BleepingComputer.com: Google/Bing search results keep redirecting.

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

Google/Bing search results keep redirecting. I do not know how to correct this.

#1 User is offline   ktravers 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 7
  • Joined: 21-May 11

Posted 21 May 2011 - 05:02 PM

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Ken at 10:55:03 on 2011-05-21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2036.874 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Norton Online\Engine\2.1.0.23\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\tcpsvcs.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe
C:\Program Files\Norton Online\Engine\2.1.0.23\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\DAP\DAP.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Ken\Desktop\Defogger.exe
C:\Documents and Settings\Ken\Desktop\dds.scr
C:\WINDOWS\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
uWindow Title = Internet Explorer, optimized for Bing and MSN
uStart Page = hxxp://www.msn.com
uDefault_Page_URL = hxxp://www.msn.com
mDefault_Page_URL = hxxp://www.msn.com
mStart Page = hxxp://www.msn.com
uInternet Settings,ProxyOverride = localhost
uInternet Settings,ProxyServer = http=127.0.0.1:51636
mURLSearchHooks: H - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: BTjunkie Toolbar: {1a71246c-3eb0-4d6c-af77-3ab756017c3a} - c:\program files\btjunkie\prxtbBTju.dll
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\5.1.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\5.1.0.29\ips\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Norton Safety Minder: {b8e07826-0971-4f16-b133-047b88034e89} - c:\program files\norton online\addons\norton safety minder\engine\2.1.0.52\coIEPlg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Download Accelerator Plus Integration: {ff6c3cf0-4b15-11d1-abed-709549c10000} - c:\progra~1\dap\DAPIEL~1.DLL
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: BTjunkie Toolbar: {1a71246c-3eb0-4d6c-af77-3ab756017c3a} - c:\program files\btjunkie\prxtbBTju.dll
TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\5.1.0.29\coIEPlg.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [C-Media Mixer] Mixer.exe /startup
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Pzujelapelepi] rundll32.exe "c:\windows\opovisidubadi.dll",Startup
mPolicies-explorer: NoViewOnDrive = 0 (0x0)
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: &Download with &DAP - c:\program files\dap\dapextie.htm
IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683}
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: idvaultservices.com\ringo
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\dap\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\dap\dapie.dll
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
============= SERVICES / DRIVERS ===============
.
R0 04332822;04332822 Boot Guard Driver;c:\windows\system32\drivers\04332822.sys [2011-5-8 37392]
R0 FileLock;FileLock;c:\windows\system32\drivers\FileLock.sys [2005-1-1 35456]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0501000.01d\symds.sys [2011-5-17 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0501000.01d\symefa.sys [2011-5-17 744568]
R0 WAEMU;waemu;c:\windows\system32\drivers\waemu.sys [2011-3-3 91618]
R1 04332821;04332821;c:\windows\system32\drivers\04332821.sys [2011-5-8 128016]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\bashdefs\20110518.001\BHDrvx86.sys [2011-5-18 802936]
R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [2011-2-1 98160]
R1 SSHDRV65;SSHDRV65;c:\windows\system32\drivers\SSHDRV65.sys [2010-7-1 120320]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0501000.01d\ironx86.sys [2011-5-17 136312]
R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2010-7-5 10384]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\5.1.0.29\ccsvchst.exe [2011-5-17 130008]
R2 NOF;Norton Online;c:\program files\norton online\engine\2.1.0.23\ccSvcHst.exe [2011-5-16 126904]
R2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\drivers\ousbehci.sys [2010-6-13 45696]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-19 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\ipsdefs\20110518.001\IDSXpx86.sys [2011-5-18 341944]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20110520.036\NAVENG.SYS [2011-5-21 86008]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20110520.036\NAVEX15.SYS [2011-5-21 1542392]
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [2010-6-13 56960]
S1 MpKsl16ff5349;MpKsl16ff5349; [x]
S1 MpKsl2a4e80db;MpKsl2a4e80db; [x]
S1 MpKsl3748b157;MpKsl3748b157; [x]
S1 MpKsl7beac835;MpKsl7beac835; [x]
S1 MpKsl8309d0a9;MpKsl8309d0a9; [x]
S1 MpKsl9bad1fb8;MpKsl9bad1fb8; [x]
S1 MpKslbd2d0e7d;MpKslbd2d0e7d; [x]
S1 MpKsld5f1cdc9;MpKsld5f1cdc9;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{af526b2b-e4b3-4b8f-a7bb-3e55030598bd}\mpksld5f1cdc9.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{af526b2b-e4b3-4b8f-a7bb-3e55030598bd}\MpKsld5f1cdc9.sys [?]
S1 MpKslec6abf51;MpKslec6abf51; [x]
S1 MpKslf18d44fb;MpKslf18d44fb; [x]
S2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2010/06/13 22:18:59]; [x]
S3 adxapie;adxapie; [x]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-7-5 1691480]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\androidusb.sys [2009-11-4 24576]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 dsiarhwprog;dsiarhwprog;c:\windows\system32\drivers\dsiarhwprog.sys [2011-5-8 29184]
S3 kcusbser;Kyocera USB Device for Legacy Serial Communication;c:\windows\system32\drivers\kcusbser.sys [2009-11-3 105984]
S3 SYMRDR_{78CA3BF0-9C3B-40e1-B46D-38C877EF059A};Symantec Redirector - Norton Safety Minder;c:\windows\system32\drivers\nsm\0201000.034\symrdr.sys [2011-5-16 181296]
S3 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2010\TuneUpUtilitiesService32.exe [2010-9-30 1051968]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2010\TuneUpUtilitiesDriver32.sys [2010-2-25 10064]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-1-29 136176]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-1-29 136176]
S4 NAUpdate;@c:\program files\ahead\update\nasvc.exe,-200;c:\program files\ahead\update\NASvc.exe [2010-3-25 490280]
S4 nlsX86cc;Nalpeiron Licensing Service; [x]
S4 WinArchiver Service;WinArchiver Service;c:\program files\winarchiver virtual drive\WAService.exe [2011-3-3 196608]
.
=============== Created Last 30 ================
.
2011-05-21 15:18:32 388096 ----a-r- c:\documents and settings\ken\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-05-21 15:18:28 -------- d-----w- c:\program files\Trend Micro
2011-05-19 14:00:55 -------- d-----w- c:\documents and settings\all users\application data\Big Fish Games
2011-05-19 14:00:37 -------- d-----w- c:\program files\bfgclient
2011-05-19 13:59:59 -------- d-----w- c:\documents and settings\all users\application data\BigFishGamesCache
2011-05-19 12:47:41 -------- d-----w- c:\documents and settings\ken\local settings\application data\{8D45F8A1-B938-400D-8812-91CDD3702462}
2011-05-17 23:17:26 331384 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\symtdiv.sys
2011-05-17 23:17:25 369784 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\symtdi.sys
2011-05-17 23:17:25 296568 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\symnets.sys
2011-05-17 23:17:22 744568 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\symefa.sys
2011-05-17 23:17:21 50168 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\srtspx.sys
2011-05-17 23:17:21 340088 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\symds.sys
2011-05-17 23:17:19 516216 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\srtsp.sys
2011-05-17 23:17:19 136312 ----a-r- c:\windows\system32\drivers\n360\0501000.01d\ironx86.sys
2011-05-17 23:12:16 -------- d-----w- c:\windows\system32\drivers\n360\0501000.01D
2011-05-17 03:52:52 181296 ----a-r- c:\windows\system32\drivers\nsm\0201000.034\symrdr.sys
2011-05-17 03:52:40 -------- d-----w- c:\windows\system32\drivers\nsm\0201000.034
2011-05-17 03:52:40 -------- d-----w- c:\windows\system32\drivers\NSM
2011-05-17 03:52:21 -------- d-----w- c:\windows\system32\drivers\nof\0201000.017
2011-05-17 03:52:21 -------- d-----w- c:\windows\system32\drivers\NOF
2011-05-17 03:52:21 -------- d-----w- c:\program files\Norton Online
2011-05-17 03:25:40 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-17 02:44:07 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-05-17 02:44:07 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-05-17 02:44:07 -------- d-----w- c:\program files\Symantec
2011-05-17 02:44:07 -------- d-----w- c:\program files\common files\Symantec Shared
2011-05-17 02:44:04 -------- d-----w- c:\documents and settings\ken\local settings\application data\Secunia PSI
2011-05-17 02:42:37 -------- d-----w- c:\windows\system32\drivers\N360
2011-05-17 02:42:35 -------- d-----w- c:\program files\Norton Security Suite
2011-05-17 02:41:28 -------- d-----w- c:\program files\NortonInstaller
2011-05-17 02:16:29 -------- d-----w- c:\program files\Secunia
2011-05-15 01:22:24 -------- d-----w- c:\documents and settings\ken\ICDL Cache
2011-05-13 09:55:37 -------- d-----w- c:\program files\SPlayer
2011-05-11 00:12:15 -------- d-----w- c:\program files\WinArchiver Virtual Drive
2011-05-10 22:45:42 -------- d-----w- c:\program files\Rosetta Stone
2011-05-10 22:45:42 -------- d-----w- c:\documents and settings\all users\application data\Rosetta Stone
2011-05-09 09:39:40 39352 ----a-w- c:\windows\system32\drivers\CSVirtualDiskDrv.sys
2011-05-09 09:39:33 88632 ----a-w- c:\windows\system32\drivers\CSCrySec.sys
2011-05-09 09:35:15 -------- d-----w- c:\documents and settings\all users\application data\Kaspersky Lab
2011-05-09 08:09:23 -------- d-----w- c:\windows\ServicePackFiles
2011-05-09 03:52:36 37392 ----a-w- c:\windows\system32\drivers\04332822.sys
2011-05-09 03:52:29 128016 ----a-w- c:\windows\system32\drivers\04332821.sys
2011-05-08 15:43:24 29184 ----a-r- c:\windows\system32\drivers\dsiarhwprog.sys
2011-05-08 15:41:44 -------- d-----w- c:\program files\Datel
2011-05-07 15:04:16 -------- d-----w- c:\program files\Support Tools
2011-05-07 14:33:39 -------- d-----w- c:\windows\system32\FxsTmp
2011-05-07 14:33:30 18944 -c--a-w- c:\windows\system32\dllcache\simptcp.dll
2011-05-07 14:33:30 18944 ----a-w- c:\windows\system32\simptcp.dll
2011-05-07 14:33:30 -------- d-----w- c:\windows\system32\drivers\etc
2011-05-07 14:33:29 31744 -c--a-w- c:\windows\system32\dllcache\fxsroute.dll
2011-05-07 14:33:29 31744 ----a-w- c:\windows\system32\fxsroute.dll
2011-05-07 14:33:29 132608 -c--a-w- c:\windows\system32\dllcache\fxsclntr.dll
2011-05-07 14:33:29 132608 ----a-w- c:\windows\system32\fxsclntR.dll
2011-05-07 14:33:29 11264 -c--a-w- c:\windows\system32\dllcache\fxssend.exe
2011-05-07 14:33:29 11264 ----a-w- c:\windows\system32\fxssend.exe
2011-05-07 14:33:02 111104 -c--a-w- c:\windows\system32\dllcache\fxscfgwz.dll
2011-05-07 14:33:02 111104 ----a-w- c:\windows\system32\fxscfgwz.dll
2011-05-03 09:51:03 -------- d-----w- c:\program files\Valve
2011-05-02 22:28:19 -------- d-----w- c:\documents and settings\all users\application data\iG28614FpJkJ28614
2011-05-02 22:26:18 94208 ----a-w- c:\windows\DUMPb1a7.tmp
2011-05-02 05:25:29 -------- dc----w- C:\Microsoft
2011-05-02 04:34:50 -------- d-----w- c:\program files\GridinSoft Trojan Killer
2011-05-02 04:20:59 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-05-01 23:04:48 126976 --sha-r- c:\program files\common files\d3d89.dll
2011-05-01 14:58:16 -------- d-----w- c:\documents and settings\ken\local settings\application data\VS Revo Group
2011-05-01 10:59:41 -------- d-----w- c:\program files\Conduit
2011-05-01 10:59:33 -------- d-----w- c:\documents and settings\ken\local settings\application data\ConduitEngine
2011-05-01 10:59:32 -------- d-----w- c:\documents and settings\ken\local settings\application data\BTjunkie
2011-05-01 10:59:30 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-05-01 10:59:30 -------- d-----w- c:\program files\ConduitEngine
2011-05-01 10:59:15 -------- d-----w- c:\program files\BTjunkie
2011-05-01 10:21:28 18944 ----a-r- c:\documents and settings\ken\application data\microsoft\installer\{8f018a9e-56de-4a79-a5ef-25f413f1d538}\IconBB6A16301.exe
2011-05-01 10:20:59 -------- d-----w- c:\documents and settings\ken\application data\FinalMediaPlayer
2011-05-01 10:20:46 -------- d-----w- c:\program files\FinalMediaPlayer
2011-04-27 02:48:15 -------- dc----w- C:\Netgear
2011-04-24 13:41:52 -------- d-----w- c:\program files\common files\Macrovision Shared
2011-04-22 18:30:15 -------- d-----w- c:\documents and settings\ken\application data\Rovio
2011-04-22 18:29:55 -------- d-----w- c:\program files\Bejeweled 3
.
==================== Find3M ====================
.
2011-05-21 14:13:01 0 ----a-w- c:\windows\Dtayewohisi.bin
2011-05-19 20:15:36 0 ----a-w- c:\windows\FileLock.bin
2011-04-18 00:55:41 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2011-04-18 00:50:23 3584 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2011-04-17 21:50:46 312 ----a-w- c:\documents and settings\ken\stsf.bat
2011-04-17 16:36:15 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-04-17 16:36:15 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-04-10 18:16:31 356352 ----a-w- c:\windows\system32\mfuzi.exe
2011-03-28 17:46:40 98160 ----a-w- c:\windows\system32\drivers\idmtdi.sys
2011-03-20 04:00:36 7040 ----a-w- c:\windows\system32\drivers\tkfilter.sys
2011-03-09 05:10:50 253952 -c----w- c:\windows\Setup1.exe
2011-03-09 05:10:43 73216 -c--a-w- c:\windows\ST6UNST.EXE
2011-03-07 05:33:50 692736 -c--a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-04 02:11:48 91618 ----a-w- c:\windows\system32\drivers\waemu.sys
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 10:56:58.28 ===============

Attached File(s)

  • Attached File  attach.txt (17.65K)
    Number of downloads: 0
  • Attached File  Ark.txt (36.6K)
    Number of downloads: 2

#2 User is offline   SweetTech 

  • Agent ST
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 12,662
  • Joined: 15-March 09
  • Gender:Male
  • Location:Antarctica

Posted 23 May 2011 - 03:48 PM

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. :)

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.

  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.

  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!

  • If I instruct you to download a specific tool in which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.

  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do, is to make sure sure that your anti-virus definitions are up-to-date!

  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.

  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
    Because of this, you must reply within three days     failure to reply will result in the topic being closed!

  • Please do not PM me directly for help. If you have any questions, post them in this topic.

  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.


____________________________________________________

Rootkit UnHooker (RkU)
Please download Rootkit Unhooker from one of the following links and save it to your desktop.

In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracing ZIP and RAR compressed files. If you don't have an extraction program, you can downlaod, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth Code, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.

-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".



NEXT:


Running OTL

We need to create a FULL OTL Report
  • Please download OTL from here:

  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "SafeList"
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized


NEXT:


Please provide an update on how things are running in your next reply.
Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.

#3 User is offline   ktravers 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 7
  • Joined: 21-May 11

Posted 24 May 2011 - 09:05 PM

Thank You ST :)
Here is the RootKit Report:

