00 | 000,124,240 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe

PRC - [2010/01/06 20:07:00 | 000,070,728 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\mfevtps.exe

PRC - [2010/01/06 20:07:00 | 000,066,896 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

PRC - [2010/01/06 20:07:00 | 000,027,960 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe

PRC - [2010/01/06 20:07:00 | 000,022,816 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe

PRC - [2009/10/14 00:48:12 | 000,470,016 | ---- | M] (tesla) -- C:\WINDOWS\ORCLOBI\MyDesktop\MyDesktopQOS.exe

PRC - [2009/09/22 16:00:00 | 000,226,624 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\naPrdMgr.exe

PRC - [2009/09/22 16:00:00 | 000,136,512 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\UdaterUI.exe

PRC - [2009/09/22 16:00:00 | 000,103,744 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe

PRC - [2009/09/22 16:00:00 | 000,091,456 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\McTray.exe

PRC - [2008/10/15 17:13:58 | 000,439,632 | ---- | M] (RealVNC Ltd.) -- C:\Program Files\RealVNC\VNC4\winvnc4.exe

PRC - [2008/08/29 13:58:16 | 001,528,608 | ---- | M] (Cisco Systems, Inc.) -- c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2007/05/23 23:59:36 | 000,122,880 | ---- | M] (CrypKey (Canada) Ltd.) -- C:\WINDOWS\system32\Crypserv.exe

========== Modules (SafeList) ==========

MOD - [2010/10/02 14:39:10 | 000,575,488 | ---- | M] (OldTimer Tools) -- D:\Misc\Comp CleanUp\BleepingComputerStuff\OTL.exe

MOD - [2009/07/12 01:12:06 | 000,632,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll

MOD - [2009/07/11 19:41:02 | 000,097,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd\ATL80.dll

MOD - [2009/03/06 04:33:26 | 000,961,888 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveUtil.dll

MOD - [2009/02/12 15:19:38 | 000,178,040 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

MOD - [2009/02/12 15:19:32 | 002,217,848 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

MOD - [2008/10/25 11:44:34 | 000,022,872 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveNew.dll

MOD - [2008/04/14 05:40:22 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx

MOD - [2008/04/13 23:07:58 | 000,208,384 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rsaenh.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)

SRV - [2010/09/26 18:50:24 | 001,355,928 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)

SRV - [2010/08/24 21:41:52 | 001,032,704 | ---- | M] (tesla Corporation) [Auto | Running] -- C:\WINDOWS\ORCLOBI\MyDesktop\MyDesktopService.exe -- (MyDesktopWindows)

SRV - [2010/03/10 10:06:00 | 000,398,768 | ---- | M] (Array Networks, Inc.) [Auto | Running] -- C:\Program Files\Array Networks\Common\8,4,0,264\arr_isrv.exe -- (Array_Utility_Service8.4.0.264)

SRV - [2010/03/10 10:05:48 | 000,239,024 | ---- | M] (Array Networks, Inc.) [Auto | Running] -- C:\Program Files\Array Networks\Array SSL VPN\8,4,0,264\arr_srvs.exe -- (ArraySSL_VPN_Service8.4.0.264)

SRV - [2010/02/16 14:20:20 | 000,035,696 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe -- (hips)

SRV - [2010/02/16 14:20:16 | 001,498,224 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe -- (enterceptAgent)

SRV - [2010/01/06 20:07:00 | 000,147,472 | ---- | M] (McAfee, Inc.) [unknown | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe -- (McShield)

SRV - [2010/01/06 20:07:00 | 000,070,728 | ---- | M] (McAfee, Inc.) [unknown | Running] -- C:\WINDOWS\system32\mfevtps.exe -- (mfevtp)

SRV - [2010/01/06 20:07:00 | 000,066,896 | ---- | M] (McAfee, Inc.) [unknown | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe -- (McTaskManager)

SRV - [2010/01/06 20:07:00 | 000,022,816 | ---- | M] (McAfee, Inc.) [unknown | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe -- (McAfeeEngineService)

SRV - [2009/10/15 10:48:52 | 000,016,152 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Freedom Scientific\JAWS\11.0\JTVNCProxy.exe -- (JTVNCProxy_11.0)

SRV - [2009/10/14 00:48:12 | 000,470,016 | ---- | M] (tesla) [Auto | Running] -- C:\WINDOWS\ORCLOBI\MyDesktop\MyDesktopQOS.exe -- (QOSMyDesktop)

SRV - [2009/09/22 16:00:00 | 000,103,744 | ---- | M] (McAfee, Inc.) [unknown | Running] -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)

SRV - [2008/10/15 17:13:58 | 000,439,632 | ---- | M] (RealVNC Ltd.) [Auto | Running] -- C:\Program Files\RealVNC\VNC4\WinVNC4.exe -- (WinVNC4)

SRV - [2008/08/29 13:58:16 | 001,528,608 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)

SRV - [2007/05/23 23:59:36 | 000,122,880 | ---- | M] (CrypKey (Canada) Ltd.) [Auto | Running] -- C:\WINDOWS\System32\Crypserv.exe -- (Crypkey License)

SRV - [2006/09/02 16:36:33 | 002,528,960 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_1.EXE -- (LiveUpdate)

========== Driver Services (SafeList) ==========

DRV - [2010/08/12 17:45:20 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)

DRV - [2010/08/12 17:45:19 | 000,015,008 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Program Files\Lavasoft\Ad-Aware\kernexplorer.sys -- (Lavasoft Kernexplorer)

DRV - [2010/02/16 14:20:18 | 000,107,896 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HIPK.sys -- (HIPK)

DRV - [2010/02/16 14:20:18 | 000,038,680 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HIPPSK.sys -- (HIPPSK)

DRV - [2010/02/16 14:20:18 | 000,035,584 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HIPQK.sys -- (HIPQK)

DRV - [2010/02/16 14:20:18 | 000,030,952 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\firelm01.sys -- (firelm01)

DRV - [2010/02/16 14:20:16 | 000,145,616 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\FireTDI.sys -- (FireTDI)

DRV - [2010/02/16 14:20:16 | 000,138,528 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\Drivers\FirePM.sys -- (FirePM)

DRV - [2010/01/06 20:07:00 | 000,343,920 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)

DRV - [2010/01/06 20:07:00 | 000,091,832 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)

DRV - [2010/01/06 20:07:00 | 000,075,704 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)

DRV - [2010/01/06 20:07:00 | 000,066,600 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)

DRV - [2010/01/06 20:07:00 | 000,064,208 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdik.sys -- (mfetdik)

DRV - [2010/01/06 20:07:00 | 000,043,288 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)

DRV - [2009/10/21 23:29:24 | 000,003,712 | ---- | M] (tesla Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\owcmirrorminiV1.sys -- (owcmirrorV1)

DRV - [2009/10/15 10:53:10 | 000,014,880 | ---- | M] (Freedom Scientific BLV Group, LLC.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\powerbrl.sys -- (PowerBrl)

DRV - [2009/09/03 20:15:14 | 000,016,256 | ---- | M] (Array Networks, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\atpdrvr.sys -- (ATP)

