Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

System compromise


  • This topic is locked This topic is locked
27 replies to this topic

#1 rchelisjm

rchelisjm

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:08:18 AM

Posted 18 February 2009 - 05:01 AM

Totally hijacked system... here is dds.txt If I try to attach attach.log - browser is redirected..


DDS (Ver_09-02-01.01) - NTFSx86
Run by Steve at 1:15:39.71 on Wed 02/18/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2557.1835 [GMT -8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\DVDAudio\CTDVDDET.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\BOINC\GridRepublic.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
C:\Program Files\Stata Labs\SAproxy Pro\sa-gui.exe
C:\Program Files\Stata Labs\SAproxy Pro\saproxy.exe
C:\Program Files\BOINC\boinc.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe
C:\Program Files\BOINC\projects\setiathome.berkeley.edu\setiathome_6.03_windows_intelx86.exe
C:\Program Files\Creative\MediaSource\RemoteControl\OSDMenu.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Steve\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6060913
uWindow Title = Windows Internet Explorer provided by Comcast
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [LDM] "c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [H/PC Connection Agent] "c:\progra~1\mi3aa1~1\wcescomm.exe"
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\HOMERunner.exe"
uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S
uRun: [Creative Detector] "c:\program files\creative\mediasource\detector\CTDetect.exe" /R
uRun: [RemoteCenter] "c:\program files\creative\mediasource\remotecontrol\RcMan.exe"
uRun: [RegistryMechanic] "c:\program files\registry mechanic\RegMech.exe" /H
mRun: [ehTray] "c:\windows\ehome\ehtray.exe"
mRun: [NvCplDaemon] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [DMXLauncher] "c:\program files\dell\media experience\DMXLauncher.exe"
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [DLA] "c:\windows\system32\dla\DLACTRLW.EXE"
mRun: [ISUSPM Startup] "c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Logitech Hardware Abstraction Layer] "c:\windows\KHALMNPR.EXE"
mRun: [AGEIA PhysX SysTray] "c:\program files\ageia technologies\TrayIcon.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2
mRun: [<NO NAME>]
mRun: [AppleSyncNotifier] "c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe"
mRun: [nwiz] "c:\windows\system32\nwiz.exe" /install
mRun: [NvMediaCenter] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [CTHelper] "c:\windows\system32\CTHELPER.EXE"
mRun: [CTDVDDET] "c:\program files\creative\dvdaudio\CTDVDDET.EXE"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Ad-Watch] "c:\program files\lavasoft\ad-aware\AAWTray.exe"
StartupFolder: c:\docume~1\steve\startm~1\programs\startup\saprox~1.lnk - c:\program files\stata labs\saproxy pro\sa-gui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\gridre~1.lnk - c:\program files\boinc\GridRepublic.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\totalm~1.lnk - c:\program files\arcsoft\totalmedia backup & record\uBBMonitor.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: mcafee.com
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1226650142359
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.5/installer.exe
TCP: NameServer = 85.255.112.39,85.255.112.40
TCP: {0742A5CD-AF77-4B06-B2C0-F63D2974FC3B} = 85.255.112.39,85.255.112.40
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-16 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 921936]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 athena;athena;c:\windows\system32\drivers\athena.sys [2006-9-13 108160]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]

=============== Created Last 30 ================

2009-02-17 20:47 20 a--sh--- C:\ArcDeviceInfo
2009-02-17 20:31 94 a------- c:\windows\MusicRip.ini
2009-02-17 20:31 11,776 a------- c:\windows\system32\drivers\afc.sys
2009-02-17 20:31 212,480 a------- c:\windows\PCDLIB32.DLL
2009-02-16 22:27 15,688 a------- c:\windows\system32\lsdelete.exe
2009-02-16 16:29 <DIR> --d----- c:\windows\SxsCaPendDel
2009-02-16 16:20 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-02-16 16:19 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-16 16:19 <DIR> --d----- c:\program files\Lavasoft
2009-02-16 11:06 <DIR> --d----- C:\Binaries
2009-02-13 23:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Citrix
2009-02-13 00:47 <DIR> --d----- c:\program files\freshplay
2009-02-11 23:58 <DIR> --d----- c:\program files\common files\ODBC
2009-02-11 23:57 <DIR> --d----- c:\windows\$SQLUninstallSQL2000-KB960082-v8.00.2055-x86-ENU$

==================== Find3M ====================

2009-02-18 00:51 187,780 a------- c:\windows\system32\FontInfo.bin
2009-02-18 00:51 59,684 a------- c:\windows\system32\GlyphInfo.bin
2009-01-16 21:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2009-01-06 00:00 249,856 -------- c:\windows\Setup1.exe
2009-01-05 23:59 73,216 a------- c:\windows\ST6UNST.EXE
2008-12-19 01:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 01:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-18 21:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2008-12-18 21:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-12-11 02:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-12-07 23:14 444,952 a------- c:\windows\system32\wrap_oal.dll
2008-12-07 23:14 109,080 a------- c:\windows\system32\OpenAL32.dll
2008-11-13 22:48 61,224 a------- c:\documents and settings\steve\GoToAssistDownloadHelper.exe
2008-09-12 17:23 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091220080913\index.dat

============= FINISH: 1:16:17.64 ===============

BC AdBot (Login to Remove)

 


#2 rchelisjm

rchelisjm
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:08:18 AM

Posted 18 February 2009 - 05:04 AM

I forgot to say thanks to you all for our efforts to help those of use that aren't mechanics to our operating system!

Steve

#3 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:65 miles due East of the &quot;Logic Free Zone&quot;, in Md, USA
  • Local time:11:18 AM

Posted 01 March 2009 - 01:50 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#4 rchelisjm

rchelisjm
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:08:18 AM

Posted 01 March 2009 - 07:05 PM

Here is the requested DDS.txt log.

Thanks for your assistance!

Steve


DDS (Ver_09-02-01.01) - NTFSx86
Run by Steve at 14:48:55.64 on Sun 03/01/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2557.1705 [GMT -8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\BOINC\GridRepublic.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
C:\Program Files\Stata Labs\SAproxy Pro\sa-gui.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\BOINC\boinc.exe
C:\Program Files\Stata Labs\SAproxy Pro\saproxy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Creative\MediaSource\RemoteControl\OSDMenu.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe
C:\Program Files\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Steve\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6060913
uWindow Title = Windows Internet Explorer provided by Comcast
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [LDM] "c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [H/PC Connection Agent] "c:\progra~1\mi3aa1~1\wcescomm.exe"
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\HOMERunner.exe"
uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S
uRun: [Creative Detector] "c:\program files\creative\mediasource\detector\CTDetect.exe" /R
uRun: [RemoteCenter] "c:\program files\creative\mediasource\remotecontrol\RcMan.exe"
uRun: [RegistryMechanic] "c:\program files\registry mechanic\RegMech.exe" /H
mRun: [ehTray] "c:\windows\ehome\ehtray.exe"
mRun: [NvCplDaemon] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [DMXLauncher] "c:\program files\dell\media experience\DMXLauncher.exe"
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [DLA] "c:\windows\system32\dla\DLACTRLW.EXE"
mRun: [ISUSPM Startup] "c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Logitech Hardware Abstraction Layer] "c:\windows\KHALMNPR.EXE"
mRun: [AGEIA PhysX SysTray] "c:\program files\ageia technologies\TrayIcon.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2
mRun: [<NO NAME>]
mRun: [AppleSyncNotifier] "c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe"
mRun: [nwiz] "c:\windows\system32\nwiz.exe" /install
mRun: [NvMediaCenter] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [CTHelper] "c:\windows\system32\CTHELPER.EXE"
mRun: [CTDVDDET] "c:\program files\creative\dvdaudio\CTDVDDET.EXE"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Ad-Watch] "c:\program files\lavasoft\ad-aware\AAWTray.exe"
StartupFolder: c:\docume~1\steve\startm~1\programs\startup\saprox~1.lnk - c:\program files\stata labs\saproxy pro\sa-gui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\gridre~1.lnk - c:\program files\boinc\GridRepublic.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\totalm~1.lnk - c:\program files\arcsoft\totalmedia backup & record\uBBMonitor.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: mcafee.com
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1226650142359
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.5/installer.exe
TCP: NameServer = 85.255.112.39,85.255.112.40
TCP: {0742A5CD-AF77-4B06-B2C0-F63D2974FC3B} = 85.255.112.39,85.255.112.40
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-16 64160]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 athena;athena;c:\windows\system32\drivers\athena.sys [2006-9-13 108160]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 921936]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]