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xA7914000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 6402048 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)
0x9F026000 C:\WINDOWS\system32\DRIVERS\04332821.sys 5373952 bytes (Kaspersky Lab, Kaspersky Unified Driver)
0xBF2E9000 C:\WINDOWS\System32\igxpdx32.DLL 3837952 bytes (Intel Corporation, DirectDraw® Driver for Intel® Graphics Technology)
0xBF059000 C:\WINDOWS\System32\igxpdv32.DLL 2686976 bytes (Intel Corporation, Component GHAL Driver)
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2265088 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2265088 bytes
0x804D7000 RAW 2265088 bytes
0x804D7000 WMIxWDM 2265088 bytes
0xB8A4E000 C:\WINDOWS\system32\drivers\cmudax3.sys 1875968 bytes (C-Media Inc, C-Media Audio WDM Driver)
0xBF800000 Win32k 1859584 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xB8CAF000 C:\WINDOWS\system32\DRIVERS\igxpmp32.sys 1732608 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0x9CD44000 C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\VirusDefs\20110524.018\NAVEX15.SYS 1536000 bytes (Symantec Corporation, AV Engine)
0xB893A000 C:\WINDOWS\system32\DRIVERS\btkrnl.sys 839680 bytes (Broadcom Corporation., Bluetooth Bus Enumerator)
0x9F546000 C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20110518.001\BHDrvx86.sys 819200 bytes (Symantec Corporation, BASH Driver)
0xF7B24000 SYMEFA.SYS 765952 bytes
0xBA773000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xA6747000 C:\WINDOWS\System32\Drivers\N360\0501000.01D\SRTSP.SYS 548864 bytes (Symantec Corporation, Symantec AutoProtect)
0xA662A000 C:\WINDOWS\system32\DRIVERS\Wdf01000.sys 503808 bytes (Microsoft Corporation, WDF Dynamic)
0x9F6A1000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0x9F62C000 C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 385024 bytes (Symantec Corporation, Symantec Eraser Control Driver)
0xB887F000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0x9F83C000 C:\WINDOWS\System32\Drivers\N360\0501000.01D\SYMTDI.SYS 364544 bytes (Symantec Corporation, Network Dispatch Driver)
0x9F895000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0x9F7BE000 C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20110518.001\IDSxpx86.sys 360448 bytes (Symantec Corporation, IDS Core Driver)
0x9DE30000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xF7449000 SYMDS.SYS 356352 bytes
0xA7F2F000 C:\WINDOWS\system32\drivers\btaudio.sys 323584 bytes (Broadcom Corporation., Bluetooth Audio Device)
0xBF692000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0x9E068000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0x9F75E000 C:\WINDOWS\system32\DRIVERS\tcpip6.sys 229376 bytes (Microsoft Corporation, IPv6 driver)
0xB8C3C000 C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys 225280 bytes (Realtek Semiconductor Corporation , Realtek 10/100/1000 NDIS 5.1 Driver )
0xBF024000 C:\WINDOWS\System32\igxpgd32.dll 217088 bytes (Intel Corporation, Intel Graphics 2D Driver)
0xF75A8000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xBA746000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0x9C6EA000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0x9F711000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB8C73000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0x9F796000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0x9F816000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xA66FD000 C:\WINDOWS\system32\Drivers\SYMEVENT.SYS 155648 bytes (Symantec Corporation, Symantec Event Library)
0xA6723000 C:\WINDOWS\system32\drivers\N360\0501000.01D\Ironx86.SYS 147456 bytes (Symantec Corporation, Iron Driver)
0xB8A2A000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB8C18000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB8A07000 C:\WINDOWS\system32\drivers\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0x9F73C000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x9F93A000 C:\WINDOWS\system32\drivers\SSHDRV65.sys 139264 bytes
0x80700000 ACPI_HAL 134400 bytes
0x80700000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF74A0000 fltMgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF74D8000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0x9F60E000 C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys 122880 bytes (Symantec Corporation, Symantec Eraser Utility Driver)
0xB88F5000 C:\WINDOWS\system32\DRIVERS\mcdbus.sys 118784 bytes (MagicISO, Inc., MagicISO SCSI Host Controller)
0xBA716000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0x9F901000 C:\WINDOWS\System32\Drivers\InCDfs.SYS 102400 bytes (Nero AG, InCD File System Driver)
0xF74C0000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0x9F00E000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xB88DD000 C:\WINDOWS\system32\DRIVERS\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0x9F68A000 C:\WINDOWS\system32\DRIVERS\idmtdi.sys 94208 bytes (Tonec Inc., Internet Download Manager TDI Driver)
0xF7420000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB8923000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xBA730000 waemu.sys 90112 bytes (WinArchiver Computing, Inc., WinArchiver Virtual Drive)
0x9D33C000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0x9CD30000 C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\VirusDefs\20110524.018\NAVENG.SYS 81920 bytes (Symantec Corporation, AV Engine)
0xB8C9B000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0x9F8EE000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xF740D000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xBF012000 C:\WINDOWS\System32\igxprd32.dll 73728 bytes (Intel Corporation, Intel Graphics 2D Rotation Driver)
0xF7437000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF7597000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB8912000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xA5F1A000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xB8F85000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA12D000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xBA13D000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xB8F75000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0x9DD08000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF76D7000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF76E7000 C:\WINDOWS\system32\DRIVERS\ousb2hub.sys 57344 bytes (OrangeWare Corporation, USB 2.0 Hub Driver)
0xF7667000 04332822.sys 53248 bytes (Kaspersky Lab, Kaspersky Lab Boot Guard Driver)
0xF7637000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA10D000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF7617000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF7567000 C:\WINDOWS\System32\Drivers\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
0xBA14D000 C:\WINDOWS\System32\Drivers\ousbehci.sys 49152 bytes (OrangeWare Corporation, USB 2.0 Enhanced Host Controller Driver)
0xBA0CD000 C:\WINDOWS\System32\Drivers\pcouffin.sys 49152 bytes (VSO Software, low level access layer for CD/DVD/BD devices)
0xBA0ED000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF7527000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF7537000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF7607000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xBA0FD000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF7577000 C:\WINDOWS\system32\drivers\N360\0501000.01D\SRTSPX.SYS 45056 bytes (Symantec Corporation, Symantec AutoProtect)
0xF75F7000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xB8F95000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF7657000 PxHelp20.sys 40960 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xF76B7000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF7627000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF7647000 FileLock.sys 36864 bytes (Gili Soft Inc., File Lock Kernel Modual)
0xF7557000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xBA11D000 C:\WINDOWS\SYSTEM32\DRIVERS\INTELPPM.SYS 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF7547000 C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys 36864 bytes (Microsoft Corporation, IPv6 Windows Firewall Driver)
0xBA0DD000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF7587000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0x9CA45000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xB8F05000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xB8E76000 C:\WINDOWS\System32\DRIVERS\InCDPass.sys 32768 bytes (Nero AG, Ahead RW Filter Driver)
0xB9F73000 C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys 32768 bytes (Logitech, Inc., Logitech HID Filter Driver.)
0xB9F6B000 C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys 32768 bytes (Logitech, Inc., Logitech Mouse Filter Driver.)
0xF7807000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF7747000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xF77D7000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF77E7000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xB9F83000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xB8E6E000 C:\WINDOWS\System32\Drivers\incdrm.SYS 28672 bytes (Nero AG, Ahead MRW Filter Driver)
0xF7707000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xB9F7B000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xB8E86000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xB9F8B000 C:\WINDOWS\System32\Drivers\LUsbFilt.Sys 24576 bytes (Logitech, Inc., Logitech USB Filter Driver.)
0xB8E7E000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF77CF000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF77C7000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xA5156000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF770F000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xB8E96000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xB8E8E000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF77EF000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF77DF000 C:\WINDOWS\system32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0xA14BD000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xBA612000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xBA5FE000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0x9EFCE000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xBA61E000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF7897000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xA16AE000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xBA596000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xA78C9000 C:\WINDOWS\System32\Drivers\InCDrec.SYS 12288 bytes (Nero AG, InCD File System Recognizer)
0xBA616000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xBA60E000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xBA622000 C:\WINDOWS\system32\DRIVERS\tunmp.sys 12288 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x9FFBC000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xA5EF8000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0x9FFBE000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7987000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0x9FFC2000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF799F000 C:\WINDOWS\system32\DRIVERS\moufiltr.sys 8192 bytes (Micro Innovations, Mouse Filter Driver)
0x9FFBA000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF79FB000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF798B000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7989000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7A9F000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xA3534000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xA00F2000 C:\WINDOWS\System32\Drivers\LBeepKE.sys 4096 bytes (Logitech, Inc., Logitech Consumer Control Filter Driver.)
0xF7AA7000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7A4F000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================
0x80562520 Faked ServiceTable-->services.exe [ ETHREAD 0x89559DA8 ] TID: 200
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x8941E5E0 ] TID: 208, 471160 bytes
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x89591DA8 ] TID: 224, 262147 bytes
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x8943C020 ] TID: 236, 4194368 bytes
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x89591020 ] TID: 240
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x89643020 ] TID: 244
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x89572B38 ] TID: 248
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8903F8C8 ] TID: 252
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x894BB020 ] TID: 256
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x895BD9D0 ] TID: 264, 8781826 bytes
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x895B0DA8 ] TID: 304
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x8956BDA8 ] TID: 312, 8781829 bytes
0x80562520 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x88825590 ] TID: 316
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x895BD020 ] TID: 324
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x88D40020 ] TID: 328
0x80562520 Faked ServiceTable-->services.exe [ ETHREAD 0x89571020 ] TID: 344
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x893CC020 ] TID: 432
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x892D7020 ] TID: 440
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x895A38D0 ] TID: 444
0x80562520 Faked ServiceTable-->alg.exe [ ETHREAD 0x89266020 ] TID: 464
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x89619DA8 ] TID: 472
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x8956DDA8 ] TID: 476
0x80562520 Faked ServiceTable-->services.exe [ ETHREAD 0x89617DA8 ] TID: 508
0x80562520 Faked ServiceTable-->services.exe [ ETHREAD 0x89561020 ] TID: 512
0x80562520 Faked ServiceTable-->services.exe [ ETHREAD 0x8960A768 ] TID: 536
0x80562520 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x88933DA8 ] TID: 548
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x88D549A8 ] TID: 552
0x80562520 Faked ServiceTable-->services.exe [ ETHREAD 0x89587020 ] TID: 560
0x80562520 Faked ServiceTable-->services.exe [ ETHREAD 0x89574DA8 ] TID: 568
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x890A7020 ] TID: 576
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89599DA8 ] TID: 592
0x80562520 Faked ServiceTable-->services.exe [ ETHREAD 0x8955D728 ] TID: 612
0x80562520 Faked ServiceTable-->alg.exe [ ETHREAD 0x894809A0 ] TID: 624
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x88830D80 ] TID: 628
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8ABA5020 ] TID: 632
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8ABA59D8 ] TID: 640
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8ABA5760 ] TID: 644
0x80562520 Faked ServiceTable-->services.exe [ ETHREAD 0x89541598 ] TID: 656
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x882E9020 ] TID: 672
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x892A39A8 ] TID: 704, 262147 bytes
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x892516A8 ] TID: 740, 2097245 bytes
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89550020 ] TID: 756, 5439575 bytes
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8957A020 ] TID: 760, 458777 bytes
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89535DA8 ] TID: 764
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8950E2E8 ] TID: 776, 3014770 bytes
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8952C9C8 ] TID: 784, 3014772 bytes
0x80562520 Faked ServiceTable-->services.exe [ ETHREAD 0x893EF020 ] TID: 788
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8949B020 ] TID: 832
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x894CADA8 ] TID: 836
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x8956C9E8 ] TID: 876
0x80562520 Faked ServiceTable-->smss.exe [ ETHREAD 0x8A942020 ] TID: 888
0x80562520 Faked ServiceTable-->smss.exe [ ETHREAD 0x8A767A78 ] TID: 892
0x80562520 Faked ServiceTable-->smss.exe [ ETHREAD 0x89E06020 ] TID: 896
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x894E2020 ] TID: 908
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x894E57A8 ] TID: 932
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x894F9DA8 ] TID: 952
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x887F3490 ] TID: 964
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89480DA8 ] TID: 968
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89393020 ] TID: 984
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x88847DA8 ] TID: 1012
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89274020 ] TID: 1016
0x80562520 Faked ServiceTable-->jqs.exe [ ETHREAD 0x89496020 ] TID: 1024
0x80562520 Faked ServiceTable-->jqs.exe [ ETHREAD 0x89492020 ] TID: 1032
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x894D3DA8 ] TID: 1044
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x893B6020 ] TID: 1048
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x894B18D8 ] TID: 1056
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x89443020 ] TID: 1064
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x894DA740 ] TID: 1076
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89178020 ] TID: 1080
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x895563C0 ] TID: 1112
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89532B58 ] TID: 1116
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x894E1B30 ] TID: 1120
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x893C2DA8 ] TID: 1148
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x8939ADA8 ] TID: 1156
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x893DB368 ] TID: 1160
0x80562520 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x8895F588 ] TID: 1164, 5046363 bytes
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x894DAB50 ] TID: 1168
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x894DD598 ] TID: 1180, 196611 bytes
0x80562520 Faked ServiceTable-->services.exe [ ETHREAD 0x894EBB40 ] TID: 1196
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x891CE020 ] TID: 1204
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x892C9020 ] TID: 1224
0x80562520 Faked ServiceTable-->jqs.exe [ ETHREAD 0x89433B38 ] TID: 1228, 7471204 bytes
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x894C6650 ] TID: 1232
0x80562520 Faked ServiceTable-->spoolsv.exe [ ETHREAD 0x89640020 ] TID: 1236, 813512 bytes
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x894C68C8 ] TID: 1240
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x88716020 ] TID: 1248, 7536761 bytes
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x893C0020 ] TID: 1252
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x893F7020 ] TID: 1256
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x893D5DA8 ] TID: 1260, 1296496 bytes
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x892429A0 ] TID: 1276
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89410020 ] TID: 1280
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x893C89A8 ] TID: 1292
0x80562520 Faked ServiceTable-->spoolsv.exe [ ETHREAD 0x894542E8 ] TID: 1304
0x80562520 Faked ServiceTable-->spoolsv.exe [ ETHREAD 0x8944B2E8 ] TID: 1308
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8941B9C0 ] TID: 1312
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x893D2A20 ] TID: 1316
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89439020 ] TID: 1320
0x80562520 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x88843DA8 ] TID: 1344
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89447020 ] TID: 1352
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x893D9DA8 ] TID: 1364
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x8941A020 ] TID: 1368
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x894C6DA8 ] TID: 1372
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x8929F9A0 ] TID: 1376
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x892D1598 ] TID: 1384
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x88F24328 ] TID: 1408
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x893D79A0 ] TID: 1412
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x894BFB38 ] TID: 1428
0x80562520 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x887DE590 ] TID: 1432
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x890EC728 ] TID: 1444
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x894D8DA8 ] TID: 1464
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x894EE020 ] TID: 1468
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x88911590 ] TID: 1472
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x891741C8 ] TID: 1488, 7602287 bytes
0x80562520 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x886F9818 ] TID: 1496
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x893F4DA8 ] TID: 1520
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x894009A0 ] TID: 1524
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x894E39C8 ] TID: 1540
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x894375F0 ] TID: 1552
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89670020 ] TID: 1560
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8901B628 ] TID: 1564
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x894C08C8 ] TID: 1576
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x8922B020 ] TID: 1580
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89585020 ] TID: 1588
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x894F9020 ] TID: 1592
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89531B38 ] TID: 1600
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x895ACDA8 ] TID: 1604
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89429020 ] TID: 1616
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x894959B0 ] TID: 1636
0x80562520 Faked ServiceTable-->explorer.exe [ ETHREAD 0x8804E7D0 ] TID: 1656, 3145776 bytes
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x891C1DA8 ] TID: 1664
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x893ED020 ] TID: 1668
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89514648 ] TID: 1676
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x8923F598 ] TID: 1684
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89423400 ] TID: 1688
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x895AB020 ] TID: 1696, 7274612 bytes
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x895AC020 ] TID: 1704
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89227B38 ] TID: 1712
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x8923B020 ] TID: 1724
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x8917CDA8 ] TID: 1728
0x80562520 Faked ServiceTable-->spoolsv.exe [ ETHREAD 0x89534020 ] TID: 1736
0x80562520 Faked ServiceTable-->spoolsv.exe [ ETHREAD 0x89526C90 ] TID: 1740
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x8949E020 ] TID: 1760
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89222598 ] TID: 1776
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x89519020 ] TID: 1780
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89412020 ] TID: 1788
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x8940D020 ] TID: 1812
0x80562520 Faked ServiceTable-->spoolsv.exe [ ETHREAD 0x89398580 ] TID: 1824
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x8920E748 ] TID: 1832
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x893C45F8 ] TID: 1844
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x88F63C70 ] TID: 1856
0x80562520 Faked ServiceTable-->csrss.exe [ ETHREAD 0x895BC8C0 ] TID: 1872, 6357102 bytes
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x893CD020 ] TID: 1880
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8949EB38 ] TID: 1888
0x80562520 Faked ServiceTable-->igfxtray.exe [ ETHREAD 0x88F63888 ] TID: 1896
0x80562520 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x88689D28 ] TID: 1900
0x80562520 Faked ServiceTable-->spoolsv.exe [ ETHREAD 0x88491020 ] TID: 1912
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x892DE020 ] TID: 1920
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x894F0020 ] TID: 1928
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89422730 ] TID: 1936
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x8941ADA8 ] TID: 1948
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x891C2020 ] TID: 1956
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x89153020 ] TID: 1960
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x893FA020 ] TID: 1984
0x80562520 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x88AE6020 ] TID: 1992
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x895B0020 ] TID: 2004
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89217DA8 ] TID: 2008
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x895B99E0 ] TID: 2012, 32 bytes
0x80562520 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x88AFF020 ] TID: 2020
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x894CD020 ] TID: 2024
0x80562520 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x88B53020 ] TID: 2032
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x89417020 ] TID: 2036
0x80562520 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x8882C7B8 ] TID: 2060
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x892E6020 ] TID: 2092
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x892EB9D0 ] TID: 2100
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x88972580 ] TID: 2116, 2097184 bytes
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x891B7420 ] TID: 2124
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8929C908 ] TID: 2128
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x892AE598 ] TID: 2132
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x89059020 ] TID: 2136
0x80562520 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x888A0580 ] TID: 2152
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x89102020 ] TID: 2172
0x80562520 Faked ServiceTable-->csrss.exe [ ETHREAD 0x8922A9B8 ] TID: 2184
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x8928A020 ] TID: 2200, 4784196 bytes
0x80562520 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x8804B020 ] TID: 2212
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x891BD020 ] TID: 2240
0x80562520 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x88B48020 ] TID: 2244
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x886BFCE8 ] TID: 2252
0x80562520 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x887AA590 ] TID: 2272
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x890FADA8 ] TID: 2288
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x88465D58 ] TID: 2296
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x8954F020 ] TID: 2304, 3145783 bytes
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x892C6020 ] TID: 2324
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x892EC020 ] TID: 2328
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x892CF020 ] TID: 2332
0x80562520 Faked ServiceTable-->services.exe [ ETHREAD 0x892B0B38 ] TID: 2336
0x80562520 Faked ServiceTable-->services.exe [ ETHREAD 0x892BCDA8 ] TID: 2340
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x890F3DA8 ] TID: 2344
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x88F30020 ] TID: 2368
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x892E7DA8 ] TID: 2372, 2949120 bytes
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x887C2530 ] TID: 2380
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x88F4B020 ] TID: 2392
0x80562520 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x889EADA8 ] TID: 2396
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x89208020 ] TID: 2416
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x89192020 ] TID: 2424
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x8919B020 ] TID: 2432
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x87FBAC98 ] TID: 2440
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x88EBC608 ] TID: 2444, 5963776 bytes
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x89193020 ] TID: 2456
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x8917D020 ] TID: 2468
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x89131020 ] TID: 2472
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89211020 ] TID: 2476
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89137658 ] TID: 2480
0x80562520 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x8924DB40 ] TID: 2484
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x8913E020 ] TID: 2496
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x891F9020 ] TID: 2500, 5832787 bytes
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89209020 ] TID: 2552
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x889A4D30 ] TID: 2576
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x890F0020 ] TID: 2620
0x80562520 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x8886A580 ] TID: 2628
0x80562520 Faked ServiceTable-->explorer.exe [ ETHREAD 0x889F6DA8 ] TID: 2636
0x80562520 Faked ServiceTable-->services.exe [ ETHREAD 0x892E7020 ] TID: 2644
0x80562520 Faked ServiceTable-->explorer.exe [ ETHREAD 0x88F7B020 ] TID: 2648
0x80562520 Faked ServiceTable-->explorer.exe [ ETHREAD 0x88F51DA8 ] TID: 2652, 7536751 bytes
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x88D67638 ] TID: 2688
0x80562520 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x887EE818 ] TID: 2700
0x80562520 Faked ServiceTable-->igfxsrvc.exe [ ETHREAD 0x890FB9C0 ] TID: 2752
0x80562520 Faked ServiceTable-->explorer.exe [ ETHREAD 0x88ED8020 ] TID: 2764
0x80562520 Faked ServiceTable-->igfxsrvc.exe [ ETHREAD 0x88135020 ] TID: 2768
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x8911A020 ] TID: 2788
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x892501C0 ] TID: 2792
0x80562520 Faked ServiceTable-->explorer.exe [ ETHREAD 0x88F269E8 ] TID: 2796, 4456532 bytes
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x88F255F0 ] TID: 2808
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x892A9398 ] TID: 2820
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x88304020 ] TID: 2824
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x884C1DA8 ] TID: 2852
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x88AE32E8 ] TID: 2864
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8915B020 ] TID: 2872
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x88E24820 ] TID: 2884, 3014755 bytes
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8901A020 ] TID: 2896
0x80562520 Faked ServiceTable-->explorer.exe [ ETHREAD 0x89023598 ] TID: 2916
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x890F3020 ] TID: 2928
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x88F65158 ] TID: 2940
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8858BDA8 ] TID: 2960
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x88F2A730 ] TID: 2968
0x80562520 Faked ServiceTable-->services.exe [ ETHREAD 0x87FEA878 ] TID: 2988
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x88BBB020 ] TID: 3004
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x88A2CDA8 ] TID: 3012
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x8922D8C8 ] TID: 3028
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x892BC6B8 ] TID: 3036
0x80562520 Faked ServiceTable-->explorer.exe [ ETHREAD 0x88F3A020 ] TID: 3040
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x892C8390 ] TID: 3048
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x88D65A08 ] TID: 3080
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x8913F288 ] TID: 3088
0x80562520 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x890E0A00 ] TID: 3108
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x88E58A68 ] TID: 3116, 6619182 bytes
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x892CD020 ] TID: 3128
0x80562520 Faked ServiceTable-->explorer.exe [ ETHREAD 0x88F29DA8 ] TID: 3152, 3145780 bytes
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8902FDA8 ] TID: 3156, 130 bytes
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x88FD1020 ] TID: 3164
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x89400020 ] TID: 3176
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x88F58730 ] TID: 3188, 20062064 bytes
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x88F69758 ] TID: 3196
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89287580 ] TID: 3200
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89291598 ] TID: 3204
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x8928EDA8 ] TID: 3208
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x8928EB30 ] TID: 3212
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x8928E8B8 ] TID: 3216
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x8928E640 ] TID: 3220
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x892C89E8 ] TID: 3224
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x89287020 ] TID: 3228
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89281580 ] TID: 3232
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8927FDA8 ] TID: 3236
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x892A08D0 ] TID: 3240
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x892B55F8 ] TID: 3244
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89296DA8 ] TID: 3248
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x892D5020 ] TID: 3252
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x88D4CDA8 ] TID: 3300
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89613020 ] TID: 3304
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x892AC020 ] TID: 3308
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89551020 ] TID: 3316
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x892D05D8 ] TID: 3332
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x892625D0 ] TID: 3336
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8922B9A0 ] TID: 3340
0x80562520 Faked ServiceTable-->alg.exe [ ETHREAD 0x892ED448 ] TID: 3344
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x87FBA510 ] TID: 3348
0x80562520 Faked ServiceTable-->alg.exe [ ETHREAD 0x8922BDA8 ] TID: 3372
0x80562520 Faked ServiceTable-->explorer.exe [ ETHREAD 0x8949D020 ] TID: 3392
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x8908A8A0 ] TID: 3440
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89074628 ] TID: 3468
0x80562520 Faked ServiceTable-->explorer.exe [ ETHREAD 0x8868D978 ] TID: 3492
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x88ADA430 ] TID: 3500
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x88B57020 ] TID: 3508
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x89283020 ] TID: 3528
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x88AF3020 ] TID: 3544
0x80562520 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x892499C8 ] TID: 3548
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x8928CDA8 ] TID: 3556
0x80562520 Faked ServiceTable-->iexplore.exe [ ETHREAD 0x88964590 ] TID: 3564
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x88F2B020 ] TID: 3572
0x80562520 Faked ServiceTable-->explorer.exe [ ETHREAD 0x8902E320 ] TID: 3588
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x89285DA8 ] TID: 3592
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x880B1020 ] TID: 3616
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89060DA8 ] TID: 3620
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x88965DA8 ] TID: 3644
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x892935C8 ] TID: 3648
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89265020 ] TID: 3656
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x8924E8F8 ] TID: 3660
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x891C3810 ] TID: 3672
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x892A69C8 ] TID: 3692
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x89281DA8 ] TID: 3728
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x890F4DA8 ] TID: 3732
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x89273B38 ] TID: 3748
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8922D020 ] TID: 3760
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89239DA8 ] TID: 3764
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x8925E020 ] TID: 3784
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x891059E8 ] TID: 3792
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x89237DA8 ] TID: 3828
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x89237B30 ] TID: 3832
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x88BBDDA8 ] TID: 3864
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x892DB9A0 ] TID: 3868
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x88827860 ] TID: 3876
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89157020 ] TID: 3880
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x88F709B0 ] TID: 3884
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x88F799C8 ] TID: 3888
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x892C4B98 ] TID: 3896
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x8928D020 ] TID: 3900
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89232DA8 ] TID: 3908
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x89293020 ] TID: 3920
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x88F78020 ] TID: 3928
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x88F4A020 ] TID: 3936
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x8922A020 ] TID: 3944
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x89288020 ] TID: 3976
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x884698A8 ] TID: 3984
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x89248020 ] TID: 3988
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x892AA020 ] TID: 3992
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x89277020 ] TID: 4000
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x892D8020 ] TID: 4004
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x892A6020 ] TID: 4008
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x89242020 ] TID: 4012
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x892EE2E8 ] TID: 4016
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x89229020 ] TID: 4020
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x89279020 ] TID: 4024
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x89232020 ] TID: 4028
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x892B2020 ] TID: 4032
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x89278020 ] TID: 4036
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x8925F020 ] TID: 4040
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x8927DDA8 ] TID: 4044
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x8927DB30 ] TID: 4048
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x89274DA8 ] TID: 4052
0x80562520 Faked ServiceTable-->ccSvcHst.exe [ ETHREAD 0x89265DA8 ] TID: 4060
0x80562520 Faked ServiceTable-->ccsvchst.exe [ ETHREAD 0x8925E330 ] TID: 4068
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8916C020 ] TID: 4076
WARNING: Virus alike driver modification [ndistapi.sys]
WARNING: Virus alike driver modification [bthpan.sys]
WARNING: Virus alike driver modification [sffp_mmc.sys]
WARNING: Virus alike driver modification [LBeepKE.sys]
WARNING: Virus alike driver modification [dxapi.sys]
WARNING: Virus alike driver modification [mup.sys]
WARNING: Virus alike driver modification [gameenum.sys]
WARNING: Virus alike driver modification [sffp_sd.sys]
WARNING: Virus alike driver modification [irenum.sys]
WARNING: Virus alike driver modification [sfloppy.sys]
WARNING: Virus alike driver modification [acpiec.sys]
WARNING: Virus alike driver modification [mcdbus.sys]
WARNING: Virus alike driver modification [cpqdap01.sys]
WARNING: Virus alike driver modification [sffdisk.sys]
WARNING: Virus alike driver modification [pcmcia.sys]
WARNING: Virus alike driver modification [nikedrv.sys]
WARNING: Virus alike driver modification [rio8drv.sys]
WARNING: Virus alike driver modification [riodrv.sys]
WARNING: Virus alike driver modification [ws2ifsl.sys]
WARNING: Virus alike driver modification [SSHDRV65.sys]
WARNING: Virus alike driver modification [tdpipe.sys]
WARNING: Virus alike driver modification [fsvga.sys]
WARNING: Virus alike driver modification [mouhid.sys]
WARNING: Virus alike driver modification [tunmp.sys]
WARNING: Virus alike driver modification [nwlnkflt.sys]
WARNING: Virus alike driver modification [ftdisk.sys]
WARNING: Virus alike driver modification [usb8023.sys]
WARNING: Virus alike driver modification [fltMgr.sys]
WARNING: Virus alike driver modification [afd.sys]
WARNING: Virus alike driver modification [cbidf2k.sys]
WARNING: Virus alike driver modification [Monfilt.sys]
WARNING: Virus alike driver modification [rdpwd.sys]
WARNING: Virus alike driver modification [LCCFLTR.SYS]
WARNING: Virus alike driver modification [ks.sys]
WARNING: Virus alike driver modification [diskdump.sys]
WARNING: Virus alike driver modification [asyncmac.sys]
WARNING: Virus alike driver modification [fastfat.sys]
WARNING: Virus alike driver modification [usbport.sys]
WARNING: Virus alike driver modification [hdaudbus.sys]
WARNING: Virus alike driver modification [kbdhid.sys]
WARNING: Virus alike driver modification [ndisuio.sys]
WARNING: Virus alike driver modification [smclib.sys]
WARNING: Virus alike driver modification [portcls.sys]
WARNING: Virus alike driver modification [tape.sys]
WARNING: Virus alike driver modification [usbscan.sys]
WARNING: Virus alike driver modification [ipnat.sys]
WARNING: Virus alike driver modification [dmio.sys]
WARNING: Virus alike driver modification [mssmbios.sys]
WARNING: Virus alike driver modification [serenum.sys]
WARNING: Virus alike driver modification [usbintel.sys]
WARNING: Virus alike driver modification [netbt.sys]
WARNING: Virus alike driver modification [HPZipr12.sys]
WARNING: Virus alike driver modification [raspti.sys]
WARNING: Virus alike driver modification [Ambfilt.sys]
WARNING: Virus alike driver modification [BthEnum.sys]
WARNING: Virus alike driver modification [usbohci.sys]
WARNING: Virus alike driver modification [kmixer.sys]
WARNING: Virus alike driver modification [igxpmp32.sys]
WARNING: Virus alike driver modification [rdbss.sys]
WARNING: Virus alike driver modification [ptilink.sys]
WARNING: Virus alike driver modification [mrxdav.sys]
WARNING: Virus alike driver modification [ndis.sys]
WARNING: Virus alike driver modification [cdaudio.sys]
WARNING: Virus alike driver modification [cmudax3.sys]
WARNING: Virus alike driver modification [acpi.sys]
WARNING: Virus alike driver modification [BTHUSB.SYS]
WARNING: Virus alike driver modification [msfs.sys]
WARNING: Virus alike driver modification [tdi.sys]
WARNING: Virus alike driver modification [rdpdr.sys]
WARNING: Virus alike driver modification [partmgr.sys]
WARNING: Virus alike driver modification [rmcast.sys]
WARNING: Virus alike driver modification [flpydisk.sys]
WARNING: Virus alike driver modification [secdrv.sys]
WARNING: Virus alike driver modification [usbuhci.sys]
WARNING: Virus alike driver modification [ipinip.sys]
WARNING: Virus alike driver modification [vga.sys]
WARNING: Virus alike driver modification [tsbvcap.sys]
WARNING: Virus alike driver modification [HPZius12.sys]
WARNING: Virus alike driver modification [tdtcp.sys]
WARNING: Virus alike driver modification [tcpip6.sys]
WARNING: Virus alike driver modification [mouclass.sys]
WARNING: Virus alike driver modification [Rtenicxp.sys]
WARNING: Virus alike driver modification [kbdclass.sys]
WARNING: Virus alike driver modification [pciidex.sys]
WARNING: Virus alike driver modification [sonydcam.sys]
WARNING: Virus alike driver modification [LHidFlt2.Sys]
WARNING: Virus alike driver modification [usbcamd.sys]
WARNING: Virus alike driver modification [usbcamd2.sys]
WARNING: Virus alike driver modification [usbprint.sys]
WARNING: Virus alike driver modification [cinemst2.sys]
WARNING: Virus alike driver modification [usbstor.sys]
WARNING: Virus alike driver modification [http.sys]
WARNING: Virus alike driver modification [bthport.sys]
WARNING: Virus alike driver modification [fdc.sys]
WARNING: Virus alike driver modification [InCDrm.sys]
WARNING: Virus alike driver modification [LUsbFilt.sys]
WARNING: Virus alike driver modification [InCDpass.sys]
WARNING: Virus alike driver modification [modem.sys]
WARNING: Virus alike driver modification [usbehci.sys]
WARNING: Virus alike driver modification [rndismp.sys]
WARNING: Virus alike driver modification [npfs.sys]
WARNING: Virus alike driver modification [atmepvc.sys]
WARNING: Virus alike driver modification [usbccgp.sys]
WARNING: Virus alike driver modification [wdfldr.sys]
WARNING: Virus alike driver modification [nwlnkfwd.sys]
WARNING: Virus alike driver modification [ipfltdrv.sys]
WARNING: Virus alike driver modification [rawwan.sys]
WARNING: Virus alike driver modification [wanarp.sys]
WARNING: Virus alike driver modification [netbios.sys]
WARNING: Virus alike driver modification [msgpc.sys]
WARNING: Virus alike driver modification [atmuni.sys]
WARNING: Virus alike driver modification [FileLock.sys]
WARNING: Virus alike driver modification [LHidFilt.Sys]
WARNING: Virus alike driver modification [srv.sys]
WARNING: Virus alike driver modification [processr.sys]
WARNING: Virus alike driver modification [tcpip.sys]
WARNING: Virus alike driver modification [disk.sys]
WARNING: Virus alike driver modification [INTELPPM.SYS]
WARNING: Virus alike driver modification [zxkyjchq.sys]
WARNING: Virus alike driver modification [ip6fw.sys]
WARNING: Virus alike driver modification [btcusb.sys]
WARNING: Virus alike driver modification [crusoe.sys]
WARNING: Virus alike driver modification [isapnp.sys]
WARNING: Virus alike driver modification [amdk6.sys]
WARNING: Virus alike driver modification [LMouFilt.Sys]
WARNING: Virus alike driver modification [cmaudio.sys]
WARNING: Virus alike driver modification [amdk7.sys]
WARNING: Virus alike driver modification [LHidUsb.sys]
WARNING: Virus alike driver modification [update.sys]
WARNING: Virus alike driver modification [wpdusb.sys]
WARNING: Virus alike driver modification [winusb.sys]
WARNING: Virus alike driver modification [nmnt.sys]
WARNING: Virus alike driver modification [termdd.sys]
WARNING: Virus alike driver modification [ndproxy.sys]
WARNING: Virus alike driver modification [alcxwdm.sys]
WARNING: Virus alike driver modification [raspppoe.sys]
WARNING: Virus alike driver modification [imapi.sys]
WARNING: Virus alike driver modification [beep.sys]
WARNING: Virus alike driver modification [mnmdd.sys]
WARNING: Virus alike driver modification [rdpcdd.sys]
WARNING: Virus alike driver modification [mountmgr.sys]
WARNING: Virus alike driver modification [p3.sys]
WARNING: Virus alike driver modification [swenum.sys]
WARNING: Virus alike driver modification [wmilib.sys]
WARNING: Virus alike driver modification [fips.sys]
WARNING: Virus alike driver modification [PxHelp20.sys]
WARNING: Virus alike driver modification [ousbehci.sys]
WARNING: Virus alike driver modification [usbd.sys]
WARNING: Virus alike driver modification [pcouffin.sys]
WARNING: Virus alike driver modification [btwhid.sys]
WARNING: Virus alike driver modification [raspptp.sys]
WARNING: Virus alike driver modification [wdf01000.sys]
WARNING: Virus alike driver modification [stream.sys]
WARNING: Virus alike driver modification [classpnp.sys]
WARNING: Virus alike driver modification [MSPQM.sys]
WARNING: Virus alike driver modification [HPZid412.sys]
WARNING: Virus alike driver modification [rasl2tp.sys]
WARNING: Virus alike driver modification [L8042PR2.SYS]
WARNING: Virus alike driver modification [tosdvd.sys]
WARNING: Virus alike driver modification [volsnap.sys]
WARNING: Virus alike driver modification [DMusic.sys]
WARNING: Virus alike driver modification [MSPCLOCK.sys]
WARNING: Virus alike driver modification [fssfltr_tdi.sys]
WARNING: Virus alike driver modification [atmlane.sys]
WARNING: Virus alike driver modification [nwlnkspx.sys]
WARNING: Virus alike driver modification [swmidi.sys]
WARNING: Virus alike driver modification [ousb2hub.sys]
WARNING: Virus alike driver modification [ntfs.sys]
WARNING: Virus alike driver modification [redbook.sys]
WARNING: Virus alike driver modification [vdmindvd.sys]
WARNING: Virus alike driver modification [dmload.sys]
WARNING: Virus alike driver modification [rootmdm.sys]
WARNING: Virus alike driver modification [rfcomm.sys]
WARNING: Virus alike driver modification [usbhub.sys]
WARNING: Virus alike driver modification [atmarpc.sys]
WARNING: Virus alike driver modification [drmk.sys]
WARNING: Virus alike driver modification [arp1394.sys]
WARNING: Virus alike driver modification [sysaudio.sys]
WARNING: Virus alike driver modification [RtkHDAud.sys]
WARNING: Virus alike driver modification [nic1394.sys]
WARNING: Virus alike driver modification [splitter.sys]
WARNING: Virus alike driver modification [cdrom.sys]
WARNING: Virus alike driver modification [nwlnknb.sys]
WARNING: Virus alike driver modification [cdfs.sys]
WARNING: Virus alike driver modification [mf.sys]
WARNING: Virus alike driver modification [serial.sys]
WARNING: Virus alike driver modification [udfs.sys]
WARNING: Virus alike driver modification [btwusb.sys]
WARNING: Virus alike driver modification [moufiltr.sys]
WARNING: Virus alike driver modification [parvdm.sys]
WARNING: Virus alike driver modification [pci.sys]
WARNING: Virus alike driver modification [psched.sys]
WARNING: Virus alike driver modification [LMouFlt2.Sys]
WARNING: Virus alike driver modification [bridge.sys]
WARNING: Virus alike driver modification [sr.sys]
WARNING: Virus alike driver modification [ipsec.sys]
WARNING: Virus alike driver modification [MSKSSRV.sys]
WARNING: Virus alike driver modification [WudfPf.sys]
WARNING: Virus alike driver modification [mcd.sys]
WARNING: Virus alike driver modification [sdbus.sys]
WARNING: Virus alike driver modification [fs_rec.sys]
WARNING: Virus alike driver modification [dmboot.sys]
WARNING: Virus alike driver modification [parport.sys]
WARNING: Virus alike driver modification [videoprt.sys]
WARNING: Virus alike driver modification [WudfRd.sys]
WARNING: Virus alike driver modification [wdmaud.sys]
WARNING: Virus alike driver modification [InCDrec.sys]
WARNING: Virus alike driver modification [rasacd.sys]
WARNING: Virus alike driver modification [nwlnkipx.sys]
WARNING: Virus alike driver modification [cdr4_xp.sys]
WARNING: Virus alike driver modification [ndiswan.sys]
WARNING: Virus alike driver modification [cdralw2k.sys]
WARNING: Virus alike driver modification [ksecdd.sys]
WARNING: Virus alike driver modification [n558.sys]
WARNING: Virus alike driver modification [scsiport.sys]
WARNING: Virus alike driver modification [atapi.sys]
WARNING: Virus alike driver modification [InCDfs.sys]