DRV - [2009/04/09 17:52:59 | 001,123,328 | ---- | M] (Broadcom Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)

DRV - [2009/04/09 17:52:42 | 000,042,496 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)

DRV - [2009/04/09 17:52:42 | 000,039,936 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)

DRV - [2009/04/09 17:52:42 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)

DRV - [2008/10/17 15:26:24 | 000,044,680 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\firehk.sys -- (FirehkMP)

DRV - [2008/10/17 15:26:24 | 000,044,680 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\firehk.sys -- (Firehk)

DRV - [2008/08/29 13:57:18 | 000,306,299 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)

DRV - [2008/05/23 16:46:12 | 000,010,848 | ---- | M] (tesla Corp.) [Kernel | Unknown | Stopped] -- C:\WINDOWS\system32\drivers\dsload.sys -- (dsload)

DRV - [2008/04/14 12:45:14 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)

DRV - [2008/04/13 22:06:06 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)

DRV - [2008/03/29 17:36:28 | 000,125,328 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)

DRV - [2007/10/09 14:32:38 | 000,581,632 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CHDAud.sys -- (HdAudAddService)

DRV - [2007/08/24 23:52:56 | 005,776,928 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)

DRV - [2007/05/02 02:45:54 | 000,016,896 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\ckldrv.sys -- (NetworkX)

DRV - [2007/01/18 18:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)

DRV - [2006/08/28 13:42:28 | 000,990,592 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)

DRV - [2006/08/28 13:41:08 | 000,208,384 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)

DRV - [2006/08/28 13:40:56 | 000,728,576 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-73586283-1425521274-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie

IE - HKU\S-1-5-21-73586283-1425521274-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://search.pandion.im/#q=%s

IE - HKU\S-1-5-21-73586283-1425521274-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank

IE - HKU\S-1-5-21-73586283-1425521274-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKU\S-1-5-21-73586283-1425521274-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.pandion.im/#q=%s

IE - HKU\S-1-5-21-73586283-1425521274-1417001333-1003\..\URLSearchHook: {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - Reg Error: Key error. File not found

IE - HKU\S-1-5-21-73586283-1425521274-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

========== FireFox ==========

FF - prefs.js..browser.search.update: false

FF - prefs.js..browser.startup.homepage: "http://search.pandion.im/"

FF - prefs.js..extensions.enabledItems: firebug@software.joehewitt.com:1.4.5

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.6.6.20090220

FF - prefs.js..extensions.enabledItems: james.nurthen@tesla.com:0.3.6

FF - prefs.js..extensions.enabledItems: {a6fd85ed-e919-4a43-a5af-8da18bda539f}:1.0.7

FF - prefs.js..keyword.URL: "http://toolbar.ask.com/toolbarv/askRedirect?o=10615&gct=&gc=1&q="

FF - prefs.js..network.proxy.autoconfig_url: "http://wpad/wpad.dat"

FF - prefs.js..network.proxy.ftp_port: 80

FF - prefs.js..network.proxy.gopher_port: 80

FF - prefs.js..network.proxy.http_port: 80

FF - prefs.js..network.proxy.no_proxies_on: "localhost,127.0.0.1"

FF - prefs.js..network.proxy.socks_port: 80

FF - prefs.js..network.proxy.ssl_port: 80

FF - prefs.js..network.proxy.type: 1

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/15 15:56:44 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/05/12 12:09:53 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.4\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/04/07 16:55:04 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.4\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2010/04/07 16:55:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Extensions

[2010/04/07 16:55:12 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\User\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}

[2010/09/27 20:50:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\ciano7aq.default\extensions

[2010/07/08 13:32:18 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\ciano7aq.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

[2009/10/12 17:04:38 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\ciano7aq.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

[2010/09/02 13:50:47 | 000,000,000 | ---D | M] (Selenium IDE) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\ciano7aq.default\extensions\{a6fd85ed-e919-4a43-a5af-8da18bda539f}

[2009/11/09 15:15:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\ciano7aq.default\extensions\firebug@software.joehewitt.com

[2010/08/06 11:45:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\ciano7aq.default\extensions\james.nurthen@tesla.com

[2010/09/27 20:50:14 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

[2009/10/22 20:07:00 | 000,023,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Mozilla Firefox\components\Scriptff.dll

O1 HOSTS File: ([2010/09/26 11:38:13 | 000,419,407 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: 127.0.0.1 www.007guard.com

O1 - Hosts: 127.0.0.1 007guard.com

O1 - Hosts: 127.0.0.1 008i.com

O1 - Hosts: 127.0.0.1 www.008k.com

O1 - Hosts: 127.0.0.1 008k.com

O1 - Hosts: 127.0.0.1 www.00hq.com

O1 - Hosts: 127.0.0.1 00hq.com

O1 - Hosts: 127.0.0.1 010402.com

O1 - Hosts: 127.0.0.1 www.032439.com

O1 - Hosts: 127.0.0.1 032439.com

O1 - Hosts: 127.0.0.1 www.0scan.com

O1 - Hosts: 127.0.0.1 0scan.com

O1 - Hosts: 127.0.0.1 1000gratisproben.com

O1 - Hosts: 127.0.0.1 www.1000gratisproben.com

O1 - Hosts: 127.0.0.1 1001namen.com

O1 - Hosts: 127.0.0.1 www.1001namen.com

O1 - Hosts: 127.0.0.1 100888290cs.com

O1 - Hosts: 127.0.0.1 www.100888290cs.com

O1 - Hosts: 127.0.0.1 www.100sexlinks.com

O1 - Hosts: 127.0.0.1 100sexlinks.com

O1 - Hosts: 127.0.0.1 10sek.com

O1 - Hosts: 127.0.0.1 www.10sek.com

O1 - Hosts: 127.0.0.1 www.1-2005-search.com

O1 - Hosts: 127.0.0.1 1-2005-search.com

O1 - Hosts: 14474 more lines...

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.

O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)

O3 - HKLM\..\Toolbar: (no name) - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - No CLSID value found.

O3 - HKU\S-1-5-21-73586283-1425521274-1417001333-1003\..\Toolbar\ShellBrowser: (no name) - {FE063DB9-4EC0-403E-8DD8-394C54984B2C} - No CLSID value found.

O3 - HKU\S-1-5-21-73586283-1425521274-1417001333-1003\..\Toolbar\WebBrowser: (no name) - {FE063DB9-4EC0-403E-8DD8-394C54984B2C} - No CLSID value found.

