
Just want to check that my system is now clean.


  • This topic is locked
20 replies to this topic

#1 Nick1979

Nick1979

  • Members
  • 15 posts
  • Gender:Male
  • Location:London, UK

Posted 18 October 2008 - 04:01 PM

Hi,

Last week my computer was infected by a virus which replaced my desktop image with a sign saying that the computer was infected and that I should get some anti-spyware software. My virus-scanner, ClamWin, identified the virus as Trojan.Buzus-3140. I immediately disconnected from the internet, and spent the next couple of days running repeated scans using software recommended elsewhere on this site (Spybot S&D, Ad-Aware, Malwarebytes, HouseCall, RootKit Revealer, Microsoft Malicious Software Removal tool and Stinger). Repeated scans turned up a few more suspicious-looking files lurking on the system. Now, many scans later, I finally seem to have removed everything suspicious, and Spybot S&D, Ad-Aware, and Malwarebytes are all finding no remaining malware. But for peace of mind, I'd very much appreciate it if someone would take a look at my HijackThis log, and just confirm that everything seems to be in order (or, if that's not possible, tell me whether there's any way of being sure an infection is fully removed).

Many thanks,

Nick

====

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:44:20, on 18/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Acer\Empowering Technology\admtray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Novation\USB Audio Driver\nvnusbaudiolog.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Documents and Settings\Nick F\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\DOCUME~1\NICKF~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [NvnUsbAudioLogger] "C:\Program Files\Novation\USB Audio Driver\nvnusbaudiolog.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Nick F\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194207050781
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194207041109
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 8752 bytes
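
The check a helper does by eye on a HijackThis log (process list, IE R0/R1 settings, O4 autoruns, O6 policies, O15/O16 browser entries, O20 AppInit_DLLs, O23 services) can be partly scripted so the reviewer's attention goes to the few entries worth verifying. The block below is an added example written for this page; it is not code from HijackThis, BleepingComputer or anyone in the thread. The sample log is a constructed subset of the log above, and the host allowlist and the "Temp directory" heuristic are this example's own assumptions. A finding is a prompt to confirm a file's publisher and location, not a verdict: the Temp-directory process it flags here, RtkBtMnt.exe, is shown later in the thread by OTViewIt as a Realtek binary.

```python
"""Triage pass over a Trend Micro HijackThis v2 log (added example for this
thread, not part of HijackThis or of any tool used by the helpers here)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample: a subset of the lines from the log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\DOCUME~1\NICKF~1\LOCALS~1\Temp\RtkBtMnt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194207050781
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
"""

# Hosts a default Windows XP / IE7 install legitimately points at
# (constructed allowlist for this example; add OEM homepages as needed).
EXPECTED_HOSTS = {"go.microsoft.com", "www.update.microsoft.com",
                  "download.windowsupdate.com", "global.acer.com"}
# Per-user scratch locations; "\temp\" also matches the 8.3 form LOCALS~1\Temp.
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\")


@dataclass
class Finding:
    kind: str    # HijackThis section, or "Process" for the process list
    reason: str  # what the reviewer should confirm
    line: str    # the original log line


def parse_hjt(text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return the running-process paths and the (section, body) entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
        elif in_procs:
            in_procs = False  # a blank line closes the process block
        else:
            m = re.match(r"^([RFO]\d{1,2}) - (.*)$", line)
            if m:
                entries.append((m.group(1), m.group(2)))
    return processes, entries


def in_temp(path: str) -> bool:
    return any(marker in path.lower() for marker in TEMP_MARKERS)


def url_host(url: str) -> Optional[str]:
    parsed = urlparse(url.strip())
    return parsed.hostname if parsed.scheme in ("http", "https") else None


def o4_target(body: str) -> str:
    """Extract the launched file from 'HKLM\\..\\Run: [Name] "C:\\x.exe" /flag'
    or from a Startup-folder entry 'Global Startup: x.lnk = C:\\x.exe'."""
    if "] " in body:
        cmd = body.split("] ", 1)[1].strip()
    elif " = " in body:
        cmd = body.split(" = ", 1)[1].strip()
    else:
        cmd = body.strip()
    if cmd.startswith('"'):  # quoted path: take everything up to the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.(?:exe|com|bat|cmd|scr|pif|dll))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def triage(text: str) -> List[Finding]:
    """Apply the review heuristics; each Finding asks for a manual check of
    the file's publisher and location, it is not a verdict of infection."""
    processes, entries = parse_hjt(text)
    out: List[Finding] = []
    for path in processes:
        if in_temp(path):
            out.append(Finding("Process", "runs from a Temp directory; verify publisher and purpose", path))
    for kind, body in entries:
        line = f"{kind} - {body}"
        if kind in ("R0", "R1", "O15", "O16"):
            url = body.split("=", 1)[-1] if kind[0] == "R" else body.rsplit(" ", 1)[-1]
            host = url_host(url)
            if host and host not in EXPECTED_HOSTS:
                out.append(Finding(kind, f"points at unexpected host {host}", line))
        elif kind == "O4":
            target = o4_target(body)
            if in_temp(target):
                out.append(Finding(kind, "autorun launches a file from a Temp directory", line))
            elif "\\" not in target:
                out.append(Finding(kind, "bare file name: the search path decides which file runs; confirm location", line))
        elif kind == "O6":
            out.append(Finding(kind, "IE policy restrictions: set by anti-spyware lock options, but also by malware", line))
        elif kind == "O20":
            out.append(Finding(kind, "AppInit_DLLs loads into every user-mode process; verify DLL publisher", line))
        elif kind == "O23" and " - Unknown owner - " in body:
            out.append(Finding(kind, "service binary has no company name in its version info; verify by hand", line))
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

Run against the sample it reports five entries to look at and stays silent on the Microsoft and Windows Update URLs, the quoted ClamWin autorun and the rpcapd service, which is the same split a human reviewer makes before declaring a log clean.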



#2 Nick1979

Nick1979
  • Topic Starter

  • Members
  • 15 posts
  • Gender:Male
  • Location:London, UK

Posted 22 October 2008 - 02:44 PM

Hello? Anyone there?

Again, I'd be really, really grateful if someone could spare the time to take a quick look at this log & let me know if there's still anything on my system I should be suspicious of...

Many thanks,

Nick

#3 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 22 October 2008 - 03:36 PM

Hello Nick.

Sorry for the delay in getting to your topic. There are a couple hundred waiting to be answered.

From just that HijackThis log, you are clean, but let's look deeper, just in case.


Update Java to Version 6 Update 10
First let's do some updating.

Your current version of Java is outdated. Malware creators can exploit the lesser security of older versions. Please uninstall your current version through Add/Remove Programs. Remove all instances of Java, J2SE Runtime, Java Runtime, and Java Runtime Environment. Restart your computer after uninstalling.

Please then install the latest Java, JDK 6 Update 10 from this page. Follow the prompts and select the appropriate settings for your machine (most likely "Windows"). Click on the "Required File" jdk-6u10-windows-i586-p.exe to download the installer. Double click the installer to run. Delete the installer after use.


Download and Run OTViewIt
  • Please download OTViewIt by OldTimer to your desktop.
  • Double click on the OTViewIt.exe icon on your desktop. If you are using Windows Vista, right click the icon and select Run as Administrator.
  • Check both the Scan All Users and Use Whitelist checkboxes. Set the File Age to 30 days.
  • Click on the Run Scan button. Two reports that are located in the same location as OTViewIt will open.
    OTViewIt.txt <-- Will be opened
    Extra.txt <-- Will be minimized. A new Extra.txt will not be created if one exists already.
  • Copy and Paste the logs into your next reply.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer Only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.


Please post back with:
-the OTViewIt logs
-the Kaspersky log
-a new HijackThis log

Could you tell me if you are experiencing any symptoms of the infection?

With Regards,
The Panda

#4 Nick1979

Nick1979
  • Topic Starter

  • Members
  • 15 posts
  • Gender:Male
  • Location:London, UK

Posted 22 October 2008 - 05:58 PM

Thanks so much for getting back to me. Sorry if I seemed impatient - I was just worried that my original post might have disappeared off the radar by now.

I'll follow the steps you suggest and post those logs as soon as possible (probably tomorrow, because it's probably too late here for me to do it all tonight).

Before I do, though, I had one quick question. Is it definitely necessary for me to install the Java Developer's Kit, or can I get away with just installing the latest Runtime Environment? The JDK is a lot bigger, and since I'm not a Java developer I wonder if it's necessary.

As for possible symptoms - the only things that seem any different from before is that my system is possibly a shade slower (though I guess that could be because of the firewall software which I've now installed - before I was just using Windows Firewall), and also the Windows Explorer context menu "open with jEdit" that used to allow me to open files with the jEdit text editor no longer works. I suspect that possibly one of the malware-removal tools that I ran might have misdiagnosed the relevant shell extension entries and removed them from the registry.

Once again, many thanks for your help.

Nick

#5 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 22 October 2008 - 06:07 PM

Hello Nick.

Don't worry, topics don't disappear. We have this thing that sees the unanswered ones and we pick up the older ones first.

No, you can just install the runtime environment.

If it's just slowness, we can try to free up some memory later.

With Regards,
The Panda

#6 Nick1979

Nick1979
  • Topic Starter

  • Members
  • 15 posts
  • Gender:Male
  • Location:London, UK

Posted 26 October 2008 - 01:33 PM

Hello again PropagandaPanda.

Sorry about the delay there.

I've now run all those tests - OTViewIt, Kaspersky Online Scanner, and then HijackThis again - and I'll paste the results below.

As for symptoms - I don't know whether it's likely to be because of a virus infection, or whether it might be due to entries removed from the registry by one of the many bits of anti-malware software I've run, but behaviour of the context menu 'Open in...' option has become erratic. It's not just the 'Open in jEdit' option, but 'add to playlist' of media files also now only works intermittently.

Other than that, there have been a few sudden slowdowns, but that could just be normal Windows oddness. In particular, it took several attempts to get Kaspersky Online Scanner to work - it seemed to get stuck scanning the system the first couple of times. Again - possibly just a problem with the Scanner rather than anything sinister, I guess.

Anyway, here are those logs. Once again, many thanks for your help.

Nick

====

OTViewIt logfile created on: 26/10/2008 18:20:15 - Run 2
OTViewIt by OldTimer - Version 1.0.17.0 Folder = C:\Documents and Settings\Nick F\Desktop\anti-malware
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1014.04 Mb Total Physical Memory | 689.86 Mb Available Physical Memory | 68.03% Memory free
2.39 Gb Paging File | 1.98 Gb Available in Paging File | 83.16% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 35.06 Gb Total Space | 9.69 Gb Free Space | 27.65% Space Free | Partition Type: FAT32
Drive D: | 35.55 Gb Total Space | 19.85 Gb Free Space | 55.83% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: NICKLAPTOP
Current User Name: Nick F
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2005/11/28 11:29:00 | 00,114,753 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
[2005/11/28 11:31:32 | 00,540,745 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
[2008/10/16 21:04:04 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
[2005/10/24 16:40:52 | 01,314,816 | ---- | M] (Avocent Inc.) -- C:\Acer\Empowering Technology\admServ.exe
[2005/11/28 13:52:00 | 00,077,824 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
[2005/11/28 13:55:00 | 00,118,784 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe
[2005/12/19 14:52:52 | 15,797,248 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.EXE
[2005/10/19 09:30:16 | 00,069,632 | ---- | M] (HiTRUST) -- C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
[2006/01/17 18:28:54 | 00,344,064 | ---- | M] (Acer Incorporated) -- C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
[2006/01/24 18:00:08 | 00,397,312 | ---- | M] (acer Inc.) -- C:\Acer\Empowering Technology\eRecovery\Monitor.exe
[2005/10/24 16:45:32 | 02,462,208 | ---- | M] (Avocent Inc.) -- C:\Acer\Empowering Technology\admtray.exe
[2007/05/22 17:04:02 | 00,007,168 | ---- | M] (Novation DMS Ltd.) -- C:\Program Files\Novation\USB Audio Driver\nvnusbaudiolog.exe
[2005/12/13 21:31:36 | 00,254,050 | ---- | M] () -- C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
[2008/10/16 15:35:04 | 00,519,936 | ---- | M] () -- C:\Program Files\COMODO\Firewall\cmdagent.exe
[2008/10/16 15:35:02 | 01,655,552 | ---- | M] () -- C:\Program Files\COMODO\Firewall\cfp.exe
[2005/12/13 21:31:08 | 00,061,440 | ---- | M] (Cyberlink) -- C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
[2008/09/03 18:17:22 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Nick F\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
[2005/12/13 21:31:08 | 01,077,376 | ---- | M] (Cyberlink) -- C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
[2008/10/23 19:37:22 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
[2007/07/25 15:07:08 | 00,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[2005/11/28 11:28:14 | 00,217,164 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
[2004/09/22 18:46:10 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe
[2005/12/13 21:31:38 | 00,114,784 | ---- | M] () -- C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
[2008/04/14 01:12:40 | 00,218,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
[2008/04/14 01:12:42 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe
[2005/02/11 11:06:44 | 00,500,224 | ---- | M] (Realtek Semiconductor Corp.) -- C:\DOCUME~1\NICKF~1\LOCALS~1\Temp\RtkBtMnt.exe
[2004/08/04 05:00:00 | 00,016,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\unsecapp.exe
[2008/04/14 01:12:40 | 00,218,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
[2008/08/14 15:52:32 | 00,098,816 | ---- | M] (Opera Software) -- C:\Program Files\Opera\Opera.exe
[2008/10/22 21:46:40 | 00,421,888 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Nick F\Desktop\anti-malware\OTViewIt.exe

========== (O23) Win32 Services ==========

[2008/10/16 21:04:04 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice [Auto | Running])
File not found -- -- (aspnet_state [On_Demand | Stopped])
[2005/10/24 16:40:52 | 01,314,816 | ---- | M] (Avocent Inc.) -- C:\Acer\Empowering Technology\admServ.exe -- (AWService [Auto | Running])
[2005/12/13 21:31:36 | 00,254,050 | ---- | M] () -- C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe -- (CLCapSvc [Auto | Running])
[2005/12/13 21:31:38 | 00,114,784 | ---- | M] () -- C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe -- (CLSched [Auto | Running])
[2008/10/16 15:35:04 | 00,519,936 | ---- | M] () -- C:\Program Files\COMODO\Firewall\cmdagent.exe -- (cmdAgent [Auto | Running])
[2005/12/13 21:31:08 | 00,061,440 | ---- | M] (Cyberlink) -- C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe -- (CyberLink Media Library Service [Auto | Running])
[2005/11/28 11:29:00 | 00,114,753 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng [Auto | Running])
[2007/02/04 23:45:46 | 00,138,168 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])
[2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
[2008/10/23 19:37:22 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
[2005/11/28 11:28:14 | 00,217,164 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc [Auto | Running])
[2005/01/21 19:37:16 | 00,143,360 | ---- | M] () -- C:\Program Files\CyberLink\Shared Files\RichVideo.exe -- (RichVideo [Disabled | Stopped])
[2005/11/28 11:31:32 | 00,540,745 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor [Auto | Running])
[2004/09/22 18:46:10 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe -- (UMWdf [Auto | Running])
[2007/10/25 15:27:54 | 00,266,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc [On_Demand | Stopped])

========== Driver Services ==========

[2006/06/15 04:28:26 | 00,021,275 | ---- | M] (Meetinghouse Data Communications) -- C:\WINDOWS\system32\DRIVERS\AegisP.sys -- (AegisP [Auto | Running])
[2004/08/04 05:00:00 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde [Disabled | Stopped])
[2008/04/13 19:36:40 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp [Disabled | Stopped])
[2004/08/04 05:00:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc [Disabled | Stopped])
[2004/08/04 05:00:00 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550 [Disabled | Stopped])
[2005/10/31 14:16:00 | 00,045,312 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys -- (bcm4sbxp [On_Demand | Running])
[2005/12/06 00:16:14 | 00,005,273 | ---- | M] (Arrowkey) -- C:\Program Files\Quintessential Player\cdrpdacc.sys -- (CDRPDACC [Auto | Running])
[2008/10/16 15:35:04 | 00,087,056 | ---- | M] (COMODO) -- C:\WINDOWS\System32\DRIVERS\cmdguard.sys -- (cmdGuard [System | Running])
[2008/10/16 15:35:04 | 00,024,208 | ---- | M] (COMODO) -- C:\WINDOWS\System32\DRIVERS\cmdhlp.sys -- (cmdHlp [System | Running])
[2004/08/04 05:00:00 | 00,006,656 | ---- | M] (CMD Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde [Disabled | Stopped])
[2004/08/04 05:00:00 | 00,179,584 | ---- | M] (Mylex Corporation) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k [Disabled | Stopped])
[2004/12/08 14:10:00 | 00,016,896 | ---- | M] (Dritek System Inc.) -- C:\WINDOWS\system32\DRIVERS\DKbFltr.sys -- (DKbFltr [On_Demand | Running])
[2005/11/17 17:20:02 | 00,060,928 | ---- | M] (ENE Technology Inc.) -- C:\WINDOWS\system32\DRIVERS\EMS7SK.sys -- (EMSCR [On_Demand | Stopped])
[2005/04/22 16:57:06 | 00,004,096 | ---- | M] (Acer Value Labs, USA) -- C:\WINDOWS\system32\drivers\epm-psd.sys -- (EpmPsd [Auto | Running])
[2005/04/22 16:57:06 | 00,078,208 | ---- | M] (Acer Value Labs, USA) -- C:\WINDOWS\system32\drivers\epm-shd.sys -- (EpmShd [Auto | Running])
[2005/11/17 17:20:12 | 00,037,888 | ---- | M] (ENE Technology Inc.) -- C:\WINDOWS\system32\DRIVERS\ESD7SK.sys -- (ESDCR [On_Demand | Stopped])
[2005/11/17 17:20:08 | 00,074,624 | ---- | M] (ENE Technology Inc.) -- C:\WINDOWS\system32\DRIVERS\ESM7SK.sys -- (ESMCR [On_Demand | Stopped])
[2008/04/13 17:36:06 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
[2005/10/24 10:20:52 | 00,218,496 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys -- (HSFHWAZL [On_Demand | Running])
[2005/10/18 16:53:24 | 00,998,656 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys -- (HSF_DPV [On_Demand | Running])
[2005/11/28 14:20:00 | 01,353,820 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\ialmnt5.sys -- (ialm [On_Demand | Running])
[2008/10/16 15:35:04 | 00,079,760 | ---- | M] (COMODO) -- C:\WINDOWS\System32\DRIVERS\inspect.sys -- (Inspect [Boot | Running])
[2005/12/19 17:37:42 | 04,127,232 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Running])
[2008/04/13 19:39:48 | 00,014,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\kbdhid.sys -- (kbdhid [System | Stopped])
[2005/10/05 15:57:08 | 00,012,544 | ---- | M] (Conexant) -- C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys -- (mdmxsdk [Auto | Running])
[2004/08/04 05:00:00 | 00,017,280 | ---- | M] (American Megatrends Inc.) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x [Disabled | Stopped])
[2005/09/13 15:34:40 | 00,004,392 | ---- | M] (OSA Technologies) -- C:\WINDOWS\System32\Drivers\NdisFilt.sys -- (NdisFilt [On_Demand | Running])
[2005/05/02 12:13:42 | 00,009,600 | ---- | M] () -- C:\WINDOWS\system32\DRIVERS\NETMNT.sys -- (NETMNT [On_Demand | Stopped])
[2005/08/03 05:10:14 | 00,032,512 | ---- | M] (CACE Technologies) -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF [On_Demand | Stopped])
[2005/01/21 12:10:38 | 00,006,144 | ---- | M] (NewTech Infosystems, Inc.) -- C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys -- (NTIDrvr [On_Demand | Running])
[2007/05/22 17:04:02 | 00,025,600 | ---- | M] (Novation DMS Ltd.) -- C:\WINDOWS\system32\drivers\nvnusbaudio.sys -- (NvnUsbAudio [On_Demand | Stopped])
[2005/10/15 18:20:44 | 00,012,106 | ---- | M] (OSA Technologies) -- C:\WINDOWS\system32\drivers\OsaFsLoc.sys -- (OsaFsLoc [System | Running])
[2005/06/30 16:58:24 | 00,007,296 | ---- | M] (OSA Technologies, An Avocent Company) -- C:\WINDOWS\system32\drivers\osaio.sys -- (osaio [Auto | Running])
[2005/01/14 15:57:16 | 00,004,010 | ---- | M] (Windows ® 2000 DDK provider) -- C:\WINDOWS\system32\drivers\osanbm.sys -- (osanbm [Auto | Running])
[2006/10/27 15:29:38 | 00,010,368 | ---- | M] (Padus, Inc.) -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc [On_Demand | Running])
[2004/08/04 05:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
[2007/03/07 23:51:00 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
[2004/08/04 05:00:00 | 00,040,320 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080 [Disabled | Stopped])
[2004/08/04 05:00:00 | 00,045,312 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160 [Disabled | Stopped])
[2004/08/04 05:00:00 | 00,049,024 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280 [Disabled | Stopped])
[2006/09/28 05:56:20 | 00,172,401 | ---- | M] (Roland Corporation) -- C:\WINDOWS\system32\Drivers\rdwm1046.sys -- (RDID1046 [On_Demand | Stopped])
[2005/11/28 12:09:26 | 00,013,568 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\s24trans.sys -- (s24trans [Auto | Running])
[2008/04/13 19:36:44 | 00,079,232 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\sdbus.sys -- (sdbus [On_Demand | Stopped])
[2006/04/28 17:24:42 | 00,061,600 | ---- | M] (MCCI) -- C:\WINDOWS\system32\DRIVERS\SE27bus.sys -- (SE27bus [On_Demand | Stopped])
[2006/04/28 17:25:40 | 00,009,360 | ---- | M] (MCCI) -- C:\WINDOWS\system32\DRIVERS\SE27mdfl.sys -- (SE27mdfl [On_Demand | Stopped])
[2006/04/28 17:25:44 | 00,097,184 | ---- | M] (MCCI) -- C:\WINDOWS\system32\DRIVERS\SE27mdm.sys -- (SE27mdm [On_Demand | Stopped])
[2006/04/28 17:26:46 | 00,088,688 | ---- | M] (MCCI) -- C:\WINDOWS\system32\DRIVERS\SE27mgmt.sys -- (SE27mgmt [On_Demand | Stopped])
[2006/04/28 17:27:48 | 00,086,560 | ---- | M] (MCCI) -- C:\WINDOWS\system32\DRIVERS\SE27obex.sys -- (SE27obex [On_Demand | Stopped])
[2006/04/28 17:24:00 | 00,090,800 | ---- | M] (MCCI) -- C:\WINDOWS\system32\DRIVERS\se27unic.sys -- (se27unic [On_Demand | Stopped])
[2007/11/13 10:25:54 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2008/04/13 19:36:40 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp [Disabled | Stopped])
[2004/06/16 11:19:58 | 00,046,080 | ---- | M] (SMSC) -- C:\WINDOWS\system32\DRIVERS\smcirda.sys -- (SMCIRDA [On_Demand | Stopped])
[2001/08/17 13:56:16 | 00,007,552 | ---- | M] (Sony Corporation) -- C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS -- (SONYPVU1 [On_Demand | Stopped])
[2004/08/04 05:00:00 | 00,019,072 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow [Disabled | Stopped])
[2004/08/04 05:00:00 | 00,016,256 | ---- | M] (Symbios Logic Inc.) -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810 [Disabled | Stopped])
[2004/08/04 05:00:00 | 00,032,640 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx [Disabled | Stopped])
[2004/08/04 05:00:00 | 00,028,384 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi [Disabled | Stopped])
[2004/08/04 05:00:00 | 00,030,688 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3 [Disabled | Stopped])
[2005/07/20 14:53:54 | 00,190,592 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\system32\DRIVERS\SynTP.sys -- (SynTP [On_Demand | Running])
[2004/12/17 16:14:44 | 00,013,952 | ---- | M] () -- C:\WINDOWS\System32\drivers\UBHelper.sys -- (UBHelper [Boot | Running])
[2004/08/04 05:00:00 | 00,036,736 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra [Disabled | Stopped])
[2005/12/04 09:55:30 | 01,428,096 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\DRIVERS\w39n51.sys -- (w39n51 [On_Demand | Running])
[2005/10/18 16:52:30 | 00,721,280 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys -- (winachsf [On_Demand | Running])
[2008/04/13 19:36:38 | 00,008,832 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\wmiacpi.sys -- (WmiAcpi [System | Running])
[2005/01/13 14:46:16 | 00,069,632 | ---- | M] () -- C:\Acer\Empowering Technology\eRecovery\int15.sys -- (int15.sys [Auto | Running])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://go.microsoft.com/fwlink/?LinkId=69157
"Default_Search_URL"=http://go.microsoft.com/fwlink/?LinkId=54896
"Default_Secondary_Page_URL"=
"Extensions Off Page"=about:NoAdd-ons
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Security Risk Page"=about:SecurityRisk
"Start Page"=http://go.microsoft.com/fwlink/?LinkId=69157

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"Default_Search_URL"=http://www.google.com/ie
"SearchAssistant"=http://www.google.com/ie

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.google.com
"SearchMigratedDefaultName"=Google
"SearchMigratedDefaultURL"=http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
"Start Page"=about:blank

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"=http://www.google.com/ie

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
""=http://www.google.com/search?q=%s

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-21-3491692550-1241253617-669659899-1006\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.google.com
"SearchMigratedDefaultName"=Google
"SearchMigratedDefaultURL"=http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
"Start Page"=about:blank

[HKEY_USERS\S-1-5-21-3491692550-1241253617-669659899-1006\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"=http://www.google.com/ie

[HKEY_USERS\S-1-5-21-3491692550-1241253617-669659899-1006\Software\Microsoft\Internet Explorer\SearchURL]
""=http://www.google.com/search?q=%s

[HKEY_USERS\S-1-5-21-3491692550-1241253617-669659899-1006\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-3491692550-1241253617-669659899-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

HOSTS File = (267617 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
9265 more lines...

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (HKLM) -- C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} (HKLM) -- C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
{53707962-6F74-2D53-2644-206D7942484F} (HKLM) -- C:\PROGRA~1\SPYBOT~1\SDHelper.dll (Safer Networking Limited)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
{AA58ED58-01DD-4d91-8333-CF10577473F7} (HKLM) -- c:\program files\google\googletoolbar3.dll (Google Inc.)
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (HKLM) -- C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll (Google Inc.)
{DBC80044-A445-435b-BC74-9C25C1C588A9} (HKLM) -- C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
{E7E6F031-17CE-4C07-BC86-EABFE594F69C} (HKLM) -- C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)

========== (O3) Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" (HKLM) -- c:\program files\google\googletoolbar3.dll (Google Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" (HKLM) -- c:\program files\google\googletoolbar3.dll (Google Inc.)

[HKEY_USERS\S-1-5-21-3491692550-1241253617-669659899-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" (HKLM) -- c:\program files\google\googletoolbar3.dll (Google Inc.)

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acer ePower Management"=C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot (Acer Value Labs, Taiwan)
"ADMTray.exe"="C:\Acer\Empowering Technology\admtray.exe" (Avocent Inc.)
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
"ClamWin"="C:\Program Files\ClamWin\bin\ClamTray.exe" --logon (alch)
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" -h ()
"eDataSecurity Loader"=C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe (HiTRUST)
"ePower_DMC"=C:\Acer\Empowering Technology\ePower\ePower_DMC.exe (Acer Incorporated)
"eRecoveryService"=C:\Acer\Empowering Technology\eRecovery\Monitor.exe (acer Inc.)
"igfxhkcmd"=C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
"igfxpers"=C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 (Microsoft Corporation)
"MSPY2002"=C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC ()
"NvnUsbAudioLogger"="C:\Program Files\Novation\USB Audio Driver\nvnusbaudiolog.exe" (Novation DMS Ltd.)
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName (Microsoft Corporation)
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC (Microsoft Corporation)
"RTHDCPL"=RTHDCPL.EXE (Realtek Semiconductor Corp.)
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="C:\Documents and Settings\Nick F\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (Google Inc.)
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)

[HKEY_USERS\S-1-5-21-3491692550-1241253617-669659899-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="C:\Documents and Settings\Nick F\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (Google Inc.)
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)

========== (O4) Startup Folders ==========

[1999/11/04 15:06:48 | 00,113,664 | ---- | M] (Adobe Systems, Inc.) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

========== (O6 & O7) Current Version Policies ==========

[HKEY_CURRENT_USER\Software\policies\microsoft\internet explorer\Control Panel]
"Homepage"=0

[HKEY_CURRENT_USER\Software\policies\microsoft\internet explorer\Restrictions]
"NoBrowserOptions"=1

[HKEY_USERS\S-1-5-21-3491692550-1241253617-669659899-1006\Software\policies\microsoft\internet explorer\Control Panel]
"Homepage"=0

[HKEY_USERS\S-1-5-21-3491692550-1241253617-669659899-1006\Software\policies\microsoft\internet explorer\Restrictions]
"NoBrowserOptions"=1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145
"NoStrCmpLogical"=01 00 00 00 [binary data]
"NoDriveAutoRun"=10 00 00 00 [binary data]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"NoDispBackgroundPage"=0
"NoDispScrSavPage"=0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=91 00 00 00 [binary data]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=91 00 00 00 [binary data]

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-3491692550-1241253617-669659899-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145
"NoStrCmpLogical"=01 00 00 00 [binary data]
"NoDriveAutoRun"=10 00 00 00 [binary data]

[HKEY_USERS\S-1-5-21-3491692550-1241253617-669659899-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"NoDispBackgroundPage"=0
"NoDispScrSavPage"=0

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}: Menu: Spybot - Search & Destroy Configuration -- %SystemDrive%\PROGRA~1\SPYBOT~1\SDHelper.dll [2008/09/15 14:25:44 | 01,562,960 | ---- | M] (Safer Networking Limited)
{e2e2dd38-d088-4134-82b7-f2ba38496583}: Menu: @xpsp3res.dll,-20001 -- %SystemRoot%\Network Diagnostic\xpnetdiag.exe [2008/04/13 19:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008/04/14 01:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008/04/14 01:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> [Reg Error: Value does not exist or could not be read.] -> File not found
CmdMapping\\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} [HKLM] -> %SystemDrive%\PROGRA~1\SPYBOT~1\SDHelper.dll [Spybot - Search & Destroy Configuration] -> [2008/09/15 14:25:44 | 01,562,960 | ---- | M] (Safer Networking Limited)
CmdMapping\\{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> %SystemRoot%\Network Diagnostic\xpnetdiag.exe [@xpsp3res.dll,-20001] -> [2008/04/13 19:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 01:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> [Reg Error: Value does not exist or could not be read.] -> File not found
CmdMapping\\{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> %SystemRoot%\Network Diagnostic\xpnetdiag.exe [@xpsp3res.dll,-20001] -> [2008/04/13 19:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 01:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> [Reg Error: Value does not exist or could not be read.] -> File not found
CmdMapping\\{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> %SystemRoot%\Network Diagnostic\xpnetdiag.exe [@xpsp3res.dll,-20001] -> [2008/04/13 19:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 01:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-3491692550-1241253617-669659899-1006\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> [Reg Error: Value does not exist or could not be read.] -> File not found
CmdMapping\\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} [HKLM] -> %SystemDrive%\PROGRA~1\SPYBOT~1\SDHelper.dll [Spybot - Search & Destroy Configuration] -> [2008/09/15 14:25:44 | 01,562,960 | ---- | M] (Safer Networking Limited)
CmdMapping\\{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> %SystemRoot%\Network Diagnostic\xpnetdiag.exe [@xpsp3res.dll,-20001] -> [2008/04/13 19:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 01:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
46 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
microsoft.com\*.update: http in My Computer
microsoft.com\*.update: https in Local intranet
windowsupdate.com\download: http in My Computer
49 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
47 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
47 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
105 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
105 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-21-3491692550-1241253617-669659899-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
microsoft.com\*.update: http in My Computer
microsoft.com\*.update: https in Local intranet
windowsupdate.com\download: http in My Computer
49 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{6414512B-B978-451D-A0D8-FCFDF33E833C}: http://www.update.microsoft.com/microsoftu...b?1194207050781 -- WUWebControl Class
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}: http://www.update.microsoft.com/microsoftu...b?1194207041109 -- MUWebControl Class
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_10
{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_10
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_10

========== (O17) DNS Name Servers ==========

{2AE3E7ED-A9B8-45EB-8295-E346CE687983} (Servers: | Description: Broadcom 440x 10/100 Integrated Controller)
{B48D51AB-0452-49ED-8927-82B60F0E2EE0} (Servers: | Description: Intel® PRO/Wireless 3945ABG Network Connection)

========== (O19) User Style Sheets ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles]

========== (O20) AppInit_DLLs ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_Dlls"=C:\WINDOWS\system32\guard32.dll
>[2008/10/16 15:35:04 | 00,143,104 | ---- | M] () -- C:\WINDOWS\system32\guard32.dll

========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
igfxcui: "DllName" = igfxdev.dll -- C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 0

========== Autorun Files on Drives ==========

AUTOEXEC.BAT [PATH=%PATH%;C:\PROGRA~1\COMMON~1\MUVEET~1\030625 | ]
[2005/01/21 12:11:40 | 00,000,050 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ FAT32 ]

========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f282b0da-6246-11dc-8e9f-000fb0f0570b}\Shell]
""=AutoRun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f282b0da-6246-11dc-8e9f-000fb0f0570b}\Shell\AutoRun]
""=Auto&Play
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f282b0da-6246-11dc-8e9f-000fb0f0570b}\Shell\AutoRun\command]
""=F:\LaunchU3.exe -- File not found

========== Files/Folders - Created Within 30 Days ==========

[2 C:\WINDOWS\*.tmp files]
[2008/10/25 13:36:27 | 00,000,000 | ---D | C] -- C:\Useful Software
[2008/10/24 01:09:11 | 00,337,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\netapi32.dll
[2008/10/24 01:03:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\dfshim.dll
[2008/10/24 00:04:59 | 00,000,000 | ---D | C] -- C:\WINDOWS\SxsCaPendDel
[2008/10/24 00:03:48 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2008/10/20 23:16:23 | 00,052,551 | ---- | C] () -- C:\Documents and Settings\Nick F\Desktop\20081020152735706.pdf
[2008/10/16 21:03:27 | 00,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2008/10/16 21:03:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2008/10/16 21:02:47 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2008/10/16 15:35:04 | 00,143,104 | ---- | C] () -- C:\WINDOWS\System32\guard32.dll
[2008/10/16 15:35:04 | 00,087,056 | ---- | C] (COMODO) -- C:\WINDOWS\System32\drivers\cmdguard.sys
[2008/10/16 15:35:04 | 00,079,760 | ---- | C] (COMODO) -- C:\WINDOWS\System32\drivers\inspect.sys
[2008/10/16 15:35:04 | 00,024,208 | ---- | C] (COMODO) -- C:\WINDOWS\System32\drivers\cmdhlp.sys
[2008/10/16 15:35:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\comodo
[2008/10/16 15:11:28 | 00,333,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\srv.sys
[2008/10/16 15:11:22 | 02,189,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntoskrnl.exe
[2008/10/16 15:11:22 | 02,145,280 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrnlmp.exe
[2008/10/16 15:11:21 | 02,066,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrnlpa.exe
[2008/10/16 15:11:21 | 02,023,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrpamp.exe
[2008/10/16 15:11:01 | 01,846,400 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\win32k.sys
[2008/10/16 15:09:43 | 00,331,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msadce.dll
[2008/10/16 15:08:59 | 00,691,712 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\inetcomm.dll
[2008/10/16 02:31:35 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Nick F\Application Data\Comodo
[2008/10/16 02:31:31 | 00,000,000 | ---D | C] -- C:\Program Files\COMODO
[2008/10/16 02:27:15 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2008/10/16 02:25:32 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Nick F\Desktop\anti-malware
[2008/10/16 01:57:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Nick F\Application Data\Malwarebytes
[2008/10/16 01:57:00 | 00,017,200 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2008/10/16 01:56:59 | 00,038,528 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2008/10/16 01:56:57 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2008/10/16 01:56:56 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2008/10/15 22:25:17 | 10,633,74848 | -HS- | C] () -- C:\hiberfil.sys
[2008/10/09 14:26:59 | 00,000,000 | ---D | C] -- C:\Program Files\WinMerge
[2008/10/02 16:46:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Audio Damage

========== Files - Modified Within 30 Days ==========

[2 C:\WINDOWS\*.tmp files]
[2008/10/26 16:00:46 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2008/10/26 15:39:52 | 00,000,451 | ---- | M] () -- C:\WINDOWS\System32\eRLog.ini
[2008/10/26 15:39:02 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2008/10/26 15:38:46 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2008/10/26 15:38:40 | 10,633,74848 | -HS- | M] () -- C:\hiberfil.sys
[2008/10/26 15:15:08 | 00,251,088 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/10/24 01:03:12 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\dfshim.dll
[2008/10/24 00:04:54 | 00,404,548 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2008/10/24 00:04:54 | 00,062,624 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2008/10/20 23:31:36 | 00,052,551 | ---- | M] () -- C:\Documents and Settings\Nick F\Desktop\20081020152735706.pdf
[2008/10/19 12:13:12 | 00,000,562 | ---- | M] () -- C:\Documents and Settings\Nick F\Desktop\REAPER.lnk
[2008/10/18 23:43:24 | 00,025,598 | ---- | M] () -- C:\WINDOWS\cool.ini
[2008/10/18 23:43:24 | 00,006,736 | ---- | M] () -- C:\WINDOWS\coolcust.ini
[2008/10/17 17:33:02 | 00,112,640 | ---- | M] () -- C:\Documents and Settings\Nick F\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/10/16 15:35:04 | 00,143,104 | ---- | M] () -- C:\WINDOWS\System32\guard32.dll
[2008/10/16 15:35:04 | 00,087,056 | ---- | M] (COMODO) -- C:\WINDOWS\System32\drivers\cmdguard.sys
[2008/10/16 15:35:04 | 00,079,760 | ---- | M] (COMODO) -- C:\WINDOWS\System32\drivers\inspect.sys
[2008/10/16 15:35:04 | 00,024,208 | ---- | M] (COMODO) -- C:\WINDOWS\System32\drivers\cmdhlp.sys
[2008/10/16 15:17:30 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2008/10/16 15:15:54 | 00,459,836 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2008/10/16 02:18:28 | 00,000,712 | ---- | M] () -- C:\WINDOWS\win.ini
[2008/10/16 02:18:28 | 00,000,253 | ---- | M] () -- C:\WINDOWS\system.ini
[2008/10/16 02:18:28 | 00,000,211 | -HS- | M] () -- C:\boot.ini
[2008/10/15 17:34:24 | 00,337,408 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\netapi32.dll
[2008/10/15 17:34:24 | 00,337,408 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\netapi32.dll
[2008/10/14 17:19:00 | 00,000,416 | ---- | M] () -- C:\WINDOWS\ClaviaModularEditor Preferences
[2008/10/13 18:06:16 | 00,001,000 | ---- | M] () -- C:\WINDOWS\energyXT.ini
[2008/10/13 15:32:00 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2008/10/11 01:12:32 | 00,002,257 | ---- | M] () -- C:\Documents and Settings\Nick F\Desktop\Skype.lnk
[2008/10/09 02:09:26 | 03,176,204 | -H-- | M] () -- C:\Documents and Settings\Nick F\Local Settings\Application Data\IconCache.db
[2008/10/08 00:06:28 | 00,002,499 | ---- | M] () -- C:\Documents and Settings\Nick F\Desktop\ACDSee 8.lnk
[2008/10/07 12:19:42 | 16,721,856 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2008/10/03 18:41:16 | 06,066,176 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ieframe.dll
[2008/10/03 18:41:16 | 06,066,176 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieframe.dll
[2008/10/01 13:35:24 | 00,062,816 | ---- | M] () -- C:\Documents and Settings\Nick F\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
< End of report >

====

OTViewIt Extras logfile created on: 26/10/2008 18:20:15 - Run 2
OTViewIt by OldTimer - Version 1.0.17.0 Folder = C:\Documents and Settings\Nick F\Desktop\anti-malware
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1014.04 Mb Total Physical Memory | 689.86 Mb Available Physical Memory | 68.03% Memory free
2.39 Gb Paging File | 1.98 Gb Available in Paging File | 83.16% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 35.06 Gb Total Space | 9.69 Gb Free Space | 27.65% Space Free | Partition Type: FAT32
Drive D: | 35.55 Gb Total Space | 19.85 Gb Free Space | 55.83% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: NICKLAPTOP
Current User Name: Nick F
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days
"MaxScriptStatements"=

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url [@ = InternetShortcut] -- C:\WINDOWS\system32\ieframe.DLL (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=1
"AntiVirusDisableNotify"=0
"FirewallDisableNotify"=0
"UpdatesDisableNotify"=0
"AntiVirusOverride"=1
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall"=0
"DoNotAllowExceptions"=0
"DisableNotifications"=0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008/04/14 01:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
File not found -- C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1
File not found -- C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)
[2008/04/13 19:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2008/04/14 01:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2005/12/13 21:31:20 | 00,151,552 | ---- | M] (CyberLink Corp.) -- C:\Program Files\Acer\Acer Arcade\PCMService.exe:*:Enabled:CyberLink PowerCinema Resident Program
[2004/05/14 02:05:26 | 00,885,760 | ---- | M] (Quinnware) -- C:\Program Files\Quintessential Player\QCDPlayer.exe:*:Enabled:Quintessential Player
[2006/04/12 14:24:36 | 13,164,544 | ---- | M] (ACD Systems Ltd.) -- C:\Program Files\ACD Systems\ACDSee\8.0\ACDSee8.exe:*:Enabled:ACDSee8
[2006/04/29 16:47:14 | 00,020,541 | ---- | M] (Apache Software Foundation) -- C:\Program Files\VertrigoServ\Apache\bin\Apache.exe:LocalSubNet:Enabled:Apache HTTP Server
File not found -- C:\Program Files\jEdit 4.3pre5\jedit.jar:*:Enabled:jedit.jar
[2007/06/29 06:25:14 | 06,124,864 | ---- | M] (Apple Inc.) -- C:\Program Files\QuickTime\QuickTimePlayer.exe:*:Enabled:QuickTime Player
[2008/05/28 16:13:28 | 01,138,688 | ---- | M] (Last.fm) -- C:\Program Files\Last.fm\LastFM.exe:*:Enabled:LastFM
[2008/09/05 01:43:40 | 00,053,248 | ---- | M] (alch) -- C:\Program Files\ClamWin\bin\ClamWin.exe:*:Enabled:Virus Scanner
[2006/05/26 03:50:26 | 04,149,248 | ---- | M] () -- C:\Program Files\VertrigoServ\Mysql\bin\mysqld.exe:*:Enabled:mysqld
File not found -- C:\Program Files\Java\jre1.5.0_07\bin\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary
File not found -- C:\Program Files\Aptana\jre\bin\javaw.exe:*:Enabled:javaw
[2007/06/17 10:14:36 | 00,096,256 | ---- | M] () -- C:\Program Files\VideoLAN\vlc.exe:*:Disabled:VLC media player
[2008/08/14 15:52:32 | 00,098,816 | ---- | M] (Opera Software) -- C:\Program Files\Opera\Opera.exe:*:Enabled:Opera Internet Browser
[2007/10/24 19:04:18 | 07,974,912 | ---- | M] () -- C:\Program Files\Plogue\Bidule\PlogueBidule.exe:*:Enabled:PlogueBidule
File not found -- C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1
File not found -- C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)
File not found -- C:\Program Files\MarketSpeed\MarketSpeed\MarketSpeed.exe:*:Disabled:MarketSpeed Module
[2008/10/18 07:44:02 | 03,533,824 | ---- | M] (Cockos Incorporated) -- C:\Program Files\REAPER\reaper.exe:*:Enabled:reaper
[2008/04/13 19:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2007/12/16 18:35:36 | 00,020,480 | ---- | M] () -- C:\Program Files\MusicBrainz Picard\picard.exe:*:Enabled:The next generation MusicBrainz tagger
[2008/09/10 11:06:30 | 06,067,392 | ---- | M] (deepinvent Software GmbH) -- C:\Program Files\MailStore\MailStoreLocal.exe:*:Enabled:MailStore Home
[2008/04/23 17:45:34 | 22,058,792 | R--- | M] (Skype Technologies S.A.) -- C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype
File not found -- C:\Program Files\LimeWire\LimeWire.exe:*:Disabled:LimeWire
File not found -- C:\StubInstaller.exe:*:Disabled:LimeWire swarmed installer
File not found -- C:\Program Files\Soulseek\slsk.exe:*:Disabled:SoulSeek

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2008/04/14 01:11:58 | 00,532,480 | ---- | M] (Microsoft Corporation) C:\PROGRA~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - Microsoft OLE DB Moniker Binder for Internet Publishing]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
msdaipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2008/04/14 01:11:58 | 00,532,480 | ---- | M] (Microsoft Corporation) C:\PROGRA~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - Microsoft OLE DB Moniker Binder for Internet Publishing]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2008/04/14 01:11:58 | 00,532,480 | ---- | M] (Microsoft Corporation) C:\PROGRA~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2007/07/02 17:10:58 | 01,828,440 | R--- | M] (Skype Technologies) C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (skype4com:{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} (HKLM) [IEProtocolHandler Class])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2007/10/23 12:14:52 | 00,858,136 | ---- | M] (Microsoft Corporation) C:\Program Files\Windows Live\Mail\mailcomm.dll (wlmailhtml:{03C514A3-1EFB-4856-9F99-10D7BE1653C0} (HKLM) [Windows Live Mail HTML Asynchronous Pluggable Protocol Handler])

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}"=PDFCreator
"{00203668-8170-44A0-BE44-B632FA4D780F}"=Adobe AIR
"{14DD76C8-F13A-4565-B607-5516E8A9ABFE}"=BOINC
"{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}"=NTI CD & DVD-Maker
"{15B70821-7893-4607-805A-BB80F3EA8279}"=Acer Empowering Technology framework
"{184E7118-0295-43C4-B72C-1D54AA75AAF7}"=Windows Live Mail
"{18D03DE2-D142-4A6C-B346-2FA7C8D76A57}"=BassStation
"{1EBFA30C-6206-4FD8-8B82-3A29F0D01B28}"=ACDSee 8 Media Support Package
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}"=Google Toolbar for Internet Explorer
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}"=mProSafe
"{2637C347-9DAD-11D6-9EA2-00055D0CA761}"=Acer Arcade
"{26A24AE4-039D-4CA4-87B4-2F83216010FF}"=Java™ 6 Update 10
"{2BB8FBB4-CFF9-434E-AA0A-40F5379C1602}"=OpenOffice.org 2.4
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{385979FE-DC4F-4140-8EAD-A59625000D72}"=NTI Backup NOW! 4
"{39F53420-645B-4A97-A458-02E5379E5F85}"=Pluggo Jr. 3.6.1
"{58E5844B-7CE2-413D-83D1-99294BF6C74F}"=Acer ePower Management
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}"=Skype™ 3.8
"{5EFDFC8B-D438-4792-A298-E87AA9ADA816}"=Acer eDataSecurity Management
"{6CA897D0-67F5-4F75-8261-DC8BFCA6DA42}"=Acer eLock Management
"{775EA80D-E368-4310-97B6-3D47EB9BB3F1}"=Opera 9.52
"{77DCDCE3-2DED-62F3-8154-05E745472D07}"=Acrobat.com
"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1"=CDBurnerXP
"{8A708DD8-A5E6-11D4-A706-000629E95E20}"=Intel® Graphics Media Accelerator Driver
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}"=mPfMgr
"{95774351-6087-3A3B-8CA8-70BEE49D2BD5}"=Google Gears
"{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}"=QuickTime
"{97C0EA4A-1A0B-4C53-ACEB-49984DA79C90}"=Google Earth
"{9CC89556-3578-48DD-8408-04E66EBEF401}"=mXML
"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}"=Windows Live installer
"{AC76BA86-7AD7-1033-7B44-A90000000001}"=Adobe Reader 9
"{AC76BA86-7AD7-5760-0000-705000000001}"=Adobe Reader Japanese Fonts
"{AE80641A-0C8D-4670-A518-B4EC154B1027}"=ACDSee 8
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1"=Spybot - Search & Destroy
"{B7050CBDB2504B34BC2A9CA0A692CC29}"=DivX Web Player
"{B7A0CE06-068E-11D6-97FD-0050BACBF861}"=PowerProducer
"{C06554A1-2C1E-4D20-B613-EE62C79927CC}"=Acer eNet Management
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}"=Microsoft .NET Framework 1.1
"{D458BBDC-0363-42E0-8FF9-4736E3CB3CA2}"=Acer Screensaver
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}"=Ad-Aware
"{DEE08946-40F0-4890-853E-60A6C3306041}"=Acer ePerformance Management
"{E38BC648-883B-4EE5-966C-94C4B7AB3E0B}"=Acer eSettings Management
"{E431C518-2EE2-471E-9234-BE995C36D513}"=Acer eDataSecurity Management 1.00.23
"{E81667C6-2856-46D6-ABEA-6A2F42166779}"=mCore
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}"=mMHouse
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}"=Realtek High Definition Audio Driver
"{F1B8DB67-D30E-4FF9-A85F-3CEE51825AA2}"=SMSC IrCC V5.1.3600.5 SP2
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}"=mWlsSafe
"1st Registry Repair"=1st Registry Repair
"4Front Piano Module VSTi_is1"=4Front Piano Module 1.0 VSTi
"7-Zip"=7-Zip 4.60 beta
"Ableton Live_is1"=Ableton Live v6.0.3
"Adobe AIR"=Adobe AIR
"Adobe Flash Player ActiveX"=Adobe Flash Player ActiveX
"Adobe Flash Player Plugin"=Adobe Flash Player Plugin
"Adobe Photoshop 7.0"=Adobe Photoshop 7.0
"Adobe Shockwave Player"=Adobe Shockwave Player
"Analog Factory SE_is1"=Analog Factory SE 1.2
"ASIO4ALL"=ASIO4ALL
"Audacity 1.3 Beta_is1"=Audacity 1.3.0
"AudioMulch Interactive Music Studio_is1"=AudioMulch Interactive Music Studio 1.0
"Automap Universal_is1"=Automap Universal 1.2
"Avidemux 2.4"=Avidemux 2.4
"ClamWin Free Antivirus_is1"=ClamWin Free Antivirus 0.94
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_1025007F"=HDAUDIO Soft Data Fax Modem with SmartCP
"Collab"=Collab
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1"=Acrobat.com
"COMODO Firewall Pro"=COMODO Firewall Pro
"Cool Edit Pro"=Cool Edit Pro
"Cool Edit Pro 2.0"=Cool Edit Pro 2.0
"ePresentation"=Acer ePresentation Management
"Exact Audio Copy"=Exact Audio Copy 0.95b4
"FileZilla"=FileZilla (remove only)
"FL Studio 7"=FL Studio 7
"FL Studio 8"=FL Studio 8
"Frohmage VST2"=OhmForce Frohmage VST2
"GlaceVerb_is1"=GlaceVerb 1.01
"GridVista"=Acer GridVista
"HijackThis"=HijackThis 2.0.2
"IDNMitigationAPIs"=Microsoft Internationalized Domain Names Mitigation APIs
"ie7"=Windows Internet Explorer 7
"IETester"=IETester v0.2.2 (remove only)
"IL Download Manager"=IL Download Manager
"InstallShield_{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}"=NTI CD & DVD-Maker
"InstallShield_{15B70821-7893-4607-805A-BB80F3EA8279}"=Acer Empowering Technology framework
"InstallShield_{385979FE-DC4F-4140-8EAD-A59625000D72}"=NTI Backup NOW! 4
"InstallShield_{6CA897D0-67F5-4F75-8261-DC8BFCA6DA42}"=Acer eLock Management
"InstallShield_{DEE08946-40F0-4890-853E-60A6C3306041}"=Acer ePerformance Management
"InstallShield_{E38BC648-883B-4EE5-966C-94C4B7AB3E0B}"=Acer eSettings Management
"IrfanView"=IrfanView (remove only)
"iZotope Vinyl_is1"=iZotope Vinyl
"JPGVideo_is1"=JPGVideo 1.05.0.0
"LastFM_is1"=Last.fm 1.5.1.30182
"LManager"=Launch Manager
"MailStore Home 2.7_is1"=MailStore Home 2.7.0.1987
"Malwarebytes' Anti-Malware_is1"=Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)"=Microsoft .NET Framework 1.1
"Modular Editor 3.03"=Modular Editor 3.03
"Mozilla Firefox (3.0.3)"=Mozilla Firefox (3.0.3)
"MPE"=MyPhoneExplorer
"MusicBrainz Picard"=MusicBrainz Picard 0.9.0
"NLSDownlevelMapping"=Microsoft National Language Support Downlevel APIs
"Novation USB Audio Driver_is1"=Novation USB Audio Driver 1.1.1
"Op6sed_is1"=Opera Search.ini Editor 1.26
"PlogueBidule"=Plogue Bidule (remove only)
"PoiZone"=PoiZone
"ProInst"=Intel® PROSet/Wireless Software
"Quintessential Media Player"=Quintessential Media Player
"Quintessential Player"=Quintessential Player
"RealAlt_is1"=Real Alternative 1.60 Lite
"REAPER"=REAPER
"RegSupreme_is1"=RegSupreme
"ReMOTE SL Compact Editor_is1"=ReMOTE SL Compact Editor
"ReMOTE SL Editor_is1"=ReMOTE SL Editor
"ReMOTE SL_is1"=ReMOTE SL 4.0
"Sonic Charge µTonic VST"=Sonic Charge µTonic VST
"SoundDiver Line6"=SoundDiver Line6
"Spybot - Search & Destroy_is1"=Spybot - Search & Destroy 1.5.2.20
"SSL LMC-1"=SSL LMC-1 v1.0
"SyncBackSE_is1"=SyncBackSE
"SynTPDeinstKey"=Synaptics Pointing Device Driver
"Tweak UI 2.10"=Tweak UI
"VertexDSPMultiInspectorFree_is1"=VertexDSP MultiInspectorFree 1.1.3
"VertrigoServ"=VertrigoServ (remove only)
"Visokio Omniscope"=Visokio Omniscope
"VLC media player"=VideoLAN VLC media player 0.8.6c
"Waldorf Edition LE"=Waldorf Edition LE
"Wasp"=Wasp
"Windows Media Format Runtime"=Windows Media Format Runtime
"Windows Media Player"=Windows Media Player 10
"Windows XP Service Pack"=Windows XP Service Pack 3
"WinMerge_is1"=WinMerge 2.10.0.0
"Zero-X BeatSlicer"=Zero-X BeatSlicer

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome"=Google Chrome
"jEdit 4.0"=jEdit Version 4.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3491692550-1241253617-669659899-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome"=Google Chrome
"jEdit 4.0"=jEdit Version 4.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 23/10/2008 14:58:16 | Computer Name = NICKLAPTOP | Source = WinMgmt | ID = 24
Description = Event provider attempted to register query "SELECT * FROM PDEvent"
whose target class "PDEvent" does not exist. The query will be ignored.

Error - 25/10/2008 08:29:00 | Computer Name = NICKLAPTOP | Source = WinMgmt | ID = 24
Description = Event provider attempted to register query "SELECT * FROM PDEvent"
whose target class "PDEvent" does not exist. The query will be ignored.

Error - 26/10/2008 10:56:59 | Computer Name = NICKLAPTOP | Source = WinMgmt | ID = 24
Description = Event provider attempted to register query "SELECT * FROM PDEvent"
whose target class "PDEvent" does not exist. The query will be ignored.

Error - 26/10/2008 11:12:05 | Computer Name = NICKLAPTOP | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16735, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 26/10/2008 11:12:08 | Computer Name = NICKLAPTOP | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16735, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 26/10/2008 11:12:28 | Computer Name = NICKLAPTOP | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16735, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 26/10/2008 11:16:11 | Computer Name = NICKLAPTOP | Source = WinMgmt | ID = 24
Description = Event provider attempted to register query "SELECT * FROM PDEvent"
whose target class "PDEvent" does not exist. The query will be ignored.

Error - 26/10/2008 11:22:40 | Computer Name = NICKLAPTOP | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16735, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 26/10/2008 11:26:19 | Computer Name = NICKLAPTOP | Source = WinMgmt | ID = 24
Description = Event provider attempted to register query "SELECT * FROM PDEvent"
whose target class "PDEvent" does not exist. The query will be ignored.

Error - 26/10/2008 11:39:42 | Computer Name = NICKLAPTOP | Source = WinMgmt | ID = 24
Description = Event provider attempted to register query "SELECT * FROM PDEvent"
whose target class "PDEvent" does not exist. The query will be ignored.

[ System Events ]
Error - 23/10/2008 19:05:09 | Computer Name = NICKLAPTOP | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 23/10/2008 19:05:09 | Computer Name = NICKLAPTOP | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 23/10/2008 19:05:09 | Computer Name = NICKLAPTOP | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 23/10/2008 19:05:09 | Computer Name = NICKLAPTOP | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 23/10/2008 19:05:09 | Computer Name = NICKLAPTOP | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 23/10/2008 19:05:09 | Computer Name = NICKLAPTOP | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 23/10/2008 19:05:09 | Computer Name = NICKLAPTOP | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 23/10/2008 19:05:09 | Computer Name = NICKLAPTOP | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 23/10/2008 19:05:09 | Computer Name = NICKLAPTOP | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 26/10/2008 11:00:48 | Computer Name = NICKLAPTOP | Source = ACPIEC | ID = 327681
Description = \Device\ACPIEC: The embedded controller (EC) hardware didn't respond
within the timeout period. This may indicate an error in the EC hardware or firmware,
or possibly a poorly designed BIOS which accesses the EC in an unsafe manner.
The EC driver will retry the failed transaction if possible.


< End of report >

====

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, October 26, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, October 26, 2008 14:30:40
Records in database: 1348246
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 181214
Threat name: 5
Infected objects: 5
Suspicious objects: 1
Duration of the scan: 01:56:42


File name / Threat name / Threats count
C:\Documents and Settings\Nick F\Local Settings\Application Data\Microsoft\Windows Live Mail\Hotmail\Deleted Items\4B021106-00000242.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Nick F\Local Settings\Application Data\Identities\{42C1D2BF-E2B6-419F-8A24-556D0EAF953C}\Microsoft\Outlook Express\Hotmail - Inbox.dbx Infected: Email-Worm.Win32.NetSky.d 1
C:\Documents and Settings\Nick F\Local Settings\Application Data\Identities\{42C1D2BF-E2B6-419F-8A24-556D0EAF953C}\Microsoft\Outlook Express\Inbox.dbx Infected: Email-Worm.Win32.NetSky.d 1
C:\Documents and Settings\Nick F\.housecall6.6\Quarantine\TDSSf25c.tmp.bac_a02516 Infected: Backdoor.Win32.TDSS.zj 1
C:\Documents and Settings\Nick F\.housecall6.6\Quarantine\.tt1.tmp.vbs.bac_a02516 Infected: Backdoor.Win32.Frauder.eo 1
C:\Program Files\Opera\profile\images\www.frodosnotebook.com.gif Infected: Exploit.Win32.IMG-GIF.b 1

The selected area was scanned.

====

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:06:49, on 26/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\admServ.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Program Files\Novation\USB Audio Driver\nvnusbaudiolog.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Documents and Settings\Nick F\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\DOCUME~1\NICKF~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [NvnUsbAudioLogger] "C:\Program Files\Novation\USB Audio Driver\nvnusbaudiolog.exe"
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Nick F\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194207050781
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194207041109
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 8946 bytes

Edited by Nick1979, 26 October 2008 - 01:43 PM.


#7 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 26 October 2008 - 01:44 PM

Hello Nick1979.

I don't see any active malware in these logs. However, there are signs of something hiding.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Close all other running programs. There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>.
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • Click OK.
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in Safe Mode
Important!: Please do not select the Show all checkbox during the scan.


When posting logs, please make sure that in Notepad, you go to Format>uncheck WordWrap before copying the logs.

With Regards,
The Panda

#8 Nick1979

Nick1979
  • Topic Starter

  • Members
  • 15 posts
  • Gender:Male
  • Location:London, UK

Posted 26 October 2008 - 02:20 PM

Hello again.

Thanks for replying so quickly.

Bad news, though - GMER seems to have found a Rootkit.
The log file is too big to paste as text, so I'll add it as an attachment - hope that's ok.

(One thing - GMER did ask me to close all running software. I closed my browser, file explorer, virus scanner etc. but I did leave COMODO Firewall Pro running - hope that's ok).

Another possible symptom I forgot to mention is that Windows has several times decided to hide file extensions of known file types (I usually have this set to visible so I can see the file extensions of all files).

Nick F

Attached Files

  • Attached File  gmer.log   345.75KB   6 downloads


#9 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 26 October 2008 - 02:32 PM

Hello Nick.

Did you follow the directions exactly? Was ShowAll checked? The log seems way too big to me.

In any case, you've got a nasty rootkit.

Backdoor Threat
I'm sorry to say that your computer is infected with one or more backdoor trojans.

This means that sensitive information could have been stolen. I would advise to change any passwords for any accounts that you have accessed with the infected computer using a clean computer ASAP. If you have used this computer for banking, I would strongly suggest that you report the possible stolen information. Please do not use the computer for any further transactions, or to enter any other information, if at all possible, until it is declared clean.

You may want to read this article on how to handle identity theft.
You may also want to read this article regarding prevention of identity theft.

This computer can still be cleaned, however, I cannot guarantee that it will be 100% safe even after disinfection.

Please read When Should I Format, How Should I Reinstall.

I will proceed assuming you wish to disinfect. If you want to do a reinstall, reply back saying so.

Please run GMER again and post the logs directly into your reply (they lose formatting when they are attached). Thanks.

With Regards,
The Panda

#10 Nick1979

Nick1979
  • Topic Starter

  • Members
  • 15 posts
  • Gender:Male
  • Location:London, UK

Posted 26 October 2008 - 04:11 PM

Dear PropagandaPanda,

Thanks for the info. Oh dear - that's very bad news.

I was fairly sure I followed the instructions correctly the first time, but perhaps I missed something. Anyway, I've now run gmer again from Safe Mode, and you're right - the log is much smaller.

A couple of peculiar things - GMER crashed the computer the first time I ran it in Safe Mode. It worked the second time, though, when it produced the log below.

Secondly, when Safe Mode boots, the screen gets filled with DOS-style text listing a lot of system files. All the lines begin:
multi(0)disk(0)partition(2)\WINDOWS\system32\

I've avoided logging into anything sensitive (e.g. internet banking) since the infection. However, I will now change my email passwords.

If you can't be sure of the exact nature of this rootkit, I think the best thing will probably be to re-install Windows. I'd be very grateful if you could give me some advice on backing things up first, though. I haven't connected any external drives to the system since the infection, because I don't want it to spread. If I'm going to reinstall, I'd like to back up My Documents, etc, but I'd like to be sure that I can back them up without risking reintroducing the infection after reinstallation.

Thanks again,

Nick

====

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-10-26 20:43:45
Windows 5.1.2600 Service Pack 3


---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\system32\winlogon.exe[232] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[232] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[232] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[232] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[232] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[232] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[232] GDI32.dll!CreateDCA 77F1B7C2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[232] GDI32.dll!CreateDCW 77F1BE28 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[232] GDI32.dll!CreateDCW + 3 77F1BE2B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\winlogon.exe[232] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[232] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[276] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[276] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[276] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[276] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[276] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[276] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[276] GDI32.dll!CreateDCA 77F1B7C2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[276] GDI32.dll!CreateDCW 77F1BE28 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[276] GDI32.dll!CreateDCW + 3 77F1BE2B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\services.exe[276] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[276] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[288] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[288] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[288] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[288] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[288] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[288] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[288] GDI32.dll!CreateDCA 77F1B7C2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[288] GDI32.dll!CreateDCW 77F1BE28 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[288] GDI32.dll!CreateDCW + 3 77F1BE2B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\lsass.exe[288] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[288] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[444] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[444] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[444] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[444] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[444] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[444] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[444] GDI32.dll!CreateDCA 77F1B7C2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[444] GDI32.dll!CreateDCW 77F1BE28 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[444] GDI32.dll!CreateDCW + 3 77F1BE2B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\svchost.exe[444] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[444] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[512] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[512] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[512] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[512] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[512] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[512] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[512] GDI32.dll!CreateDCA 77F1B7C2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[512] GDI32.dll!CreateDCW 77F1BE28 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[512] GDI32.dll!CreateDCW + 3 77F1BE2B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\svchost.exe[512] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[512] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[572] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 003C5060 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[572] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 003C4F90 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[572] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 003C1860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[572] GDI32.dll!CreateDCA 77F1B7C2 5 Bytes JMP 003C1230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[572] GDI32.dll!CreateDCW 77F1BE28 2 Bytes JMP 003C13C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[572] GDI32.dll!CreateDCW + 3 77F1BE2B 2 Bytes [ 4A, 88 ]
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[572] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 003C4C30 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[572] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 003C16D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[572] USER32.dll!keybd_event 7E466783 5 Bytes JMP 003C1550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[572] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 003C4960 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[572] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 003C4AD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[728] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[728] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[728] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[728] GDI32.dll!CreateDCA 77F1B7C2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[728] GDI32.dll!CreateDCW 77F1BE28 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[728] GDI32.dll!CreateDCW + 3 77F1BE2B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\Explorer.EXE[728] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[728] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[728] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[728] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[728] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[808] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[808] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[808] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[808] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[808] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[808] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[808] GDI32.dll!CreateDCA 77F1B7C2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[808] GDI32.dll!CreateDCW 77F1BE28 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[808] GDI32.dll!CreateDCW + 3 77F1BE2B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\svchost.exe[808] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[808] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\Useful Software\gmer.exe[1096] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\Useful Software\gmer.exe[1096] USER32.DLL!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\Useful Software\gmer.exe[1096] USER32.DLL!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Useful Software\gmer.exe[1096] USER32.DLL!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Useful Software\gmer.exe[1096] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Useful Software\gmer.exe[1096] GDI32.dll!CreateDCA 77F1B7C2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Useful Software\gmer.exe[1096] GDI32.dll!CreateDCW 77F1BE28 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Useful Software\gmer.exe[1096] GDI32.dll!CreateDCW + 3 77F1BE2B 2 Bytes [ 0E, 98 ]
.text C:\Useful Software\gmer.exe[1096] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\Useful Software\gmer.exe[1096] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- Services - GMER 1.0.14 ----

Service system32\drivers\TDSSserv.sys (*** hidden *** ) [SYSTEM] TDSSserv <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv@imagepath \systemroot\system32\drivers\TDSSserv.sys
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv@imagepath \systemroot\system32\drivers\TDSSserv.sys

---- EOF - GMER 1.0.14 ----
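The user-mode hooks, the hidden service and the registry entries in that GMER log are the three things a helper reads first. As an added example, not part of the thread or of GMER itself, the Python below parses those three record types from a constructed excerpt of the log above, decodes the service start/type values into their Win32 names, flags hidden services and groups the inline hooks by the module that owns each JMP target; all function and field names are this example's own.

```python
"""Triage helper for GMER rootkit-scan logs (added example, not from the thread)."""
import re
from collections import defaultdict

# ".text <process>[<pid>] <module>!<function>[ + n] <addr> <N> Bytes <patch>"
HOOK_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<mod>\S+)!(?P<func>\S+(?: \+ \d+)?) "
    r"(?P<addr>[0-9A-Fa-f]+) (?P<nbytes>\d+) Bytes (?P<patch>.*)$"
)
# The patch is either "JMP <target> <path of the module owning the target>" or raw bytes.
JMP_RE = re.compile(r"^JMP (?P<target>[0-9A-Fa-f]+) (?P<owner>.+)$")
# "Service <image> [(*** hidden *** )] [<start>] <name> ..."
SERVICE_RE = re.compile(
    r"^Service (?P<image>\S+)\s+(?P<flags>\(.*?\)\s+)?\[(?P<start>\w+)\]\s+(?P<name>\S+)"
)
# "Reg <key>@<value> <data>"
REG_RE = re.compile(r"^Reg (?P<key>[^@\s]+)@(?P<value>\S+)\s+(?P<data>.*)$")

# Service configuration values as the Win32 SERVICE_* constants name them.
SERVICE_START = {"0": "BOOT_START", "1": "SYSTEM_START", "2": "AUTO_START",
                 "3": "DEMAND_START", "4": "DISABLED"}
SERVICE_TYPE = {"1": "KERNEL_DRIVER", "2": "FILE_SYSTEM_DRIVER",
                "16": "WIN32_OWN_PROCESS", "32": "WIN32_SHARE_PROCESS"}

# Constructed excerpt: a handful of lines copied from the log in the post above.
SAMPLE_LOG = r"""
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-10-26 20:43:45

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\system32\winlogon.exe[232] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[232] GDI32.dll!CreateDCW 77F1BE28 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[232] GDI32.dll!CreateDCW + 3 77F1BE2B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\services.exe[276] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll

---- Services - GMER 1.0.14 ----

Service system32\drivers\TDSSserv.sys (*** hidden *** ) [SYSTEM] TDSSserv <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv@imagepath \systemroot\system32\drivers\TDSSserv.sys
"""


def parse_log(text):
    """Split a GMER log into hook, service and registry records."""
    hooks, services, registry = [], [], defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOOK_RE.match(line):
            h = m.groupdict()
            j = JMP_RE.match(h["patch"])
            # Owner is the file name of the module the JMP lands in; None for raw bytes.
            h["owner"] = j["owner"].rsplit("\\", 1)[-1].lower() if j else None
            hooks.append(h)
        elif m := SERVICE_RE.match(line):
            s = m.groupdict()
            s["hidden"] = "hidden" in (s["flags"] or "")
            services.append(s)
        elif m := REG_RE.match(line):
            registry[m["key"]][m["value"].lower()] = m["data"]
    return {"hooks": hooks, "services": services, "registry": dict(registry)}


def summarize(text):
    """Condense a log into hidden services, decoded service config and hook owners."""
    parsed = parse_log(text)
    hidden = [{"name": s["name"], "image": s["image"]}
              for s in parsed["services"] if s["hidden"]]
    # Registry view of each service, decoded. Entries for the same service name
    # under different control sets (CurrentControlSet, ControlSet003) are merged.
    config = {}
    for key, values in parsed["registry"].items():
        entry = config.setdefault(key.rsplit("\\", 1)[-1], {})
        if "start" in values:
            entry["start"] = SERVICE_START.get(values["start"], values["start"])
        if "type" in values:
            entry["type"] = SERVICE_TYPE.get(values["type"], values["type"])
        if "imagepath" in values:
            entry["imagepath"] = values["imagepath"]
    # Hooks grouped by the module that owns the JMP target, so the reader can see
    # whether every patched API in every process points at one known module or
    # at something that needs explaining.
    owners = defaultdict(lambda: {"pids": set(), "functions": set()})
    for h in parsed["hooks"]:
        o = owners[h["owner"] or "(raw bytes)"]
        o["pids"].add(h["pid"])
        o["functions"].add(f"{h['mod']}!{h['func']}")
    hook_owners = {k: {"processes": len(v["pids"]), "functions": sorted(v["functions"])}
                   for k, v in owners.items()}
    return {"hidden_services": hidden, "service_config": config, "hook_owners": hook_owners}


if __name__ == "__main__":
    for section, items in summarize(SAMPLE_LOG).items():
        print(section, items)
```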

#11 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:10:38 AM

Posted 26 October 2008 - 04:24 PM

Hello Nick1979.

If you would like to reformat, that would definitely be the best way to go. It will be safe to back up data files, for example, Word documents, music, pictures, video, text files, PDF files. This infection does not infect files.

All application files should be deleted in the format, however.

If you would still like to continue...

Download and Run SDFix
You can find complete instructions on running SDFix in the link below:
http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/

SDFix is for Windows 2000 and Windows XP only.
  • Download SDfix setup onto your desktop.
  • Run the installer. Leave the install location at your system root.
  • After the install, boot into Safe Mode.
  • Click your Start Menu. Click Run. Type in c:\sdfix\runthis.bat. Hit OK.
  • The prompt window will open. Type Y and hit Enter.
  • Wait for the scan to finish.
  • You will be prompted to restart. Press any key to do so. Allow SDFix to boot the computer into normal boot.
  • At reboot, the prompt window will pop-up, along with a log (\rapport.txt) shortly after. Copy the contents of the log back in your next reply.
How to Boot into Safe Mode
Print out all instructions to be carried out in Safe Mode, or save them onto your desktop, as you will not be able to access the forum where you are receiving help.

If you are unfamiliar with the boot process, please jot down the boot instructions.
  • Shutdown your computer.
  • Press the power on button.
  • Wait for your computer to beep.
  • After hearing the beep, hit the F8 key repeatedly until you see a selection screen.
  • Use your arrow keys to navigate the highlight to Safe Mode.
  • Hit Enter.
  • You will now be asked to choose your operating system. Again, use the arrow keys to select Microsoft Windows XP, if the highlight was not already on it.
  • Hit Enter.
Your computer will proceed to boot into Safe Mode. During the boot process, you may see random code go past your screen. Simply wait for it to pass. Your computer should boot as usual, except with Safe Mode written in the corners of your screen. Your screen may also appear to be a different size because the video drivers are not loaded properly in Safe Mode.

After the boot, you will be asked whether you wish to use system restore, or to continue to Safe Mode. Select OK to choose Safe mode.

Also include a new GMER and OTViewIt log (just OTViewIt.txt)

With Regards,
The Panda

#12 Nick1979

Nick1979
  • Topic Starter

  • Members
  • 15 posts
  • Gender:Male
  • Location:London, UK
  • Local time:03:38 PM

Posted 26 October 2008 - 06:26 PM

Hi again.

I think I will reinstall Windows, but I'll need to have a think about what to back up, and whether to reinstall XP or upgrade to Vista, so in the meantime I think it would be good to try to get the system clean anyway.

I've run SDFix and it seems to have found and removed some things. I'll paste the log below. I then ran GMER in Safe Mode, and finally OTViewIt again. I'll paste both those logs too.

One thing - the first time I ran GMER it once again produced a massive log file (606K). 'Show All' was definitely not selected. I ran it a second time and it produced the much smaller one (17K) that I'll paste below. Let me know if you'd like to see the larger one.

Do you know what this rootkit was, or what it was likely to have been doing? I'd be very interested to know a little about what the thing was.

Thanks again,

Nick

====


SDFix: Version 1.237
Run by Administrator on 26/10/2008 at 21:47

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
tdssserv

Path :
\systemroot\system32\drivers\TDSSserv.sys

tdssserv - Deleted



Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\antiv.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-26 22:05:31
Windows 5.1.2600 Service Pack 3 FAT NTAPI

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Acer\\Acer Arcade\\PCMService.exe"="C:\\Program Files\\Acer\\Acer Arcade\\PCMService.exe:*:Enabled:CyberLink PowerCinema Resident Program"
"C:\\Program Files\\Quintessential Player\\QCDPlayer.exe"="C:\\Program Files\\Quintessential Player\\QCDPlayer.exe:*:Enabled:Quintessential Player"
"C:\\Program Files\\ACD Systems\\ACDSee\\8.0\\ACDSee8.exe"="C:\\Program Files\\ACD Systems\\ACDSee\\8.0\\ACDSee8.exe:*:Enabled:ACDSee8"
"C:\\Program Files\\VertrigoServ\\Apache\\bin\\Apache.exe"="C:\\Program Files\\VertrigoServ\\Apache\\bin\\Apache.exe:LocalSubNet:Enabled:Apache HTTP Server"
"C:\\Program Files\\jEdit 4.3pre5\\jedit.jar"="C:\\Program Files\\jEdit 4.3pre5\\jedit.jar:*:Enabled:jedit.jar"
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"="C:\\Program Files\\QuickTime\\QuickTimePlayer.exe:*:Enabled:QuickTime Player"
"C:\\Program Files\\Last.fm\\LastFM.exe"="C:\\Program Files\\Last.fm\\LastFM.exe:*:Enabled:LastFM"
"C:\\Program Files\\ClamWin\\bin\\ClamWin.exe"="C:\\Program Files\\ClamWin\\bin\\ClamWin.exe:*:Enabled:Virus Scanner"
"C:\\Program Files\\VertrigoServ\\Mysql\\bin\\mysqld.exe"="C:\\Program Files\\VertrigoServ\\Mysql\\bin\\mysqld.exe:*:Enabled:mysqld"
"C:\\Program Files\\Java\\jre1.5.0_07\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"C:\\Program Files\\Aptana\\jre\\bin\\javaw.exe"="C:\\Program Files\\Aptana\\jre\\bin\\javaw.exe:*:Enabled:javaw"
"C:\\Program Files\\VideoLAN\\vlc.exe"="C:\\Program Files\\VideoLAN\\vlc.exe:*:Disabled:VLC media player"
"C:\\Program Files\\Opera\\Opera.exe"="C:\\Program Files\\Opera\\Opera.exe:*:Enabled:Opera Internet Browser"
"C:\\Program Files\\Plogue\\Bidule\\PlogueBidule.exe"="C:\\Program Files\\Plogue\\Bidule\\PlogueBidule.exe:*:Enabled:PlogueBidule"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\MarketSpeed\\MarketSpeed\\MarketSpeed.exe"="C:\\Program Files\\MarketSpeed\\MarketSpeed\\MarketSpeed.exe:*:Disabled:MarketSpeed Module"
"C:\\Program Files\\REAPER\\reaper.exe"="C:\\Program Files\\REAPER\\reaper.exe:*:Enabled:reaper"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MusicBrainz Picard\\picard.exe"="C:\\Program Files\\MusicBrainz Picard\\picard.exe:*:Enabled:The next generation MusicBrainz tagger"
"C:\\Program Files\\MailStore\\MailStoreLocal.exe"="C:\\Program Files\\MailStore\\MailStoreLocal.exe:*:Enabled:MailStore Home"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Disabled:LimeWire"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Disabled:LimeWire swarmed installer"
"C:\\Program Files\\Soulseek\\slsk.exe"="C:\\Program Files\\Soulseek\\slsk.exe:*:Disabled:SoulSeek"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 21 Jan 2005 1,024 ...HR --- "C:\WINDOWS\system32\NTICDMK7.dll"
Fri 21 Jan 2005 1,024 ...HR --- "C:\WINDOWS\system32\NTIMPEG2.dll"
Fri 21 Jan 2005 1,024 ...HR --- "C:\WINDOWS\system32\NTIMP3.dll"
Fri 21 Jan 2005 1,024 ...HR --- "C:\WINDOWS\system32\NTIFCD3.dll"
Fri 21 Jan 2005 1,024 ...HR --- "C:\WINDOWS\system32\NTIBUN4.dll"
Thu 14 Aug 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Wed 30 Jul 2008 4,891,984 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Wed 5 Jul 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 27 Feb 2004 233,472 A..H. --- "C:\Program Files\Image-Line\FL Studio 7\REX Shared Library.dll"
Thu 15 Mar 2001 23,040 A..H. --- "C:\Documents and Settings\Nick F\My Documents\University Work\Japanese\~WRL0002.tmp"
Thu 15 Mar 2001 71,168 A..H. --- "C:\Documents and Settings\Nick F\My Documents\University Work\Japanese\~WRL2293.tmp"
Wed 30 May 2001 25,600 A..H. --- "C:\Documents and Settings\Nick F\My Documents\Correspondence\To\~WRL2588.tmp"
Sun 17 Jun 2001 24,064 A..H. --- "C:\Documents and Settings\Nick F\My Documents\Correspondence\To\~WRL3914.tmp"
Thu 28 Feb 2008 524,288 A..H. --- "C:\Documents and Settings\Nick F\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.bak_jv16pt"
Wed 28 Mar 2001 961,024 A..H. --- "C:\Documents and Settings\Nick F\My Documents\University Work\Psychology\4th Year\~WRL0004.tmp"
Wed 28 Mar 2001 972,288 A..H. --- "C:\Documents and Settings\Nick F\My Documents\University Work\Psychology\4th Year\~WRL2685.tmp"
Wed 28 Mar 2001 109,056 A..H. --- "C:\Documents and Settings\Nick F\My Documents\University Work\Psychology\4th Year\~WRL3709.tmp"
Thu 25 Sep 2003 75,776 A..H. --- "C:\Documents and Settings\Nick F\My Documents\University Work\Psychology\MSc\Dissertation\~WRL0005.tmp"

Finished!

====

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-10-26 23:05:00
Windows 5.1.2600 Service Pack 3


---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\system32\winlogon.exe[232] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[232] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[232] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[232] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[232] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[232] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[232] GDI32.dll!CreateDCA 77F1B7C2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[232] GDI32.dll!CreateDCW 77F1BE28 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[232] GDI32.dll!CreateDCW + 3 77F1BE2B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\winlogon.exe[232] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[232] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[276] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[276] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[276] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[276] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[276] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[276] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[276] GDI32.dll!CreateDCA 77F1B7C2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[276] GDI32.dll!CreateDCW 77F1BE28 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[276] GDI32.dll!CreateDCW + 3 77F1BE2B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\services.exe[276] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[276] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[288] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[288] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[288] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[288] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[288] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[288] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[288] GDI32.dll!CreateDCA 77F1B7C2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[288] GDI32.dll!CreateDCW 77F1BE28 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[288] GDI32.dll!CreateDCW + 3 77F1BE2B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\lsass.exe[288] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[288] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[440] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[440] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[440] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[440] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[440] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[440] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[440] GDI32.dll!CreateDCA 77F1B7C2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[440] GDI32.dll!CreateDCW 77F1BE28 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[440] GDI32.dll!CreateDCW + 3 77F1BE2B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\svchost.exe[440] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[440] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[508] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[508] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[508] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[508] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[508] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[508] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[508] GDI32.dll!CreateDCA 77F1B7C2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[508] GDI32.dll!CreateDCW 77F1BE28 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[508] GDI32.dll!CreateDCW + 3 77F1BE2B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\svchost.exe[508] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[508] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[556] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 003C5060 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[556] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 003C4F90 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[556] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 003C1860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[556] GDI32.dll!CreateDCA 77F1B7C2 5 Bytes JMP 003C1230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[556] GDI32.dll!CreateDCW 77F1BE28 2 Bytes JMP 003C13C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[556] GDI32.dll!CreateDCW + 3 77F1BE2B 2 Bytes [ 4A, 88 ]
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[556] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 003C4C30 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[556] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 003C16D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[556] USER32.dll!keybd_event 7E466783 5 Bytes JMP 003C1550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[556] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 003C4960 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[556] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 003C4AD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[724] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[724] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[724] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[724] GDI32.dll!CreateDCA 77F1B7C2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[724] GDI32.dll!CreateDCW 77F1BE28 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[724] GDI32.dll!CreateDCW + 3 77F1BE2B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\Explorer.EXE[724] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[724] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[724] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[724] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[724] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[768] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[768] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[768] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[768] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[768] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[768] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[768] GDI32.dll!CreateDCA 77F1B7C2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[768] GDI32.dll!CreateDCW 77F1BE28 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[768] GDI32.dll!CreateDCW + 3 77F1BE2B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\svchost.exe[768] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[768] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\Useful Software\gmer.exe[1308] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\Useful Software\gmer.exe[1308] USER32.DLL!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\Useful Software\gmer.exe[1308] USER32.DLL!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Useful Software\gmer.exe[1308] USER32.DLL!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Useful Software\gmer.exe[1308] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Useful Software\gmer.exe[1308] GDI32.dll!CreateDCA 77F1B7C2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Useful Software\gmer.exe[1308] GDI32.dll!CreateDCW 77F1BE28 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Useful Software\gmer.exe[1308] GDI32.dll!CreateDCW + 3 77F1BE2B 2 Bytes [ 0E, 98 ]
.text C:\Useful Software\gmer.exe[1308] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\Useful Software\gmer.exe[1308] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- EOF - GMER 1.0.14 ----

====

OTViewIt logfile created on: 26/10/2008 23:10:25 - Run 4
OTViewIt by OldTimer - Version 1.0.17.0 Folder = C:\Documents and Settings\Nick F\Desktop\anti-malware
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1014.04 Mb Total Physical Memory | 590.78 Mb Available Physical Memory | 58.26% Memory free
2.39 Gb Paging File | 2.04 Gb Available in Paging File | 85.49% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 35.06 Gb Total Space | 9.30 Gb Free Space | 26.53% Space Free | Partition Type: FAT32
Drive D: | 35.55 Gb Total Space | 19.85 Gb Free Space | 55.83% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: NICKLAPTOP
Current User Name: Nick F
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2005/11/28 11:29:00 | 00,114,753 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
[2005/11/28 11:31:32 | 00,540,745 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
[2008/10/16 21:04:04 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
[2005/11/28 13:52:00 | 00,077,824 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
[2005/11/28 13:55:00 | 00,118,784 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe
[2005/12/19 14:52:52 | 15,797,248 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.EXE
[2005/10/19 09:30:16 | 00,069,632 | ---- | M] (HiTRUST) -- C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
[2006/01/17 18:28:54 | 00,344,064 | ---- | M] (Acer Incorporated) -- C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
[2006/01/24 18:00:08 | 00,397,312 | ---- | M] (acer Inc.) -- C:\Acer\Empowering Technology\eRecovery\Monitor.exe
[2005/10/24 16:45:32 | 02,462,208 | ---- | M] (Avocent Inc.) -- C:\Acer\Empowering Technology\admtray.exe
[2007/05/22 17:04:02 | 00,007,168 | ---- | M] (Novation DMS Ltd.) -- C:\Program Files\Novation\USB Audio Driver\nvnusbaudiolog.exe
[2008/09/05 01:43:40 | 00,086,016 | ---- | M] (alch) -- C:\Program Files\ClamWin\bin\ClamTray.exe
[2005/10/24 16:40:52 | 01,314,816 | ---- | M] (Avocent Inc.) -- C:\Acer\Empowering Technology\admServ.exe
[2008/06/12 02:38:00 | 00,034,672 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
[2008/10/16 15:35:02 | 01,655,552 | ---- | M] () -- C:\Program Files\COMODO\Firewall\cfp.exe
[2008/10/23 19:37:22 | 00,136,600 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
[2008/09/03 18:17:22 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Nick F\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
[2007/07/25 15:07:08 | 00,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[2005/12/13 21:31:36 | 00,254,050 | ---- | M] () -- C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
[2008/10/16 15:35:04 | 00,519,936 | ---- | M] () -- C:\Program Files\COMODO\Firewall\cmdagent.exe
[2005/12/13 21:31:08 | 00,061,440 | ---- | M] (Cyberlink) -- C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
[2005/12/13 21:31:08 | 01,077,376 | ---- | M] (Cyberlink) -- C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
[2008/10/23 19:37:22 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
[2005/11/28 11:28:14 | 00,217,164 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
[2004/09/22 18:46:10 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe
[2005/12/13 21:31:38 | 00,114,784 | ---- | M] () -- C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
[2005/02/11 11:06:44 | 00,500,224 | ---- | M] (Realtek Semiconductor Corp.) -- C:\DOCUME~1\NICKF~1\LOCALS~1\Temp\RtkBtMnt.exe
[2008/04/14 01:12:40 | 00,218,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
[2008/04/14 01:12:42 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe
[2004/08/04 05:00:00 | 00,016,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\unsecapp.exe
[2008/04/14 01:12:40 | 00,218,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
[2007/07/30 19:19:16 | 00,053,080 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wuauclt.exe
[2008/10/22 21:46:40 | 00,421,888 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Nick F\Desktop\anti-malware\OTViewIt.exe

========== (O23) Win32 Services ==========

[2008/10/16 21:04:04 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice [Auto | Running])
File not found -- -- (aspnet_state [On_Demand | Stopped])
[2005/10/24 16:40:52 | 01,314,816 | ---- | M] (Avocent Inc.) -- C:\Acer\Empowering Technology\admServ.exe -- (AWService [Auto | Running])
[2005/12/13 21:31:36 | 00,254,050 | ---- | M] () -- C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe -- (CLCapSvc [Auto | Running])
[2005/12/13 21:31:38 | 00,114,784 | ---- | M] () -- C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe -- (CLSched [Auto | Running])
[2008/10/16 15:35:04 | 00,519,936 | ---- | M] () -- C:\Program Files\COMODO\Firewall\cmdagent.exe -- (cmdAgent [Auto | Running])
[2005/12/13 21:31:08 | 00,061,440 | ---- | M] (Cyberlink) -- C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe -- (CyberLink Media Library Service [Auto | Running])
[2005/11/28 11:29:00 | 00,114,753 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng [Auto | Running])
[2007/02/04 23:45:46 | 00,138,168 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])
[2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
[2008/10/23 19:37:22 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
[2005/11/28 11:28:14 | 00,217,164 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc [Auto | Running])
[2005/01/21 19:37:16 | 00,143,360 | ---- | M] () -- C:\Program Files\CyberLink\Shared Files\RichVideo.exe -- (RichVideo [Disabled | Stopped])
[2005/11/28 11:31:32 | 00,540,745 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor [Auto | Running])
[2004/09/22 18:46:10 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe -- (UMWdf [Auto | Running])
[2007/10/25 15:27:54 | 00,266,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc [On_Demand | Stopped])

========== Driver Services ==========

[2006/06/15 04:28:26 | 00,021,275 | ---- | M] (Meetinghouse Data Communications) -- C:\WINDOWS\system32\DRIVERS\AegisP.sys -- (AegisP [Auto | Running])
[2004/08/04 05:00:00 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde [Disabled | Stopped])
[2008/04/13 19:36:40 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp [Disabled | Stopped])
[2004/08/04 05:00:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc [Disabled | Stopped])
[2004/08/04 05:00:00 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550 [Disabled | Stopped])
[2005/10/31 14:16:00 | 00,045,312 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys -- (bcm4sbxp [On_Demand | Running])
[2005/12/06 00:16:14 | 00,005,273 | ---- | M] (Arrowkey) -- C:\Program Files\Quintessential Player\cdrpdacc.sys -- (CDRPDACC [Auto | Running])
[2008/10/16 15:35:04 | 00,087,056 | ---- | M] (COMODO) -- C:\WINDOWS\System32\DRIVERS\cmdguard.sys -- (cmdGuard [System | Running])
[2008/10/16 15:35:04 | 00,024,208 | ---- | M] (COMODO) -- C:\WINDOWS\System32\DRIVERS\cmdhlp.sys -- (cmdHlp [System | Running])
[2004/08/04 05:00:00 | 00,006,656 | ---- | M] (CMD Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde [Disabled | Stopped])
[2004/08/04 05:00:00 | 00,179,584 | ---- | M] (Mylex Corporation) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k [Disabled | Stopped])
[2004/12/08 14:10:00 | 00,016,896 | ---- | M] (Dritek System Inc.) -- C:\WINDOWS\system32\DRIVERS\DKbFltr.sys -- (DKbFltr [On_Demand | Running])
[2005/11/17 17:20:02 | 00,060,928 | ---- | M] (ENE Technology Inc.) -- C:\WINDOWS\system32\DRIVERS\EMS7SK.sys -- (EMSCR [On_Demand | Stopped])
[2005/04/22 16:57:06 | 00,004,096 | ---- | M] (Acer Value Labs, USA) -- C:\WINDOWS\system32\drivers\epm-psd.sys -- (EpmPsd [Auto | Running])
[2005/04/22 16:57:06 | 00,078,208 | ---- | M] (Acer Value Labs, USA) -- C:\WINDOWS\system32\drivers\epm-shd.sys -- (EpmShd [Auto | Running])
[2005/11/17 17:20:12 | 00,037,888 | ---- | M] (ENE Technology Inc.) -- C:\WINDOWS\system32\DRIVERS\ESD7SK.sys -- (ESDCR [On_Demand | Stopped])
[2005/11/17 17:20:08 | 00,074,624 | ---- | M] (ENE Technology Inc.) -- C:\WINDOWS\system32\DRIVERS\ESM7SK.sys -- (ESMCR [On_Demand | Stopped])
[2008/10/26 18:44:58 | 00,085,969 | ---- | M] (GMER) -- C:\WINDOWS\System32\DRIVERS\gmer.sys -- (gmer [System | Running])
[2008/04/13 17:36:06 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
[2005/10/24 10:20:52 | 00,218,496 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys -- (HSFHWAZL [On_Demand | Running])
[2005/10/18 16:53:24 | 00,998,656 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys -- (HSF_DPV [On_Demand | Running])
[2005/11/28 14:20:00 | 01,353,820 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\ialmnt5.sys -- (ialm [On_Demand | Running])
[2008/10/16 15:35:04 | 00,079,760 | ---- | M] (COMODO) -- C:\WINDOWS\System32\DRIVERS\inspect.sys -- (Inspect [Boot | Running])
[2005/12/19 17:37:42 | 04,127,232 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Running])
[2008/04/13 19:39:48 | 00,014,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\kbdhid.sys -- (kbdhid [System | Stopped])
[2005/10/05 15:57:08 | 00,012,544 | ---- | M] (Conexant) -- C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys -- (mdmxsdk [Auto | Running])
[2004/08/04 05:00:00 | 00,017,280 | ---- | M] (American Megatrends Inc.) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x [Disabled | Stopped])
[2005/09/13 15:34:40 | 00,004,392 | ---- | M] (OSA Technologies) -- C:\WINDOWS\System32\Drivers\NdisFilt.sys -- (NdisFilt [On_Demand | Running])
[2005/05/02 12:13:42 | 00,009,600 | ---- | M] () -- C:\WINDOWS\system32\DRIVERS\NETMNT.sys -- (NETMNT [On_Demand | Stopped])
[2005/08/03 05:10:14 | 00,032,512 | ---- | M] (CACE Technologies) -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF [On_Demand | Stopped])
[2005/01/21 12:10:38 | 00,006,144 | ---- | M] (NewTech Infosystems, Inc.) -- C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys -- (NTIDrvr [On_Demand | Running])
[2007/05/22 17:04:02 | 00,025,600 | ---- | M] (Novation DMS Ltd.) -- C:\WINDOWS\system32\drivers\nvnusbaudio.sys -- (NvnUsbAudio [On_Demand | Stopped])
[2005/10/15 18:20:44 | 00,012,106 | ---- | M] (OSA Technologies) -- C:\WINDOWS\system32\drivers\OsaFsLoc.sys -- (OsaFsLoc [System | Running])
[2005/06/30 16:58:24 | 00,007,296 | ---- | M] (OSA Technologies, An Avocent Company) -- C:\WINDOWS\system32\drivers\osaio.sys -- (osaio [Auto | Running])
[2005/01/14 15:57:16 | 00,004,010 | ---- | M] (Windows ® 2000 DDK provider) -- C:\WINDOWS\system32\drivers\osanbm.sys -- (osanbm [Auto | Running])
[2006/10/27 15:29:38 | 00,010,368 | ---- | M] (Padus, Inc.) -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc [On_Demand | Running])
[2004/08/04 05:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
[2007/03/07 23:51:00 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
[2004/08/04 05:00:00 | 00,040,320 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080 [Disabled | Stopped])
[2004/08/04 05:00:00 | 00,045,312 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160 [Disabled | Stopped])
[2004/08/04 05:00:00 | 00,049,024 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280 [Disabled | Stopped])
[2006/09/28 05:56:20 | 00,172,401 | ---- | M] (Roland Corporation) -- C:\WINDOWS\system32\Drivers\rdwm1046.sys -- (RDID1046 [On_Demand | Stopped])
[2005/11/28 12:09:26 | 00,013,568 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\s24trans.sys -- (s24trans [Auto | Running])
[2008/04/13 19:36:44 | 00,079,232 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\sdbus.sys -- (sdbus [On_Demand | Stopped])
[2006/04/28 17:24:42 | 00,061,600 | ---- | M] (MCCI) -- C:\WINDOWS\system32\DRIVERS\SE27bus.sys -- (SE27bus [On_Demand | Stopped])
[2006/04/28 17:25:40 | 00,009,360 | ---- | M] (MCCI) -- C:\WINDOWS\system32\DRIVERS\SE27mdfl.sys -- (SE27mdfl [On_Demand | Stopped])
[2006/04/28 17:25:44 | 00,097,184 | ---- | M] (MCCI) -- C:\WINDOWS\system32\DRIVERS\SE27mdm.sys -- (SE27mdm [On_Demand | Stopped])
[2006/04/28 17:26:46 | 00,088,688 | ---- | M] (MCCI) -- C:\WINDOWS\system32\DRIVERS\SE27mgmt.sys -- (SE27mgmt [On_Demand | Stopped])
[2006/04/28 17:27:48 | 00,086,560 | ---- | M] (MCCI) -- C:\WINDOWS\system32\DRIVERS\SE27obex.sys -- (SE27obex [On_Demand | Stopped])
[2006/04/28 17:24:00 | 00,090,800 | ---- | M] (MCCI) -- C:\WINDOWS\system32\DRIVERS\se27unic.sys -- (se27unic [On_Demand | Stopped])
[2007/11/13 10:25:54 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2008/04/13 19:36:40 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp [Disabled | Stopped])
[2004/06/16 11:19:58 | 00,046,080 | ---- | M] (SMSC) -- C:\WINDOWS\system32\DRIVERS\smcirda.sys -- (SMCIRDA [On_Demand | Stopped])
[2001/08/17 13:56:16 | 00,007,552 | ---- | M] (Sony Corporation) -- C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS -- (SONYPVU1 [On_Demand | Stopped])
[2004/08/04 05:00:00 | 00,019,072 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow [Disabled | Stopped])
[2004/08/04 05:00:00 | 00,016,256 | ---- | M] (Symbios Logic Inc.) -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810 [Disabled | Stopped])
[2004/08/04 05:00:00 | 00,032,640 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx [Disabled | Stopped])
[2004/08/04 05:00:00 | 00,028,384 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi [Disabled | Stopped])
[2004/08/04 05:00:00 | 00,030,688 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3 [Disabled | Stopped])
[2005/07/20 14:53:54 | 00,190,592 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\system32\DRIVERS\SynTP.sys -- (SynTP [On_Demand | Running])
[2004/12/17 16:14:44 | 00,013,952 | ---- | M] () -- C:\WINDOWS\System32\drivers\UBHelper.sys -- (UBHelper [Boot | Running])
[2004/08/04 05:00:00 | 00,036,736 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra [Disabled | Stopped])
[2005/12/04 09:55:30 | 01,428,096 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\DRIVERS\w39n51.sys -- (w39n51 [On_Demand | Running])
[2005/10/18 16:52:30 | 00,721,280 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys -- (winachsf [On_Demand | Running])
[2008/04/13 19:36:38 | 00,008,832 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\wmiacpi.sys -- (WmiAcpi [System | Running])
[2005/01/13 14:46:16 | 00,069,632 | ---- | M] () -- C:\Acer\Empowering Technology\eRecovery\int15.sys -- (int15.sys [Auto | Running])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://go.microsoft.com/fwlink/?LinkId=69157
"Default_Search_URL"=http://go.microsoft.com/fwlink/?LinkId=54896
"Default_Secondary_Page_URL"=
"Extensions Off Page"=about:NoAdd-ons
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Security Risk Page"=about:SecurityRisk
"Start Page"=http://go.microsoft.com/fwlink/?LinkId=69157

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"Default_Search_URL"=http://www.google.com/ie
"SearchAssistant"=http://www.google.com/ie

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.google.com
"SearchMigratedDefaultName"=Google
"SearchMigratedDefaultURL"=http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
"Start Page"=about:blank

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"=http://www.google.com/ie

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
""=http://www.google.com/search?q=%s

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-21-3491692550-1241253617-669659899-1006\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.google.com
"SearchMigratedDefaultName"=Google
"SearchMigratedDefaultURL"=http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
"Start Page"=about:blank

[HKEY_USERS\S-1-5-21-3491692550-1241253617-669659899-1006\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"=http://www.google.com/ie

[HKEY_USERS\S-1-5-21-3491692550-1241253617-669659899-1006\Software\Microsoft\Internet Explorer\SearchURL]
""=http://www.google.com/search?q=%s

[HKEY_USERS\S-1-5-21-3491692550-1241253617-669659899-1006\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-3491692550-1241253617-669659899-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

HOSTS File = (686 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (HKLM) -- C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} (HKLM) -- C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
{53707962-6F74-2D53-2644-206D7942484F} (HKLM) -- C:\PROGRA~1\SPYBOT~1\SDHelper.dll (Safer Networking Limited)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
{AA58ED58-01DD-4d91-8333-CF10577473F7} (HKLM) -- c:\program files\google\googletoolbar3.dll (Google Inc.)
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (HKLM) -- C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll (Google Inc.)
{DBC80044-A445-435b-BC74-9C25C1C588A9} (HKLM) -- C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
{E7E6F031-17CE-4C07-BC86-EABFE594F69C} (HKLM) -- C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)

========== (O3) Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" (HKLM) -- c:\program files\google\googletoolbar3.dll (Google Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" (HKLM) -- c:\program files\google\googletoolbar3.dll (Google Inc.)

[HKEY_USERS\S-1-5-21-3491692550-1241253617-669659899-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" (HKLM) -- c:\program files\google\googletoolbar3.dll (Google Inc.)

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acer ePower Management"=C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot (Acer Value Labs, Taiwan)
"ADMTray.exe"="C:\Acer\Empowering Technology\admtray.exe" (Avocent Inc.)
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
"ClamWin"="C:\Program Files\ClamWin\bin\ClamTray.exe" --logon (alch)
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" -h ()
"eDataSecurity Loader"=C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe (HiTRUST)
"ePower_DMC"=C:\Acer\Empowering Technology\ePower\ePower_DMC.exe (Acer Incorporated)
"eRecoveryService"=C:\Acer\Empowering Technology\eRecovery\Monitor.exe (acer Inc.)
"igfxhkcmd"=C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
"igfxpers"=C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 (Microsoft Corporation)
"MSPY2002"=C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC ()
"NvnUsbAudioLogger"="C:\Program Files\Novation\USB Audio Driver\nvnusbaudiolog.exe" (Novation DMS Ltd.)
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName (Microsoft Corporation)
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC (Microsoft Corporation)
"RTHDCPL"=RTHDCPL.EXE (Realtek Semiconductor Corp.)
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="C:\Documents and Settings\Nick F\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (Google Inc.)
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)

[HKEY_USERS\S-1-5-21-3491692550-1241253617-669659899-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="C:\Documents and Settings\Nick F\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (Google Inc.)
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)

========== (O4) Startup Folders ==========

[1999/11/04 15:06:48 | 00,113,664 | ---- | M] (Adobe Systems, Inc.) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

========== (O6 & O7) Current Version Policies ==========

[HKEY_CURRENT_USER\Software\policies\microsoft\internet explorer\Control Panel]
"Homepage"=0

[HKEY_CURRENT_USER\Software\policies\microsoft\internet explorer\Restrictions]
"NoBrowserOptions"=1

[HKEY_USERS\S-1-5-21-3491692550-1241253617-669659899-1006\Software\policies\microsoft\internet explorer\Control Panel]
"Homepage"=0

[HKEY_USERS\S-1-5-21-3491692550-1241253617-669659899-1006\Software\policies\microsoft\internet explorer\Restrictions]
"NoBrowserOptions"=1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145
"NoStrCmpLogical"=01 00 00 00 [binary data]
"NoDriveAutoRun"=10 00 00 00 [binary data]

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=91 00 00 00 [binary data]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=91 00 00 00 [binary data]

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-3491692550-1241253617-669659899-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145
"NoStrCmpLogical"=01 00 00 00 [binary data]
"NoDriveAutoRun"=10 00 00 00 [binary data]

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}: Menu: Spybot - Search & Destroy Configuration -- %SystemDrive%\PROGRA~1\SPYBOT~1\SDHelper.dll [2008/09/15 14:25:44 | 01,562,960 | ---- | M] (Safer Networking Limited)
{e2e2dd38-d088-4134-82b7-f2ba38496583}: Menu: @xpsp3res.dll,-20001 -- %SystemRoot%\Network Diagnostic\xpnetdiag.exe [2008/04/13 19:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008/04/14 01:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008/04/14 01:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> [Reg Error: Value does not exist or could not be read.] -> File not found
CmdMapping\\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} [HKLM] -> %SystemDrive%\PROGRA~1\SPYBOT~1\SDHelper.dll [Spybot - Search & Destroy Configuration] -> [2008/09/15 14:25:44 | 01,562,960 | ---- | M] (Safer Networking Limited)
CmdMapping\\{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> %SystemRoot%\Network Diagnostic\xpnetdiag.exe [@xpsp3res.dll,-20001] -> [2008/04/13 19:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 01:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> [Reg Error: Value does not exist or could not be read.] -> File not found
CmdMapping\\{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> %SystemRoot%\Network Diagnostic\xpnetdiag.exe [@xpsp3res.dll,-20001] -> [2008/04/13 19:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 01:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> [Reg Error: Value does not exist or could not be read.] -> File not found
CmdMapping\\{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> %SystemRoot%\Network Diagnostic\xpnetdiag.exe [@xpsp3res.dll,-20001] -> [2008/04/13 19:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 01:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-3491692550-1241253617-669659899-1006\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> [Reg Error: Value does not exist or could not be read.] -> File not found
CmdMapping\\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} [HKLM] -> %SystemDrive%\PROGRA~1\SPYBOT~1\SDHelper.dll [Spybot - Search & Destroy Configuration] -> [2008/09/15 14:25:44 | 01,562,960 | ---- | M] (Safer Networking Limited)
CmdMapping\\{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> %SystemRoot%\Network Diagnostic\xpnetdiag.exe [@xpsp3res.dll,-20001] -> [2008/04/13 19:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 01:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
46 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
microsoft.com\*.update: http in My Computer
microsoft.com\*.update: https in Local intranet
windowsupdate.com\download: http in My Computer
49 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
47 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
47 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
105 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
105 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-21-3491692550-1241253617-669659899-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
microsoft.com\*.update: http in My Computer
microsoft.com\*.update: https in Local intranet
windowsupdate.com\download: http in My Computer
49 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{6414512B-B978-451D-A0D8-FCFDF33E833C}: http://www.update.microsoft.com/microsoftu...b?1194207050781 -- WUWebControl Class
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}: http://www.update.microsoft.com/microsoftu...b?1194207041109 -- MUWebControl Class
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_10
{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_10
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_10

========== (O17) DNS Name Servers ==========

{2AE3E7ED-A9B8-45EB-8295-E346CE687983} (Servers: | Description: Broadcom 440x 10/100 Integrated Controller)
{B48D51AB-0452-49ED-8927-82B60F0E2EE0} (Servers: | Description: Intel® PRO/Wireless 3945ABG Network Connection)

========== (O19) User Style Sheets ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles]

========== (O20) AppInit_DLLs ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_Dlls"=C:\WINDOWS\system32\guard32.dll
>[2008/10/16 15:35:04 | 00,143,104 | ---- | M] () -- C:\WINDOWS\system32\guard32.dll

========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
igfxcui: "DllName" = igfxdev.dll -- C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 0

========== Autorun Files on Drives ==========

AUTOEXEC.BAT [PATH=%PATH%;C:\PROGRA~1\COMMON~1\MUVEET~1\030625 | ]
[2005/01/21 12:11:40 | 00,000,050 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ FAT32 ]

========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f282b0da-6246-11dc-8e9f-000fb0f0570b}\Shell]
""=AutoRun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f282b0da-6246-11dc-8e9f-000fb0f0570b}\Shell\AutoRun]
""=Auto&Play


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f282b0da-6246-11dc-8e9f-000fb0f0570b}\Shell\AutoRun\command]
""=F:\LaunchU3.exe -- File not found

========== Files/Folders - Created Within 30 Days ==========

[3 C:\WINDOWS\*.tmp files]
[2008/10/26 23:06:24 | 10,633,74848 | -HS- | C] () -- C:\hiberfil.sys
[2008/10/26 21:46:07 | 00,578,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\user32.dll
[2008/10/26 21:42:39 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERUNT
[2008/10/26 21:36:29 | 00,000,000 | ---D | C] -- C:\SDFix
[2008/10/26 18:44:57 | 00,085,969 | ---- | C] (GMER) -- C:\WINDOWS\System32\drivers\gmer.sys
[2008/10/26 18:44:57 | 00,000,345 | ---- | C] () -- C:\WINDOWS\gmer.ini
[2008/10/26 18:44:57 | 00,000,080 | ---- | C] () -- C:\WINDOWS\gmer_uninstall.cmd
[2008/10/26 18:44:56 | 00,884,736 | ---- | C] () -- C:\WINDOWS\gmer.dll
[2008/10/26 18:44:56 | 00,811,008 | ---- | C] () -- C:\WINDOWS\gmer.exe
[2008/10/25 13:36:27 | 00,000,000 | ---D | C] -- C:\Useful Software
[2008/10/24 01:09:11 | 00,337,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\netapi32.dll
[2008/10/24 01:03:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\dfshim.dll
[2008/10/24 00:04:59 | 00,000,000 | ---D | C] -- C:\WINDOWS\SxsCaPendDel
[2008/10/24 00:03:48 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2008/10/20 23:16:23 | 00,052,551 | ---- | C] () -- C:\Documents and Settings\Nick F\Desktop\20081020152735706.pdf
[2008/10/16 21:03:27 | 00,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2008/10/16 21:03:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2008/10/16 21:02:47 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2008/10/16 15:35:04 | 00,143,104 | ---- | C] () -- C:\WINDOWS\System32\guard32.dll
[2008/10/16 15:35:04 | 00,087,056 | ---- | C] (COMODO) -- C:\WINDOWS\System32\drivers\cmdguard.sys
[2008/10/16 15:35:04 | 00,079,760 | ---- | C] (COMODO) -- C:\WINDOWS\System32\drivers\inspect.sys
[2008/10/16 15:35:04 | 00,024,208 | ---- | C] (COMODO) -- C:\WINDOWS\System32\drivers\cmdhlp.sys
[2008/10/16 15:35:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\comodo
[2008/10/16 15:11:28 | 00,333,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\srv.sys
[2008/10/16 15:11:22 | 02,189,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntoskrnl.exe
[2008/10/16 15:11:22 | 02,145,280 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrnlmp.exe
[2008/10/16 15:11:21 | 02,066,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrnlpa.exe
[2008/10/16 15:11:21 | 02,023,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrpamp.exe
[2008/10/16 15:11:01 | 01,846,400 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\win32k.sys
[2008/10/16 15:09:43 | 00,331,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msadce.dll
[2008/10/16 15:08:59 | 00,691,712 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\inetcomm.dll
[2008/10/16 02:31:35 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Nick F\Application Data\Comodo
[2008/10/16 02:31:31 | 00,000,000 | ---D | C] -- C:\Program Files\COMODO
[2008/10/16 02:27:15 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2008/10/16 02:25:32 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Nick F\Desktop\anti-malware
[2008/10/16 01:57:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Nick F\Application Data\Malwarebytes
[2008/10/16 01:57:00 | 00,017,200 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2008/10/16 01:56:59 | 00,038,528 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2008/10/16 01:56:57 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2008/10/16 01:56:56 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2008/10/09 14:26:59 | 00,000,000 | ---D | C] -- C:\Program Files\WinMerge
[2008/10/02 16:46:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Audio Damage

========== Files - Modified Within 30 Days ==========

[3 C:\WINDOWS\*.tmp files]
[2008/10/26 23:07:54 | 00,000,451 | ---- | M] () -- C:\WINDOWS\System32\eRLog.ini
[2008/10/26 23:06:50 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2008/10/26 23:06:32 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2008/10/26 23:06:26 | 10,633,74848 | -HS- | M] () -- C:\hiberfil.sys
[2008/10/26 22:45:54 | 00,000,345 | ---- | M] () -- C:\WINDOWS\gmer.ini
[2008/10/26 22:14:00 | 03,730,142 | -H-- | M] () -- C:\Documents and Settings\Nick F\Local Settings\Application Data\IconCache.db
[2008/10/26 21:46:08 | 00,578,560 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\user32.dll
[2008/10/26 20:45:32 | 00,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2008/10/26 18:44:58 | 00,884,736 | ---- | M] () -- C:\WINDOWS\gmer.dll
[2008/10/26 18:44:58 | 00,085,969 | ---- | M] (GMER) -- C:\WINDOWS\System32\drivers\gmer.sys
[2008/10/26 18:44:58 | 00,000,080 | ---- | M] () -- C:\WINDOWS\gmer_uninstall.cmd
[2008/10/26 16:00:46 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2008/10/26 15:15:08 | 00,251,088 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/10/24 01:03:12 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\dfshim.dll
[2008/10/24 00:04:54 | 00,404,548 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2008/10/24 00:04:54 | 00,062,624 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2008/10/20 23:31:36 | 00,052,551 | ---- | M] () -- C:\Documents and Settings\Nick F\Desktop\20081020152735706.pdf
[2008/10/19 12:13:12 | 00,000,562 | ---- | M] () -- C:\Documents and Settings\Nick F\Desktop\REAPER.lnk
[2008/10/18 23:43:24 | 00,025,598 | ---- | M] () -- C:\WINDOWS\cool.ini
[2008/10/18 23:43:24 | 00,006,736 | ---- | M] () -- C:\WINDOWS\coolcust.ini
[2008/10/17 17:33:02 | 00,112,640 | ---- | M] () -- C:\Documents and Settings\Nick F\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/10/16 15:35:04 | 00,143,104 | ---- | M] () -- C:\WINDOWS\System32\guard32.dll
[2008/10/16 15:35:04 | 00,087,056 | ---- | M] (COMODO) -- C:\WINDOWS\System32\drivers\cmdguard.sys
[2008/10/16 15:35:04 | 00,079,760 | ---- | M] (COMODO) -- C:\WINDOWS\System32\drivers\inspect.sys
[2008/10/16 15:35:04 | 00,024,208 | ---- | M] (COMODO) -- C:\WINDOWS\System32\drivers\cmdhlp.sys
[2008/10/16 15:17:30 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2008/10/16 15:15:54 | 00,459,836 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2008/10/16 02:18:28 | 00,000,712 | ---- | M] () -- C:\WINDOWS\win.ini
[2008/10/16 02:18:28 | 00,000,253 | ---- | M] () -- C:\WINDOWS\system.ini
[2008/10/16 02:18:28 | 00,000,211 | -HS- | M] () -- C:\boot.ini
[2008/10/15 17:34:24 | 00,337,408 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\netapi32.dll
[2008/10/15 17:34:24 | 00,337,408 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\netapi32.dll
[2008/10/14 17:19:00 | 00,000,416 | ---- | M] () -- C:\WINDOWS\ClaviaModularEditor Preferences
[2008/10/13 18:06:16 | 00,001,000 | ---- | M] () -- C:\WINDOWS\energyXT.ini
[2008/10/13 15:32:00 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2008/10/11 01:12:32 | 00,002,257 | ---- | M] () -- C:\Documents and Settings\Nick F\Desktop\Skype.lnk
[2008/10/08 00:06:28 | 00,002,499 | ---- | M] () -- C:\Documents and Settings\Nick F\Desktop\ACDSee 8.lnk
[2008/10/07 12:19:42 | 16,721,856 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2008/10/03 18:41:16 | 06,066,176 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ieframe.dll
[2008/10/03 18:41:16 | 06,066,176 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieframe.dll
[2008/10/01 13:35:24 | 00,062,816 | ---- | M] () -- C:\Documents and Settings\Nick F\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
< End of report >
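An added example, not part of the thread and not OTL's own code: a small Python parser for the `[date time | size | attrs | C] (Company) -- path` entries in the log above, with the first pass a log reviewer does by eye (executables under the Windows directory that carry no embedded company name, and which vendor's files landed in the same second as a flagged one). The sample lines are copied from the log above; the path and extension rules are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One OTL file entry: [date time | size | attribute flags | C(reated)/M(odified)] (Company) -- path
OTL_ENTRY = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) "
    r"\| [CM]\]\s*(?:\((?P<company>[^)]*)\))?\s*-- (?P<path>.+?)\s*$"
)
# Assumed triage rule: executable types under the Windows directory with no company name.
EXEC_EXT = (".dll", ".exe", ".sys")

@dataclass
class OtlEntry:
    stamp: str      # creation/modification time exactly as OTL prints it
    size: int       # bytes, commas removed
    attrs: str      # e.g. "---D" for a directory, "-HS-" for hidden+system
    company: str    # embedded company name, "" when OTL printed "()"
    path: str

def parse_otl_entry(line: str) -> Optional[OtlEntry]:
    """Parse one log line; returns None for section headers and other non-entry lines."""
    m = OTL_ENTRY.match(line.strip())
    if not m:
        return None
    return OtlEntry(m["stamp"], int(m["size"].replace(",", "")), m["attrs"],
                    (m["company"] or "").strip(), m["path"])

def flag_unattributed(entries: List[OtlEntry]) -> List[str]:
    """Paths a reviewer reads first: executables under the Windows directory with no company name."""
    return [e.path for e in entries
            if not e.attrs.endswith("D") and not e.company
            and e.path.lower().startswith("c:\\windows\\") and e.path.lower().endswith(EXEC_EXT)]

def siblings_by_stamp(entries: List[OtlEntry], path: str) -> List[str]:
    """Company names of other files created in the same second as `path`. An unattributed
    file that lands alongside a vendor's drivers is usually part of that vendor's install,
    which is a hint for the reviewer, not a verdict."""
    stamps = {e.path: e.stamp for e in entries}
    if path not in stamps:
        return []
    return sorted({e.company for e in entries
                   if e.stamp == stamps[path] and e.path != path and e.company})

# Constructed sample: a subset of the "Created Within 30 Days" lines from the log above.
SAMPLE_LOG = r"""
[2008/10/26 18:44:57 | 00,085,969 | ---- | C] (GMER) -- C:\WINDOWS\System32\drivers\gmer.sys
[2008/10/26 18:44:56 | 00,884,736 | ---- | C] () -- C:\WINDOWS\gmer.dll
[2008/10/24 01:03:11 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\dfshim.dll
[2008/10/16 15:35:04 | 00,143,104 | ---- | C] () -- C:\WINDOWS\System32\guard32.dll
[2008/10/16 15:35:04 | 00,087,056 | ---- | C] (COMODO) -- C:\WINDOWS\System32\drivers\cmdguard.sys
[2008/10/16 15:35:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\comodo
""".strip().splitlines()
```

Run over the sample, guard32.dll is flagged as unattributed but shares its creation second with the COMODO driver, while gmer.dll has no attributed sibling at all (gmer.sys was written one second later).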

#13 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:10:38 AM

Posted 27 October 2008 - 10:42 AM

Hello Nick1979.

SDFix did take care of that rootkit.

Hmm, I've never seen that with GMER before.

Do you know what this rootkit was, or what it was likely to have been doing? I'd be very interested to know a little about what the thing was.

This rootkit was a backdoor, meaning it can allow remote access to your computer, though I can't be sure exactly because there are many variants of the infection.
------
Please delete this file:
C:\Program Files\Opera\profile\images\www.frodosnotebook.com.gif

Install Antivirus
I see that you have Clam installed, but that does not have real-time protection.

An anti-virus is essential in keeping your computer safe while surfing the Internet. Please install a free anti-virus program from one of the trusted vendors below:
After installing, update the database, run a full system scan and remove any items found.

F-Secure Online Scan
Let's do one more scan.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

Please post back with:
-the F-Secure log
-a new HijackThis log.

How is your computer running now?

With Regards,
The Panda

#14 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:10:38 AM

Posted 01 November 2008 - 08:30 AM

Hello.

There has been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda

#15 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:10:38 AM

Posted 01 November 2008 - 01:54 PM

Hello.

Topic is reopened.

The Panda