!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)


And now the OTL Report:
OTL logfile created on: 5/24/2011 8:36:32 PM - Run 1
OTL by OldTimer - Version 3.2.23.0 Folder = C:\Documents and Settings\Ken\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.33 Gb Available Physical Memory | 67.15% Memory free
7.80 Gb Paging File | 7.35 Gb Available in Paging File | 94.28% Paging File free
Paging file location(s): [Binary data over 100 bytes]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 27.95 Gb Total Space | 3.73 Gb Free Space | 13.36% Space Free | Partition Type: NTFS
Drive I: | 74.50 Gb Total Space | 0.14 Gb Free Space | 0.18% Space Free | Partition Type: NTFS
Drive J: | 74.50 Gb Total Space | 74.42 Gb Free Space | 99.88% Space Free | Partition Type: NTFS
Drive K: | 74.50 Gb Total Space | 71.26 Gb Free Space | 95.64% Space Free | Partition Type: NTFS
Drive L: | 195.31 Gb Total Space | 133.59 Gb Free Space | 68.40% Space Free | Partition Type: NTFS
Drive M: | 195.31 Gb Total Space | 48.94 Gb Free Space | 25.06% Space Free | Partition Type: NTFS
Drive N: | 195.31 Gb Total Space | 99.84 Gb Free Space | 51.12% Space Free | Partition Type: NTFS
Drive O: | 74.57 Gb Total Space | 73.71 Gb Free Space | 98.84% Space Free | Partition Type: NTFS
Drive P: | 345.58 Gb Total Space | 232.66 Gb Free Space | 67.32% Space Free | Partition Type: NTFS