O4 - HKU\.DEFAULT..\RunOnce: [_nltide_2] File not found

O4 - HKU\S-1-5-18..\RunOnce: [_nltide_2] File not found

O4 - HKU\S-1-5-19..\RunOnce: [_nltide_2] File not found

O4 - HKU\S-1-5-20..\RunOnce: [_nltide_2] File not found

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk = File not found

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-73586283-1425521274-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)

O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)

O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)

O16 - DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} http://picasaweb.google.com/s/v/59.08/uploader2.cab (UploadListView Class)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)

O16 - DPF: {B6648EB8-2460-484F-9255-9654454C4C70} https://adc-tele-sslvpn.tesla.com/prx/000/h...lhost/arr_x.cab (ArrVPNAX Control)

O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 125.22.47.125 202.56.250.5

O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)

O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)

O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: TaskMan - (C:\Documents and Settings\User\Application Data\rmhzb.exe) - C:\Documents and Settings\User\Application Data\rmhzb.exe ()

O20 - HKU\S-1-5-21-73586283-1425521274-1417001333-1003 Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKU\S-1-5-21-73586283-1425521274-1417001333-1003 Winlogon: Shell - (C:\Documents and Settings\User\Application Data\rmhzb.exe) - C:\Documents and Settings\User\Application Data\rmhzb.exe ()

O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)

O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\System32\NavLogon.dll File not found

O24 - Desktop WallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2009/10/01 06:47:19 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O33 - MountPoints2\{1cf29988-3694-11df-84fe-001a7387ad81}\Shell\AutoRun\command - "" = Empty/autorun.exe

O33 - MountPoints2\{1cf29988-3694-11df-84fe-001a7387ad81}\Shell\explore\command - "" = Empty/autorun.exe

O33 - MountPoints2\{1cf29988-3694-11df-84fe-001a7387ad81}\Shell\open\command - "" = Empty/autorun.exe

O33 - MountPoints2\{9eedfe4c-0fc1-11df-84dc-001a7387ad81}\Shell\AutoRun - "" = Auto&Play

O33 - MountPoints2\{9eedfe4c-0fc1-11df-84dc-001a7387ad81}\Shell\AutoRun\command - "" = F:\sejo\\kalac.exe -- File not found

O33 - MountPoints2\{9eedfe4c-0fc1-11df-84dc-001a7387ad81}\Shell\explore\command - "" = F:\sejo\kalac.exe -- File not found

O33 - MountPoints2\{9eedfe4c-0fc1-11df-84dc-001a7387ad81}\Shell\open\command - "" = F:\sejo\\kalac.exe -- File not found

O33 - MountPoints2\{e86dcaea-ae2a-11de-845d-001a7387ad81}\Shell\AutoRun\command - "" = F:\My_Personal_Data.exe -- File not found

O33 - MountPoints2\{e86dcaea-ae2a-11de-845d-001a7387ad81}\Shell\MENU\command - "" = F:\My_Personal_Data.exe -- File not found

O33 - MountPoints2\{e86dcaeb-ae2a-11de-845d-001a7387ad81}\Shell\AutoRun\command - "" = G:\My_Personal_Data.exe -- File not found

O33 - MountPoints2\{e86dcaeb-ae2a-11de-845d-001a7387ad81}\Shell\MENU\command - "" = G:\My_Personal_Data.exe -- File not found

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010/12/14 09:11:51 | 000,000,000 | ---D | C] -- C:\Program Files\PuTTY

[2010/12/13 14:51:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\Array NetWorks

[2010/12/13 14:50:26 | 000,000,000 | ---D | C] -- C:\Program Files\Array Networks

[2010/12/13 14:50:12 | 000,247,216 | ---- | C] (Array Networks, Inc.) -- C:\WINDOWS\System32\ArrayApi.dll

[2010/12/13 14:50:12 | 000,079,280 | ---- | C] (Array Networks, Inc.) -- C:\WINDOWS\System32\arr_getp.exe

[2010/12/13 14:50:11 | 000,090,112 | ---- | C] (Array Networks, Inc.) -- C:\WINDOWS\System32\arr_ndjni.dll

[2010/10/01 08:16:38 | 000,040,328 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\HIPIS0e011b3.dll

[2010/09/28 19:19:45 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro

[2010/09/28 19:10:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\Spyware Toolkit

[2010/09/26 18:50:47 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys

[2010/09/26 18:33:25 | 000,064,288 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys

[2010/09/26 12:48:43 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}

[2010/09/26 12:48:19 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft

[2010/09/26 12:48:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft

[2010/09/26 10:35:07 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy

[2010/09/26 10:35:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

[2010/09/26 09:49:26 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner

[2010/09/26 07:58:18 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/09/26 07:58:17 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2010/09/26 07:58:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2010/09/26 07:58:16 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2010/09/24 16:12:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\FF

[2010/08/23 09:43:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\Help

[2010/08/23 09:43:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Help

[2010/08/17 10:00:10 | 002,612,568 | ---- | C] (tesla) -- C:\Documents and Settings\User\Desktop\BeehiveConferencingSetup,dfbeehive#tesla#com,443.exe

[2010/08/02 09:43:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage

[2010/08/02 09:43:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Office Genuine Advantage

[2010/08/01 18:35:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-TW

[2010/08/01 18:35:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-HK

[2010/08/01 18:35:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\tr-TR

[2010/08/01 18:35:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\sv-SE

[2010/08/01 18:35:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\pt-BR

[2010/08/01 18:35:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\nl-NL

[2010/08/01 18:35:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\nb-NO

[2010/08/01 18:35:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ko-KR

[2010/08/01 18:35:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\it-IT

[2010/08/01 18:35:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\he-IL

[2010/08/01 18:35:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\fr-FR

[2010/08/01 18:35:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\fi-FI

[2010/08/01 18:35:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\es-ES

[2010/08/01 18:35:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\el-GR

[2010/08/01 18:35:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\de-DE

[2010/08/01 18:35:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\da-DK

[2010/08/01 18:35:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ar-SA

[2010/07/25 11:36:11 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight

[2010/07/08 08:22:08 | 000,000,000 | ---D | C] -- C:\ae2da6ac8a6cfdb119051fd4da05a9

[2010/07/07 09:21:49 | 000,000,000 | ---D | C] -- C:\55071c33244ace9564073d6de6a0

[2010/07/06 09:00:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\KB905474

[2010/07/06 08:50:29 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8updates

[2010/07/06 08:49:54 | 000,000,000 | ---D | C] -- C:\Program Files\MSXML 4.0

[2010/07/05 09:15:47 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\PreInstall

[2010/07/05 09:15:43 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$hf_mig$

[4 C:\Program Files\*.tmp files -> C:\Program Files\*.tmp -> ]

[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/12/13 15:45:42 | 000,000,020 | ---- | M] () -- C:\WINDOWS\TestSupp.ini

[2010/12/13 14:16:00 | 000,002,240 | ---- | M] () -- C:\WINDOWS\System32\esnecil.ind

[2010/12/13 14:16:00 | 000,000,004 | ---- | M] () -- C:\WINDOWS\vx86036.dat

[2010/10/02 14:26:00 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-73586283-1425521274-1417001333-1003UA.job

[2010/10/02 13:42:18 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\User\defogger_reenable

[2010/10/02 10:26:00 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-73586283-1425521274-1417001333-1003Core.job

[2010/10/02 08:51:02 | 000,512,960 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI

[2010/10/02 08:51:02 | 000,435,828 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2010/10/02 08:51:02 | 000,068,558 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2010/10/02 08:49:49 | 000,002,433 | ---- | M] () -- C:\Documents and Settings\User\Desktop\VPN Client.lnk

