Trojan.TDSS and Rogue.Installer and google redirect

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

5 Pages
1
2
3
→
Last »

You cannot start a new topic
This topic is locked

Trojan.TDSS and Rogue.Installer and google redirect Can not delete Trojan TDSS or Rogue.Installer..All browsers redirected

#1 MsKatGreenbay

Member

Group: Members
Posts: 82
Joined: 03-December 09
Gender:Female
Location:PC HELL :-)

Posted 04 December 2009 - 05:59 AM

Hello. I have tried everything to remove above mentioned problems. I have run Malwarebytes numerous times. Have quarantined and deleted, have shut my system restore off to make a new clean point after reboot of removing trojans. As soon as new reboot, I run Malwarebytes again, and they are back. Files Infected:
C:\WINDOWS\system32\tdlclk.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdlcmd.dll (Rogue.Installer) -> Quarantined and deleted successfully.

I had the system32 folder open, watched as tdlclk.dll and tdlcmd.dll were deleted. Then also watched as they magically reappeared upon new scan of Malwarebytes.

Also, when I first installed Malwarebytes and ran for first time, it found 14 problems. Here is a cut and paste of them.

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\memman.vxd (Rogue.sysCleaner) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Application Data\{B10A9EE2-3B21-44A2-A778-D14E0C4BB591}\OFFLINE\71747601\2302A1E7\memman.vxd (Rogue.sysCleaner) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{03663F56-5A52-4397-857A-F7FF6F59EF9F}\RP1\A0000002.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{03663F56-5A52-4397-857A-F7FF6F59EF9F}\RP1\A0000041.dll (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{03663F56-5A52-4397-857A-F7FF6F59EF9F}\RP2\A0000099.dll (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{03663F56-5A52-4397-857A-F7FF6F59EF9F}\RP2\A0000134.dll (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{03663F56-5A52-4397-857A-F7FF6F59EF9F}\RP3\A0000164.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{03663F56-5A52-4397-857A-F7FF6F59EF9F}\RP3\A0000165.dll (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{03663F56-5A52-4397-857A-F7FF6F59EF9F}\RP3\A0000184.dll (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{03663F56-5A52-4397-857A-F7FF6F59EF9F}\RP3\A0000185.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdlclk.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdlcmd.dll (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\memman.vxd (Rogue.sysCleaner) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.

The other 12 problems seem to have been fixed, except these last 2 stubborn ones Trojan.TDDS and Rogue.Installer.

Also, when browsing, I get my search results but when I click on them, it redirects me to 5 or 6 different unrelated pages. It takes me 4 or 5 times clicking same link before I finally get the true link I want. I am at my wits end as to how to rectify this. Please help when you can. I understand you are all volunteers and it takes time. I have read the welcome introduction and I hope I have followed it correctly. Thank you in advance.

Here is copy of DDS report, as requested.

DDS (Ver_09-12-01.01) - NTFSx86
Run by My Pc at 4:13:43.89 on Fri 12/04/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.211 [GMT -6:00]

AV: COMODO Antivirus *On-access scanning enabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\AOL\1249396505\ee\AOLSoftware.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\RamBooster 2.0\Rambooster.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Blaze Media Pro\NMSAccess32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\My Pc\Local Settings\Application Data\Opera\Opera\temporary_downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: IAOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol toolbar\aoltb.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: IAOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol toolbar\aoltb.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: TSToolbarBHO: {43c6d902-a1c5-45c9-91f6-fd9e90337e18} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AOL Toolbar Loader: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol toolbar\aoltb.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol toolbar\aoltb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: Trend Micro Toolbar: {ccac5586-44d7-4c43-b64a-f042461a97d2} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [RamBooster] c:\program files\rambooster 2.0\Rambooster.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [HostManager] c:\program files\common files\aol\1249396505\ee\AOLSoftware.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
IE: &AOL Toolbar Search - c:\documents and settings\all users\application data\aol\ietoolbar\resources\en-us\local\search.html
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: musicmatch.com\online
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} -
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: VESWinlogon - VESWinlogon.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kathry~1\applic~1\mozilla\firefox\profiles\o8ql5spr.default\
FF - prefs.js: network.proxy.type - 2
FF - plugin: c:\documents and settings\My Pc\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\My Pc\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\opera\program\plugins\NPMetaStream3.dll
FF - plugin: c:\program files\opera\program\plugins\NPTURNMED.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation

foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-10-31 133064]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-10-31 25160]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-13 214024]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2009-10-31 723632]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\program files\microsoft sql

server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-4 118784]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-12-3 38224]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-8-4 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-8-4 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-8-4 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-8-4 40552]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\program files\microsoft sql

server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]

=============== Created Last 30 ================

2009-12-04 09:51:48 12800 ----a-w- c:\windows\system32\tdlclk.dll
2009-12-03 06:59:56 0 d-----w- c:\docume~1\kathry~1\applic~1\Malwarebytes
2009-12-03 06:59:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 06:59:46 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-03 06:59:46 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-03 06:59:40 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-03 03:53:42 0 d-----w- c:\windows\system32\Adobe
2009-12-03 03:44:59 0 d-----w- c:\docume~1\alluse~1\applic~1\McAfee Security Scan
2009-11-28 17:20:05 0 d-----w- c:\program files\Veoh Networks
2009-11-26 20:50:58 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-26 20:38:24 0 d-----w- c:\program files\Trend Micro
2009-11-25 22:29:25 0 d-----w- c:\program files\Musicmatch
2009-11-24 20:15:00 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-11-24 20:14:33 0 d-----w- c:\program files\SUPERAntiSpyware
2009-11-24 20:14:33 0 d-----w- c:\docume~1\kathry~1\applic~1\SUPERAntiSpyware.com
2009-11-23 10:43:30 0 d-----w- c:\documents and settings\all users\968a850
2009-11-14 23:23:24 0 d-----w- c:\windows\system32\appmgmt
2009-11-14 08:18:01 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-14 08:18:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-11-14 07:36:57 0 d-----w- c:\windows\5C47C8B677FF4FC7A38866FCF9CFC24C.TMP
2009-11-13 13:45:31 0 d-----w- c:\docume~1\alluse~1\applic~1\XoftSpySE
2009-11-13 11:48:53 0 d-----w- c:\program files\Blaze Media Pro
2009-11-13 11:48:28 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{B10A9EE2-3B21-44A2-A778-D14E0C4BB591}
2009-11-12 18:02:17 0 d-----w- c:\program files\IrfanView
2009-11-05 15:49:21 0 d-----w- c:\program files\AOL 9.5

==================== Find3M ====================

2009-12-04 10:05:03 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2009-11-25 16:00:35 171552 ----a-w- c:\windows\system32\guard32.dll
2009-11-25 16:00:32 133064 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-11-18 14:32:55 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-10-11 10:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll

============= FINISH: 4:16:22.26 ===============

#2 thcbytes

Bleepin' Teacher

Group: Malware Response Instructor
Posts: 11,595
Joined: 09-December 08
Gender:Male

Posted 04 December 2009 - 09:28 AM

Hi and welcome to the HijackThis Logs and Virus/Trojan/Spyware/Malware Removal forum,

I am and I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

Please copy and paste al logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems please stop and tell me about it. When your computer is clean I will alert you of such. I will also provide you with detailed suggestions for prevention.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

==========

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please doubleclick the "Add or Remove Programs" icon
A list of programs installed will be "populated" this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

Viewpoint
Spybot

(Will interfere with our fix.)

Additional instructions can be found here if needed.

==========

RKill by Grinler

Link #1
Link #2
Link #3
Link #4

Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
Download Link #1.
Save it to your Desktop.
Double click the RKill desktop icon.
If you are using Vista please right click and run as Admin!
A black screen will briefly flash indicating a successful run.
If this does not occur please delete that application and download Link #2.
Continue process until the tool runs.
If the tool does not run from any of the links tell me about it.

==========

Download and Run ComboFix (by sUBs)

You must rename it before saving it.

Posted Image

Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.
Double click on thcbytes.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

==========

Please download GMER from one of the following locations and save it to your desktop:

Main Mirror
This version will download a randomly named file (Recommended)
Zipped Mirror
This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.
Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

==========

We need to create an OTL Report

Please download OTL from one of the following mirrors:
- This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check" as pictured.
Push the button.
Two reports will open, copy and paste them in a reply here:
- OTListIt.txt <-- Will be opened
- Extra.txt <-- Will be minimized

==========

With your next post please provide:

* Combofix.txt
* Gmer log
* OTL logs
* Still getting redirected?

Kind regards,
~t

Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://organdonor.gov/index.html

#3 MsKatGreenbay

Member

Group: Members
Posts: 82
Joined: 03-December 09
Gender:Female
Location:PC HELL :-)

Posted 04 December 2009 - 03:12 PM

thcb. Hello and thank you for your assistance. I ran into a problem when trying to download ComboFix. I did rename file as requested. After download I got a pop up saying "Windows can not access specified path, device or file. You may not have the appropriate permissions to access item." And on top of pop up was "32788R22FWJFW\iexplore.exe. I am not sure why since I am the only user of pc and am administrator.

I have done everything up till this point. What now? Thanks for your help.

#4 thcbytes

Bleepin' Teacher

Group: Malware Response Instructor
Posts: 11,595
Joined: 09-December 08
Gender:Male

Posted 04 December 2009 - 04:35 PM

Ah yes. A permissions issue. Suggests a unique rootkit.

Do this....

Download and run Win32kDiag:

Download Win32kDiag from any of the following locations and save it to your Desktop.
Double-click Win32kDiag.exe to run Win32kDiag and let it finish. If you are using Vista please right click and run as Admin!
When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.

Next......

Download and run a batch file (peek.bat):

Download peek.bat from the download link below and save it to your Desktop.
Double-click peek.bat to run it.
Once it is finished, copy and paste the entire contents of the Log.txt file it creates as a reply to this post.

==========

With your next post please provide:

* Win32kDiag.txt
* Log.txt

Kind regards,
~t

Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

#5 MsKatGreenbay

Member

Group: Members
Posts: 82
Joined: 03-December 09
Gender:Female
Location:PC HELL :-)

Posted 04 December 2009 - 05:30 PM

I downloaded win32diag. MAJOR PROBLEM. disabled both my wireless mouse and keyboard. can barely access anything. took me many tries just to get logged on where I could actually navigate. Machine wouldnt boot up in safe mode either. I am afraid to try and run that win32diag. I did try 2x but same result each time. I have done everything to the letter but 2 big stumbling blocks. Any more idea? Thanks in advance.

#6 MsKatGreenbay

Member

Group: Members
Posts: 82
Joined: 03-December 09
Gender:Female
Location:PC HELL :-)

Posted 04 December 2009 - 05:50 PM

Ok finally. I think I have what you requested. The first two mirrors of Win32Diag are bad copies, at least for me. But I took a deep breath and went for the 3rd and it worked, no problems. Goes for peekbat too. So here are the two logs. Thank you again.

Win32Diag log as follows

Starting up...
Running from: C:\Documents and Settings\My PC\My Documents\Win32k3rdD
iag.exe
Log file at : C:\Documents and Settings\My PC\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\system32\drivers\sfi.dat
[1] 2009-12-04 15:27:35 1474832 C:\WINDOWS\system32\drivers\sfi.dat ()

Finished! Press any key to exit...

Peekbat log as follows

Volume in drive C has no label.
Volume Serial Number is A4E2-7553

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/10/2004 06:00 AM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/10/2004 06:00 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/10/2004 06:00 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 06:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 06:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 06:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/13/2008 06:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/13/2008 06:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04/13/2008 06:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Total Files Listed:
9 File(s) 1,932,288 bytes
0 Dir(s) 185,952,530,432 bytes free

#7 thcbytes

Bleepin' Teacher

Group: Malware Response Instructor
Posts: 11,595
Joined: 09-December 08
Gender:Male

Posted 04 December 2009 - 09:12 PM

This is not going to be easy so be patient and hang in there!

Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r

==========

Next......

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

==========

Re-run Rkill

==========

Right click and delete your copy of Combofix.

Try running Combofix again. If it fails then repeat all the steps in safe mode!

This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option with networking support.
Please see here for additional details.

Download and Run ComboFix (by sUBs)

You must rename it before saving it.

Posted Image

Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.
Double click on thcbytes.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

==========

With your next post please provide:

* Exehelper log
* Combofix.txt

Kind regards,
~t

This post has been edited by thcbytes: 04 December 2009 - 09:13 PM

Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

#8 MsKatGreenbay

Member

Group: Members
Posts: 82
Joined: 03-December 09
Gender:Female
Location:PC HELL :-)

Posted 04 December 2009 - 11:44 PM

Greetings tchbytes. Well, I think we are gettin gthere

Let me know next step and thank you soooo very much for all the help and patience

Copy of requested logs

COMBOFIX Log

ComboFix 09-12-04.02 - My PC 12/04/2009 22:06.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.662 [GMT -6:00]
Running from: c:\documents and settings\My PC\Desktop\thcbytes.exe
AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\ATI Technologies\ATI.ACE\atIAcmxx.dll
c:\recycler\S-1-5-21-2142332243-845272042-58525014-500
c:\recycler\S-1-5-21-3589890663-3171536018-3815453179-500
c:\windows\kb913800.exe
c:\windows\setup.exe
c:\windows\system32\Drivers\wwywttrbrmxjxt.sys
c:\windows\system32\skinboxer43.dll
c:\windows\system32\tdlclk.dll
c:\windows\system32\tdlcmd.dll

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it

.
((((((((((((((((((((((((( Files Created from 2009-11-05 to 2009-12-05 )))))))))))))))))))))))))))))))
.

