
Virus/Malware. 17 svchost.exe ?


  • This topic is locked
12 replies to this topic

#1 Kevooo

  • Members
  • 8 posts

Posted 21 November 2008 - 02:04 AM

So I got a virus, or two, when downloading some codecs to watch some videos. I've been trying anything I can get my hands on.

It's using up a lot of my processing resources, redirecting me when I click on hyperlinks using Firefox, and stopping me from installing applications (i.e. HijackThis, Spybot, etc.). When trying to connect to some secure sites for antiviruses, I get no connection (also can't update antivirus because it says no connection).

Here is my HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:36:18 AM, on 11/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\dsgfdfgfd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\Kevin\LOCALS~1\Temp\csrssc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdlcl.exe] C:\WINDOWS\system32\kdlcl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Kevin\LOCALS~1\Temp\csrssc.exe
O4 - HKUS\S-1-5-18\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1205184960843
O17 - HKLM\System\CCS\Services\Tcpip\..\{E0A29F89-61C7-46DB-821B-1C526C27F8CF}: NameServer = 85.255.112.100;85.255.112.217
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll
O22 - SharedTaskScheduler: mcb7uehuj3n8weuhejsw - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\jsne87fidgf.dll
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


Ran Spybot; I've been unable to remove a trojan called:
PWS.LSPinchIE
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\idstrf


I've had to go through proxies to be able to even download HJT and Spybot. In order for the installation to launch I had to rename the installation files. I'd be grateful for any help :thumbsup:
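A note on what stands out in the log above, and an added example to go with it (this is not code from the original post, from HijackThis or from BleepingComputer). Seventeen svchost.exe processes are not in themselves a sign of infection on Windows XP: each one hosts a group of services. What is abnormal is the image path of the two O23 services, C:\WINDOWS\system32\svchost.exe:ext.exe, which is an NTFS alternate data stream attached to the real svchost.exe; Explorer and a plain dir do not list streams, so the file looks untouched. The other entries an analyst would pull out first are the O4 autorun from the user's Temp folder, the O4 entries registered under the SYSTEM and Default-user hives, the O7 policy disabling regedit, the O17 NameServer values hard-coded in the registry (consistent with the redirect and "no connection" symptoms, though that has to be confirmed against what the ISP actually hands out), and the O22 entry with a random-looking name. The script below walks those entry types and reports each signal; the rules, the severity labels and the names triage, looks_generated and Finding are my own assumptions, and SAMPLE_HJT_LOG is constructed from lines copied out of the log above.

```python
"""Triage of HijackThis (HJT) log entries.

Added example: not code from the original post or from HijackThis.  The rules,
severities and names are my own assumptions; SAMPLE_HJT_LOG is constructed
from lines in the log posted above (paths, GUIDs and IPs copied verbatim).
"""
import ipaddress
import re
from dataclasses import dataclass

SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdlcl.exe] C:\WINDOWS\system32\kdlcl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Kevin\LOCALS~1\Temp\csrssc.exe
O4 - HKUS\S-1-5-18\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe (User 'SYSTEM')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\..\{E0A29F89-61C7-46DB-821B-1C526C27F8CF}: NameServer = 85.255.112.100;85.255.112.217
O22 - SharedTaskScheduler: mcb7uehuj3n8weuhejsw - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\jsne87fidgf.dll
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
O4_RE = re.compile(r"^(?P<hive>.+?): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
ADS_RE = re.compile(r"\.(?:exe|dll|sys):[^\\\s]+", re.IGNORECASE)  # file.exe:stream
DIGIT_INSIDE_RE = re.compile(r"[A-Za-z]\d+[A-Za-z]")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


@dataclass(frozen=True)
class Finding:
    entry: str     # HJT section: O4, O7, O17, ...
    severity: str  # "high": act on it; "verify": confirm against a known-good source
    reason: str
    line: str


def looks_generated(name: str) -> bool:
    """Crude generated-name test: digits wedged between letters, or six or more
    letters with no vowel.  Deliberately weak (it misses 'brastk'); a hint for
    the analyst, not a verdict."""
    if DIGIT_INSIDE_RE.search(name):
        return True
    letters = re.sub(r"[^A-Za-z]", "", name)
    return len(letters) >= 6 and not re.search(r"[aeiou]", letters, re.IGNORECASE)


def triage(log_text: str) -> list:
    """Return one Finding per suspicious signal in the HJT entries."""
    findings = []

    def add(entry, severity, reason, line):
        findings.append(Finding(entry, severity, reason, line))

    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        entry, body = m.groups()

        # Any entry type: file.exe:stream is an NTFS alternate data stream; the
        # host file itself (here svchost.exe) is unchanged and looks clean.
        if ADS_RE.search(body):
            add(entry, "high", "image path is an NTFS alternate data stream", line)

        if entry == "O4":
            o4 = O4_RE.match(body)
            if not o4:
                continue
            hive, label, cmd = o4.group("hive"), o4.group("label"), o4.group("cmd")
            if re.search(r"\\Temp\\", cmd, re.IGNORECASE):
                add(entry, "high", "autorun launches from a Temp directory", line)
            if label.lower() == cmd.strip().lower():
                add(entry, "high", "run-key value name is the executable path itself", line)
            if hive.startswith(("HKUS\\S-1-5-18", "HKUS\\.DEFAULT")):
                add(entry, "high", "autorun registered in the SYSTEM/Default-user hive", line)
            if looks_generated(label):
                add(entry, "verify", "value name looks machine-generated", line)

        elif entry == "O7" and re.search(r"Disable(?:Regedit|RegistryTools)=1", body):
            add(entry, "high", "policy disables the registry editor", line)

        elif entry == "O17":
            servers = IPV4_RE.findall(body)
            public = [ip for ip in servers if not ipaddress.ip_address(ip).is_private]
            if servers:
                note = f" ({len(public)} not RFC 1918); confirm they are the ISP's" if public else ""
                add(entry, "verify", "DNS servers hard-coded in the registry: "
                    + ", ".join(servers) + note, line)

        elif entry == "O22":
            parts = body.split(": ", 1)[1].split(" - ", 2)  # name - {GUID} - path
            if len(parts) == 3:
                stem = parts[2].rsplit("\\", 1)[-1].rsplit(".", 1)[0]
                if looks_generated(parts[0]) or looks_generated(stem):
                    add(entry, "verify", "SharedTaskScheduler name or DLL looks machine-generated", line)

        elif entry == "O23":
            parts = body.split(": ", 1)[1].split(" - ", 2)  # name - owner - path
            if len(parts) == 3 and parts[1] == "Unknown owner":
                add(entry, "verify", f"service '{parts[0]}' has no recorded owner", line)

    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f.severity:6}] {f.entry:4} {f.reason}\n         {f.line}")
```

Run against the sample it yields eleven findings: six "high" (the two ADS service paths, the Temp autorun, the run-key value whose name is its own path, the autorun in the SYSTEM hive, the regedit policy) and five "verify" (the two unknown-owner services, the hard-coded DNS servers, and the two generated-looking names). The NVIDIA entries produce nothing, which is the point of keeping the name heuristic weak: it is there to order the analyst's attention, not to decide anything on its own.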


#2 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 26 November 2008 - 04:27 PM

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following so I can have a look at the current condition of your machine.

If you do not make a reply in 5 days, we will need to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can use the button at the top bar of this topic to Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
Download and Run OTViewit
  • Please download OTViewIt by OldTimer.
  • Save it to your desktop.
  • Double click on the OTViewIt icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • Two reports will open, copy and paste them in a reply here:
  • OTViewIt.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
Run Kaspersky Online Scanner
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

In your next reply please include the following:
  • OTViewIt.txt
  • Extra.txt
  • Kaspersky's Log


Important Note: For other users who are reading this topic, the instructions provided in this topic are for the original topic starter ONLY. Even if you have similar problems or even log entries to those given here, please do not follow the directions, especially those involving specific tools and scripts. Doing so can result in serious damage to your computer. Instead, please start your own topic and feel free to link to any relevant topics as needed. Please Do NOT follow the instructions provided for this topic.

Thanks :thumbsup:

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free.

#3 Kevooo

  • Topic Starter

Posted 26 November 2008 - 04:59 PM

Doing the Kaspersky scan at the moment. Just thought I'd post the OTViewIt logs in the meantime. Also, since it has been a few days since I originally posted, I can post a new HJT log if you would like.

Attached Files



#4 extremeboy

  • Malware Response Team

Posted 26 November 2008 - 08:45 PM

I'll do a review once you post in the Kaspersky scan as well. :thumbsup:

You can add in a fresh Hijackthis as well.

Edit: Also, can you post the logs inline instead of attaching them? Attachments make them more difficult to see.
Re-scan with OTViewIT and post back the logs.

With Regards,
Extremeboy

Edited by extremeboy, 26 November 2008 - 08:49 PM.


#5 Kevooo

  • Topic Starter

Posted 27 November 2008 - 01:55 AM

OTViewIt-
OTViewIt logfile created on: 11/26/2008 4:51:48 PM - Run
OTViewIt by OldTimer - Version 1.0.20.0 Folder = C:\Documents and Settings\Kevin\Desktop
Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.98 Mb Total Physical Memory | 670.15 Mb Available Physical Memory | 65.51% Memory free
2.40 Gb Paging File | 2.07 Gb Available in Paging File | 86.29% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.46 Gb Total Space | 50.78 Gb Free Space | 68.19% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 65.05 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MCMASTER-4CA64F
Current User Name: Kevin
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2004/08/10 07:00:00 | 00,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rundll32.exe
[2008/11/26 14:19:29 | 00,060,416 | ---- | M] () -- C:\WINDOWS\system32\CbEvtSvc.exe
[2004/08/10 04:04:40 | 00,194,560 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\ehRecvr.exe
[2004/08/10 04:04:42 | 00,102,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\ehSched.exe
[2007/11/27 12:52:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
[2004/08/10 07:00:00 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe
[2004/08/10 07:00:00 | 00,093,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\IEXPLORE.EXE
[2008/11/14 23:18:30 | 07,676,528 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
[2008/11/26 16:51:33 | 00,422,400 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Kevin\Desktop\OTViewIt.exe

========== (O23) Win32 Services ==========

File not found -- -- (ALG [Disabled | Stopped])
[2005/09/23 07:28:32 | 00,029,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2008/11/26 14:19:29 | 00,060,416 | ---- | M] () -- C:\WINDOWS\system32\CbEvtSvc.exe -- (CbEvtSvc [Auto | Running])
[2005/09/23 07:28:56 | 00,066,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[2004/08/10 04:04:40 | 00,194,560 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\ehRecvr.exe -- (ehRecvr [Auto | Running])
[2004/08/10 04:04:42 | 00,102,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\ehSched.exe -- (ehSched [Auto | Running])
[2006/10/20 21:21:24 | 00,036,864 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
[2006/10/30 03:33:58 | 00,741,376 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
[2003/02/17 17:00:44 | 00,303,104 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\LEXBCES.EXE -- (LexBceS [Disabled | Stopped])
[2006/10/30 03:34:02 | 00,122,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
[2007/11/27 12:52:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc [Auto | Running])
[2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [Disabled | Stopped])
[2004/08/10 07:00:00 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe -- (UMWdf [Auto | Running])

========== Driver Services ==========

[2008/11/26 16:48:10 | 00,032,768 | ---- | M] () -- C:\WINDOWS\system32\drivers\ati8vaxx.sys -- (ati8vaxx [Boot | Running])
[2003/09/22 08:48:06 | 00,130,192 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k [On_Demand | Running])
[2003/03/04 12:56:26 | 00,145,408 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\e100b325.sys -- (E100B [On_Demand | Running])
[2008/11/21 12:24:43 | 00,135,712 | ---- | M] () -- C:\WINDOWS\system32\drivers\ethqgobh.sys -- (ethqgobh [System | Stopped])
[2008/11/26 09:34:49 | 00,065,024 | ---- | M] () -- C:\Documents and Settings\Kevin\Local Settings\Temp\OnlineScanner\Anti-Virus\fsgk.sys -- (F-Secure Standalone Minifilter [On_Demand | Stopped])
[2004/08/03 23:08:22 | 00,010,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum [On_Demand | Running])
[1996/04/03 14:33:26 | 00,005,248 | ---- | M] () -- C:\WINDOWS\system32\giveio.sys -- (giveio [Boot | Running])
[2004/08/03 22:58:36 | 00,014,848 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\kbdhid.sys -- (kbdhid [System | Stopped])
[2008/11/20 03:25:27 | 00,027,904 | ---- | M] (Windows ® Codename Longhorn DDK provider) -- C:\WINDOWS\system32\drivers\ndisprot.sys -- (Ndisprot [On_Demand | Stopped])
[2007/11/27 12:52:00 | 07,433,600 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv [On_Demand | Running])
[2003/09/22 08:47:38 | 00,178,672 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv [On_Demand | Running])
[2003/09/22 12:43:06 | 01,330,048 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\P16X.sys -- (P16X [On_Demand | Running])
[2003/03/05 12:19:28 | 00,015,840 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\PFMODNT.SYS -- (PfModNT [Auto | Running])
[2004/08/10 07:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2008/09/19 16:57:32 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\pxhelp20.sys -- (PxHelp20 [Boot | Running])
[2008/11/21 09:05:08 | 00,000,000 | ---D | M] -- C:\WINDOWS\System32\Restore -- (restore [On_Demand | Stopped])
[2004/08/10 07:00:00 | 00,027,440 | ---- | M] () -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2004/09/17 09:02:54 | 00,732,928 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt [On_Demand | Running])
[2005/01/27 15:31:06 | 00,260,352 | ---- | M] (Analog Devices, Inc.) -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm [On_Demand | Running])
[2006/09/24 08:28:46 | 00,005,248 | ---- | M] (Windows ® 2000 DDK provider) -- C:\WINDOWS\system32\speedfan.sys -- (speedfan [Boot | Running])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
"Local Page"=%SystemRoot%\system32\blank.htm

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Page_Transitions"=
"Start Page"=http://www.google.com

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
"provider"=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-21-1343024091-706699826-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Page_Transitions"=
"Start Page"=http://www.google.com

[HKEY_USERS\S-1-5-21-1343024091-706699826-839522115-1003\Software\Microsoft\Internet Explorer\SearchURL]
"provider"=

[HKEY_USERS\S-1-5-21-1343024091-706699826-839522115-1003\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1343024091-706699826-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

HOSTS File = (250062 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost
127.0.0.1 www.mininova.org
127.0.0.1 www.mininova.com
127.0.0.1 www.thepiratebay.org
127.0.0.1 www.suprbay.org
127.0.0.1 mininova.org
127.0.0.1 mininova.com
127.0.0.1 thepiratebay.org
127.0.0.1 suprbay.org
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.1001-search.info
127.0.0.1 1001-search.info
127.0.0.1 www.100888290cs.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com
8718 more lines...

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{9BF7481E-EBC9-4904-B981-0895DA716B21} (HKLM) -- C:\WINDOWS\system32\vtUoOhGV.dll File not found

========== (O3) Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{0FBB9689-D3D7-4f7a-A2E2-585B10099BFC}" (HKLM) -- C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll (Veoh Networks Inc)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{D0943516-5076-4020-A3B5-AEFAF26AB263}" (HKLM) -- C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll (Veoh Networks Inc)

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit (NVIDIA Corporation)
"nwiz"=nwiz.exe /install ()

========== (O4) Startup Folders ==========


========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.mss -- File not found
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.the -- File not found

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145
"NoFolderOptions"=0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableRegistryTools"=0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145
"NoFolderOptions"=0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableRegistryTools"=0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145
"NoFolderOptions"=0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableRegistryTools"=0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-1343024091-706699826-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145
"NoFolderOptions"=0

[HKEY_USERS\S-1-5-21-1343024091-706699826-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableRegistryTools"=0

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
&D&ownload &with BitComet: C:\Program Files\BitComet\BitComet.exe [2008/05/05 04:02:40 | 02,334,520 | ---- | M] (www.BitComet.com)
&D&ownload all video with BitComet: C:\Program Files\BitComet\BitComet.exe [2008/05/05 04:02:40 | 02,334,520 | ---- | M] (www.BitComet.com)
&D&ownload all with BitComet: C:\Program Files\BitComet\BitComet.exe [2008/05/05 04:02:40 | 02,334,520 | ---- | M] (www.BitComet.com)
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2003/08/13 02:34:38 | 10,073,144 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1343024091-706699826-839522115-1003\Software\Microsoft\Internet Explorer\MenuExt\]
&D&ownload &with BitComet: C:\Program Files\BitComet\BitComet.exe [2008/05/05 04:02:40 | 02,334,520 | ---- | M] (www.BitComet.com)
&D&ownload all video with BitComet: C:\Program Files\BitComet\BitComet.exe [2008/05/05 04:02:40 | 02,334,520 | ---- | M] (www.BitComet.com)
&D&ownload all with BitComet: C:\Program Files\BitComet\BitComet.exe [2008/05/05 04:02:40 | 02,334,520 | ---- | M] (www.BitComet.com)
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2003/08/13 02:34:38 | 10,073,144 | ---- | M] (Microsoft Corporation)

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}: Menu: Sun Java Console -- %ProgramFiles%\Java\jre1.6.0_05\bin\npjpi160_05.dll [2008/02/22 04:25:19 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
{D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A}: Button: BitComet -- %ProgramFiles%\BitComet\tools\BitCometBHO_1.2.2.28.dll [2008/02/29 03:49:22 | 00,468,280 | ---- | M] (BitComet)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_05\bin\npjpi160_05.dll [Sun Java Console] -> [2008/02/22 04:25:19 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} [HKLM] -> [BitComet] -> File not found
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_05\bin\npjpi160_05.dll [Sun Java Console] -> [2008/02/22 04:25:19 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} [HKLM] -> [BitComet] -> File not found
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_05\bin\npjpi160_05.dll [Sun Java Console] -> [2008/02/22 04:25:19 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} [HKLM] -> [BitComet] -> File not found
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1343024091-706699826-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_05\bin\npjpi160_05.dll [Sun Java Console] -> [2008/02/22 04:25:19 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} [HKLM] -> [BitComet] -> File not found
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
41 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
40 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
40 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
40 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-21-1343024091-706699826-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
40 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{6414512B-B978-451D-A0D8-FCFDF33E833C}: http://www.update.microsoft.com/windowsupd...b?1205184960843 -- WUWebControl Class
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_05
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}: http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab -- Reg Error: Key does not exist or could not be opened.
{BDBDE413-7B1C-4C68-A8FF-C5B2B4090876}: http://support.f-secure.com/ols/fscax.cab -- F-Secure Online Scanner 3.3
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_05
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_05

========== (O17) DNS Name Servers ==========

{062468A5-EB7F-4229-AF41-000FFA29C458} (Servers: | Description: Intel® PRO/100 VE Network Connection)

========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
gosnqyxm: "DllName" = gosnqyxm.dll -- C:\WINDOWS\system32\gosnqyxm.dll ()

========== LSA *Authentication Packages* ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=msv1_0,C:\WINDOWS\system32\vtUoOhGV,
>File not found --

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2008/02/21 17:46:04 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

autorun.inf [[autorun] | open=DIR625.exe | icon=D-LINK.ico | label=DIR-625 | ]
[2007/03/21 01:12:00 | 00,000,060 | R--- | M] () -- E:\autorun.inf -- [ CDFS ]

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[6 C:\WINDOWS\*.tmp files]
[2008/11/26 16:51:34 | 00,422,400 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Kevin\Desktop\OTViewIt.exe
[2008/11/26 14:22:09 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\nView_Profiles
[2008/11/26 14:20:34 | 00,021,504 | ---- | C] () -- C:\WINDOWS\System32\gosnqyxm32.dll
[2008/11/26 14:20:33 | 00,162,001 | ---- | C] () -- C:\WINDOWS\System32\nvapps.xml
[2008/11/26 14:20:23 | 00,017,737 | ---- | C] () -- C:\WINDOWS\System32\nvdisp.nvu
[2008/11/26 14:20:23 | 00,000,000 | ---D | C] -- C:\WINDOWS\nview
[2008/11/26 14:19:30 | 00,060,416 | ---- | C] () -- C:\WINDOWS\System32\CbEvtSvc.exe
[2008/11/26 13:54:00 | 00,021,504 | ---- | C] () -- C:\WINDOWS\System32\gosnqyxm.dll
[2008/11/26 13:40:58 | 04,379,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_40.dll
[2008/11/26 13:40:58 | 02,036,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_40.dll
[2008/11/26 13:40:58 | 00,452,440 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_40.dll
[2008/11/26 13:40:57 | 00,514,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_3.dll
[2008/11/26 13:40:57 | 00,235,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_3.dll
[2008/11/26 13:40:57 | 00,070,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_2.dll
[2008/11/26 13:40:57 | 00,023,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_5.dll
[2008/11/26 13:40:56 | 00,509,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_2.dll
[2008/11/26 13:40:56 | 00,238,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_2.dll
[2008/11/26 13:40:56 | 00,068,616 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_1.dll
[2008/11/26 13:40:55 | 03,851,784 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_39.dll
[2008/11/26 13:40:55 | 01,493,528 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_39.dll
[2008/11/26 13:40:55 | 00,507,400 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_1.dll
[2008/11/26 13:40:55 | 00,467,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_39.dll
[2008/11/26 13:40:55 | 00,065,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_0.dll
[2008/11/26 13:40:54 | 00,238,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_1.dll
[2008/11/26 13:40:54 | 00,025,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_4.dll
[2008/11/26 13:40:53 | 03,850,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_38.dll
[2008/11/26 13:40:53 | 01,491,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_38.dll
[2008/11/26 13:40:53 | 00,467,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_38.dll
[2008/11/26 13:40:52 | 00,479,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_0.dll
[2008/11/26 13:40:52 | 00,238,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_0.dll
[2008/11/26 13:40:52 | 00,025,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_3.dll
[2008/11/26 13:40:51 | 03,786,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_37.dll
[2008/11/26 13:40:51 | 01,420,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_37.dll
[2008/11/26 13:40:51 | 00,462,864 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_37.dll
[2008/11/26 13:40:51 | 00,267,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_10.dll
[2008/11/26 13:40:50 | 01,374,232 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_36.dll
[2008/11/26 13:40:50 | 00,444,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_36.dll
[2008/11/26 13:40:49 | 03,734,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_36.dll
[2008/11/26 13:40:49 | 00,267,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_9.dll
[2008/11/26 13:40:48 | 03,727,720 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_35.dll
[2008/11/26 13:40:48 | 01,358,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_35.dll
[2008/11/26 13:40:48 | 00,444,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_35.dll
[2008/11/26 13:40:48 | 00,266,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_8.dll
[2008/11/26 13:40:48 | 00,017,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_2.dll
[2008/11/26 13:40:47 | 03,497,832 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_34.dll
[2008/11/26 13:40:47 | 01,124,720 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_34.dll
[2008/11/26 13:40:47 | 00,443,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_34.dll
[2008/11/26 13:40:47 | 00,081,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xinput1_3.dll
[2008/11/26 13:40:46 | 00,261,480 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_7.dll
[2008/11/26 13:40:45 | 01,123,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_33.dll
[2008/11/26 13:40:45 | 00,443,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_33.dll
[2008/11/26 13:40:43 | 03,495,784 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_33.dll
[2008/11/26 13:40:43 | 00,255,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_6.dll
[2008/11/26 13:40:43 | 00,251,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_5.dll
[2008/11/26 13:40:42 | 03,426,072 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_32.dll
[2008/11/26 13:40:42 | 02,414,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_31.dll
[2008/11/26 13:40:42 | 00,237,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_4.dll
[2008/11/26 13:40:42 | 00,015,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\x3daudio1_1.dll
[2008/11/26 13:40:41 | 00,236,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_3.dll
[2008/11/26 13:40:41 | 00,230,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_2.dll
[2008/11/26 13:40:41 | 00,062,744 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xinput1_2.dll
[2008/11/26 13:40:41 | 00,062,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xinput1_1.dll
[2008/11/26 13:40:40 | 00,229,584 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_1.dll
[2008/11/26 13:40:37 | 02,388,176 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_30.dll
[2008/11/26 13:40:37 | 02,332,368 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_29.dll
[2008/11/26 13:40:37 | 00,230,096 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_0.dll
[2008/11/26 13:40:37 | 00,014,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\x3daudio1_0.dll
[2008/11/26 13:40:36 | 02,323,664 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_28.dll
[2008/11/26 13:40:36 | 02,319,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_27.dll
[2008/11/26 13:40:36 | 00,061,136 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xinput9_1_0.dll
[2008/11/26 13:40:35 | 02,337,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_25.dll
[2008/11/26 13:40:35 | 02,297,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_26.dll
[2008/11/26 13:40:34 | 02,222,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_24.dll
[2008/11/26 13:39:08 | 00,000,000 | -H-D | C] -- C:\WINDOWS\msdownld.tmp
[2008/11/26 13:39:02 | 00,000,000 | ---D | C] -- C:\WINDOWS\Logs
[2008/11/26 13:39:00 | 00,302,928 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Kevin\Desktop\dxwebsetup.exe
[2008/11/26 13:38:12 | 00,894,504 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Kevin\Desktop\WGAPluginInstall.exe
[2008/11/26 13:31:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Kevin\Desktop\Windo2
[2008/11/26 13:30:45 | 02,576,600 | ---- | C] () -- C:\Documents and Settings\Kevin\Desktop\Windower-3.41(2).exe
[2008/11/26 13:29:32 | 00,000,180 | ---- | C] () -- C:\Documents and Settings\Kevin\Desktop\Live Chat Support.url
[2008/11/26 13:29:32 | 00,000,132 | ---- | C] () -- C:\Documents and Settings\Kevin\Desktop\Plugin Documentation.url
[2008/11/26 13:29:32 | 00,000,125 | ---- | C] () -- C:\Documents and Settings\Kevin\Desktop\Known Issues.url
[2008/11/26 13:29:32 | 00,000,125 | ---- | C] () -- C:\Documents and Settings\Kevin\Desktop\Known Crash Issues.url
[2008/11/26 13:29:32 | 00,000,122 | ---- | C] () -- C:\Documents and Settings\Kevin\Desktop\Other Plugins.url
[2008/11/26 09:32:28 | 00,000,000 | ---D | C] -- C:\fsaua.data
[2008/11/26 09:28:21 | 00,142,096 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2008/11/26 09:18:04 | 00,096,978 | ---- | C] (Business Information Solutions) -- C:\Documents and Settings\Kevin\Desktop\VirtumundoBeGone.exe
[2008/11/26 07:34:01 | 00,000,000 | ---D | C] -- C:\Program Files\MindDate Software
[2008/11/26 07:33:48 | 01,531,433 | ---- | C] (MindDate Software) -- C:\Documents and Settings\Kevin\Desktop\Kbr.exe
[2008/11/26 07:28:42 | 00,473,120 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Kevin\Desktop\OGAPluginInstall.exe
[2008/11/26 07:27:24 | 00,008,704 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdjpn.dll
[2008/11/26 07:27:24 | 00,008,704 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdjpn.dll
[2008/11/26 07:27:24 | 00,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdkor.dll
[2008/11/26 07:27:24 | 00,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdkor.dll
[2008/11/26 07:27:24 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbd106.dll
[2008/11/26 07:27:24 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbd106.dll
[2008/11/26 07:27:23 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbd101c.dll
[2008/11/26 07:27:23 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbd101c.dll
[2008/11/26 07:27:23 | 00,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbd103.dll
[2008/11/26 07:27:23 | 00,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbd103.dll
[2008/11/26 07:27:21 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbd101b.dll
[2008/11/26 07:27:21 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbd101b.dll
[2008/11/22 11:04:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Kevin\Desktop\4chan
[2008/11/22 10:31:25 | 01,673,180 | ---- | C] () -- C:\Documents and Settings\Kevin\Desktop\WRT54GS-v5v6_1.52.5.002_fw.bin
[2008/11/21 14:14:07 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\LogFiles
[2008/11/21 12:24:43 | 00,135,712 | ---- | C] () -- C:\WINDOWS\System32\drivers\ethqgobh.sys
[2008/11/21 12:21:31 | 00,000,000 | ---D | C] -- C:\WINDOWS\NV7041096.TMP
[2008/11/21 12:21:18 | 00,000,000 | ---D | C] -- C:\WINDOWS\NV35643568.TMP
[2008/11/21 12:20:46 | 00,000,000 | ---D | C] -- C:\WINDOWS\LastGood(2)
[2008/11/21 08:10:18 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2008/11/21 02:57:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Kevin\Application Data\Malwarebytes
[2008/11/21 02:55:48 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2008/11/21 02:55:48 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2008/11/21 02:55:45 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2008/11/21 02:55:44 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2008/11/21 02:55:44 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2008/11/21 02:43:53 | 00,000,000 | ---D | C] -- C:\VundoFix Backups
[2008/11/21 01:11:51 | 00,000,226 | ---- | C] () -- C:\Documents and Settings\Kevin\Desktop\fix.reg
[2008/11/21 01:11:09 | 00,001,436 | ---- | C] () -- C:\Documents and Settings\Kevin\My Documents\GoodCopy.reg
[2008/11/21 00:01:46 | 00,000,101 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/11/20 23:38:16 | 03,739,744 | ---- | C] () -- C:\Documents and Settings\Kevin\Desktop\spybotsd_includes.exe
[2008/11/20 23:12:01 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2008/11/20 11:35:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Kevin\Local Settings\Application Data\Symantec
[2008/11/20 11:31:55 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Norton
[2008/11/20 11:31:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller
[2008/11/20 11:15:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PrevxCSI
[2008/11/20 09:59:54 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Kevin\Application Data\Uniblue
[2008/11/20 09:32:12 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2008/11/20 09:32:12 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2008/11/20 09:30:54 | 15,083,520 | ---- | C] (Safer Networking Limited ) -- C:\Documents and Settings\Kevin\Desktop\spybotsd160.exe
[2008/11/20 07:54:51 | 00,000,000 | ---D | C] -- C:\Program Files\Kaspersky Lab
[2008/11/20 07:52:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
[2008/11/20 05:59:18 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2008/11/20 05:32:32 | 00,000,000 | ---D | C] -- C:\smitrem
[2008/11/20 04:44:13 | 00,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2008/11/20 04:40:26 | 00,000,294 | ---- | C] () -- C:\WINDOWS\tasks\pslipbzl.job
[2008/11/20 03:58:46 | 00,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2008/11/20 03:55:31 | 00,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2008/11/20 03:55:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2008/11/20 03:35:09 | 00,071,680 | ---- | C] () -- C:\WINDOWS\System32\wkifwjtw.dll
[2008/11/20 03:26:57 | 00,032,768 | ---- | C] () -- C:\WINDOWS\System32\drivers\ati8vaxx.sys
[2008/11/20 03:26:47 | 00,000,527 | ---- | C] () -- C:\WINDOWS\System32\TDSSwgqt.dat
[2008/11/20 03:26:25 | 00,000,002 | ---- | C] () -- C:\-1403163580
[2008/11/20 03:26:22 | 00,000,294 | ---- | C] () -- C:\WINDOWS\tasks\lacpfvtv.job
[2008/11/20 03:25:27 | 00,027,904 | ---- | C] (Windows ® Codename Longhorn DDK provider) -- C:\WINDOWS\System32\drivers\ndisprot.sys
[2008/11/20 03:24:57 | 00,000,000 | ---D | C] -- C:\WINDOWS\HDTV Player
[2008/11/20 03:20:33 | 00,000,795 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\DivX Player.lnk
[2008/11/12 21:12:51 | 00,499,712 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcp71.dll
[2008/11/12 21:12:51 | 00,348,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcr71.dll
[2008/11/12 21:12:51 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\Adobe
[2008/11/09 22:21:01 | 04,966,728 | ---- | C] (Amazing Planet (www.amazingplanet.com)) -- C:\Documents and Settings\Kevin\Desktop\Update_Nov_08_2008.exe
[2008/11/07 17:58:28 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Kevin\Desktop\New Bitmap Image.bmp
[2008/11/06 23:35:14 | 00,044,922 | ---- | C] () -- C:\Documents and Settings\Kevin\Desktop\3E33E4REEEEEEERRT444.jpg
[2008/11/01 03:06:03 | 00,001,814 | ---- | C] () -- C:\Documents and Settings\Kevin\Desktop\Pokemon Global.lnk
[2008/10/27 18:04:20 | 00,019,968 | ---- | C] () -- C:\Documents and Settings\Kevin\Desktop\FFXIMemory.dll

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[6 C:\WINDOWS\*.tmp files]
[2008/11/26 16:51:33 | 00,422,400 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Kevin\Desktop\OTViewIt.exe
[2008/11/26 16:48:18 | 00,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\svchost.exe
@Alternate Data Stream - 25088 bytes -> C:\WINDOWS\System32\svchost.exe:ext.exe
[2008/11/26 16:48:18 | 00,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\svchost.exe
[2008/11/26 16:48:12 | 00,021,504 | ---- | M] () -- C:\WINDOWS\System32\gosnqyxm.dll
[2008/11/26 16:48:10 | 00,032,768 | ---- | M] () -- C:\WINDOWS\System32\drivers\ati8vaxx.sys
[2008/11/26 16:47:15 | 00,000,294 | ---- | M] () -- C:\WINDOWS\tasks\lacpfvtv.job
[2008/11/26 16:47:15 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2008/11/26 16:47:12 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2008/11/26 16:38:15 | 02,110,676 | -H-- | M] () -- C:\Documents and Settings\Kevin\Local Settings\Application Data\IconCache.db
[2008/11/26 16:00:00 | 00,000,294 | ---- | M] () -- C:\WINDOWS\tasks\pslipbzl.job
[2008/11/26 14:22:07 | 00,162,001 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2008/11/26 14:22:02 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2008/11/26 14:20:34 | 00,021,504 | ---- | M] () -- C:\WINDOWS\System32\gosnqyxm32.dll
[2008/11/26 14:19:29 | 00,060,416 | ---- | M] () -- C:\WINDOWS\System32\CbEvtSvc.exe
[2008/11/26 13:38:59 | 00,302,928 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Kevin\Desktop\dxwebsetup.exe
[2008/11/26 13:38:10 | 00,894,504 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Kevin\Desktop\WGAPluginInstall.exe
[2008/11/26 13:30:41 | 02,576,600 | ---- | M] () -- C:\Documents and Settings\Kevin\Desktop\Windower-3.41(2).exe
[2008/11/26 11:39:34 | 00,000,477 | ---- | M] () -- C:\WINDOWS\win.ini
[2008/11/26 11:39:34 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2008/11/26 11:39:34 | 00,000,209 | -HS- | M] () -- C:\boot.ini
[2008/11/26 10:04:29 | 00,011,231 | ---- | M] () -- C:\Documents and Settings\Kevin\Desktop\New Rich Text Document.rtf
[2008/11/26 09:28:21 | 00,142,096 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2008/11/26 09:17:56 | 00,096,978 | ---- | M] (Business Information Solutions) -- C:\Documents and Settings\Kevin\Desktop\VirtumundoBeGone.exe
[2008/11/26 07:33:49 | 01,531,433 | ---- | M] (MindDate Software) -- C:\Documents and Settings\Kevin\Desktop\Kbr.exe
[2008/11/26 07:28:40 | 00,473,120 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Kevin\Desktop\OGAPluginInstall.exe
[2008/11/25 17:21:16 | 00,119,744 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/11/25 13:34:57 | 00,019,576 | ---- | M] () -- C:\Documents and Settings\Kevin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2008/11/22 23:17:01 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2008/11/22 10:31:21 | 01,673,180 | ---- | M] () -- C:\Documents and Settings\Kevin\Desktop\WRT54GS-v5v6_1.52.5.002_fw.bin
[2008/11/21 12:24:43 | 00,135,712 | ---- | M] () -- C:\WINDOWS\System32\drivers\ethqgobh.sys
[2008/11/21 02:55:48 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2008/11/21 02:20:43 | 00,000,527 | ---- | M] () -- C:\WINDOWS\System32\TDSSwgqt.dat
[2008/11/21 01:11:51 | 00,000,226 | ---- | M] () -- C:\Documents and Settings\Kevin\Desktop\fix.reg
[2008/11/21 01:11:09 | 00,001,436 | ---- | M] () -- C:\Documents and Settings\Kevin\My Documents\GoodCopy.reg
[2008/11/21 00:01:46 | 00,000,101 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2008/11/20 23:38:23 | 03,739,744 | ---- | M] () -- C:\Documents and Settings\Kevin\Desktop\spybotsd_includes.exe
[2008/11/20 23:35:39 | 00,250,062 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2008/11/20 09:31:09 | 15,083,520 | ---- | M] (Safer Networking Limited ) -- C:\Documents and Settings\Kevin\Desktop\spybotsd160.exe
[2008/11/20 03:35:10 | 00,071,680 | ---- | M] () -- C:\WINDOWS\System32\wkifwjtw.dll
[2008/11/20 03:26:28 | 00,000,002 | ---- | M] () -- C:\-1403163580
[2008/11/20 03:26:18 | 00,000,915 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20081120-233539.backup
[2008/11/20 03:25:27 | 00,027,904 | ---- | M] (Windows ® Codename Longhorn DDK provider) -- C:\WINDOWS\System32\drivers\ndisprot.sys
[2008/11/20 03:20:33 | 00,000,795 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\DivX Player.lnk
[2008/11/20 03:20:06 | 00,001,469 | ---- | M] () -- C:\Documents and Settings\Kevin\Desktop\DivX Movies.lnk
[2008/11/20 03:18:12 | 00,005,632 | ---- | M] () -- C:\Documents and Settings\Kevin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/11/12 21:12:57 | 00,001,541 | ---- | M] () -- C:\WINDOWS\mozver.dat
[2008/11/09 22:21:15 | 04,966,728 | ---- | M] (Amazing Planet (www.amazingplanet.com)) -- C:\Documents and Settings\Kevin\Desktop\Update_Nov_08_2008.exe
[2008/11/07 17:58:28 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Kevin\Desktop\New Bitmap Image.bmp
[2008/11/06 23:35:15 | 00,044,922 | ---- | M] () -- C:\Documents and Settings\Kevin\Desktop\3E33E4REEEEEEERRT444.jpg
[2008/11/04 09:35:24 | 00,499,712 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcp71.dll
[2008/11/04 09:35:24 | 00,348,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcr71.dll
[2008/11/01 03:06:03 | 00,001,814 | ---- | M] () -- C:\Documents and Settings\Kevin\Desktop\Pokemon Global.lnk
< End of report >

Extras-

OTViewIt Extras logfile created on: 11/26/2008 4:51:48 PM - Run
OTViewIt by OldTimer - Version 1.0.20.0 Folder = C:\Documents and Settings\Kevin\Desktop
Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.98 Mb Total Physical Memory | 670.15 Mb Available Physical Memory | 65.51% Memory free
2.40 Gb Paging File | 2.07 Gb Available in Paging File | 86.29% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.46 Gb Total Space | 50.78 Gb Free Space | 68.19% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 65.05 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MCMASTER-4CA64F
Current User Name: Kevin
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=1
"AntiVirusDisableNotify"=1
"FirewallDisableNotify"=1
"UpdatesDisableNotify"=1
"AntiVirusOverride"=0
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall"=0
"DisableNotifications"=0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2004/08/10 07:00:00 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2008/03/10 16:05:20 | 01,691,648 | ---- | M] (SQUARE ENIX CO., LTD.) -- C:\Program Files\PlayOnline\SquareEnix\PlayOnlineViewer\pol.exe:*:Disabled:PlayOnline Viewer
[2004/08/10 07:00:00 | 00,140,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019
[2008/09/26 19:14:06 | 03,660,848 | ---- | M] (Veoh Networks) -- C:\Program Files\Veoh Networks\Veoh\VeohClient.exe:*:Disabled:Veoh Client
[2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
[2008/10/09 17:11:10 | 03,502,840 | ---- | M] (Veoh Networks) -- C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:*:Enabled:Veoh Web Player

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 02:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
msdaipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 02:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 02:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2003/08/01 15:09:04 | 08,086,072 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (mso-offdap11:{32505114-5902-49B2-880A-1F7738E5A384} (HKLM) [Data Page Plugable Protocal mso-offdap11 Handler])

========== (O18) Protocol Filters ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2003/07/14 22:45:12 | 00,039,488 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL text/xml:{807553E5-5146-11D5-A672-00B0D022E945} (HKLM) [Reg Error: Value does not exist or could not be read.]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0405E51E-9582-4207-8F38-AC44201D3808}"=VeohTV BETA
"{15095BF3-A3D7-4DDF-B193-3A496881E003}"=Microsoft .NET Framework 3.0
"{18D10072035C4515918F7E37EAFAACFC}"=AutoUpdate
"{1E04F83B-2AB9-4301-9EF7-E86307F79C72}"=Google Earth
"{3248F0A8-6813-11D6-A77B-00B0D0160050}"=Java™ 6 Update 5
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{3C0619B4-4A2C-4244-8077-488E420DF907}"=FINAL FANTASY XI: Chains of Promathia
"{47004155-7376-403E-89E9-4C9F44AAF0D0}"=PlayOnline Viewer and Tetra Master
"{491DD792-AD81-429C-9EB4-86DD3D22E333}"=Windows Communication Foundation
"{5B037ED7-0755-48D4-9554-808E5AF50F17}"=FINAL FANTASY XI: Wings of the Goddess
"{678F6475-D227-432A-94FF-806178A34520}"=FINAL FANTASY XI
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}"=Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}"=Windows Media Player Firefox Plugin
"{6FC76C41-8C1D-4B43-85E7-0BAA2002F1BE}"=FINAL FANTASY XI: Rise of the Zilart
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}"=Microsoft .NET Framework 2.0
"{789289CA-F73A-4A16-A331-54D498CE069F}"=Ventrilo Client
"{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}"=Windows Workflow Foundation
"{8ADFC4160D694100B5B8A22DE9DCABD9}"=DivX Player
"{8DC42D05-680B-41B0-8878-6C14D24602DB}"=QuickTime
"{90110409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Professional Edition 2003
"{96E16100-A77F-4B31-B9AD-FFBA040EE1BD}"=Sound Blaster Live!
"{A606C6FF-12E7-40BE-B777-D8F360FF00CD}"=FINAL FANTASY XI: Treasures of Aht Urhgan
"{AC76BA86-7AD7-1033-7B44-A81200000003}"=Adobe Reader 8.1.2
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1"=Spybot - Search & Destroy
"{B7050CBDB2504B34BC2A9CA0A692CC29}"=DivX Web Player
"{BAF78226-3200-4DB4-BE33-4D922A799840}"=Windows Presentation Foundation
"{F0A37341-D692-11D4-A984-009027EC0A9C}"=SoundMAX
"Adobe Flash Player ActiveX"=Adobe Flash Player ActiveX
"Adobe Flash Player Plugin"=Adobe Flash Player Plugin
"Adobe Shockwave Player"=Adobe Shockwave Player
"Applian FLV Player2.0.24"=Applian FLV Player
"ArtMoney SE_is1"=ArtMoney SE v7.27
"BitComet"=BitComet 1.01
"Computer Alarm Clock"=Computer Alarm Clock
"Dell AIO Printer A940"=Dell AIO Printer A940
"FFXI AppBeta June 26"=FFXI App
"HijackThis"=HijackThis 2.0.2
"InstallShield_{0405E51E-9582-4207-8F38-AC44201D3808}"=VeohTV BETA
"InstallShield_{3C0619B4-4A2C-4244-8077-488E420DF907}"=FINAL FANTASY XI: Chains of Promathia
"InstallShield_{47004155-7376-403E-89E9-4C9F44AAF0D0}"=PlayOnline Viewer and Tetra Master
"InstallShield_{5B037ED7-0755-48D4-9554-808E5AF50F17}"=FINAL FANTASY XI: Wings of the Goddess
"InstallShield_{678F6475-D227-432A-94FF-806178A34520}"=FINAL FANTASY XI
"InstallShield_{6FC76C41-8C1D-4B43-85E7-0BAA2002F1BE}"=FINAL FANTASY XI: Rise of the Zilart
"InstallShield_{A606C6FF-12E7-40BE-B777-D8F360FF00CD}"=FINAL FANTASY XI: Treasures of Aht Urhgan
"InterCasinoPoker"=InterPoker
"KanjiBrowze 2006.1"=KanjiBrowze 2006.1
"Malwarebytes' Anti-Malware_is1"=Malwarebytes' Anti-Malware
"Microsoft .NET Framework 2.0"=Microsoft .NET Framework 2.0
"Microsoft .NET Framework 3.0"=Microsoft .NET Framework 3.0
"Mozilla Firefox (2.0.0.18)"=Mozilla Firefox (2.0.0.18)
"Notepad++"=Notepad++
"NVIDIA Drivers"=NVIDIA Drivers
"POLUtils"=POLUtils
"PROSet"=Intel® PRO Network Adapters and Drivers
"SopCast"=SopCast 3.0.3
"SpeedFan"=SpeedFan (remove only)
"Veoh Web Player Beta"=Veoh Web Player Beta
"WIC"=Windows Imaging Component
"WinRAR archiver"=WinRAR archiver
"XpsEPSC"=XML Paper Specification Shared Components Pack 1.0
"Xvid_is1"=Xvid 1.1.3 final uninstall

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Pokemon Global"=Pokemon Global

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1343024091-706699826-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Pokemon Global"=Pokemon Global

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/20/2008 11:22:07 PM | Computer Name = MCMASTER-4CA64F | Source = Media Center Scheduler | ID = 0
Description =

Error - 11/20/2008 11:23:11 PM | Computer Name = MCMASTER-4CA64F | Source = Media Center Scheduler | ID = 0
Description =

Error - 11/21/2008 12:27:57 AM | Computer Name = MCMASTER-4CA64F | Source = SDWinSec.exe | ID = 0
Description =

Error - 11/21/2008 1:17:36 PM | Computer Name = MCMASTER-4CA64F | Source = Application Error | ID = 1000
Description = Faulting application pol.exe, version 1.18.7.0, faulting module d3d8.dll,
version 5.3.2600.2180, fault address 0x000348e5.

Error - 11/21/2008 1:42:18 PM | Computer Name = MCMASTER-4CA64F | Source = nview_info | ID = 11141121
Description =

Error - 11/25/2008 8:32:52 AM | Computer Name = MCMASTER-4CA64F | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.2180, faulting
module unknown, version 0.0.0.0, fault address 0x13149fce.

Error - 11/26/2008 6:30:34 AM | Computer Name = MCMASTER-4CA64F | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 800706BF from line 44 of d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 11/26/2008 2:07:31 PM | Computer Name = MCMASTER-4CA64F | Source = Application Error | ID = 1000
Description = Faulting application pol.exe, version 1.18.7.0, faulting module pol.exe,
version 1.18.7.0, fault address 0x0000a7c2.

Error - 11/26/2008 3:09:42 PM | Computer Name = MCMASTER-4CA64F | Source = Application Error | ID = 1000
Description = Faulting application pol.exe, version 1.18.7.0, faulting module hook.dll,
version 3.3.0.0, fault address 0x00010ef6.

Error - 11/26/2008 3:33:49 PM | Computer Name = MCMASTER-4CA64F | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.8.20081.2918, faulting
module unknown, version 0.0.0.0, fault address 0x300d4eef.

[ System Events ]
Error - 11/26/2008 3:22:26 PM | Computer Name = MCMASTER-4CA64F | Source = Service Control Manager | ID = 7001
Description = The Print Spooler service depends on the LexBce Server service which
failed to start because of the following error: %%1058

Error - 11/26/2008 3:22:26 PM | Computer Name = MCMASTER-4CA64F | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the FCI service to connect.

Error - 11/26/2008 3:22:26 PM | Computer Name = MCMASTER-4CA64F | Source = Service Control Manager | ID = 7000
Description = The FCI service failed to start due to the following error: %%1053

Error - 11/26/2008 3:22:28 PM | Computer Name = MCMASTER-4CA64F | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Beep

Error - 11/26/2008 3:49:06 PM | Computer Name = MCMASTER-4CA64F | Source = DCOM | ID = 10010
Description = The server {80EE4901-33A8-11D1-A213-0080C88593A5} did not register
with DCOM within the required timeout.

Error - 11/26/2008 5:47:30 PM | Computer Name = MCMASTER-4CA64F | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the ICF service to connect.

Error - 11/26/2008 5:47:30 PM | Computer Name = MCMASTER-4CA64F | Source = Service Control Manager | ID = 7001
Description = The Print Spooler service depends on the LexBce Server service which
failed to start because of the following error: %%1058

Error - 11/26/2008 5:47:30 PM | Computer Name = MCMASTER-4CA64F | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the FCI service to connect.

Error - 11/26/2008 5:47:31 PM | Computer Name = MCMASTER-4CA64F | Source = Service Control Manager | ID = 7000
Description = The FCI service failed to start due to the following error: %%1053

Error - 11/26/2008 5:47:36 PM | Computer Name = MCMASTER-4CA64F | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Beep


< End of report >

Kaspersky report-
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, November 27, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, November 26, 2008 20:49:33
Records in database: 1419805
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
E:\
Scan statistics
Files scanned 76888
Threat name 8
Infected objects 23
Suspicious objects 0
Duration of the scan 05:59:36

File name Threat name Threats count
C:\WINDOWS\system32\gosnqyxm32.dll/C:\WINDOWS\system32\gosnqyxm32.dll Infected: Backdoor.Win32.Hijack.ac 1
C:\WINDOWS\System32\CbEvtSvc.exe/C:\WINDOWS\System32\CbEvtSvc.exe Infected: Trojan.Win32.Agent.aqlz 1
C:\WINDOWS\system32\gosnqyxm.dll/C:\WINDOWS\system32\gosnqyxm.dll Infected: Backdoor.Win32.Hijack.ac 1
C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.IE5\2XSBC1QF\mss32[1].exe Infected: Trojan-Downloader.Win32.Agent.arsy 1
C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.IE5\2XSBC1QF\mss32[2].exe Infected: Trojan-Downloader.Win32.Agent.arsy 1
C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.IE5\6JQFYZOD\nww32[1].exe Infected: Trojan.Win32.Agent.aqmj 1
C:\Documents and Settings\LocalService\Application Data\1180451636.exe Infected: Trojan.Win32.Agent.aqlp 1
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6XSPYLKJ\nww32[1].exe Infected: Trojan.Win32.Agent.aqmj 1
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IJ2RSTIJ\mss32[1].exe Infected: Trojan-Downloader.Win32.Agent.arsy 1
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IJ2RSTIJ\psyj982411[1].exe Infected: Trojan.Win32.Agent.aqlp 1
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\6B4JY5M7\mss32[1].exe Infected: Trojan-Downloader.Win32.Agent.arsy 1
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\6B4JY5M7\nww32[1].exe Infected: Trojan.Win32.Agent.aqmj 1
C:\RECYCLER\S-1-5-21-1343024091-706699826-839522115-500\DC1.0XE Infected: Trojan-Downloader.Win32.Small.agdo 1
C:\RECYCLER\S-1-5-21-1343024091-706699826-839522115-500\Dc2.exe Infected: Trojan-Downloader.Win32.Small.agdo 1
C:\WINDOWS\system32\CbEvtSvc.exe Infected: Trojan.Win32.Agent.aqlz 1
C:\WINDOWS\system32\gosnqyxm.dll Infected: Backdoor.Win32.Hijack.ac 1
C:\WINDOWS\system32\gosnqyxm32.dll Infected: Backdoor.Win32.Hijack.ac 1
C:\WINDOWS\system32\svchost.exe Infected: Trojan.Win32.Crypt.abo 1
C:\WINDOWS\temp\BN2.tmp Infected: Trojan.Win32.Agent.admk 1
C:\WINDOWS\temp\BN2E.tmp Infected: Trojan.Win32.Agent.admk 1
C:\WINDOWS\temp\BN3.tmp Infected: Trojan.Win32.Agent.admk 1
C:\WINDOWS\temp\lfu5.tmp Infected: Trojan.Win32.Agent.aqlz 1
C:\WINDOWS\temp\lhp6.tmp Infected: Trojan.Win32.Agent.aqlz 1
The selected area was scanned.


And a fresh HJT report as of right now, after copy-pasting all the reports-
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:54:26 AM, on 11/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\CbEvtSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {9BF7481E-EBC9-4904-B981-0895DA716B21} - C:\WINDOWS\system32\vtUoOhGV.dll (file missing)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1205184960843
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O20 - Winlogon Notify: gosnqyxm - C:\WINDOWS\SYSTEM32\gosnqyxm.dll
O23 - Service: bEvtService - Unknown owner - C:\WINDOWS\System32\bEvtService.exe
O23 - Service: CbEvtSvc - Unknown owner - C:\WINDOWS\System32\CbEvtSvc.exe
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4167 bytes

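The two O23 services in the log above (FCI and ICF) point at `svchost.exe:ext.exe`, an NTFS alternate data stream attached to the real svchost.exe, so the image path looks legitimate at a glance while the code that actually runs lives in the hidden stream; the GMER "Files" section in a later post shows the same `:ext.exe` stream on files in System Restore. As an added example that is not part of this thread, the Python script below parses HijackThis O23 lines and GMER ADS lines and flags services running from a stream or without a recorded vendor; the sample lines are constructed from the entries posted here, not the full logs.

```python
"""Flag service entries that run from NTFS alternate data streams or have no
recorded vendor, using HijackThis O23 lines and GMER ADS lines as input."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample lines, modelled on the HijackThis O23 entries and the
# GMER "Files" section posted in this thread; not the complete logs.
SAMPLE_LOG = """\
O23 - Service: FCI - Unknown owner - C:\\WINDOWS\\system32\\svchost.exe:ext.exe
O23 - Service: ICF - Unknown owner - C:\\WINDOWS\\system32\\svchost.exe:ext.exe
O23 - Service: CbEvtSvc - Unknown owner - C:\\WINDOWS\\System32\\CbEvtSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
ADS C:\\System Volume Information\\_restore{C7F2794C-E518-4D8B-98D5-5EC6816D6904}\\RP1\\A0000217.exe:ext.exe 25088 bytes executable
"""

# HijackThis O23 format: "O23 - Service: <name> - <vendor> - <image path>"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# GMER "Files" format for streams: "ADS <path>:<stream> <size> bytes <kind>"
ADS_RE = re.compile(r"^ADS (?P<path>.+?) (?P<size>\d+) bytes (?P<kind>\S+)$")
DRIVE_RE = re.compile(r"^[A-Za-z]:")


@dataclass
class Finding:
    source: str    # "HJT O23" or "GMER ADS"
    subject: str   # service name or file path
    severity: str  # "high" or "medium"
    reason: str


def stream_name(path: str) -> Optional[str]:
    """Return the alternate data stream name in `path`, or None.

    The drive colon (C:) is skipped; a colon in the final path component
    is the NTFS stream separator, as in svchost.exe:ext.exe."""
    rest = path[2:] if DRIVE_RE.match(path) else path
    last = rest.rsplit("\\", 1)[-1]
    if ":" not in last:
        return None
    return last.split(":", 1)[1]


def has_alternate_stream(path: str) -> bool:
    return stream_name(path) is not None


def assess_line(line: str) -> Optional[Finding]:
    """Classify one log line; None when nothing stands out."""
    m = O23_RE.match(line)
    if m:
        name, owner, path = m.group("name"), m.group("owner"), m.group("path")
        stream = stream_name(path)
        if stream:
            host = path.rsplit(":", 1)[0]
            return Finding("HJT O23", name, "high",
                           f"service runs from stream '{stream}' hidden on {host}")
        # "Unknown owner" means HijackThis found no vendor in the file's
        # version info; legitimate services sometimes lack it, so this is
        # only a prompt to inspect the binary, not proof of infection.
        if owner.lower() == "unknown owner":
            return Finding("HJT O23", name, "medium",
                           f"no vendor recorded for service binary {path}")
        return None
    m = ADS_RE.match(line)
    if m:
        path, kind, size = m.group("path"), m.group("kind"), m.group("size")
        stream = stream_name(path)
        if stream and kind == "executable":
            return Finding("GMER ADS", path, "high",
                           f"executable hidden in stream '{stream}' ({size} bytes)")
    return None


def assess(lines: Iterable[str]) -> List[Finding]:
    """Run assess_line over every line and keep the findings, in log order."""
    return [f for f in (assess_line(ln.strip()) for ln in lines) if f is not None]


if __name__ == "__main__":
    for f in assess(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity}] {f.source}: {f.subject} -> {f.reason}")
```
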
#6 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:12:10 PM

Posted 29 November 2008 - 11:18 AM

Hello Kevooo.

Sorry for the delay. The coaches here are very busy and sometimes they can't check the work I have provided for you.
I'll reply back to you as soon as possible, hopefully by today :thumbsup:

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#7 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:12:10 PM

Posted 29 November 2008 - 12:27 PM

Hi again and sorry for the delay.

You are really infected so let's get to work.

Backdoor Threat
Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

I'll assume you wish to disinfect, please follow the instructions below.


Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
    Alternate Download Site 1
    Alternate Download Site 2
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information into your next reply.
Important! Please do not select the Show all checkbox during the scan.

Post back with:
-Combofix log
-Gmer log


With Regards,
Extremeboy

#8 Kevooo
  • Topic Starter
  • Members
  • 8 posts
  • Local time:11:10 AM

Posted 29 November 2008 - 02:15 PM

Thanks for getting back to me EB.

I should let you know that I got a little antsy before your reply and looked into a few of the files that were questionable, and that led me to use SDFix to remove the rootkits on my computer. So I'm going to go ahead and post the SDFix log along with the ones you requested. Since the SDFix scan, I haven't had the svchost.exe problem anymore.

Gmer log
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-11-29 14:08:03
Windows 5.1.2600 Service Pack 2


---- Devices - GMER 1.0.14 ----

Device \Driver\Tcpip \Device\Ip 861030C3
Device \Driver\Tcpip \Device\Tcp 861030C3
Device \Driver\Tcpip \Device\Udp 861030C3
Device \Driver\Tcpip \Device\RawIp 861030C3
Device \Driver\Tcpip \Device\IPMULTICAST 861030C3
Device \FileSystem\Fastfat \Fat B9E99C8A

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Threads - GMER 1.0.14 ----

Thread 4:556 860FBAAB
Thread 4:560 860FBAAB
Thread 4:564 860FBAAB
Thread 4:568 860FBAAB
Thread 4:572 860FBAAB
Thread 4:576 860FBAAB
Thread 4:580 860FBAAB
Thread 4:584 860FBAAB
Thread 4:588 860FBAAB
Thread 4:592 860FBAAB
Thread 4:596 860FBAAB
Thread 4:600 860FBAAB
Thread 4:604 860FBAAB
Thread 4:608 860FBAAB
Thread 4:612 860FBAAB
Thread 4:616 860FBAAB
Thread 4:620 860FBAAB
Thread 4:624 860FBAAB
Thread 4:628 860FBAAB
Thread 4:632 860FBAAB
Thread 4:636 860FBAAB
Thread 4:640 860FBAAB
Thread 4:644 860FBAAB
Thread 4:648 860FBAAB
Thread 4:652 860FBAAB
Thread 4:656 860FBAAB
Thread 4:660 860FBAAB
Thread 4:664 860FBAAB
Thread 4:668 860FBAAB
Thread 4:672 860FBAAB
Thread 4:676 860FBAAB
Thread 4:680 860FBAAB
Thread 4:684 860FBAAB
Thread 4:688 860FBAAB
Thread 4:692 860FBAAB
Thread 4:696 860FBAAB
Thread 4:700 860FBAAB
Thread 4:704 860FBAAB
Thread 4:708 860FBAAB
Thread 4:712 860FBAAB
Thread 4:716 860FBAAB
Thread 4:720 860FBAAB
Thread 4:724 860FBAAB
Thread 4:728 860FBAAB
Thread 4:732 860FBAAB
Thread 4:736 860FBAAB
Thread 4:740 860FBAAB
Thread 4:744 860FBAAB
Thread 4:748 860FBAAB
Thread 4:752 860FBAAB
Thread 4:756 860FBAAB
Thread 4:760 860FBAAB
Thread 4:764 860FBAAB
Thread 4:768 860FBAAB
Thread 4:772 860FBAAB
Thread 4:776 860FBAAB

---- Files - GMER 1.0.14 ----

ADS C:\System Volume Information\_restore{C7F2794C-E518-4D8B-98D5-5EC6816D6904}\RP1\A0000217.exe:ext.exe 25088 bytes executable
ADS C:\System Volume Information\_restore{C7F2794C-E518-4D8B-98D5-5EC6816D6904}\RP1\A0001217.exe:ext.exe 25088 bytes executable
ADS C:\System Volume Information\_restore{C7F2794C-E518-4D8B-98D5-5EC6816D6904}\RP1\A0002217.exe:ext.exe 25088 bytes executable
ADS C:\System Volume Information\_restore{C7F2794C-E518-4D8B-98D5-5EC6816D6904}\RP1\A0003267.exe:ext.exe 25088 bytes executable
ADS C:\System Volume Information\_restore{C7F2794C-E518-4D8B-98D5-5EC6816D6904}\RP1\A0004217.exe:ext.exe 25088 bytes executable
ADS C:\System Volume Information\_restore{C7F2794C-E518-4D8B-98D5-5EC6816D6904}\RP1\A0005219.exe:ext.exe 25088 bytes executable
ADS C:\System Volume Information\_restore{C7F2794C-E518-4D8B-98D5-5EC6816D6904}\RP1\A0006230.exe:ext.exe 25088 bytes executable
ADS C:\System Volume Information\_restore{C7F2794C-E518-4D8B-98D5-5EC6816D6904}\RP2\A0018489.exe:ext.exe 25088 bytes executable
ADS C:\System Volume Information\_restore{C7F2794C-E518-4D8B-98D5-5EC6816D6904}\RP2\A0009474.exe:ext.exe 25088 bytes executable
ADS C:\System Volume Information\_restore{C7F2794C-E518-4D8B-98D5-5EC6816D6904}\RP2\A0009479.exe:ext.exe 25088 bytes executable
ADS C:\System Volume Information\_restore{C7F2794C-E518-4D8B-98D5-5EC6816D6904}\RP2\A0009491.exe:ext.exe 25088 bytes executable
ADS C:\System Volume Information\_restore{C7F2794C-E518-4D8B-98D5-5EC6816D6904}\RP2\A0013490.exe:ext.exe 25088 bytes executable
ADS C:\System Volume Information\_restore{C7F2794C-E518-4D8B-98D5-5EC6816D6904}\RP2\A0014488.exe:ext.exe 25600 bytes executable
ADS C:\System Volume Information\_restore{C7F2794C-E518-4D8B-98D5-5EC6816D6904}\RP2\A0015489.exe:ext.exe 25088 bytes executable
ADS C:\System Volume Information\_restore{C7F2794C-E518-4D8B-98D5-5EC6816D6904}\RP2\A0017488.exe:ext.exe 25600 bytes executable
ADS C:\System Volume Information\_restore{C7F2794C-E518-4D8B-98D5-5EC6816D6904}\RP2\A0021488.exe:ext.exe 25088 bytes executable
ADS C:\System Volume Information\_restore{C7F2794C-E518-4D8B-98D5-5EC6816D6904}\RP2\A0022488.exe:ext.exe 25600 bytes executable
ADS C:\System Volume Information\_restore{C7F2794C-E518-4D8B-98D5-5EC6816D6904}\RP2\A0022495.exe:ext.exe 25088 bytes executable
ADS C:\System Volume Information\_restore{C7F2794C-E518-4D8B-98D5-5EC6816D6904}\RP4\A0031890.exe:ext.exe 25600 bytes executable
ADS C:\System Volume Information\_restore{C7F2794C-E518-4D8B-98D5-5EC6816D6904}\RP4\A0024026.exe:ext.exe 25088 bytes executable
ADS C:\System Volume Information\_restore{C7F2794C-E518-4D8B-98D5-5EC6816D6904}\RP4\A0024879.exe:ext.exe 25600 bytes executable
ADS C:\System Volume Information\_restore{C7F2794C-E518-4D8B-98D5-5EC6816D6904}\RP4\A0025887.exe:ext.exe 25088 bytes executable
ADS C:\System Volume Information\_restore{C7F2794C-E518-4D8B-98D5-5EC6816D6904}\RP4\A0026888.exe:ext.exe 25600 bytes executable
ADS C:\System Volume Information\_restore{C7F2794C-E518-4D8B-98D5-5EC6816D6904}\RP4\A0027888.exe:ext.exe 25088 bytes executable
ADS C:\System Volume Information\_restore{C7F2794C-E518-4D8B-98D5-5EC6816D6904}\RP4\A0032887.exe:ext.exe 25088 bytes executable
ADS C:\System Volume Information\_restore{C7F2794C-E518-4D8B-98D5-5EC6816D6904}\RP4\A0035888.exe:ext.exe 25600 bytes executable
ADS C:\System Volume Information\_restore{C7F2794C-E518-4D8B-98D5-5EC6816D6904}\RP4\A0036888.exe:ext.exe 25088 bytes executable
ADS C:\System Volume Information\_restore{C7F2794C-E518-4D8B-98D5-5EC6816D6904}\RP4\A0037892.exe:ext.exe 25088 bytes executable
ADS C:\System Volume Information\_restore{C7F2794C-E518-4D8B-98D5-5EC6816D6904}\RP4\A0039940.exe:ext.exe 25088 bytes executable

---- EOF - GMER 1.0.14 ----


ComboFix log

ComboFix 08-11-29.01 - Kevin 2008-11-29 13:47:27.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.524 [GMT -5:00]
Running from: c:\documents and settings\Kevin\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Kevin\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\wkifwjtw.dll
c:\windows\Tasks\lacpfvtv.job
c:\windows\Tasks\pslipbzl.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CBEVTSVC
-------\Legacy_ICF


((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-29 )))))))))))))))))))))))))))))))
.

2008-11-29 06:30 . 2008-11-29 06:30 <DIR> d-------- c:\documents and settings\Kevin\Application Data\acccore
2008-11-29 06:22 . 2008-11-29 06:22 <DIR> d-------- c:\program files\Viewpoint
2008-11-29 06:22 . 2008-11-29 06:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-29 06:22 . 2008-11-29 06:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2008-11-29 06:21 . 2008-11-29 06:21 <DIR> d-------- c:\program files\Common Files\AOL
2008-11-29 06:21 . 2008-11-29 06:22 <DIR> d-------- c:\program files\AIM6
2008-11-29 06:21 . 2008-11-29 06:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL OCP
2008-11-29 06:21 . 2008-11-29 06:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL
2008-11-29 06:21 . 2008-11-29 06:22 410 --ah----- C:\IPH.PH
2008-11-27 15:22 . 2008-11-27 15:22 <DIR> d-------- c:\windows\ERUNT
2008-11-27 15:18 . 2008-11-27 15:50 <DIR> d-------- C:\SDFix
2008-11-27 14:45 . 2008-11-27 14:45 90,624 --a------ c:\windows\system32\bEvtSvcE.exe
2008-11-27 13:59 . 2008-11-27 13:59 <DIR> d-------- c:\program files\NVIDIA Corporation
2008-11-27 13:58 . 2008-11-27 13:58 <DIR> d-------- c:\program files\NVIDIA nTune Performance Application
2008-11-27 12:33 . 2002-02-21 01:00 212,992 --a------ c:\windows\system32\CTDevCtrl.cpl
2008-11-27 12:33 . 2000-05-11 01:00 90,112 --------- c:\windows\Updreg.EXE
2008-11-27 12:33 . 2002-02-15 09:00 24,576 --a------ c:\windows\system32\CTDevCRes.dll
2008-11-27 12:33 . 2002-02-19 01:00 14,273 --a------ c:\windows\system32\CTDEVCTRL.HLP
2008-11-27 12:33 . 2002-02-15 01:00 274 --a------ c:\windows\system32\ctdevctrl.CNT
2008-11-27 12:33 . 1997-12-24 01:00 0 --a------ c:\windows\system32\CTDevctrl.gid
2008-11-27 12:33 . 1997-12-24 01:00 0 --a------ c:\windows\system32\CTDevctrl.fts
2008-11-27 12:33 . 1997-12-24 01:00 0 --a------ c:\windows\system32\CTDevctrl.ftg
2008-11-27 12:31 . 2008-11-27 12:31 <DIR> d-------- c:\windows\VirtualEar
2008-11-27 12:31 . 2008-11-27 12:31 <DIR> d-------- c:\program files\Analog Devices
2008-11-27 12:31 . 2001-10-04 14:50 991,232 --a------ c:\windows\system32\virtear.dll
2008-11-27 12:31 . 2003-08-19 18:36 65,536 --a------ c:\windows\system32\Audio3d.dll
2008-11-27 12:31 . 2004-11-19 10:00 49,152 --a------ c:\windows\system32\DSndUp.exe
2008-11-27 12:31 . 2002-04-17 14:05 45,056 --a------ c:\windows\system32\CleanUp.exe
2008-11-27 12:26 . 2008-11-28 03:11 588 --a------ c:\windows\system32\settingsbkup.sfm
2008-11-27 12:26 . 2008-11-28 03:11 588 --a------ c:\windows\system32\settings.sfm
2008-11-26 14:22 . 2008-11-26 14:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\nView_Profiles
2008-11-26 14:20 . 2008-11-26 14:20 <DIR> d-------- c:\windows\nview
2008-11-26 14:20 . 2007-11-27 12:52 356,352 --a------ c:\windows\system32\nvudisp.exe
2008-11-26 14:20 . 2008-11-26 14:22 162,001 --a------ c:\windows\system32\nvapps.xml
2008-11-26 14:20 . 2007-11-27 12:52 17,737 --a------ c:\windows\system32\nvdisp.nvu
2008-11-26 14:19 . 2007-11-27 14:21 356,352 --a------ c:\windows\system32\NVUNINST.EXE
2008-11-26 13:39 . 2008-11-26 13:40 <DIR> d--h----- c:\windows\msdownld.tmp
2008-11-26 13:39 . 2008-11-26 13:39 <DIR> d-------- c:\windows\Logs
2008-11-26 11:34 . 2008-11-26 11:34 91,648 --a------ c:\windows\system32\bEvtService.exe
2008-11-26 09:32 . 2008-11-26 09:32 <DIR> d-------- C:\fsaua.data
2008-11-26 09:28 . 2008-11-26 09:28 142,096 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-11-26 07:34 . 2008-11-26 07:34 <DIR> d-------- c:\program files\MindDate Software
2008-11-26 07:27 . 2001-08-17 22:36 8,704 --a------ c:\windows\system32\kbdjpn.dll
2008-11-26 07:27 . 2001-08-17 22:36 8,704 --a--c--- c:\windows\system32\dllcache\kbdjpn.dll
2008-11-26 07:27 . 2001-08-17 22:36 8,192 --a------ c:\windows\system32\kbdkor.dll
2008-11-26 07:27 . 2001-08-17 22:36 8,192 --a--c--- c:\windows\system32\dllcache\kbdkor.dll
2008-11-26 07:27 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd106.dll
2008-11-26 07:27 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101c.dll
2008-11-26 07:27 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101b.dll
2008-11-26 07:27 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd106.dll
2008-11-26 07:27 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101c.dll
2008-11-26 07:27 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101b.dll
2008-11-26 07:27 . 2001-08-17 14:55 5,632 --a------ c:\windows\system32\kbd103.dll
2008-11-26 07:27 . 2001-08-17 14:55 5,632 --a--c--- c:\windows\system32\dllcache\kbd103.dll
2008-11-21 14:14 . 2008-11-21 14:14 <DIR> d-------- c:\windows\system32\LogFiles
2008-11-21 12:24 . 2008-11-21 12:24 135,712 --a------ c:\windows\system32\drivers\ethqgobh.sys
2008-11-21 12:21 . 2008-11-21 12:21 <DIR> d-------- c:\windows\NV7041096.TMP
2008-11-21 12:21 . 2008-11-21 12:21 <DIR> d-------- c:\windows\NV35643568.TMP
2008-11-21 12:20 . 2008-11-21 12:20 <DIR> d-------- c:\windows\LastGood(2)
2008-11-21 02:57 . 2008-11-21 02:57 <DIR> d-------- c:\documents and settings\Kevin\Application Data\Malwarebytes
2008-11-21 02:55 . 2008-11-26 09:24 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-21 02:55 . 2008-11-21 02:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-21 02:55 . 2008-10-26 21:53 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-21 02:55 . 2008-10-26 21:53 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-21 02:43 . 2008-11-21 02:43 <DIR> d-------- C:\VundoFix Backups
2008-11-21 00:01 . 2008-11-21 00:01 101 --a------ c:\windows\wininit.ini
2008-11-20 23:12 . 2008-11-20 23:12 <DIR> d-------- c:\program files\Trend Micro
2008-11-20 11:31 . 2008-11-20 11:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2008-11-20 11:31 . 2008-11-21 08:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton
2008-11-20 11:15 . 2008-11-20 11:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\PrevxCSI
2008-11-20 09:59 . 2008-11-20 09:59 <DIR> d-------- c:\documents and settings\Kevin\Application Data\Uniblue
2008-11-20 09:32 . 2008-11-20 23:29 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-20 09:32 . 2008-11-20 23:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-20 08:02 . 2008-11-21 12:23 <DIR> d-------- c:\documents and settings\Administrator.MCMASTER-4CA64F.000
2008-11-20 07:54 . 2008-11-20 07:54 <DIR> d-------- c:\program files\Kaspersky Lab
2008-11-20 07:52 . 2008-11-20 07:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-11-20 07:37 . 2008-11-20 07:37 <DIR> d-------- c:\documents and settings\Kevo2\Application Data\Ventrilo
2008-11-20 05:32 . 2008-11-20 05:32 <DIR> d-------- C:\smitrem
2008-11-20 04:44 . 2008-11-20 04:44 <DIR> d-------- c:\documents and settings\Administrator.MCMASTER-4CA64F
2008-11-20 04:37 . 2008-11-20 04:37 <DIR> d-------- c:\documents and settings\Kevo2
2008-11-20 03:55 . 2008-11-20 03:55 <DIR> d-------- c:\program files\Lavasoft
2008-11-20 03:55 . 2008-11-20 03:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-20 03:47 . 2008-11-20 03:47 <DIR> d-------- c:\documents and settings\Administrator
2008-11-20 03:25 . 2008-11-20 03:25 27,904 --a------ c:\windows\system32\drivers\ndisprot.sys
2008-11-20 03:24 . 2008-11-20 03:24 <DIR> d-------- c:\windows\HDTV Player
2008-11-12 21:12 . 2008-11-27 12:49 <DIR> d-------- c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-29 12:06 --------- d-----w c:\program files\FFXI App
2008-11-27 20:11 14,336 ----a-w c:\windows\system32\svchost.exe
2008-11-27 17:33 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-27 17:33 --------- d-----w c:\program files\Creative
2008-11-21 13:10 --------- d-----w c:\program files\Full Tilt Poker
2008-11-21 13:10 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-20 14:01 --------- d-----w c:\program files\DivX
2008-10-27 15:04 70,992 ----a-w c:\windows\system32\XAPOFX1_2.dll
2008-10-27 15:04 514,384 ----a-w c:\windows\system32\XAudio2_3.dll
2008-10-27 15:04 235,856 ----a-w c:\windows\system32\xactengine3_3.dll
2008-10-27 15:04 23,376 ----a-w c:\windows\system32\X3DAudio1_5.dll
2008-10-24 08:25 --------- d-----w c:\documents and settings\Kevin\Application Data\Apple Computer
2008-10-24 08:14 --------- d-----w c:\program files\QuickTime
2008-10-24 08:14 --------- d-----w c:\program files\Common Files\Apple
2008-10-24 08:14 --------- d-----w c:\program files\Apple Software Update
2008-10-24 08:14 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-10-24 08:13 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-10-14 09:49 --------- d-----w c:\program files\Veoh Networks
2008-10-10 09:52 452,440 ----a-w c:\windows\system32\d3dx10_40.dll
2008-10-10 09:52 4,379,984 ----a-w c:\windows\system32\D3DX9_40.dll
2008-10-10 09:52 2,036,576 ----a-w c:\windows\system32\D3DCompiler_40.dll
2008-09-25 08:03 81,920 ----a-w c:\windows\system32\dpl100.dll
2008-09-25 08:03 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-09-25 08:03 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-09-25 08:03 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
2008-09-25 08:03 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu10.dll
2008-09-25 08:03 196,608 ----a-w c:\windows\system32\dtu100.dll
2008-09-25 08:03 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-09-19 21:57 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-09-19 21:57 129,784 ------w c:\windows\system32\pxafs.dll
2008-09-19 21:57 120,056 ------w c:\windows\system32\pxcpyi64.exe
2008-09-19 21:57 118,520 ------w c:\windows\system32\pxinsi64.exe
2008-09-19 21:55 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-09-19 21:55 1,044,480 ----a-w c:\windows\system32\libdivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-27 8523776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"VIDC.VP40"= vp4vfw.dll
"vidc.X264"= x264vfw.dll
"VIDC.MSUD"= msulvc05.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\windows\system32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
-ra------ 2007-03-01 10:37 2321600 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A940]
--a------ 2003-02-17 17:00 86102 c:\program files\Dell AIO Printer A940\dlbabmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\diagent]
--a------ 2002-04-03 01:01 135264 c:\program files\Creative\SBLive\Diagnostics\diagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2004-08-10 04:04 59392 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
--a------ 2008-10-26 21:53 1261200 c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 01:06 1667584 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-11-27 12:52 8523776 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
--a------ 2007-09-04 19:25 81920 c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-11-27 12:52 81920 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-10-14 14:42 1404928 c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 01:00 90112 c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-09-26 19:14 3660848 c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]
--a------ 2008-10-09 17:11 3502840 c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-11-27 12:52 1626112 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"LexBceS"=2 (0x2)
"idsvc"=3 (0x3)
"ICF"=2 (0x2)
"FCI"=2 (0x2)
"AVP"=2 (0x2)
"ALG"=3 (0x3)
"Norton AntiVirus"=2 (0x2)
"aawservice"=2 (0x2)
"CbEvtSvc"=2 (0x2)
"nTuneService"=2 (0x2)
"bEvtSvcE"=2 (0x2)
"bEvtService"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26491:TCP"= 26491:TCP:BitComet 26491 TCP
"26491:UDP"= 26491:UDP:BitComet 26491 UDP

R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-11-29 24652]
S1 ethqgobh;ethqgobh;c:\windows\system32\drivers\ethqgobh.sys [2008-11-21 135712]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\Kevin\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys []
S3 Ndisprot;ArcNet NDIS Protocol Driver;\??\c:\windows\system32\drivers\Ndisprot.sys [2008-11-20 27904]
S4 bEvtService;bEvtService;c:\windows\System32\bEvtService.exe -k netsvcs [2008-11-26 91648]
S4 bEvtSvcE;bEvtSvcE;c:\windows\System32\bEvtSvcE.exe -k netsvcs [2008-11-27 90624]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\DIR625.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{9BF7481E-EBC9-4904-B981-0895DA716B21} - c:\windows\system32\vtUoOhGV.dll
MSConfigStartUp-12CFG94-z641-2SF-N31P-5M1ER6H6L1 - c:\recycler\S-1-5-21-0837365481-3592956936-125237520-9288\winigon.exe
MSConfigStartUp-AVP - c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
MSConfigStartUp-kdlcl - c:\windows\system32\kdlcl.exe
MSConfigStartUp-Jnskdfmf9eldfd - c:\docume~1\Kevin\LOCALS~1\Temp\csrssc.exe
MSConfigStartUp-rs32net - c:\windows\System32\rs32net.exe
MSConfigStartUp-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
MSConfigStartUp-xsjfn83jkemfofght - c:\docume~1\Kevin\LOCALS~1\Temp\winlogin.exe
MSConfigStartUp-brastk - brastk.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Kevin\Application Data\Mozilla\Firefox\Profiles\gvzeaisg.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-29 13:50:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\dllhost.exe
c:\program files\AIM6\aolsoftware.exe
c:\progra~1\MOZILL~1\firefox.exe
.
**************************************************************************
.
Completion time: 2008-11-29 13:53:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-29 18:53:40

Pre-Run: 54,201,802,752 bytes free
Post-Run: 54,161,387,520 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect



SDfix log

SDFix: Version 1.240
Run by Kevin on Thu 11/27/2008 at 03:26 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Rootkit Found :
C:\WINDOWS\system32\drivers\ATI8VAXX.sys - Rootkit Pandex/Cutwail - Protect.sys

Name :
FCI
restore
TDSSserv.sys
ATI8VAXX

Path :
C:\WINDOWS\system32\svchost.exe:ext.exe
\??\C:\WINDOWS\system32\drivers\restore.sys
\systemroot\system32\drivers\TDSSpcuu.sys
System32\Drivers\ati8vaxx.sys

FCI - Deleted
restore - Deleted
TDSSserv.sys - Deleted
ATI8VAXX - Deleted



Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Service ATI8VAXX - Deleted after Reboot

Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\GOSNQYXM.dll - Deleted
C:\-14031~1 - Deleted
C:\DOCUME~1\LOCALS~1\APPLIC~1\104183~1.EXE - Deleted
C:\DOCUME~1\LOCALS~1\APPLIC~1\112428~1.EXE - Deleted
C:\DOCUME~1\LOCALS~1\APPLIC~1\118045~1.EXE - Deleted
C:\DOCUME~1\LOCALS~1\APPLIC~1\118117~1.EXE - Deleted
C:\WINDOWS\sysin.scr - Deleted
C:\WINDOWS\system32\sn.txt - Deleted
C:\WINDOWS\system32\drivers\TDSSpcuu.sys - Deleted
C:\WINDOWS\system32\TDSSwgqt.dat - Deleted
C:\WINDOWS\SYSTEM32\TDSSWGQT.dat - Deleted
C:\WINDOWS\system32\drivers\ATI8VAXX.sys - Deleted





Removing Temp Files

ADS Check :


C:\WINDOWS\system32\svchost.exe
: ADS Found!
svchost.exe: deleted 25088 bytes in 1 streams.

Checking for remaining Streams

C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-27 15:49:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:000001c8

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"="C:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe:*:Disabled:PlayOnline Viewer"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe:*:Disabled:Veoh Client"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"="C:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe:*:Enabled:Veoh Web Player "

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 26 Nov 2008 51,712 ..SHR --- "C:\Program Files\MindDate Software\KanjiBrowze 2006.1\Setup.exe"

Finished!



I apologize if this has caused any problems at all. I understand the circumstances concerning the risks I might have at this point unless I reformat. I was hoping to push that off until the holidays being that I'm in my examination period at school, so I'm a little more tied up.

I'd still like to see all the steps through to make sure that everything has been removed however. Looking forward to hearing back from you^^.

#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:12:10 PM

Posted 29 November 2008 - 03:35 PM

Hello.

Thanks for letting me know and posting the SDFix report for me. Next time please do not run tools alone, as it can be dangerous sometimes. I used Combofix instead of SDFix because it is stronger.

I apologize if this has caused any problems at all. I understand the circumstances concerning the risks I might have at this point unless I reformat. I was hoping to push that off until the holidays being that I'm in my examination period at school, so I'm a little more tied up.

I'd still like to see all the steps through to make sure that everything has been removed however. Looking forward to hearing back from you^^.

The SDfix didn't really create a problem, it tried to remove some of the infected but couldn't, that was why I ran Combofix and it took care of it.

Sure, we will continue with the disinfection, but at the end the decision is still yours :thumbsup:

Can you please re-run OTViewIt and post back with the OTViewIt.txt.

Post back with:
-Fresh OTViewIT logs

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#10 Kevooo

Kevooo
  • Topic Starter

  • Members
  • 8 posts
  • Local time:11:10 AM

Posted 29 November 2008 - 07:09 PM

OTViewIt logfile created on: 11/29/2008 7:06:59 PM - Run 3
OTViewIt by OldTimer - Version 1.0.20.0 Folder = C:\Documents and Settings\Kevin\Desktop
Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.98 Mb Total Physical Memory | 701.90 Mb Available Physical Memory | 68.61% Memory free
2.40 Gb Paging File | 2.22 Gb Available in Paging File | 92.45% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.46 Gb Total Space | 50.50 Gb Free Space | 67.83% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 65.05 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MCMASTER-4CA64F
Current User Name: Kevin
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
[2004/08/10 04:04:40 | 00,194,560 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\ehRecvr.exe
[2004/08/10 04:04:42 | 00,102,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\ehSched.exe
[2007/11/27 12:52:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
[2004/08/10 07:00:00 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe
[2007/01/04 16:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
[2007/07/30 19:19:16 | 00,053,080 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wuauclt.exe
[2008/11/14 23:18:30 | 07,676,528 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
[2008/11/26 16:51:33 | 00,422,400 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Kevin\Desktop\OTViewIt.exe

========== (O23) Win32 Services ==========

File not found -- -- (ALG [On_Demand | Stopped])
[2005/09/23 07:28:32 | 00,029,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2008/11/26 11:34:08 | 00,091,648 | ---- | M] () -- C:\WINDOWS\system32\bEvtService.exe -- (bEvtService [Disabled | Stopped])
[2008/11/27 14:45:23 | 00,090,624 | ---- | M] () -- C:\WINDOWS\system32\bEvtSvcE.exe -- (bEvtSvcE [Disabled | Stopped])
[2005/09/23 07:28:56 | 00,066,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[2004/08/10 04:04:40 | 00,194,560 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\ehRecvr.exe -- (ehRecvr [Auto | Running])
[2004/08/10 04:04:42 | 00,102,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\ehSched.exe -- (ehSched [Auto | Running])
[2006/10/20 21:21:24 | 00,036,864 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
[2006/10/30 03:33:58 | 00,741,376 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
[2003/02/17 17:00:44 | 00,303,104 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\LEXBCES.EXE -- (LexBceS [Disabled | Stopped])
[2006/10/30 03:34:02 | 00,122,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
[2007/09/04 19:25:44 | 00,131,072 | ---- | M] (NVIDIA) -- C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe -- (nTuneService [Disabled | Stopped])
[2007/11/27 12:52:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc [Auto | Running])
[2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [Disabled | Stopped])
[2004/08/10 07:00:00 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe -- (UMWdf [Auto | Running])
[2007/01/04 16:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service [Auto | Running])

========== Driver Services ==========

[2003/09/22 08:48:06 | 00,130,192 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k [On_Demand | Stopped])
[2003/03/04 12:56:26 | 00,145,408 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\e100b325.sys -- (E100B [On_Demand | Running])
[2008/11/21 12:24:43 | 00,135,712 | ---- | M] () -- C:\WINDOWS\system32\drivers\ethqgobh.sys -- (ethqgobh [System | Stopped])
[2004/08/03 23:08:22 | 00,010,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum [On_Demand | Stopped])
[1996/04/03 14:33:26 | 00,005,248 | ---- | M] () -- C:\WINDOWS\system32\giveio.sys -- (giveio [Boot | Running])
[2008/11/29 13:56:38 | 00,085,969 | ---- | M] (GMER) -- C:\WINDOWS\system32\drivers\gmer.sys -- (gmer [System | Running])
[2004/08/03 22:58:36 | 00,014,848 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\kbdhid.sys -- (kbdhid [System | Stopped])
[2008/11/20 03:25:27 | 00,027,904 | ---- | M] (Windows ® Codename Longhorn DDK provider) -- C:\WINDOWS\system32\drivers\ndisprot.sys -- (Ndisprot [On_Demand | Stopped])
[2007/11/27 12:52:00 | 07,433,600 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv [On_Demand | Running])
[2007/09/04 19:26:32 | 00,029,696 | ---- | M] (NVidia Corp.) -- C:\WINDOWS\nvoclock.sys -- (NVR0Dev [On_Demand | Stopped])
[2003/09/22 08:47:38 | 00,178,672 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv [On_Demand | Stopped])
[2003/09/22 12:43:06 | 01,330,048 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\P16X.sys -- (P16X [On_Demand | Stopped])
[2003/03/05 12:19:28 | 00,015,840 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\PFMODNT.SYS -- (PfModNT [Auto | Running])
[2004/08/10 07:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2008/09/19 16:57:32 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\pxhelp20.sys -- (PxHelp20 [Boot | Running])
[2004/08/10 07:00:00 | 00,027,440 | ---- | M] () -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2004/09/17 09:02:54 | 00,732,928 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt [On_Demand | Running])
[2005/01/27 15:31:06 | 00,260,352 | ---- | M] (Analog Devices, Inc.) -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm [On_Demand | Running])
[2006/09/24 08:28:46 | 00,005,248 | ---- | M] (Windows ® 2000 DDK provider) -- C:\WINDOWS\system32\speedfan.sys -- (speedfan [Boot | Running])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://go.microsoft.com/fwlink/?LinkId=69157
"Default_Search_URL"=http://go.microsoft.com/fwlink/?LinkId=54896
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Page_Transitions"=
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.google.com

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
"provider"=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-21-1343024091-706699826-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Page_Transitions"=
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.google.com

[HKEY_USERS\S-1-5-21-1343024091-706699826-839522115-1003\Software\Microsoft\Internet Explorer\SearchURL]
"provider"=

[HKEY_USERS\S-1-5-21-1343024091-706699826-839522115-1003\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1343024091-706699826-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

HOSTS File = (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost

========== (O3) Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{0FBB9689-D3D7-4f7a-A2E2-585B10099BFC}" (HKLM) -- C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll (Veoh Networks Inc)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{D0943516-5076-4020-A3B5-AEFAF26AB263}" (HKLM) -- C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll (Veoh Networks Inc)

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp (AOL LLC)
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background (Microsoft Corporation)
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear (NVIDIA)

[HKEY_USERS\S-1-5-21-1343024091-706699826-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp (AOL LLC)
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background (Microsoft Corporation)
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear (NVIDIA)

========== (O4) Startup Folders ==========


========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=227
"NoDrives"=0
"NoDriveAutoRun"=67108863

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.mss -- File not found
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.the -- File not found
"DisableRegistryTools"=0
"HideLegacyLogonScripts"=0
"HideLogoffScripts"=0
"RunLogonScriptSync"=1
"RunStartupScriptSync"=0
"HideStartupScripts"=0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDrives"=0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"HideLegacyLogonScripts"=0
"HideLogoffScripts"=0
"HideStartupScripts"=0
"RunLogonScriptSync"=1
"RunStartupScriptSync"=0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-1343024091-706699826-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDrives"=0

[HKEY_USERS\S-1-5-21-1343024091-706699826-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"HideLegacyLogonScripts"=0
"HideLogoffScripts"=0
"HideStartupScripts"=0
"RunLogonScriptSync"=1
"RunStartupScriptSync"=0

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
&D&ownload &with BitComet: C:\Program Files\BitComet\BitComet.exe [2008/05/05 04:02:40 | 02,334,520 | ---- | M] (www.BitComet.com)
&D&ownload all video with BitComet: C:\Program Files\BitComet\BitComet.exe [2008/05/05 04:02:40 | 02,334,520 | ---- | M] (www.BitComet.com)
&D&ownload all with BitComet: C:\Program Files\BitComet\BitComet.exe [2008/05/05 04:02:40 | 02,334,520 | ---- | M] (www.BitComet.com)
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2003/08/13 02:34:38 | 10,073,144 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1343024091-706699826-839522115-1003\Software\Microsoft\Internet Explorer\MenuExt\]
&D&ownload &with BitComet: C:\Program Files\BitComet\BitComet.exe [2008/05/05 04:02:40 | 02,334,520 | ---- | M] (www.BitComet.com)
&D&ownload all video with BitComet: C:\Program Files\BitComet\BitComet.exe [2008/05/05 04:02:40 | 02,334,520 | ---- | M] (www.BitComet.com)
&D&ownload all with BitComet: C:\Program Files\BitComet\BitComet.exe [2008/05/05 04:02:40 | 02,334,520 | ---- | M] (www.BitComet.com)
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2003/08/13 02:34:38 | 10,073,144 | ---- | M] (Microsoft Corporation)

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}: Menu: Sun Java Console -- %ProgramFiles%\Java\jre1.6.0_05\bin\npjpi160_05.dll [2008/02/22 04:25:19 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
{D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A}: Button: BitComet -- %ProgramFiles%\BitComet\tools\BitCometBHO_1.2.2.28.dll [2008/02/29 03:49:22 | 00,468,280 | ---- | M] (BitComet)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_05\bin\npjpi160_05.dll [Sun Java Console] -> [2008/02/22 04:25:19 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} [HKLM] -> [BitComet] -> File not found
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_05\bin\npjpi160_05.dll [Sun Java Console] -> [2008/02/22 04:25:19 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} [HKLM] -> [BitComet] -> File not found
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_05\bin\npjpi160_05.dll [Sun Java Console] -> [2008/02/22 04:25:19 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} [HKLM] -> [BitComet] -> File not found
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1343024091-706699826-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_05\bin\npjpi160_05.dll [Sun Java Console] -> [2008/02/22 04:25:19 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 22:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} [HKLM] -> [BitComet] -> File not found
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
41 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
40 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
40 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
40 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-21-1343024091-706699826-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
40 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{6414512B-B978-451D-A0D8-FCFDF33E833C}: http://www.update.microsoft.com/windowsupd...b?1205184960843 -- WUWebControl Class
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_05
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}: http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab -- Reg Error: Key does not exist or could not be opened.
{BDBDE413-7B1C-4C68-A8FF-C5B2B4090876}: http://support.f-secure.com/ols/fscax.cab -- F-Secure Online Scanner 3.3
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_05
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_05

========== (O17) DNS Name Servers ==========

{CB99FD24-7CDF-4564-A8A2-43B667C3834B} (Servers: | Description: Intel® PRO/100 VE Network Connection)

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2008/02/21 17:46:04 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

autorun.inf [[autorun] | open=DIR625.exe | icon=D-LINK.ico | label=DIR-625 | ]
[2007/03/21 01:12:00 | 00,000,060 | R--- | M] () -- E:\autorun.inf -- [ CDFS ]

========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\Shell]
""=AutoRun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\Shell\AutoRun]
""=Auto&Play
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\Shell\AutoRun\command]
""=E:\DIR625.exe -- [2007/03/21 01:12:00 | 00,126,976 | R--- | M] (InstallShield Software Corporation)

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[6 C:\WINDOWS\*.tmp files]
[2008/11/29 13:56:40 | 00,000,345 | ---- | C] () -- C:\WINDOWS\gmer.ini
[2008/11/29 13:56:38 | 00,884,736 | ---- | C] () -- C:\WINDOWS\gmer.dll
[2008/11/29 13:56:38 | 00,811,008 | ---- | C] () -- C:\WINDOWS\gmer.exe
[2008/11/29 13:56:38 | 00,085,969 | ---- | C] (GMER) -- C:\WINDOWS\System32\drivers\gmer.sys
[2008/11/29 13:56:38 | 00,000,080 | ---- | C] () -- C:\WINDOWS\gmer_uninstall.cmd
[2008/11/29 13:56:32 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Kevin\Desktop\Gmer
[2008/11/29 13:55:53 | 00,747,873 | ---- | C] () -- C:\Documents and Settings\Kevin\Desktop\gmer.zip
[2008/11/29 13:53:46 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2008/11/29 13:47:01 | 00,000,209 | ---- | C] () -- C:\Boot.bak
[2008/11/29 13:46:57 | 00,260,272 | ---- | C] () -- C:\cmldr
[2008/11/29 13:46:54 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2008/11/29 13:45:20 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2008/11/29 13:45:20 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2008/11/29 13:45:20 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2008/11/29 13:45:20 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2008/11/29 13:45:20 | 00,089,504 | ---- | C] (Smallfrogs Studio) -- C:\WINDOWS\fdsv.exe
[2008/11/29 13:45:20 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2008/11/29 13:45:20 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2008/11/29 13:45:20 | 00,049,152 | ---- | C] () -- C:\WINDOWS\VFIND.exe
[2008/11/29 13:45:20 | 00,028,672 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2008/11/29 13:45:14 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2008/11/29 13:45:13 | 00,000,000 | ---D | C] -- C:\Qoobox
[2008/11/29 13:43:54 | 03,055,735 | R--- | C] () -- C:\Documents and Settings\Kevin\Desktop\ComboFix.exe
[2008/11/29 06:30:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Kevin\Application Data\acccore
[2008/11/29 06:22:47 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Kevin\Local Settings\Application Data\AOL OCP
[2008/11/29 06:22:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Kevin\Local Settings\Application Data\AOL
[2008/11/29 06:22:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2008/11/29 06:22:12 | 00,000,000 | ---D | C] -- C:\Program Files\Viewpoint
[2008/11/29 06:22:12 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\acccore
[2008/11/29 06:22:11 | 00,001,674 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AIM 6.lnk
[2008/11/29 06:21:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AOL OCP
[2008/11/29 06:21:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AOL
[2008/11/29 06:21:40 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\AOL
[2008/11/29 06:21:24 | 00,000,000 | ---D | C] -- C:\Program Files\AIM6
[2008/11/29 06:21:20 | 00,000,410 | -H-- | C] () -- C:\IPH.PH
[2008/11/27 15:22:23 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERUNT
[2008/11/27 15:18:07 | 00,000,000 | ---D | C] -- C:\SDFix
[2008/11/27 15:18:03 | 01,529,241 | ---- | C] () -- C:\Documents and Settings\Kevin\Desktop\SDFix.exe
[2008/11/27 14:45:28 | 00,090,624 | ---- | C] () -- C:\WINDOWS\System32\bEvtSvcE.exe
[2008/11/27 13:58:54 | 00,000,000 | ---D | C] -- C:\Program Files\NVIDIA nTune Performance Application
[2008/11/27 13:32:09 | 00,001,683 | ---- | C] () -- C:\Documents and Settings\Kevin\Desktop\fixnoflashsound.reg
[2008/11/27 13:17:09 | 52,035,774 | ---- | C] () -- C:\Documents and Settings\Kevin\My Documents\badcopy.reg
[2008/11/27 13:02:49 | 00,001,683 | ---- | C] () -- C:\Documents and Settings\Kevin\Desktop\missing.reg
[2008/11/27 12:33:05 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\CTDevctrl.gid
[2008/11/27 12:33:05 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\CTDevctrl.fts
[2008/11/27 12:33:05 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\CTDevctrl.ftg
[2008/11/27 12:32:47 | 00,002,516 | ---- | C] () -- C:\WINDOWS\System32\P16X.ini
[2008/11/27 12:32:47 | 00,000,026 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2008/11/27 12:32:47 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\Data
[2008/11/27 12:32:46 | 02,167,684 | ---- | C] () -- C:\WINDOWS\System32\ct2mgm.sf2
[2008/11/27 12:32:46 | 01,048,576 | ---- | C] () -- C:\WINDOWS\System32\Ct1mgm.rom
[2008/11/27 12:32:46 | 00,047,616 | ---- | C] () -- C:\WINDOWS\System32\P16X.dll
[2008/11/27 12:32:46 | 00,004,398 | ---- | C] () -- C:\WINDOWS\Live.ico
[2008/11/27 12:32:46 | 00,003,126 | ---- | C] () -- C:\WINDOWS\Live.bmp
[2008/11/27 12:32:46 | 00,002,696 | ---- | C] () -- C:\WINDOWS\MIXDEF.INI
[2008/11/27 12:32:46 | 00,000,059 | ---- | C] () -- C:\WINDOWS\System32\default8.sfm
[2008/11/27 12:32:46 | 00,000,059 | ---- | C] () -- C:\WINDOWS\System32\default4.sfm
[2008/11/27 12:32:46 | 00,000,059 | ---- | C] () -- C:\WINDOWS\System32\Default.sfm
[2008/11/27 12:31:14 | 00,991,232 | ---- | C] (Sensaura) -- C:\WINDOWS\System32\virtear.dll
[2008/11/27 12:31:14 | 00,049,152 | ---- | C] (Analog Devices Inc.) -- C:\WINDOWS\System32\DSndUp.exe
[2008/11/27 12:31:14 | 00,045,056 | ---- | C] (adi) -- C:\WINDOWS\System32\CleanUp.exe
[2008/11/27 12:31:14 | 00,000,000 | ---D | C] -- C:\WINDOWS\VirtualEar
[2008/11/27 12:31:14 | 00,000,000 | ---D | C] -- C:\Program Files\Analog Devices
[2008/11/27 12:26:29 | 00,000,588 | ---- | C] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2008/11/27 12:26:29 | 00,000,588 | ---- | C] () -- C:\WINDOWS\System32\settings.sfm
[2008/11/27 03:20:17 | 00,038,237 | ---- | C] () -- C:\Documents and Settings\Kevin\Desktop\n508943592_10312_3570.jpg
[2008/11/26 16:51:34 | 00,422,400 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Kevin\Desktop\OTViewIt.exe
[2008/11/26 14:22:09 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\nView_Profiles
[2008/11/26 14:20:33 | 00,162,001 | ---- | C] () -- C:\WINDOWS\System32\nvapps.xml
[2008/11/26 14:20:23 | 00,017,737 | ---- | C] () -- C:\WINDOWS\System32\nvdisp.nvu
[2008/11/26 14:20:23 | 00,000,000 | ---D | C] -- C:\WINDOWS\nview
[2008/11/26 13:40:58 | 04,379,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_40.dll
[2008/11/26 13:40:58 | 02,036,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_40.dll
[2008/11/26 13:40:58 | 00,452,440 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_40.dll
[2008/11/26 13:40:57 | 00,514,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_3.dll
[2008/11/26 13:40:57 | 00,235,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_3.dll
[2008/11/26 13:40:57 | 00,070,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_2.dll
[2008/11/26 13:40:57 | 00,023,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_5.dll
[2008/11/26 13:40:56 | 00,509,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_2.dll
[2008/11/26 13:40:56 | 00,238,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_2.dll
[2008/11/26 13:40:56 | 00,068,616 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_1.dll
[2008/11/26 13:40:55 | 03,851,784 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_39.dll
[2008/11/26 13:40:55 | 01,493,528 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_39.dll
[2008/11/26 13:40:55 | 00,507,400 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_1.dll
[2008/11/26 13:40:55 | 00,467,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_39.dll
[2008/11/26 13:40:55 | 00,065,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_0.dll
[2008/11/26 13:40:54 | 00,238,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_1.dll
[2008/11/26 13:40:54 | 00,025,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_4.dll
[2008/11/26 13:40:53 | 03,850,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_38.dll
[2008/11/26 13:40:53 | 01,491,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_38.dll
[2008/11/26 13:40:53 | 00,467,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_38.dll
[2008/11/26 13:40:52 | 00,479,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_0.dll
[2008/11/26 13:40:52 | 00,238,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_0.dll
[2008/11/26 13:40:52 | 00,025,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_3.dll
[2008/11/26 13:40:51 | 03,786,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_37.dll
[2008/11/26 13:40:51 | 01,420,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_37.dll
[2008/11/26 13:40:51 | 00,462,864 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_37.dll
[2008/11/26 13:40:51 | 00,267,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_10.dll
[2008/11/26 13:40:50 | 01,374,232 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_36.dll
[2008/11/26 13:40:50 | 00,444,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_36.dll
[2008/11/26 13:40:49 | 03,734,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_36.dll
[2008/11/26 13:40:49 | 00,267,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_9.dll
[2008/11/26 13:40:48 | 03,727,720 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_35.dll
[2008/11/26 13:40:48 | 01,358,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_35.dll
[2008/11/26 13:40:48 | 00,444,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_35.dll
[2008/11/26 13:40:48 | 00,266,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_8.dll
[2008/11/26 13:40:48 | 00,017,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_2.dll
[2008/11/26 13:40:47 | 03,497,832 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_34.dll
[2008/11/26 13:40:47 | 01,124,720 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_34.dll
[2008/11/26 13:40:47 | 00,443,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_34.dll
[2008/11/26 13:40:47 | 00,081,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xinput1_3.dll
[2008/11/26 13:40:46 | 00,261,480 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_7.dll
[2008/11/26 13:40:45 | 01,123,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_33.dll
[2008/11/26 13:40:45 | 00,443,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_33.dll
[2008/11/26 13:40:43 | 03,495,784 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_33.dll
[2008/11/26 13:40:43 | 00,255,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_6.dll
[2008/11/26 13:40:43 | 00,251,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_5.dll
[2008/11/26 13:40:42 | 03,426,072 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_32.dll
[2008/11/26 13:40:42 | 02,414,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_31.dll
[2008/11/26 13:40:42 | 00,237,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_4.dll
[2008/11/26 13:40:42 | 00,015,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\x3daudio1_1.dll
[2008/11/26 13:40:41 | 00,236,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_3.dll
[2008/11/26 13:40:41 | 00,230,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_2.dll
[2008/11/26 13:40:41 | 00,062,744 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xinput1_2.dll
[2008/11/26 13:40:41 | 00,062,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xinput1_1.dll
[2008/11/26 13:40:40 | 00,229,584 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_1.dll
[2008/11/26 13:40:37 | 02,388,176 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_30.dll
[2008/11/26 13:40:37 | 02,332,368 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_29.dll
[2008/11/26 13:40:37 | 00,230,096 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_0.dll
[2008/11/26 13:40:37 | 00,014,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\x3daudio1_0.dll
[2008/11/26 13:40:36 | 02,323,664 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_28.dll
[2008/11/26 13:40:36 | 02,319,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_27.dll
[2008/11/26 13:40:36 | 00,061,136 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xinput9_1_0.dll
[2008/11/26 13:40:35 | 02,337,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_25.dll
[2008/11/26 13:40:35 | 02,297,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_26.dll
[2008/11/26 13:40:34 | 02,222,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_24.dll
[2008/11/26 13:39:08 | 00,000,000 | -H-D | C] -- C:\WINDOWS\msdownld.tmp
[2008/11/26 13:39:02 | 00,000,000 | ---D | C] -- C:\WINDOWS\Logs
[2008/11/26 13:39:00 | 00,302,928 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Kevin\Desktop\dxwebsetup.exe
[2008/11/26 13:38:12 | 00,894,504 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Kevin\Desktop\WGAPluginInstall.exe
[2008/11/26 13:31:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Kevin\Desktop\Windo2
[2008/11/26 13:30:45 | 02,576,600 | ---- | C] () -- C:\Documents and Settings\Kevin\Desktop\Windower-3.41(2).exe
[2008/11/26 13:29:32 | 00,000,180 | ---- | C] () -- C:\Documents and Settings\Kevin\Desktop\Live Chat Support.url
[2008/11/26 13:29:32 | 00,000,132 | ---- | C] () -- C:\Documents and Settings\Kevin\Desktop\Plugin Documentation.url
[2008/11/26 11:34:13 | 00,091,648 | ---- | C] () -- C:\WINDOWS\System32\bEvtService.exe
[2008/11/26 09:32:28 | 00,000,000 | ---D | C] -- C:\fsaua.data
[2008/11/26 09:28:21 | 00,142,096 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2008/11/26 09:18:04 | 00,096,978 | ---- | C] (Business Information Solutions) -- C:\Documents and Settings\Kevin\Desktop\VirtumundoBeGone.exe
[2008/11/26 07:34:01 | 00,000,000 | ---D | C] -- C:\Program Files\MindDate Software
[2008/11/26 07:27:24 | 00,008,704 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdjpn.dll
[2008/11/26 07:27:24 | 00,008,704 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdjpn.dll
[2008/11/26 07:27:24 | 00,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdkor.dll
[2008/11/26 07:27:24 | 00,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbdkor.dll
[2008/11/26 07:27:24 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbd106.dll
[2008/11/26 07:27:24 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbd106.dll
[2008/11/26 07:27:23 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbd101c.dll
[2008/11/26 07:27:23 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbd101c.dll
[2008/11/26 07:27:23 | 00,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbd103.dll
[2008/11/26 07:27:23 | 00,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbd103.dll
[2008/11/26 07:27:21 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbd101b.dll
[2008/11/26 07:27:21 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\kbd101b.dll
[2008/11/22 11:04:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Kevin\Desktop\4chan
[2008/11/22 10:31:25 | 01,673,180 | ---- | C] () -- C:\Documents and Settings\Kevin\Desktop\WRT54GS-v5v6_1.52.5.002_fw.bin
[2008/11/21 14:14:07 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\LogFiles
[2008/11/21 12:24:43 | 00,135,712 | ---- | C] () -- C:\WINDOWS\System32\drivers\ethqgobh.sys
[2008/11/21 12:21:31 | 00,000,000 | ---D | C] -- C:\WINDOWS\NV7041096.TMP
[2008/11/21 12:21:18 | 00,000,000 | ---D | C] -- C:\WINDOWS\NV35643568.TMP
[2008/11/21 12:20:46 | 00,000,000 | ---D | C] -- C:\WINDOWS\LastGood(2)
[2008/11/21 08:10:18 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2008/11/21 02:57:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Kevin\Application Data\Malwarebytes
[2008/11/21 02:55:48 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2008/11/21 02:55:48 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2008/11/21 02:55:45 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2008/11/21 02:55:44 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2008/11/21 02:55:44 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2008/11/21 02:43:53 | 00,000,000 | ---D | C] -- C:\VundoFix Backups
[2008/11/21 01:11:51 | 00,000,226 | ---- | C] () -- C:\Documents and Settings\Kevin\Desktop\fix.reg
[2008/11/21 01:11:09 | 00,001,436 | ---- | C] () -- C:\Documents and Settings\Kevin\My Documents\GoodCopy.reg
[2008/11/21 00:01:46 | 00,000,101 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/11/20 23:38:16 | 03,739,744 | ---- | C] () -- C:\Documents and Settings\Kevin\Desktop\spybotsd_includes.exe
[2008/11/20 23:12:01 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2008/11/20 11:35:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Kevin\Local Settings\Application Data\Symantec
[2008/11/20 11:31:55 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Norton
[2008/11/20 11:31:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller
[2008/11/20 11:15:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PrevxCSI
[2008/11/20 09:59:54 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Kevin\Application Data\Uniblue
[2008/11/20 09:32:12 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2008/11/20 09:32:12 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2008/11/20 09:30:54 | 15,083,520 | ---- | C] (Safer Networking Limited ) -- C:\Documents and Settings\Kevin\Desktop\spybotsd160.exe
[2008/11/20 07:54:51 | 00,000,000 | ---D | C] -- C:\Program Files\Kaspersky Lab
[2008/11/20 07:52:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
[2008/11/20 05:32:32 | 00,000,000 | ---D | C] -- C:\smitrem
[2008/11/20 04:44:13 | 00,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2008/11/20 03:58:46 | 00,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2008/11/20 03:55:31 | 00,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2008/11/20 03:55:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2008/11/20 03:25:27 | 00,027,904 | ---- | C] (Windows ® Codename Longhorn DDK provider) -- C:\WINDOWS\System32\drivers\ndisprot.sys
[2008/11/20 03:24:57 | 00,000,000 | ---D | C] -- C:\WINDOWS\HDTV Player
[2008/11/20 03:20:33 | 00,000,795 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\DivX Player.lnk
[2008/11/12 21:12:51 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\Adobe
[2008/11/09 22:21:01 | 04,966,728 | ---- | C] (Amazing Planet (www.amazingplanet.com)) -- C:\Documents and Settings\Kevin\Desktop\Update_Nov_08_2008.exe
[2008/11/07 17:58:28 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Kevin\Desktop\New Bitmap Image.bmp
[2008/11/06 23:35:14 | 00,044,922 | ---- | C] () -- C:\Documents and Settings\Kevin\Desktop\3E33E4REEEEEEERRT444.jpg
[2008/11/01 03:06:03 | 00,001,814 | ---- | C] () -- C:\Documents and Settings\Kevin\Desktop\Pokemon Global.lnk

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[6 C:\WINDOWS\*.tmp files]
[2008/11/29 18:26:25 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2008/11/29 18:26:23 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2008/11/29 13:59:16 | 00,000,345 | ---- | M] () -- C:\WINDOWS\gmer.ini
[2008/11/29 13:56:38 | 00,884,736 | ---- | M] () -- C:\WINDOWS\gmer.dll
[2008/11/29 13:56:38 | 00,085,969 | ---- | M] (GMER) -- C:\WINDOWS\System32\drivers\gmer.sys
[2008/11/29 13:56:38 | 00,000,080 | ---- | M] () -- C:\WINDOWS\gmer_uninstall.cmd
[2008/11/29 13:55:38 | 00,747,873 | ---- | M] () -- C:\Documents and Settings\Kevin\Desktop\gmer.zip
[2008/11/29 13:50:13 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2008/11/29 13:49:55 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2008/11/29 13:49:50 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2008/11/29 13:47:01 | 00,000,279 | RHS- | M] () -- C:\boot.ini
[2008/11/29 13:43:44 | 03,055,735 | R--- | M] () -- C:\Documents and Settings\Kevin\Desktop\ComboFix.exe
[2008/11/29 06:22:46 | 00,000,410 | -H-- | M] () -- C:\IPH.PH
[2008/11/29 06:22:11 | 00,001,674 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AIM 6.lnk
[2008/11/28 03:11:17 | 00,000,588 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2008/11/28 03:11:17 | 00,000,588 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2008/11/27 15:18:00 | 01,529,241 | ---- | M] () -- C:\Documents and Settings\Kevin\Desktop\SDFix.exe
[2008/11/27 15:11:02 | 00,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\svchost.exe
[2008/11/27 15:11:02 | 00,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\svchost.exe
[2008/11/27 15:09:24 | 04,840,486 | -H-- | M] () -- C:\Documents and Settings\Kevin\Local Settings\Application Data\IconCache.db
[2008/11/27 14:57:58 | 00,000,477 | ---- | M] () -- C:\WINDOWS\win.ini
[2008/11/27 14:57:58 | 00,000,209 | ---- | M] () -- C:\Boot.bak
[2008/11/27 14:45:23 | 00,090,624 | ---- | M] () -- C:\WINDOWS\System32\bEvtSvcE.exe
[2008/11/27 13:32:07 | 00,001,683 | ---- | M] () -- C:\Documents and Settings\Kevin\Desktop\fixnoflashsound.reg
[2008/11/27 13:17:16 | 52,035,774 | ---- | M] () -- C:\Documents and Settings\Kevin\My Documents\badcopy.reg
[2008/11/27 13:02:49 | 00,001,683 | ---- | M] () -- C:\Documents and Settings\Kevin\Desktop\missing.reg
[2008/11/27 12:33:11 | 00,000,066 | ---- | M] () -- C:\WINDOWS\SBWIN.INI
[2008/11/27 03:20:17 | 00,038,237 | ---- | M] () -- C:\Documents and Settings\Kevin\Desktop\n508943592_10312_3570.jpg
[2008/11/26 16:51:33 | 00,422,400 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Kevin\Desktop\OTViewIt.exe
[2008/11/26 14:22:07 | 00,162,001 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2008/11/26 13:38:59 | 00,302,928 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Kevin\Desktop\dxwebsetup.exe
[2008/11/26 13:38:10 | 00,894,504 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Kevin\Desktop\WGAPluginInstall.exe
[2008/11/26 13:30:41 | 02,576,600 | ---- | M] () -- C:\Documents and Settings\Kevin\Desktop\Windower-3.41(2).exe
[2008/11/26 11:34:08 | 00,091,648 | ---- | M] () -- C:\WINDOWS\System32\bEvtService.exe
[2008/11/26 10:04:29 | 00,011,231 | ---- | M] () -- C:\Documents and Settings\Kevin\Desktop\New Rich Text Document.rtf
[2008/11/26 09:28:21 | 00,142,096 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2008/11/26 09:17:56 | 00,096,978 | ---- | M] (Business Information Solutions) -- C:\Documents and Settings\Kevin\Desktop\VirtumundoBeGone.exe
[2008/11/25 17:21:16 | 00,119,744 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/11/25 13:34:57 | 00,019,576 | ---- | M] () -- C:\Documents and Settings\Kevin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2008/11/22 23:17:01 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2008/11/22 10:31:21 | 01,673,180 | ---- | M] () -- C:\Documents and Settings\Kevin\Desktop\WRT54GS-v5v6_1.52.5.002_fw.bin
[2008/11/21 12:24:43 | 00,135,712 | ---- | M] () -- C:\WINDOWS\System32\drivers\ethqgobh.sys
[2008/11/21 02:55:48 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2008/11/21 01:11:51 | 00,000,226 | ---- | M] () -- C:\Documents and Settings\Kevin\Desktop\fix.reg
[2008/11/21 01:11:09 | 00,001,436 | ---- | M] () -- C:\Documents and Settings\Kevin\My Documents\GoodCopy.reg
[2008/11/21 00:01:46 | 00,000,101 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2008/11/20 23:38:23 | 03,739,744 | ---- | M] () -- C:\Documents and Settings\Kevin\Desktop\spybotsd_includes.exe
[2008/11/20 09:31:09 | 15,083,520 | ---- | M] (Safer Networking Limited ) -- C:\Documents and Settings\Kevin\Desktop\spybotsd160.exe
[2008/11/20 03:26:18 | 00,000,915 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20081120-233539.backup
[2008/11/20 03:25:27 | 00,027,904 | ---- | M] (Windows ® Codename Longhorn DDK provider) -- C:\WINDOWS\System32\drivers\ndisprot.sys
[2008/11/20 03:20:33 | 00,000,795 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\DivX Player.lnk
[2008/11/20 03:20:06 | 00,001,469 | ---- | M] () -- C:\Documents and Settings\Kevin\Desktop\DivX Movies.lnk
[2008/11/20 03:18:12 | 00,005,632 | ---- | M] () -- C:\Documents and Settings\Kevin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/11/12 21:12:57 | 00,001,541 | ---- | M] () -- C:\WINDOWS\mozver.dat
[2008/11/09 22:21:15 | 04,966,728 | ---- | M] (Amazing Planet (www.amazingplanet.com)) -- C:\Documents and Settings\Kevin\Desktop\Update_Nov_08_2008.exe
[2008/11/07 17:58:28 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Kevin\Desktop\New Bitmap Image.bmp
[2008/11/06 23:35:15 | 00,044,922 | ---- | M] () -- C:\Documents and Settings\Kevin\Desktop\3E33E4REEEEEEERRT444.jpg
[2008/11/01 03:06:03 | 00,001,814 | ---- | M] () -- C:\Documents and Settings\Kevin\Desktop\Pokemon Global.lnk
< End of report >


OTViewIt Extras logfile created on: 11/29/2008 7:06:59 PM - Run 3
OTViewIt by OldTimer - Version 1.0.20.0 Folder = C:\Documents and Settings\Kevin\Desktop
Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.98 Mb Total Physical Memory | 701.90 Mb Available Physical Memory | 68.61% Memory free
2.40 Gb Paging File | 2.22 Gb Available in Paging File | 92.45% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.46 Gb Total Space | 50.50 Gb Free Space | 67.83% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 65.05 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MCMASTER-4CA64F
Current User Name: Kevin
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=1
"AntiVirusDisableNotify"=0
"FirewallDisableNotify"=0
"UpdatesDisableNotify"=0
"AntiVirusOverride"=0
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall"=1
"DisableNotifications"=0
"DoNotAllowExceptions"=0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2004/08/10 07:00:00 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2008/03/10 16:05:20 | 01,691,648 | ---- | M] (SQUARE ENIX CO., LTD.) -- C:\Program Files\PlayOnline\SquareEnix\PlayOnlineViewer\pol.exe:*:Disabled:PlayOnline Viewer
[2004/08/10 07:00:00 | 00,140,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019
[2008/09/26 19:14:06 | 03,660,848 | ---- | M] (Veoh Networks) -- C:\Program Files\Veoh Networks\Veoh\VeohClient.exe:*:Disabled:Veoh Client
[2004/08/04 01:06:34 | 01,667,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
[2008/10/09 17:11:10 | 03,502,840 | ---- | M] (Veoh Networks) -- C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:*:Enabled:Veoh Web Player
[2006/11/03 02:17:27 | 00,010,800 | ---- | M] (AOL LLC) -- C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader
[2008/10/21 12:09:59 | 00,050,472 | ---- | M] (AOL LLC) -- C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 02:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
msdaipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 02:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 02:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2003/08/01 15:09:04 | 08,086,072 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (mso-offdap11:{32505114-5902-49B2-880A-1F7738E5A384} (HKLM) [Data Page Plugable Protocal mso-offdap11 Handler])

========== (O18) Protocol Filters ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2003/07/14 22:45:12 | 00,039,488 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL text/xml:{807553E5-5146-11D5-A672-00B0D022E945} (HKLM) [Reg Error: Value does not exist or could not be read.]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0405E51E-9582-4207-8F38-AC44201D3808}"=VeohTV BETA
"{15095BF3-A3D7-4DDF-B193-3A496881E003}"=Microsoft .NET Framework 3.0
"{18D10072035C4515918F7E37EAFAACFC}"=AutoUpdate
"{1E04F83B-2AB9-4301-9EF7-E86307F79C72}"=Google Earth
"{3248F0A8-6813-11D6-A77B-00B0D0160050}"=Java™ 6 Update 5
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{3C0619B4-4A2C-4244-8077-488E420DF907}"=FINAL FANTASY XI: Chains of Promathia
"{47004155-7376-403E-89E9-4C9F44AAF0D0}"=PlayOnline Viewer and Tetra Master
"{491DD792-AD81-429C-9EB4-86DD3D22E333}"=Windows Communication Foundation
"{5B037ED7-0755-48D4-9554-808E5AF50F17}"=FINAL FANTASY XI: Wings of the Goddess
"{678F6475-D227-432A-94FF-806178A34520}"=FINAL FANTASY XI
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}"=Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}"=Windows Media Player Firefox Plugin
"{6FC76C41-8C1D-4B43-85E7-0BAA2002F1BE}"=FINAL FANTASY XI: Rise of the Zilart
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}"=Microsoft .NET Framework 2.0
"{789289CA-F73A-4A16-A331-54D498CE069F}"=Ventrilo Client
"{7C7F30F4-94E7-4AA8-8941-90C4A80C68BF}"=NVIDIA nTune
"{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}"=Windows Workflow Foundation
"{8ADFC4160D694100B5B8A22DE9DCABD9}"=DivX Player
"{8DC42D05-680B-41B0-8878-6C14D24602DB}"=QuickTime
"{90110409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Professional Edition 2003
"{96E16100-A77F-4B31-B9AD-FFBA040EE1BD}"=Sound Blaster Live!
"{A606C6FF-12E7-40BE-B777-D8F360FF00CD}"=FINAL FANTASY XI: Treasures of Aht Urhgan
"{AC76BA86-7AD7-1033-7B44-A81200000003}"=Adobe Reader 8.1.2
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1"=Spybot - Search & Destroy
"{B7050CBDB2504B34BC2A9CA0A692CC29}"=DivX Web Player
"{BAF78226-3200-4DB4-BE33-4D922A799840}"=Windows Presentation Foundation
"{F0A37341-D692-11D4-A984-009027EC0A9C}"=SoundMAX
"Adobe Flash Player ActiveX"=Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin"=Adobe Flash Player 10 Plugin
"AIM_6"=AIM 6
"Applian FLV Player2.0.24"=Applian FLV Player
"ArtMoney SE_is1"=ArtMoney SE v7.27
"BitComet"=BitComet 1.01
"Computer Alarm Clock"=Computer Alarm Clock
"Dell AIO Printer A940"=Dell AIO Printer A940
"FFXI AppBeta June 26"=FFXI App
"HijackThis"=HijackThis 2.0.2
"InstallShield_{0405E51E-9582-4207-8F38-AC44201D3808}"=VeohTV BETA
"InstallShield_{3C0619B4-4A2C-4244-8077-488E420DF907}"=FINAL FANTASY XI: Chains of Promathia
"InstallShield_{47004155-7376-403E-89E9-4C9F44AAF0D0}"=PlayOnline Viewer and Tetra Master
"InstallShield_{5B037ED7-0755-48D4-9554-808E5AF50F17}"=FINAL FANTASY XI: Wings of the Goddess
"InstallShield_{678F6475-D227-432A-94FF-806178A34520}"=FINAL FANTASY XI
"InstallShield_{6FC76C41-8C1D-4B43-85E7-0BAA2002F1BE}"=FINAL FANTASY XI: Rise of the Zilart
"InstallShield_{7C7F30F4-94E7-4AA8-8941-90C4A80C68BF}"=NVIDIA nTune
"InstallShield_{A606C6FF-12E7-40BE-B777-D8F360FF00CD}"=FINAL FANTASY XI: Treasures of Aht Urhgan
"InterCasinoPoker"=InterPoker
"KanjiBrowze 2006.1"=KanjiBrowze 2006.1
"Malwarebytes' Anti-Malware_is1"=Malwarebytes' Anti-Malware
"Microsoft .NET Framework 2.0"=Microsoft .NET Framework 2.0
"Microsoft .NET Framework 3.0"=Microsoft .NET Framework 3.0
"Mozilla Firefox (2.0.0.18)"=Mozilla Firefox (2.0.0.18)
"Notepad++"=Notepad++
"NVIDIA Drivers"=NVIDIA Drivers
"POLUtils"=POLUtils
"PROSet"=Intel® PRO Network Adapters and Drivers
"SopCast"=SopCast 3.0.3
"SpeedFan"=SpeedFan (remove only)
"Veoh Web Player Beta"=Veoh Web Player Beta
"ViewpointMediaPlayer"=Viewpoint Media Player
"WIC"=Windows Imaging Component
"WinRAR archiver"=WinRAR archiver
"XpsEPSC"=XML Paper Specification Shared Components Pack 1.0
"Xvid_is1"=Xvid 1.1.3 final uninstall

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Pokemon Global"=Pokemon Global

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1343024091-706699826-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Pokemon Global"=Pokemon Global

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/25/2008 8:32:52 AM | Computer Name = MCMASTER-4CA64F | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.2180, faulting
module unknown, version 0.0.0.0, fault address 0x13149fce.

Error - 11/26/2008 6:30:34 AM | Computer Name = MCMASTER-4CA64F | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 800706BF from line 44 of d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 11/26/2008 2:07:31 PM | Computer Name = MCMASTER-4CA64F | Source = Application Error | ID = 1000
Description = Faulting application pol.exe, version 1.18.7.0, faulting module pol.exe,
version 1.18.7.0, fault address 0x0000a7c2.

Error - 11/26/2008 3:09:42 PM | Computer Name = MCMASTER-4CA64F | Source = Application Error | ID = 1000
Description = Faulting application pol.exe, version 1.18.7.0, faulting module hook.dll,
version 3.3.0.0, fault address 0x00010ef6.

Error - 11/26/2008 3:33:49 PM | Computer Name = MCMASTER-4CA64F | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.8.20081.2918, faulting
module unknown, version 0.0.0.0, fault address 0x300d4eef.

Error - 11/27/2008 2:35:37 PM | Computer Name = MCMASTER-4CA64F | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module gosnqyxm32.dll,
version 0.0.0.0, fault address 0x00001149.

Error - 11/27/2008 2:37:23 PM | Computer Name = MCMASTER-4CA64F | Source = Application Error | ID = 1004
Description = Faulting application winlogon.exe, version 0.0.0.0, faulting module
gosnqyxm32.dll, version 0.0.0.0, fault address 0x00001149.

Error - 11/27/2008 2:39:45 PM | Computer Name = MCMASTER-4CA64F | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module gosnqyxm.dll,
version 0.0.0.0, fault address 0x00001149.

Error - 11/27/2008 2:41:56 PM | Computer Name = MCMASTER-4CA64F | Source = Application Error | ID = 1004
Description = Faulting application winlogon.exe, version 0.0.0.0, faulting module
gosnqyxm.dll, version 0.0.0.0, fault address 0x00001149.

Error - 11/27/2008 3:45:39 PM | Computer Name = MCMASTER-4CA64F | Source = Application Error | ID = 1000
Description = Faulting application services.exe, version 5.1.2600.2180, faulting
module unknown, version 0.0.0.0, fault address 0x00000000.

[ System Events ]
Error - 11/29/2008 2:50:35 PM | Computer Name = MCMASTER-4CA64F | Source = Service Control Manager | ID = 7000
Description = The Application Layer Gateway Service service failed to start due
to the following error: %%2

Error - 11/29/2008 2:58:34 PM | Computer Name = MCMASTER-4CA64F | Source = Service Control Manager | ID = 7001
Description = The Print Spooler service depends on the LexBce Server service which
failed to start because of the following error: %%1058

Error - 11/29/2008 2:58:34 PM | Computer Name = MCMASTER-4CA64F | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Beep

Error - 11/29/2008 2:58:35 PM | Computer Name = MCMASTER-4CA64F | Source = Service Control Manager | ID = 7000
Description = The Application Layer Gateway Service service failed to start due
to the following error: %%2

Error - 11/29/2008 6:54:04 PM | Computer Name = MCMASTER-4CA64F | Source = Service Control Manager | ID = 7001
Description = The Print Spooler service depends on the LexBce Server service which
failed to start because of the following error: %%1058

Error - 11/29/2008 6:54:06 PM | Computer Name = MCMASTER-4CA64F | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Beep

Error - 11/29/2008 6:54:07 PM | Computer Name = MCMASTER-4CA64F | Source = Service Control Manager | ID = 7000
Description = The Application Layer Gateway Service service failed to start due
to the following error: %%2

Error - 11/29/2008 7:26:37 PM | Computer Name = MCMASTER-4CA64F | Source = Service Control Manager | ID = 7001
Description = The Print Spooler service depends on the LexBce Server service which
failed to start because of the following error: %%1058

Error - 11/29/2008 7:26:38 PM | Computer Name = MCMASTER-4CA64F | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Beep

Error - 11/29/2008 7:26:40 PM | Computer Name = MCMASTER-4CA64F | Source = Service Control Manager | ID = 7000
Description = The Application Layer Gateway Service service failed to start due
to the following error: %%2


< End of report >
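The file listing and the Application Error events in the log above are normally read by hand. The following Python is an added example for this thread (not a BleepingComputer, OldTimer or ComboFix tool) that parses a handful of lines copied from the log and applies a few assumed triage rules: an executable in System32 modified within the log's 30-day window with an empty publisher field, a file name that fails a crude random-name check, and a core OS binary whose modification date is newer than the stock SP2 file date that appears elsewhere in this log (2004/08/10, the date on sessmgr.exe). It also walks the event extract for modules that crashed inside privileged processes such as winlogon.exe. The window, the baseline date, the process lists and the name heuristic are this example's own assumptions, and the sample strings are constructed from lines in the log.

```python
"""Triage helpers for OTViewIt-style file listings and event-log extracts.
Added example for this thread, not a BleepingComputer, OldTimer or ComboFix tool.
Sample lines are copied from the log above; rules and thresholds are assumptions."""
import re
from datetime import date

# One OTViewIt file line: [yyyy/mm/dd hh:mm:ss | size | attrs | M] (Publisher) -- path
FILE_RE = re.compile(
    r"^\[(?P<date>\d{4}/\d{2}/\d{2}) \d{2}:\d{2}:\d{2} \| (?P<size>[\d,]+) \| "
    r"[-A-Z]{4} \| M\] \((?P<publisher>.*?)\) -- (?P<path>.+)$"
)
# Application Error description; the log wraps it mid-sentence, hence \s+ around "module"
FAULT_RE = re.compile(
    r"Faulting application (?P<app>[^,]*), version [^,]*, faulting\s+module\s+(?P<module>[^,]*),"
)

SCAN_DATE = date(2008, 11, 29)          # assumed: date of the log above
SP2_BASELINE = date(2004, 8, 10)        # assumed: mtime of stock XP SP2 files in this log
SYSTEM32 = "c:\\windows\\system32\\"   # prefix also covers \drivers\ and \dllcache\
CORE_BINARIES = {"svchost.exe", "winlogon.exe", "services.exe", "lsass.exe", "explorer.exe"}
PRIVILEGED_HOSTS = {"svchost.exe", "winlogon.exe", "services.exe", "lsass.exe"}

# Constructed sample: lines copied from the OTViewIt listing above
SAMPLE_FILES = r"""
[2008/11/27 15:11:02 | 00,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\svchost.exe
[2008/11/27 14:45:23 | 00,090,624 | ---- | M] () -- C:\WINDOWS\System32\bEvtSvcE.exe
[2008/11/26 11:34:08 | 00,091,648 | ---- | M] () -- C:\WINDOWS\System32\bEvtService.exe
[2008/11/26 09:28:21 | 00,142,096 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2008/11/21 12:24:43 | 00,135,712 | ---- | M] () -- C:\WINDOWS\System32\drivers\ethqgobh.sys
[2008/11/20 03:25:27 | 00,027,904 | ---- | M] (Windows ® Codename Longhorn DDK provider) -- C:\WINDOWS\System32\drivers\ndisprot.sys
[2008/11/26 16:51:33 | 00,422,400 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Kevin\Desktop\OTViewIt.exe
[2008/11/27 14:57:58 | 00,000,477 | ---- | M] () -- C:\WINDOWS\win.ini
"""

# Constructed sample: four Application Error records copied from the event extract above
SAMPLE_EVENTS = """
Error - 11/25/2008 8:32:52 AM | Computer Name = MCMASTER-4CA64F | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.2180, faulting
module unknown, version 0.0.0.0, fault address 0x13149fce.

Error - 11/26/2008 2:07:31 PM | Computer Name = MCMASTER-4CA64F | Source = Application Error | ID = 1000
Description = Faulting application pol.exe, version 1.18.7.0, faulting module pol.exe,
version 1.18.7.0, fault address 0x0000a7c2.

Error - 11/27/2008 2:37:23 PM | Computer Name = MCMASTER-4CA64F | Source = Application Error | ID = 1004
Description = Faulting application winlogon.exe, version 0.0.0.0, faulting module
gosnqyxm32.dll, version 0.0.0.0, fault address 0x00001149.

Error - 11/27/2008 3:45:39 PM | Computer Name = MCMASTER-4CA64F | Source = Application Error | ID = 1000
Description = Faulting application services.exe, version 5.1.2600.2180, faulting
module unknown, version 0.0.0.0, fault address 0x00000000.
"""


def parse_files(text):
    """Return one dict per OTViewIt file line; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if not m:
            continue
        y, mo, d = (int(x) for x in m["date"].split("/"))
        entries.append({"mtime": date(y, mo, d), "size": int(m["size"].replace(",", "")),
                        "publisher": m["publisher"], "path": m["path"],
                        "name": m["path"].rsplit("\\", 1)[-1].lower()})
    return entries


def looks_random(name):
    """Weak signal only: a q not followed by u, or five+ consonants in a row (y counts as a vowel)."""
    stem = name.rsplit(".", 1)[0].lower()
    return bool(re.search(r"q(?!u)", stem) or re.search(r"[bcdfghjklmnpqrstvwxz]{5,}", stem))


def file_findings(entries, scan_date=SCAN_DATE, age_days=30):
    """Map path -> list of reasons for files that deserve a closer look."""
    findings = {}
    for e in entries:
        reasons = []
        in_sys = e["path"].lower().startswith(SYSTEM32)
        exe_like = e["name"].endswith((".exe", ".dll", ".sys"))
        recent = (scan_date - e["mtime"]).days <= age_days
        if in_sys and exe_like and not e["publisher"] and recent:
            reasons.append("recent executable in System32 with no publisher string")
        if in_sys and exe_like and looks_random(e["name"]):
            reasons.append("random-looking file name")
        if e["name"] in CORE_BINARIES and e["mtime"] > SP2_BASELINE:
            reasons.append("core OS binary newer than SP2 baseline; verify hash against a clean copy")
        if reasons:
            findings[e["path"]] = reasons
    return findings


def fault_findings(event_text):
    """Return (process, module) pairs for crashes inside privileged processes."""
    out = []
    for record in re.split(r"\n\s*\n", event_text.strip()):
        m = FAULT_RE.search(record)
        if not m or m["app"].strip().lower() not in PRIVILEGED_HOSTS:
            continue
        module = m["module"].strip().lower()
        if module == "unknown":   # fault address in no loaded module: injected code is one explanation
            module = "unknown (fault address in no loaded module)"
        out.append((m["app"].strip().lower(), module))
    return out


if __name__ == "__main__":
    for path, reasons in file_findings(parse_files(SAMPLE_FILES)).items():
        print(path, "->", "; ".join(reasons))
    for app, module in fault_findings(SAMPLE_EVENTS):
        print(app, "crashed in", module)
```

On the sample, the three rules pick out svchost.exe (date only; the file still has to be hashed against a known-good copy before calling it bad), bEvtSvcE.exe, bEvtService.exe and ethqgobh.sys, while tmcomm.sys and ndisprot.sys pass; the event pass reports gosnqyxm32.dll crashing inside winlogon.exe and two crashes at addresses that belong to no module. None of these is proof on its own; the value is in lining the signals up with the items the helper later asked ComboFix to remove.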

#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:10 PM

Posted 30 November 2008 - 09:45 AM

Hello.

Your log looks better :thumbsup:

Some programs I need to warn you about though.

ViewPoint and P2P Program Warning

Viewpoint Manager and Viewpoint Media Player are considered foistware rather than malware, since they are installed without the user's approval but don't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Your log also shows that you are using so-called peer-to-peer or file-sharing programs (in your case BitComet 1.01). These programs allow users to share files, as the name suggests. In today's world cyber crime has reached an enormous scale, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, so it is suggested that they be used with great care. Some further reading on this subject, along with the included links, is as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes copyright law in many countries around the world, and you are putting yourself at risk of being indicted by organizations watching over the rights of the authors of such files (e.g. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

It is your decision whether or not you wish to keep your program(s), but I suggest you remove them via Add/Remove Programs. However, please refrain from using them until your computer has been declared clean.


Let's continue with the fix. We still have some work to do.

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open Notepad (Start > Run > "notepad") and copy/paste the text in the quotebox below into it:
    Driver::
    ethqgobh
    bEvtService
    bEvtSvcE
    
    File::
    c:\windows\system32\drivers\ethqgobh.sys
    c:\windows\System32\bEvtService.exe
    c:\windows\System32\bEvtSvcE.exe
  • Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    [image omitted]
  • Referring to the picture above, drag CFScript.txt into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Update Java to Version 6 Update 10

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 10...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u10-windows-i586-p.exe to install the newest version.
Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

Please post back with:
-Combofix log
-Kaspersky Scan log
-Fresh OTViewIT logs


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to [image].

#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:10 PM

Posted 03 December 2008 - 04:54 PM

Hello Kevooo.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5 days the topic will need to be closed.

Thanks for understanding. :thumbsup:

With Regards,
Extremeboy

#13 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:06:10 PM

Posted 05 December 2008 - 11:51 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Microsoft MVP Consumer Security