=============== Created Last 30 ================

2009-02-18 00:46 4,194,332 a------- c:\windows\pfirewall.log.old
2009-02-17 20:47 20 a--sh--- C:\ArcDeviceInfo
2009-02-17 20:31 94 a------- c:\windows\MusicRip.ini
2009-02-17 20:31 11,776 a------- c:\windows\system32\drivers\afc.sys
2009-02-17 20:31 212,480 a------- c:\windows\PCDLIB32.DLL
2009-02-16 22:27 15,688 a------- c:\windows\system32\lsdelete.exe
2009-02-16 16:29 <DIR> --d----- c:\windows\SxsCaPendDel
2009-02-16 16:20 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-02-16 16:19 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-16 16:19 <DIR> --d----- c:\program files\Lavasoft
2009-02-16 11:06 <DIR> --d----- C:\Binaries
2009-02-13 23:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Citrix
2009-02-13 00:47 <DIR> --d----- c:\program files\freshplay
2009-02-11 23:58 <DIR> --d----- c:\program files\common files\ODBC
2009-02-11 23:57 <DIR> --d----- c:\windows\$SQLUninstallSQL2000-KB960082-v8.00.2055-x86-ENU$

==================== Find3M ====================

2009-02-25 18:40 187,780 a------- c:\windows\system32\FontInfo.bin
2009-02-25 18:40 59,684 a------- c:\windows\system32\GlyphInfo.bin
2009-01-16 21:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2009-01-06 00:00 249,856 -------- c:\windows\Setup1.exe
2009-01-05 23:59 73,216 a------- c:\windows\ST6UNST.EXE
2008-12-19 01:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 01:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-18 21:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2008-12-18 21:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-12-11 02:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-12-07 23:14 444,952 a------- c:\windows\system32\wrap_oal.dll
2008-12-07 23:14 109,080 a------- c:\windows\system32\OpenAL32.dll
2008-11-13 22:48 61,224 a------- c:\documents and settings\steve\GoToAssistDownloadHelper.exe
2008-09-12 17:23 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091220080913\index.dat

============= FINISH: 14:49:12.36 ===============

#5 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:08:18 AM

Posted 02 March 2009 - 08:10 PM

Hello, rchelisjm
Do you live in Bulgaria?

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#6 rchelisjm

rchelisjm
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:08:18 AM

Posted 03 March 2009 - 02:16 AM

BillyIII,

I'm not sure why the question of living in Bulgaria was asked - I reside in California...

Steve

#7 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:08:18 AM

Posted 03 March 2009 - 05:39 PM

Hello, rchelisjm

I'm not sure why the question of living in Bulgaria was asked - I reside in California...

Here's why:

TCP: NameServer = 85.255.112.39,85.255.112.40
TCP: {0742A5CD-AF77-4B06-B2C0-F63D2974FC3B} = 85.255.112.39,85.255.112.40


Look what happens when I look up those nameservers:
http://whois.domaintools.com/85.255.112.40

Bulgaria Borica Ltd


We need to create an OTListIt2 Report
  • Please download OTListIt2 from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
We need to scan for Rootkits with GMER
  • Please download GMER from one of the following mirrors:
  • Close any and all open programs, as this process may crash your computer.
  • Unzip the downloaded file to your desktop.
  • Double click Posted Image on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
    Posted Image
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.
In your next reply, please include the following:
  • OTListIt.txt
  • Extra.txt
  • GMER's Log

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#8 rchelisjm

rchelisjm
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:08:18 AM

Posted 04 March 2009 - 02:36 AM

Billy,

Thanks for the explanation - it jumps off the log file if you know what to look for! Here are the three files you requested.

We all appreciate the effort that you folks do to help us out!!

Steve

OTListIt logfile created on: 3/3/2009 11:20:21 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.3.4 Folder = C:\Documents and Settings\Steve\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.81 Gb Available Physical Memory | 90.71% Memory free
4.00 Gb Paging File | 3.80 Gb Available in Paging File | 94.89% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 293.40 Gb Total Space | 212.98 Gb Free Space | 72.59% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: STEVE_D4MXGRB1
Current User Name: Steve
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2009/01/18 13:34:37 | 00,921,936 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2008/11/07 14:28:16 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [1999/12/13 01:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTsvcCDA.exe
PRC - [2006/10/09 15:16:56 | 00,237,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\eHome\ehRecvr.exe
PRC - [2005/08/05 10:56:32 | 00,102,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\eHome\ehSched.exe
PRC - [2003/06/19 20:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
PRC - [2008/12/18 10:47:08 | 09,158,656 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
PRC - [2008/10/07 13:33:00 | 00,163,908 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2008/04/24 12:26:18 | 00,202,560 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
PRC - [2005/08/05 10:27:08 | 00,099,328 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\mcrdsvc.exe
PRC - [2004/08/10 02:00:00 | 00,016,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\unsecapp.exe
PRC - [2008/04/13 16:12:40 | 00,218,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
PRC - [2009/01/18 13:34:48 | 00,506,712 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2008/04/13 16:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2005/09/29 11:01:14 | 00,067,584 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\ehtray.exe
PRC - [2005/10/05 00:12:00 | 00,094,208 | ---- | M] () -- C:\Program Files\Dell\Media Experience\DMXLauncher.exe
PRC - [2005/09/08 02:20:00 | 00,122,940 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\DLA\DLACTRLW.EXE
PRC - [2004/07/27 13:50:18 | 00,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PRC - [2006/08/16 06:56:42 | 00,339,968 | ---- | M] () -- C:\Program Files\AGEIA Technologies\TrayIcon.exe
PRC - [2006/10/23 18:47:16 | 00,185,896 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2007/03/09 10:09:58 | 00,063,712 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
PRC - [2008/04/24 12:25:22 | 00,202,560 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
PRC - [2005/08/05 10:56:28 | 00,046,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\eHome\ehmsas.exe
PRC - [2008/11/20 13:20:54 | 00,290,088 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2008/06/27 17:24:58 | 00,019,456 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTHELPER.EXE
PRC - [2003/06/18 01:00:00 | 00,045,056 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\DVDAudio\CTDVDDET.EXE
PRC - [2007/02/25 09:39:47 | 00,067,128 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
PRC - [2005/11/15 18:44:14 | 01,200,128 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\wcescomm.exe
PRC - [2008/05/06 00:42:14 | 00,202,088 | ---- | M] (TomTom) -- C:\Program Files\TomTom HOME 2\HOMERunner.exe
PRC - [2004/12/02 18:23:34 | 00,102,400 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
PRC - [2004/08/17 15:07:44 | 00,143,360 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
PRC - [2005/11/15 18:42:22 | 00,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\rapimgr.exe
PRC - [2008/07/08 17:41:02 | 02,828,184 | ---- | M] (PC Tools) -- C:\Program Files\Registry Mechanic\RegMech.exe
PRC - [2006/08/07 16:58:02 | 01,990,656 | ---- | M] (GridRepublic) -- C:\Program Files\BOINC\GridRepublic.exe
PRC - [2005/05/10 16:32:18 | 00,135,168 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\MediaSource\RemoteControl\OSDMenu.EXE
PRC - [2005/08/04 01:42:00 | 00,528,384 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\SetPoint\SetPoint.exe
PRC - [2005/05/03 19:07:32 | 00,081,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
PRC - [2007/06/06 11:35:02 | 00,270,336 | ---- | M] (ArcSoft, Inc.) -- C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
PRC - [2004/08/17 20:48:00 | 03,190,784 | ---- | M] () -- C:\Program Files\Stata Labs\SAproxy Pro\sa-gui.exe
PRC - [2005/08/04 01:42:00 | 00,028,160 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
PRC - [2006/08/07 16:56:28 | 00,311,296 | ---- | M] (GridRepublic) -- C:\Program Files\BOINC\boinc.exe
PRC - [2004/06/14 17:28:40 | 02,281,534 | ---- | M] (Stata Labs) -- C:\Program Files\Stata Labs\SAproxy Pro\saproxy.exe
PRC - [2008/11/20 13:20:44 | 00,536,872 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/02/12 08:54:53 | 00,471,040 | ---- | M] () -- C:\Program Files\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe
PRC - [2004/08/10 02:00:00 | 00,008,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cidaemon.exe
PRC - [2004/08/10 02:00:00 | 00,008,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cidaemon.exe
PRC - [2008/04/13 16:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
PRC - [2008/12/18 21:25:25 | 00,634,024 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/02/12 08:54:53 | 00,471,040 | ---- | M] () -- C:\Program Files\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe
PRC - [2009/03/03 23:17:27 | 00,498,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Steve\Desktop\OTListIt2.exe