Computer Name: KEN-D62DA1F4861 | User Name: Ken | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/24 20:25:49 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ken\Desktop\OTL.exe
PRC - [2011/04/16 19:45:11 | 000,130,008 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccsvchst.exe
PRC - [2010/07/23 01:05:56 | 000,126,904 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Online\Engine\2.1.0.23\ccSvcHst.exe
PRC - [2008/04/14 07:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2011/05/24 20:25:49 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ken\Desktop\OTL.exe
MOD - [2011/04/28 19:29:01 | 000,413,112 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Security Suite\Engine\5.1.0.29\asoehook.dll
MOD - [2011/01/11 10:59:44 | 000,653,136 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_0517bbc6\msvcr90.dll
MOD - [2011/01/11 10:59:44 | 000,569,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_0517bbc6\msvcp90.dll
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2008/04/14 07:00:00 | 000,370,176 | ---- | M] () -- C:\WINDOWS\opovisidubadi.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (nlsX86cc)
SRV - [2011/04/24 08:41:55 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2011/04/16 19:45:11 | 000,130,008 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe -- (N360)
SRV - [2011/03/03 21:15:08 | 000,196,608 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\WinArchiver Virtual Drive\WAService.exe -- (WinArchiver Service)
SRV - [2011/01/14 06:58:29 | 000,435,008 | ---- | M] (TuneUp Software) [On_Demand | Stopped] -- C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe -- (TuneUp.Defrag)
SRV - [2010/09/30 10:12:34 | 001,051,968 | ---- | M] (TuneUp Software) [On_Demand | Stopped] -- C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe -- (TuneUp.UtilitiesSvc)
SRV - [2010/09/30 10:09:20 | 000,030,016 | ---- | M] (TuneUp Software) [On_Demand | Stopped] -- C:\WINDOWS\system32\uxtuneup.dll -- (UxTuneUp)
SRV - [2010/07/23 01:05:56 | 000,126,904 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Norton Online\Engine\2.1.0.23\ccSvcHst.exe -- (NOF)
SRV - [2010/03/25 14:39:22 | 000,490,280 | ---- | M] (Nero AG) [Disabled | Stopped] -- c:\Program Files\Ahead\Update\NASvc.exe -- (NAUpdate)
SRV - [2009/09/23 13:38:18 | 000,935,208 | ---- | M] (Nero AG) [Disabled | Stopped] -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe -- (Nero BackItUp Scheduler 4.0)
SRV - [2009/07/20 12:28:10 | 000,121,360 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2008/04/14 07:00:00 | 000,105,472 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\p2pgasvc.dll -- (p2pgasvc)
SRV - [2008/04/14 07:00:00 | 000,035,328 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\iprip.dll -- (Iprip)
SRV - [2005/01/27 19:16:58 | 000,856,064 | ---- | M] (Nero AG) [Disabled | Stopped] -- C:\Program Files\Ahead\InCD\InCDsrv.exe -- (InCDsrvR) InCD Helper (read only)
SRV - [2005/01/27 19:16:58 | 000,856,064 | ---- | M] (Nero AG) [Disabled | Stopped] -- C:\Program Files\Ahead\InCD\InCDsrv.exe -- (InCDsrv)


========== Driver Services (SafeList) ==========

DRV - [2011/05/17 19:23:44 | 001,542,392 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\VirusDefs\20110524.018\NAVEX15.SYS -- (NAVEX15)
DRV - [2011/05/17 19:23:44 | 000,086,008 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\VirusDefs\20110524.018\NAVENG.SYS -- (NAVENG)
DRV - [2011/05/17 18:17:33 | 000,126,584 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2011/05/16 21:57:50 | 000,374,392 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2011/05/16 21:57:50 | 000,105,592 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2011/04/30 01:44:12 | 000,802,936 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20110518.001\BHDrvx86.sys -- (BHDrvx86)
DRV - [2011/03/30 22:00:09 | 000,516,216 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\N360\0501000.01D\SRTSP.SYS -- (SRTSP)
DRV - [2011/03/30 22:00:09 | 000,050,168 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\0501000.01D\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2011/03/28 12:46:40 | 000,098,160 | ---- | M] (Tonec Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\idmtdi.sys -- (IDMTDI)
DRV - [2011/03/21 19:39:49 | 000,369,784 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\N360\0501000.01D\SYMTDI.SYS -- (SYMTDI)
DRV - [2011/03/19 23:00:36 | 000,007,040 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tkfilter.sys -- (KMW_USB)
DRV - [2011/03/14 21:31:23 | 000,744,568 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\N360\0501000.01D\SYMEFA.SYS -- (SymEFA)
DRV - [2011/03/14 13:58:34 | 000,341,944 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20110518.001\IDSXpx86.sys -- (IDSxpx86)
DRV - [2011/03/03 21:11:48 | 000,091,618 | ---- | M] (WinArchiver Computing, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\Drivers\waemu.sys -- (WAEMU)
DRV - [2011/01/29 15:27:37 | 001,872,192 | ---- | M] (C-Media Inc) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\cmudax3.sys -- (cmuda3)
DRV - [2011/01/29 12:35:44 | 000,056,960 | ---- | M] (OrangeWare Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ousb2hub.sys -- (ousb2hub)
DRV - [2011/01/29 12:35:44 | 000,045,696 | ---- | M] (OrangeWare Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ousbehci.sys -- (ousbehci)
DRV - [2011/01/29 12:35:12 | 000,036,616 | ---- | M] (IVT Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btcusb.sys -- (Btcsrusb)
DRV - [2011/01/27 01:47:10 | 000,340,088 | ---- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\N360\0501000.01D\SYMDS.SYS -- (SymDS)
DRV - [2010/11/15 20:45:33 | 000,136,312 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\0501000.01D\Ironx86.SYS -- (SymIRON)
DRV - [2010/09/14 19:00:32 | 006,143,592 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2010/07/12 20:20:31 | 000,181,296 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NSM\0201000.034\SymRdr.SYS -- (SYMRDR_{78CA3BF0-9C3B-40e1-B46D-38C877EF059A})
DRV - [2010/07/06 04:13:10 | 000,234,392 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2010/07/01 22:35:57 | 000,120,320 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SSHDRV65.sys -- (SSHDRV65)
DRV - [2010/02/25 11:18:08 | 000,010,064 | ---- | M] (TuneUp Software) [Kernel | On_Demand | Stopped] -- C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys -- (TuneUpUtilitiesDrv)
DRV - [2010/02/11 07:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
DRV - [2009/12/18 10:58:52 | 000,011,336 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\SystemRequirementsLab\cpudrv.sys -- (cpudrv)
DRV - [2009/11/18 08:17:00 | 001,395,800 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Monfilt.sys -- (Monfilt)
DRV - [2009/11/18 08:16:00 | 001,691,480 | ---- | M] (Creative) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Ambfilt.sys -- (Ambfilt)
DRV - [2009/11/04 09:54:00 | 000,024,576 | ---- | M] (Kyocera Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\androidusb.sys -- (androidusb)
DRV - [2009/11/03 16:50:00 | 000,105,984 | ---- | M] (Kyocera Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\kcusbser.sys -- (kcusbser)
DRV - [2009/10/22 13:54:18 | 000,037,392 | ---- | M] (Kaspersky Lab) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\04332822.sys -- (04332822)
DRV - [2009/09/25 17:59:42 | 000,128,016 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\04332821.sys -- (04332821)
DRV - [2009/06/17 11:56:32 | 000,028,560 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LUsbFilt.sys -- (LUsbFilt)
DRV - [2009/06/17 11:56:16 | 000,037,392 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2009/06/17 11:56:06 | 000,035,472 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2009/06/17 11:55:34 | 000,010,384 | ---- | M] (Logitech, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\LBeepKE.sys -- (LBeepKE)
DRV - [2009/02/24 19:42:14 | 000,116,736 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mcdbus.sys -- (mcdbus)
DRV - [2008/04/14 02:15:30 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2007/08/15 08:27:18 | 000,009,600 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\n558.sys -- (n558)
DRV - [2007/02/08 08:45:14 | 000,029,184 | R--- | M] (Thesycon GmbH, Germany) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\dsiarhwprog.sys -- (dsiarhwprog)
DRV - [2006/09/06 06:12:34 | 000,006,784 | ---- | M] (Micro Innovations) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\moufiltr.sys -- (moufiltr)
DRV - [2006/06/07 22:06:58 | 000,329,901 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)
DRV - [2006/06/07 16:33:34 | 000,855,018 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2006/06/07 16:29:10 | 000,030,459 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)
DRV - [2006/06/07 16:28:20 | 000,149,028 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwdndis.sys -- (BTWDNDIS)
DRV - [2006/06/07 16:26:52 | 000,067,384 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2006/06/07 16:23:20 | 000,047,811 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwhid.sys -- (btwhid)
DRV - [2005/01/27 19:08:02 | 000,099,200 | ---- | M] (Nero AG) [File_System | Disabled | Running] -- C:\WINDOWS\System32\drivers\InCDfs.sys -- (InCDfs)
DRV - [2005/01/27 19:07:34 | 000,028,928 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDpass.sys -- (InCDPass)
DRV - [2005/01/27 12:07:28 | 000,027,776 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\InCDrm.sys -- (incdrm)
DRV - [2005/01/01 08:46:43 | 000,035,456 | ---- | M] (Gili Soft Inc.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\FileLock.sys -- (FileLock)
DRV - [2003/11/07 04:50:00 | 000,070,798 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LMouFlt2.Sys -- (LMouFlt2)
DRV - [2003/11/07 04:50:00 | 000,037,884 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LHidUsb.sys -- (LHidUsb)
DRV - [2003/11/07 04:50:00 | 000,025,502 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LHidFlt2.Sys -- (LHidFlt2)
DRV - [2002/11/18 16:51:40 | 000,377,358 | ---- | M] (C-Media Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\cmaudio.sys -- (cmpci) C-Media PCI Audio Driver (WDM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\.DEFAULT\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1343024091-117609710-1801674531-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
IE - HKU\S-1-5-21-1343024091-117609710-1801674531-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-1343024091-117609710-1801674531-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
IE - HKU\S-1-5-21-1343024091-117609710-1801674531-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1343024091-117609710-1801674531-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost
IE - HKU\S-1-5-21-1343024091-117609710-1801674531-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:51636

FF - HKLM\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/06/29 20:26:39 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{8D45F8A1-B938-400D-8812-91CDD3702462}: C:\Documents and Settings\Ken\Local Settings\Application Data\{8D45F8A1-B938-400D-8812-91CDD3702462} [2011/05/19 07:47:41 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\IPSFFPlgn\ [2011/05/18 17:19:34 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\coFFPlgn\ [2011/05/17 18:12:16 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{6D5C8FC4-DE46-41bf-9092-93F0F78E9115}: C:\Documents and Settings\All Users\Application Data\Norton\{78CA3BF0-9C3B-40e1-B46D-38C877EF059A}\NSM_2.1.0.52\coFFFw\ [2011/05/16 22:55:02 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{815DD103-198D-47BE-9792-97A4426672C8}: C:\Documents and Settings\Damian\Local Settings\Application Data\{815DD103-198D-47BE-9792-97A4426672C8} [2011/05/19 08:33:48 | 000,000,000 | ---D | M]