2009-12-04 22:35 . 2009-12-04 22:35 40448 ----a-w- c:\windows\system32\fvciacro5.dll
2009-12-04 20:15 . 2009-12-04 20:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-12-04 20:14 . 2009-12-04 20:39 -------- d-----w- C:\32788R22FWJFW.3.tmp
2009-12-04 20:10 . 2009-12-04 20:14 -------- d-----w- C:\32788R22FWJFW.2.tmp
2009-12-04 20:03 . 2009-12-04 20:10 -------- d-----w- C:\32788R22FWJFW.1.tmp
2009-12-04 10:19 . 2009-12-04 10:26 15 ----a-w- c:\documents and settings\My PC\settings.dat
2009-12-03 06:59 . 2009-12-03 06:59 -------- d-----w- c:\documents and settings\My PC\Application Data\Malwarebytes
2009-12-03 06:59 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 06:59 . 2009-12-03 06:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-03 06:59 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-03 06:59 . 2009-12-03 06:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-03 03:53 . 2009-12-03 03:53 -------- d-----w- c:\windows\system32\Adobe
2009-12-03 03:44 . 2009-12-03 03:44 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-12-03 03:44 . 2009-12-03 03:44 1962544 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-12-03 03:44 . 2009-12-03 03:44 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-12-03 03:44 . 2009-12-03 03:44 -------- d-----w- c:\program files\NOS
2009-11-28 17:20 . 2009-11-28 17:20 -------- d-----w- c:\program files\Veoh Networks
2009-11-27 18:24 . 2009-11-27 18:24 -------- d-----w- c:\documents and settings\My PC\Local Settings\Application Data\COMODO
2009-11-26 20:50 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-26 20:38 . 2009-11-26 20:38 -------- d-----w- c:\program files\Trend Micro
2009-11-25 22:29 . 2009-11-25 22:30 -------- d-----w- c:\program files\Musicmatch
2009-11-25 22:29 . 2009-11-25 22:29 -------- d-----w- c:\documents and settings\My PC\Application Data\Musicmatch
2009-11-25 22:26 . 2009-11-25 22:37 -------- d-----w- c:\documents and settings\My PC\Local Settings\Application Data\Musicmatch
2009-11-25 04:26 . 2009-11-25 04:26 1408376 ----a-w- c:\documents and settings\My PC\Application Data\Move Networks\MoveMediaPlayerWinSilent_071505000011.exe
2009-11-24 20:15 . 2009-11-24 20:15 117760 ----a-w- c:\documents and settings\My PC\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-24 20:15 . 2009-11-24 20:15 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-24 20:14 . 2009-12-04 20:35 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-24 20:14 . 2009-11-24 20:14 -------- d-----w- c:\documents and settings\My PC\Application Data\SUPERAntiSpyware.com
2009-11-23 10:43 . 2009-11-23 10:43 -------- d-----w- c:\documents and settings\All Users\968a850
2009-11-18 14:53 . 2009-11-18 14:53 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-11-14 08:18 . 2009-12-04 20:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-14 08:18 . 2009-12-04 19:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-14 07:54 . 2009-11-14 07:54 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\AOL
2009-11-14 07:36 . 2009-11-26 20:58 -------- d-----w- c:\windows\5C47C8B677FF4FC7A38866FCF9CFC24C.TMP
2009-11-13 18:50 . 2009-11-13 18:50 -------- d-----w- c:\documents and settings\My PC\Local Settings\Application Data\Mozilla
2009-11-13 13:45 . 2009-11-13 13:45 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE
2009-11-13 11:49 . 2009-10-22 23:04 2903456 -c--a-w- c:\documents and settings\All Users\Application Data\{B10A9EE2-3B21-44A2-A778-D14E0C4BB591}\setup_blazemp.exe
2009-11-13 11:48 . 2009-11-13 11:49 -------- d-----w- c:\program files\Blaze Media Pro
2009-11-13 11:48 . 2009-11-13 11:49 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{B10A9EE2-3B21-44A2-A778-D14E0C4BB591}
2009-11-12 18:02 . 2009-11-12 18:26 -------- d-----w- c:\program files\IrfanView
2009-11-05 15:49 . 2009-11-06 12:40 -------- d-----w- c:\program files\AOL 9.5
2009-11-05 15:46 . 2009-11-05 15:46 43732816 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol_single\4337.155.1.1\setup.exe
2009-11-05 15:46 . 2009-11-05 15:46 42960 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol_single\4337.155.1.1\noneCodesignFilesBundle.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-04 21:27 . 2009-10-31 13:48 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2009-12-04 20:40 . 2009-10-29 16:59 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-04 19:50 . 2009-09-17 01:12 -------- d-----w- c:\documents and settings\My PC\Application Data\Lavasoft
2009-12-03 03:47 . 2009-08-04 16:30 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-25 23:40 . 2009-09-15 22:44 -------- d-----w- c:\documents and settings\My PC\Application Data\LimeWire
2009-11-25 22:30 . 2005-09-06 20:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-25 16:00 . 2009-10-31 13:44 171552 ----a-w- c:\windows\system32\guard32.dll
2009-11-25 16:00 . 2009-10-31 13:44 133064 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-11-25 04:26 . 2009-10-01 03:03 -------- d-----w- c:\documents and settings\My PC\Application Data\Move Networks
2009-11-25 04:26 . 2009-10-01 03:03 127325 ----a-w- c:\documents and settings\My PC\Application Data\Move Networks\uninstall.exe
2009-11-25 04:26 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\My PC\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-11-24 05:29 . 2009-08-04 14:39 -------- d-----w- c:\program files\Opera
2009-11-19 12:35 . 2009-07-24 23:16 -------- d-----w- c:\program files\Wireless Desktop
2009-11-18 14:32 . 2009-10-31 13:44 87104 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-11-18 14:32 . 2009-10-31 13:44 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-11-10 16:20 . 2009-09-15 22:43 -------- d-----w- c:\program files\LimeWire
2009-11-05 15:52 . 2009-08-04 14:36 -------- d-----w- c:\documents and settings\My PC\Application Data\AOL
2009-11-05 15:51 . 2009-08-04 14:35 -------- d-----w- c:\program files\Common Files\aol
2009-11-05 15:50 . 2009-08-04 14:35 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-11-05 15:50 . 2009-08-04 14:35 -------- d-----w- c:\program files\Common Files\aolshare
2009-11-05 15:46 . 2009-08-04 14:32 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-11-03 21:24 . 2005-09-06 20:53 -------- d-----w- c:\program files\Java
2009-11-03 21:22 . 2009-11-03 21:22 152576 ----a-w- c:\documents and settings\My PC\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-02 04:45 . 2009-11-02 03:54 -------- d-----w- c:\program files\CamStudio
2009-10-31 13:48 . 2009-10-31 13:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2009-10-31 13:44 . 2009-10-31 13:44 -------- d-----w- c:\program files\COMODO
2009-10-29 17:32 . 2009-10-29 17:32 -------- d-----w- c:\documents and settings\My PC\Application Data\FastStone
2009-10-29 17:01 . 2009-10-29 17:01 -------- d-----w- c:\documents and settings\All Users\Application Data\TechSmith
2009-10-29 17:01 . 2009-10-29 17:01 -------- d-----w- c:\program files\TechSmith
2009-10-26 23:48 . 2009-10-26 22:59 -------- d-----w- c:\program files\Common Files\PC Tools
2009-10-26 23:34 . 2009-10-26 17:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-26 23:34 . 2009-10-26 22:59 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-10-26 23:12 . 2009-10-26 23:12 -------- d-----w- c:\documents and settings\My PC\Application Data\PCToolsFirewallPlus
2009-10-26 23:12 . 2009-10-26 23:12 -------- d-----w- c:\documents and settings\My PC\Application Data\Spam Monitor
2009-10-22 23:04 . 2009-11-13 11:47 3579904 -c--a-w- c:\documents and settings\All Users\Application Data\{B10A9EE2-3B21-44A2-A778-D14E0C4BB591}\OFFLINE\59F37AFC\8917324D\BMP.exe
2009-10-11 10:17 . 2009-08-06 21:32 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-01 03:03 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\My PC\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-09-16 03:59 . 2009-11-13 11:47 1411584 -c--a-w- c:\documents and settings\All Users\Application Data\{B10A9EE2-3B21-44A2-A778-D14E0C4BB591}\OFFLINE\3D2919A7\32F7A4D1\AdjMmsEng.dll
2009-09-15 22:44 . 2009-09-15 22:44 98304 ----a-w- c:\documents and settings\My PC\Application Data\LimeWire\browser\xulrunner\smime3.dll
2009-09-11 14:18 . 2005-09-06 19:30 136192 ----a-w- c:\windows\system32\msv1_0.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{48F6221C-7CBF-480D-94B5-1FBEDE7AF9EC}]
2009-12-04 22:35 40448 ----a-w- c:\windows\system32\fvciacro5.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2009-01-30 1347584]
"RamBooster"="c:\program files\RamBooster 2.0\Rambooster.exe" [2005-11-17 561664]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"AOL Fast Start"="c:\program files\AOL 9.5\AOL.EXE" [2009-10-28 50536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"HostManager"="c:\program files\Common Files\AOL\1249396505\ee\AOLSoftware.exe" [2009-07-20 41264]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-11-18 1800464]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-21 00:42 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ATI CATALYST System Tray.lnk
backup=c:\windows\pss\ATI CATALYST System Tray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VAIO Action Setup (Server).lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VAIO Action Setup (Server).lnk
backup=c:\windows\pss\VAIO Action Setup (Server).lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"navapsvc"=2 (0x2)
"PACSPTISVR"=3 (0x3)
"ose"=3 (0x3)
"WZCSVC"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\aol\\1249396505\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [10/31/2009 7:44 AM 133064]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [10/31/2009 7:44 AM 25160]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 5:47 AM 98304]
S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [10/4/2004 4:40 AM 118784]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-12-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-07-24 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-09-06 00:12]

2009-07-24 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-09-06 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &AOL Toolbar Search - c:\documents and settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\My PC\Application Data\Mozilla\Firefox\Profiles\o8ql5spr.default\
FF - prefs.js: network.proxy.type - 2
FF - plugin: c:\documents and settings\My PC\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\My PC\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\Opera\program\plugins\NPMetaStream3.dll
FF - plugin: c:\program files\Opera\program\plugins\NPTURNMED.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
SafeBoot-mcmscsvc
SafeBoot-MCODS
AddRemove-Blaze Media Pro - c:\documents and settings\All Users\Application Data\{B10A9EE2-3B21-44A2-A778-D14E0C4BB591}\setup_blazemp.exe REMOVE=TRUE MODIFY=FALSE
AddRemove-mIRC - c:\program files\mIRC\uninstall.exe _?=c:\program files\mIRC
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
AddRemove-{91810AFC-A4F8-4EBA-A5AA-B198BBC81144} - c:\program files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe REMOVEALL

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\VESWinlogon.dll
.
Completion time: 2009-12-04 22:18
ComboFix-quarantined-files.txt 2009-12-05 04:17

Pre-Run: 178,909,528,064 bytes free
Post-Run: 178,921,897,984 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 2B60E97A5DD8BE67BCF1F2AE438BD4B7

EXEHELPER Log

exeHelper by Raktor
Build 20091204
Run at 21:26:08 on 12/04/09
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

#9 MsKatGreenbay

Member

Group: Members
Posts: 82
Joined: 03-December 09
Gender:Female
Location:PC HELL :-)

Posted 04 December 2009 - 11:51 PM

Oh Dear... I forgot to mention that when you said rerun Rkill, with each of the 4 links, once opened, screen would flash and all desktop icons would disappear, as well as taskbar then come right back with no rkill program running. I did get to see the program screen of rkill saying it was preparing to remove malware. and then ZAP, as I stated above would happen.

#10 thcbytes

Bleepin' Teacher

Group: Malware Response Instructor
Posts: 11,595
Joined: 09-December 08
Gender:Male

Posted 05 December 2009 - 07:54 AM

Well done.

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please doubleclick the "Add or Remove Programs" icon
A list of programs installed will be "populated" this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

Viewpoint

Additional instructions can be found here if needed.

==========

P2P Warning

Your log indicates that you have Limewire installed.

• Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.

- They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.

- Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.

- The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Note: It is pretty much certain that if you continue to use P2P programs, then you will get infected again.
I would recommend that you uninstall Limwire, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel>> Add / Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

==========

You have Norton remnants. Please run this uninstaller.
ftp://ftp.symantec.com/public/english_us_...emoval_Tool.exe

==========

Warning: This script was specifically written and designed for this user only. Unsupervised use of this tool could render your computer unbootable permanently!!

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote

File::
c:\windows\system32\fvciacro5.dll
C:\32788R22FWJFW.3.tmp
C:\32788R22FWJFW.2.tmp
C:\32788R22FWJFW.1.tmp
c:\windows\5C47C8B677FF4FC7A38866FCF9CFC24C.TMP
c:\documents and settings\All Users\Application Data\{B10A9EE2-3B21-44A2-A778-D14E0C4BB591}\setup_blazemp.exe

Folder::
c:\documents and settings\All Users\Application Data\Viewpoint
c:\program files\Blaze Media Pro

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"navapsvc"=-

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==========

I'd like us to scan your machine with ESET OnlineScan

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
Click the button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- Click on to download the ESET Smart Installer. Save it to your desktop.
- Double click on the icon on your desktop.
Check
Click the button.
Accept any security warnings from your browser.
Check
Push the Start button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push
Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the button.
Push

==========

We need to create an OTL Report

Please download OTL from one of the following mirrors:
- This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check" as pictured.
Push the button.
Two reports will open, copy and paste them in a reply here:
- OTListIt.txt <-- Will be opened
- Extra.txt <-- Will be minimized

===========

With your next post please provide:

* Combofix.txt
* ESET log
* OTL.txt
* Extra.txt
* How is your computer running?

Kind regards,
~t

Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

#11 MsKatGreenbay

Member

Group: Members
Posts: 82
Joined: 03-December 09
Gender:Female
Location:PC HELL :-)

Posted 05 December 2009 - 12:09 PM

Greetings thcbytes. Well, this was not too painful at all. Everything went smooth. Last night I surfed and clicked on about 10-12 search links. Each and everyone worked the first time!!! That in itself is a small miracle.

Ok, here are the requested reports. I am ready when you are. Thank you SO much for your invaluable help!!

ComboFix 09-12-04.04 - My PC 12/05/2009 7:22.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.487 [GMT -6:00]
Running from: c:\documents and settings\My PC\Desktop\CombonFix.exe
Command switches used :: c:\documents and settings\My PC\Desktop\CFScript.txt
AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