========== Win32 Services (SafeList) ==========

SRV - [2008/11/07 14:28:16 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2007/10/24 00:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2008/08/29 09:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [On_Demand | Stopped])
SRV - [2007/10/24 00:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [1999/12/13 01:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTsvcCDA.exe -- (Creative Service for CDROM Access [Auto | Running])
SRV - [2006/10/09 15:16:56 | 00,237,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\eHome\ehRecvr.exe -- (ehRecvr [Auto | Running])
SRV - [2005/08/05 10:56:32 | 00,102,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\eHome\ehSched.exe -- (ehSched [Auto | Running])
SRV - [2008/04/13 16:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2008/11/20 13:20:44 | 00,536,872 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Running])
SRV - [2009/01/18 13:34:37 | 00,921,936 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service [Auto | Running])
SRV - [2005/08/05 10:27:08 | 00,099,328 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\mcrdsvc.exe -- (McrdSvc [Auto | Running])
SRV - [2003/06/19 20:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM [Auto | Running])
SRV - [2004/08/10 01:11:50 | 00,085,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mhn.dll -- (MHN [On_Demand | Stopped])
SRV - [2008/12/18 10:47:08 | 09,158,656 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe -- (MSSQL$MICROSOFTSMLBIZ [Auto | Running])
SRV - [2005/05/03 19:50:28 | 00,073,728 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe -- (MSSQLServerADHelper [On_Demand | Stopped])
SRV - [2008/10/07 13:33:00 | 00,163,908 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc [Auto | Running])
SRV - [2003/07/28 09:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2004/03/18 15:55:48 | 00,065,536 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12 [On_Demand | Stopped])
SRV - [2008/04/24 12:26:18 | 00,202,560 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe -- (sprtsvc_ddoctorv2 [Auto | Running])
SRV - [2005/05/03 18:42:56 | 00,323,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE -- (SQLAgent$MICROSOFTSMLBIZ [On_Demand | Stopped])
SRV - [2006/10/18 19:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2005/02/23 14:58:56 | 00,011,776 | ---- | M] (Arcsoft, Inc.) -- C:\WINDOWS\system32\drivers\Afc.sys -- (Afc [On_Demand | Running])
DRV - [2001/08/17 10:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde [Disabled | Stopped])
DRV - [2008/04/13 10:36:39 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp [Disabled | Stopped])
DRV - [2001/08/17 10:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc [Disabled | Stopped])
DRV - [2001/08/17 10:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550 [Disabled | Stopped])
DRV - [2006/08/16 06:56:42 | 00,108,160 | ---- | M] (AGEIA Technologies, Inc.) -- C:\WINDOWS\system32\DRIVERS\athena.sys -- (athena [On_Demand | Running])
DRV - [2006/05/04 07:48:14 | 00,143,872 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\system32\DRIVERS\b57xp32.sys -- (b57w2k [On_Demand | Running])
DRV - [2001/08/17 10:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde [Disabled | Stopped])
DRV - [2008/06/27 19:21:18 | 00,099,352 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\COMMONFX.SYS -- (COMMONFX [On_Demand | Stopped])
DRV - [2008/06/27 19:21:18 | 00,099,352 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\System32\drivers\COMMONFX.SYS -- (COMMONFX.SYS [On_Demand | Running])
DRV - [2008/07/07 10:29:58 | 00,511,000 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctac32k.sys -- (ctac32k [On_Demand | Running])
DRV - [2008/07/07 10:31:10 | 00,532,376 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k [On_Demand | Running])
DRV - [2008/06/27 19:21:26 | 00,555,032 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\CTAUDFX.SYS -- (CTAUDFX [On_Demand | Stopped])
DRV - [2008/06/27 19:21:26 | 00,555,032 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\System32\drivers\CTAUDFX.SYS -- (CTAUDFX.SYS [On_Demand | Running])
DRV - [2008/07/07 10:31:44 | 00,347,080 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctdvda2k.sys -- (ctdvda2k [On_Demand | Stopped])
DRV - [2007/04/12 08:10:20 | 00,280,320 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTEDSPFX.DLL -- (CTEDSPFX.DLL [On_Demand | Stopped])
DRV - [2007/04/12 08:10:22 | 00,128,768 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTEDSPIO.DLL -- (CTEDSPIO.DLL [On_Demand | Stopped])
DRV - [2007/04/12 08:10:22 | 00,323,328 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTEDSPSY.DLL -- (CTEDSPSY.DLL [On_Demand | Stopped])
DRV - [2008/06/27 19:21:44 | 00,100,888 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\CTERFXFX.SYS -- (CTERFXFX [On_Demand | Stopped])
DRV - [2008/06/27 19:21:44 | 00,100,888 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\System32\drivers\CTERFXFX.SYS -- (CTERFXFX.SYS [On_Demand | Stopped])
DRV - [2008/07/07 10:33:40 | 00,014,360 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctprxy2k.sys -- (ctprxy2k [On_Demand | Running])
DRV - [2008/06/27 19:21:38 | 00,566,296 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\CTSBLFX.SYS -- (CTSBLFX [On_Demand | Stopped])
DRV - [2008/06/27 19:21:38 | 00,566,296 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\System32\drivers\CTSBLFX.SYS -- (CTSBLFX.SYS [On_Demand | Running])
DRV - [2008/07/07 10:34:08 | 00,157,208 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k [On_Demand | Running])
DRV - [2001/08/17 10:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k [Disabled | Stopped])
DRV - [2005/09/08 02:20:00 | 00,025,628 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\DLA\DLABOIOM.SYS -- (DLABOIOM [Auto | Running])
DRV - [2005/08/25 09:16:52 | 00,005,628 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\DLACDBHM.SYS -- (DLACDBHM [System | Running])
DRV - [2005/09/08 02:20:00 | 00,002,496 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\DLA\DLADResN.SYS -- (DLADResN [Auto | Running])
DRV - [2005/09/08 02:20:00 | 00,086,524 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\DLA\DLAIFS_M.SYS -- (DLAIFS_M [Auto | Running])
DRV - [2005/09/08 02:20:00 | 00,014,684 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\DLA\DLAOPIOM.SYS -- (DLAOPIOM [Auto | Running])
DRV - [2005/09/08 02:20:00 | 00,006,364 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\DLA\DLAPoolM.SYS -- (DLAPoolM [Auto | Running])
DRV - [2005/08/25 09:16:16 | 00,022,684 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\DLARTL_N.SYS -- (DLARTL_N [System | Running])
DRV - [2005/09/08 02:20:00 | 00,094,332 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\DLA\DLAUDFAM.SYS -- (DLAUDFAM [Auto | Running])
DRV - [2005/09/08 02:20:00 | 00,087,036 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\DLA\DLAUDF_M.SYS -- (DLAUDF_M [Auto | Running])
DRV - [2005/09/12 00:30:00 | 00,089,264 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB [Boot | Running])
DRV - [2005/08/12 02:20:00 | 00,040,544 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\DRVNDDM.SYS -- (DRVNDDM [Auto | Running])
DRV - [2001/08/17 09:12:10 | 00,117,760 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\e100b325.sys -- (E100B [On_Demand | Stopped])
DRV - [2008/07/07 10:35:46 | 00,092,696 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\emupia2k.sys -- (emupia [On_Demand | Running])
DRV - [2008/04/13 11:45:30 | 00,010,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\gameenum.sys -- (gameenum [On_Demand | Running])
DRV - [2008/04/17 12:12:54 | 00,015,464 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2008/07/07 10:36:10 | 00,797,720 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ha10kx2k.sys -- (ha10kx2k [On_Demand | Running])
DRV - [2008/07/07 10:36:36 | 00,162,840 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\hap16v2k.sys -- (hap16v2k [On_Demand | Running])
DRV - [2008/07/07 10:37:04 | 00,189,464 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\hap17v2k.sys -- (hap17v2k [On_Demand | Stopped])
DRV - [2001/08/17 14:02:32 | 00,008,576 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\hidgame.sys -- (hidgame [On_Demand | Stopped])
DRV - [2004/03/22 04:35:48 | 00,051,088 | ---- | M] (HP) -- C:\WINDOWS\system32\DRIVERS\HPZid412.sys -- (HPZid412 [On_Demand | Running])
DRV - [2004/03/22 04:35:52 | 00,016,496 | ---- | M] (HP) -- C:\WINDOWS\system32\DRIVERS\HPZipr12.sys -- (HPZipr12 [On_Demand | Running])
DRV - [2004/03/22 04:35:58 | 00,021,744 | ---- | M] (HP) -- C:\WINDOWS\system32\DRIVERS\HPZius12.sys -- (HPZius12 [On_Demand | Running])
DRV - [2005/07/22 22:40:58 | 00,013,440 | ---- | M] (Logitech, Inc.) -- C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys -- (L8042Kbd [On_Demand | Stopped])
DRV - [2009/01/18 13:30:13 | 00,064,160 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd [Boot | Running])
DRV - [2005/07/22 22:41:46 | 00,026,112 | ---- | M] (Logitech, Inc.) -- C:\WINDOWS\system32\DRIVERS\LHidKE.Sys -- (LHidKe [On_Demand | Running])
DRV - [2005/07/22 22:41:42 | 00,068,864 | ---- | M] (Logitech, Inc.) -- C:\WINDOWS\system32\DRIVERS\LMouKE.Sys -- (LMouKE [On_Demand | Running])
DRV - [2001/08/17 10:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x [Disabled | Stopped])
DRV - [2008/10/07 13:33:00 | 06,133,856 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Running])
DRV - [2006/08/15 07:44:32 | 00,105,344 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nvatabus.sys -- (nvatabus [Boot | Running])
DRV - [2006/08/15 07:44:32 | 00,089,344 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nvraid.sys -- (nvraid [Boot | Running])
DRV - [2008/07/07 10:33:16 | 00,127,512 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv [On_Demand | Running])
DRV - [2004/08/10 02:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2005/01/25 23:03:00 | 00,020,576 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2001/08/17 10:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080 [Disabled | Stopped])
DRV - [2001/08/17 10:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160 [Disabled | Stopped])
DRV - [2001/08/17 10:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280 [Disabled | Stopped])
DRV - [2007/11/13 02:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys -- (Secdrv [Auto | Running])
DRV - [2008/04/13 10:36:39 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp [Disabled | Stopped])
DRV - [2001/08/17 11:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow [Disabled | Stopped])
DRV - [2001/08/17 11:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810 [Disabled | Stopped])
DRV - [2001/08/17 11:07:36 | 00,032,640 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx [Disabled | Stopped])
DRV - [2001/08/17 11:07:40 | 00,028,384 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi [Disabled | Stopped])
DRV - [2001/08/17 11:07:42 | 00,030,688 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3 [Disabled | Stopped])
DRV - [2001/08/17 10:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra [Disabled | Stopped])
DRV - [2005/06/14 17:13:14 | 00,104,576 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\wceusbsh.sys -- (wceusbsh [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6060913
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6060913