Hosts file not found
O2 - BHO: (BTjunkie Toolbar) - {1a71246c-3eb0-4d6c-af77-3ab756017c3a} - C:\Program Files\BTjunkie\prxtbBTju.dll (Conduit Ltd.)
O2 - BHO: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll (Conduit Ltd.)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\5.1.0.29\coieplg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ips\ipsbho.dll (Symantec Corporation)
O2 - BHO: (Norton Safety Minder) - {B8E07826-0971-4f16-B133-047B88034E89} - C:\Program Files\Norton Online\AddOns\Norton Safety Minder\Engine\2.1.0.52\CoIEPlg.dll (Symantec Corporation)
O2 - BHO: (Download Accelerator Plus Integration) - {FF6C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\DAP\dapieloader.dll (SpeedBit Ltd.)
O3 - HKLM\..\Toolbar: (BTjunkie Toolbar) - {1a71246c-3eb0-4d6c-af77-3ab756017c3a} - C:\Program Files\BTjunkie\prxtbBTju.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\5.1.0.29\coieplg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No CLSID value found.
O3 - HKU\S-1-5-21-1343024091-117609710-1801674531-1004\..\Toolbar\WebBrowser: (BTjunkie Toolbar) - {1A71246C-3EB0-4D6C-AF77-3AB756017C3A} - C:\Program Files\BTjunkie\prxtbBTju.dll (Conduit Ltd.)
O3 - HKU\S-1-5-21-1343024091-117609710-1801674531-1004\..\Toolbar\WebBrowser: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll (Conduit Ltd.)
O3 - HKU\S-1-5-21-1343024091-117609710-1801674531-1004\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\5.1.0.29\coieplg.dll (Symantec Corporation)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech, Inc.)
O4 - HKLM..\Run: [Pzujelapelepi] C:\WINDOWS\opovisidubadi.dll ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoViewOnDrive = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 28
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1343024091-117609710-1801674531-1004\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-1343024091-117609710-1801674531-1004\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-21-1343024091-117609710-1801674531-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1343024091-117609710-1801674531-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 06 80 FA 03 [binary data]
O7 - HKU\S-1-5-21-1343024091-117609710-1801674531-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\S-1-5-21-1343024091-117609710-1801674531-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67043347
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm ()
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm ()
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - Reg Error: Value error. File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - Reg Error: Value error. File not found
O15 - HKU\S-1-5-19\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\S-1-5-19\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\S-1-5-19\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\S-1-5-19\..Trusted Domains: sony.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-1343024091-117609710-1801674531-1004\..Trusted Domains: idvaultservices.com ([ringo] https in Local intranet)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.85.102 68.87.69.150
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKU\S-1-5-21-1343024091-117609710-1801674531-1004 Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll - c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Ken\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Ken\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/05/24 20:25:46 | 000,580,096 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Ken\Desktop\OTL.exe
[2011/05/24 05:51:07 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Ken\Recent
[2011/05/22 09:19:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Groove Games
[2011/05/22 09:18:55 | 000,000,000 | ---D | C] -- C:\Day of the Zombie
[2011/05/22 09:18:39 | 000,000,000 | ---D | C] -- C:\Program Files\Day of the Zombie
[2011/05/21 10:55:04 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Videos
[2011/05/21 10:55:04 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Ken\My Documents\My Pictures
[2011/05/21 10:18:28 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/05/21 10:18:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ken\Start Menu\Programs\HiJackThis
[2011/05/19 09:00:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Big Fish Games
[2011/05/19 09:00:37 | 000,000,000 | ---D | C] -- C:\Program Files\bfgclient
[2011/05/19 08:59:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
[2011/05/19 07:47:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ken\Local Settings\Application Data\{8D45F8A1-B938-400D-8812-91CDD3702462}
[2011/05/17 18:17:26 | 000,331,384 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0501000.01D\symtdiv.sys
[2011/05/17 18:17:25 | 000,369,784 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0501000.01D\symtdi.sys
[2011/05/17 18:17:25 | 000,296,568 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0501000.01D\symnets.sys
[2011/05/17 18:17:22 | 000,744,568 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0501000.01D\symefa.sys
[2011/05/17 18:17:21 | 000,340,088 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0501000.01D\symds.sys
[2011/05/17 18:17:21 | 000,050,168 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0501000.01D\srtspx.sys
[2011/05/17 18:17:19 | 000,516,216 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0501000.01D\srtsp.sys
[2011/05/17 18:17:19 | 000,136,312 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0501000.01D\ironx86.sys
[2011/05/17 18:12:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\N360\0501000.01D
[2011/05/16 22:52:52 | 000,181,296 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NSM\0201000.034\symrdr.sys
[2011/05/16 22:52:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NSM
[2011/05/16 22:52:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NSM\0201000.034
[2011/05/16 22:52:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Norton Safety Minder
[2011/05/16 22:52:21 | 000,000,000 | ---D | C] -- C:\Program Files\Norton Online
[2011/05/16 22:52:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NOF
[2011/05/16 22:52:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NOF\0201000.017
[2011/05/16 22:30:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/05/16 22:25:40 | 000,404,640 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/05/16 21:44:07 | 000,126,584 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2011/05/16 21:44:07 | 000,060,872 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2011/05/16 21:44:07 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared
[2011/05/16 21:44:07 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec
[2011/05/16 21:44:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ken\Local Settings\Application Data\Secunia PSI
[2011/05/16 21:42:37 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\N360
[2011/05/16 21:42:35 | 000,000,000 | ---D | C] -- C:\Program Files\Norton Security Suite
[2011/05/16 21:42:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Norton Security Suite
[2011/05/16 21:41:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ken\My Documents\Symantec
[2011/05/16 21:41:28 | 000,000,000 | ---D | C] -- C:\Program Files\NortonInstaller
[2011/05/16 21:16:29 | 000,000,000 | ---D | C] -- C:\Program Files\Secunia
[2011/05/16 21:14:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\Norton
[2011/05/16 19:54:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ken\Start Menu\Programs\SPlayer
[2011/05/16 19:49:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\WinArchiver Virtual Drive
[2011/05/16 18:38:44 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2011/05/14 20:22:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ken\ICDL Cache
[2011/05/13 04:55:37 | 000,000,000 | ---D | C] -- C:\Program Files\SPlayer
[2011/05/10 19:12:15 | 000,000,000 | ---D | C] -- C:\Program Files\WinArchiver Virtual Drive
[2011/05/10 17:45:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Rosetta Stone
[2011/05/09 19:38:03 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Ken\My Documents\Passwords Database
[2011/05/09 04:39:40 | 000,039,352 | ---- | C] (Infowatch) -- C:\WINDOWS\System32\drivers\CSVirtualDiskDrv.sys
[2011/05/09 04:39:33 | 000,088,632 | ---- | C] (Infowatch) -- C:\WINDOWS\System32\drivers\CSCrySec.sys
[2011/05/09 04:35:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
[2011/05/09 03:09:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\ServicePackFiles
[2011/05/08 22:52:36 | 000,037,392 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\04332822.sys
[2011/05/08 22:52:29 | 000,128,016 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\04332821.sys
[2011/05/08 10:43:24 | 000,029,184 | R--- | C] (Thesycon GmbH, Germany) -- C:\WINDOWS\System32\drivers\dsiarhwprog.sys
[2011/05/08 10:41:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Action Replay DSi Code Manager
[2011/05/08 10:41:44 | 000,000,000 | ---D | C] -- C:\Program Files\Datel
[2011/05/07 11:11:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2011/05/07 10:04:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Support Tools
[2011/05/07 10:04:16 | 000,000,000 | ---D | C] -- C:\Program Files\Support Tools
[2011/05/07 09:33:39 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\FxsTmp
[2011/05/07 09:33:30 | 000,018,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\simptcp.dll
[2011/05/07 09:33:30 | 000,018,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\simptcp.dll
[2011/05/07 09:33:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\etc
[2011/05/07 09:33:29 | 000,132,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fxsclntR.dll
[2011/05/07 09:33:29 | 000,132,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fxsclntr.dll
[2011/05/07 09:33:29 | 000,031,744 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fxsroute.dll
[2011/05/07 09:33:29 | 000,031,744 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fxsroute.dll
[2011/05/07 09:33:29 | 000,011,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fxssend.exe
[2011/05/07 09:33:29 | 000,011,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fxssend.exe
[2011/05/07 09:33:02 | 000,111,104 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fxscfgwz.dll
[2011/05/07 09:33:02 | 000,111,104 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fxscfgwz.dll
[2011/05/07 09:32:23 | 000,022,528 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\lpdsvc.dll
[2011/05/07 09:32:23 | 000,022,528 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lpdsvc.dll
[2011/05/07 09:32:23 | 000,018,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\lprmon.dll
[2011/05/07 09:32:23 | 000,018,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lprmon.dll
[2011/05/07 09:32:22 | 000,400,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fxsxp32.dll
[2011/05/07 09:32:22 | 000,400,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fxsxp32.dll
[2011/05/07 09:32:22 | 000,397,312 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fxstiff.dll
[2011/05/07 09:32:22 | 000,397,312 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fxstiff.dll
[2011/05/07 09:32:22 | 000,246,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fxst30.dll
[2011/05/07 09:32:22 | 000,246,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fxst30.dll
[2011/05/07 09:32:22 | 000,192,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fxswzrd.dll
[2011/05/07 09:32:22 | 000,192,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fxswzrd.dll
[2011/05/07 09:32:22 | 000,154,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fxsui.dll
[2011/05/07 09:32:22 | 000,154,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fxsui.dll
[2011/05/07 09:32:22 | 000,035,328 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\iprip.dll
[2011/05/07 09:32:22 | 000,035,328 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iprip.dll
[2011/05/07 09:32:21 | 000,562,176 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fxsst.dll
[2011/05/07 09:32:21 | 000,562,176 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fxsst.dll
[2011/05/07 09:32:21 | 000,285,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fxscomex.dll
[2011/05/07 09:32:21 | 000,285,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fxscomex.dll
[2011/05/07 09:32:21 | 000,267,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fxssvc.exe
[2011/05/07 09:32:21 | 000,229,888 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fxscover.exe
[2011/05/07 09:32:21 | 000,229,888 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fxscover.exe
[2011/05/07 09:32:21 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fxsclnt.exe
[2011/05/07 09:32:21 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fxsclnt.exe
[2011/05/07 09:32:21 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fxsevent.dll
[2011/05/07 09:32:21 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fxsevent.dll
[2011/05/07 09:32:21 | 000,026,624 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fxsdrv.dll
[2011/05/07 09:32:21 | 000,026,624 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fxsdrv.dll
[2011/05/07 09:32:21 | 000,023,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fxsmon.dll
[2011/05/07 09:32:21 | 000,023,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fxsmon.dll
[2011/05/07 09:32:21 | 000,023,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fxsext32.dll
[2011/05/07 09:32:21 | 000,023,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fxsext32.dll
[2011/05/07 09:32:21 | 000,008,704 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fxsperf.dll
[2011/05/07 09:32:21 | 000,008,704 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fxsperf.dll
[2011/05/07 09:32:21 | 000,006,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fxsres.dll
[2011/05/07 09:32:21 | 000,006,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fxsres.dll
[2011/05/07 09:32:20 | 000,072,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fxscom.dll
[2011/05/07 09:32:20 | 000,072,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fxscom.dll
[2011/05/07 09:32:18 | 000,451,584 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fxsapi.dll
[2011/05/07 09:32:18 | 000,451,584 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fxsapi.dll
[2011/05/03 04:51:03 | 000,000,000 | ---D | C] -- C:\Program Files\Valve
[2011/05/02 17:28:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\iG28614FpJkJ28614
[2011/05/02 00:25:29 | 000,000,000 | ---D | C] -- C:\Microsoft
[2011/05/01 23:34:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\GridinSoft
[2011/05/01 23:34:50 | 000,000,000 | ---D | C] -- C:\Program Files\GridinSoft Trojan Killer
[2011/05/01 23:20:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/05/01 21:57:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\TEMP
[2011/05/01 10:02:01 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup (Disabled by Starter)
[2011/05/01 09:58:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ken\Local Settings\Application Data\VS Revo Group
[2011/05/01 05:59:41 | 000,000,000 | ---D | C] -- C:\Program Files\Conduit
[2011/05/01 05:59:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ken\Local Settings\Application Data\ConduitEngine
[2011/05/01 05:59:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ken\Local Settings\Application Data\BTjunkie
[2011/05/01 05:59:30 | 000,000,000 | ---D | C] -- C:\Program Files\ConduitEngine
[2011/05/01 05:59:15 | 000,000,000 | ---D | C] -- C:\Program Files\BTjunkie
[2011/05/01 05:20:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ken\Application Data\FinalMediaPlayer
[2011/05/01 05:20:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\FinalMediaPlayer
[2011/05/01 05:20:46 | 000,000,000 | ---D | C] -- C:\Program Files\FinalMediaPlayer
[2011/04/26 21:48:15 | 000,000,000 | ---D | C] -- C:\Netgear
[2010/06/21 22:23:16 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Ken\Application Data\pcouffin.sys
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/05/24 20:42:10 | 000,115,980 | ---- | M] () -- C:\Documents and Settings\Ken\Desktop\Rootkit Report
[2011/05/24 20:25:49 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ken\Desktop\OTL.exe
[2011/05/24 20:22:21 | 000,133,632 | ---- | M] () -- C:\Documents and Settings\Ken\Desktop\RKUnhookerLE.EXE
[2011/05/24 20:14:01 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/05/24 20:13:00 | 000,000,252 | -H-- | M] () -- C:\WINDOWS\tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job
[2011/05/24 20:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At21.job
[2011/05/24 19:58:00 | 000,000,274 | -H-- | M] () -- C:\WINDOWS\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
[2011/05/24 19:05:20 | 000,000,382 | ---- | M] () -- C:\WINDOWS\tasks\Final Media Player Update Checker.job
[2011/05/24 19:03:21 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Lkazo.dat
[2011/05/24 19:02:19 | 000,000,274 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1343024091-117609710-1801674531-1004.job
[2011/05/24 19:02:18 | 000,000,876 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/05/24 19:02:08 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\RegistryBooster.job
[2011/05/24 19:00:09 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At20.job
[2011/05/24 18:59:13 | 000,013,746 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/05/24 18:59:12 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/05/24 05:46:07 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Dtayewohisi.bin
[2011/05/24 05:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At6.job
[2011/05/24 04:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At5.job
[2011/05/24 03:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2011/05/24 02:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2011/05/24 01:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2011/05/24 00:35:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2011/05/23 23:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At24.job
[2011/05/23 22:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At23.job
[2011/05/23 21:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At22.job
[2011/05/23 18:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At19.job
[2011/05/22 17:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At18.job
[2011/05/22 16:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At17.job
[2011/05/22 15:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At16.job
[2011/05/22 14:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At15.job
[2011/05/22 13:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At14.job
[2011/05/22 12:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At13.job
[2011/05/22 11:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At12.job
[2011/05/22 10:00:01 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At11.job
[2011/05/22 09:19:51 | 000,001,353 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Play DOTZ.lnk
[2011/05/22 09:13:31 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2011/05/22 09:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At10.job
[2011/05/22 08:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At9.job
[2011/05/22 07:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At8.job
[2011/05/22 06:00:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\At7.job
[2011/05/21 23:46:43 | 000,000,174 | ---- | M] () -- C:\Documents and Settings\Ken\Application Data\default.rss
[2011/05/21 10:53:26 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Ken\defogger_reenable
[2011/05/21 01:07:00 | 000,000,282 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1343024091-117609710-1801674531-1004.job
[2011/05/19 20:11:18 | 000,000,306 | ---- | M] () -- C:\Documents and Settings\Ken\Desktop\Web Settings.url
[2011/05/19 15:15:36 | 000,000,000 | ---- | M] () -- C:\WINDOWS\FileLock.bin
[2011/05/18 17:16:26 | 000,618,240 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0501000.01D\Cat.DB
[2011/05/17 21:00:23 | 000,003,395 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\btjunkie - the largest bittorrent search engine.url
[2011/05/17 18:17:33 | 000,126,584 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2011/05/17 18:17:33 | 000,060,872 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2011/05/17 18:17:33 | 000,007,468 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2011/05/17 18:17:33 | 000,000,806 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2011/05/16 22:34:39 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/05/16 20:57:25 | 000,000,254 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\Watch Movies Online for Free Streaming Full Length Feature Films XFINITY TV.url
[2011/05/15 09:15:25 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2011/05/13 20:47:24 | 000,000,563 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\Hotmail.url
[2011/05/13 05:00:52 | 000,218,112 | ---- | M] () -- C:\Documents and Settings\Ken\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/05/13 04:55:53 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\Ken\Application Data\Microsoft\Internet Explorer\Quick Launch\SPlayer(Home Theater).lnk
[2011/05/13 04:55:53 | 000,000,684 | ---- | M] () -- C:\Documents and Settings\Ken\Application Data\Microsoft\Internet Explorer\Quick Launch\SPlayer.lnk
[2011/05/10 18:21:05 | 000,000,172 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0501000.01D\isolate.ini
[2011/05/07 10:00:16 | 000,566,522 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/05/07 10:00:16 | 000,112,874 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/05/07 09:52:11 | 000,001,891 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/05/07 09:33:31 | 000,000,535 | ---- | M] () -- C:\WINDOWS\System32\mapisvc.inf
[2011/05/05 04:37:50 | 001,250,358 | ---- | M] () -- C:\WINDOWS\ACD Wallpaper.bmp
[2011/05/04 21:16:10 | 000,000,260 | ---- | M] () -- C:\Documents and Settings\Ken\Desktop\Oceanet Login.url
[2011/05/03 21:54:59 | 000,014,087 | ---- | M] () -- C:\Documents and Settings\Ken\Application Data\CE6A.651
[2011/05/02 17:33:53 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/05/02 00:19:45 | 000,000,004 | ---- | M] () -- C:\Documents and Settings\Ken\Application Data\avdrn.dat
[2011/05/01 23:07:33 | 000,000,046 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2011/05/01 05:20:51 | 000,000,796 | ---- | M] () -- C:\Documents and Settings\Ken\Application Data\Microsoft\Internet Explorer\Quick Launch\FinalMediaPlayer.lnk
[2011/04/30 07:18:13 | 000,000,226 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\Oceaneering.url
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/05/24 20:35:09 | 000,115,980 | ---- | C] () -- C:\Documents and Settings\Ken\Desktop\Rootkit Report
[2011/05/24 20:22:21 | 000,133,632 | ---- | C] () -- C:\Documents and Settings\Ken\Desktop\RKUnhookerLE.EXE
[2011/05/22 09:19:50 | 000,001,353 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Play DOTZ.lnk
[2011/05/21 10:53:26 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Ken\defogger_reenable
[2011/05/19 20:11:18 | 000,000,306 | ---- | C] () -- C:\Documents and Settings\Ken\Desktop\Web Settings.url
[2011/05/19 09:01:09 | 000,001,584 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Game Manager.lnk
[2011/05/19 09:01:09 | 000,001,184 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\More Great Games.lnk
[2011/05/18 17:15:39 | 000,618,240 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0501000.01D\Cat.DB
[2011/05/17 18:17:25 | 000,007,877 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0501000.01D\symnetv.cat
[2011/05/17 18:17:25 | 000,001,474 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0501000.01D\symnetv.inf
[2011/05/17 18:17:24 | 000,007,458 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0501000.01D\symnet.cat
[2011/05/17 18:17:24 | 000,001,446 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0501000.01D\symnet.inf
[2011/05/17 18:17:22 | 000,007,456 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0501000.01D\symefa.cat
[2011/05/17 18:17:22 | 000,003,373 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0501000.01D\symefa.inf
[2011/05/17 18:17:21 | 000,007,454 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0501000.01D\srtspx.cat
[2011/05/17 18:17:21 | 000,002,792 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0501000.01D\symds.inf
[2011/05/17 18:17:21 | 000,001,389 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0501000.01D\srtspx.inf
[2011/05/17 18:17:19 | 000,007,528 | R--- | C] () -- C:\WINDOWS\System32\drivers\N360\0501000.01D\iron.cat
[2011/05/17 18:17:19 | 000,007,450 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0501000.01D\srtsp.cat
[2011/05/17 18:17:19 | 000,001,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0501000.01D\srtsp.inf
[2011/05/17 18:17:19 | 000,000,742 | R--- | C] () -- C:\WINDOWS\System32\drivers\N360\0501000.01D\iron.inf
[2011/05/17 18:12:35 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0501000.01D\symds.cat
[2011/05/17 18:12:16 | 000,000,172 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0501000.01D\isolate.ini
[2011/05/16 22:52:42 | 000,001,486 | R--- | C] () -- C:\WINDOWS\System32\drivers\NSM\0201000.034\SymRdr.inf
[2011/05/16 22:52:40 | 000,007,879 | R--- | C] () -- C:\WINDOWS\System32\drivers\NSM\0201000.034\symrdr.cat
[2011/05/16 22:52:21 | 000,000,172 | ---- | C] () -- C:\WINDOWS\System32\drivers\NOF\0201000.017\isolate.ini
[2011/05/16 21:44:07 | 000,007,468 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2011/05/16 21:44:07 | 000,000,806 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2011/05/13 04:55:53 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\Ken\Application Data\Microsoft\Internet Explorer\Quick Launch\SPlayer(Home Theater).lnk
[2011/05/13 04:55:53 | 000,000,684 | ---- | C] () -- C:\Documents and Settings\Ken\Application Data\Microsoft\Internet Explorer\Quick Launch\SPlayer.lnk
[2011/05/08 17:16:49 | 000,000,254 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\Watch Movies Online for Free Streaming Full Length Feature Films XFINITY TV.url
[2011/05/07 21:44:41 | 000,000,563 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\Hotmail.url
[2011/05/07 09:33:31 | 000,000,535 | ---- | C] () -- C:\WINDOWS\System32\mapisvc.inf
[2011/05/07 09:33:30 | 000,001,540 | ---- | C] () -- C:\WINDOWS\System32\drivers\etc\quotes
[2011/05/07 09:33:29 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2011/05/07 09:33:29 | 000,001,361 | ---- | C] () -- C:\WINDOWS\System32\fxscount.h
[2011/05/02 17:27:41 | 000,000,012 | ---- | C] () -- C:\Documents and Settings\LocalService\Application Data\htjzka.dat
[2011/05/02 01:04:32 | 000,014,087 | ---- | C] () -- C:\Documents and Settings\Ken\Application Data\CE6A.651
[2011/05/02 00:19:45 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\Ken\Application Data\avdrn.dat
[2011/05/01 23:07:33 | 000,000,046 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2011/05/01 05:21:06 | 000,000,382 | ---- | C] () -- C:\WINDOWS\tasks\Final Media Player Update Checker.job
[2011/05/01 05:20:51 | 000,000,796 | ---- | C] () -- C:\Documents and Settings\Ken\Application Data\Microsoft\Internet Explorer\Quick Launch\FinalMediaPlayer.lnk
[2011/04/10 13:16:31 | 000,356,352 | ---- | C] () -- C:\WINDOWS\System32\mfuzi.exe
[2011/04/10 13:16:26 | 000,000,231 | ---- | C] () -- C:\WINDOWS\System32\winset.ini
[2011/04/10 09:09:26 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Lkazo.dat
[2011/04/10 09:09:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Dtayewohisi.bin
[2011/03/30 04:33:17 | 000,000,024 | -H-- | C] () -- C:\WINDOWS\msbgctb.ini
[2011/03/30 04:33:17 | 000,000,024 | -H-- | C] () -- C:\WINDOWS\msbgcta.ini
[2011/03/09 00:30:26 | 000,179,240 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/03/05 21:46:04 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2011/03/03 19:42:51 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Ken\Local Settings\Application Data\housecall.guid.cache
[2011/02/26 22:19:49 | 000,000,244 | ---- | C] () -- C:\WINDOWS\ka.ini
[2011/02/13 11:15:52 | 000,000,000 | ---- | C] () -- C:\WINDOWS\FileLock.bin
[2011/02/02 03:07:56 | 000,000,039 | ---- | C] () -- C:\WINDOWS\ImageViewer.INI
[2011/01/29 12:56:11 | 000,007,040 | ---- | C] () -- C:\WINDOWS\System32\drivers\tkfilter.sys
[2011/01/22 12:52:53 | 000,000,160 | ---- | C] () -- C:\WINDOWS\MyDrivers.ini
[2011/01/14 23:02:44 | 000,000,058 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2010/12/26 20:10:26 | 000,081,920 | ---- | C] () -- C:\Documents and Settings\Ken\Application Data\ezpinst.exe
[2010/12/26 12:43:23 | 000,001,057 | ---- | C] () -- C:\Documents and Settings\Ken\Application Data\vso_ts_preview.xml
[2010/12/11 20:28:44 | 000,000,072 | ---- | C] () -- C:\WINDOWS\MediaManager.INI
[2010/11/21 21:40:48 | 000,000,014 | ---- | C] () -- C:\WINDOWS\System32\systeminfo3.dll
[2010/11/21 12:06:13 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll
[2010/10/31 04:38:36 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2010/10/30 08:34:36 | 000,000,056 | ---- | C] () -- C:\WINDOWS\WDIRECT.INI
[2010/10/30 08:34:36 | 000,000,005 | ---- | C] () -- C:\WINDOWS\System32\wdirnop.com
[2010/10/30 08:34:28 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PROTOCOL.INI
[2010/10/30 08:34:25 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\SVGA32.DLL
[2010/10/30 08:34:25 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\WDIR32.DLL
[2010/10/30 08:34:25 | 000,042,084 | ---- | C] () -- C:\WINDOWS\System32\WDIR16.DLL
[2010/10/30 08:34:25 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\PMPRO32.DLL
[2010/10/30 08:34:25 | 000,018,892 | ---- | C] () -- C:\WINDOWS\System32\PMPRO16.DLL
[2010/09/01 04:37:57 | 000,000,042 | ---- | C] () -- C:\WINDOWS\AlchemyMindworksUpdateList.INI
[2010/09/01 04:37:11 | 000,212,992 | ---- | C] () -- C:\WINDOWS\ALCHUNIN.EXE
[2010/08/14 18:29:20 | 000,218,112 | ---- | C] () -- C:\Documents and Settings\Ken\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/07/16 18:40:03 | 000,000,716 | ---- | C] () -- C:\WINDOWS\eReg.dat
[2010/07/05 22:06:02 | 000,081,920 | R--- | C] () -- C:\WINDOWS\bwUnin-6.1.4.61-8876480L.exe
[2010/07/05 08:43:10 | 000,000,025 | ---- | C] () -- C:\WINDOWS\mixerdef.ini
[2010/07/03 12:26:27 | 000,093,526 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2010/07/01 22:35:56 | 000,120,320 | ---- | C] () -- C:\WINDOWS\System32\drivers\SSHDRV65.sys
[2010/07/01 18:16:39 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2010/07/01 18:16:21 | 000,000,009 | ---- | C] () -- C:\WINDOWS\sierra.ini
[2010/06/29 21:20:35 | 000,161,078 | ---- | C] () -- C:\WINDOWS\hphins17.dat
[2010/06/29 21:20:35 | 000,005,581 | ---- | C] () -- C:\WINDOWS\hphmdl17.dat
[2010/06/29 20:23:59 | 000,023,108 | ---- | C] () -- C:\WINDOWS\hpqins15.dat
[2010/06/26 17:28:19 | 000,373,248 | ---- | C] () -- C:\WINDOWS\EyeCand3.INI
[2010/06/25 11:42:14 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Ken\Application Data\chrtmp
[2010/06/24 22:50:43 | 000,000,526 | ---- | C] () -- C:\WINDOWS\iconeasl.ini
[2010/06/24 22:50:43 | 000,000,069 | ---- | C] () -- C:\WINDOWS\easyicon.ini
[2010/06/24 22:49:08 | 000,001,300 | ---- | C] () -- C:\WINDOWS\System32\cool.dll
[2010/06/22 06:35:04 | 000,000,174 | ---- | C] () -- C:\Documents and Settings\Ken\Application Data\default.rss
[2010/06/22 06:33:34 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2010/06/21 22:38:32 | 000,512,468 | ---- | C] () -- C:\Documents and Settings\Ken\Application Data\data.dat
[2010/06/21 22:23:16 | 000,087,608 | ---- | C] () -- C:\Documents and Settings\Ken\Application Data\inst.exe
[2010/06/21 22:23:16 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\Ken\Application Data\pcouffin.cat
[2010/06/21 22:23:16 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\Ken\Application Data\pcouffin.inf
[2010/06/20 19:27:49 | 000,160,205 | ---- | C] () -- C:\WINDOWS\hpoins44.dat
[2010/06/20 19:27:49 | 000,000,586 | ---- | C] () -- C:\WINDOWS\hpomdl44.dat
[2010/06/20 00:48:53 | 000,000,016 | ---- | C] () -- C:\WINDOWS\popcinfo.dat
[2010/06/19 00:42:12 | 000,000,066 | ---- | C] () -- C:\WINDOWS\Cmicnfg3.ini.cfl
[2010/06/19 00:34:50 | 000,001,480 | R--- | C] () -- C:\WINDOWS\Cmicnfg3.ini.cfg
[2010/06/19 00:32:28 | 000,002,378 | R--- | C] () -- C:\WINDOWS\cmudax3.ini
[2010/06/18 20:06:45 | 000,000,146 | ---- | C] () -- C:\WINDOWS\Hallow.ini
[2010/06/17 22:04:32 | 000,000,000 | ---- | C] () -- C:\WINDOWS\GAMCHEST.INI
[2010/06/17 22:01:17 | 000,000,236 | ---- | C] () -- C:\WINDOWS\DWSLOT.INI
[2010/06/17 21:58:14 | 000,000,436 | ---- | C] () -- C:\WINDOWS\Win95dll.ini
[2010/06/17 00:49:47 | 000,000,032 | ---- | C] () -- C:\WINDOWS\concentr.ini
[2010/06/17 00:49:33 | 000,000,033 | ---- | C] () -- C:\WINDOWS\webica.ini
[2010/06/16 22:03:57 | 000,000,045 | ---- | C] () -- C:\WINDOWS\popcinfot.dat
[2010/06/16 22:03:57 | 000,000,000 | ---- | C] () -- C:\WINDOWS\popcreg.dat
[2010/06/16 21:57:43 | 000,000,193 | ---- | C] () -- C:\WINDOWS\cncscore.ini
[2010/06/16 21:55:32 | 000,000,367 | ---- | C] () -- C:\WINDOWS\2XCherry.ini
[2010/06/16 21:45:06 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2010/06/16 21:41:03 | 000,147,456 | R--- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4885.dll
[2010/06/16 21:20:00 | 000,000,099 | ---- | C] () -- C:\WINDOWS\Ultisoft.ini
[2010/06/16 21:20:00 | 000,000,009 | ---- | C] () -- C:\WINDOWS\Collida.ini
[2010/06/16 21:20:00 | 000,000,009 | ---- | C] () -- C:\WINDOWS\Brick.ini
[2010/06/14 00:16:48 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/06/13 19:54:55 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/06/13 19:47:29 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/06/12 19:16:45 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/06/12 19:11:12 | 000,285,312 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/04/02 17:17:34 | 000,179,091 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat
[2010/02/08 07:33:04 | 000,359,320 | ---- | C] () -- C:\WINDOWS\System32\vfprintpthelper.dll
[2010/01/12 05:35:44 | 000,080,416 | ---- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll
[2008/05/26 21:59:42 | 000,018,904 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschematrivial.bin
[2008/05/26 21:59:40 | 000,106,605 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschema.bin
[2008/04/14 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2008/04/14 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008/04/14 07:00:00 | 000,566,522 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008/04/14 07:00:00 | 000,370,176 | ---- | C] () -- C:\WINDOWS\opovisidubadi.dll
[2008/04/14 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008/04/14 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008/04/14 07:00:00 | 000,112,874 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008/04/14 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2008/04/14 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008/04/14 07:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008/04/14 07:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2008/04/14 07:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008/04/14 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2007/08/15 07:27:18 | 000,009,600 | ---- | C] () -- C:\WINDOWS\System32\drivers\n558.sys
[2006/06/07 16:52:08 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll
[2005/01/01 05:17:07 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2003/09/27 02:00:48 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\CSMX.DLL
[2002/11/19 15:46:20 | 000,039,104 | ---- | C] () -- C:\WINDOWS\cmijack.dat
[2002/11/19 15:43:38 | 000,022,178 | ---- | C] () -- C:\WINDOWS\cmaudio.dat
[2001/11/14 13:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll
[1998/05/05 22:19:58 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\Msvcrt10.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Ken\Desktop\Rootkit Report:SummaryInformation
@Alternate Data Stream - 275 bytes -> C:\Documents and Settings\All Users\Application Data\Temp:010ADD2C
@Alternate Data Stream - 249 bytes -> C:\Documents and Settings\All Users\Application Data\Temp:2B11E0DF
@Alternate Data Stream - 137 bytes -> C:\Documents and Settings\All Users\Application Data\Temp:63238B95
@Alternate Data Stream - 1072 bytes -> C:\Documents and Settings\All Users\Application Data\Temp:79207C85