[2010/10/02 08:49:27 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job

[2010/10/02 08:49:26 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job

[2010/10/02 07:39:02 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job

[2010/10/02 07:38:06 | 000,040,866 | ---- | M] () -- C:\WINDOWS\System32\api_hook_list.dat

[2010/10/02 07:37:55 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/10/02 07:37:53 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/10/01 23:04:39 | 009,699,328 | -H-- | M] () -- C:\Documents and Settings\User\NTUSER.DAT

[2010/10/01 23:04:39 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\User\ntuser.ini

[2010/09/30 08:36:36 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/09/29 23:16:56 | 002,108,714 | -H-- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\IconCache.db

[2010/09/27 15:26:38 | 070,908,864 | ---- | M] () -- C:\Documents and Settings\User\WebCenterICSetup.zip

[2010/09/26 18:50:46 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys

[2010/09/26 12:48:41 | 000,000,885 | ---- | M] () -- C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\Ad-Aware.lnk

[2010/09/26 11:38:13 | 000,419,407 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts

[2010/09/26 07:49:38 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini

[2010/09/25 20:31:35 | 000,000,582 | ---- | M] () -- C:\WINDOWS\win.ini

[2010/09/25 20:31:35 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini

[2010/09/25 20:31:35 | 000,000,211 | R--- | M] () -- C:\boot.ini

[2010/09/24 18:50:57 | 000,001,746 | -H-- | M] () -- C:\Documents and Settings\User\My Documents\Default.rdp

[2010/09/24 14:36:21 | 000,000,600 | ---- | M] () -- C:\Documents and Settings\User\Application Data\winscp.rnd

[2010/09/24 08:27:17 | 000,002,277 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Google Chrome.lnk

[2010/09/24 08:27:17 | 000,002,255 | ---- | M] () -- C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk

[2010/09/22 17:01:00 | 000,136,192 | RHS- | M] () -- C:\Documents and Settings\User\Application Data\rmhzb.exe

[2010/09/20 15:36:02 | 000,000,094 | ---- | M] () -- C:\Documents and Settings\User\Desktop\test.html

[2010/09/18 09:21:51 | 000,012,340 | ---- | M] () -- C:\Documents and Settings\User\My Documents\Ticket Reservation_PAPA.docx

[2010/09/11 21:11:45 | 000,077,824 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/09/09 01:22:30 | 000,136,512 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\KevlarSigs.dll

[2010/09/01 20:00:42 | 000,000,218 | ---- | M] () -- C:\Documents and Settings\User\.recently-used.xbel

[2010/08/17 10:00:48 | 002,612,568 | ---- | M] (tesla) -- C:\Documents and Settings\User\Desktop\BeehiveConferencingSetup,dfbeehive#tesla#com,443.exe

[2010/08/12 17:45:20 | 000,064,288 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys

[2010/08/12 11:49:29 | 000,313,968 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2010/08/10 22:44:59 | 000,003,656 | -HS- | M] () -- C:\WINDOWS\System32\drivers\OneNote Table Of Contents.onetoc2

[2010/08/10 22:44:56 | 000,003,656 | -HS- | M] () -- C:\WINDOWS\System32\OneNote Table Of Contents.onetoc2

[2010/08/08 11:02:16 | 000,074,184 | ---- | M] () -- C:\Documents and Settings\User\My Documents\RISHI2010.TAX

[2010/08/08 10:22:13 | 000,073,000 | ---- | M] () -- C:\Documents and Settings\User\My Documents\RISHI2010.BAK

[2010/08/08 10:09:25 | 000,001,704 | ---- | M] () -- C:\Documents and Settings\User\Desktop\e-tax 2010.lnk

[2010/08/04 13:18:05 | 000,002,330 | ---- | M] () -- C:\Documents and Settings\User\Desktop\tesla Beehive Conferencing.lnk

[2010/08/04 12:04:20 | 000,000,600 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\PUTTY.RND

[2010/07/29 17:33:59 | 000,083,904 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

[2010/07/26 17:17:10 | 000,000,256 | ---- | M] () -- C:\WINDOWS\System32\pool.bin

[2010/07/05 09:24:02 | 000,001,686 | ---- | M] () -- C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Thunderbird.lnk

[4 C:\Program Files\*.tmp files -> C:\Program Files\*.tmp -> ]

[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/12/14 09:30:43 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\PUTTY.RND

[2010/12/13 15:32:51 | 000,001,593 | ---- | C] () -- C:\WINDOWS\VPNUnInstall.MIF

[2010/10/02 13:42:18 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\User\defogger_reenable

[2010/10/02 07:38:06 | 000,040,866 | ---- | C] () -- C:\WINDOWS\System32\api_hook_list.dat

[2010/09/27 14:59:28 | 070,908,864 | ---- | C] () -- C:\Documents and Settings\User\WebCenterICSetup.zip

[2010/09/26 18:37:08 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job

[2010/09/26 12:48:41 | 000,000,885 | ---- | C] () -- C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\Ad-Aware.lnk

[2010/09/22 17:01:03 | 000,136,192 | RHS- | C] () -- C:\Documents and Settings\User\Application Data\rmhzb.exe

[2010/09/20 15:28:36 | 000,000,094 | ---- | C] () -- C:\Documents and Settings\User\Desktop\test.html

[2010/09/18 09:21:50 | 000,012,340 | ---- | C] () -- C:\Documents and Settings\User\My Documents\Ticket Reservation_PAPA.docx

[2010/09/01 20:00:42 | 000,000,218 | ---- | C] () -- C:\Documents and Settings\User\.recently-used.xbel

[2010/08/10 22:44:59 | 000,003,656 | -HS- | C] () -- C:\WINDOWS\System32\drivers\OneNote Table Of Contents.onetoc2

[2010/08/10 22:44:55 | 000,003,656 | -HS- | C] () -- C:\WINDOWS\System32\OneNote Table Of Contents.onetoc2

[2010/08/04 13:18:05 | 000,002,330 | ---- | C] () -- C:\Documents and Settings\User\Desktop\tesla Beehive Conferencing.lnk

[2010/08/01 18:35:49 | 000,000,236 | ---- | C] () -- C:\WINDOWS\tasks\OGALogon.job

[2010/07/06 09:00:20 | 000,000,260 | ---- | C] () -- C:\WINDOWS\tasks\WGASetup.job

[2010/07/05 09:24:02 | 000,001,686 | ---- | C] () -- C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Thunderbird.lnk

[2010/04/12 13:30:47 | 000,000,046 | ---- | C] () -- C:\WINDOWS\Crypkey.ini

[2010/04/12 13:30:44 | 000,016,896 | ---- | C] () -- C:\WINDOWS\System32\Ckldrv.sys

[2010/04/12 13:30:43 | 000,018,432 | ---- | C] () -- C:\WINDOWS\Setup_ck.dll

[2010/04/12 13:27:52 | 000,000,020 | ---- | C] () -- C:\WINDOWS\TestSupp.ini

[2009/12/25 13:22:19 | 000,077,824 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2009/11/09 14:00:45 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\User\Application Data\winscp.rnd