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6060913
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6060913
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3933747565-3057544991-2247025310-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6060913
IE - HKU\S-1-5-21-3933747565-3057544991-2247025310-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-3933747565-3057544991-2247025310-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-3933747565-3057544991-2247025310-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-3933747565-3057544991-2247025310-1006\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchcust.htm
IE - HKU\S-1-5-21-3933747565-3057544991-2247025310-1006\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
IE - HKU\S-1-5-21-3933747565-3057544991-2247025310-1006\S-1-5-21-3933747565-3057544991-2247025310-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3933747565-3057544991-2247025310-1006\S-1-5-21-3933747565-3057544991-2247025310-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-21-3933747565-3057544991-2247025310-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6060913
IE - HKU\S-1-5-21-3933747565-3057544991-2247025310-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-3933747565-3057544991-2247025310-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/hws/sb/dell-usuk/en/...html?channel=us
IE - HKU\S-1-5-21-3933747565-3057544991-2247025310-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6060913
IE - HKU\S-1-5-21-3933747565-3057544991-2247025310-1007\S-1-5-21-3933747565-3057544991-2247025310-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-3933747565-3057544991-2247025310-500\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6060913
IE - HKU\S-1-5-21-3933747565-3057544991-2247025310-500\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
IE - HKU\S-1-5-21-3933747565-3057544991-2247025310-500\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-3933747565-3057544991-2247025310-500\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/hws/sb/dell-usuk/en/...html?channel=us
IE - HKU\S-1-5-21-3933747565-3057544991-2247025310-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6060913
IE - HKU\S-1-5-21-3933747565-3057544991-2247025310-500\S-1-5-21-3933747565-3057544991-2247025310-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL (Sonic Solutions)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (Dell Inc.)
O3 - HKU\S-1-5-21-3933747565-3057544991-2247025310-1006\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - Reg Error: Key error. File not found
O3 - HKU\S-1-5-21-3933747565-3057544991-2247025310-1007\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - Reg Error: Key error. File not found
O3 - HKU\S-1-5-21-3933747565-3057544991-2247025310-500\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - Reg Error: Key error. File not found
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Ad-Watch] "C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe" (Lavasoft)
O4 - HKLM..\Run: [AGEIA PhysX SysTray] "C:\Program Files\AGEIA Technologies\TrayIcon.exe" ()
O4 - HKLM..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" (Apple Inc.)
O4 - HKLM..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll" File not found
O4 - HKLM..\Run: [CTDVDDET] "C:\Program Files\Creative\DVDAudio\CTDVDDET.EXE" (Creative Technology Ltd)
O4 - HKLM..\Run: [CTHelper] "C:\WINDOWS\system32\CTHELPER.EXE" (Creative Technology Ltd)
O4 - HKLM..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2 (SupportSoft, Inc.)
O4 - HKLM..\Run: [DLA] "C:\WINDOWS\System32\DLA\DLACTRLW.EXE" (Sonic Solutions)
O4 - HKLM..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe" ()
O4 - HKLM..\Run: [ehTray] "C:\WINDOWS\ehome\ehtray.exe" (Microsoft Corporation)
O4 - HKLM..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start (InstallShield Software Corporation)
O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" (Apple Inc.)
O4 - HKLM..\Run: [Logitech Hardware Abstraction Layer] "C:\WINDOWS\KHALMNPR.EXE" (Logitech Inc.)
O4 - HKLM..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] "C:\WINDOWS\system32\nwiz.exe" /install ()
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (RealNetworks, Inc.)
O4 - HKU\S-1-5-21-3933747565-3057544991-2247025310-1006..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R (Creative Technology Ltd)
O4 - HKU\S-1-5-21-3933747565-3057544991-2247025310-1006..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe" (Microsoft Corporation)
O4 - HKU\S-1-5-21-3933747565-3057544991-2247025310-1006..\Run: [LDM] "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" (Logitech Inc.)
O4 - HKU\S-1-5-21-3933747565-3057544991-2247025310-1006..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (Microsoft Corporation)
O4 - HKU\S-1-5-21-3933747565-3057544991-2247025310-1006..\Run: [RegistryMechanic] "C:\Program Files\Registry Mechanic\RegMech.exe" /H (PC Tools)
O4 - HKU\S-1-5-21-3933747565-3057544991-2247025310-1006..\Run: [RemoteCenter] "C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe" (Creative Technology Ltd)
O4 - HKU\S-1-5-21-3933747565-3057544991-2247025310-1006..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe" (TomTom)
O4 - HKU\S-1-5-21-3933747565-3057544991-2247025310-1006..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S File not found
O4 - HKU\S-1-5-21-3933747565-3057544991-2247025310-1007..\Run: [LDM] "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" (Logitech Inc.)
O4 - HKU\S-1-5-21-3933747565-3057544991-2247025310-1007..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GridRepublic Desktop.lnk = C:\Program Files\BOINC\GridRepublic.exe (GridRepublic)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe (Logitech Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TotalMedia Backup Monitor.lnk = C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe (ArcSoft, Inc.)
O4 - Startup: C:\Documents and Settings\Steve\Start Menu\Programs\Startup\SAproxy Pro.lnk = C:\Program Files\Stata Labs\SAproxy Pro\sa-gui.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3933747565-3057544991-2247025310-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3933747565-3057544991-2247025310-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3933747565-3057544991-2247025310-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-3933747565-3057544991-2247025310-1006\..Trusted Sites: mcafee.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-3933747565-3057544991-2247025310-1006\..Trusted Sites: mcafee.com ([]https in Trusted sites)
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} https://support.microsoft.com/OAS/ActiveX/MSDcode.cab (Microsoft Data Collection Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/8/b...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab (System Requirements Lab Class)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (Reg Error: Key error.)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1226650142359 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe (Virtools WebPlayer Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Interfaces\{0742A5CD-AF77-4B06-B2C0-F63D2974FC3B}\\NameServer = 85.255.112.39,85.255.112.40
O18 - Protocol\Handler\bwfile-8876480 {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll (Logitech Inc.)
O18 - Protocol\Handler\ipp Reg Error: Value error. - Reg Error: Key error. File not found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp Reg Error: Value error. - Reg Error: Key error. File not found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/16 01:43:04 | 00,000,000 | -HS- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun\command - "" = E:\setup.exe -- File not found
O33 - MountPoints2\{5da5ba86-6ae0-11dd-82da-00188b151d74}\Shell\AutoRun\command - "" = J:\InstallTomTomHOME.exe -- File not found
O33 - MountPoints2\{fc807927-2819-11dc-829b-00188b151d74}\Shell\AutoRun\command - "" = J:\InstallTomTomHOME.exe -- File not found