FILE ::
"C:\32788R22FWJFW.1.tmp"
"C:\32788R22FWJFW.2.tmp"
"C:\32788R22FWJFW.3.tmp"
"c:\documents and settings\All Users\Application Data\{B10A9EE2-3B21-44A2-A778-D14E0C4BB591}\setup_blazemp.exe"
"c:\windows\5C47C8B677FF4FC7A38866FCF9CFC24C.TMP"
"c:\windows\system32\fvciacro5.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\{B10A9EE2-3B21-44A2-A778-D14E0C4BB591}\setup_blazemp.exe
c:\documents and settings\All Users\Application Data\Viewpoint
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\ComponentRegistry.ini
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\HostRegistry.ini
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\URLCache.ini
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\URLCache.ini
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\URLCache.ini
c:\documents and settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\URLCache.ini
c:\program files\Blaze Media Pro
c:\program files\Blaze Media Pro\AffCreatorDLL.dll
c:\program files\Blaze Media Pro\Audio Editing\AdjMmsEng.dll
c:\program files\Blaze Media Pro\Audio Editing\amp3dj.ocx
c:\program files\Blaze Media Pro\Audio Editing\Asoedmms.ocx
c:\program files\Blaze Media Pro\Audio Editing\asrecmms.ocx
c:\program files\Blaze Media Pro\BMP.exe
c:\program files\Blaze Media Pro\BMP.exe.manifest
c:\program files\Blaze Media Pro\cp.exe
c:\program files\Blaze Media Pro\DVD Ripper\dvdripper.ocx
c:\program files\Blaze Media Pro\DVD Ripper\lame_enc.dll
c:\program files\Blaze Media Pro\DVD Ripper\videocore.dll
c:\program files\Blaze Media Pro\DVD Ripper\videoformat.dll
c:\program files\Blaze Media Pro\DVD Ripper\videotrans.dll
c:\program files\Blaze Media Pro\DVD Ripper\viscomaudiodata.dll
c:\program files\Blaze Media Pro\DVD Ripper\viscomaudioencoder.dll
c:\program files\Blaze Media Pro\DVD Ripper\viscomdvds.dll
c:\program files\Blaze Media Pro\DVD Ripper\viscommpgdecrip.dll
c:\program files\Blaze Media Pro\DVD Ripper\viscommpgenc.dll
c:\program files\Blaze Media Pro\DVD Ripper\viscomwave.dll
c:\program files\Blaze Media Pro\ExControl.dll
c:\program files\Blaze Media Pro\Help\Blazemp.chm
c:\program files\Blaze Media Pro\IsDRM.dll
c:\program files\Blaze Media Pro\lame_enc.dll
c:\program files\Blaze Media Pro\Lyrics.mdb
c:\program files\Blaze Media Pro\NMSAccess32.exe
c:\program files\Blaze Media Pro\players\mediaplayer01.swf
c:\program files\Blaze Media Pro\players\mediaplayer02.swf
c:\program files\Blaze Media Pro\players\mediaplayer03.swf
c:\program files\Blaze Media Pro\players\mediaplayer04.swf
c:\program files\Blaze Media Pro\players\mediaplayer05.swf
c:\program files\Blaze Media Pro\players\player.html
c:\program files\Blaze Media Pro\players\skin01.swf
c:\program files\Blaze Media Pro\players\skin02.swf
c:\program files\Blaze Media Pro\players\skin03.swf
c:\program files\Blaze Media Pro\players\skin04.swf
c:\program files\Blaze Media Pro\players\skin05.swf
c:\program files\Blaze Media Pro\players\skin06.swf
c:\program files\Blaze Media Pro\players\skin07.swf
c:\program files\Blaze Media Pro\players\skin08.swf
c:\program files\Blaze Media Pro\players\skin09.swf
c:\program files\Blaze Media Pro\players\skin10.swf
c:\program files\Blaze Media Pro\players\skin11.swf
c:\program files\Blaze Media Pro\players\video.flv
c:\program files\Blaze Media Pro\presets\Default.settings
c:\program files\Blaze Media Pro\presets\FLV_300K_Broadband.settings
c:\program files\Blaze Media Pro\presets\FLV_512K_BroadbandHigh.settings
c:\program files\Blaze Media Pro\presets\FLV_56K_Modem.settings
c:\program files\Blaze Media Pro\presets\FLV_Audio_128K_BroadbandLow.settings
c:\program files\Blaze Media Pro\presets\FLV_Audio_256K_BroadbandHigh.settings
c:\program files\Blaze Media Pro\presets\FLV_Audio_56K_Modem.settings
c:\program files\Blaze Media Pro\presets\FLV_AudioOnly.settings
c:\program files\Blaze Media Pro\presets\FLV_CD_PerfectQuality.settings
c:\program files\Blaze Media Pro\presets\FLV_Default.settings
c:\program files\Blaze Media Pro\presets\FLV_HighQuality.settings
c:\program files\Blaze Media Pro\presets\FLV_HighQualityVBR2.settings
c:\program files\Blaze Media Pro\presets\FLV_Lossless.settings
c:\program files\Blaze Media Pro\presets\FLV_LowQuality.settings
c:\program files\Blaze Media Pro\presets\FLV_LowQualityVBR2.settings
c:\program files\Blaze Media Pro\presets\FLV_MediumQuality.settings
c:\program files\Blaze Media Pro\presets\FLV_MediumQualityVBR2.settings
c:\program files\Blaze Media Pro\presets\FLV_PerfectQuality.settings
c:\program files\Blaze Media Pro\presets\FLV_VideoOnly.settings
c:\program files\Blaze Media Pro\presets\ISO_300K_Broadband.settings
c:\program files\Blaze Media Pro\presets\ISO_512K_BroadbandHigh.settings
c:\program files\Blaze Media Pro\presets\ISO_56K_Modem.settings
c:\program files\Blaze Media Pro\presets\ISO_Audio_128K_BroadbandLow.settings
c:\program files\Blaze Media Pro\presets\ISO_Audio_256K_BroadbandHigh.settings
c:\program files\Blaze Media Pro\presets\ISO_Audio_56K_Modem.settings
c:\program files\Blaze Media Pro\presets\ISO_AudioOnly.settings
c:\program files\Blaze Media Pro\presets\ISO_CD_PerfectQuality.settings
c:\program files\Blaze Media Pro\presets\ISO_HighQuality.settings.settings
c:\program files\Blaze Media Pro\presets\ISO_HighQualityVBR2.settings
c:\program files\Blaze Media Pro\presets\ISO_LowQuality.settings
c:\program files\Blaze Media Pro\presets\ISO_LowQualityVBR2.settings
c:\program files\Blaze Media Pro\presets\ISO_MediumQuality.settings
c:\program files\Blaze Media Pro\presets\ISO_MediumQualityVBR2.settings
c:\program files\Blaze Media Pro\presets\ISO_PerfectQuality.settings
c:\program files\Blaze Media Pro\presets\ISO_VideoOnly.settings
c:\program files\Blaze Media Pro\presets\MP3.settings
c:\program files\Blaze Media Pro\presets\SWF_300K_Broadband.settings
c:\program files\Blaze Media Pro\presets\SWF_512K_BroadbandHigh.settings
c:\program files\Blaze Media Pro\presets\SWF_56K_Modem.settings
c:\program files\Blaze Media Pro\presets\SWF_CD_PerfectQuality.settings
c:\program files\Blaze Media Pro\Profiles\1024x768.prx
c:\program files\Blaze Media Pro\Profiles\1280x1024.prx
c:\program files\Blaze Media Pro\Profiles\320x240.prx
c:\program files\Blaze Media Pro\Profiles\352x240NTSC.prx
c:\program files\Blaze Media Pro\Profiles\352x288PAL.prx
c:\program files\Blaze Media Pro\Profiles\640x480 video.prx
c:\program files\Blaze Media Pro\Profiles\640x480.prx
c:\program files\Blaze Media Pro\Profiles\720x480NTSC.prx
c:\program files\Blaze Media Pro\Profiles\720x576PAL.prx
c:\program files\Blaze Media Pro\Profiles\800x600.prx
c:\program files\Blaze Media Pro\Profiles\Dial-up Modems (28,8 kbps).prx
c:\program files\Blaze Media Pro\Profiles\Dial-up Modems (56 kbps).prx
c:\program files\Blaze Media Pro\Profiles\Dial-up Modems or LAN (28,8 to 100 kbps).prx
c:\program files\Blaze Media Pro\Profiles\LAN, Cable Modem, or xDSL (100 to 768kbps).prx
c:\program files\Blaze Media Pro\Profiles\Local Network (100 kbps).prx
c:\program files\Blaze Media Pro\Profiles\Local Network (256 kbps).prx
c:\program files\Blaze Media Pro\Profiles\Local Network (384 kbps).prx
c:\program files\Blaze Media Pro\Profiles\Local Network (768 kbps).prx
c:\program files\Blaze Media Pro\Profiles\Pocket PC (225kbps).prx
c:\program files\Blaze Media Pro\Turbine.TVE4.dll
c:\program files\Blaze Media Pro\TVE4.dll
c:\program files\Blaze Media Pro\TVE4COM.dll
c:\program files\Blaze Media Pro\Unzip32.dll
c:\program files\Blaze Media Pro\Video Processing\videocore.dll
c:\program files\Blaze Media Pro\Video Processing\VideoEdit.ocx
c:\program files\Blaze Media Pro\Video Processing\videoformat.dll
c:\program files\Blaze Media Pro\Video Processing\videotrans.dll
c:\program files\Blaze Media Pro\Video Processing\viscom3gpenc.dll
c:\program files\Blaze Media Pro\Video Processing\viscomaudiodata.dll
c:\program files\Blaze Media Pro\Video Processing\viscomaudioencoder.dll
c:\program files\Blaze Media Pro\Video Processing\viscomdata1.dll
c:\program files\Blaze Media Pro\Video Processing\viscomdata2.dll
c:\program files\Blaze Media Pro\Video Processing\viscomdata3.dll
c:\program files\Blaze Media Pro\Video Processing\viscomflvdec_licenseto_MystikMedia.dll
c:\program files\Blaze Media Pro\Video Processing\viscomflvenc_licenseto_MystikMedia.dll
c:\program files\Blaze Media Pro\Video Processing\viscomframe.dll
c:\program files\Blaze Media Pro\Video Processing\viscomgifenc.dll
c:\program files\Blaze Media Pro\Video Processing\viscommpgdec.dll
c:\program files\Blaze Media Pro\Video Processing\viscommpgenc.dll
c:\program files\Blaze Media Pro\Video Processing\viscomqtde.dll
c:\program files\Blaze Media Pro\Video Processing\viscomqtenc.dll
c:\program files\Blaze Media Pro\Video Processing\viscomtran.dll
c:\program files\Blaze Media Pro\Video Processing\viscomwave.dll
c:\program files\Blaze Media Pro\Video Processing\WMVProfileEditor.ocx
c:\windows\system32\fvciacro5.dll

.
((((((((((((((((((((((((( Files Created from 2009-11-05 to 2009-12-05 )))))))))))))))))))))))))))))))
.

2009-12-05 05:35 . 2009-12-05 05:35 -------- d-----w- c:\program files\FastStone Capture
2009-12-05 03:55 . 2009-12-05 04:18 -------- d-----w- C:\thcbytes
2009-12-04 20:14 . 2009-12-04 20:39 -------- d-----w- C:\32788R22FWJFW.3.tmp
2009-12-04 20:10 . 2009-12-04 20:14 -------- d-----w- C:\32788R22FWJFW.2.tmp
2009-12-04 20:03 . 2009-12-04 20:10 -------- d-----w- C:\32788R22FWJFW.1.tmp
2009-12-04 10:19 . 2009-12-04 10:26 15 ----a-w- c:\documents and settings\My PC\settings.dat
2009-12-03 06:59 . 2009-12-03 06:59 -------- d-----w- c:\documents and settings\My PC\Application Data\Malwarebytes
2009-12-03 06:59 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 06:59 . 2009-12-03 06:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-03 06:59 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-03 06:59 . 2009-12-03 06:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-03 03:53 . 2009-12-03 03:53 -------- d-----w- c:\windows\system32\Adobe
2009-12-03 03:44 . 2009-12-03 03:44 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-12-03 03:44 . 2009-12-03 03:44 1962544 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-12-03 03:44 . 2009-12-03 03:44 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-12-03 03:44 . 2009-12-03 03:44 -------- d-----w- c:\program files\NOS
2009-11-28 17:20 . 2009-11-28 17:20 -------- d-----w- c:\program files\Veoh Networks
2009-11-27 18:24 . 2009-11-27 18:24 -------- d-----w- c:\documents and settings\My PC\Local Settings\Application Data\COMODO
2009-11-26 20:50 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-26 20:38 . 2009-11-26 20:38 -------- d-----w- c:\program files\Trend Micro
2009-11-25 22:29 . 2009-11-25 22:30 -------- d-----w- c:\program files\Musicmatch
2009-11-25 22:29 . 2009-11-25 22:29 -------- d-----w- c:\documents and settings\My PC\Application Data\Musicmatch
2009-11-25 22:26 . 2009-11-25 22:37 -------- d-----w- c:\documents and settings\My PC\Local Settings\Application Data\Musicmatch
2009-11-25 04:26 . 2009-11-25 04:26 1408376 ----a-w- c:\documents and settings\My PC\Application Data\Move Networks\MoveMediaPlayerWinSilent_071505000011.exe
2009-11-24 20:15 . 2009-11-24 20:15 117760 ----a-w- c:\documents and settings\My PC\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-24 20:15 . 2009-11-24 20:15 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-24 20:14 . 2009-12-04 20:35 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-24 20:14 . 2009-11-24 20:14 -------- d-----w- c:\documents and settings\My PC\Application Data\SUPERAntiSpyware.com
2009-11-23 10:43 . 2009-11-23 10:43 -------- d-----w- c:\documents and settings\All Users\968a850
2009-11-18 14:53 . 2009-11-18 14:53 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-11-14 08:18 . 2009-12-04 20:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-14 08:18 . 2009-12-04 19:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-14 07:54 . 2009-11-14 07:54 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\AOL
2009-11-14 07:36 . 2009-11-26 20:58 -------- d-----w- c:\windows\5C47C8B677FF4FC7A38866FCF9CFC24C.TMP
2009-11-13 18:50 . 2009-11-13 18:50 -------- d-----w- c:\documents and settings\My PC\Local Settings\Application Data\Mozilla
2009-11-13 13:45 . 2009-11-13 13:45 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE
2009-11-13 11:48 . 2009-12-05 13:29 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{B10A9EE2-3B21-44A2-A778-D14E0C4BB591}
2009-11-12 18:02 . 2009-11-12 18:26 -------- d-----w- c:\program files\IrfanView
2009-11-05 15:49 . 2009-11-06 12:40 -------- d-----w- c:\program files\AOL 9.5
2009-11-05 15:46 . 2009-11-05 15:46 43732816 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol_single\4337.155.1.1\setup.exe
2009-11-05 15:46 . 2009-11-05 15:46 42960 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol_single\4337.155.1.1\noneCodesignFilesBundle.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-04 21:27 . 2009-10-31 13:48 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2009-12-04 20:40 . 2009-10-29 16:59 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-04 19:50 . 2009-09-17 01:12 -------- d-----w- c:\documents and settings\My PC\Application Data\Lavasoft
2009-12-03 03:47 . 2009-08-04 16:30 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-25 23:40 . 2009-09-15 22:44 -------- d-----w- c:\documents and settings\My PC\Application Data\LimeWire
2009-11-25 22:30 . 2005-09-06 20:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-25 16:00 . 2009-10-31 13:44 171552 ----a-w- c:\windows\system32\guard32.dll
2009-11-25 16:00 . 2009-10-31 13:44 133064 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-11-25 04:26 . 2009-10-01 03:03 -------- d-----w- c:\documents and settings\My PC\Application Data\Move Networks
2009-11-25 04:26 . 2009-10-01 03:03 127325 ----a-w- c:\documents and settings\My PC\Application Data\Move Networks\uninstall.exe
2009-11-25 04:26 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\My PC\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-11-24 05:29 . 2009-08-04 14:39 -------- d-----w- c:\program files\Opera
2009-11-19 12:35 . 2009-07-24 23:16 -------- d-----w- c:\program files\Wireless Desktop
2009-11-18 14:32 . 2009-10-31 13:44 87104 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-11-18 14:32 . 2009-10-31 13:44 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-11-10 16:20 . 2009-09-15 22:43 -------- d-----w- c:\program files\LimeWire
2009-11-05 15:52 . 2009-08-04 14:36 -------- d-----w- c:\documents and settings\My PC\Application Data\AOL
2009-11-05 15:51 . 2009-08-04 14:35 -------- d-----w- c:\program files\Common Files\aol
2009-11-05 15:50 . 2009-08-04 14:35 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-11-05 15:50 . 2009-08-04 14:35 -------- d-----w- c:\program files\Common Files\aolshare
2009-11-05 15:46 . 2009-08-04 14:32 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-11-03 21:24 . 2005-09-06 20:53 -------- d-----w- c:\program files\Java
2009-11-03 21:22 . 2009-11-03 21:22 152576 ----a-w- c:\documents and settings\My PC\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-02 04:45 . 2009-11-02 03:54 -------- d-----w- c:\program files\CamStudio
2009-10-31 13:48 . 2009-10-31 13:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2009-10-31 13:44 . 2009-10-31 13:44 -------- d-----w- c:\program files\COMODO
2009-10-29 17:32 . 2009-10-29 17:32 -------- d-----w- c:\documents and settings\My PC\Application Data\FastStone
2009-10-29 17:01 . 2009-10-29 17:01 -------- d-----w- c:\documents and settings\All Users\Application Data\TechSmith
2009-10-29 17:01 . 2009-10-29 17:01 -------- d-----w- c:\program files\TechSmith
2009-10-26 23:48 . 2009-10-26 22:59 -------- d-----w- c:\program files\Common Files\PC Tools
2009-10-26 23:34 . 2009-10-26 17:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-26 23:34 . 2009-10-26 22:59 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-10-26 23:12 . 2009-10-26 23:12 -------- d-----w- c:\documents and settings\My PC\Application Data\PCToolsFirewallPlus
2009-10-26 23:12 . 2009-10-26 23:12 -------- d-----w- c:\documents and settings\My PC\Application Data\Spam Monitor
2009-10-22 23:04 . 2009-11-13 11:47 3579904 -c--a-w- c:\documents and settings\All Users\Application Data\{B10A9EE2-3B21-44A2-A778-D14E0C4BB591}\OFFLINE\59F37AFC\8917324D\BMP.exe
2009-10-11 10:17 . 2009-08-06 21:32 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-01 03:03 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\My PC\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-09-16 03:59 . 2009-11-13 11:47 1411584 -c--a-w- c:\documents and settings\All Users\Application Data\{B10A9EE2-3B21-44A2-A778-D14E0C4BB591}\OFFLINE\3D2919A7\32F7A4D1\AdjMmsEng.dll
2009-09-15 22:44 . 2009-09-15 22:44 98304 ----a-w- c:\documents and settings\My PC\Application Data\LimeWire\browser\xulrunner\smime3.dll
2009-09-11 14:18 . 2005-09-06 19:30 136192 ----a-w- c:\windows\system32\msv1_0.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-12-05_04.14.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-05 13:14 . 2009-12-05 13:14 16384 c:\windows\Temp\Perflib_Perfdata_7f4.dat
+ 2009-12-05 13:14 . 2009-12-05 13:14 16384 c:\windows\Temp\Perflib_Perfdata_750.dat
+ 2005-09-06 19:30 . 2009-12-05 04:44 78608 c:\windows\system32\perfc009.dat
- 2005-09-06 19:30 . 2009-11-03 03:08 78608 c:\windows\system32\perfc009.dat
+ 2005-09-06 19:30 . 2009-12-05 04:44 458954 c:\windows\system32\perfh009.dat
- 2005-09-06 19:30 . 2009-11-03 03:08 458954 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2009-01-30 1347584]
"RamBooster"="c:\program files\RamBooster 2.0\Rambooster.exe" [2005-11-17 561664]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"AOL Fast Start"="c:\program files\AOL 9.5\AOL.EXE" [2009-10-28 50536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"HostManager"="c:\program files\Common Files\AOL\1249396505\ee\AOLSoftware.exe" [2009-07-20 41264]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-11-18 1800464]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-21 00:42 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ATI CATALYST System Tray.lnk
backup=c:\windows\pss\ATI CATALYST System Tray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VAIO Action Setup (Server).lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VAIO Action Setup (Server).lnk
backup=c:\windows\pss\VAIO Action Setup (Server).lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PACSPTISVR"=3 (0x3)
"ose"=3 (0x3)
"WZCSVC"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\aol\\1249396505\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Opera\\opera.exe"=