[2009/10/15 11:08:08 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\wa4jfw.dll

[2009/10/03 06:12:23 | 000,000,018 | ---- | C] () -- C:\WINDOWS\System32\DPP(10).dll

[2009/10/03 02:56:57 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini

[2009/10/03 02:56:21 | 000,000,018 | ---- | C] () -- C:\WINDOWS\System32\DPP(9).dll

[2009/10/03 00:23:49 | 000,000,018 | ---- | C] () -- C:\WINDOWS\System32\DPP(8).dll

[2009/10/02 20:07:16 | 000,000,018 | ---- | C] () -- C:\WINDOWS\System32\DPP(7).dll

[2009/10/02 07:24:26 | 000,000,018 | ---- | C] () -- C:\WINDOWS\System32\DPP(6).dll

[2009/10/02 06:26:50 | 000,000,018 | ---- | C] () -- C:\WINDOWS\System32\DPP(5).dll

[2009/10/01 19:59:46 | 000,000,018 | ---- | C] () -- C:\WINDOWS\System32\DPP(4).dll

[2009/10/01 07:24:03 | 000,000,192 | ---- | C] () -- C:\WINDOWS\winamp.ini

[2009/10/01 07:18:18 | 000,000,018 | ---- | C] () -- C:\WINDOWS\System32\DPP(3).dll

[2009/10/01 07:12:20 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4864.dll

[2009/10/01 07:11:57 | 000,000,018 | ---- | C] () -- C:\WINDOWS\System32\DPP(2).dll

[2009/10/01 07:11:50 | 000,000,018 | ---- | C] () -- C:\WINDOWS\System32\DPP(1).dll

[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll

[2009/04/09 17:52:42 | 000,016,480 | ---- | C] () -- C:\WINDOWS\System32\rixdicon.dll

[2008/08/29 13:58:26 | 000,197,408 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll

[2008/08/29 13:58:16 | 000,193,312 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll

[2008/04/14 05:41:58 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\amyrngd.dll

[2008/04/14 05:41:58 | 000,000,204 | ---- | C] () -- C:\WINDOWS\System32\rvcia11.dll

[2008/04/14 05:41:58 | 000,000,016 | -H-- | C] () -- C:\WINDOWS\System32\wjqhj2y.dll

[2007/06/20 12:17:44 | 000,000,380 | ---- | C] () -- C:\WINDOWS\dcmuser.ini

========== LOP Check ==========

[2010/01/02 18:43:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Azureus

[2010/03/31 10:31:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Freedom Scientific

[2010/09/26 12:48:44 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}

[2010/10/02 09:36:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\.purple

[2010/04/05 07:26:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\.purple.bak.1

[2010/05/17 09:33:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\.purple.bak.2

[2010/07/26 06:36:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Azureus

[2010/09/27 21:04:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\EditPlus 3

[2010/03/31 10:35:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Freedom Scientific

[2010/09/06 12:29:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\gtk-2.0

[2010/05/05 15:48:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\tesla

[2010/04/07 15:56:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Pandion

[2010/04/17 14:48:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Research In Motion

[2010/04/07 16:55:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Thunderbird

[2010/10/02 07:39:02 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job

[2010/10/02 08:49:27 | 000,000,236 | ---- | M] () -- C:\WINDOWS\Tasks\OGALogon.job

[2010/10/02 08:49:26 | 000,000,260 | ---- | M] () -- C:\WINDOWS\Tasks\WGASetup.job

========== Purity Check ==========

< End of report >

---------------------------------

EXTRAS LOG

----------------------------

OTL Extras logfile created on: 10/2/2010 2:54:33 PM - Run 1

OTL by OldTimer - Version 3.2.14.1 Folder = D:\Misc\Comp CleanUp\BleepingComputerStuff

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 62.00% Memory free

10.00 Gb Paging File | 9.00 Gb Available in Paging File | 93.00% Paging File free

Paging file location(s): [binary data over 100 bytes]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 58.59 Gb Total Space | 35.70 Gb Free Space | 60.92% Space Free | Partition Type: NTFS

Drive D: | 53.19 Gb Total Space | 28.73 Gb Free Space | 54.01% Space Free | Partition Type: NTFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: DON

Current User Name: User

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: On

Skip Microsoft Files: On

File Age = 90 Days

Output = Standard

Quick Scan

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-73586283-1425521274-1417001333-1003\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)

Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]

"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]

"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"C:\Program Files\ZoomText 9.1\Zt.exe" = C:\Program Files\ZoomText 9.1\Zt.exe:LocalSubNet:Enabled:ZoomText 9.1 -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)

"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)

"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)

"C:\Program Files\Google\Google Talk\googletalk.exe" = C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk -- (Google)

"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- File not found

"C:\Program Files\Microsoft Office\Office12\WINWORD.EXE" = C:\Program Files\Microsoft Office\Office12\WINWORD.EXE:*:Enabled:Microsoft Office Word -- (Microsoft Corporation)

"C:\Program Files\McAfee\Common Framework\FrameworkService.exe" = C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service -- (McAfee, Inc.)

"C:\Documents and Settings\User\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.dll" = C:\Documents and Settings\User\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.dll:*:Enabled:Google Talk Plugin -- (Google)

"C:\Documents and Settings\User\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe" = C:\Documents and Settings\User\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin -- (Google)

"C:\Program Files\Psi\Psi.exe" = C:\Program Files\Psi\Psi.exe:*:Enabled:Psi -- ()

"C:\Program Files\Freedom Scientific\Activator\1.1\FSACTIVATE.EXE" = C:\Program Files\Freedom Scientific\Activator\1.1\FSACTIVATE.EXE:*:Enabled:Client Activator -- (Rainbow Technologies, Inc.)

"C:\Program Files\Vuze\Azureus.exe" = C:\Program Files\Vuze\Azureus.exe:*:Enabled:Azureus / Vuze -- (Vuze Inc.)

"C:\Program Files\ZoomText 9.1\Zt.exe" = C:\Program Files\ZoomText 9.1\Zt.exe:LocalSubNet:Enabled:ZoomText 9.1 -- File not found

"C:\Program Files\RealVNC\VNC4\vncviewer.exe" = C:\Program Files\RealVNC\VNC4\vncviewer.exe:*:Enabled:VNC Viewer Free Edition for Win32 -- (RealVNC Ltd.)

"C:\Program Files\TightVNC\WinVNC.exe" = C:\Program Files\TightVNC\WinVNC.exe:*:Enabled:TightVNC Win32 Server -- (TightVNC Group)

"C:\Program Files\Pidgin\pidgin.exe" = C:\Program Files\Pidgin\pidgin.exe:*:Enabled:Pidgin -- (The Pidgin developer community)

"D:\Namrata\eclipse-SDK-3.3-win32\eclipse\eclipse.exe" = D:\Namrata\eclipse-SDK-3.3-win32\eclipse\eclipse.exe:*:Enabled:eclipse -- File not found

"C:\WINDOWS\system32\mmc.exe" = C:\WINDOWS\system32\mmc.exe:*:Enabled:Microsoft Management Console -- (Microsoft Corporation)

"C:\WINDOWS\system32\java.exe" = C:\WINDOWS\system32\java.exe:*:Enabled:Java Platform SE binary -- (Sun Microsystems, Inc.)