========== Files/Folders - Created Within 30 Days ==========

[2 C:\WINDOWS\*.tmp files]
[2009/03/03 23:18:15 | 00,747,873 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\gmer.zip
[2009/03/03 23:17:26 | 00,498,176 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Steve\Desktop\OTListIt2.exe
[2009/03/01 14:53:29 | 00,004,133 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\Attach.zip
[2009/03/01 14:42:22 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Steve\My Documents\PC debug
[2009/02/19 01:38:33 | 00,024,576 | ---- | C] () -- C:\Documents and Settings\Steve\My Documents\The Attorney General has proved himself unworthy of the honor he received by being appoint to the position as Attorney General of the United States.doc
[2009/02/17 20:47:48 | 00,000,020 | -HS- | C] () -- C:\ArcDeviceInfo
[2009/02/17 20:31:43 | 00,000,094 | ---- | C] () -- C:\WINDOWS\MusicRip.ini
[2009/02/17 20:31:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Steve\Application Data\ArcSoft
[2009/02/17 20:31:04 | 00,011,776 | ---- | C] (Arcsoft, Inc.) -- C:\WINDOWS\System32\drivers\afc.sys
[2009/02/17 20:31:04 | 00,001,748 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TotalMedia Backup Monitor.lnk
[2009/02/17 20:31:04 | 00,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\TotalMedia Backup & Record.lnk
[2009/02/17 20:31:00 | 00,212,480 | ---- | C] (Eastman Kodak) -- C:\WINDOWS\PCDLIB32.DLL
[2009/02/17 20:31:00 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\ArcSoft
[2009/02/17 20:30:59 | 00,000,000 | ---D | C] -- C:\Program Files\ArcSoft
[2009/02/16 22:27:17 | 00,015,688 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2009/02/16 16:29:18 | 00,000,000 | ---D | C] -- C:\WINDOWS\SxsCaPendDel
[2009/02/16 16:27:52 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/02/16 16:21:25 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/02/16 16:20:49 | 00,064,160 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2009/02/16 16:19:55 | 00,000,867 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2009/02/16 16:19:55 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
[2009/02/16 16:19:52 | 00,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2009/02/16 16:19:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2009/02/16 15:51:35 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/02/16 15:51:23 | 00,024,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\STKIT432.DLL
[2009/02/16 15:51:23 | 00,000,738 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Registry Mechanic.lnk
[2009/02/16 15:51:22 | 00,000,000 | ---D | C] -- C:\Program Files\Registry Mechanic
[2009/02/16 11:06:07 | 00,000,000 | ---D | C] -- C:\Binaries
[2009/02/15 23:14:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Steve\My Documents\2009 political letters
[2009/02/14 00:30:12 | 26,817,69984 | -HS- | C] () -- C:\hiberfil.sys
[2009/02/13 23:15:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Citrix
[2009/02/13 00:47:32 | 00,000,000 | ---D | C] -- C:\Program Files\freshplay
[2009/02/13 00:44:19 | 00,024,576 | ---- | C] () -- C:\Documents and Settings\Steve\My Documents\I.doc
[2009/02/11 23:58:06 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\ODBC
[2009/02/11 23:57:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\$SQLUninstallSQL2000-KB960082-v8.00.2055-x86-ENU$
[2009/02/07 15:00:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Steve\My Documents\2008 taxes

========== Files - Modified Within 30 Days ==========

[11 C:\WINDOWS\System32\*.tmp files]
[2 C:\WINDOWS\*.tmp files]
[2009/03/03 23:18:18 | 00,747,873 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\gmer.zip
[2009/03/03 23:17:27 | 00,498,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Steve\Desktop\OTListIt2.exe
[2009/03/03 19:10:04 | 04,958,588 | ---- | M] () -- C:\WINDOWS\{00000004-00000000-00000005-00001102-00000004-20011102}.CDF
[2009/03/03 19:09:54 | 00,196,152 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/03/03 19:09:52 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/03/03 19:08:28 | 00,187,780 | ---- | M] () -- C:\WINDOWS\System32\FontInfo.bin
[2009/03/03 19:08:28 | 00,059,684 | ---- | M] () -- C:\WINDOWS\System32\GlyphInfo.bin
[2009/03/03 19:08:14 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/03/03 19:08:12 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/03/03 19:08:10 | 26,817,69984 | -HS- | M] () -- C:\hiberfil.sys
[2009/03/03 10:00:15 | 00,032,592 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000004-00000000-00000005-00001102-00000004-20011102}.rfx
[2009/03/03 10:00:15 | 00,032,592 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000004-00000000-00000005-00001102-00000004-20011102}.rfx
[2009/03/03 10:00:15 | 00,031,608 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000004-00000000-00000005-00001102-00000004-20011102}.rfx
[2009/03/03 10:00:15 | 00,031,608 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000004-00000000-00000005-00001102-00000004-20011102}.rfx
[2009/03/03 10:00:15 | 00,011,564 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000004-00000000-00000005-00001102-00000004-20011102}.rfx
[2009/03/03 10:00:04 | 04,958,588 | ---- | M] () -- C:\WINDOWS\{00000004-00000000-00000005-00001102-00000004-20011102}.BAK
[2009/03/01 23:16:33 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/03/01 14:53:29 | 00,004,133 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\Attach.zip
[2009/02/25 23:08:01 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/02/24 23:50:08 | 00,002,187 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Safari.lnk
[2009/02/23 16:20:00 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/02/19 01:38:34 | 00,024,576 | ---- | M] () -- C:\Documents and Settings\Steve\My Documents\The Attorney General has proved himself unworthy of the honor he received by being appoint to the position as Attorney General of the United States.doc
[2009/02/17 20:47:48 | 00,000,020 | -HS- | M] () -- C:\ArcDeviceInfo
[2009/02/17 20:31:43 | 00,000,094 | ---- | M] () -- C:\WINDOWS\MusicRip.ini
[2009/02/17 20:31:04 | 00,001,748 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TotalMedia Backup Monitor.lnk
[2009/02/17 20:31:04 | 00,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\TotalMedia Backup & Record.lnk
[2009/02/16 23:26:31 | 00,000,734 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\HOSTS
[2009/02/16 17:15:26 | 00,262,232 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/02/16 16:19:55 | 00,000,867 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2009/02/16 15:52:38 | 00,510,270 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/02/16 15:52:38 | 00,428,404 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/02/16 15:52:38 | 00,072,796 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/02/16 15:51:23 | 00,000,738 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Registry Mechanic.lnk
[2009/02/16 11:06:25 | 00,000,847 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/02/13 00:44:19 | 00,024,576 | ---- | M] () -- C:\Documents and Settings\Steve\My Documents\I.doc
[2009/02/11 23:58:10 | 00,000,063 | ---- | M] () -- C:\WINDOWS\vbaddin.ini
[2009/02/11 23:56:49 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/02/03 15:21:12 | 21,244,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe

========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Steve\My Documents\QBW32.EXE:SummaryInformation
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 0 bytes -> C:\Documents and Settings\Steve\My Documents\Thumbs.db:encryptable
@Alternate Data Stream - 0 bytes -> C:\Documents and Settings\Steve\My Documents\QBW32.EXE:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
< End of report >


OTListIt Extras logfile created on: 3/3/2009 11:20:21 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.3.4 Folder = C:\Documents and Settings\Steve\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.81 Gb Available Physical Memory | 90.71% Memory free
4.00 Gb Paging File | 3.80 Gb Available in Paging File | 94.89% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 293.40 Gb Total Space | 212.98 Gb Free Space | 72.59% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: STEVE_D4MXGRB1
Current User Name: Steve
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008/04/13 10:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2007/02/25 09:39:47 | 00,067,128 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger
[2005/11/15 18:42:22 | 00,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
[2005/11/15 18:44:14 | 01,200,128 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
[2005/11/15 18:43:04 | 01,970,176 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2008/12/18 21:25:25 | 00,634,024 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer
[2008/11/20 13:20:48 | 14,294,824 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes
[2005/11/15 18:43:04 | 01,970,176 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Disabled:ActiveSync Application
[2005/11/15 18:44:14 | 01,200,128 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Disabled:ActiveSync Connection Manager
[2005/11/15 18:42:22 | 00,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Disabled:ActiveSync RAPI Manager
[2008/08/29 09:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe:*:Disabled:Bonjour
[2007/02/25 09:39:47 | 00,067,128 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:*:Disabled:Logitech Desktop Messenger
[2008/04/13 16:12:17 | 00,017,920 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dpnsvr.exe:*:Disabled:Microsoft DirectPlay8 Server
[2008/04/13 16:12:18 | 01,298,432 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dxdiag.exe:*:Disabled:Microsoft DirectX Diagnostic Tool
[2008/04/13 10:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Network Diagnostic\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000
[2008/04/13 16:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe:*:Disabled:Windows Messenger