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [10/31/2009 7:44 AM 133064]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [10/31/2009 7:44 AM 25160]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 5:47 AM 98304]
S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [10/4/2004 4:40 AM 118784]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-12-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-07-24 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-09-06 00:12]

2009-07-24 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-09-06 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &AOL Toolbar Search - c:\documents and settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\My PC\Application Data\Mozilla\Firefox\Profiles\o8ql5spr.default\
FF - prefs.js: network.proxy.type - 2
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

BHO-{48F6221C-7CBF-480D-94B5-1FBEDE7AF9EC} - fvciacro5.dll
AddRemove-{C8C8387B-A98B-44E8-807A-1A9B7F51FFDA} - c:\documents and settings\All Users\Application Data\{B10A9EE2-3B21-44A2-A778-D14E0C4BB591}\setup_blazemp.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-05 07:30
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\VESWinlogon.dll
.
Completion time: 2009-12-05 07:33
ComboFix-quarantined-files.txt 2009-12-05 13:33
ComboFix2.txt 2009-12-05 04:18

Pre-Run: 178,908,897,280 bytes free
Post-Run: 178,841,128,960 bytes free

- - End Of File - - 16D6F93C84BD8A762D08F76F3A0AF9B1

Eset log

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Win32/Olmarik.OF virus deleted - quarantined

OTL text log

OTL logfile created on: 12/5/2009 10:58:32 AM - Run 1
OTL by OldTimer - Version 3.1.11.6 Folder = C:\Documents and Settings\My PC\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.36 Mb Total Physical Memory | 446.00 Mb Available Physical Memory | 43.58% Memory free
2.40 Gb Paging File | 1.84 Gb Available in Paging File | 76.56% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 226.88 Gb Total Space | 166.51 Gb Free Space | 73.39% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ME
Current User Name: My PC
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/12/05 10:57:19 | 00,536,064 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\My PC\Desktop\OTL.exe
PRC - [2009/11/20 19:01:18 | 00,832,296 | ---- | M] (Opera Software) -- C:\Program Files\Opera\opera.exe
PRC - [2009/11/18 08:32:38 | 01,800,464 | ---- | M] (COMODO) -- C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
PRC - [2009/11/18 08:32:36 | 00,723,632 | ---- | M] (COMODO) -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
PRC - [2009/10/28 08:38:50 | 00,039,272 | ---- | M] (AOL, LLC.) -- C:\Program Files\AOL 9.5\waol.exe
PRC - [2009/10/28 08:38:49 | 00,054,632 | ---- | M] (AOL, LLC.) -- C:\Program Files\AOL 9.5\shellmon.exe
PRC - [2009/10/11 04:17:36 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/07/20 13:52:23 | 00,041,264 | ---- | M] (AOL LLC) -- C:\Program Files\Common Files\aol\1249396505\ee\aolsoftware.exe
PRC - [2009/01/30 10:34:44 | 01,347,584 | ---- | M] (AWS Convergence Technologies, Inc.) -- C:\Program Files\AWS\WeatherBug\Weather.exe
PRC - [2008/11/09 14:48:14 | 00,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/04/13 18:12:41 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe
PRC - [2008/04/13 18:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/10/23 06:50:35 | 00,046,640 | R--- | M] (AOL LLC) -- C:\Program Files\Common Files\aol\acs\AOLacsd.exe
PRC - [2005/11/17 06:32:54 | 00,561,664 | ---- | M] (J.Pajula) -- C:\Program Files\RamBooster 2.0\Rambooster.exe
PRC - [2005/08/09 23:29:40 | 00,380,928 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
PRC - [2005/06/15 12:17:44 | 00,167,936 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
PRC - [2005/06/15 12:17:44 | 00,135,168 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
PRC - [2005/06/15 12:17:38 | 00,270,336 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
PRC - [2005/05/20 18:41:42 | 00,153,600 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
PRC - [2005/03/11 18:55:40 | 00,135,168 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
PRC - [2003/08/13 13:23:00 | 00,106,496 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
PRC - [2003/08/13 13:07:22 | 00,094,208 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe

========== Modules (SafeList) ==========

MOD - [2009/12/05 10:57:19 | 00,536,064 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\My PC\Desktop\OTL.exe
MOD - [2009/11/25 10:00:35 | 00,171,552 | ---- | M] (COMODO) -- C:\WINDOWS\system32\guard32.dll

========== Win32 Services (SafeList) ==========

SRV - File not found -- -- (NMSAccess)
SRV - [2009/11/18 08:32:36 | 00,723,632 | ---- | M] (COMODO) -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe -- (cmdAgent)
SRV - [2009/11/06 09:18:50 | 00,051,168 | ---- | M] (NOS Microsystems Ltd.) -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
SRV - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2008/11/09 14:48:14 | 00,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2006/10/26 18:49:34 | 00,441,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2006/10/26 13:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2006/10/23 06:50:35 | 00,046,640 | R--- | M] (AOL LLC) -- C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe -- (AOL ACS)
SRV - [2005/08/09 23:29:40 | 00,380,928 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2005/06/15 12:17:46 | 00,073,728 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe -- (VAIO Entertainment TV Device Arbitration Service)
SRV - [2005/06/15 12:17:44 | 00,167,936 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe -- (VzCdbSvc)
SRV - [2005/06/15 12:17:44 | 00,135,168 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe -- (VzFw)
SRV - [2005/06/15 12:17:38 | 00,270,336 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe -- (Vcsw)
SRV - [2005/06/07 10:58:28 | 01,851,392 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe -- (VAIOMediaPlatform-IntegratedServer-AppServer)
SRV - [2005/06/07 04:44:10 | 00,770,048 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe -- (VAIOMediaPlatform-IntegratedServer-UPnP) VAIO Media Integrated Server (UPnP)
SRV - [2005/06/07 04:38:26 | 00,057,344 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe -- (VAIOMediaPlatform-IntegratedServer-HTTP) VAIO Media Integrated Server (HTTP)
SRV - [2005/06/07 04:37:14 | 00,188,416 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe -- (VAIOMediaPlatform-Mobile-Gateway)
SRV - [2005/06/07 02:32:54 | 00,053,337 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe -- (MSCSPTISRV)
SRV - [2005/06/07 02:28:04 | 00,053,337 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe -- (PACSPTISVR)
SRV - [2005/06/07 02:22:34 | 00,069,718 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe -- (SPTISRV)
SRV - [2005/06/03 06:21:00 | 00,069,632 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe -- (SSScsiSV)
SRV - [2005/05/20 18:41:42 | 00,153,600 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Event Service\VESMgr.exe -- (VAIO Event Service)
SRV - [2005/04/05 14:06:36 | 00,032,768 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\Image Converter 2\IcVzMon.exe -- (Image Converter video recording monitor for VAIO Entertainment)
SRV - [2005/03/11 18:55:40 | 00,135,168 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe -- (SonicStageMonitoring)
SRV - [2004/10/22 02:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004/10/04 05:47:04 | 00,098,304 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor)
SRV - [2004/10/04 04:40:50 | 00,118,784 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe -- (PhotoshopElementsDeviceConnect)
SRV - [2003/08/13 13:23:00 | 00,106,496 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe -- (Sony TVTA Manager)
SRV - [2003/08/13 13:10:04 | 00,118,784 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\Sony TV Tuner Library\halsv.exe -- (Sony TV Tuner Controller)
SRV - [2003/08/13 13:07:22 | 00,094,208 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe -- (Sony TV Tuner Manager)
SRV - [2002/11/22 13:49:22 | 00,077,824 | ---- | M] (HP) -- C:\WINDOWS\system32\hphipm11.exe -- (Pml Driver HPH11)

========== Driver Services (SafeList) ==========

DRV - File not found -- -- (catchme)
DRV - [2009/11/25 10:00:32 | 00,133,064 | ---- | M] (COMODO) -- C:\WINDOWS\system32\drivers\cmdguard.sys -- (cmdGuard)
DRV - [2009/11/18 08:32:55 | 00,087,104 | ---- | M] (COMODO) -- C:\WINDOWS\System32\DRIVERS\inspect.sys -- (Inspect)
DRV - [2009/11/18 08:32:55 | 00,025,160 | ---- | M] (COMODO) -- C:\WINDOWS\system32\drivers\cmdhlp.sys -- (cmdHlp)
DRV - [2009/05/13 22:25:06 | 00,214,024 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/05/13 22:25:06 | 00,079,816 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/05/13 22:25:06 | 00,040,552 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/05/13 22:25:06 | 00,035,272 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/05/13 22:24:34 | 00,034,248 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2008/04/13 12:45:34 | 00,046,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\irbus.sys -- (IrBus)
DRV - [2008/04/13 12:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 10:39:15 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2008/04/13 10:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/02/03 09:25:56 | 01,075,360 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\drivers\Camdrl.sys -- (CamDrL) Logitech QuickCam Pro 3000(CamDrl)
DRV - [2005/08/09 23:35:42 | 01,273,856 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/07/29 16:12:44 | 01,019,960 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2005/05/23 11:31:46 | 01,034,752 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/05/23 11:30:48 | 00,178,048 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2005/05/23 11:30:42 | 00,716,288 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2005/04/25 03:03:00 | 00,020,640 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2005/03/04 12:10:26 | 00,074,496 | ---- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\system32\drivers\Rtlnicxp.sys -- (RTL8023xp)
DRV - [2005/01/04 21:24:44 | 00,394,656 | ---- | M] (Atheros Communications, Inc.) -- C:\WINDOWS\system32\drivers\ExpasAG.sys -- (LEX_AS_NIC_SERVICE_YNOS)
DRV - [2004/10/07 19:16:04 | 00,035,840 | ---- | M] (Oak Technology Inc.) -- C:\WINDOWS\system32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2004/08/10 06:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/08/05 22:20:34 | 00,788,736 | ---- | M] (Sony Corporation) -- C:\WINDOWS\system32\drivers\smrt.sys -- (smrt)
DRV - [2004/03/17 13:04:14 | 00,013,059 | ---- | M] (Conexant) -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk)
DRV - [2003/01/10 15:13:04 | 00,033,588 | R--- | M] (America Online, Inc.) -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2002/11/22 13:49:22 | 00,050,896 | R--- | M] (HP) -- C:\WINDOWS\system32\drivers\hphid411.sys -- (Dot4 HPH11)
DRV - [2002/11/22 13:49:22 | 00,018,928 | R--- | M] (HP) -- C:\WINDOWS\system32\drivers\hphius11.sys -- (Dot4Usb HPH11)
DRV - [2002/11/22 13:49:22 | 00,016,112 | R--- | M] (HP) -- C:\WINDOWS\system32\drivers\hphipr11.sys -- (Dot4Print HPH11)
DRV - [2002/06/10 13:20:12 | 00,012,112 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2002/06/10 13:16:34 | 00,371,766 | ---- | M] (Philips Semiconductors) -- C:\WINDOWS\system32\drivers\CamDrL21.sys -- (PhilCam8116) Logitech QuickCam Pro 3000(PID_08B0)
DRV - [2000/12/05 17:18:02 | 00,003,952 | ---- | M] (Sony Corporation) -- C:\WINDOWS\system32\drivers\DMICall.sys -- (DMICall)
DRV - [2000/11/09 21:15:08 | 00,048,896 | ---- | M] (Sony Corporation) -- C:\WINDOWS\system32\drivers\SonyNC.sys -- (SNC)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
IE - HKLM\..\URLSearchHook: {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL LLC)

IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople

IE - HKU\S-1-5-21-3962488618-778361740-41019675-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-3962488618-778361740-41019675-1005\..\URLSearchHook: {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL LLC)
IE - HKU\S-1-5-21-3962488618-778361740-41019675-1005\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-3962488618-778361740-41019675-1005\S-1-5-21-3962488618-778361740-41019675-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.1
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7
FF - prefs.js..extensions.enabledItems: {64161300-e22b-11db-8314-0800200c9a66}:0.9.1
FF - prefs.js..network.proxy.type: 2

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/11/13 12:50:46 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/02 21:44:25 | 00,000,000 | ---D | M]