"C:\WINDOWS\system32\ftp.exe" = C:\WINDOWS\system32\ftp.exe:*:Disabled:File Transfer Program -- (Microsoft Corporation)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{032794BC-0060-4B93-8B4E-7DE6D84610F7}" = Freedom Scientific Video Intercept

"{0DE2DBF4-A3D6-4C35-A66B-263367D56E65}" = Pandion

"{147BCE03-C0F1-4C9F-8157-6A89B6D2D973}" = McAfee VirusScan Enterprise

"{1F19423A-6072-44BC-8E03-3C645ED2301F}" = Freedom Scientific Utilities

"{226b64e8-dc75-4eea-a6c8-abcb496320f2}-Google Talk" = Google Talk (remove only)

"{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java 6 Update 14

"{2DE9A2AC-4FF3-4687-ABF3-6F423A4D7BED}" = Freedom Scientific FSReader 2.0

"{34A350D1-64FB-36D8-9D0C-1CD8E392DBA5}" = Google Talk Plugin

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{393711FE-64EB-4DC7-909E-5FB26D1270AA}" = Microsoft Sapi 5.1

"{4A8ABF7C-0DBB-41D9-8456-9CFC16F9B4BA}" = tesla Beehive Conferencing

"{4D612FB2-1AE7-4E46-9377-35BB2F06A787}" = Roxio Media Manager

"{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}" = Cisco Systems VPN Client 5.0.04.0300

"{615F5916-6AC0-4793-A991-8F6B4AD26445}" = prerequisite

"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD

"{689E0AB3-50B2-4E5A-9DCE-6DA9F5BE1314}" = BlackBerry


Please run the following scan:

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Hi,

Thanks for your help. Following is the combofix log. Before that, however, I'd like to highlight some points:

1. There are several suspicious entries in my hosts file

2. I use a wireless connection to connect to the internet via a router that is wired into the modem provided by the ISP. Could the router have been compromised here? Is there a way I can reset the router to fix a possible infection?

Combofix Log

----------------------------------------------

ComboFix 10-10-03.03 - User 10/04/2010 21:03:51.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1268 [GMT 5.5:30]

Running from: d:\misc\Comp CleanUp\BleepingComputerStuff\ComboFix.exe

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

FW: McAfee Host Intrusion Prevention Firewall *enabled* {2F1275E3-2F4F-43E9-944B-3F63F9BDA5F5}

* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Administrator\Application Data\rmhzb.exe

c:\documents and settings\User\Application Data\rmhzb.exe

c:\program files\cnsload_1276622722843.tmp

c:\program files\cnsload_1276623455468.tmp

c:\program files\cnsload_1276623683093.tmp

c:\program files\cnsload_1285736975843.tmp

c:\windows\system32\.log

.

((((((((((((((((((((((((( Files Created from 2010-09-04 to 2010-10-04 )))))))))))))))))))))))))))))))

.

2010-12-14 03:41 . 2010-12-14 03:42 -------- d-----w- c:\program files\PuTTY

2010-12-13 09:21 . 2010-12-13 09:21 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Array NetWorks

2010-12-13 09:20 . 2010-12-13 09:20 -------- d-----w- c:\program files\Array Networks

2010-12-13 09:20 . 2010-03-10 04:35 247216 ----a-w- c:\windows\system32\ArrayApi.dll

2010-12-13 09:20 . 2010-03-10 04:35 79280 ----a-w- c:\windows\system32\arr_getp.exe

2010-12-13 09:20 . 2010-03-10 04:33 90112 ----a-w- c:\windows\system32\arr_ndjni.dll

2010-10-04 04:01 . 2010-10-04 04:01 1713 ----a-w- c:\documents and settings\User\Application Data\.purple\certificates\x509\tls_peers\stbeehive.tesla.com

2010-10-03 03:45 . 2010-10-03 03:45 40866 ----a-w- c:\windows\system32\api_hook_list.dat

2010-10-03 03:45 . 2010-02-16 08:50 40328 ----a-w- c:\windows\system32\HIPIS0e011b3.dll

2010-10-01 02:49 . 2010-10-01 02:49 -------- d-sh--w- c:\documents and settings\Default User\IETldCache

2010-09-28 13:49 . 2010-09-28 13:49 -------- d-----w- c:\program files\Trend Micro

2010-09-27 09:29 . 2010-09-27 09:56 70908864 ----a-w- c:\documents and settings\User\WebCenterICSetup.zip

2010-09-26 13:20 . 2010-09-26 13:20 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-09-26 13:08 . 2010-09-26 13:08 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-09-26 13:03 . 2010-08-12 12:15 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-09-26 07:18 . 2010-09-26 07:18 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}

2010-09-26 07:18 . 2010-08-12 12:16 2979848 -c--a-w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}\Ad-AwareInstall.exe

2010-09-26 07:18 . 2010-09-26 13:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-09-26 07:18 . 2010-09-26 07:18 -------- d-----w- c:\program files\Lavasoft

2010-09-26 05:05 . 2010-09-26 06:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-09-26 05:05 . 2010-09-26 05:10 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-09-26 04:19 . 2010-09-26 04:19 -------- d-----w- c:\program files\CCleaner

2010-09-26 03:59 . 2010-09-26 03:59 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache

2010-09-26 02:29 . 2010-09-26 02:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-09-26 02:28 . 2010-04-29 10:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-09-26 02:28 . 2010-09-26 02:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-09-26 02:28 . 2010-04-29 10:09 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-09-26 02:28 . 2010-09-26 02:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-09-26 02:20 . 2010-09-26 02:20 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2010-09-26 02:18 . 2010-10-03 10:16 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2010-09-23 04:58 . 2010-09-23 05:00 4819176 ----a-w- c:\documents and settings\User\Application Data\tesla\Beehive\InstallFiles\5A074E06capm814B43124E566753E04400163E34794F0000002DEB09\BeehiveConferencingInstaller.exe

2010-09-17 06:02 . 2010-09-17 06:03 4819176 ----a-w- c:\documents and settings\User\Application Data\tesla\Beehive\InstallFiles\0E54598Bcapm61956F59CF5F45B9E04057941723617F00002120193D\BeehiveConferencingInstaller.exe

2010-09-09 10:57 . 2010-09-09 10:57 941 ----a-w- c:\documents and settings\User\Application Data\.purple\certificates\x509\tls_peers\adc2180764.us.tesla.com

2010-09-06 06:58 . 2010-09-06 06:58 1713 ----a-w- c:\documents and settings\User\Application Data\.purple\certificates\x509\tls_peers\dfbeehive.tesla.com

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-12-13 10:18 . 2010-04-12 08:01 -------- d-----w- c:\program files\ViaVoiceTTS