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{075473F5-846A-448B-BCB3-104AA1760205}" = Roxio RecordNow Data
"{07F10264-2F75-45F5-B584-DA94A6EE5335}" = PhoenixCreator 1.01.b [beta] update
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Roxio DLA
"{123E3792-565C-4DC8-A68A-BBB12C41B390}" = MapSource - MetroGuide USA v5
"{14D7BE12-B66C-4510-8FC0-4DD306625C0C}" = PhoenixRC
"{1F63ED0B-EDD2-4037-B6AB-1358C624AF48}" = Scan
"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Roxio MyDVD LE
"{26E1BFB0-E87E-4696-9F89-B467F01F81E5}" = Broadcom Advanced Control Suite
"{28FB74E9-7D5D-4E21-B57E-CEFBE76AC24C}" = LEADTOOLS ePrint 5 Professional
"{2C7D6B7D-1314-4FA7-97BF-62B978728110}" = AGEIA PhysX Engines
"{2E0C1913-886B-4C5C-8DAF-D1E649CE5FCC}" = Creative MediaSource
"{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3}" = Logitech SetPoint
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{318AB667-3230-41B5-A617-CB3BF748D371}" = iTunes
"{32343DB6-9A52-40C9-87E4-5E7C79791C87}" = MSXML 4.0 SP2 and SOAP Toolkit 3.0
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{34F85A4D-03CC-428A-80A4-880228646518}" = Safari
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3B46E867-97B7-471C-BA0D-F46183CC9729}" = GridRepublic
"{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}" = URL Assistant
"{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54}" = Dell CinePlayer
"{4687559F-D4FF-4968-9E31-77278AE46638}" = AirMagnet
"{46C73DE4-E96D-4F7C-8371-F28052183B12}" = Sonic Advanced Decoder
"{52D97366-9779-43AB-98A2-91600DCD9102}" = Enterprise
"{584267B8-0BB0-4D18-9FFA-726576619E9A}" = Doom 3
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}" = Sonic Activation Module
"{5E3CFCA6-C95A-47CB-A822-7FA80D423AF2}" = MapSource
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D5FCA42-1486-4E32-AFE8-1B7E2AA59D33}" = Digital Content Portal
"{6DA9102E-199F-43A0-A36B-6EF48081A658}" = MobileMe Control Panel
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{8795CBED-55E2-4693-9F14-84EC446935BE}" = SpeechRedist
"{895F0E11-E2AD-4E57-B667-1C18B2FD194E}" = SAproxy Pro
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}" = Bonjour
"{8DC42D05-680B-41B0-8878-6C14D24602DB}" = QuickTime
"{8E34369A-99A4-4973-99D4-E6AB8F7737C0}" = PhoenixCreator
"{900A92BA-19EF-4A34-86CF-7B6C85BDD971}" = VC_MergeModuleToMSI
"{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}" = Logitech Desktop Messenger
"{91510409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Visio Professional 2003
"{91CA0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Small Business Edition 2003
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{9A346205-EA92-4406-B1AB-50379DA3F057}" = Autodesk DWF Viewer 7
"{A4EA3AB4-E78C-4286-96DF-26035507CE55}" = AiO_Scan
"{A654A805-41D9-40C7-AA46-4AF04F044D61}" = Adobe® Photoshop® Album Starter Edition 3.2
"{A683A2C0-821C-486F-858C-FA634DB5E864}" = EducateU
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Roxio RecordNow Audio
"{AC1314E7-D28C-40A1-B322-80D2868D35CE}" = HP PSC & Officejet 4.2 Corporate Edition
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.3
"{B0DF58A2-40DF-4465-AA56-38623EC9938C}" = Documentation & Support Launcher
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Roxio RecordNow Copy
"{B208806F-A231-4FA0-AB3F-5C1B8979223E}" = Microsoft ActiveSync 4.0
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{BA68600E-96D9-4E92-80F2-26B9681B5A63}" = Microsoft Office Outlook 2003 with Business Contact Manager Update
"{BEEFC4F8-2909-48B3-AFAA-55D3533FDEDD}" = Creative MediaSource 5
"{BF0B0922-5992-489F-97EF-0E4A83F18ACA}" = PhoenixCreator
"{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}" = HP Product Detection
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{D2988E9B-C73F-422C-AD4B-A66EBE257120}" = MCU
"{D37C6152-89DF-4D29-83CF-666200D5F398}" = iPAQ WebReg
"{D87149B3-7A1D-4548-9CBF-032B791E5908}" = Desktop Doctor
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E09B48B5-E141-427A-AB0C-D3605127224A}" = Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ)
"{E42BD75A-FC23-4E3F-9F91-2658334C644F}" = Internet Service Offers Launcher
"{E744BFEA-E027-441E-83A2-36202F661E31}" = Light-O-Rama
"{EC4455AB-F155-4CC1-A4C5-88F3777F9886}" = Apple Mobile Device Support
"{EEFB15EB-FE8B-47DF-A496-1C4D1420294A}" = Doom 3
"{EF6F70D0-C242-4047-946B-98EA8208481A}" = ArcSoft TotalMedia Backup & Record
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F3B76517-C1BC-40A7-814C-4C0A87E7D9DF}" = Garmin MapSource
"12133444-BF36-4d4e-B7FB-A3424C645DE4" = GemMaster Mystic
"Ad-Aware" = Ad-Aware
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11
"Adobe® Photoshop® Album Starter Edition 3.2" = Adobe® Photoshop® Album Starter Edition 3.2
"AGEIA PhysX v2.5.1" = AGEIA PhysX v2.5.1
"AudioConSole" = Creative Audio Console
"B3EE3001-DC24-4cd1-8743-5692C716659F" = Otto
"Creative MediaSource DVD-Audio Player" = Creative MediaSource DVD-Audio Player
"DTS Console" = DTS Neo:6 Settings
"EmeraldQFE2" = Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
"ESPNMotion" = ESPNMotion
"FMS" = FMS
"Free Internet TV_is1" = Free Internet TV v7.0
"freshplay" = freshplay
"GTRemote Client" = DellConnect
"Hangar_of_Doom" = Hangar_of_Doom_PhysX
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{123E3792-565C-4DC8-A68A-BBB12C41B390}" = MapSource - MetroGuide USA v5
"InstallShield_{EEFB15EB-FE8B-47DF-A496-1C4D1420294A}" = Doom 3
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"RealPlayer 6.0" = RealPlayer
"Registry Mechanic_is1" = Registry Mechanic 8.0
"SearchAssist" = SearchAssist
"Sound Blaster for Media Center" = Sound Blaster for Media Center
"ST6UNST #1" = Light-O-Rama Demo
"ST6UNST #2" = Light-O-Rama
"SystemRequirementsLab" = System Requirements Lab
"TomTom HOME" = TomTom HOME
"UT2004" = Unreal Tournament 2004
"voxware_is1" = Voxware Audio decoder 1.6
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WLAN network adaptor_WINCE400" = IEEE 802.11b WLAN network adaptor for Windows CE 4.00
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"World of Warcraft" = World of Warcraft
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Xfire" = Xfire (remove only)
"XnView_is1" = XnView 1.94.2

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/27/2009 3:43:17 AM | Computer Name = STEVE_D4MXGRB1 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/27/2009 3:43:17 AM | Computer Name = STEVE_D4MXGRB1 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/27/2009 3:46:21 AM | Computer Name = STEVE_D4MXGRB1 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/27/2009 3:46:21 AM | Computer Name = STEVE_D4MXGRB1 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/27/2009 3:46:31 AM | Computer Name = STEVE_D4MXGRB1 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/27/2009 3:46:31 AM | Computer Name = STEVE_D4MXGRB1 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/27/2009 3:46:31 AM | Computer Name = STEVE_D4MXGRB1 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/27/2009 3:46:31 AM | Computer Name = STEVE_D4MXGRB1 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/28/2009 3:21:14 AM | Computer Name = STEVE_D4MXGRB1 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16791, faulting
module ieframe.dll, version 7.0.6000.16791, fault address 0x000c5125.

Error - 2/28/2009 3:21:52 AM | Computer Name = STEVE_D4MXGRB1 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16791, faulting
module ieframe.dll, version 7.0.6000.16791, fault address 0x000c5125.

[ System Events ]
Error - 2/20/2009 3:50:22 AM | Computer Name = STEVE_D4MXGRB1 | Source = DCOM | ID = 10010
Description = The server {0002DF01-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 2/20/2009 3:50:59 AM | Computer Name = STEVE_D4MXGRB1 | Source = DCOM | ID = 10010
Description = The server {0002DF01-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 2/20/2009 3:51:55 AM | Computer Name = STEVE_D4MXGRB1 | Source = DCOM | ID = 10010
Description = The server {0002DF01-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 2/21/2009 2:13:14 AM | Computer Name = STEVE_D4MXGRB1 | Source = DCOM | ID = 10010
Description = The server {0002DF01-0000-0000-C000-000000000046} did not register
with DCOM within the required timeout.

Error - 2/22/2009 12:03:50 AM | Computer Name = STEVE_D4MXGRB1 | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 2/24/2009 12:03:52 AM | Computer Name = STEVE_D4MXGRB1 | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 2/26/2009 12:03:53 AM | Computer Name = STEVE_D4MXGRB1 | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 2/28/2009 12:03:54 AM | Computer Name = STEVE_D4MXGRB1 | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 3/2/2009 12:03:55 AM | Computer Name = STEVE_D4MXGRB1 | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 3/4/2009 12:03:56 AM | Computer Name = STEVE_D4MXGRB1 | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.


< End of report >


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-03-03 23:28:47
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xBA0F887E] <-- ROOTKIT !!!
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xBA0F8C10] <-- ROOTKIT !!!