[2009/11/13 12:51:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\My PC\Application Data\Mozilla\Extensions
[2009/09/15 16:45:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\My PC\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2009/11/29 22:07:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\My PC\Application Data\Mozilla\Firefox\Profiles\o8ql5spr.default\extensions
[2009/11/29 22:07:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\My PC\Application Data\Mozilla\Firefox\Profiles\o8ql5spr.default\extensions\{64161300-e22b-11db-8314-0800200c9a66}
[2009/11/13 14:55:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\My PC\Application Data\Mozilla\Firefox\Profiles\o8ql5spr.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/11/13 12:50:28 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: (356633 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 12234 more lines...
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (TSToolbarBHO) - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll File not found
O2 - BHO: (AOL Toolbar Loader) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL LLC)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Trend Micro Toolbar) - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll File not found
O3 - HKLM\..\Toolbar: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL LLC)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-3962488618-778361740-41019675-1005\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-3962488618-778361740-41019675-1005\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKU\S-1-5-21-3962488618-778361740-41019675-1005\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKU\S-1-5-21-3962488618-778361740-41019675-1005\..\Toolbar\WebBrowser: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL LLC)
O4 - HKLM..\Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO)
O4 - HKLM..\Run: [HostManager] C:\Program Files\Common Files\aol\1249396505\ee\aolsoftware.exe (AOL LLC)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKU\S-1-5-21-3962488618-778361740-41019675-1005..\Run: [AOL Fast Start] C:\Program Files\AOL 9.5\AOL.EXE (AOL, LLC.)
O4 - HKU\S-1-5-21-3962488618-778361740-41019675-1005..\Run: [RamBooster] C:\Program Files\RamBooster 2.0\Rambooster.exe (J.Pajula)
O4 - HKU\S-1-5-21-3962488618-778361740-41019675-1005..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe (AWS Convergence Technologies, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3962488618-778361740-41019675-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3962488618-778361740-41019675-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-3962488618-778361740-41019675-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-3962488618-778361740-41019675-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-3962488618-778361740-41019675-1005_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html ()
O8 - Extra context menu item: &Google Search - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: Backward Links - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: Cached Snapshot of Page - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Similar Pages - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: Translate into English - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: musicmatch.com ([online] https in Trusted sites)
O15 - HKLM\..Trusted Domains: 59 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-3962488618-778361740-41019675-1005\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O15 - HKU\S-1-5-21-3962488618-778361740-41019675-1005\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\tmtb {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll File not found
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\WINDOWS\system32\guard32.dll) - C:\WINDOWS\system32\guard32.dll (COMODO)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\VESWinlogon: DllName - VESWinlogon.dll - C:\WINDOWS\System32\VESWinlogon.dll (Sony Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/09/06 13:46:45 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2009/12/05 10:57:19 | 00,536,064 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\My PC\Desktop\OTL.exe
[2009/12/05 07:38:26 | 00,000,000 | ---D | C] -- C:\Program Files\ESET
[2009/12/05 07:00:37 | 00,793,200 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\My PC\Desktop\Norton_Removal_Tool.exe
[2009/12/04 23:35:22 | 00,000,000 | ---D | C] -- C:\Program Files\FastStone Capture
[2009/12/04 21:59:24 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/12/04 21:56:21 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/12/04 21:56:21 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/12/04 21:56:21 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/12/04 21:56:21 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/12/04 21:55:54 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/12/04 21:55:50 | 00,000,000 | ---D | C] -- C:\thcbytes
[2009/12/04 21:55:05 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/12/04 14:14:59 | 00,000,000 | ---D | C] -- C:\32788R22FWJFW.3.tmp
[2009/12/04 14:10:38 | 00,000,000 | ---D | C] -- C:\32788R22FWJFW.2.tmp
[2009/12/04 14:03:03 | 00,000,000 | ---D | C] -- C:\32788R22FWJFW.1.tmp
[2009/12/04 04:19:13 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\My PC\My Documents\RootRepeal.exe
[2009/12/03 00:59:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\My PC\Application Data\Malwarebytes
[2009/12/03 00:59:48 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/03 00:59:46 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/03 00:59:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/12/03 00:59:40 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/12/03 00:58:58 | 04,045,528 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\My PC\My Documents\mbam-setup.exe
[2009/12/02 21:53:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\Adobe
[2009/12/02 21:44:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee Security Scan
[2009/12/02 21:44:22 | 00,000,000 | ---D | C] -- C:\Program Files\NOS
[2009/12/02 21:44:22 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2009/12/02 12:51:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\My PC\My Documents\Ocean
[2009/11/30 14:23:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\My PC\My Documents\Amylynn
[2009/11/28 11:20:05 | 00,000,000 | ---D | C] -- C:\Program Files\Veoh Networks
[2009/11/27 12:24:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\My PC\Local Settings\Application Data\COMODO
[2009/11/26 14:52:56 | 01,839,984 | ---- | C] (Trend Micro) -- C:\Documents and Settings\My PC\My Documents\HousecallLauncher.exe
[2009/11/26 14:50:58 | 00,157,712 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2009/11/26 14:38:24 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/11/25 16:29:25 | 00,000,000 | ---D | C] -- C:\Program Files\Musicmatch
[2009/11/25 16:29:25 | 00,000,000 | ---D | C] -- C:\Documents and Settings\My PC\Application Data\Musicmatch
[2009/11/25 16:26:16 | 00,000,000 | ---D | C] -- C:\Documents and Settings\My PC\Local Settings\Application Data\Musicmatch
[2009/11/24 14:15:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/11/24 14:14:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\My PC\Application Data\SUPERAntiSpyware.com
[2009/11/24 14:14:33 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/11/23 04:43:30 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\968a850
[2009/11/14 17:25:20 | 06,886,504 | ---- | C] (Opera Software ASA ) -- C:\Documents and Settings\My PC\My Documents\Opera_1001_en_Setup.exe
[2009/11/14 17:23:24 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2009/11/14 02:18:01 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2009/11/14 02:18:01 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2009/11/14 01:36:57 | 00,000,000 | ---D | C] -- C:\WINDOWS\5C47C8B677FF4FC7A38866FCF9CFC24C.TMP
[2009/11/13 12:50:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\My PC\Local Settings\Application Data\Mozilla
[2009/11/13 12:50:25 | 00,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2009/11/13 09:44:38 | 00,000,000 | ---D | C] -- C:\Documents and Settings\My PC\My Documents\SFShiba
[2009/11/13 07:45:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\XoftSpySE
[2009/11/13 05:48:28 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{B10A9EE2-3B21-44A2-A778-D14E0C4BB591}
[2009/11/13 05:47:44 | 00,000,000 | ---D | C] -- C:\Documents and Settings\My PC\Local Settings\Application Data\PackageAware
[2009/11/13 05:47:16 | 20,092,336 | ---- | C] (Mystik Media ) -- C:\Documents and Settings\My PC\My Documents\blazemp.exe
[2009/11/12 12:07:09 | 08,036,352 | ---- | C] (Irfan Skiljan) -- C:\Documents and Settings\My PC\My Documents\irfanview_plugins_425_setup.exe
[2009/11/12 12:02:17 | 00,000,000 | ---D | C] -- C:\Program Files\IrfanView
[2009/11/12 12:01:12 | 01,359,360 | ---- | C] (Irfan Skiljan) -- C:\Documents and Settings\My PC\My Documents\IrfanViewer.exe
[2009/11/10 10:19:04 | 18,665,720 | ---- | C] (Lime Wire LLC) -- C:\Documents and Settings\My PC\My Documents\LimeWireWin2.exe
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\*.tmp files -> C:\*.tmp -> ]
[10 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2009/12/05 10:57:19 | 00,536,064 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\My PC\Desktop\OTL.exe
[2009/12/05 07:38:17 | 02,672,312 | ---- | M] () -- C:\Documents and Settings\My PC\Desktop\esetsmartinstaller_enu.exe
[2009/12/05 07:33:42 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/05 07:30:56 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/12/05 07:19:41 | 03,580,660 | R--- | M] () -- C:\Documents and Settings\My PC\Desktop\CombonFix.exe
[2009/12/05 07:14:50 | 00,000,708 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/12/05 07:11:46 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/05 07:11:40 | 10,731,39712 | -HS- | M] () -- C:\hiberfil.sys
[2009/12/05 07:10:26 | 06,553,600 | -H-- | M] () -- C:\Documents and Settings\My PC\NTUSER.DAT
[2009/12/05 07:10:26 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\My PC\ntuser.ini
[2009/12/05 07:05:26 | 00,793,200 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\My PC\Desktop\Norton_Removal_Tool.exe
[2009/12/04 23:46:06 | 00,000,557 | ---- | M] () -- C:\hpfr5550.xml
[2009/12/04 23:35:23 | 00,000,750 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\FastStone Capture.lnk
[2009/12/04 22:44:41 | 00,547,896 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/12/04 22:44:41 | 00,458,954 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/12/04 22:44:41 | 00,078,608 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/12/04 21:59:35 | 00,000,279 | RHS- | M] () -- C:\boot.ini
[2009/12/04 21:54:13 | 03,580,291 | R--- | M] () -- C:\Documents and Settings\My PC\Desktop\thcbytes.exe
[2009/12/04 21:50:32 | 00,262,656 | ---- | M] () -- C:\Documents and Settings\My PC\Desktop\rkill.exe
[2009/12/04 21:49:41 | 00,262,656 | ---- | M] () -- C:\Documents and Settings\My PC\Desktop\rkill.com
[2009/12/04 21:49:03 | 00,262,656 | ---- | M] () -- C:\Documents and Settings\My PC\Desktop\rkill.scr
[2009/12/04 21:48:04 | 00,262,656 | ---- | M] () -- C:\Documents and Settings\My PC\Desktop\rkill.pif
[2009/12/04 21:36:00 | 00,047,616 | ---- | M] () -- C:\Documents and Settings\My PC\Desktop\Win32kDiag.exe
[2009/12/04 21:25:59 | 00,289,792 | ---- | M] () -- C:\Documents and Settings\My PC\Desktop\exeHelper.com
[2009/12/04 21:14:51 | 00,047,616 | ---- | M] () -- C:\Documents and Settings\My PC\My Documents\Win32kDiag.exe
[2009/12/04 16:35:12 | 00,000,117 | ---- | M] () -- C:\WINDOWS\System32\scg
[2009/12/04 16:31:33 | 00,047,104 | ---- | M] () -- C:\Documents and Settings\My PC\My Documents\Win32k3rdDiag.exe
[2009/12/04 15:27:35 | 01,474,832 | ---- | M] () -- C:\WINDOWS\System32\drivers\sfi.dat
[2009/12/04 14:38:52 | 03,579,965 | ---- | M] () -- C:\Documents and Settings\My PC\My Documents\tchbytes.exe
[2009/12/04 13:59:50 | 03,579,965 | ---- | M] () -- C:\Documents and Settings\My PC\My Documents\ComboFixHelp.exe
[2009/12/04 13:52:54 | 00,262,656 | ---- | M] () -- C:\Documents and Settings\My PC\My Documents\rkill.exe
[2009/12/04 13:52:38 | 00,262,656 | ---- | M] () -- C:\Documents and Settings\My PC\My Documents\rkill.com
[2009/12/04 13:52:21 | 00,262,656 | ---- | M] () -- C:\Documents and Settings\My PC\My Documents\rkill.scr
[2009/12/04 13:51:57 | 00,262,656 | ---- | M] () -- C:\Documents and Settings\My PC\My Documents\rkill.pif
[2009/12/04 04:27:29 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\My PC\My Documents\settings.dat
[2009/12/04 04:26:30 | 00,000,015 | ---- | M] () -- C:\Documents and Settings\My PC\settings.dat
[2009/12/04 04:19:13 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\My PC\My Documents\RootRepeal.exe
[2009/12/04 03:40:30 | 00,000,209 | ---- | M] () -- C:\Boot.bak
[2009/12/03 09:09:00 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/12/03 00:59:51 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/03 00:58:58 | 04,045,528 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\My PC\My Documents\mbam-setup.exe
[2009/12/02 21:44:38 | 00,000,754 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Resume Adobe Downloads.lnk
[2009/12/02 12:51:03 | 00,028,223 | ---- | M] () -- C:\Documents and Settings\My PC\My Documents\Ocean.zip
[2009/12/02 09:56:28 | 01,850,368 | ---- | M] () -- C:\Documents and Settings\My PC\My Documents\Mantra.pps
[2009/12/02 09:20:06 | 01,821,566 | ---- | M] () -- C:\Documents and Settings\My PC\My Documents\FSCaptureSetup65.exe
[2009/12/01 01:31:14 | 04,803,704 | -H-- | M] () -- C:\Documents and Settings\My PC\Local Settings\Application Data\IconCache.db
[2009/11/30 14:23:14 | 06,186,202 | ---- | M] () -- C:\Documents and Settings\My PC\My Documents\Amylynn.zip
[2009/11/26 14:52:56 | 01,839,984 | ---- | M] (Trend Micro) -- C:\Documents and Settings\My PC\My Documents\HousecallLauncher.exe
[2009/11/26 14:48:40 | 00,000,036 | ---- | M] () -- C:\Documents and Settings\My PC\Local Settings\Application Data\housecall.guid.cache
[2009/11/26 14:38:25 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\My PC\Desktop\HijackThis.lnk
[2009/11/26 13:31:33 | 01,925,024 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\My PC\My Documents\install_flash_player.exe
[2009/11/25 16:42:57 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/11/25 16:36:50 | 00,287,704 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/11/25 16:32:11 | 00,001,751 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Musicmatch JUKEBOX.lnk
[2009/11/25 16:25:32 | 26,705,808 | ---- | M] () -- C:\Documents and Settings\My PC\My Documents\mmsetup_10004015b_ENU.exe
[2009/11/25 10:00:35 | 00,171,552 | ---- | M] (COMODO) -- C:\WINDOWS\System32\guard32.dll
[2009/11/25 10:00:32 | 00,133,064 | ---- | M] (COMODO) -- C:\WINDOWS\System32\drivers\cmdguard.sys
[2009/11/24 18:29:50 | 00,040,448 | ---- | M] () -- C:\Documents and Settings\My PC\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/24 18:29:04 | 06,889,573 | ---- | M] () -- C:\Documents and Settings\My PC\My Documents\Apparition.wmv
[2009/11/24 14:12:42 | 07,392,800 | ---- | M] () -- C:\Documents and Settings\My PC\My Documents\SUPERAntiSpywarePro.exe
[2009/11/24 12:43:01 | 00,356,633 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/11/23 23:29:13 | 00,000,592 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Opera.lnk
[2009/11/21 18:21:37 | 00,356,633 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20091124-124301.backup
[2009/11/18 08:34:10 | 00,351,981 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20091121-182136.backup
[2009/11/18 08:32:55 | 00,087,104 | ---- | M] (COMODO) -- C:\WINDOWS\System32\drivers\inspect.sys
[2009/11/18 08:32:55 | 00,025,160 | ---- | M] (COMODO) -- C:\WINDOWS\System32\drivers\cmdhlp.sys
[2009/11/14 17:25:21 | 06,886,504 | ---- | M] (Opera Software ASA ) -- C:\Documents and Settings\My PC\My Documents\Opera_1001_en_Setup.exe
[2009/11/14 01:47:57 | 00,260,608 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/11/13 12:50:31 | 00,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/11/13 09:34:20 | 12,364,3305 | ---- | M] () -- C:\Documents and Settings\My PC\My Documents\Video_2009-11-13_093420sound.wmv
[2009/11/13 09:17:33 | 12,629,791 | ---- | M] () -- C:\Documents and Settings\My PC\My Documents\Video_2009-11-13_091733.wmv
[2009/11/13 06:51:29 | 10,324,565 | ---- | M] () -- C:\Documents and Settings\My PC\My Documents\SFYumiWheresMomma3.wmv
[2009/11/13 05:49:02 | 00,000,666 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Blaze Media Pro.lnk
[2009/11/13 05:47:18 | 20,092,336 | ---- | M] (Mystik Media ) -- C:\Documents and Settings\My PC\My Documents\blazemp.exe
[2009/11/12 12:07:09 | 08,036,352 | ---- | M] (Irfan Skiljan) -- C:\Documents and Settings\My PC\My Documents\irfanview_plugins_425_setup.exe
[2009/11/12 12:01:12 | 01,359,360 | ---- | M] (Irfan Skiljan) -- C:\Documents and Settings\My PC\My Documents\IrfanViewer.exe
[2009/11/12 10:36:44 | 31,182,013 | ---- | M] () -- C:\Documents and Settings\My PC\My Documents\Video_2009-11-12_103644.wmv
[2009/11/11 10:45:45 | 08,086,599 | ---- | M] () -- C:\Documents and Settings\My PC\My Documents\SFYumiDigging.wmv
[2009/11/11 09:10:19 | 14,773,341 | ---- | M] () -- C:\Documents and Settings\My PC\My Documents\DaddyHaruGirls111109.wmv
[2009/11/10 21:54:36 | 16,063,997 | ---- | M] () -- C:\Documents and Settings\My PC\My Documents\SFSmackdownYumiYuuki.wmv
[2009/11/10 10:32:03 | 16,049,953 | ---- | M] () -- C:\Documents and Settings\My PC\My Documents\SFYumiWheresMomma2.wmv
[2009/11/10 10:20:30 | 00,001,578 | ---- | M] () -- C:\Documents and Settings\My PC\Desktop\LimeWire 5.3.6.lnk
[2009/11/10 10:19:07 | 18,665,720 | ---- | M] (Lime Wire LLC) -- C:\Documents and Settings\My PC\My Documents\LimeWireWin2.exe
[2009/11/08 10:59:10 | 95,561,581 | ---- | M] () -- C:\Documents and Settings\My PC\My Documents\DaddyYumiHaru110809.wmv
[2009/11/07 17:35:31 | 00,019,448 | ---- | M] () -- C:\Documents and Settings\My PC\My Documents\B.jpg
[2009/11/06 16:21:57 | 01,340,512 | ---- | M] () -- C:\Documents and Settings\My PC\My Documents\SFKika
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\*.tmp files -> C:\*.tmp -> ]
[10 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/12/05 07:38:13 | 02,672,312 | ---- | C] () -- C:\Documents and Settings\My PC\Desktop\esetsmartinstaller_enu.exe
[2009/12/04 23:35:23 | 00,000,750 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\FastStone Capture.lnk
[2009/12/04 21:59:34 | 00,000,209 | ---- | C] () -- C:\Boot.bak
[2009/12/04 21:59:27 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/12/04 21:56:21 | 00,260,608 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/12/04 21:56:21 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/12/04 21:56:21 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/12/04 21:56:21 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2009/12/04 21:56:21 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/12/04 21:54:13 | 03,580,291 | R--- | C] () -- C:\Documents and Settings\My PC\Desktop\thcbytes.exe
[2009/12/04 21:50:32 | 00,262,656 | ---- | C] () -- C:\Documents and Settings\My PC\Desktop\rkill.exe
[2009/12/04 21:49:41 | 00,262,656 | ---- | C] () -- C:\Documents and Settings\My PC\Desktop\rkill.com
[2009/12/04 21:49:03 | 00,262,656 | ---- | C] () -- C:\Documents and Settings\My PC\Desktop\rkill.scr
[2009/12/04 21:48:04 | 00,262,656 | ---- | C] () -- C:\Documents and Settings\My PC\Desktop\rkill.pif
[2009/12/04 21:36:00 | 00,047,616 | ---- | C] () -- C:\Documents and Settings\My PC\Desktop\Win32kDiag.exe
[2009/12/04 21:25:59 | 00,289,792 | ---- | C] () -- C:\Documents and Settings\My PC\Desktop\exeHelper.com
[2009/12/04 16:35:12 | 00,000,117 | ---- | C] () -- C:\WINDOWS\System32\scg
[2009/12/04 16:31:33 | 00,047,104 | ---- | C] () -- C:\Documents and Settings\My PC\My Documents\Win32k3rdDiag.exe
[2009/12/04 15:36:26 | 00,047,616 | ---- | C] () -- C:\Documents and Settings\My PC\My Documents\Win32kDiag.exe
[2009/12/04 14:38:51 | 03,579,965 | ---- | C] () -- C:\Documents and Settings\My PC\My Documents\tchbytes.exe
[2009/12/04 14:02:54 | 03,580,660 | R--- | C] () -- C:\Documents and Settings\My PC\Desktop\CombonFix.exe
[2009/12/04 13:59:49 | 03,579,965 | ---- | C] () -- C:\Documents and Settings\My PC\My Documents\ComboFixHelp.exe
[2009/12/04 13:52:54 | 00,262,656 | ---- | C] () -- C:\Documents and Settings\My PC\My Documents\rkill.exe
[2009/12/04 13:52:38 | 00,262,656 | ---- | C] () -- C:\Documents and Settings\My PC\My Documents\rkill.com
[2009/12/04 13:52:21 | 00,262,656 | ---- | C] () -- C:\Documents and Settings\My PC\My Documents\rkill.scr
[2009/12/04 13:51:57 | 00,262,656 | ---- | C] () -- C:\Documents and Settings\My PC\My Documents\rkill.pif
[2009/12/04 04:27:29 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\My PC\My Documents\settings.dat
[2009/12/04 04:19:30 | 00,000,015 | ---- | C] () -- C:\Documents and Settings\My PC\settings.dat
[2009/12/03 00:59:51 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/02 21:44:38 | 00,000,754 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Resume Adobe Downloads.lnk
[2009/12/02 12:51:02 | 00,028,223 | ---- | C] () -- C:\Documents and Settings\My PC\My Documents\Ocean.zip
[2009/11/30 14:22:50 | 06,186,202 | ---- | C] () -- C:\Documents and Settings\My PC\My Documents\Amylynn.zip
[2009/11/26 14:48:40 | 00,000,036 | ---- | C] () -- C:\Documents and Settings\My PC\Local Settings\Application Data\housecall.guid.cache
[2009/11/26 14:38:25 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\My PC\Desktop\HijackThis.lnk
[2009/11/25 16:32:11 | 00,001,751 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Musicmatch JUKEBOX.lnk
[2009/11/25 16:25:04 | 26,705,808 | ---- | C] () -- C:\Documents and Settings\My PC\My Documents\mmsetup_10004015b_ENU.exe
[2009/11/24 18:29:19 | 06,889,573 | ---- | C] () -- C:\Documents and Settings\My PC\My Documents\Apparition.wmv
[2009/11/24 14:12:41 | 07,392,800 | ---- | C] () -- C:\Documents and Settings\My PC\My Documents\SUPERAntiSpywarePro.exe
[2009/11/19 08:28:52 | 01,850,368 | ---- | C] () -- C:\Documents and Settings\My PC\My Documents\Mantra.pps
[2009/11/14 17:26:28 | 00,000,592 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Opera.lnk
[2009/11/13 12:50:31 | 00,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/11/13 09:34:29 | 12,364,3305 | ---- | C] () -- C:\Documents and Settings\My PC\My Documents\Video_2009-11-13_093420sound.wmv
[2009/11/13 09:17:38 | 12,629,791 | ---- | C] () -- C:\Documents and Settings\My PC\My Documents\Video_2009-11-13_091733.wmv
[2009/11/13 06:47:39 | 10,324,565 | ---- | C] () -- C:\Documents and Settings\My PC\My Documents\SFYumiWheresMomma3.wmv
[2009/11/13 05:49:02 | 00,000,666 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Blaze Media Pro.lnk
[2009/11/12 10:36:50 | 31,182,013 | ---- | C] () -- C:\Documents and Settings\My PC\My Documents\Video_2009-11-12_103644.wmv
[2009/11/11 10:45:58 | 08,086,599 | ---- | C] () -- C:\Documents and Settings\My PC\My Documents\SFYumiDigging.wmv
[2009/11/11 09:10:44 | 14,773,341 | ---- | C] () -- C:\Documents and Settings\My PC\My Documents\DaddyHaruGirls111109.wmv
[2009/11/10 21:55:22 | 16,063,997 | ---- | C] () -- C:\Documents and Settings\My PC\My Documents\SFSmackdownYumiYuuki.wmv
[2009/11/10 10:32:17 | 16,049,953 | ---- | C] () -- C:\Documents and Settings\My PC\My Documents\SFYumiWheresMomma2.wmv
[2009/11/10 10:20:30 | 00,001,578 | ---- | C] () -- C:\Documents and Settings\My PC\Desktop\LimeWire 5.3.6.lnk
[2009/11/08 10:59:30 | 95,561,581 | ---- | C] () -- C:\Documents and Settings\My PC\My Documents\DaddyYumiHaru110809.wmv
[2009/11/07 17:35:31 | 00,019,448 | ---- | C] () -- C:\Documents and Settings\My PC\My Documents\B.jpg
[2009/11/07 16:39:42 | 01,340,512 | ---- | C] () -- C:\Documents and Settings\My PC\My Documents\SFKika
[2009/11/03 00:23:39 | 00,000,379 | ---- | C] () -- C:\WINDOWS\cfplogvw.INI
[2009/08/12 01:54:03 | 00,000,033 | ---- | C] () -- C:\WINDOWS\LVMMail.INI
[2009/08/11 17:02:15 | 00,040,448 | ---- | C] () -- C:\Documents and Settings\My PC\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/04 11:52:50 | 00,000,241 | ---- | C] () -- C:\WINDOWS\QSync.INI
[2009/08/04 11:51:02 | 00,000,544 | ---- | C] () -- C:\WINDOWS\_delis32.ini
[2009/08/04 11:50:31 | 00,147,456 | ---- | C] () -- C:\WINDOWS\System32\MimicICM.dll
[2009/08/04 11:26:41 | 00,000,034 | ---- | C] () -- C:\WINDOWS\hpfsched.ini
[2009/07/24 17:34:12 | 00,000,139 | ---- | C] () -- C:\Documents and Settings\My PC\Local Settings\Application Data\fusioncache.dat
[2009/07/24 17:21:55 | 00,000,059 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2009/07/24 17:15:56 | 00,002,158 | ---- | C] () -- C:\WINDOWS\System32\ssmute.ini
[2009/07/24 17:14:21 | 00,019,968 | ---- | C] () -- C:\WINDOWS\System32\Cpuinf32.dll
[2009/07/24 17:13:29 | 00,000,180 | ---- | C] () -- C:\WINDOWS\Quicken.ini
[2009/07/24 17:12:47 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2009/07/24 17:12:47 | 00,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2009/07/24 17:12:47 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2009/07/24 17:12:47 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2009/07/24 17:12:47 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2009/07/24 17:12:47 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2009/07/24 17:11:34 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/10/03 17:07:10 | 03,754,896 | ---- | C] () -- C:\WINDOWS\System32\erdmpg-6.dll
[2008/09/28 11:33:01 | 00,253,952 | ---- | C] () -- C:\WINDOWS\System32\Manipulate.dll
[2008/08/28 05:20:38 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\comLyricGetter.dll
[2008/08/28 05:17:22 | 00,097,280 | ---- | C] () -- C:\WINDOWS\System32\Uncommon.dll
[2008/08/28 05:17:20 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\NormalizeDSP.dll
[2007/02/03 07:59:04 | 00,005,187 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2006/11/06 13:30:38 | 00,262,144 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2005/09/06 16:39:57 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/09/06 15:57:44 | 00,000,000 | ---- | C] () -- C:\WINDOWS\VAIOUpdt.INI
[2005/09/06 14:13:46 | 00,143,360 | ---- | C] () -- C:\WINDOWS\System32\WLANDLL.DLL
[2005/09/06 13:53:55 | 00,000,811 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2005/09/06 13:30:35 | 00,000,762 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2005/09/06 13:30:07 | 00,056,880 | ---- | C] () -- C:\WINDOWS\System32\scvideo.dll
[2005/08/05 15:01:54 | 00,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/06/06 13:30:02 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2003/07/17 10:46:42 | 00,049,152 | ---- | C] () -- C:\WINDOWS\System32\winchip.dll
[2003/01/07 16:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/11/22 13:50:06 | 00,069,632 | ---- | C] () -- C:\WINDOWS\System32\hpodinet.dll
[1999/01/27 12:39:06 | 00,065,024 | ---- | C] () -- C:\WINDOWS\System32\indounin.dll
[1997/06/13 06:56:08 | 00,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll

========== LOP Check ==========

[2009/10/29 11:01:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TechSmith
[2009/10/26 17:34:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/12/05 07:29:34 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{B10A9EE2-3B21-44A2-A778-D14E0C4BB591}
[2009/08/04 11:50:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\My PC\Application Data\FotoWire
[2009/08/19 06:32:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\My PC\Application Data\GetRightToGo
[2009/07/24 17:34:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\My PC\Application Data\InterMute
[2009/11/25 17:40:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\My PC\Application Data\LimeWire
[2009/11/25 16:29:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\My PC\Application Data\Musicmatch
[2009/08/04 08:39:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\My PC\Application Data\Opera
[2009/10/26 17:12:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\My PC\Application Data\PCToolsFirewallPlus
[2009/10/26 17:12:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\My PC\Application Data\Spam Monitor
[2009/08/04 12:47:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\My PC\Application Data\WeatherBug
[2009/08/22 02:15:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\My PC\Application Data\Windows Search
[2009/07/24 17:33:51 | 00,000,258 | ---- | M] () -- C:\WINDOWS\Tasks\Registration reminder 1.job
[2009/07/24 17:33:51 | 00,000,258 | ---- | M] () -- C:\WINDOWS\Tasks\Registration reminder 2.job

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5160F090
@Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:430C6D84
< End of report >

OTL extras log

OTL Extras logfile created on: 12/5/2009 10:58:32 AM - Run 1
OTL by OldTimer - Version 3.1.11.6 Folder = C:\Documents and Settings\My PC\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.36 Mb Total Physical Memory | 446.00 Mb Available Physical Memory | 43.58% Memory free
2.40 Gb Paging File | 1.84 Gb Available in Paging File | 76.56% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 226.88 Gb Total Space | 166.51 Gb Free Space | 73.39% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ME
Current User Name: My PC
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- "%SYSTEMROOT%\hh.exe" %1
.html [@ = Opera.HTML] -- C:\Program Files\Opera\Opera.exe (Opera Software)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
chm.file [open] -- "%SYSTEMROOT%\hh.exe" %1
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Opera\opera.exe" (Opera Software)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe"