< End of report >




And lastly the Extras Report:
OTL Extras logfile created on: 5/24/2011 8:36:32 PM - Run 1
OTL by OldTimer - Version 3.2.23.0 Folder = C:\Documents and Settings\Ken\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.33 Gb Available Physical Memory | 67.15% Memory free
7.80 Gb Paging File | 7.35 Gb Available in Paging File | 94.28% Paging File free
Paging file location(s): [Binary data over 100 bytes]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 27.95 Gb Total Space | 3.73 Gb Free Space | 13.36% Space Free | Partition Type: NTFS
Drive I: | 74.50 Gb Total Space | 0.14 Gb Free Space | 0.18% Space Free | Partition Type: NTFS
Drive J: | 74.50 Gb Total Space | 74.42 Gb Free Space | 99.88% Space Free | Partition Type: NTFS
Drive K: | 74.50 Gb Total Space | 71.26 Gb Free Space | 95.64% Space Free | Partition Type: NTFS
Drive L: | 195.31 Gb Total Space | 133.59 Gb Free Space | 68.40% Space Free | Partition Type: NTFS
Drive M: | 195.31 Gb Total Space | 48.94 Gb Free Space | 25.06% Space Free | Partition Type: NTFS
Drive N: | 195.31 Gb Total Space | 99.84 Gb Free Space | 51.12% Space Free | Partition Type: NTFS
Drive O: | 74.57 Gb Total Space | 73.71 Gb Free Space | 98.84% Space Free | Partition Type: NTFS
Drive P: | 345.58 Gb Total Space | 232.66 Gb Free Space | 67.32% Space Free | Partition Type: NTFS

Computer Name: KEN-D62DA1F4861 | User Name: Ken | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [ACDSee Pro 3.Manage] -- "C:\Program Files\ACD Systems\ACDSee Pro\3.0\ACDSeeQVPro3.exe" "%1" (ACD Systems International Inc.)
Directory [Browse with ACDSee] -- "C:\Program Files\ACDSee32\ACDSee32.exe" "%1" (ACD Systems, Ltd.)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- Reg Error: Key error.
Directory [Winamp.Enqueue] -- Reg Error: Key error.
Directory [Winamp.Play] -- Reg Error: Key error.
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UACDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"3587:TCP" = 3587:TCP:*:Enabled:Windows Peer-to-Peer Grouping
"3540:UDP" = 3540:UDP:*:Enabled:Peer Name Resolution Protocol (PNRP)
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:TCP" = 1900:TCP:LocalSubNet:Disabled:UDP 1900
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"3587:TCP" = 3587:TCP:*:Enabled:Windows Peer-to-Peer Grouping
"3540:UDP" = 3540:UDP:*:Enabled:Peer Name Resolution Protocol (PNRP)
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\CyberLink\PowerDVD9\PowerDVD9.exe" = C:\Program Files\CyberLink\PowerDVD9\PowerDVD9.exe:*:Enabled:CyberLink PowerDVD 9.0
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe
"C:\Program Files\HP\Digital Imaging\bin\hpqcopy2.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqcopy2.exe:*:Enabled:hpqcopy2.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe:*:Enabled:hpfccopy.exe
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe
"C:\Program Files\Common Files\HP\Digital Imaging\Bin\hpqPhotoCrm.exe" = C:\Program Files\Common Files\HP\Digital Imaging\Bin\hpqPhotoCrm.exe:*:Enabled:hpqphotocrm.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqgplgtupl.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqgplgtupl.exe:*:Enabled:hpqgplgtupl.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqusgm.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqusgm.exe:*:Enabled:hpqusgm.exe
"C:\Program Files\HP\Digital Imaging\bin\hpqusgh.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqusgh.exe:*:Enabled:hpqusgh.exe
"C:\Program Files\HP\HP Software Update\HPWUCli.exe" = C:\Program Files\HP\HP Software Update\HPWUCli.exe:*:Enabled:hpwucli.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\smart web printing\SmartWebPrintExe.exe" = C:\Program Files\HP\Digital Imaging\smart web printing\SmartWebPrintExe.exe:*:Enabled:smartwebprintexe.exe -- (Hewlett-Packard Co.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\DOCUME~1\Ken\LOCALS~1\Temp\File1.exe" = C:\DOCUME~1\Ken\LOCALS~1\Temp\File1.exe:*:Enabled:Windows Messanger
"C:\DOCUME~1\Ken\LOCALS~1\Temp\48328.exe" = C:\DOCUME~1\Ken\LOCALS~1\Temp\48328.exe:*:Enabled:Windows Messanger
"C:\Program Files\DAP\DAP.exe" = C:\Program Files\DAP\DAP.exe:*:Enabled:Download Accelerator Plus (DAP) -- (SpeedBit Ltd.)
"C:\Program Files\Java\jre6\bin\java.exe" = C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Disabled:hposid01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqcopy2.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqcopy2.exe:*:Disabled:hpqcopy2.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqgplgtupl.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqgplgtupl.exe:*:Disabled:hpqgplgtupl.exe -- (Hewlett-Packard Co.)
"C:\Program Files\Common Files\HP\Digital Imaging\Bin\hpqPhotoCrm.exe" = C:\Program Files\Common Files\HP\Digital Imaging\Bin\hpqPhotoCrm.exe:*:Disabled:hpqphotocrm.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqusgh.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqusgh.exe:*:Disabled:hpqusgh.exe
"C:\Program Files\HP\Digital Imaging\bin\hpqusgm.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqusgm.exe:*:Disabled:hpqusgm.exe
"C:\Program Files\HP\HP Software Update\HPWUCli.exe" = C:\Program Files\HP\HP Software Update\HPWUCli.exe:*:Disabled:hpwucli.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\smart web printing\SmartWebPrintExe.exe" = C:\Program Files\HP\Digital Imaging\smart web printing\SmartWebPrintExe.exe:*:Disabled:smartwebprintexe.exe -- (Hewlett-Packard Co.)
"C:\WINDOWS\system32\mmc.exe" = C:\WINDOWS\system32\mmc.exe:*:Enabled:Microsoft Management Console -- (Microsoft Corporation)
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\FinalMediaPlayer\FMPCheckForUpdates.exe" = C:\Program Files\FinalMediaPlayer\FMPCheckForUpdates.exe:*:Enabled:Final Media Player Update Checker -- (Bitberry Software)
"J:\DAP\Facemoods.exe" = J:\DAP\Facemoods.exe:*:Disabled:InstallCore™
"H:\Winamp\winamp.exe" = H:\Winamp\winamp.exe:*:Disabled:Winamp
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Disabled:Yahoo! Messenger


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{00C5F4F4-62F9-40D7-8000-AD8A9CD0C669}" = Microsoft Games for Windows - LIVE Redistributable
"{07FB17D8-7DB6-4F06-80C4-8BE1719CB6A1}" = hpWLPGInstaller
"{0C826C5B-B131-423A-A229-C71B3CACCD6A}" = CDDRV_Installer
"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
"{1B280FAF-AE10-4E31-A41A-DB3917D651DC}" = ACDSee Pro 3
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{21A2F5EE-1DC5-488A-BE7E-E526F8C61488}" = DeviceDiscovery
"{26A24AE4-039D-4CA4-87B4-2F83216023FF}" = Java™ 6 Update 23
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{28C2DED6-325B-4CC7-983A-1777C8F7FBAB}" = RealUpgrade 1.1
"{2C0A655C-61E7-428A-8ED2-23A3D20E7DD2}" = Data Lifeguard Tools
"{2EEA7AA4-C203-4b90-A34F-19FB7EF1C81C}" = BufferChm
"{3035E526-C5C1-4194-AF49-FE5E2A749AAA}" = FutureDial Suite
"{30363C5E-1A3E-43B2-947F-7589DC1DA185}" = JSWPFGrade2
"{30AB2FCD-FBF2-4bed-AC6A-13E6A1468621}_is1" = GiliSoft File Lock Pro 4.2
"{34BFB099-07B2-4E95-A673-7362D60866A2}" = PSSWCORE
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3F4EC965-28EF-45C3-B063-04B25D4E9679}" = WIDCOMM Bluetooth Software
"{42E2EEB2-D48E-4A47-B181-32ECA031D93B}" = DJ_AIO_06_F2400_SW_Min
"{43CDF946-F5D9-4292-B006-BA0D92013021}" = WebReg
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{478A4971-68B3-4BD9-A379-4EDD111A6BA7}" = JS3DPreSchool
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A70EF07-7F88-4434-BB61-D1DE8AE93DD4}" = SolutionCenter
"{4CCC7F68-A437-4559-A840-F5E010934951}" = HP Driver Diagnostics
"{5809E7CF-4DCF-11D4-9875-00105ACE7734}" = Logitech MouseWare 9.79
"{5E730665-26CF-4cd5-BBDC-D005665B01F6}" = PS_APP_02_Software
"{63FF21C9-A810-464F-B60A-3111747B1A6D}" = GPBaseService2
"{65F9E1F3-A2C1-4AA9-9F33-A3AEB0255F0E}" = Garmin USB Drivers
"{6B437F94-056F-4791-AF2C-0D10E2706AF0}" = PanoStandAlone
"{6BAA71B6-8F43-4C72-931A-3354ABB0258A}" = F2400
"{6BBA26E9-AB03-4FE7-831A-3535584CA002}" = Toolbox
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7203911B-70A5-4F68-A2FF-44BAFA5B3112}" = KYOCERA USB Modem M6000 Driver
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{793A260C-CDBF-499C-ABBA-B51E8E076867}_is1" = Uniblue PowerSuite
"{7C4196CA-CA41-4F34-9C08-7724E7705D52}" = Jasc Animation Shop 3
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8686D4FE-62EF-46FB-B9FD-00679EB381FF}_is1" = Trojan Killer 2.0
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{89B078C4-50B0-453E-BF53-3A7E6A0D85FA}" = Windows Support Tools
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A85DEAD-7C1F-4368-881C-72AC74CB2E91}" = UnloadSupport
"{8FF6F5CA-4E30-4E3B-B951-204CAAA2716A}" = SmartWebPrinting
"{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}" = Logitech Desktop Messenger
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{92127AF5-FDD8-4ADF-BC40-C356C9EE0B7D}" = 32 Bit HP CIO Components Installer
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9A2F0A59-B202-4D2A-9343-A7E5ACE852B7}" = JSWPFCom
"{a0fe116e-9a8a-466f-aee0-625cb7c207e3}" = Microsoft Visual C++ 2005 Redistributable - KB2467175
"{A1BC8E02-6B5B-4B4A-A75F-B27A16918C2B}" = DiscWizard for Windows
"{A1C962E2-2426-49C6-A38B-9A07E40D607C}" = Microsoft Games for Windows - LIVE
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A498D9EB-927B-459B-85D6-DD6EF8C2C564}" = erLT
"{A8F2089B-1F79-4BF6-B385-A2C2B0B9A74D}" = ImagXpress
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AB05F2C8-F608-403b-95E1-FD8ADFACD31E}" = Windows 7 Upgrade Advisor
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.4
"{AE8705FB-E13C-40A9-8A2D-68D6733FBFC2}" = Status
"{AFF7E080-1974-45BF-9310-10DE1A1F5ED0}" = Adobe AIR
"{B0069CFA-5BB9-4C03-B1C6-89CE290E5AFE}" = HP Update
"{B1ADF008-E898-4FE2-8A1F-690D9A06ACAF}" = DolbyFiles
"{B1EE1CC5-6CED-4801-BFFF-8454F21A245A}" = Garmin Communicator Plugin
"{B2EB23D7-8AA5-457F-82B8-4F60321A9CC7}" = JSWPFGradeK
"{B2EC4A38-B545-4A00-8214-13FE0E915E6D}" = Advertising Center
"{B78120A0-CF84-4366-A393-4D0A59BC546C}" = Menu Templates - Starter Kit
"{BAD0FA60-09CF-4411-AE6A-C2844C8812FA}" = HP Photosmart Essential 2.5
"{BDE4CF11-7BA4-4755-96D4-98D03E2026C0}" = JSWPFGrade1
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C43326F5-F135-4551-8270-7F7ABA0462E1}" = HPProductAssistant
"{C5A7CB6C-E76D-408F-BA0E-85605420FE9D}" = SoundTrax
"{C75CDBA2-3C86-481e-BD10-BDDA758F9DFF}" = hpPrintProjects
"{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
"{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}" = HP Product Detection
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240BD}" = WinZip 14.5
"{cd998cc4-714f-47e0-82d6-1fc0b79af1b5}" = Nero 9
"{CDBF8C2D-04B0-4F9B-9AE1-7422F7F0EC94}" = HP Deskjet F2400 All-In-One Driver Software 13.0 Rel .6
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEF7211D-CE3A-44C4-B321-D84A2099AE94}" = Comcast Desktop Software (v1.2.0.9)
"{CF911E7B-1B9D-4e1c-8534-60E70FA45BC1}" = PS_APP_02_Software_Min
"{D24DB8B9-BB6C-4334-9619-BA1C650E13D3}" = Microsoft Primary Interoperability Assemblies 2005
"{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}" = TuneUp Utilities
"{D6DE02C7-1F47-11D4-9515-00105AE4B89A}" = Paint Shop Pro 7 ESD
"{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}" = U3Launcher
"{DB1F1933-58B6-4ACD-A7E8-ABE8CC086A07}" = System Requirements Lab for Intel
"{DC0A5F99-FD66-433F-9D3A-05DCBA64BE42}" = TrayApp
"{E08DC77E-D09A-4e36-8067-D6DBBCC5F8DC}" = VideoToolkit01
"{E498385E-1C51-459A-B45F-1721E37AA1A0}" = Movie Templates - Starter Kit
"{E7CCFD3E-1D12-4ce6-9FC4-39521B3B5B64}" = HP Photosmart Appliance Printer Driver Software 10.0 Rel .2
"{F0DC4EFF-AD8D-4C1C-926D-74217AD52D4C}" = Day of the Zombie
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}" = Logitech SetPoint
"{FAF26102-09D7-4C58-AB01-0D59A2E517CA}" = Copy
"{FD39EF4B-0B5C-4B33-8D57-2EE865A80EB1}_is1" = Boilsoft Video Joiner 6.34
"{FE3997D3-6B56-4AC4-A99C-9DDFC45359BF}" = TuneUp Utilities Language Pack (en-US)
"49CF605F02C7954F4E139D18828DE298CD59217C" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)
"7-Zip" = 7-Zip 4.65
"ACDSee 32" = ACDSee 32
"Action Replay DSi Code Manager_is1" = Action Replay DSi Code Manager
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"ADS Tech Master Installer V3.0" = ADS Tech Master Installer V3.0
"ADS Tech V3.1 DVD Xpress CapWiz" = ADS Tech V3.1 DVD Xpress CapWiz
"Bejeweled 3" = Bejeweled 3
"BFGC" = Big Fish Games: Game Manager
"Browser Mouse" = Browser Mouse
"BTjunkie Toolbar" = BTjunkie Toolbar
"C-Media PCI Sound" = C-Media PCI Audio Device
"CodeStuff Starter" = CodeStuff Starter
"conduitEngine" = Conduit Engine
"CSMFYUV" = CSMX AVI lossless video codec (Remove Only)
"Download Accelerator Plus (DAP)" = Download Accelerator Plus (DAP)
"Easy Video Joiner_is1" = Easy Video Joiner 5.21
"eMusic Promotion" = 50 FREE MP3s +1 Free Audiobook!
"ENTERPRISE" = Microsoft Office Enterprise 2007
"FinalMediaPlayer_is1" = Final Media Player 2011
"HDMI" = Intel® Graphics Media Accelerator Driver
"HP Imaging Device Functions" = HP Imaging Device Functions 13.0
"HP Photosmart Essential" = HP Photosmart Essential 2.5
"HP Print Projects" = HP Print Projects 1.0
"HP Smart Web Printing" = HP Smart Web Printing 4.60
"HP Solution Center & Imaging Support Tools" = HP Solution Center 13.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Indeo® software" = Indeo® software
"Internet Download Manager" = Internet Download Manager
"IrfanView" = IrfanView (remove only)
"Jigsaw Puzzle Platinum" = Jigsaw Puzzle Platinum
"JumpStart 3D Ages 3-5" = JumpStart 3D Ages 3-5
"JumpStart 3D Ages 4-6" = JumpStart 3D Ages 4-6
"JumpStart 3D Ages 5-7" = JumpStart 3D Ages 5-7
"JumpStart 3D Ages 6-8" = JumpStart 3D Ages 6-8
"LameACM" = Lame ACM MP3 Codec
"Logitech Resource Center" = Logitech Resource Center
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSNINST" = MSN
"Muiltmedia keyboard utility 1.1" = Muiltmedia keyboard utility 1.1
"N360" = Norton Security Suite
"NeroMultiInstaller!UninstallKey" = Nero Suite
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NOF" = Norton Online
"NSM" = Norton Safety Minder
"OJOsoft Total Video Converter_is1" = OJOsoft Total Video Converter
"PCI Audio Driver" = PCI Audio Driver
"PixelPerfect_4281508C_4DA1_4d4e_81EB_725D55EC30DC_is1" = Uniblue PixelPerfect
"QuickTime" = QuickTime
"Recover My Files_is1" = Recover My Files
"SPlayer" = SPlayer
"TuneUp Utilities" = TuneUp Utilities
"UnityWebPlayer" = Unity Web Player
"uTorrent" = µTorrent
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Winamp" = Winamp
"WinArchiver Virtual Drive" = WinArchiver Virtual Drive
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Winrar 3.93" = Winrar 3.93
"WinRAR archiver" = WinRAR archiver
"WinX DVD Player_is1" = WinX DVD Player 3.1.2
"WinZip Self-Extractor" = WinZip Self-Extractor
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Zuma Deluxe_is1" = Zuma Deluxe

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1343024091-117609710-1801674531-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"ICDL Book Reader" = ICDL Book Reader
"Move Media Player" = Move Media Player
"SOE-Clone Wars" = Clone Wars
"UnityWebPlayer" = Unity Web Player
"Winamp Detect" = Winamp Detector Plug-in

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/21/2011 6:37:27 PM | Computer Name = KEN-D62DA1F4861 | Source = Ci | ID = 4127
Description = Content index on c:\system volume information\catalog.wci could not
be initialized. Error 3221225477.