Code 8A893EB8 ZwEnumerateKey
Code 8A8949C0 ZwFlushInstructionCache
Code 8A895EB8 ZwQueryValueKey
Code 8A90C7D6 IofCallDriver
Code 8A45CE5E IofCompleteRequest

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 8A90C7DB
.text ntkrnlpa.exe!IofCompleteRequest 804EF236 5 Bytes JMP 8A45CE63
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B6812 5 Bytes JMP 8A8949C4
PAGE ntkrnlpa.exe!ZwQueryValueKey 806219CA 5 Bytes JMP 8A895EBC
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FD2 4 Bytes JMP 8A893EBC

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[2676] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 42F0F341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2676] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 430A187F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2676] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 430A1800 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2676] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 430A1844 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2676] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 430A178C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2676] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 430A17C6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2676] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 430A18BA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2676] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 42F316F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2676] WININET.dll!HttpSendRequestA 7806CD40 5 Bytes JMP 0017F9D7
.text C:\Program Files\Internet Explorer\iexplore.exe[2676] WININET.dll!HttpSendRequestW 78080825 5 Bytes JMP 0017FA14

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\Program Files\Registry Mechanic\RegMech.exe[3164] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegQueryValueA] 013CBCA0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3164] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegCreateKeyExW] 013CBC50
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3164] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] 013C7EA0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3164] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] 013C9100
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3164] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CloseHandle] 013CAA10
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3164] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FreeLibrary] 013C9370
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3164] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] 013C9180
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3164] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileW] 013CA010
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3164] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalUnlock] 013CB950
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3164] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalLock] 013CB990
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3164] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcessHeap] 013CBD30
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3164] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FindFirstFileW] 013CB810
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3164] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!DuplicateHandle] 013CA970
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3164] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] 013C9930
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3164] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 013C92E0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3164] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetEnvironmentStringsW] 013C9660
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3164] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!IsDebuggerPresent] 013CC2B0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3164] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!ReadFile] 013CA360
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3164] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetFilePointer] 013CA7D0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3164] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!MapViewOfFileEx] 013CAE90
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3164] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileMappingW] 013CAC20
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3164] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!MapViewOfFile] 013CAE10
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3164] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!OpenFileMappingW] 013CB2F0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3164] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!UnmapViewOfFile] 013CB000
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3164] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] 013C9250
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3164] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!TerminateProcess] 013C97E0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3164] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalAlloc] 013CBA70
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3164] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FlushViewOfFile] 013CAD60
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3164] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileSize] 013CA910
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3164] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!WriteFile] 013CA790
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3164] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileType] 013CAB20
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3164] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetACP] 013CBD50
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3164] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileMappingA] 013CAB60
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3164] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadIconW] 013CBFF0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3164] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadCursorW] 013CBF90
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3164] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CreateDialogParamW] 013CC1E0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3164] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!DialogBoxParamW] 013CC280
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3164] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadStringW] 013CC0B0

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

Device \FileSystem\Fastfat \Fat AFF3FD20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Modules - GMER 1.0.14 ----

Module \systemroot\system32\drivers\gaopdxnwyayepp.sys (*** hidden *** ) B2A08000-B2A32000 (172032 bytes)

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\system32\drivers\gaopdxnwyayepp.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxnwyayepp.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@userdata -1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxnwyayepp.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxvusddjct.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxnwyayepp.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@userdata -1
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxnwyayepp.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxvusddjct.dll

---- EOF - GMER 1.0.14 ----

#9 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:08:18 AM

Posted 05 March 2009 - 12:10 AM

Hello, rchelisjm
Your System is Infected with a Backdoor!!
Backdoors cause severe damage to windows' internals, and allow an attacker complete control over the infected system. Because this state allows the attacker to download new malware on demand, log keystrokes, execute programs, and/or view the system's screen, it is recommended to reformat and reinstall the operating system on this machine. Several experts in the security community believe that once a system is infected with one of these types of backdoors, the system itself can never be trusted again.

I ask that you disconnect this system from the internet NOW!. While it is attached to the internet, the attacker can modify the system, and prevent fixes from working as intended.

Another danger of this type of infection is that of Identity Theft. Because such malware can read all of your passwords, bank account numbers, etc. from your keystrokes, I would recomend contacting banking institutions accessed from this machine to ensure your accounts are secure. Most banks will not charge to send you new credit/debit cards, and getting these numbers replaced would be a good idea. It would also be a good idea to change passwords for anything you commonly use online. Online stores, Facebook/Myspace, Email, etc. If it has been on that machine it may have been read by someone else. Don't do it from this machine, as it is now compromised. Do it from another known clean machine. A good place to do this is at your local public library.

I would strongly recomend format and reinstallation of this machine. For more information, you may wish to read one of these excellent articles:Please let me know if you wish to continue to clean this machine or if you wish to format.

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#10 rchelisjm

rchelisjm
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:08:18 AM

Posted 05 March 2009 - 03:46 AM

Billy,

I expected bad news - but not that bad! I read the links you provided, and agree that I should plan to reformat and start over at some point. The computer is off the net at this point (once infected it was only turned on to do email and bleepingcomputer - then turned off).

I would like to go ahead and do a cleanup on the machine, and treat it as untrusted until I have a chance to make sure I can do the reformat and have all of the disks and license keys to reinstall all of my app's :thumbup2:

I used to have zonealarm and spysweeper as my primary firewall and anti-malware products - and never had a problem. I installed a security suite from my service provider to save some dollars - the first thing their tech support had me do when I thought I was hacked - was to un-install their product (firewall, anti-virus, anti-spyware), it was down hill from there....

Once we clean the machine, is there a recommended group of products that will provide the best protection?

Thanks
Steve

#11 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:08:18 AM

Posted 06 March 2009 - 05:44 PM

Hello, rchelisjm
Sure.. I generally recommend the following for a newly installed system:

Set Up Security
Before copying your data back over from your backups to your shiny new Windows installation, you need to ensure the system is protected. It is very possible -- and in fact likely -- that some leftovers from the malware are "hiding" inside your backups. Once protection is operational however, you can be reasonably safe in restoring your data back to the machine.

Note that these are recommended security practices. Several opinions exist on what exactly best protects a system. Rather than set in stone instructions, the following are general guidelines which will do a good job of protecting the system.

Update the System
This step is very important. Several Anti Virus utilities require an updated copy of Windows in order to install correctly. In addition, an unpatched system leaves you vulnerable to infiltration. The best Anti Virus program in the world can't protect you if your Windows installation is holey as Swiss cheese.

If you are using Windows XP
Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install.

If you are using Windows Vista
  • Click the "Start Menu" (or Windows Orb)
  • Click "All Programs"
  • Click "Windows Update"
  • On the left, choose "Change Settings"
  • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
  • Press OK and accept the UAC prompt.
    Note: You shouldn't need to check this checkbox every single time you update, only the first time.
  • Click "Check for Updates" in the upper left corner.
  • Follow the instructions to install the latest updates.
  • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
Install an Anti Virus Application
New malware and viruses emerge every hour of every day. It'd sure be a shame for one to pour all that effort into setting up a fresh machine, only to have it riddled with malware once again after a short period. Generally, these applications are simple to install. Choose ONE anti-virus program. Using more than one AntiVirus at once can cause system problems, including freezing or hanging, instability, and Blue Screens of Death. Having more than one installed can also be less effective than one product, as the two AntiViruses interfere with each other. Finally, using more than one product can severely hamper the performance of your PC.

To use, download, run, and follow the onscreen instructions.

Some free AntiVirus programs for non commercial home use are (alphabetical order):Some commercial AntiVirus programs are (alphabetical order):Install an Anti Spyware Application
Anti-Spyware applications supplement the removal capacity of your anti-virus, generally don't run in the background or affect the running system, and run as standalone scanners. Therefore, these applications are safe to use alongside your AntiVirus. I don't recommend using more than one, but using more than one *shouldn't* cause serious problems.

While there are several of these, I would recommend either Malwarebytes' Anti-Malware or SUPERAnti-Spyware.

Install Spyware Blaster
Spyware Blaster provides a type of passive protection. Unlike the Anti-Malware applications, Spyware Blaster operates by setting "killbits" -- settings that are designed to deny known malware websites access to your system. It's a very useful layer of defense. However, because it simply modifies settings, it does not run in the background, or use system resources during everyday use. It doesn't scan or clean, but it helps to prevent infection from entering your machine in the first place.

Install the MVPs HOSTS File
The HOSTS file is a settings file located inside of Windows which allows redirection of a web address to a different IP address. In English: it allows us to block certain websites. Modifying the hosts file to block known malicious sites is another layer of protection that requires no resident running in the background. In addition, the HOSTS file can be used to block advertisements and data mining tools. For instructions on installing the HOSTS file, as well as why you should install one, see the MVPs Hosts File Homepage.

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#12 rchelisjm

rchelisjm
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:08:18 AM

Posted 06 March 2009 - 09:29 PM

Billy,

I need to clean the machine so I can use it while getting prepared for a reformat if needed after the cleanup.

Once it's cleaned I'll get all of the anti-malware/spyware/virus and firewall installed.