2010-12-13 08:46 . 2010-04-12 08:09 4 ----a-w- c:\windows\vx86036.dat

2010-10-04 14:36 . 2009-11-09 09:03 -------- d-----w- c:\documents and settings\User\Application Data\EditPlus 3

2010-10-04 14:24 . 2009-10-02 02:14 -------- d-----w- c:\documents and settings\User\Application Data\.purple

2010-10-02 17:30 . 2010-10-02 17:30 25022 ----a-w- c:\windows\RGI1B.tmp

2010-10-02 02:07 . 2010-07-25 06:06 -------- d-----w- c:\program files\Microsoft Silverlight

2010-09-28 13:14 . 2009-12-25 08:39 -------- d-----w- c:\documents and settings\User\Application Data\vlc

2010-09-16 00:30 . 2009-10-01 01:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-09-08 19:52 . 2009-12-02 09:11 136512 ----a-w- c:\windows\system32\KevlarSigs.dll

2010-09-06 06:59 . 2009-12-16 06:50 -------- d-----w- c:\documents and settings\User\Application Data\gtk-2.0

2010-08-31 06:41 . 2010-08-31 06:41 3401880 ----a-w- c:\documents and settings\User\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll

2010-08-31 06:25 . 2010-08-31 06:25 275096 ----a-w- c:\documents and settings\User\Application Data\Mozilla\plugins\npgoogletalk.dll

2010-08-31 06:09 . 2010-08-31 06:09 3734536 ----a-w- c:\documents and settings\User\Application Data\Mozilla\plugins\Google Talk Plugin Extras\d3dx9_36.dll

2010-08-18 18:28 . 2010-08-18 18:28 289280 ----a-w- c:\documents and settings\User\Application Data\tesla\Beehive\Conferencing\Versions\E3B1B9ED-2A9B-4BEC-909B-03A83218D3D7\beecomm.dll

2010-08-18 18:28 . 2010-08-18 18:28 289280 ----a-w- c:\documents and settings\User\Application Data\tesla\Beehive\Conferencing\Versions\C27E6F6B-C62A-4F2C-81A0-42C1C9D16415\beecomm.dll

2010-08-18 18:28 . 2010-08-18 18:28 1083904 ----a-w- c:\documents and settings\User\Application Data\tesla\Beehive\Conferencing\Versions\E3B1B9ED-2A9B-4BEC-909B-03A83218D3D7\bcpapi.dll

2010-08-18 18:28 . 2010-08-18 18:28 1083904 ----a-w- c:\documents and settings\User\Application Data\tesla\Beehive\Conferencing\Versions\C27E6F6B-C62A-4F2C-81A0-42C1C9D16415\bcpapi.dll

2010-08-18 18:28 . 2010-08-18 18:28 6608792 ----a-w- c:\documents and settings\User\Application Data\tesla\Beehive\Conferencing\Versions\E3B1B9ED-2A9B-4BEC-909B-03A83218D3D7\Conferencing.exe

2010-08-18 18:28 . 2010-08-18 18:28 6608792 ----a-w- c:\documents and settings\User\Application Data\tesla\Beehive\Conferencing\Versions\C27E6F6B-C62A-4F2C-81A0-42C1C9D16415\Conferencing.exe

2010-08-18 18:28 . 2010-08-18 18:28 233472 ----a-w- c:\documents and settings\User\Application Data\tesla\Beehive\Conferencing\Versions\E3B1B9ED-2A9B-4BEC-909B-03A83218D3D7\SharedWndSelection.dll

2010-08-18 18:28 . 2010-08-18 18:28 233472 ----a-w- c:\documents and settings\User\Application Data\tesla\Beehive\Conferencing\Versions\C27E6F6B-C62A-4F2C-81A0-42C1C9D16415\SharedWndSelection.dll

2010-08-18 11:48 . 2010-04-07 11:24 -------- d-----w- c:\program files\Mozilla Thunderbird

2010-08-17 13:17 . 2008-04-14 00:12 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-08-17 04:37 . 2010-08-17 04:34 4819096 ----a-w- c:\documents and settings\User\Application Data\tesla\Beehive\InstallFiles\0E54598Bcapm61956F59CF5F45B9E04057941723617F0000202C5A6B\BeehiveConferencingInstaller.exe

2010-08-10 17:14 . 2010-08-10 17:14 3656 --sha-w- c:\windows\system32\drivers\OneNote Table Of Contents.onetoc2

2010-08-08 04:39 . 2010-07-03 17:33 -------- d-----w- c:\program files\etax2010

2010-08-05 09:32 . 2010-08-05 09:30 4819096 ----a-w- c:\documents and settings\User\Application Data\tesla\Beehive\InstallFiles\334B3BF0capm38893C00F42F38A1E0404498C8A6612B0001DA81F79A\BeehiveConferencingInstaller.exe

2010-08-04 07:48 . 2010-08-04 07:48 81920 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{4A8ABF7C-0DBB-41D9-8456-9CFC16F9B4BA}\StartmenuShortcut_4A8ABF7C0DBB41D984569CFC16F9B4BA.exe

2010-08-04 07:48 . 2010-08-04 07:48 47948 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{4A8ABF7C-0DBB-41D9-8456-9CFC16F9B4BA}\ARPPRODUCTICON.exe

2010-08-04 07:48 . 2010-08-04 07:48 40692 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{4A8ABF7C-0DBB-41D9-8456-9CFC16F9B4BA}\DesktopShortcut_4A8ABF7C0DBB41D984569CFC16F9B4BA.exe

2010-08-04 07:42 . 2010-08-04 07:39 4820200 ----a-w- c:\documents and settings\User\Application Data\tesla\Beehive\InstallFiles\631F186Fcapm8CE827BCC21C33C6E040E50A6DBA3A8100000001AF5F\BeehiveConferencingInstaller.exe

2010-07-29 12:03 . 2009-10-01 01:52 83904 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-07-26 11:47 . 2010-04-17 09:19 256 ----a-w- c:\windows\system32\pool.bin

2010-07-22 15:49 . 2008-04-14 00:12 590848 ----a-w- c:\windows\system32\rpcrt4.dll

2010-07-22 05:57 . 2010-07-05 09:54 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2009-10-22 14:37 . 2009-12-02 09:02 23864 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll

.