Error - 5/21/2011 6:37:27 PM | Computer Name = KEN-D62DA1F4861 | Source = Ci | ID = 4127
Description = Content index on c:\system volume information\catalog.wci could not
be initialized. Error 3221225477.

Error - 5/21/2011 7:22:37 PM | Computer Name = KEN-D62DA1F4861 | Source = Application Error | ID = 1000
Description = Faulting application winzip32.exe, version 25.0.9095.0, faulting module
winzip32.exe, version 25.0.9095.0, fault address 0x00028ca5.

Error - 5/22/2011 9:21:36 AM | Computer Name = KEN-D62DA1F4861 | Source = ThreadLib | ID = 0
Description =

Error - 5/22/2011 11:04:34 AM | Computer Name = KEN-D62DA1F4861 | Source = Ci | ID = 4127
Description = Content index on c:\system volume information\catalog.wci could not
be initialized. Error 3221225477.

Error - 5/22/2011 11:04:35 AM | Computer Name = KEN-D62DA1F4861 | Source = Ci | ID = 4127
Description = Content index on c:\system volume information\catalog.wci could not
be initialized. Error 3221225477.

Error - 5/23/2011 6:44:07 PM | Computer Name = KEN-D62DA1F4861 | Source = Ci | ID = 4127
Description = Content index on c:\system volume information\catalog.wci could not
be initialized. Error 3221225477.

Error - 5/23/2011 6:44:11 PM | Computer Name = KEN-D62DA1F4861 | Source = Ci | ID = 4127
Description = Content index on c:\system volume information\catalog.wci could not
be initialized. Error 3221225477.

Error - 5/24/2011 8:04:06 PM | Computer Name = KEN-D62DA1F4861 | Source = Ci | ID = 4127
Description = Content index on c:\system volume information\catalog.wci could not
be initialized. Error 3221225477.

Error - 5/24/2011 8:04:06 PM | Computer Name = KEN-D62DA1F4861 | Source = Ci | ID = 4127
Description = Content index on c:\system volume information\catalog.wci could not
be initialized. Error 3221225477.

[ System Events ]
Error - 5/24/2011 8:07:32 PM | Computer Name = KEN-D62DA1F4861 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service hpqcxs08 with
arguments "" in order to run the server: {1DAEDD8A-30ED-4585-9CF1-13BDF7791DDE}

Error - 5/24/2011 8:07:33 PM | Computer Name = KEN-D62DA1F4861 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service hpqcxs08 with
arguments "" in order to run the server: {1DAEDD8A-30ED-4585-9CF1-13BDF7791DDE}

Error - 5/24/2011 8:07:40 PM | Computer Name = KEN-D62DA1F4861 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service hpqcxs08 with
arguments "" in order to run the server: {1DAEDD8A-30ED-4585-9CF1-13BDF7791DDE}

Error - 5/24/2011 8:14:00 PM | Computer Name = KEN-D62DA1F4861 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service gupdate with
arguments "/comsvc" in order to run the server: {4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error - 5/24/2011 9:00:00 PM | Computer Name = KEN-D62DA1F4861 | Source = Schedule | ID = 7901
Description = The At21.job command failed to start due to the following error: %%2147942402

Error - 5/24/2011 9:19:41 PM | Computer Name = KEN-D62DA1F4861 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service hpqcxs08 with
arguments "" in order to run the server: {1DAEDD8A-30ED-4585-9CF1-13BDF7791DDE}

Error - 5/24/2011 9:19:42 PM | Computer Name = KEN-D62DA1F4861 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service hpqcxs08 with
arguments "" in order to run the server: {1DAEDD8A-30ED-4585-9CF1-13BDF7791DDE}

Error - 5/24/2011 9:28:33 PM | Computer Name = KEN-D62DA1F4861 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service hpqcxs08 with
arguments "" in order to run the server: {1DAEDD8A-30ED-4585-9CF1-13BDF7791DDE}

Error - 5/24/2011 9:38:20 PM | Computer Name = KEN-D62DA1F4861 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service hpqcxs08 with
arguments "" in order to run the server: {1DAEDD8A-30ED-4585-9CF1-13BDF7791DDE}

Error - 5/24/2011 9:38:20 PM | Computer Name = KEN-D62DA1F4861 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service hpqcxs08 with
arguments "" in order to run the server: {1DAEDD8A-30ED-4585-9CF1-13BDF7791DDE}


< End of report >
Nothing seems different as I didn't do anything but run the scans and save the reports.

Thanks
Ken

#4 User is offline   SweetTech 

  • Agent ST
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 12,662
  • Joined: 15-March 09
  • Gender:Male
  • Location:Antarctica

Posted 25 May 2011 - 10:21 AM

Hi Ken!

Lets see where we stand after this.

OTL Fix

We need to run an OTL Fix
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.
    :Services
:OTL
MOD - [2008/04/14 07:00:00 | 000,370,176 | ---- | M] () -- C:\WINDOWS\opovisidubadi.dll
SRV - File not found [Disabled | Stopped] -- -- (nlsX86cc)
IE - HKU\.DEFAULT\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKU\S-1-5-18\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-1343024091-117609710-1801674531-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:51636
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No CLSID value found.
O4 - HKLM..\Run: [Pzujelapelepi] C:\WINDOWS\opovisidubadi.dll ()
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - Reg Error: Value error. File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - Reg Error: Value error. File not found
[2011/05/19 07:47:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ken\Local Settings\Application Data\{8D45F8A1-B938-400D-8812-91CDD3702462}
[2011/05/02 17:28:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\iG28614FpJkJ28614
[2011/05/24 20:13:00 | 000,000,252 | -H-- | M] () -- C:\WINDOWS\tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job
[2011/05/24 19:58:00 | 000,000,274 | -H-- | M] () -- C:\WINDOWS\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
[2011/05/24 19:03:21 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Lkazo.dat
[2011/05/24 05:46:07 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Dtayewohisi.bin
[2011/05/02 17:27:41 | 000,000,012 | ---- | C] () -- C:\Documents and Settings\LocalService\Application Data\htjzka.dat
[2011/04/10 13:16:31 | 000,356,352 | ---- | C] () -- C:\WINDOWS\System32\mfuzi.exe
[2011/04/10 09:09:26 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Lkazo.dat
[2011/04/10 09:09:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Dtayewohisi.bin
@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Ken\Desktop\Rootkit Report:SummaryInformation
@Alternate Data Stream - 275 bytes -> C:\Documents and Settings\All Users\Application Data\Temp:010ADD2C
@Alternate Data Stream - 249 bytes -> C:\Documents and Settings\All Users\Application Data\Temp:2B11E0DF
@Alternate Data Stream - 137 bytes -> C:\Documents and Settings\All Users\Application Data\Temp:63238B95
@Alternate Data Stream - 1072 bytes -> C:\Documents and Settings\All Users\Application Data\Temp:79207C85

:Reg

:Files
C:\WINDOWS\tasks\At*.job
dir /s /a "C:\Microsoft" /c
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[CreateRestorePoint]
[emptytemp]
[EMPTYFLASH]

  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.



NEXT:



Running ComboFix
Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
  • IMPORTANT - Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

    Note: If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If for some reason these applications will not uninstall, try uninstalling with AppRemover by Opswat.

  • Double click on ComboFix.exe & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Posted Image

  • Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now

This post has been edited by SweetTech: 25 May 2011 - 10:21 AM

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.

#5 User is offline   ktravers 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 7
  • Joined: 21-May 11

Posted 25 May 2011 - 08:16 PM

Hi ST!
My pc seems to be much better pages are popping and no redirects.
here is the ComboFix Log:
ComboFix 11-05-25.01 - Ken 05/25/2011 19:35:39.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2036.1382 [GMT -5:00]
Running from: c:\documents and settings\Ken\Desktop\ComboFix.exe
.
ADS - WINDOWS: deleted 0 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Ken\Application Data\inst.exe
c:\documents and settings\Ken\WINDOWS
c:\documents and settings\NetworkService\Application Data\PriceGong
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\1.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\a.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\b.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\c.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\d.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\e.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\f.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\g.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\h.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\i.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\J.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\k.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\l.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\m.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\n.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\o.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\p.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\q.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\r.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\s.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\t.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\u.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\v.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\w.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\x.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\y.xml
c:\documents and settings\NetworkService\Application Data\PriceGong\Data\z.xml
C:\Microsoft
c:\windows\system32\_000115_.tmp.dll
.
----- BITS: Possible infected sites -----
.
hxxp://knowledgeadventure.cachefly.net
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_SSHNAS
.
.
((((((((((((((((((((((((( Files Created from 2011-04-26 to 2011-05-26 )))))))))))))))))))))))))))))))
.
.
2011-05-26 00:10 . 2011-05-26 00:10 -------- dc----w- C:\_OTL
2011-05-22 14:18 . 2011-05-22 14:22 -------- dc----w- C:\Day of the Zombie
2011-05-22 14:18 . 2011-05-22 14:18 -------- d-----w- c:\program files\Day of the Zombie
2011-05-21 15:18 . 2011-05-21 15:18 388096 ----a-r- c:\documents and settings\Ken\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-05-21 15:18 . 2011-05-21 15:18 -------- d-----w- c:\program files\Trend Micro
2011-05-19 14:00 . 2011-05-19 14:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Big Fish Games
2011-05-19 14:00 . 2011-05-19 14:01 -------- d-----w- c:\program files\bfgclient
2011-05-19 13:59 . 2011-05-19 14:01 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2011-05-17 03:52 . 2011-05-17 03:52 -------- d-----w- c:\windows\system32\drivers\NSM
2011-05-17 03:52 . 2011-05-17 03:52 -------- d-----w- c:\program files\Norton Online
2011-05-17 03:52 . 2011-05-17 03:52 -------- d-----w- c:\windows\system32\drivers\NOF
2011-05-17 03:30 . 2011-05-17 03:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-05-17 03:25 . 2011-05-17 03:34 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-17 02:44 . 2011-05-17 23:17 -------- d-----w- c:\program files\Symantec
2011-05-17 02:44 . 2011-05-17 23:17 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-05-17 02:44 . 2011-05-17 23:17 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-05-17 02:44 . 2011-05-17 03:15 -------- d-----w- c:\program files\Common Files\Symantec Shared
2011-05-17 02:44 . 2011-05-17 02:44 -------- d-----w- c:\documents and settings\Ken\Local Settings\Application Data\Secunia PSI
2011-05-17 02:42 . 2011-05-18 22:18 -------- d-----w- c:\windows\system32\drivers\N360
2011-05-17 02:42 . 2011-05-17 02:42 -------- d-----w- c:\program files\Norton Security Suite
2011-05-17 02:41 . 2011-05-17 03:50 -------- d-----w- c:\program files\NortonInstaller
2011-05-17 02:16 . 2011-05-17 02:16 -------- d-----w- c:\program files\Secunia
2011-05-15 01:22 . 2011-05-15 01:22 -------- d-----w- c:\documents and settings\Ken\ICDL Cache
2011-05-14 01:49 . 2011-05-17 00:38 -------- d-----w- c:\documents and settings\Damian
2011-05-13 09:55 . 2011-05-22 04:49 -------- d-----w- c:\program files\SPlayer
2011-05-11 00:12 . 2011-05-17 00:49 -------- d-----w- c:\program files\WinArchiver Virtual Drive
2011-05-10 22:45 . 2011-05-21 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Rosetta Stone
2011-05-09 09:39 . 2009-12-14 17:44 39352 ----a-w- c:\windows\system32\drivers\CSVirtualDiskDrv.sys
2011-05-09 09:39 . 2009-12-14 17:44 88632 ----a-w- c:\windows\system32\drivers\CSCrySec.sys
2011-05-09 09:35 . 2011-05-10 10:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2011-05-09 08:09 . 2011-05-09 08:09 -------- d-----w- c:\windows\ServicePackFiles
2011-05-09 03:52 . 2009-10-22 18:54 37392 ----a-w- c:\windows\system32\drivers\04332822.sys
2011-05-09 03:52 . 2009-09-25 22:59 128016 ----a-w- c:\windows\system32\drivers\04332821.sys
2011-05-08 15:43 . 2007-02-08 13:45 29184 ----a-r- c:\windows\system32\drivers\dsiarhwprog.sys
2011-05-08 15:41 . 2011-05-08 15:41 -------- d-----w- c:\program files\Datel
2011-05-07 16:11 . 2011-05-07 17:13 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-05-07 15:04 . 2011-05-07 15:04 -------- d-----w- c:\program files\Support Tools
2011-05-07 14:33 . 2011-05-07 14:33 -------- d-----w- c:\windows\system32\FxsTmp
2011-05-07 14:33 . 2008-04-14 12:00 18944 -c--a-w- c:\windows\system32\dllcache\simptcp.dll
2011-05-07 14:33 . 2008-04-14 12:00 18944 ----a-w- c:\windows\system32\simptcp.dll
2011-05-07 14:33 . 2008-04-14 12:00 31744 -c--a-w- c:\windows\system32\dllcache\fxsroute.dll
2011-05-07 14:33 . 2008-04-14 12:00 31744 ----a-w- c:\windows\system32\fxsroute.dll
2011-05-07 14:33 . 2008-04-14 12:00 132608 -c--a-w- c:\windows\system32\dllcache\fxsclntr.dll
2011-05-07 14:33 . 2008-04-14 12:00 132608 ----a-w- c:\windows\system32\fxsclntR.dll
2011-05-07 14:33 . 2008-04-14 12:00 11264 -c--a-w- c:\windows\system32\dllcache\fxssend.exe
2011-05-07 14:33 . 2008-04-14 12:00 11264 ----a-w- c:\windows\system32\fxssend.exe
2011-05-07 14:33 . 2008-04-14 12:00 111104 -c--a-w- c:\windows\system32\dllcache\fxscfgwz.dll
2011-05-07 14:33 . 2008-04-14 12:00 111104 ----a-w- c:\windows\system32\fxscfgwz.dll
2011-05-03 09:51 . 2011-05-03 09:51 -------- d-----w- c:\program files\Valve
2011-05-02 22:28 . 2011-05-03 03:22 -------- d-----w- c:\documents and settings\All Users\Application Data\iG28614FpJkJ28614
2011-05-02 04:34 . 2011-05-02 04:34 -------- d-----w- c:\program files\GridinSoft Trojan Killer
2011-05-02 04:20 . 2011-05-02 04:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-05-02 02:55 . 2011-05-02 02:55 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Help
2011-05-02 01:28 . 2011-05-02 01:28 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-05-01 23:33 . 2011-05-01 23:33 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\VS Revo Group
2011-05-01 14:58 . 2011-05-01 14:58 -------- d-----w- c:\documents and settings\Ken\Local Settings\Application Data\VS Revo Group
2011-05-01 10:59 . 2011-05-01 10:59 -------- d-----w- c:\program files\Conduit
2011-05-01 10:59 . 2011-05-25 01:19 -------- d-----w- c:\documents and settings\Ken\Local Settings\Application Data\ConduitEngine
2011-05-01 10:59 . 2011-05-25 01:19 -------- d-----w- c:\documents and settings\Ken\Local Settings\Application Data\BTjunkie
2011-05-01 10:59 . 2011-05-01 10:59 -------- d-----w- c:\program files\BTjunkie
2011-05-01 10:21 . 2011-05-01 10:21 18944 ----a-r- c:\documents and settings\Ken\Application Data\Microsoft\Installer\{8F018A9E-56DE-4A79-A5EF-25F413F1D538}\IconBB6A16301.exe
2011-05-01 10:20 . 2011-05-01 10:49 -------- d-----w- c:\documents and settings\Ken\Application Data\FinalMediaPlayer
2011-05-01 10:20 . 2011-05-01 10:20 -------- d-----w- c:\program files\FinalMediaPlayer
2011-04-27 02:48 . 2011-04-27 03:22 -------- dc----w- C:\Netgear
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-18 00:55 . 2011-04-18 00:55 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2011-04-18 00:50 . 2011-04-18 00:50 3584 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2011-04-17 21:50 . 2011-04-17 21:50 312 ----a-w- c:\documents and settings\Ken\stsf.bat
2011-04-17 16:36 . 2010-06-14 04:38 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-04-17 16:36 . 2010-06-14 04:38 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-03-28 17:46 . 2011-02-01 14:37 98160 ----a-w- c:\windows\system32\drivers\idmtdi.sys
2011-03-20 04:00 . 2011-01-29 17:56 7040 ----a-w- c:\windows\system32\drivers\tkfilter.sys
2011-03-09 05:10 . 2011-03-09 04:48 253952 -c----w- c:\windows\Setup1.exe
2011-03-09 05:10 . 2011-03-09 04:47 73216 -c--a-w- c:\windows\ST6UNST.EXE
2011-03-07 05:33 . 2010-06-14 00:47 692736 -c--a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2008-04-14 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-04 02:11 . 2011-03-04 02:11 91618 ----a-w- c:\windows\system32\drivers\waemu.sys
2011-03-03 13:21 . 2008-04-14 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1a71246c-3eb0-4d6c-af77-3ab756017c3a}]
2011-03-28 16:22 176936 ----a-w- c:\program files\BTjunkie\prxtbBTju.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-03-28 16:22 176936 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF6C3CF0-4B15-11D1-ABED-709549C10000}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1a71246c-3eb0-4d6c-af77-3ab756017c3a}"= "c:\program files\BTjunkie\prxtbBTju.dll" [2011-03-28 176936]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-03-28 176936]
.
[HKEY_CLASSES_ROOT\clsid\{1a71246c-3eb0-4d6c-af77-3ab756017c3a}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1A71246C-3EB0-4D6C-AF77-3AB756017C3A}"= "c:\program files\BTjunkie\prxtbBTju.dll" [2011-03-28 176936]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-03-28 176936]
.
[HKEY_CLASSES_ROOT\clsid\{1a71246c-3eb0-4d6c-af77-3ab756017c3a}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2011-03-02 15:23 68216 ----a-w- c:\program files\Internet Download Manager\IDMShellExt.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-01-13 134656]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-01-13 135680]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 17:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"IDMan"=c:\program files\Internet Download Manager\IDMan.exe /onboot
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\DAP\\DAP.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\FinalMediaPlayer\\FMPCheckForUpdates.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R0 04332822;04332822 Boot Guard Driver;c:\windows\system32\drivers\04332822.sys [5/8/2011 10:52 PM 37392]
R0 FileLock;FileLock;c:\windows\system32\drivers\FileLock.sys [1/1/2005 8:46 AM 35456]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0501000.01D\symds.sys [5/17/2011 6:17 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0501000.01D\symefa.sys [5/17/2011 6:17 PM 744568]
R0 WAEMU;waemu;c:\windows\system32\drivers\waemu.sys [3/3/2011 9:11 PM 91618]
R1 04332821;04332821;c:\windows\system32\drivers\04332821.sys [5/8/2011 10:52 PM 128016]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20110518.001\BHDrvx86.sys [5/18/2011 6:53 PM 802936]
R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [2/1/2011 9:37 AM 98160]
R1 SSHDRV65;SSHDRV65;c:\windows\system32\drivers\SSHDRV65.sys [7/1/2010 10:35 PM 120320]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0501000.01D\ironx86.sys [5/17/2011 6:17 PM 136312]
R2 Iprip;RIP Listener;c:\windows\System32\svchost.exe -k netsvcs [4/14/2008 7:00 AM 14336]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [7/5/2010 10:28 PM 10384]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\5.1.0.29\ccsvchst.exe [5/17/2011 6:14 PM 130008]
R2 NOF;Norton Online;c:\program files\Norton Online\Engine\2.1.0.23\ccSvcHst.exe [5/16/2011 10:52 PM 126904]
R2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\drivers\ousbehci.sys [6/13/2010 8:58 PM 45696]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/19/2011 8:49 PM 105592]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20110518.001\IDSXpx86.sys [5/18/2011 8:07 PM 341944]
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [6/13/2010 8:58 PM 56960]
S1 MpKsl16ff5349;MpKsl16ff5349; [x]
S1 MpKsl2a4e80db;MpKsl2a4e80db; [x]
S1 MpKsl3748b157;MpKsl3748b157; [x]
S1 MpKsl7beac835;MpKsl7beac835; [x]
S1 MpKsl8309d0a9;MpKsl8309d0a9; [x]
S1 MpKsl9bad1fb8;MpKsl9bad1fb8; [x]
S1 MpKslbd2d0e7d;MpKslbd2d0e7d; [x]
S1 MpKsld5f1cdc9;MpKsld5f1cdc9;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AF526B2B-E4B3-4B8F-A7BB-3E55030598BD}\MpKsld5f1cdc9.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AF526B2B-E4B3-4B8F-A7BB-3E55030598BD}\MpKsld5f1cdc9.sys [?]
S1 MpKslec6abf51;MpKslec6abf51; [x]
S1 MpKslf18d44fb;MpKslf18d44fb; [x]
S2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2010/06/13 22:18]; [x]
S3 adxapie;adxapie; [x]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [7/5/2010 8:13 AM 1691480]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\androidusb.sys [11/4/2009 9:54 AM 24576]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]
S3 dsiarhwprog;dsiarhwprog;c:\windows\system32\drivers\dsiarhwprog.sys [5/8/2011 10:43 AM 29184]
S3 kcusbser;Kyocera USB Device for Legacy Serial Communication;c:\windows\system32\drivers\kcusbser.sys [11/3/2009 4:50 PM 105984]
S3 SYMRDR_{78CA3BF0-9C3B-40e1-B46D-38C877EF059A};Symantec Redirector - Norton Safety Minder;c:\windows\system32\drivers\NSM\0201000.034\symrdr.sys [5/16/2011 10:52 PM 181296]
S3 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [9/30/2010 10:12 AM 1051968]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [2/25/2010 11:18 AM 10064]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2011 6:04 PM 136176]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2011 6:04 PM 136176]
S4 NAUpdate;@c:\program files\Ahead\Update\NASvc.exe,-200;c:\program files\Ahead\Update\NASvc.exe [3/25/2010 2:39 PM 490280]
S4 WinArchiver Service;WinArchiver Service;c:\program files\WinArchiver Virtual Drive\WAService.exe [3/3/2011 9:15 PM 196608]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-26 c:\windows\Tasks\Final Media Player Update Checker.job
- c:\program files\FinalMediaPlayer\FMPCheckForUpdates.exe [2011-05-01 21:50]
.
2011-05-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-29 23:04]
.
2011-05-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-29 23:04]
.
2011-05-26 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1343024091-117609710-1801674531-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 15:47]
.
2011-05-21 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1343024091-117609710-1801674531-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 15:47]
.
2011-05-26 c:\windows\Tasks\RegistryBooster.job
- c:\program files\Uniblue\RegistryBooster\rbmonitor.exe [2011-01-14 13:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
mStart Page = hxxp://www.msn.com
uInternet Settings,ProxyOverride = localhost
uInternet Settings,ProxyServer = http=127.0.0.1:51636
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
Trusted Zone: idvaultservices.com\ringo
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-25 19:52
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\controlset001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\5.1.0.29\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\System\controlset001\Services\NOF]
"ImagePath"="\"c:\program files\Norton Online\Engine\2.1.0.23\ccSvcHst.exe\" /s \"NOF\" /m \"c:\program files\Norton Online\Engine\2.1.0.23\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,8a,d1,1c,81,10,a8,40,4a,be,6a,24,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,8a,d1,1c,81,10,a8,40,4a,be,6a,24,\
.
[HKEY_USERS\S-1-5-21-1343024091-117609710-1801674531-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-1343024091-117609710-1801674531-1004\Software\SecuROM\License information*]
"datasecu"=hex:ce,c2,78,aa,b5,51,77,1f,d3,a0,3c,68,ef,6a,0a,ad,e3,21,a1,ce,27,
98,3d,9c,ab,03,f6,ff,89,f4,99,c8,e0,41,0d,55,b3,22,57,13,fd,a9,17,74,95,8e,\
"rkeysecu"=hex:13,1f,3d,cf,44,95,01,51,97,52,e9,7b,b2,74,6e,75
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{05f79628-043a-4540-966d-5d0d6fe79dc3}]
@Denied: (Full) (Everyone)
"Model"=dword:00000000
"Therad"=dword:00000001
"MData"=hex(0):26,93,05,e4,b1,c6,ca,a7,8a,15,63,83,81,16,b1,f8,f9,6e,4d,42,d7,
c2,2e,a9,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1bc4aaef-7a74-471d-b3fb-6245602bdec9}]
@Denied: (Full) (Everyone)
"Model"=dword:0000003d
"Therad"=dword:0000001b
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):3d,5e,8b,a6,0a,7c,bf,bd,eb,15,77,1d,4c,38,1f,62,7a,9b,1d,39,bf,
5d,db,c9,4d,20,fa,77,8a,e8,25,be,82,b2,c6,c7,f5,b2,78,8e,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10q_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10q_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1548)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
- - - - - - - > 'explorer.exe'(4044)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.5592_x-ww_179798c8\MSVCR80.dll
c:\program files\Internet Download Manager\IDMShellExt.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2011-05-25 20:04:48 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-26 01:04
.
Pre-Run: 4,147,945,472 bytes free
Post-Run: 3,993,632,768 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=signature(b23bb23b)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
signature(b23bb23b)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=AlwaysOffsignature(b23bb23b)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /TUTag=K0UGB4 noguiboot
signature(b23bb23b)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition (TuneUp Backup)" /noexecute=AlwaysOffsignature(b23bb23b)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /TUTag=K0UGB4-BAK
.
- - End Of File - - 3BB4A0C5D0AD6B0BA4148BAA5F35F6AE