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\aol\acs\AOLDial.exe" = C:\Program Files\Common Files\aol\acs\AOLDial.exe:*:Enabled:AOL Connectivity Service Dialer -- (AOL LLC)
"C:\Program Files\Common Files\aol\acs\AOLacsd.exe" = C:\Program Files\Common Files\aol\acs\AOLacsd.exe:*:Enabled:AOL Connectivity Service -- (AOL LLC)
"C:\Program Files\Common Files\aol\1249396505\ee\aolsoftware.exe" = C:\Program Files\Common Files\aol\1249396505\ee\aolsoftware.exe:*:Enabled:AOL Shared Components -- (AOL LLC)
"C:\Program Files\AOL 9.1\waol.exe" = C:\Program Files\AOL 9.1\waol.exe:*:Enabled:AOL -- (AOL, LLC.)
"C:\Program Files\Common Files\aol\TopSpeed\3.0\aoltpsd3.exe" = C:\Program Files\Common Files\aol\TopSpeed\3.0\aoltpsd3.exe:*:Enabled:AOL TopSpeed -- (AOL LLC)
"C:\Program Files\Common Files\aol\Loader\aolload.exe" = C:\Program Files\Common Files\aol\Loader\aolload.exe:*:Enabled:AOL Loader -- (AOL LLC)
"C:\Program Files\Common Files\aol\System Information\sinf.exe" = C:\Program Files\Common Files\aol\System Information\sinf.exe:*:Enabled:AOL System Information -- (AOL LLC)
"C:\Program Files\mIRC\mirc.exe" = C:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC -- (mIRC Co. Ltd.)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- (Lime Wire, LLC)
"C:\Program Files\Opera\opera.exe" = C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser -- (Opera Software)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{013E1BA8-C815-4E27-BCB9-D6B1B2E24094}" = SonicStage Mastering Studio Audio Filter Custom Preset
"{01FDC9FC-4D4F-4DB0-ACD1-D3E8E1D52902}" = Sony MP4 Shared Library
"{075473F5-846A-448B-BCB3-104AA1760205}" = Roxio DigitalMedia Data
"{0C34B801-6AEC-4667-B053-03A67E2D0415}" = Apple Application Support
"{0D396571-7BBD-44CE-ABB3-518BF86B72F7}" = HP Photo and Imaging 2.0 - Photosmart Printer Series
"{0DF00135-D5A7-476A-BFB3-EDFF2840076A}" = VAIO Wireless Utility
"{11B569C2-4BF6-4ED0-9D17-A4273943CB24}" = Adobe Photoshop Album 2.0 Starter Edition
"{13515135-48BB-4184-8C1F-2FAE0138E200}" = TBS WMP Plug-in
"{1EB317D8-8945-4FD6-B37F-DF470317C6AB}" = VAIO Media 4.0
"{2063C2E8-3812-4BBD-9998-6610F80C1DD4}" = VAIO Media AC3 Decoder 1.0
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216015FF}" = Java™ 6 Update 17
"{27337663-2619-11D4-99DC-0000F49094C7}" = Memory Stick Formatter
"{29999594-B540-4C88-A8D3-C99CA43809FC}" = Image Converter 2
"{2DBE41DD-2129-4C65-A3D3-5647236A60F3}" = Quicken 2005
"{315BA29D-2644-4760-B5FD-5AC04A52B8C5}" = VAIO Registration
"{3248F0A8-6813-11D6-A77B-00B0D0150030}" = J2SE Runtime Environment 5.0 Update 3
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C67D8C0-F0EC-11D3-99D3-00C04FCCB775}" = VAIO Action Setup
"{40D1BC4F-56CB-458E-BE8C-35A025CC52FB}" = Sony TV Tuner Library 1.0
"{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}" = Microsoft Works
"{48820099-ED7D-424B-890C-9A82EF00656D}" = VAIO Update 2
"{4E993095-28F2-4060-9101-99C1FD1195C0}" = VAIO Central
"{5A24DD7E-7B01-41AC-ADA8-F1776177A3BA}" = Logitech ImageStudio
"{5C47C8B6-77FF-4FC7-A388-66FCF9CFC24C}" = Snagit 9.1.3
"{6094F48A-98E4-4095-839F-B41BB38200F7}" = LifeFLOW
"{639BB4D3-AA30-4A7B-8CB5-6DE681AD6659}" = VAIO Light Flo Wallpaper
"{685BCC47-B8EC-45EC-BBCE-77DF2451502C}" = DVgate Plus
"{690BE098-6D0D-493D-B079-BD7E8F81A141}" = Opera 10.10
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{70DECFBF-9119-4434-B2D3-A3C283D15E45}" = WeatherBug
"{7128C69B-8F7E-4336-8698-3FD3CDD955EC}" = VAIO Media Redistribution 4.0
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{797EE0CA-8165-405C-B5CE-F11EC20F1BB0}" = Microsoft VC9 runtime libraries
"{7A79D11B-FD82-4A5E-834F-20173515DD14}" = VAIO Media Integrated Server 4.2
"{80EE18E6-F16C-11D4-8BE8-006097C9A3ED}" = ISScript
"{82081533-F045-469E-BD53-F16839E445C3}" = VAIO Support Central
"{849ABF1A-6AE3-45E1-B260-D5447B2F29F5}" = OpenMG Secure Module 4.2.00
"{851C67EF-068A-4060-9EF5-2E3DDCD68382}" = Adobe Photoshop Elements 3.0
"{85D3CC30-8859-481A-9654-FD9B74310BEF}" = Musicmatch® Jukebox
"{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}" = Logitech Desktop Messenger
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{91120000-0014-0000-0000-0000000FF1CE}" = Microsoft Office Professional 2007
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{984F10FD-11FD-4BED-8163-92DB81E6A825}" = Logitech IM Video Companion
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9B953606-000E-491C-B74D-78ECFDD520A0}" = OpenMG Metadata Extractor for Windows Media Player
"{9E407618-D9CD-4F39-9490-9ED45294073D}" = Click to DVD 2.0.03 Menu Data
"{A0EB195B-5876-48E6-879D-33D4B2102610}" = SonicStage 3.2
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{AB467B85-4F52-48C2-AEED-0673D00417B0}" = SonicStage Mastering Studio Audio Filter
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Roxio DigitalMedia Audio
"{AC76BA86-0000-7EC8-7489-000000000702}" = Adobe Acrobat 7.0.1 and Reader 7.0.1 Update
"{AC76BA86-0000-7EC8-7489-000000000703}" = Adobe Acrobat 7.0.2 and Reader 7.0.2 Update
"{AC76BA86-0000-7EC8-7489-000000000704}" = Adobe Acrobat 7.0.3 and Reader 7.0.3 Update
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{ADE3CACC-EC31-480C-83A0-587EE60CE8DF}" = RamBooster
"{AF9A04EB-7D8E-41DE-9EDE-4AB9BB2B71B6}" = VAIO Media Registration Tool 4.0
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Roxio DigitalMedia Copy
"{B376402D-58EA-45EA-BD50-DD924EB67A70}" = HP Memories Disc
"{BE56FEF0-1A0F-4719-B3AD-34B5087AFA6D}" = Sony Video Shared Library
"{BF3B304B-8A18-452D-A19F-6012CA8418D7}" = SonicStage Mastering Studio 2.0
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CAC97A21-F556-4B0B-BBFD-A2BB82FB9F40}" = ATI Catalyst Control Center
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0448678-1203-4158-A58F-B3D0B616BF9E}" = Sony Certificate PCH
"{D917FD82-6CE5-489A-AAF8-C701AAC85C4D}" = VAIO Entertainment Platform
"{E09B48B5-E141-427A-AB0C-D3605127224A}" = Microsoft SQL Server Desktop Engine (VAIO_VEDB)
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{E809063C-51A3-4269-8984-D1EB742F2151}" = Click to DVD 2.4.10
"{EA7FC832-8133-46B4-B2CF-5A955326D309}" = Wireless Desktop
"{EE7EB179-5AA2-4B28-AC92-5CBAAF82BA7F}" = SonicStage Mastering Studio Plugins
"{EF3D45BB-2260-4008-88EA-492E7744A9DF}" = Sony Utilities DLL
"{F0D85ADD-DD61-4B43-87A0-6DA52A211A8B}" = VAIO Event Service
"{FA11D5B5-7D0A-43E8-88C4-960F97B194DE}" = VAIO Survey Standalone
"{FCCB0B43-7A6D-49A4-A5B3-B10F592F4EB6}" = LAN-Express AS IEEE 802.11 Wireless LAN
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"All ATI Software" = ATI - Software Uninstall Utility
"AOL Emergency Connect Utility 1.0" = Uninstall AOL Emergency Connect Utility 1.0
"AOL Toolbar" = AOL Toolbar
"AOL Uninstaller" = AOL Uninstaller (Choose which Products to Remove)
"ATI Display Driver" = ATI Display Driver
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_20030003" = HDAUDIO SoftV92 Data Fax Modem with SmartCP
"COMODO Internet Security" = COMODO Internet Security
"ESET Online Scanner" = ESET Online Scanner v3
"FastStone Capture" = FastStone Capture 6.5
"HijackThis" = HijackThis 2.0.2
"hphuni04" = Photosmart 130,230,7150,7345,7350,7550 (Remove only)
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie8" = Windows Internet Explorer 8
"InstallShield_{13515135-48BB-4184-8C1F-2FAE0138E200}" = TBS WMP Plug-in
"InstallShield_{2DBE41DD-2129-4C65-A3D3-5647236A60F3}" = Quicken 2005
"InstallShield_{315BA29D-2644-4760-B5FD-5AC04A52B8C5}" = VAIO Registration
"InstallShield_{849ABF1A-6AE3-45E1-B260-D5447B2F29F5}" = OpenMG Secure Module 4.2.00
"InstallShield_{FA11D5B5-7D0A-43E8-88C4-960F97B194DE}" = VAIO Survey Standalone
"LimeWire" = LimeWire 5.3.6
"Logitech Print Service" = Logitech Print Service
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MoodLogic" = MoodLogic
"Mozilla Firefox (3.5.5)" = Mozilla Firefox (3.5.5)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PROR" = Microsoft Office Professional 2007 Trial
"SoftwareUpdUtility" = Download Updater (AOL LLC)
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Search Defender" = Yahoo! Search Protection
"Yahoo! Software Update" = Yahoo! Software Update

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3962488618-778361740-41019675-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/28/2009 3:47:41 AM | Computer Name = ME | Source = Application Error | ID = 1000
Description = Faulting application opera.exe, version 9.64.10487.0, faulting module
npswf32.dll, version 10.0.32.18, fault address 0x00077bd0.

Error - 10/28/2009 3:03:09 PM | Computer Name = ME | Source = Media Center Scheduler | ID = 0
Description =

Error - 10/29/2009 1:06:04 PM | Computer Name = ME | Source = MsiInstaller | ID = 10005
Description = Product: Snagit 9.1.3 -- Internal Error 2755. 1601, C:\Program Files\Common
Files\Wise Installation Wizard\WIS5C47C8B677FF4FC7A38866FCF9CFC24C_9_1_3_19.MSI

Error - 10/29/2009 6:27:32 PM | Computer Name = ME | Source = Application Error | ID = 1000
Description = Faulting application opera.exe, version 9.64.10487.0, faulting module
unknown, version 0.0.0.0, fault address 0x05463242.

Error - 11/2/2009 10:45:35 AM | Computer Name = ME | Source = Application Error | ID = 1000
Description = Faulting application opera.exe, version 9.64.10487.0, faulting module
ntdll.dll, version 5.1.2600.5755, fault address 0x00011766.

Error - 11/2/2009 11:23:10 AM | Computer Name = ME | Source = Application Error | ID = 1000
Description = Faulting application opera.exe, version 9.64.10487.0, faulting module
opera.dll, version 9.64.10487.0, fault address 0x0004ba96.

Error - 11/3/2009 5:20:07 PM | Computer Name = ME | Source = Application Hang | ID = 1002
Description = Hanging application Weather.exe, version 6.7.2.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 11/7/2009 10:58:01 PM | Computer Name = ME | Source = Media Center Receiver | ID = 3
Description = TV tuner encountered an error. (0xc004050b) SMRT TV Tuner

Error - 11/7/2009 10:58:02 PM | Computer Name = ME | Source = Media Center Scheduler | ID = 0
Description =

Error - 11/12/2009 11:53:32 AM | Computer Name = ME | Source = Application Error | ID = 1000
Description = Faulting application fsrecorder.exe, version 0.0.0.0, faulting module
wmvencod.dll, version 11.0.5721.5145, fault address 0x0002b9ed.

[ Application Events ]
Error - 10/28/2009 3:47:41 AM | Computer Name = ME | Source = Application Error | ID = 1000
Description = Faulting application opera.exe, version 9.64.10487.0, faulting module
npswf32.dll, version 10.0.32.18, fault address 0x00077bd0.

Error - 10/28/2009 3:03:09 PM | Computer Name = ME | Source = Media Center Scheduler | ID = 0
Description =

Error - 10/29/2009 1:06:04 PM | Computer Name = ME | Source = MsiInstaller | ID = 10005
Description = Product: Snagit 9.1.3 -- Internal Error 2755. 1601, C:\Program Files\Common
Files\Wise Installation Wizard\WIS5C47C8B677FF4FC7A38866FCF9CFC24C_9_1_3_19.MSI

Error - 10/29/2009 6:27:32 PM | Computer Name = ME | Source = Application Error | ID = 1000
Description = Faulting application opera.exe, version 9.64.10487.0, faulting module
unknown, version 0.0.0.0, fault address 0x05463242.

Error - 11/2/2009 10:45:35 AM | Computer Name = ME | Source = Application Error | ID = 1000
Description = Faulting application opera.exe, version 9.64.10487.0, faulting module
ntdll.dll, version 5.1.2600.5755, fault address 0x00011766.

Error - 11/2/2009 11:23:10 AM | Computer Name = ME | Source = Application Error | ID = 1000
Description = Faulting application opera.exe, version 9.64.10487.0, faulting module
opera.dll, version 9.64.10487.0, fault address 0x0004ba96.

Error - 11/3/2009 5:20:07 PM | Computer Name = ME | Source = Application Hang | ID = 1002
Description = Hanging application Weather.exe, version 6.7.2.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 11/7/2009 10:58:01 PM | Computer Name = ME | Source = Media Center Receiver | ID = 3
Description = TV tuner encountered an error. (0xc004050b) SMRT TV Tuner

Error - 11/7/2009 10:58:02 PM | Computer Name = ME | Source = Media Center Scheduler | ID = 0
Description =

Error - 11/12/2009 11:53:32 AM | Computer Name = ME | Source = Application Error | ID = 1000
Description = Faulting application fsrecorder.exe, version 0.0.0.0, faulting module
wmvencod.dll, version 11.0.5721.5145, fault address 0x0002b9ed.

[ System Events ]
Error - 12/5/2009 9:04:19 AM | Computer Name = ME | Source = Service Control Manager | ID = 7034
Description = The VAIO Entertainment File Import Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 12/5/2009 9:04:29 AM | Computer Name = ME | Source = Service Control Manager | ID = 7034
Description = The Adobe Active File Monitor service terminated unexpectedly. It
has done this 1 time(s).

Error - 12/5/2009 9:04:34 AM | Computer Name = ME | Source = Service Control Manager | ID = 7034
Description = The SonicStageMonitoring service terminated unexpectedly. It has
done this 1 time(s).

Error - 12/5/2009 9:04:53 AM | Computer Name = ME | Source = Service Control Manager | ID = 7034
Description = The Ati HotKey Poller service terminated unexpectedly. It has done
this 1 time(s).

Error - 12/5/2009 9:05:05 AM | Computer Name = ME | Source = Service Control Manager | ID = 7034
Description = The Photoshop Elements Device Connect service terminated unexpectedly.
It has done this 1 time(s).

Error - 12/5/2009 9:05:10 AM | Computer Name = ME | Source = Service Control Manager | ID = 7034
Description = The VAIO Entertainment Database Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 12/5/2009 9:14:39 AM | Computer Name = ME | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
TfFsMon TfSysMon

Error - 12/5/2009 9:22:05 AM | Computer Name = ME | Source = Service Control Manager | ID = 7034
Description = The Photoshop Elements Device Connect service terminated unexpectedly.
It has done this 1 time(s).

Error - 12/5/2009 9:22:05 AM | Computer Name = ME | Source = Service Control Manager | ID = 7034
Description = The Adobe Active File Monitor service terminated unexpectedly. It
has done this 1 time(s).

Error - 12/5/2009 9:29:34 AM | Computer Name = ME | Source = Service Control Manager | ID = 7034
Description = The NMSAccess service terminated unexpectedly. It has done this 1
time(s).

< End of report >

#12 MsKatGreenbay

Member

Group: Members
Posts: 82
Joined: 03-December 09
Gender:Female
Location:PC HELL :-)

Posted 05 December 2009 - 03:27 PM

thcbytes.... Oh boy. I was surfing a trusted site, one I visit daily. All of a sudden I got redirected to a page with one of those horrible warning, your system is infected and you MUST download so and so. it had a pop up I could not close. I had no choice but to shut down entire Opera Browser and start a new session. When I went to start menu where Opera is pinned right at the very top, it was now located bottom last!!! So far, all seems ok. Just thought you should know in case that makes a difference or, God forbid, we have to start over??????

This post has been edited by MsKatGreenbay: 05 December 2009 - 03:28 PM

#13 thcbytes

Bleepin' Teacher

Group: Malware Response Instructor
Posts: 11,595
Joined: 09-December 08
Gender:Male

Posted 05 December 2009 - 08:53 PM

Not real good news.

Question.

Were you surfing with your firewall and antivirus turned off??

Do me a favor. Avoid surfing aside from sites that I send you to for now. Only use that computer for clean up till I give you the all clear.

Let's continue....

Re-run RKill and Exehelper in normal mode.

==========

1. Download the file TDSSKiller.zip and extract it to your desktop.
2. Click start->run->copy-paste "%userprofile%desktop\TDSSKiller.exe" -l report.txt -v into the textbox and press enter.
3. report.txt should be generated into same location with TDSSKiller.exe. Post contents of that report, please.

==========

Right click and delete your current copy of Combofix.

Download and Run ComboFix (by sUBs)

You must rename it before saving it.