------- Sigcheck -------

[-] 2009-04-09 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-24 135168]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-24 159744]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-24 131072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"_nltide_2"="shell32" [X]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk

backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk

backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]

path=c:\documents and settings\User\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2009-10-02 22:38 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]

2009-05-12 06:06 623888 ----a-w- c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2010-01-26 07:35 135664 ----atw- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]

2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]

2008-10-25 06:14 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]

2009-08-24 17:36 123392 ----a-w- c:\windows\system32\CHDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]

2008-10-24 03:44 206112 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfee Host Intrusion Prevention Tray]

2010-02-16 08:50 979104 ----a-w- c:\program files\McAfee\Host Intrusion Prevention\FireTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]

2009-09-22 10:30 136512 ----a-w- c:\program files\McAfee\Common Framework\UdaterUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 12:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2006-01-12 22:40 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

2003-12-09 00:35 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]

2009-04-11 08:47 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]

2010-01-06 14:37 124240 ----a-w- c:\program files\McAfee\VirusScan Enterprise\shstat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2009-10-02 02:31 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WMPNetworkSvc"=3 (0x3)

"RoxWatch9"=2 (0x2)

"RoxMediaDB9"=3 (0x3)

"RoxLiveShare9"=2 (0x2)

"Roxio Upnp Server 9"=2 (0x2)

"Roxio UPnP Renderer 9"=3 (0x3)

"Microsoft Office Groove Audit Service"=3 (0x3)

"gusvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\WINWORD.EXE"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

"c:\\Documents and Settings\\User\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=

"c:\\Documents and Settings\\User\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Program Files\\Psi\\Psi.exe"=

"c:\\Program Files\\Freedom Scientific\\Activator\\1.1\\FSACTIVATE.EXE"=

"c:\\Program Files\\Vuze\\Azureus.exe"=

"c:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe"=

"c:\\Program Files\\TightVNC\\WinVNC.exe"=

"c:\\Program Files\\Pidgin\\pidgin.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

"c:\\WINDOWS\\system32\\java.exe"=

"c:\\WINDOWS\\system32\\ftp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\RemoteAdminSettings]

"Enabled"= 1 (0x1)

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/26/2010 6:33 PM 64288]

R2 Array_Utility_Service8.4.0.264;Array Utility Service 8,4,0,264;c:\program files\Array Networks\Common\8,4,0,264\arr_isrv.exe [4/28/2010 4:33 PM 398768]

R2 ArraySSL_VPN_Service8.4.0.264;Array SSL VPN Service 8,4,0,264;c:\program files\Array Networks\Array SSL VPN\8,4,0,264\arr_srvs.exe [4/28/2010 4:34 PM 239024]

R2 enterceptAgent;McAfee Host Intrusion Prevention Service;c:\program files\McAfee\Host Intrusion Prevention\FireSvc.exe [2/16/2010 2:20 PM 1498224]

R2 hips;McAfee HIPSCore Service;c:\program files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe [4/20/2010 1:11 PM 35696]

R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\engineserver.exe [1/6/2010 8:07 PM 22816]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [12/2/2009 2:32 PM 70728]

R2 MyDesktopWindows;MyDesktopService;c:\windows\ORCLOBI\MyDesktop\MyDesktopService.exe [8/24/2010 9:41 PM 1032704]

R2 QOSMyDesktop;QOS MyDesktop;c:\windows\ORCLOBI\MyDesktop\MyDesktopQOS.exe [10/14/2009 12:48 AM 470016]

R3 FirehkMP;FirehkMP;c:\windows\system32\drivers\firehk.sys [12/2/2009 2:40 PM 44680]

R3 HIPK;McAfee Inc. HIPK;c:\windows\system32\drivers\HIPK.sys [12/2/2009 2:41 PM 107896]

R3 HIPPSK;McAfee Inc. HIPPSK;c:\windows\system32\drivers\HIPPSK.sys [12/2/2009 2:41 PM 38680]

R3 HIPQK;McAfee Inc. HIPQK;c:\windows\system32\drivers\HIPQK.sys [12/2/2009 2:41 PM 35584]

R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/12/2010 5:45 PM 15008]

R3 owcmirrorV1;owcmirrorV1;c:\windows\system32\drivers\owcmirrorminiV1.sys [1/8/2009 10:37 PM 3712]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [8/12/2010 5:45 PM 1356952]

S3 ATP;ArrayNetworks SSL VPN Miniport Driver;c:\windows\system32\drivers\atpdrvr.sys [4/28/2010 4:34 PM 16256]

S3 Firehk;McAfee NDIS Intermediate Filter;c:\windows\system32\drivers\firehk.sys [12/2/2009 2:40 PM 44680]

S3 JTVNCProxy_11.0;JTVNCProxy_11.0;c:\program files\Freedom Scientific\JAWS\11.0\JTVNCProxy.exe [10/15/2009 10:48 AM 16152]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [12/2/2009 2:32 PM 66600]

S3 PowerBrl;powerBraille System Driver;c:\windows\system32\drivers\powerbrl.sys [10/15/2009 10:53 AM 14880]

UnknownUnknown dsload;dsload; [x]

.

Contents of the 'Scheduled Tasks' folder

2010-10-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 13:23]

2010-10-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-73586283-1425521274-1417001333-1003Core.job

- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-26 07:35]

2010-10-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-73586283-1425521274-1417001333-1003UA.job

- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-26 07:35]

2010-10-04 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 09:37]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uDefault_Search_URL = hxxp://www.google.com/ie

uSearchAssistant = hxxp://search.pandion.im/#q=%s

uSearchURL,(Default) = hxxp://search.pandion.im/#q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: {510A3A41-3227-4B5A-91D3-D8F3D056E46D} = 144.20.190.70,130.35.249.41,130.35.249.52

DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/59.08/uploader2.cab

DPF: {B6648EB8-2460-484F-9255-9654454C4C70} - hxxps://adc-tele-sslvpn.tesla.com/prx/000/http/localhost/arr_x.cab

FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\ciano7aq.default\

FF - prefs.js: browser.startup.homepage - hxxp://search.pandion.im/

FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10615&gct=&gc=1&q=

FF - prefs.js: network.proxy.ftp_port - 80

FF - prefs.js: network.proxy.gopher_port - 80

FF - prefs.js: network.proxy.http_port - 80

FF - prefs.js: network.proxy.socks_port - 80

FF - prefs.js: network.proxy.ssl_port - 80

FF - prefs.js: network.proxy.type - 1

FF - plugin: c:\documents and settings\User\Application Data\Mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\User\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll

FF - plugin: c:\documents and settings\User\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

.

- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{9CB65206-89C4-402c-BA80-02D8C59F9B1D} - (no file)

MSConfigStartUp-WinampAgent - c:\program files\Winamp\winampa.exe

AddRemove-Array SSL VPN8,4,0,264 - c:\program files\Array Networks\Common\8

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1908)

c:\windows\system32\HcApi.dll

c:\windows\system32\KevlarSigs.dll

c:\windows\system32\igfxdev.dll

- - - - - - - > 'lsass.exe'(1964)

c:\windows\system32\HcApi.dll

c:\windows\system32\KevlarSigs.dll

- - - - - - - > 'csrss.exe'(1884)

c:\windows\system32\HcApi.dll

c:\windows\system32\KevlarSigs.dll

.

Completion time: 2010-10-04 21:11:05

ComboFix-quarantined-files.txt 2010-10-04 15:41

Pre-Run: 42,173,165,568 bytes free

Post-Run: 42,747,285,504 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 38C33E8EE94D024800CB6CF297F0E567


Hi there,

Your hosts file is okay; all these entries are there because Spybot immunized your system. :(

You can indeed reset your router. Your log shows you use certain IP settings, not a router, and it is entirely possible this is due to an infected router.

Most routers have a reset button, which needs to be pushed approx. 10 seconds when the router is powered off.

Please let me know how things are running when done.


  • 4 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