What else we need to do ?

Ken

#6 User is offline   SweetTech 

  • Agent ST
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 12,662
  • Joined: 15-March 09
  • Gender:Male
  • Location:Antarctica

Posted 26 May 2011 - 10:14 AM

Hi Ken!

That's good news! Lets see where we stand after these scans. Be sure to provide me with an update on how things are running after doing the scans outlined below. :)

OTL Fix

We need to run an OTL Fix
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.
    :Services
:OTL

:Reg

:Files
c:\documents and settings\All Users\Application Data\iG28614FpJkJ28614
ipconfig /flushdns /c
:Commands
[CreateRestorePoint]

  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.



NEXT:



Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update have been completed, Select the Scanner tab.
  • Select Perform quick scan, then click on Scan
  • Leave the default options as it is and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Checked (ticked) all items and click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT:



ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.


  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.

  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • When the Computer scan settings display shows, click the Advanced option, the place a check next to the following (if it is not already checked):
    • Enable Anti-Stealth technology

  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as
    ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image



NEXT:



Security Check
Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.

#7 User is offline   ktravers 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 7
  • Joined: 21-May 11

Posted 27 May 2011 - 06:25 PM

Hi ST
Wow scans took along time.
Here is OTL report:
========== SERVICES/DRIVERS ==========
========== OTL ==========
========== REGISTRY ==========
========== FILES ==========
c:\documents and settings\All Users\Application Data\iG28614FpJkJ28614 folder moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Ken\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Ken\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.23.0 log created on 05262011_211338


Here is MBAM Log:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6689

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/26/2011 10:52:48 PM
mbam-log-2011-05-26 (22-52-48).txt

Scan type: Quick scan
Objects scanned: 175807
Time elapsed: 1 hour(s), 16 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\CY08W456F0 (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\GAGEZ8R8ZB (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\GHWAUC6NNZ (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ICS5R7Y0OS (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\administrator\Desktop\rkill.exe (Trojan.BankerBot.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\Ken\application data\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\Ken\application data\data.dat (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\winset.ini (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\Ken\stsf.bat (Malware.Trace) -> Quarantined and deleted successfully.

Here is ESET Log:
C:\Documents and Settings\Ken\Application Data\Uniblue\RegistryBooster\_temp\registrybooster.exe multiple threats
C:\Program Files\GridinSoft Trojan Killer\trojankiller.exe a variant of Win32/1AntiVirus application
C:\Program Files\Uniblue\RegistryBooster\Launcher.exe Win32/RegistryBooster application
C:\Program Files\Uniblue\RegistryBooster\rbmonitor.exe Win32/RegistryBooster application
C:\Program Files\Uniblue\RegistryBooster\rbnotifier.exe Win32/RegistryBooster application
C:\Program Files\Uniblue\RegistryBooster\rb_move_serial.exe Win32/RegistryBooster application
C:\Program Files\Uniblue\RegistryBooster\rb_track_install.exe Win32/RegistryBooster application
C:\Program Files\Uniblue\RegistryBooster\registrybooster.exe Win32/RegistryBooster application
C:\Program Files\Uniblue\SpeedUpMyPC\Launcher.exe Win32/SpeedUpMyPC application
C:\Program Files\Uniblue\SpeedUpMyPC\spmonitor.exe Win32/SpeedUpMyPC application
C:\Program Files\Uniblue\SpeedUpMyPC\spnotifier.exe Win32/SpeedUpMyPC application
C:\Program Files\Uniblue\SpeedUpMyPC\sp_decryptor.exe Win32/SpeedUpMyPC application
C:\Program Files\Uniblue\SpeedUpMyPC\sp_move_serial.exe Win32/SpeedUpMyPC application
C:\Program Files\Uniblue\SpeedUpMyPC\sp_track_install.exe Win32/SpeedUpMyPC application
C:\Program Files\Uniblue\SpeedUpMyPC\sump.exe Win32/SpeedUpMyPC application
C:\System Volume Information\_restore{85E8D79C-1FAE-448E-B521-BB3391736CF3}\RP44\A0022643.dll a variant of Win32/Kryptik.NZL trojan
C:\_OTL\MovedFiles\05252011_191002\C_WINDOWS\opovisidubadi.dll a variant of Win32/Kryptik.NZL trojan
C:\_OTL\MovedFiles\05252011_191002\C_WINDOWS\system32\mfuzi.exe a variant of MSIL/Injector.FN trojan

Here is Security check Log :
Results of screen317's Security Check version 0.99.12
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
ESET Online Scanner v3
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
TuneUp Utilities
TuneUp Utilities Language Pack (en-US)
Java™ 6 Update 23
Out of date Java installed!
Adobe Flash Player 10.3.181.14
Adobe Reader 9.2
Adobe Reader 9.4.4
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent
Norton ccSvcHst.exe
``````````End of Log````````````


If I don't hear from you, Have a great holiday weekend !
Ken

#8 User is offline   SweetTech 

  • Agent ST
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 12,662
  • Joined: 15-March 09
  • Gender:Male
  • Location:Antarctica

Posted 27 May 2011 - 06:34 PM

Hi Ken!

Yes, the ESET scan can take a bit of time to run. We seem to be making some progress.

I want to point out that your MBAM log is showing a couple of entries that have the ability to steal your data. Please not the following in regards to that:

Posted Image One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to appraise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.



NEXT:



You have RegistryBooster & SpeedUpMyPC installed. I'm not going to lie to you, I'm not a big fan of these utilities at all! They tend to cause way more issues than they can ever solve. I'd recommend removing them.


These 3 items below are currently in quarantine/system restore and will be removed once we clean-up our tools later.

C:\System Volume Information\_restore{85E8D79C-1FAE-448E-B521-BB3391736CF3}\RP44\A0022643.dll a variant of Win32/Kryptik.NZL trojan
C:\_OTL\MovedFiles\05252011_191002\C_WINDOWS\opovisidubadi.dll a variant of Win32/Kryptik.NZL trojan
C:\_OTL\MovedFiles\05252011_191002\C_WINDOWS\system32\mfuzi.exe a variant of MSIL/Injector.FN trojan


Update Adobe Reader
Earlier versions of Adobe Reader have known security flaws so it is recommended that you update your copy
  • Go to Start > Control Panel > Add/Remove Programs
  • Remove ALL instances of Adobe Reader
  • Re-boot your computer as required.
  • Once ALL versions of Adobe Reader have been uninstalled, visit: <<here>> and download the latest version of Adobe Reader
Alternative Option: after uninstalling Adobe Reader, you could try installing Foxit Reader from >here< Foxit Reader has fewer add-ons therefore loads more quickly.



NEXT:



Java Outdated
Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select your OS and Platform.
    • 32-bit Select: Windows x86 Offline.
    • 64-bit Select: Windows x64.

  • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.

Go to Posted Image > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u25-windows-i586.exe to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.

-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.



NEXT



OTL Custom Scan

We need to run an OTL Custom Scan
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.


    netsvcs
    drivers32
    hklm\software\clients\startmenuinternet|command /rs
    %USERPROFILE%\AppData\Local\Google\Chrome\User Data\*.* /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs


  • Push the Posted Image button.
  • A report will open. Copy and Paste that report in your next reply.



NEXT:



What outstanding issues (if any) are you still experiencing with your computer?

P.S. Enjoy your Holiday weekend! :)
Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.

#9 User is offline   SweetTech 

  • Agent ST
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 12,662
  • Joined: 15-March 09
  • Gender:Male
  • Location:Antarctica

Posted 31 May 2011 - 11:16 AM

Do you still need help with your machine?

If the instructions are unclear or something isn't working, please let me know before proceeding.
Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.

#10 User is offline   ktravers 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 7
  • Joined: 21-May 11

Posted 31 May 2011 - 04:15 PM

Hey ST
Seems my PC decided to solve the problem itself it crashed friday night and i spent Saturday and most of Monday getting a new harddrive and reloading XP. Thank You for all your excellent help it is very much appreciated. One last question: can you suggest an antivirus program or whatever you think is best to protect my pc? right now i have Norton Security Suite it came free with my Comcast. I have put parental controls on my son's account he is 9 and doesn't go surfing ...yet. Mostly Disney.com and Nick.com but I put them there anyway. Again thank you for trying to help i truly appreciate your efforts.

Ken

#11 User is offline   SweetTech 

  • Agent ST
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 12,662
  • Joined: 15-March 09
  • Gender:Male
  • Location:Antarctica

Posted 31 May 2011 - 05:17 PM

Hi Ken!

Sadly, that does happen from time to time, but on the plus side, you're starting with a new hard drive, and a clean computer. :)

I'll provide you with my usual speech for when my users are all clean. There is a section that covers Anti-Virus program recommendations in it.

All Clean Speech

===> Make sure you've re-enabled any Security Programs that we may have disabled during the malware removal process. <===



Below I have included a number of recommendations for how to protect your computer against malware infections.


Updated Anti-Virus Program
It's essential that you have an updated anti-virus program running on your computer. You don't want to run more than one as it can cause program conflicts, as well as false positives

You can view an excellent list of Free Security Software programs that has been compiled by GeekstoGo.


Avoid P2P Programs

Remember that no matter how clean the program you're using for peer-to-peer filesharing may be, it offers no guarantees regarding the cleanliness of files you may choose to download. All files available via p2p filesharing carry a high risk, particularly those that offer you illegitimate methods of using legitimate software programs without paying for them. Some further readings on this subject, along the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

If you have any of these programs installed then I highly suggest you uninstall them.

NOTE: Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.


Internet Browsers

Many of the users that I assist here on the forums, ask me which programs they can use to prevent themselves from getting infected again in the future. The best answer I can give you is too practice safe browsing.

Please consider using an alternative browser such as Google Chrome or Opera. They are both much more secure than Internet Explorer, immune to almost all known browser hijackers, and also have great built-in pop-up blockers.

I also suggest you make your Internet Explore more secure.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.



Extra Goodies

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them     then consider a password keeper, to keep all your passwords safe.

  • Keep Windows updated by regularly checking their website at: http://windowsupdate.microsoft.com/
    This will ensure your computer has always the latest security updates available installed on your computer.

  • You should run an updated scan with MalwareBytes' Anti-Malware weekly. Instructions are included below:

    • Open Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Check for Updates


  • Be weary of e-mails from unknown senders. Keep the following in mind as well: If it's to good to be true, then it more than likely is.


  • FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated. Its important to keep programs up to date so that malware doesn't exploit any old security flaws.

  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for Chrome and Opera.

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

Cheers,
SweetTech.
Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.

#12 User is offline   ktravers 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 7
  • Joined: 21-May 11

Posted 01 June 2011 - 08:47 PM

Hey ST !

True new and clean is nice !
Thanks for the all the help and advice all reccommendations taken and installed. I installed Opera and I must say I have always used IE never tried anything else, but opera is pretty cool ! So off I go sailing into webland a little poorer but alot wiser.

Thank you my friend
May all your days be, at the very least, fun !

Thank you
Kenny

#13 User is offline   SweetTech 

  • Agent ST
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 12,662
  • Joined: 15-March 09
  • Gender:Male
  • Location:Antarctica

Posted 02 June 2011 - 10:07 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users