Posted Image

Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.
Double click on thcbytes.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

==========

Re-run Gmer and post a log

==========

With your next post please provide:

* Answer to question
* Exehelper
* Combofix.txt
* Gmer log
* Any problems?

Kind regards,
~t

Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

#14 MsKatGreenbay

Member

Group: Members
Posts: 82
Joined: 03-December 09
Gender:Female
Location:PC HELL :-)

Posted 06 December 2009 - 12:57 AM

YES my AV and firewall were off.. NO, I will not use machine again except as instructed by you. I am not able to run Rkill. Each 4 mirrors I tried my desktop icons disappeared and came back with no program running.. this also happened earlier when requested to run it. so Rkill has never been run.... I was unable to paste into the run command "%userprofile%desktop\TDSSKiller.exe" -l report.txt -v.. It said that path refers to a location that is not available.

TDSSKiller I am not sure if it ran. Below are the results I got from it. When I tried to extract zip, the wizard would pop up, I press next and there is a progress bar for extraction, which never progresses. So I press next and it says unzipped. So I try to run TDSSKiller.exe and this is what I get..... All other requested logs I believe are in order. So sorry about using machine. I will not do that again. Promise

I just posted but it said my post was too long. Will post Gmer in separate post.

TDSS rootkit removing tool, Kaspersky Lab 2009
version 2.0.0 Nov 26 2009 13:23:50

Scanning Registry ...

Scanning Kernel memory ...

Completed

Results:
Infected / Cured drivers in memory: 0 / 0
Infected / Cured drivers on disk: 0 / 0
Files deleted on next reboot: 0
Registry nodes deleted on next reboot: 0

Press any key to continue . . .

exeHelper by Raktor
Build 20091204
Run at 20:52:06 on 12/05/09
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

Combo Fix
ComboFix 09-12-05.03 - My PC 12/05/2009 21:15.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.461 [GMT -6:00]
Running from: c:\documents and settings\My PC\Desktop\thcbytes.exe
AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((( Files Created from 2009-11-06 to 2009-12-06 )))))))))))))))))))))))))))))))
.

2009-12-05 13:38 . 2009-12-05 13:38 -------- d-----w- c:\program files\ESET
2009-12-05 05:35 . 2009-12-05 05:35 -------- d-----w- c:\program files\FastStone Capture
2009-12-05 03:55 . 2009-12-05 04:18 -------- d-----w- C:\thcbytes
2009-12-04 20:14 . 2009-12-04 20:39 -------- d-----w- C:\32788R22FWJFW.3.tmp
2009-12-04 20:10 . 2009-12-04 20:14 -------- d-----w- C:\32788R22FWJFW.2.tmp
2009-12-04 20:03 . 2009-12-04 20:10 -------- d-----w- C:\32788R22FWJFW.1.tmp
2009-12-04 10:19 . 2009-12-04 10:26 15 ----a-w- c:\documents and settings\My PC\settings.dat
2009-12-03 06:59 . 2009-12-03 06:59 -------- d-----w- c:\documents and settings\My PC\Application Data\Malwarebytes
2009-12-03 06:59 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 06:59 . 2009-12-03 06:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-03 06:59 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-03 06:59 . 2009-12-03 06:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-03 03:53 . 2009-12-03 03:53 -------- d-----w- c:\windows\system32\Adobe
2009-12-03 03:44 . 2009-12-03 03:44 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-12-03 03:44 . 2009-12-03 03:44 1962544 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-12-03 03:44 . 2009-12-03 03:44 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-12-03 03:44 . 2009-12-03 03:44 -------- d-----w- c:\program files\NOS
2009-11-28 17:20 . 2009-11-28 17:20 -------- d-----w- c:\program files\Veoh Networks
2009-11-27 18:24 . 2009-11-27 18:24 -------- d-----w- c:\documents and settings\My PC\Local Settings\Application Data\COMODO
2009-11-26 20:50 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-26 20:38 . 2009-11-26 20:38 -------- d-----w- c:\program files\Trend Micro
2009-11-25 22:29 . 2009-11-25 22:30 -------- d-----w- c:\program files\Musicmatch
2009-11-25 22:29 . 2009-11-25 22:29 -------- d-----w- c:\documents and settings\My PC\Application Data\Musicmatch
2009-11-25 22:26 . 2009-11-25 22:37 -------- d-----w- c:\documents and settings\My PC\Local Settings\Application Data\Musicmatch
2009-11-25 04:26 . 2009-11-25 04:26 1408376 ----a-w- c:\documents and settings\My PC\Application Data\Move Networks\MoveMediaPlayerWinSilent_071505000011.exe
2009-11-24 20:15 . 2009-11-24 20:15 117760 ----a-w- c:\documents and settings\My PC\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-24 20:15 . 2009-11-24 20:15 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-24 20:14 . 2009-12-04 20:35 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-24 20:14 . 2009-11-24 20:14 -------- d-----w- c:\documents and settings\My PC\Application Data\SUPERAntiSpyware.com
2009-11-23 10:43 . 2009-11-23 10:43 -------- d-----w- c:\documents and settings\All Users\968a850
2009-11-18 14:53 . 2009-11-18 14:53 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-11-14 08:18 . 2009-12-04 20:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-14 08:18 . 2009-12-04 19:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-14 07:54 . 2009-11-14 07:54 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\AOL
2009-11-14 07:36 . 2009-11-26 20:58 -------- d-----w- c:\windows\5C47C8B677FF4FC7A38866FCF9CFC24C.TMP
2009-11-13 18:50 . 2009-11-13 18:50 -------- d-----w- c:\documents and settings\My PC\Local Settings\Application Data\Mozilla
2009-11-13 13:45 . 2009-11-13 13:45 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE
2009-11-13 11:48 . 2009-12-05 13:29 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{B10A9EE2-3B21-44A2-A778-D14E0C4BB591}
2009-11-12 18:02 . 2009-11-12 18:26 -------- d-----w- c:\program files\IrfanView

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-04 21:27 . 2009-10-31 13:48 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2009-12-04 20:40 . 2009-10-29 16:59 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-04 19:50 . 2009-09-17 01:12 -------- d-----w- c:\documents and settings\My PC\Application Data\Lavasoft
2009-12-03 03:47 . 2009-08-04 16:30 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-25 23:40 . 2009-09-15 22:44 -------- d-----w- c:\documents and settings\My PC\Application Data\LimeWire
2009-11-25 22:30 . 2005-09-06 20:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-25 16:00 . 2009-10-31 13:44 171552 ----a-w- c:\windows\system32\guard32.dll
2009-11-25 16:00 . 2009-10-31 13:44 133064 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-11-25 04:26 . 2009-10-01 03:03 -------- d-----w- c:\documents and settings\My PC\Application Data\Move Networks
2009-11-25 04:26 . 2009-10-01 03:03 127325 ----a-w- c:\documents and settings\My PC\Application Data\Move Networks\uninstall.exe
2009-11-25 04:26 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\My PC\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-11-24 05:29 . 2009-08-04 14:39 -------- d-----w- c:\program files\Opera
2009-11-19 12:35 . 2009-07-24 23:16 -------- d-----w- c:\program files\Wireless Desktop
2009-11-18 14:32 . 2009-10-31 13:44 87104 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-11-18 14:32 . 2009-10-31 13:44 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-11-10 16:20 . 2009-09-15 22:43 -------- d-----w- c:\program files\LimeWire
2009-11-06 12:40 . 2009-11-05 15:49 -------- d-----w- c:\program files\AOL 9.5
2009-11-05 15:52 . 2009-08-04 14:36 -------- d-----w- c:\documents and settings\My PC\Application Data\AOL
2009-11-05 15:51 . 2009-08-04 14:35 -------- d-----w- c:\program files\Common Files\aol
2009-11-05 15:50 . 2009-08-04 14:35 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-11-05 15:50 . 2009-08-04 14:35 -------- d-----w- c:\program files\Common Files\aolshare
2009-11-05 15:46 . 2009-11-05 15:46 43732816 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol_single\4337.155.1.1\setup.exe
2009-11-05 15:46 . 2009-11-05 15:46 42960 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol_single\4337.155.1.1\noneCodesignFilesBundle.exe
2009-11-05 15:46 . 2009-08-04 14:32 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-11-03 21:24 . 2005-09-06 20:53 -------- d-----w- c:\program files\Java
2009-11-03 21:22 . 2009-11-03 21:22 152576 ----a-w- c:\documents and settings\My PC\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-02 04:45 . 2009-11-02 03:54 -------- d-----w- c:\program files\CamStudio
2009-10-31 13:48 . 2009-10-31 13:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2009-10-31 13:44 . 2009-10-31 13:44 -------- d-----w- c:\program files\COMODO
2009-10-29 17:32 . 2009-10-29 17:32 -------- d-----w- c:\documents and settings\My PC\Application Data\FastStone
2009-10-29 17:01 . 2009-10-29 17:01 -------- d-----w- c:\documents and settings\All Users\Application Data\TechSmith
2009-10-29 17:01 . 2009-10-29 17:01 -------- d-----w- c:\program files\TechSmith
2009-10-26 23:48 . 2009-10-26 22:59 -------- d-----w- c:\program files\Common Files\PC Tools
2009-10-26 23:34 . 2009-10-26 17:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-26 23:34 . 2009-10-26 22:59 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-10-26 23:12 . 2009-10-26 23:12 -------- d-----w- c:\documents and settings\My PC\Application Data\PCToolsFirewallPlus
2009-10-26 23:12 . 2009-10-26 23:12 -------- d-----w- c:\documents and settings\My PC\Application Data\Spam Monitor
2009-10-22 23:04 . 2009-11-13 11:47 3579904 -c--a-w- c:\documents and settings\All Users\Application Data\{B10A9EE2-3B21-44A2-A778-D14E0C4BB591}\OFFLINE\59F37AFC\8917324D\BMP.exe
2009-10-11 10:17 . 2009-08-06 21:32 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-01 03:03 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\My PC\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-09-16 03:59 . 2009-11-13 11:47 1411584 -c--a-w- c:\documents and settings\All Users\Application Data\{B10A9EE2-3B21-44A2-A778-D14E0C4BB591}\OFFLINE\3D2919A7\32F7A4D1\AdjMmsEng.dll
2009-09-15 22:44 . 2009-09-15 22:44 98304 ----a-w- c:\documents and settings\My PC\Application Data\LimeWire\browser\xulrunner\smime3.dll
2009-09-11 14:18 . 2005-09-06 19:30 136192 ----a-w- c:\windows\system32\msv1_0.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-12-05_04.14.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-05 13:14 . 2009-12-05 13:14 16384 c:\windows\Temp\Perflib_Perfdata_7f4.dat
+ 2009-12-05 13:14 . 2009-12-05 13:14 16384 c:\windows\Temp\Perflib_Perfdata_750.dat
+ 2005-09-06 19:30 . 2009-12-05 04:44 78608 c:\windows\system32\perfc009.dat
- 2005-09-06 19:30 . 2009-11-03 03:08 78608 c:\windows\system32\perfc009.dat
+ 2005-09-06 19:30 . 2009-12-05 04:44 458954 c:\windows\system32\perfh009.dat
- 2005-09-06 19:30 . 2009-11-03 03:08 458954 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2009-01-30 1347584]
"RamBooster"="c:\program files\RamBooster 2.0\Rambooster.exe" [2005-11-17 561664]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"AOL Fast Start"="c:\program files\AOL 9.5\AOL.EXE" [2009-10-28 50536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"HostManager"="c:\program files\Common Files\AOL\1249396505\ee\AOLSoftware.exe" [2009-07-20 41264]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-11-18 1800464]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-21 00:42 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ATI CATALYST System Tray.lnk
backup=c:\windows\pss\ATI CATALYST System Tray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VAIO Action Setup (Server).lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VAIO Action Setup (Server).lnk
backup=c:\windows\pss\VAIO Action Setup (Server).lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PACSPTISVR"=3 (0x3)
"ose"=3 (0x3)
"WZCSVC"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\aol\\1249396505\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Opera\\opera.exe"=

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [10/31/2009 7:44 AM 133064]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [10/31/2009 7:44 AM 25160]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 5:47 AM 98304]
S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [10/4/2004 4:40 AM 118784]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMD
*Deregistered* - KLMD

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &AOL Toolbar Search - c:\documents and settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\My PC\Application Data\Mozilla\Firefox\Profiles\o8ql5spr.default\
FF - prefs.js: network.proxy.type - 2
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-05 21:23
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\VESWinlogon.dll

- - - - - - - > 'explorer.exe'(136)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-12-05 21:26
ComboFix-quarantined-files.txt 2009-12-06 03:26
ComboFix2.txt 2009-12-05 13:33
ComboFix3.txt 2009-12-05 04:18

Pre-Run: 178,760,904,704 bytes free
Post-Run: 178,748,182,528 bytes free

- - End Of File - - 021538A84671506AD19BBFD63432FD2F

#15 MsKatGreenbay

Member

Group: Members
Posts: 82
Joined: 03-December 09
Gender:Female
Location:PC HELL :-)

Posted 06 December 2009 - 01:02 AM

It appears the Gmer log is too large as well, so I will split the results into separate posts.

Log for Gmer, Part One.
.text C:\Documents and Settings\My PC\Desktop\zz1qnmx8.exe[1532] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 10001B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\My PC\Desktop\zz1qnmx8.exe[1532] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 10001D90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\My PC\Desktop\zz1qnmx8.exe[1532] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 10001AF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\My PC\Desktop\zz1qnmx8.exe[1532] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 10001AD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\My PC\Desktop\zz1qnmx8.exe[1532] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 10001D30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\My PC\Desktop\zz1qnmx8.exe[1532] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10001A70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\My PC\Desktop\zz1qnmx8.exe[1532] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10001A50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\My PC\Desktop\zz1qnmx8.exe[1532] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 10001A90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\My PC\Desktop\zz1qnmx8.exe[1532] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 10001D50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\My PC\Desktop\zz1qnmx8.exe[1532] kernel32.dll!GetModuleHandleA 7C80B741 5 Bytes JMP 10001CF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\My PC\Desktop\zz1qnmx8.exe[1532] kernel32.dll!GetModuleHandleW 7C80E4DD 5 Bytes JMP 10001D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\My PC\Desktop\zz1qnmx8.exe[1532] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\My PC\Desktop\zz1qnmx8.exe[1532] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10001C90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\My PC\Desktop\zz1qnmx8.exe[1532] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 10001C10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\My PC\Desktop\zz1qnmx8.exe[1532] kernel32.dll!OpenFile 7C821982 2 Bytes JMP 10001B10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\My PC\Desktop\zz1qnmx8.exe[1532] kernel32.dll!OpenFile + 3 7C821985 2 Bytes [7E, 93] {JLE 0xffffffffffffff95}
.text C:\Documents and Settings\My PC\Desktop\zz1qnmx8.exe[1532] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10001BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\My PC\Desktop\zz1qnmx8.exe[1532] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 10001B70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\My PC\Desktop\zz1qnmx8.exe[1532] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 10001B90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\My PC\Desktop\zz1qnmx8.exe[1532] kernel32.dll!DeleteFileA 7C831EDD 5 Bytes JMP 10001CB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\My PC\Desktop\zz1qnmx8.exe[1532] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001CD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\My PC\Desktop\zz1qnmx8.exe[1532] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001C50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\My PC\Desktop\zz1qnmx8.exe[1532] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 10001BF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\My PC\Desktop\zz1qnmx8.exe[1532] kernel32.dll!MoveFileWithProgressA 7C835EDE 5 Bytes JMP 10001C70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\My PC\Desktop\zz1qnmx8.exe[1532] kernel32.dll!MoveFileExA 7C85E49B 5 Bytes JMP 10001C30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\My PC\Desktop\zz1qnmx8.exe[1532] kernel32.dll!CopyFileExA