Steve

#13 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:08:18 AM

Posted 08 March 2009 - 02:58 PM

Hello, rchelisjm
Okie Dokie

We Need to Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

If this tool helped you, please consider a donation to it's author: Posted Image

How to run ComboFix:
  • Please download ComboFix from one of the following mirrors, and save it to your desktop.
  • Disable any running Anti-Virus or Anti-Malware programs. This includes Firewalls, Anti-Virus, Spyware Scanners, etc. Any or all of them may interfere with the running of ComboFix.
  • Double click Posted Image on your desktop.
  • Read and accept (Press Yes) to the disclaimer.
  • For Windows XP Systems: Install the Recovery Console:
    • If you are using Windows XP and do not already have the Recovery Console installed, please ensure your internet connection is active (if possible), and press Yes. If for some reason your internet is not working, please press No. If you are not using Windows XP, you will not be prompted.
    • When prompted to accept the EULA, press OK.
    • Accept Microsoft's EULA (Press Yes).
    • When you are told that the RC is installed correctly, please press YES to continue scanning for malware.
  • ComboFix will run. Simply wait for it to finish.
  • When it finishes, ComboFix will produce a log. Please post that log in your next reply here :thumbup2:
NOTE: If ComboFix will not run, please rename it to GlobRemover.exe and try again!

In your next reply, please include the following:
  • ComboFix.txt

BillyIII

Edited by Billy O'Neal, 08 March 2009 - 02:58 PM.

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#14 rchelisjm

rchelisjm
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:08:18 AM

Posted 08 March 2009 - 04:36 PM

Hi Billy,

ComboFix found a root kit and deleted two files:

c:\windows\system32\drivers\gaopdxnwyayapp.sys
c:\windows\system32\\gaopdxvusddjct.dll

I was instructed to write them down, then reboot the machine.

Here is the ComboFix log:

ComboFix 09-03-06.02 - Steve 2009-03-08 14:05:41.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2557.2159 [GMT -7:00]
Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Steve\Start Menu\Programs\freshplay
c:\documents and settings\Steve\Start Menu\Programs\freshplay\Uninstall.lnk
c:\program files\freshplay
c:\program files\freshplay\Uninstall.exe
c:\recycler\S-7-7-93-100018769-100031368-100007990-1340.com
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\IE4 Error Log.txt
c:\windows\system32\drivers\gaopdxnwyayepp.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxvusddjct.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-02-08 to 2009-03-08 )))))))))))))))))))))))))))))))
.

2009-03-07 00:24 . 2009-03-07 00:25 4,212 ---h----- c:\windows\system32\zllictbl.dat
2009-03-07 00:23 . 2009-03-07 00:23 <DIR> d-------- c:\documents and settings\Steve\Application Data\Wireshark
2009-03-07 00:22 . 2009-03-07 00:44 <DIR> d-------- c:\windows\Internet Logs
2009-03-06 00:44 . 2009-03-06 00:44 <DIR> d-------- c:\program files\Avira GmbH
2009-03-06 00:42 . 2009-03-06 00:42 <DIR> d-------- c:\program files\Wireshark
2009-03-06 00:42 . 2009-03-06 00:42 <DIR> d-------- c:\program files\WinPcap
2009-03-04 00:25 . 2009-03-04 00:25 250 --a------ c:\windows\gmer.ini
2009-02-18 01:46 . 2009-03-01 19:58 4,194,314 --a------ c:\windows\pfirewall.log.old
2009-02-17 21:47 . 2009-02-17 21:47 20 --ahs---- C:\ArcDeviceInfo
2009-02-17 21:31 . 2009-02-17 21:31 <DIR> d-------- c:\program files\Common Files\ArcSoft
2009-02-17 21:31 . 2009-02-17 21:31 <DIR> d-------- c:\documents and settings\Steve\Application Data\ArcSoft
2009-02-17 21:31 . 1995-08-01 05:44 212,480 --a------ c:\windows\PCDLIB32.DLL
2009-02-17 21:31 . 2005-02-23 15:58 11,776 --a------ c:\windows\system32\drivers\afc.sys
2009-02-17 21:31 . 2009-02-17 21:31 94 --a------ c:\windows\MusicRip.ini
2009-02-17 21:30 . 2009-02-17 21:30 <DIR> d-------- c:\program files\ArcSoft
2009-02-16 23:27 . 2009-01-18 14:35 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-02-16 17:29 . 2009-02-16 18:15 <DIR> d-------- c:\windows\SxsCaPendDel
2009-02-16 17:20 . 2009-01-18 14:30 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-02-16 17:19 . 2009-02-16 17:19 <DIR> d-------- c:\program files\Lavasoft
2009-02-16 17:19 . 2009-02-16 17:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-16 17:19 . 2009-02-16 17:19 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-16 16:51 . 2009-03-08 13:50 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-02-16 12:06 . 2009-02-16 12:06 <DIR> d-------- C:\Binaries
2009-02-14 00:15 . 2009-02-14 00:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Citrix
2009-02-12 00:57 . 2009-02-12 00:57 <DIR> d-------- c:\windows\$SQLUninstallSQL2000-KB960082-v8.00.2055-x86-ENU$

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-08 21:04 59,684 ----a-w c:\windows\system32\GlyphInfo.bin
2009-03-08 21:04 187,780 ----a-w c:\windows\system32\FontInfo.bin
2009-03-08 20:57 --------- d-----w c:\program files\BOINC
2009-03-07 07:33 90,112 ----a-w c:\windows\DUMP5e6b.tmp
2009-03-07 07:31 90,112 ----a-w c:\windows\DUMP7261.tmp
2009-03-06 07:44 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-18 03:23 --------- d-----w c:\documents and settings\Steve\Application Data\Apple Computer
2009-02-17 00:29 --------- d-----w c:\program files\Common Files\Autodesk Shared
2009-02-17 00:29 --------- d-----w c:\program files\AutoCAD LT 2008
2009-02-17 00:29 --------- d-----w c:\documents and settings\All Users\Application Data\Autodesk
2009-01-17 05:35 3,594,752 ----a-w c:\windows\system32\dllcache\mshtml.dll
2009-01-06 08:00 249,856 ------w c:\windows\Setup1.exe
2009-01-06 07:59 73,216 ----a-w c:\windows\ST6UNST.EXE
2008-12-19 09:10 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 09:10 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 05:25 634,024 ------w c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:23 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-12-08 07:14 444,952 ----a-w c:\windows\system32\wrap_oal.dll
2008-12-08 07:14 109,080 ----a-w c:\windows\system32\OpenAL32.dll
2008-11-14 06:48 61,224 ----a-w c:\documents and settings\Steve\GoToAssistDownloadHelper.exe
2008-09-13 01:23 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091220080913\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-02-25 67128]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"H/PC Connection Agent"="c:\progra~1\MI3AA1~1\wcescomm.exe" [2005-11-15 1200128]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2008-05-06 202088]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"RemoteCenter"="c:\program files\Creative\MediaSource\RemoteControl\RcMan.exe" [2004-08-17 143360]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Logitech Hardware Abstraction Layer"="c:\windows\KHALMNPR.EXE" [2005-07-22 28160]
"AGEIA PhysX SysTray"="c:\program files\AGEIA Technologies\TrayIcon.exe" [2006-08-16 339968]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-10-23 185896]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"nwiz"="c:\windows\system32\nwiz.exe" [2008-10-07 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"CTHelper"="c:\windows\system32\CTHELPER.EXE" [2008-06-27 19456]
"CTDVDDET"="c:\program files\Creative\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-18 506712]

c:\documents and settings\Steve\Start Menu\Programs\Startup\
SAproxy Pro.lnk - c:\program files\Stata Labs\SAproxy Pro\sa-gui.exe [2006-11-25 3190784]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
GridRepublic Desktop.lnk - c:\program files\BOINC\GridRepublic.exe [2006-08-07 1990656]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-02-25 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2006-09-21 528384]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 81920]
TotalMedia Backup Monitor.lnk - c:\program files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe [2009-02-17 270336]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Disabled:ActiveSync Application
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Disabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Disabled:ActiveSync RAPI Manager
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Disabled:ActiveSync Service

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-16 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 921936]
R3 athena;athena;c:\windows\system32\drivers\athena.sys [2006-09-13 108160]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2008-06-27 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2008-06-27 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2008-06-27 566296]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2008-06-27 99352]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2008-06-27 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2008-06-27 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2008-06-27 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2008-06-27 566296]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5da5ba86-6ae0-11dd-82da-00188b151d74}]
\Shell\AutoRun\command - J:\InstallTomTomHOME.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc807927-2819-11dc-829b-00188b151d74}]
\Shell\AutoRun\command - J:\InstallTomTomHOME.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 14:34]

2009-03-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
HKLM-Run-AudioDrvEmulator - c:\program files\Creative\Shared Files\Module Loader\DLLML.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
Trusted Zone: mcafee.com
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-08 14:11:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-08 14:15:13
ComboFix-quarantined-files.txt 2009-03-08 21:14:08

Pre-Run: 229,169,532,928 bytes free
Post-Run: 230,357,774,336 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

200 --- E O F --- 2009-02-12 08:01:04

#15 rchelisjm

rchelisjm
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:08:18 AM

Posted 08 March 2009 - 04:48 PM

Billy,

Are we at a point where I should install Anti-Virus/malware and firewall software - or keep my machine off the internet while we proceed?

Steve




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users