
I’m infected – and neither anti-spyware nor the other forum have resolved it


10 replies to this topic

#1 Endee

Endee

  • Members
  • 17 posts
  • Gender:Female
  • Location:Wisconsin, USA

Posted 25 April 2009 - 01:55 PM

I started on the “Am I infected?” forum and was referred here by rigel, who confirmed to me after some study of the situation that I have a “very nasty infection”. I’m not sure what exactly it is that I have, but some of the reappearing names I keep noticing when I scan with anti-spyware include those mentioned in the topic description above.

For the full background story, and to see what has already been tried, please see the thread on the other forum at http://www.bleepingcomputer.com/forums/t/221138/im-infected-and-spyware-is-not-helping/

Please note that my firewall is down, and please note also that I have been posting here and downloading and uploading via a separate, non-infected computer (protected by Kaspersky) and a flash drive, due to internet connectivity problems caused by the virus in the infected computer. I am somewhat nervous about accidentally infecting the healthy computer through these actions as well… (so please help me keep it safe as we take steps moving forward… thank you!)

Here is the DDS log as instructed, and I am attaching the zipped Attach.txt file as well.

Thank you SO MUCH in advance for all your help!!

Endee


DDS (Ver_09-03-16.01) - NTFSx86 MINIMAL
Run by Nicole at 15:02:08.18 on Fri 04/24/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.776 [GMT -5:00]

AV: Norton 360 *On-access scanning disabled* (Outdated)
FW: Norton 360 *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Nicole\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
uDefault_Page_URL = hxxp://www.dellnet.com/
uSearch Bar = hxxp://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\ntos.exe,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
TB: Plaxo: {81ca3009-6200-4a6d-93c6-f1e9a6821c7f} - c:\program files\plaxo\ie toolbar\0.9.5.42\plx_tlbr.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll
EB: {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: MoneySide: {9404901d-06da-4b23-a0ee-3ea4f64ec9b3} - c:\program files\microsoft money\system\mnyviewer.dll
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
uRun: [MoneyAgent] "c:\program files\microsoft money\system\Money Express.exe"
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [PlaxoUpdate] c:\program files\plaxo\3.19.0.16\PlaxoHelper_en.exe -a
uRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [PlaxoSysTray] c:\program files\plaxo\3.18.0.14\PlaxoSysTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [GhostStartTrayApp] c:\program files\symantec\norton ghost 2003\GhostStartTrayApp.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton 360\osCheck.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\billmi~1.lnk - c:\program files\quickenw\BILLMIND.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\program files\quickenw\QWDLLS.EXE
IE: &Search - ?p=ZNxdm824NXUS
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper200711281.dll
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/35.09/uploader2.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124643899213
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !saswinlogon - c:\program files\superantispyware\SASWINLO.dll
Notify: PCANotify - PCANotify.dll
AppInit_DLLs: c:\windows\system32\ziwagawu.dll c:\progra~1\thunmail\testabd.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli c:\windows\system32\ziwagawu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nicole\applic~1\mozilla\firefox\profiles\8s566xii.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - HiddenExtension: XUL Cache: {13296F8A-6FDB-4ECF-B247-BC1831EA81B3} - c:\documents and settings\nicole\local settings\application data\{13296F8A-6FDB-4ECF-B247-BC1831EA81B3}

============= SERVICES / DRIVERS ===============

R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-10-29 587096]
S1 32a3bf2c;32a3bf2c;c:\windows\system32\drivers\32a3bf2c.sys [2009-4-19 117742]
S1 adf1768;adf1768;c:\windows\system32\drivers\adf1768.sys [2009-4-20 17376]
S1 dsa5b0f;dsa5b0f;c:\windows\system32\drivers\dsa5b0f.sys [2009-4-19 17376]
S1 ege4d0b;ege4d0b;c:\windows\system32\drivers\ege4d0b.sys [2009-4-20 17376]
S1 sasdifsv;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
S1 saskutil;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
S2 Access Remote PC Service 4.11;Access Remote PC Service 4.11;c:\program files\access remote pc 4.11\rpcsetup.exe [2006-8-14 1843200]
S2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
S2 dhcpsrv;Dhcp server;c:\windows\dhcp\svchost.exe [2009-4-19 257024]
S2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S3 getplus® helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-4-19 33176]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090404.020\NAVENG.SYS [2009-4-4 89104]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090404.020\NAVEX15.SYS [2009-4-4 876144]
S3 sasenum;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2009-1-5 1245064]

=============== Created Last 30 ================

2009-04-23 22:31 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-23 22:31 --d----- c:\program files\SUPERAntiSpyware
2009-04-23 22:31 --d----- c:\docume~1\nicole\applic~1\SUPERAntiSpyware.com
2009-04-23 15:47 38 a------- C:\3A.tmp
2009-04-23 15:47 0 a------- C:\38.tmp
2009-04-23 15:47 0 a------- C:\37.tmp
2009-04-23 15:47 0 a------- C:\36.tmp
2009-04-23 15:47 0 a------- C:\35.tmp
2009-04-23 15:47 0 a------- C:\31.tmp
2009-04-23 15:47 0 a------- C:\2F.tmp
2009-04-23 15:47 0 a------- C:\2C.tmp
2009-04-23 15:47 0 a------- C:\2A.tmp
2009-04-23 15:47 38 a------- C:\29.tmp
2009-04-23 15:47 54,784 a------- C:\1F.tmp
2009-04-23 15:47 21,504 a------- C:\1E.tmp
2009-04-22 22:58 --d----- c:\windows\system\ect
2009-04-22 22:56 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-22 22:56 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-22 22:56 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-21 16:01 0 a------- c:\documents and settings\nicole\settings.dat
2009-04-20 20:20 17,376 a------- c:\windows\system32\drivers\ege4d0b.sys
2009-04-20 20:20 40,960 a------- c:\windows\system32\xz.exe
2009-04-20 19:23 --d----- c:\docume~1\nicole\applic~1\Malwarebytes
2009-04-20 19:22 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-20 16:56 65,536 a------- c:\windows\system32\ak1.exe
2009-04-20 12:45 0 a------- C:\34.tmp
2009-04-20 12:45 0 a------- C:\33.tmp
2009-04-20 12:45 0 a------- C:\32.tmp
2009-04-20 12:45 0 a------- C:\30.tmp
2009-04-20 12:45 0 a------- C:\2E.tmp
2009-04-20 12:45 38 a------- C:\2D.tmp
2009-04-20 12:44 38 a------- C:\2B.tmp
2009-04-20 12:43 0 a------- C:\1B.tmp
2009-04-20 12:43 0 a------- C:\1A.tmp
2009-04-20 12:43 0 a------- C:\19.tmp
2009-04-20 12:43 0 a------- C:\18.tmp
2009-04-20 12:43 52,736 a------- C:\12.tmp
2009-04-20 12:43 23,040 a------- C:\10.tmp
2009-04-20 12:31 --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-04-20 12:30 --d----- c:\program files\common files\iS3
2009-04-20 12:30 --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-04-19 23:02 0 a------- c:\windows\system32\1A.tmp
2009-04-19 23:01 17,376 a------- c:\windows\system32\drivers\dsa5b0f.sys
2009-04-19 23:01 0 a------- C:\17.tmp
2009-04-19 23:01 0 a------- C:\16.tmp
2009-04-19 23:01 0 a------- C:\15.tmp
2009-04-19 23:01 0 a------- C:\14.tmp
2009-04-19 23:01 38 a------- C:\13.tmp
2009-04-19 23:01 80 a------- c:\windows\system32\12.tmp
2009-04-19 23:01 0 a------- C:\11.tmp
2009-04-19 23:01 0 a------- C:\F.tmp
2009-04-19 23:00 0 a------- C:\D.tmp
2009-04-19 23:00 0 a------- C:\C.tmp
2009-04-19 23:00 0 a------- C:\B.tmp
2009-04-19 23:00 38 a------- C:\A.tmp
2009-04-19 23:00 52,736 a------- C:\9.tmp
2009-04-19 23:00 23,040 a------- C:\8.tmp
2009-04-19 20:44 0 a------- C:\7.tmp
2009-04-19 20:44 0 a------- C:\6.tmp
2009-04-19 20:44 0 a------- C:\5.tmp
2009-04-19 20:44 0 a------- C:\4.tmp
2009-04-19 20:44 0 a------- C:\3.tmp
2009-04-19 13:46 172,032 a------- c:\windows\system32\tcpcon.dll
2009-04-19 13:46 10,240 a------- c:\windows\system32\Packer.dll
2009-04-19 13:46 9 a------- c:\windows\system32\riphy.dll
2009-04-19 13:46 9 a------- c:\windows\system32\iphy.dll
2009-04-19 13:46 3 a------- c:\windows\system32\fhpatch.dll
2009-04-19 13:46 --d----- c:\windows\system32\3361
2009-04-19 13:45 108,336 a------- c:\windows\system32\MSWINSCK.OCX
2009-04-19 13:45 43 a------- c:\windows\system32\ovfsthxrxoduifm.dat
2009-04-19 13:45 --d----- c:\windows\dhcp
2009-04-19 13:45 --dshr-- c:\program files\ThunMail
2009-04-19 13:45 0 a------- c:\windows\mqcd.dbt
2009-04-19 13:43 69,632 a------- C:\tqpxlyy.exe
2009-04-16 23:48 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 23:48 236,032 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-16 23:48 2,560 -------- c:\windows\system32\xpsp4res.dll

==================== Find3M ====================

2009-04-23 23:01 117,742 a------- c:\windows\system32\drivers\32a3bf2c.sys
2009-04-22 23:44 1,012,766 a------- c:\windows\system32\ovfsthxwbivmprf.dat
2009-04-20 21:27 17,376 a------- c:\windows\system32\drivers\adf1768.sys
2009-04-19 13:44 18,432 a------- c:\windows\system32\ovfsthxuyvvmlxb.dll
2009-04-19 13:44 18,432 a------- c:\windows\system32\ovfsthxhdhlkdgw.dll
2009-04-19 13:44 83,456 a------- c:\windows\system32\drivers\ovfsthxtxjwxumo.sys
2009-04-19 13:44 60,928 a------- c:\windows\system32\ovfsthxqoehtprw.dll
2009-04-19 13:44 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-04-19 13:44 43,520 a------- C:\ptrf.exe
2009-04-19 13:44 578,560 a------- c:\windows\system32\user32.DLL
2009-04-19 13:44 262,144 a------- c:\windows\system32\nvrsk.dll
2009-04-19 13:44 147,968 a------- c:\windows\iwadirot.dll
2009-04-19 13:44 30,720 a------- C:\cpjopaid.exe
2009-04-19 13:44 290,304 a------- C:\wcfgayg.exe
2009-04-19 13:43 107,520 a--sh--- c:\windows\system32\sunotadi.dll
2009-04-19 13:43 83,968 a--sh--- c:\windows\system32\rovoyato.exe
2009-03-06 09:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 19:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 13:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-19 13:03 579,464 a------- c:\windows\system32\SymNeti.dll
2009-02-19 13:03 207,240 a------- c:\windows\system32\SymRedir.dll
2009-02-09 07:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 07:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 07:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 07:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 06:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-06 06:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 06:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 05:39 55,808 a------- c:\windows\system32\sc.exe
2009-02-06 05:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-03 14:59 56,832 a------- c:\windows\system32\secur32.dll
2005-11-01 17:50 76,496 a------- c:\docume~1\nicole\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 15:05:41.14 ============


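The DDS log in the post above contains the persistence entries a malware analyst would triage first: a Winlogon Userinit value with a second executable appended, a populated AppInit_DLLs value, an LSA Notification Packages value that lists more than the stock `scecli`, a copy of `svchost.exe` living outside `system32`, and kernel drivers whose service name is a random-looking string with no description. The script below is an added example written for this page; it is not part of the thread and is not code from the DDS tool. It parses a handful of lines copied from the posted log (embedded as constructed sample input) and returns the indicators an analyst should verify by hand. The default-value lists and the "random-looking name" heuristic are the example's own assumptions, not rules from the page.

```python
"""Triage of DDS 'Pseudo HJT Report' and service lines for persistence abuse.

Added example for this thread (not the DDS tool's own code). It reads lines in
the format DDS prints and flags the entries an analyst checks first. Findings
are indicators to verify, not a verdict; nothing here modifies the system.
"""
import re

# Constructed sample input: lines copied from the DDS log posted in #1.
SAMPLE_DDS_LINES = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\ntos.exe,
AppInit_DLLs: c:\windows\system32\ziwagawu.dll c:\progra~1\thunmail\testabd.dll
LSA: Notification Packages = scecli c:\windows\system32\ziwagawu.dll
Notify: PCANotify - PCANotify.dll
S2 dhcpsrv;Dhcp server;c:\windows\dhcp\svchost.exe [2009-4-19 257024]
S1 32a3bf2c;32a3bf2c;c:\windows\system32\drivers\32a3bf2c.sys [2009-4-19 117742]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-10-29 587096]
""".strip().splitlines()

# Assumed defaults for Windows XP: the only stock Userinit entry and the only
# stock LSA notification package. Anything else is worth a look.
DEFAULT_USERINIT_SUFFIX = r"\system32\userinit.exe"
DEFAULT_LSA_PACKAGES = {"scecli"}

# DDS service line: "<state> <name>;<description>;<path> [<date> <size>]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[", re.I)


def split_paths(value, sep):
    """Split a registry value on sep, dropping blanks and normalising case."""
    return [p.strip().lower() for p in value.split(sep) if p.strip()]


def check_userinit(value):
    """Entries in Winlogon\\Userinit other than the stock userinit.exe.

    Userinit runs at every interactive logon, so an extra path here is a
    classic persistence point."""
    return [p for p in split_paths(value, ",") if not p.endswith(DEFAULT_USERINIT_SUFFIX)]


def check_appinit_dlls(value):
    """Every DLL listed in AppInit_DLLs is loaded into every user32-linked process.

    A clean XP install has this value empty; some legitimate products do use it,
    so each entry needs to be identified rather than treated as malicious."""
    return split_paths(value, " ")


def check_lsa_packages(value):
    """LSA notification packages beyond scecli are loaded into lsass.exe."""
    return [p for p in split_paths(value, " ") if p not in DEFAULT_LSA_PACKAGES]


def check_service(line):
    """Heuristic checks on one DDS service/driver line; None if not a service line."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    _state, name, desc, path = (g.strip() for g in m.groups())
    path = path.lower()
    findings = []
    # The real svchost.exe lives in system32; a copy elsewhere is a red flag.
    if path.endswith("\\svchost.exe") and "\\system32\\svchost.exe" not in path:
        findings.append(f"svchost.exe outside system32: {path}")
    # Heuristic (assumption): name == description and the name mixes letters and
    # digits, e.g. '32a3bf2c', is typical of randomly named dropper drivers.
    if name == desc and re.search(r"\d", name) and re.search(r"[a-z]", name, re.I):
        findings.append(f"driver with random-looking name and no description: {name}")
    return findings


def triage(lines):
    """Return (category, detail) findings for a list of DDS log lines."""
    findings = []
    for line in lines:
        if line.startswith("mWinlogon:") and "Userinit=" in line:
            for extra in check_userinit(line.split("Userinit=", 1)[1]):
                findings.append(("winlogon_userinit", extra))
        elif line.startswith("AppInit_DLLs:"):
            for dll in check_appinit_dlls(line.split(":", 1)[1]):
                findings.append(("appinit_dlls", dll))
        elif line.startswith("LSA: Notification Packages"):
            for pkg in check_lsa_packages(line.split("=", 1)[1]):
                findings.append(("lsa_notification_packages", pkg))
        else:
            for detail in check_service(line) or []:
                findings.append(("service", detail))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_DDS_LINES):
        print(f"{category:28s} {detail}")
```

Run against the sample lines this reports the extra `ntos.exe` in Userinit, both AppInit DLLs, the non-default LSA package, the stray `svchost.exe` under `c:\windows\dhcp`, and the `32a3bf2c` driver, while the Ad-Aware service line produces nothing. Each finding still has to be confirmed against a known-good reference or a file hash before anything is removed, which is why the helper's instructions in this thread ask for further logs rather than acting on the first scan.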

#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 25 April 2009 - 02:06 PM

Hello Endee

Welcome to BleepingComputer :thumbup2:
=====================
  • Download OTListIt2 to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTListIt2.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.
===========
Download the GMER Rootkit Scanner.
Click the Download exe button and save the randomly named file to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click randomlynamed.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#3 Endee

Endee
  • Topic Starter

  • Members
  • 17 posts
  • Gender:Female
  • Location:Wisconsin, USA

Posted 28 April 2009 - 07:46 PM

Hello kahdah,

Thank you so much for your help! I really appreciate it.

Just for your information, I can’t run except in safe mode anymore – always get a blue screen otherwise.

Here are the scan results. What next?

THANK YOU!!

Endee



OTListIt logfile created on: 4/28/2009 12:48:47 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.14.0 Folder = C:\Documents and Settings\Nicole\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.48 Mb Total Physical Memory | 782.60 Mb Available Physical Memory | 76.46% Memory free
2.41 Gb Paging File | 2.30 Gb Available in Paging File | 95.62% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 38.09 Gb Total Space | 9.86 Gb Free Space | 25.90% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BIGMONSTER
Current User Name: Nicole
Logged in as Administrator.

Current Boot Mode: SafeMode
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe (Lavasoft AB)
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\Documents and Settings\Nicole\Desktop\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (6to4 [Auto | Stopped]) -- C:\WINDOWS\system32\6to4v32.dll ()
SRV - (aawservice [Auto | Running]) -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe (Lavasoft AB)
SRV - (Access Remote PC Service 4.11 [Auto | Stopped]) -- C:\Program Files\Access Remote PC 4.11\rpcsetup.exe (Access Remote PC (www.access-remote-pc.com))
SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (Microsoft Corporation)
SRV - (Automatic LiveUpdate Scheduler [Auto | Stopped]) -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe (Symantec Corporation)
SRV - (ccSetMgr [Auto | Stopped]) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SRV - (CLTNetCnService [Auto | Stopped]) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SRV - (comHost [On_Demand | Stopped]) -- C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe (Symantec Corporation)
SRV - (dhcpsrv [Auto | Stopped]) -- C:\WINDOWS\dhcp\svchost.exe ()
SRV - (getplus® helper [On_Demand | Stopped]) -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (NOS Microsystems Ltd.)
SRV - (gusvc [Auto | Stopped]) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (Google)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (LiveUpdate [On_Demand | Stopped]) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE (Symantec Corporation)
SRV - (LiveUpdate Notice [Auto | Stopped]) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SRV - (Symantec Core LC [On_Demand | Stopped]) -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe ()
SRV - (WMPNetworkSvc [Auto | Stopped]) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (32a3bf2c [System | Stopped]) -- C:\WINDOWS\System32\drivers\32a3bf2c.sys ()
DRV - (adf1768 [System | Stopped]) -- C:\WINDOWS\System32\drivers\adf1768.sys ()
DRV - (COH_Mon [On_Demand | Stopped]) -- C:\WINDOWS\system32\Drivers\COH_Mon.sys (Symantec Corporation)
DRV - (CO_Mon [Auto | Stopped]) -- C:\WINDOWS\system32\drivers\CO_Mon.sys (Symantec Corporation)
DRV - (dsa5b0f [System | Stopped]) -- C:\WINDOWS\System32\drivers\dsa5b0f.sys ()
DRV - (eeCtrl [System | Stopped]) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
DRV - (ege4d0b [System | Stopped]) -- C:\WINDOWS\System32\drivers\ege4d0b.sys ()
DRV - (FETND5BV [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys (VIA Technologies, Inc. )
DRV - (FETNDIS [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\fetnd5.sys (VIA Technologies, Inc. )
DRV - (gameenum [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\gameenum.sys (Microsoft Corporation)
DRV - (GEARAspiWDM [On_Demand | Running]) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (ms_mpu401 [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\msmpu401.sys (Microsoft Corporation)
DRV - (MxlW2k [Auto | Running]) -- C:\WINDOWS\System32\drivers\MxlW2k.sys (MusicMatch, Inc.)
DRV - (NAVENG [On_Demand | Stopped]) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090404.020\NAVENG.SYS (Symantec Corporation)
DRV - (NAVEX15 [On_Demand | Stopped]) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090404.020\NAVEX15.SYS (Symantec Corporation)
DRV - (nv [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys (NVIDIA Corporation)
DRV - (Ptilink [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (sasdifsv [System | Stopped]) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (sasenum [On_Demand | Stopped]) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS ( SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (saskutil [System | Stopped]) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (SPBBCDrv [On_Demand | Stopped]) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (Symantec Corporation)
DRV - (SRTSP [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\SRTSP.SYS (Symantec Corporation)
DRV - (SRTSPL [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\SRTSPL.SYS (Symantec Corporation)
DRV - (SRTSPX [System | Stopped]) -- C:\WINDOWS\System32\Drivers\SRTSPX.SYS (Symantec Corporation)
DRV - (SYMDNS [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\SYMDNS.SYS (Symantec Corporation)
DRV - (SYMFW [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\SYMFW.SYS (Symantec Corporation)
DRV - (SYMIDS [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\SYMIDS.SYS (Symantec Corporation)
DRV - (SYMIDSCO [On_Demand | Stopped]) -- C:\Program Files\Common Files\Symantec Shared\SymcData\ipsdefs\20090331.004\SymIDSco.sys (Symantec Corporation)
DRV - (SymIM [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\SymIM.sys (Symantec Corporation)
DRV - (SymIMMP [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\SymIM.sys (Symantec Corporation)
DRV - (SYMNDIS [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\SYMNDIS.SYS (Symantec Corporation)
DRV - (SYMREDRV [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS (Symantec Corporation)
DRV - (symtdi [System | Stopped]) -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS (Symantec Corporation)
DRV - (WinDriver6 [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\windrvr6.sys (Jungo)

========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTe...-8&fr=b1ie7
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {D5D89B37-D849-4EBD-B26A-170324500DB0}:1.0
FF - prefs.js..extensions.enabledItems: {13296F8A-6FDB-4ECF-B247-BC1831EA81B3}:1.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.1

FF - HKLM\software\mozilla\firefox\extensions\\{13296F8A-6FDB-4ECF-B247-BC1831EA81B3}: C:\DOCUMENTS AND SETTINGS\NICOLE\LOCAL SETTINGS\APPLICATION DATA\{13296F8A-6FDB-4ECF-B247-BC1831EA81B3} [2009/04/19 13:56:10 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.1\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009/01/05 18:45:57 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.1\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/01/05 14:53:36 | 00,000,000 | ---D | M]

[2008/08/02 10:42:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nicole\Application Data\mozilla\Extensions
[2008/08/02 10:42:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nicole\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2008/08/02 10:42:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nicole\Application Data\mozilla\Firefox\Profiles\8s566xii.default\extensions
[2009/04/20 18:58:24 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2008/08/02 10:42:44 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/04/19 13:44:52 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{D5D89B37-D849-4EBD-B26A-170324500DB0}
[2008/07/02 20:52:45 | 00,023,040 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2008/07/02 20:52:46 | 00,134,144 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/03/31 22:47:26 | 00,324,976 | ---- | M] (Symantec Corporation) -- C:\Program Files\mozilla firefox\components\coFFPlgn.dll
[2008/07/02 11:31:38 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2008/07/02 11:31:38 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2008/07/02 11:31:38 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2008/07/02 11:31:38 | 00,002,642 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2008/07/02 11:31:38 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2008/07/02 11:31:38 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2008/07/02 11:31:38 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (304465 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 10509 more lines...
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll (Yahoo! Inc.)
O3 - HKLM\..\Toolbar: (&Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O3 - HKLM\..\Toolbar: (Show Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Plaxo) - {81CA3009-6200-4a6d-93C6-F1E9A6821C7F} - C:\Program Files\Plaxo\IE Toolbar\0.9.5.42\plx_tlbr.dll (Plaxo, Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\System32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\System32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\SHELL32.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll (Symantec Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Plaxo) - {81CA3009-6200-4A6D-93C6-F1E9A6821C7F} - C:\Program Files\Plaxo\IE Toolbar\0.9.5.42\plx_tlbr.dll (Plaxo, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" (Symantec Corporation)
O4 - HKLM..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
O4 - HKLM..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe (Microsoft® Corporation)
O4 - HKLM..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe (MUSICMATCH, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup (NVIDIA Corporation)
O4 - HKLM..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe" (Symantec Corporation)
O4 - HKLM..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (RealNetworks, Inc.)
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKCU..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (Microsoft Corporation)
O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (Microsoft Corporation)
O4 - HKCU..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit (NVIDIA Corporation)
O4 - HKCU..\Run: [PlaxoSysTray] C:\Program Files\Plaxo\3.18.0.14\PlaxoSysTray.exe (Plaxo, Inc.)
O4 - HKCU..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\3.19.0.16\PlaxoHelper_en.exe -a (Plaxo, Inc.)
O4 - HKCU..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized ()
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (Yahoo! Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk = C:\Program Files\quickenw\BILLMIND.EXE (Intuit)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe (Microsoft® Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk = C:\Program Files\quickenw\QWDLLS.EXE (Intuit)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &Search - ?p=ZNxdm824NXUS File not found
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm File not found
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000 (Microsoft Corporation)
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm File not found
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm File not found
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm File not found
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O9 - Extra Button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - Reg Error: Key error. File not found
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra Button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [Tcpip] - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [NTDS] - C:\WINDOWS\System32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [Network Location Awareness (NLA) Namespace] - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Sites: ([]msn in My Computer)
O15 - HKCU\..Trusted Domains: 48 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll (Installation Support)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://www2.snapfish.com/SnapfishActivia.cab (Snapfish Activia)
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} http://picasaweb.google.com/s/v/35.09/uploader2.cab (UploadListView Class)
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} http://www.linkedin.com/cab/LinkedInContactFinderControl.cab (LinkedIn ContactFinderControl)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1124643899213 (WUWebControl Class)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab (get_atlcom Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Filter: - application/octet-stream - C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter: - application/x-complus - C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter: - application/x-msdownload - C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter: - Class Install Handler - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter: - deflate - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter: - gzip - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter: - lzdhtml - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/webviewhtml - C:\WINDOWS\system32\SHELL32.dll (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\WINDOWS\system32\ziwagawu.dll) - C:\WINDOWS\system32\ziwagawu.dll File not found
O20 - AppInit_DLLs: (c:\progra~1\ThunMail\testabd.dll) - c:\Program Files\ThunMail\testabd.dll ()
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\ntos.exe) - C:\WINDOWS\system32\ntos.exe [FILE handle not seen by OS]
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\system32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\system32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\!saswinlogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\system32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\system32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\system32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\System32\dimsntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\PCANotify: DllName - PCANotify.dll - C:\WINDOWS\system32\PCANotify.dll (Symantec Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\system32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\system32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\system32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\system32\WlNotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\system32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINDOWS\system32\WgaLogon.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\system32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\SHELL32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\SHELL32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\System32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\System32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\System32\browseui.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O27 - HKLM IFEO\Your Image File Name Here without a path: Debugger - C:\WINDOWS\System32\ntsd.exe (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\system32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\system32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\system32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\system32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - Autorun File - C:\AUTOEXEC.BAT () - [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()

========== Files/Folders - Created Within 30 Days ==========

[55 C:\*.tmp files]
[3 C:\WINDOWS\System32\*.tmp files]
[5 C:\WINDOWS\*.tmp files]
[2009/04/28 11:31:34 | 00,523,264 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Nicole\Desktop\OTListIt2.exe
[2009/04/24 20:57:34 | 00,003,754 | ---- | C] () -- C:\Documents and Settings\Nicole\Desktop\Attach.zip
[2009/04/24 15:00:46 | 00,360,021 | ---- | C] () -- C:\Documents and Settings\Nicole\Desktop\dds.scr
[2009/04/24 14:53:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Nicole\Desktop\Resort later
[2009/04/24 14:52:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Nicole\Desktop\VRS Cleanup
[2009/04/23 22:31:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/04/23 22:31:42 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/04/23 22:31:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Nicole\Application Data\SUPERAntiSpyware.com
[2009/04/22 22:58:06 | 00,485,339 | ---- | C] () -- C:\Documents and Settings\Nicole\Local Settings\Application Data\zchMiB.exe
[2009/04/22 22:58:03 | 00,000,000 | ---D | C] -- C:\WINDOWS\System\ect
[2009/04/22 22:58:02 | 00,041,472 | ---- | C] () -- C:\Documents and Settings\Nicole\Local Settings\Application Data\clkw2.exe
[2009/04/22 22:56:11 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/04/22 22:56:09 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/22 22:56:08 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/04/20 21:27:43 | 00,017,376 | ---- | C] () -- C:\WINDOWS\System32\drivers\adf1768.sys
[2009/04/20 20:20:58 | 00,017,376 | ---- | C] () -- C:\WINDOWS\System32\drivers\ege4d0b.sys
[2009/04/20 20:20:43 | 00,040,960 | ---- | C] ( ) -- C:\WINDOWS\System32\xz.exe
[2009/04/20 19:23:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Nicole\Application Data\Malwarebytes
[2009/04/20 19:22:55 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/04/20 16:56:21 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\ak1.exe
[2009/04/20 12:31:47 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SITEguard
[2009/04/20 12:30:02 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\iS3
[2009/04/20 12:30:01 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2009/04/20 12:17:20 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/04/20 12:16:42 | 00,053,760 | -H-- | C] (Microsoft Corporation) -- C:\Documents and Settings\Nicole\Desktop\MSWORKS.EXE
[2009/04/19 23:01:56 | 00,017,376 | ---- | C] () -- C:\WINDOWS\System32\drivers\dsa5b0f.sys
[2009/04/19 16:07:41 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2009/04/19 16:07:40 | 00,000,000 | ---D | C] -- C:\Program Files\NOS
[2009/04/19 13:56:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Nicole\Local Settings\Application Data\{13296F8A-6FDB-4ECF-B247-BC1831EA81B3}
[2009/04/19 13:46:08 | 00,172,032 | ---- | C] () -- C:\WINDOWS\System32\tcpcon.dll
[2009/04/19 13:46:08 | 00,010,240 | ---- | C] () -- C:\WINDOWS\System32\Packer.dll
[2009/04/19 13:46:08 | 00,000,009 | ---- | C] () -- C:\WINDOWS\System32\riphy.dll
[2009/04/19 13:46:08 | 00,000,009 | ---- | C] () -- C:\WINDOWS\System32\iphy.dll
[2009/04/19 13:46:08 | 00,000,003 | ---- | C] () -- C:\WINDOWS\System32\fhpatch.dll
[2009/04/19 13:46:02 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\3361
[2009/04/19 13:45:56 | 00,108,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MSWINSCK.OCX
[2009/04/19 13:45:51 | 00,000,043 | ---- | C] () -- C:\WINDOWS\System32\ovfsthxrxoduifm.dat
[2009/04/19 13:45:50 | 00,000,000 | ---D | C] -- C:\WINDOWS\dhcp
[2009/04/19 13:45:38 | 00,000,000 | RHSD | C] -- C:\Program Files\ThunMail
[2009/04/19 13:45:12 | 00,000,000 | ---- | C] () -- C:\WINDOWS\mqcd.dbt
[2009/04/19 13:44:47 | 01,012,766 | ---- | C] () -- C:\WINDOWS\System32\ovfsthxwbivmprf.dat
[2009/04/19 13:44:47 | 00,018,432 | ---- | C] () -- C:\WINDOWS\System32\ovfsthxuyvvmlxb.dll
[2009/04/19 13:44:47 | 00,018,432 | ---- | C] () -- C:\WINDOWS\System32\ovfsthxhdhlkdgw.dll
[2009/04/19 13:44:46 | 00,083,456 | ---- | C] () -- C:\WINDOWS\System32\drivers\ovfsthxtxjwxumo.sys
[2009/04/19 13:44:46 | 00,060,928 | ---- | C] () -- C:\WINDOWS\System32\ovfsthxqoehtprw.dll
[2009/04/19 13:44:25 | 00,182,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndis.sys
[2009/04/19 13:44:18 | 00,117,742 | ---- | C] () -- C:\WINDOWS\System32\drivers\32a3bf2c.sys
[2009/04/19 13:44:17 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\inqby.sr
[2009/04/19 13:44:16 | 00,032,768 | ---- | C] () -- C:\WINDOWS\System32\ferryl.cbv
[2009/04/19 13:44:15 | 00,032,768 | ---- | C] () -- C:\WINDOWS\System32\fairy.an
[2009/04/19 13:44:14 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\dolman.zt
[2009/04/19 13:44:13 | 00,079,360 | ---- | C] () -- C:\WINDOWS\System32\ashl.nq
[2009/04/19 13:44:10 | 00,578,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\user32.dll
[2009/04/19 13:44:10 | 00,043,520 | ---- | C] () -- C:\ptrf.exe
[2009/04/19 13:44:08 | 00,262,144 | ---- | C] () -- C:\WINDOWS\System32\nvrsk.dll
[2009/04/19 13:44:07 | 00,000,002 | ---- | C] () -- C:\620376394
[2009/04/19 13:44:06 | 00,030,720 | ---- | C] () -- C:\cpjopaid.exe
[2009/04/19 13:44:01 | 00,290,304 | ---- | C] () -- C:\wcfgayg.exe
[2009/04/19 13:43:58 | 00,069,632 | ---- | C] (MainConcept AG) -- C:\tqpxlyy.exe
[2009/04/16 23:49:26 | 00,473,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fastprox.dll
[2009/04/16 23:49:26 | 00,401,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rpcss.dll
[2009/04/16 23:49:26 | 00,284,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pdh.dll
[2009/04/16 23:49:26 | 00,248,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvse.exe
[2009/04/16 23:49:26 | 00,131,072 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\services.exe
[2009/04/16 23:49:25 | 00,729,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll
[2009/04/16 23:49:25 | 00,714,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntdll.dll
[2009/04/16 23:49:25 | 00,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\advapi32.dll
[2009/04/16 23:49:25 | 00,453,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvsd.dll
[2009/04/16 23:48:56 | 01,203,922 | ---- | C] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009/04/16 23:48:56 | 00,236,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wordpad.exe
[2009/04/16 23:48:56 | 00,002,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsp4res.dll
[2009/01/05 14:53:16 | 00,002,126 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2007/04/26 11:36:30 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/01/31 19:58:49 | 00,000,082 | ---- | C] () -- C:\WINDOWS\MPLAYER.INI
[2006/01/01 19:36:00 | 00,000,066 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2005/11/22 01:55:37 | 00,000,044 | ---- | C] () -- C:\WINDOWS\liveup.ini
[2005/06/17 11:41:14 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll
[2003/09/19 06:53:40 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2002/07/07 20:55:24 | 00,036,864 | ---- | C] () -- C:\WINDOWS\System32\FTPStubInstUtils.dll
[2002/07/07 11:37:55 | 00,000,052 | ---- | C] () -- C:\WINDOWS\intuprof.ini
[2002/07/07 11:37:29 | 00,000,834 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2001/08/18 07:00:00 | 00,019,968 | ---- | C] () -- C:\WINDOWS\System32\6to4v32.dll
[2001/08/18 07:00:00 | 00,000,615 | ---- | C] () -- C:\WINDOWS\win.ini
[2001/08/18 07:00:00 | 00,000,231 | ---- | C] () -- C:\WINDOWS\system.ini

========== Files - Modified Within 30 Days ==========

[55 C:\*.tmp files]
[3 C:\WINDOWS\System32\*.tmp files]
[5 C:\WINDOWS\*.tmp files]
[2009/04/28 11:33:38 | 00,523,264 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Nicole\Desktop\OTListIt2.exe
[2009/04/28 11:27:43 | 00,013,084 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/04/28 11:26:00 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/04/24 20:57:34 | 00,003,754 | ---- | M] () -- C:\Documents and Settings\Nicole\Desktop\Attach.zip
[2009/04/24 14:54:14 | 00,360,021 | ---- | M] () -- C:\Documents and Settings\Nicole\Desktop\dds.scr
[2009/04/23 23:01:40 | 00,117,742 | ---- | M] () -- C:\WINDOWS\System32\drivers\32a3bf2c.sys
[2009/04/23 23:01:19 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/04/23 22:57:41 | 00,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2009/04/22 23:44:05 | 01,012,766 | ---- | M] () -- C:\WINDOWS\System32\ovfsthxwbivmprf.dat
[2009/04/22 22:58:07 | 00,485,339 | ---- | M] () -- C:\Documents and Settings\Nicole\Local Settings\Application Data\zchMiB.exe
[2009/04/22 22:58:02 | 00,041,472 | ---- | M] () -- C:\Documents and Settings\Nicole\Local Settings\Application Data\clkw2.exe
[2009/04/20 22:21:39 | 00,000,043 | ---- | M] () -- C:\WINDOWS\System32\ovfsthxrxoduifm.dat
[2009/04/20 21:27:43 | 00,017,376 | ---- | M] () -- C:\WINDOWS\System32\drivers\adf1768.sys
[2009/04/20 20:21:56 | 00,010,240 | ---- | M] () -- C:\WINDOWS\System32\Packer.dll
[2009/04/20 20:21:56 | 00,000,009 | ---- | M] () -- C:\WINDOWS\System32\iphy.dll
[2009/04/20 20:21:56 | 00,000,003 | ---- | M] () -- C:\WINDOWS\System32\fhpatch.dll
[2009/04/20 20:20:58 | 00,017,376 | ---- | M] () -- C:\WINDOWS\System32\drivers\ege4d0b.sys
[2009/04/20 19:24:16 | 00,040,960 | ---- | M] ( ) -- C:\WINDOWS\System32\xz.exe
[2009/04/20 16:56:22 | 00,065,536 | ---- | M] () -- C:\WINDOWS\System32\ak1.exe
[2009/04/20 01:10:47 | 00,011,168 | -H-- | M] () -- C:\WINDOWS\System32\jarepumu
[2009/04/20 01:09:04 | 00,002,126 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2009/04/19 23:01:56 | 00,017,376 | ---- | M] () -- C:\WINDOWS\System32\drivers\dsa5b0f.sys
[2009/04/19 18:25:45 | 00,000,077 | -HS- | M] () -- C:\Documents and Settings\Nicole\My Documents\desktop.ini
[2009/04/19 13:46:08 | 00,172,032 | ---- | M] () -- C:\WINDOWS\System32\tcpcon.dll
[2009/04/19 13:46:08 | 00,000,009 | ---- | M] () -- C:\WINDOWS\System32\riphy.dll
[2009/04/19 13:45:59 | 00,108,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MSWINSCK.OCX
[2009/04/19 13:45:12 | 00,000,000 | ---- | M] () -- C:\WINDOWS\mqcd.dbt
[2009/04/19 13:44:47 | 00,018,432 | ---- | M] () -- C:\WINDOWS\System32\ovfsthxuyvvmlxb.dll
[2009/04/19 13:44:47 | 00,018,432 | ---- | M] () -- C:\WINDOWS\System32\ovfsthxhdhlkdgw.dll
[2009/04/19 13:44:46 | 00,083,456 | ---- | M] () -- C:\WINDOWS\System32\drivers\ovfsthxtxjwxumo.sys
[2009/04/19 13:44:46 | 00,060,928 | ---- | M] () -- C:\WINDOWS\System32\ovfsthxqoehtprw.dll
[2009/04/19 13:44:26 | 00,182,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\ndis.sys
[2009/04/19 13:44:25 | 00,182,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndis.sys
[2009/04/19 13:44:17 | 00,032,768 | ---- | M] () -- C:\WINDOWS\System32\ferryl.cbv
[2009/04/19 13:44:17 | 00,028,672 | ---- | M] () -- C:\WINDOWS\System32\inqby.sr
[2009/04/19 13:44:15 | 00,032,768 | ---- | M] () -- C:\WINDOWS\System32\fairy.an
[2009/04/19 13:44:14 | 00,028,672 | ---- | M] () -- C:\WINDOWS\System32\dolman.zt
[2009/04/19 13:44:13 | 00,079,360 | ---- | M] () -- C:\WINDOWS\System32\ashl.nq
[2009/04/19 13:44:11 | 00,043,520 | ---- | M] () -- C:\ptrf.exe
[2009/04/19 13:44:08 | 00,578,560 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\user32.DLL
[2009/04/19 13:44:08 | 00,578,560 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\user32.dll
[2009/04/19 13:44:08 | 00,262,144 | ---- | M] () -- C:\WINDOWS\System32\nvrsk.dll
[2009/04/19 13:44:07 | 00,000,002 | ---- | M] () -- C:\620376394
[2009/04/19 13:44:06 | 00,030,720 | ---- | M] () -- C:\cpjopaid.exe
[2009/04/19 13:44:03 | 00,290,304 | ---- | M] () -- C:\wcfgayg.exe
[2009/04/19 13:43:59 | 00,069,632 | ---- | M] (MainConcept AG) -- C:\tqpxlyy.exe
[2009/04/19 13:43:52 | 00,107,520 | -HS- | M] (eMPIA Technology, Inc.) -- C:\WINDOWS\System32\sunotadi.dll
[2009/04/19 13:43:51 | 00,083,968 | -HS- | M] (eMPIA Technology, Inc.) -- C:\WINDOWS\System32\rovoyato.exe
[2009/04/17 10:27:18 | 00,439,552 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/04/17 10:27:18 | 00,380,350 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/04/17 10:27:18 | 00,052,764 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/04/17 00:26:27 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/04/06 15:32:54 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/06 15:32:46 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

========== LOP Check ==========

[2009/04/23 22:31:59 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2009/01/05 17:39:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
[2009/04/19 17:04:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2005/10/29 16:16:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Dell
[2009/01/13 12:34:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Google
[2009/04/22 22:22:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Google Updater
[2005/10/29 16:16:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ipswitch
[2007/12/10 10:11:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2009/04/20 19:22:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2007/10/26 11:48:39 | 00,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2005/10/29 16:16:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MSN6
[2009/04/19 16:07:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NOS
[2005/10/29 16:16:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBSI
[2009/04/20 18:50:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SITEguard
[2006/07/03 14:37:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Skype
[2009/04/19 23:01:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2009/04/20 20:32:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\STOPzilla!
[2009/04/23 22:31:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/01/07 09:34:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Symantec
[2005/10/29 16:17:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2005/08/21 19:34:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2006/12/15 08:19:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\yahoo!
[2008/07/16 09:59:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
[2009/04/23 22:31:42 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Nicole\Application Data
[2008/07/02 09:54:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nicole\Application Data\Adobe
[2005/10/29 19:35:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nicole\Application Data\AdobeUM
[2005/10/29 16:17:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nicole\Application Data\Ahead
[2005/10/29 16:17:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nicole\Application Data\Google
[2005/10/29 14:51:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nicole\Application Data\Help
[2009/04/19 18:25:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nicole\Application Data\Identities
[2005/10/29 16:20:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nicole\Application Data\InterVideo
[2005/10/29 16:20:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nicole\Application Data\Leadertech
[2005/10/29 16:20:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nicole\Application Data\Macromedia
[2009/04/20 19:23:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nicole\Application Data\Malwarebytes
[2007/11/14 23:27:05 | 00,000,000 | --SD | M] -- C:\Documents and Settings\Nicole\Application Data\Microsoft
[2008/08/02 10:42:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nicole\Application Data\Mozilla
[2007/11/19 19:27:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nicole\Application Data\MSN6
[2005/11/07 02:28:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nicole\Application Data\Plaxo
[2008/03/25 19:27:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nicole\Application Data\Real
[2009/04/22 22:50:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nicole\Application Data\Skype
[2008/11/24 15:09:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nicole\Application Data\Snapfish
[2009/04/23 22:31:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nicole\Application Data\SUPERAntiSpyware.com
[2009/01/05 17:52:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nicole\Application Data\Symantec
[2007/10/31 09:53:52 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Nicole\Application Data\yahoo!
[2001/08/18 07:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/04/23 22:57:41 | 00,000,868 | ---- | M] () -- C:\WINDOWS\Tasks\Google Software Updater.job
[2009/04/23 23:01:19 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========

< End of report >

OTListIt Extras logfile created on: 4/28/2009 12:48:47 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.14.0 Folder = C:\Documents and Settings\Nicole\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.48 Mb Total Physical Memory | 782.60 Mb Available Physical Memory | 76.46% Memory free
2.41 Gb Paging File | 2.30 Gb Available in Paging File | 95.62% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 38.09 Gb Total Space | 9.86 Gb Free Space | 25.90% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BIGMONSTER
Current User Name: Nicole
Logged in as Administrator.

Current Boot Mode: SafeMode
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UpdatesDisableNotify" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 (Microsoft Corporation)
C:\Program Files\Access Remote PC 4.11\rpcsetup.exe:*:Enabled:Access Remote PC (Access Remote PC (www.access-remote-pc.com))
%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 (Microsoft Corporation)
C:\Program Files\Eisenworld\Alohabob\AlohaBob.exe:*:Enabled:Alohabob PC Relocator (Eisenworld)
C:\Program Files\Symantec\pcAnywhere\AWHOST32.EXE:*:Disabled:pcAnywhere Host Service (Symantec Corporation)
C:\Program Files\Symantec\pcAnywhere\awrem32.exe:*:Disabled:pcAnywhere Remote Service (Symantec Corporation)
C:\Program Files\Access Remote PC 4.11\rpcsetup.exe:*:Enabled:Access Remote PC (Access Remote PC (www.access-remote-pc.com))
%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 (Microsoft Corporation)
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger (Yahoo! Inc.)
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe:*:Enabled:Reader_sl (Adobe Systems Incorporated)
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe:*:Enabled:TeaTimer (Safer-Networking Ltd.)
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe:*:Enabled:wkcalrem (Microsoft® Corporation)
C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:IEXPLORE (Microsoft Corporation)
C:\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE:*:Enabled:ccSvcHst (Symantec Corporation)
C:\WINDOWS\system32\3361\svchost.exe:*:Enabled:SVCHOST.EXE (All)
\??\C:\WINDOWS\system32\winlogon.exe:*:enabled:@shell32.dll,-1 (Microsoft Corporation)
C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype ()
C:\Documents and Settings\Nicole\Local Settings\Application Data\zchMiB.exe:*:Enabled:Windows Time Synchronization ()

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01001202-823E-46CD-A70E-BEE818F97169}" = Microsoft Encarta Encyclopedia Standard 2002
"{0BDD3FAD-61CD-4BF3-B9C4-4CEFD43F53F8}" = Norton 360 HTMLHelp
"{10C0E968-6E50-47F3-9787-9862BE009FF0}" = SymNet
"{12BDDF23-B1DB-49C8-92D3-3E6841CCED61}" = Microsoft Streets and Trips 2002
"{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}" = Google Earth
"{206FD69B-F9FE-4164-81BD-D52552BC9C23}" = GearDrvs
"{21829177-4DED-4209-AD08-490B3AC9C01A}" = Norton 360
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{24DF7221-644B-4C3A-A478-459502D40522}" = Backup
"{2D617065-1C52-4240-B5BC-C0AE12157777}" = Norton 360
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{43DCF766-6838-4F9A-8C91-D92DA586DFA8}" = Microsoft Windows Journal Viewer
"{45690715-80A6-4445-B61D-ADEC5888E8CD}" = Symantec Technical Support Controls
"{538D98C6-CFC9-4BD3-B373-653B7A382CE8}" = IE2K
"{55A6283C-638A-4EE0-B491-51118554BDA2}" = Norton Confidential Core
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{77772678-817F-4401-9301-ED1D01A8DA56}" = SPBBC 32bit
"{77E70C3C-DBB9-4C47-8663-1E1F81FEC623}" = Logitech QuickCam
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{90300409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Media Content
"{91110409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional
"{91190409-6000-11D3-8CFE-0050048383C9}" = Microsoft Publisher 2002
"{911B0409-6000-11D3-8CFE-0050048383C9}" = Microsoft Word 2002
"{95D885F5-B696-11D5-9D1D-0050DAB14E03}" = Shockwave Player
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver
"{A1B7B9B3-E1D2-41CA-9B4A-F18DC2710704}" = Microsoft Works 6.0
"{A2F67EA3-0721-4E0D-A7B9-AE8F321303AF}" = D-Link AirPlus XtremeG+ Wireless LAN Adapter
"{AAE10BE5-F398-41C1-9AAF-A59EBF17DFDE}" = Norton Spyware Scan
"{ac76ba86-7ad7-1033-7b44-a81300000003}" = Adobe Reader 8.1.4
"{ac76ba86-7ad7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8
"{ADF98CF7-1458-412F-976F-BF761A26F2A0}" = Alohabob PC Relocator Ultra Control
"{B24E05CC-46FF-4787-BBB8-5CD516AFB118}" = ccCommon
"{b4092c6d-e886-4cb2-ba68-fe5a88d31de6}_is1" = Spybot - Search & Destroy
"{BD3DCAB0-3FE5-44FB-90DA-EFB0A2CD1387}" = Works Synchronization
"{C05E8183-866A-11D3-97DF-0000F8D8F2E9}" = Symantec pcAnywhere
"{C3A439E4-7303-491F-A678-CEA36A87D517}" = Microsoft Works Suite Add-in for Microsoft Word
"{C769A271-7E1C-48F9-B331-474600DD4C06}" = Microsoft Picture It! Photo 2002
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CB84F0F2-927B-458D-9DC5-87832E3DC653}" = GearDrvs
"{cddcbbf1-2703-46bc-938b-bcc81a1eeaaa}" = SUPERAntiSpyware Free Edition
"{CEA5EF64-B694-4B79-9A2C-0FF738906A1D}" = DriverGuide Toolkit
"{cf40acc5-e1bb-4aff-ac72-04c2f616bca7}" = getPlus® for Adobe
"{CF5193F7-6B37-11D5-B7D2-00AA00A204F1}" = Microsoft Money 2002 System Pack
"{D6E6FA4A-5445-4850-8365-CF216C1CBB7A}" = Symantec Real Time Storage Protection Component
"{DC19E750-988B-4005-A355-85EF66055EFE}" = Works Suite OS Pack
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware 2007
"{E7298FD5-1386-11D5-8D6C-0050DAD32D95}" = Microsoft Money 2002
"{E80F62FF-5D3C-4A19-8409-9721F2928206}" = LiveUpdate (Symantec Corporation)
"{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}" = AppCore
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"Access Remote PC 4.11" = Access Remote PC 4.11
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Photoshop 6.0" = Adobe Photoshop 6.0
"FTW" = Family Tree Maker
"getPlus®_ocx" = getPlus®_ocx
"Google Updater" = Google Updater
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{538D98C6-CFC9-4BD3-B373-653B7A382CE8}" = Dell Picture Studio - Image Expert 2000
"InstallShield_{ADF98CF7-1458-412F-976F-BF761A26F2A0}" = Alohabob PC Relocator Ultra Control
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Mozilla Firefox (3.0.1)" = Mozilla Firefox (3.0.1)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MUSICMATCH Jukebox" = MUSICMATCH Jukebox
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Norton Spyware Scan provided by Yahoo!" = Norton Spyware Scan provided by Yahoo!
"Plaxo" = Plaxo Toolbar for Windows
"Plaxo IE Toolbar" = Plaxo Toolbar for Internet Explorer
"PsuedoLiveUpdate" = LiveUpdate (Symantec Corporation)
"Quicken 2001 Deluxe" = Quicken 2001 Deluxe
"RealPlayer 6.0" = RealPlayer
"Shockwave" = Shockwave
"Skype_is1" = Skype 2.5
"SymSetup.{2D617065-1C52-4240-B5BC-C0AE12157777}" = Norton 360 (Symantec Corporation)
"VN_VUIns_Rhine_VIA" = VIA Rhine-Family Fast Ethernet Adapter
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"WS_FTP Pro" = Ipswitch WS_FTP Pro
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Customizations" = Yahoo! extras
"Yahoo! Internet Mail" = Yahoo! Internet Mail
"Yahoo! Messenger" = Yahoo! Messenger
"YInstHelper" = Yahoo! Install Manager

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/20/2009 9:21:13 PM | Computer Name = BIGMONSTER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 4/20/2009 9:21:13 PM | Computer Name = BIGMONSTER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 4/20/2009 9:21:13 PM | Computer Name = BIGMONSTER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 4/20/2009 9:21:14 PM | Computer Name = BIGMONSTER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 4/20/2009 9:21:30 PM | Computer Name = BIGMONSTER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 4/20/2009 9:21:31 PM | Computer Name = BIGMONSTER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 4/20/2009 9:23:17 PM | Computer Name = BIGMONSTER | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 4/20/2009 10:27:49 PM | Computer Name = BIGMONSTER | Source = Application Error | ID = 1000
Description = Faulting application E.tmp, version 0.0.0.0, faulting module E.tmp,
version 0.0.0.0, fault address 0x00001220.

Error - 4/22/2009 11:57:55 PM | Computer Name = BIGMONSTER | Source = Application Error | ID = 1000
Description = Faulting application VRT3.tmp, version 0.0.0.0, faulting module VRT3.tmp,
version 0.0.0.0, fault address 0x000012e5.

Error - 4/23/2009 4:47:29 PM | Computer Name = BIGMONSTER | Source = Application Error | ID = 1000
Description = Faulting application 1E.tmp, version 0.0.0.0, faulting module 1E.tmp,
version 0.0.0.0, fault address 0x00001220.

[ System Events ]
Error - 4/28/2009 12:27:42 PM | Computer Name = BIGMONSTER | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 4/28/2009 12:27:42 PM | Computer Name = BIGMONSTER | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss sasdifsv saskutil SRTSPX symtdi
Tcpip

Error - 4/28/2009 12:28:08 PM | Computer Name = BIGMONSTER | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 4/28/2009 12:31:18 PM | Computer Name = BIGMONSTER | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 4/28/2009 12:43:21 PM | Computer Name = BIGMONSTER | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 4/28/2009 12:43:29 PM | Computer Name = BIGMONSTER | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 4/28/2009 1:42:51 PM | Computer Name = BIGMONSTER | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 4/28/2009 1:43:06 PM | Computer Name = BIGMONSTER | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 4/28/2009 1:45:06 PM | Computer Name = BIGMONSTER | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 4/28/2009 1:45:26 PM | Computer Name = BIGMONSTER | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}


< End of report >

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-28 19:40:40
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code 86F664D0 pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

.reloc C:\WINDOWS\system32\drivers\NDIS.sys section is executable [0x86EC7200, 0x32E2A, 0xE0000060]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\winlogon.exe[232] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA474D
.text C:\WINDOWS\system32\winlogon.exe[232] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA47DC
.text C:\WINDOWS\system32\winlogon.exe[232] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA47E9
.text C:\WINDOWS\system32\winlogon.exe[232] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A63
.text C:\WINDOWS\system32\winlogon.exe[232] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47D2
.text C:\WINDOWS\system32\winlogon.exe[232] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA482A
.text C:\WINDOWS\system32\services.exe[280] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA474D
.text C:\WINDOWS\system32\services.exe[280] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA47DC
.text C:\WINDOWS\system32\services.exe[280] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA47E9
.text C:\WINDOWS\system32\services.exe[280] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A63
.text C:\WINDOWS\system32\services.exe[280] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47D2
.text C:\WINDOWS\system32\services.exe[280] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA482A
.text C:\WINDOWS\system32\svchost.exe[456] C:\WINDOWS\system32\svchost.exe section is writeable [0x01001000, 0x2C00, 0xE0000060]
.rsrc C:\WINDOWS\system32\svchost.exe[456] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000040]
.text C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA474D
.text C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA47DC
.text C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA47E9
.text C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A63
.text C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47D2
.text C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA482A
.text C:\WINDOWS\system32\svchost.exe[564] C:\WINDOWS\system32\svchost.exe section is writeable [0x01001000, 0x2C00, 0xE0000060]
.rsrc C:\WINDOWS\system32\svchost.exe[564] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000040]
.text C:\WINDOWS\system32\svchost.exe[564] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA474D
.text C:\WINDOWS\system32\svchost.exe[564] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA47DC
.text C:\WINDOWS\system32\svchost.exe[564] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA47E9
.text C:\WINDOWS\system32\svchost.exe[564] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A63
.text C:\WINDOWS\system32\svchost.exe[564] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47D2
.text C:\WINDOWS\system32\svchost.exe[564] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA482A
.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[612] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA474D
.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[612] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA47DC
.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[612] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA47E9
.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[612] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A63
.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[612] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47D2
.text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[612] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA482A
.text C:\WINDOWS\system32\svchost.exe[696] C:\WINDOWS\system32\svchost.exe section is writeable [0x01001000, 0x2C00, 0xE0000060]
.rsrc C:\WINDOWS\system32\svchost.exe[696] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000040]
.text C:\WINDOWS\system32\svchost.exe[696] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA474D
.text C:\WINDOWS\system32\svchost.exe[696] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA47DC
.text C:\WINDOWS\system32\svchost.exe[696] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA47E9
.text C:\WINDOWS\system32\svchost.exe[696] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A63
.text C:\WINDOWS\system32\svchost.exe[696] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47D2
.text C:\WINDOWS\system32\svchost.exe[696] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA482A
.text C:\WINDOWS\Explorer.EXE[984] Explorer.EXE 0101A57C 4 Bytes [FF, 15, 1C, 11]
.text C:\WINDOWS\Explorer.EXE[984] C:\WINDOWS\Explorer.EXE section is writeable [0x01001000, 0x44C09, 0xE0000060]
.reloc C:\WINDOWS\Explorer.EXE[984] C:\WINDOWS\Explorer.EXE section is executable [0x010FB000, 0x8800, 0xE0000040]
.text C:\WINDOWS\Explorer.EXE[984] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA474D
.text C:\WINDOWS\Explorer.EXE[984] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA47DC
.text C:\WINDOWS\Explorer.EXE[984] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA47E9
.text C:\WINDOWS\Explorer.EXE[984] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A63
.text C:\WINDOWS\Explorer.EXE[984] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47D2
.text C:\WINDOWS\Explorer.EXE[984] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA482A
.text C:\Documents and Settings\Nicole\Desktop\vtykhzs2.exe[1016] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA474D
.text C:\Documents and Settings\Nicole\Desktop\vtykhzs2.exe[1016] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA47DC
.text C:\Documents and Settings\Nicole\Desktop\vtykhzs2.exe[1016] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA47E9
.text C:\Documents and Settings\Nicole\Desktop\vtykhzs2.exe[1016] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A63
.text C:\Documents and Settings\Nicole\Desktop\vtykhzs2.exe[1016] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47D2
.text C:\Documents and Settings\Nicole\Desktop\vtykhzs2.exe[1016] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA482A
.text C:\WINDOWS\system32\ctfmon.exe[1484] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA474D
.text C:\WINDOWS\system32\ctfmon.exe[1484] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA47DC
.text C:\WINDOWS\system32\ctfmon.exe[1484] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA47E9
.text C:\WINDOWS\system32\ctfmon.exe[1484] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4A63
.text C:\WINDOWS\system32\ctfmon.exe[1484] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA47D2
.text C:\WINDOWS\system32\ctfmon.exe[1484] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA482A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[280] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtQueryDirectoryFile] 00044416
IAT C:\WINDOWS\system32\services.exe[280] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00044416
IAT C:\WINDOWS\system32\services.exe[280] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 000443A8
IAT C:\WINDOWS\system32\services.exe[280] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 0004436A
IAT C:\WINDOWS\system32\services.exe[280] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00044337
IAT C:\WINDOWS\system32\services.exe[280] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00044416
IAT C:\WINDOWS\system32\services.exe[280] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!PeekMessageW] 00044A7E
IAT C:\WINDOWS\system32\services.exe[280] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!GetMessageW] 00044A23
IAT C:\WINDOWS\system32\services.exe[280] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!GetClipboardData] 0004471E
IAT C:\WINDOWS\system32\services.exe[280] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageA] 000449F7
IAT C:\WINDOWS\system32\services.exe[280] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageW] 00044A23
IAT C:\WINDOWS\system32\services.exe[280] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageA] 00044A4F
IAT C:\WINDOWS\system32\services.exe[280] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageW] 00044A7E
IAT C:\WINDOWS\system32\services.exe[280] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 0004471E
IAT C:\WINDOWS\system32\services.exe[280] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetMessageW] 00044A23
IAT C:\WINDOWS\system32\services.exe[280] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!PeekMessageW] 00044A7E
IAT C:\WINDOWS\system32\lsass.exe[296] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00CF4416
IAT C:\WINDOWS\system32\lsass.exe[296] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00CF43A8
IAT C:\WINDOWS\system32\lsass.exe[296] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00CF436A
IAT C:\WINDOWS\system32\lsass.exe[296] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00CF4337
IAT C:\WINDOWS\system32\lsass.exe[296] @ C:\WINDOWS\system32\LSASRV.dll [ntdll.dll!LdrLoadDll] 00CF43A8
IAT C:\WINDOWS\system32\lsass.exe[296] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00CF4416
IAT C:\WINDOWS\system32\lsass.exe[296] @ C:\WINDOWS\system32\SAMSRV.dll [ntdll.dll!LdrLoadDll] 00CF43A8
IAT C:\WINDOWS\system32\lsass.exe[296] @ C:\WINDOWS\system32\SAMSRV.dll [ntdll.dll!LdrGetProcedureAddress] 00CF436A
IAT C:\WINDOWS\system32\lsass.exe[296] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00CF471E
IAT C:\WINDOWS\system32\lsass.exe[296] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetMessageW] 00CF4A23
IAT C:\WINDOWS\system32\lsass.exe[296] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!PeekMessageW] 00CF4A7E
IAT C:\WINDOWS\system32\lsass.exe[296] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!PeekMessageW] 00CF4A7E
IAT C:\WINDOWS\system32\lsass.exe[296] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetMessageW] 00CF4A23
IAT C:\WINDOWS\system32\lsass.exe[296] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00CF471E
IAT C:\WINDOWS\system32\lsass.exe[296] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageA] 00CF49F7
IAT C:\WINDOWS\system32\lsass.exe[296] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageW] 00CF4A23
IAT C:\WINDOWS\system32\lsass.exe[296] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageA] 00CF4A4F
IAT C:\WINDOWS\system32\lsass.exe[296] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageW] 00CF4A7E
IAT C:\WINDOWS\system32\svchost.exe[456] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00AA4337
IAT C:\WINDOWS\system32\svchost.exe[564] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00B64416
IAT C:\WINDOWS\system32\svchost.exe[564] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00B643A8
IAT C:\WINDOWS\system32\svchost.exe[564] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00B6436A
IAT C:\WINDOWS\system32\svchost.exe[564] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00B64337
IAT C:\WINDOWS\system32\svchost.exe[564] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00B6471E
IAT C:\WINDOWS\system32\svchost.exe[564] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetMessageW] 00B64A23
IAT C:\WINDOWS\system32\svchost.exe[564] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!PeekMessageW] 00B64A7E
IAT C:\WINDOWS\system32\svchost.exe[564] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!PeekMessageW] 00B64A7E
IAT C:\WINDOWS\system32\svchost.exe[564] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetMessageW] 00B64A23
IAT C:\WINDOWS\system32\svchost.exe[564] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00B6471E
IAT C:\WINDOWS\system32\svchost.exe[564] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageA] 00B649F7
IAT C:\WINDOWS\system32\svchost.exe[564] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageW] 00B64A23
IAT C:\WINDOWS\system32\svchost.exe[564] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageA] 00B64A4F
IAT C:\WINDOWS\system32\svchost.exe[564] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageW] 00B64A7E
IAT C:\WINDOWS\system32\svchost.exe[564] @ c:\windows\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00B64416
IAT C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[612] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 012A4416
IAT C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[612] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 012A43A8
IAT C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[612] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 012A436A
IAT C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[612] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 012A4337
IAT C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[612] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!PeekMessageW] 012A4A7E
IAT C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[612] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetMessageW] 012A4A23
IAT C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[612] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 012A471E
IAT C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[612] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageA] 012A49F7
IAT C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[612] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageW] 012A4A23
IAT C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[612] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageA] 012A4A4F
IAT C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[612] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageW] 012A4A7E
IAT C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[612] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 012A471E
IAT C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[612] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetMessageW] 012A4A23
IAT C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[612] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!PeekMessageW] 012A4A7E
IAT C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[612] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 012A4416
IAT C:\WINDOWS\system32\svchost.exe[696] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 015B4416
IAT C:\WINDOWS\system32\svchost.exe[696] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 015B43A8
IAT C:\WINDOWS\system32\svchost.exe[696] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 015B436A
IAT C:\WINDOWS\system32\svchost.exe[696] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 015B4337
IAT C:\WINDOWS\system32\svchost.exe[696] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 015B471E
IAT C:\WINDOWS\system32\svchost.exe[696] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetMessageW] 015B4A23
IAT C:\WINDOWS\system32\svchost.exe[696] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!PeekMessageW] 015B4A7E
IAT C:\WINDOWS\system32\svchost.exe[696] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!PeekMessageW] 015B4A7E
IAT C:\WINDOWS\system32\svchost.exe[696] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetMessageW] 015B4A23
IAT C:\WINDOWS\system32\svchost.exe[696] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 015B471E
IAT C:\WINDOWS\system32\svchost.exe[696] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageA] 015B49F7
IAT C:\WINDOWS\system32\svchost.exe[696] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageW] 015B4A23
IAT C:\WINDOWS\system32\svchost.exe[696] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageA] 015B4A4F
IAT C:\WINDOWS\system32\svchost.exe[696] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageW] 015B4A7E
IAT C:\WINDOWS\system32\svchost.exe[696] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 015B4416
IAT C:\WINDOWS\Explorer.EXE[984] @ C:\WINDOWS\Explorer.EXE [USER32.dll!GetMessageW] 01694A23
IAT C:\WINDOWS\Explorer.EXE[984] @ C:\WINDOWS\Explorer.EXE [USER32.dll!PeekMessageW] 01694A7E
IAT C:\WINDOWS\Explorer.EXE[984] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 01694416
IAT C:\WINDOWS\Explorer.EXE[984] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 016943A8
IAT C:\WINDOWS\Explorer.EXE[984] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 0169436A
IAT C:\WINDOWS\Explorer.EXE[984] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 01694337
IAT C:\WINDOWS\Explorer.EXE[984] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 0169471E
IAT C:\WINDOWS\Explorer.EXE[984] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetMessageW] 01694A23
IAT C:\WINDOWS\Explorer.EXE[984] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!PeekMessageW] 01694A7E
IAT C:\WINDOWS\Explorer.EXE[984] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageA] 016949F7
IAT C:\WINDOWS\Explorer.EXE[984] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageW] 01694A23
IAT C:\WINDOWS\Explorer.EXE[984] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageA] 01694A4F
IAT C:\WINDOWS\Explorer.EXE[984] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageW] 01694A7E
IAT C:\WINDOWS\Explorer.EXE[984] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!PeekMessageW] 01694A7E
IAT C:\WINDOWS\Explorer.EXE[984] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetMessageW] 01694A23
IAT C:\WINDOWS\Explorer.EXE[984] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 0169471E
IAT C:\WINDOWS\Explorer.EXE[984] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 01694416
IAT C:\Documents and Settings\Nicole\Desktop\vtykhzs2.exe[1016] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00134416
IAT C:\Documents and Settings\Nicole\Desktop\vtykhzs2.exe[1016] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 001343A8
IAT C:\Documents and Settings\Nicole\Desktop\vtykhzs2.exe[1016] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 0013436A
IAT C:\Documents and Settings\Nicole\Desktop\vtykhzs2.exe[1016] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00134337
IAT C:\Documents and Settings\Nicole\Desktop\vtykhzs2.exe[1016] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!PeekMessageW] 00134A7E
IAT C:\Documents and Settings\Nicole\Desktop\vtykhzs2.exe[1016] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!GetMessageW] 00134A23
IAT C:\Documents and Settings\Nicole\Desktop\vtykhzs2.exe[1016] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!GetClipboardData] 0013471E
IAT C:\Documents and Settings\Nicole\Desktop\vtykhzs2.exe[1016] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageA] 001349F7
IAT C:\Documents and Settings\Nicole\Desktop\vtykhzs2.exe[1016] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageW] 00134A23
IAT C:\Documents and Settings\Nicole\Desktop\vtykhzs2.exe[1016] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageA] 00134A4F
IAT C:\Documents and Settings\Nicole\Desktop\vtykhzs2.exe[1016] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageW] 00134A7E
IAT C:\Documents and Settings\Nicole\Desktop\vtykhzs2.exe[1016] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00134416
IAT C:\Documents and Settings\Nicole\Desktop\vtykhzs2.exe[1016] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 0013471E
IAT C:\Documents and Settings\Nicole\Desktop\vtykhzs2.exe[1016] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetMessageW] 00134A23
IAT C:\Documents and Settings\Nicole\Desktop\vtykhzs2.exe[1016] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!PeekMessageW] 00134A7E
IAT C:\WINDOWS\system32\ctfmon.exe[1484] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00084416
IAT C:\WINDOWS\system32\ctfmon.exe[1484] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 000843A8
IAT C:\WINDOWS\system32\ctfmon.exe[1484] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 0008436A
IAT C:\WINDOWS\system32\ctfmon.exe[1484] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00084337
IAT C:\WINDOWS\system32\ctfmon.exe[1484] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 0008471E
IAT C:\WINDOWS\system32\ctfmon.exe[1484] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetMessageW] 00084A23
IAT C:\WINDOWS\system32\ctfmon.exe[1484] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!PeekMessageW] 00084A7E
IAT C:\WINDOWS\system32\ctfmon.exe[1484] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!PeekMessageW] 00084A7E
IAT C:\WINDOWS\system32\ctfmon.exe[1484] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetMessageW] 00084A23
IAT C:\WINDOWS\system32\ctfmon.exe[1484] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 0008471E
IAT C:\WINDOWS\system32\ctfmon.exe[1484] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageA] 000849F7
IAT C:\WINDOWS\system32\ctfmon.exe[1484] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageW] 00084A23
IAT C:\WINDOWS\system32\ctfmon.exe[1484] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageA] 00084A4F
IAT C:\WINDOWS\system32\ctfmon.exe[1484] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageW] 00084A7E
IAT C:\WINDOWS\system32\ctfmon.exe[1484] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00084416

---- Devices - GMER 1.0.15 ----

Device \Driver\NDIS \Device\Ndis [86ECE984] NDIS.sys[.reloc]

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\ovfsthxtxjwxumo.sys (*** hidden *** ) [SYSTEM] ovfsthxlqtymotp <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxlqtymotp@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxlqtymotp@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxlqtymotp@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxlqtymotp@imagepath \systemroot\system32\drivers\ovfsthxtxjwxumo.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxlqtymotp@inst 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxlqtymotp\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxlqtymotp\main@ver icv140409
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxlqtymotp\main@cid 01
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxlqtymotp\main@bid 620376394-1645522239-879983540-839522115
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxlqtymotp\main@aid 303352
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxlqtymotp\main@sid 5
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxlqtymotp\main@feed 0x22 0x64 0x78 0x36 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxlqtymotp\main@cmddelay 14401
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxlqtymotp\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxlqtymotp\main\ff
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxlqtymotp\main\ff@extension \\?\C:\Program Files\Mozilla Firefox\extensions\{D5D89B37-D849-4EBD-B26A-170324500DB0}
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxlqtymotp\main\ff@version 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxlqtymotp\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxlqtymotp\main\injector@iexplore.exe ovfsthxwi.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxlqtymotp\main\injector@explorer.exe ovfsthxff.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxlqtymotp\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxlqtymotp\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxlqtymotp\modules@ovfsthx.sys \systemroot\system32\drivers\ovfsthxtxjwxumo.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxlqtymotp\modules@ovfsthx.dll \systemroot\system32\ovfsthxqoehtprw.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxlqtymotp\modules@ovfsthxlog.dat \systemroot\system32\ovfsthxwbivmprf.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxlqtymotp\modules@ovfsthxwi.dll \systemroot\system32\ovfsthxhdhlkdgw.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxlqtymotp\modules@ovfsthxff.dll \systemroot\system32\ovfsthxuyvvmlxb.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthxlqtymotp\modules@ovfsthx.dat \systemroot\system32\ovfsthxrxoduifm.dat
Reg HKLM\SYSTEM\ControlSet002\Services\ovfsthxlqtymotp@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\ovfsthxlqtymotp@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\ovfsthxlqtymotp@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\ovfsthxlqtymotp@imagepath \systemroot\system32\drivers\ovfsthxtxjwxumo.sys
Reg HKLM\SYSTEM\ControlSet002\Services\ovfsthxlqtymotp@inst 0
Reg HKLM\SYSTEM\ControlSet002\Services\ovfsthxlqtymotp\main
Reg HKLM\SYSTEM\ControlSet002\Services\ovfsthxlqtymotp\main@ver icv140409
Reg HKLM\SYSTEM\ControlSet002\Services\ovfsthxlqtymotp\main@cid 01
Reg HKLM\SYSTEM\ControlSet002\Services\ovfsthxlqtymotp\main@bid 620376394-1645522239-879983540-839522115
Reg HKLM\SYSTEM\ControlSet002\Services\ovfsthxlqtymotp\main@aid 303352
Reg HKLM\SYSTEM\ControlSet002\Services\ovfsthxlqtymotp\main@sid 5
Reg HKLM\SYSTEM\ControlSet002\Services\ovfsthxlqtymotp\main@feed 0x22 0x64 0x78 0x36 ...
Reg HKLM\SYSTEM\ControlSet002\Services\ovfsthxlqtymotp\main@cmddelay 14401
Reg HKLM\SYSTEM\ControlSet002\Services\ovfsthxlqtymotp\main\delete
Reg HKLM\SYSTEM\ControlSet002\Services\ovfsthxlqtymotp\main\ff
Reg HKLM\SYSTEM\ControlSet002\Services\ovfsthxlqtymotp\main\ff@extension \\?\C:\Program Files\Mozilla Firefox\extensions\{D5D89B37-D849-4EBD-B26A-170324500DB0}
Reg HKLM\SYSTEM\ControlSet002\Services\ovfsthxlqtymotp\main\ff@version 1
Reg HKLM\SYSTEM\ControlSet002\Services\ovfsthxlqtymotp\main\injector
Reg HKLM\SYSTEM\ControlSet002\Services\ovfsthxlqtymotp\main\injector@iexplore.exe ovfsthxwi.dll
Reg HKLM\SYSTEM\ControlSet002\Services\ovfsthxlqtymotp\main\injector@explorer.exe ovfsthxff.dll
Reg HKLM\SYSTEM\ControlSet002\Services\ovfsthxlqtymotp\main\tasks
Reg HKLM\SYSTEM\ControlSet002\Services\ovfsthxlqtymotp\modules
Reg HKLM\SYSTEM\ControlSet002\Services\ovfsthxlqtymotp\modules@ovfsthx.sys \systemroot\system32\drivers\ovfsthxtxjwxumo.sys
Reg HKLM\SYSTEM\ControlSet002\Services\ovfsthxlqtymotp\modules@ovfsthx.dll \systemroot\system32\ovfsthxqoehtprw.dll
Reg HKLM\SYSTEM\ControlSet002\Services\ovfsthxlqtymotp\modules@ovfsthxlog.dat \systemroot\system32\ovfsthxwbivmprf.dat
Reg HKLM\SYSTEM\ControlSet002\Services\ovfsthxlqtymotp\modules@ovfsthxwi.dll \systemroot\system32\ovfsthxhdhlkdgw.dll
Reg HKLM\SYSTEM\ControlSet002\Services\ovfsthxlqtymotp\modules@ovfsthxff.dll \systemroot\system32\ovfsthxuyvvmlxb.dll
Reg HKLM\SYSTEM\ControlSet002\Services\ovfsthxlqtymotp\modules@ovfsthx.dat \systemroot\system32\ovfsthxrxoduifm.dat

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\dllcache\ndis.sys (size mismatch) 213120/182656 bytes executable
File C:\WINDOWS\system32\drivers\ndis.sys (size mismatch) 213120/182656 bytes executable
File C:\WINDOWS\system32\drivers\symndis.sys (size mismatch) 37424/182656 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\ntos.exe 348160 bytes executable
File C:\WINDOWS\system32\wsnpoem 0 bytes
File C:\WINDOWS\system32\wsnpoem\audio.dll 0 bytes
File C:\WINDOWS\system32\wsnpoem\video.dll 36086 bytes
File C:\WINDOWS\$NtServicePackUninstall$\ndis.sys (size mismatch) 182912/182656 bytes executable

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\System32\Drivers\SYMNDIS.SYS (NDIS Filter Driver/Symantec Corporation) [MANUAL] SYMNDIS <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

#4 Endee

  • Topic Starter
  • Members
  • 17 posts
  • Gender:Female
  • Location:Wisconsin, USA
  • Local time:03:31 PM

Posted 25 May 2009 - 01:35 PM

I know we are not supposed to "bump" topics but I haven't heard back from anyone since my April 28 posting and I believe I must have slipped through the cracks. Can anyone help me with this?

Thanks in advance.

Endee

#5 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:04:31 PM

Posted 25 May 2009 - 01:44 PM

So sorry for not replying sooner; I was never notified via my email that you had posted.
I am very sorry.

If you are not connected to the internet then please transfer this via a USB stick or CD.
============================================
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#6 Endee

  • Topic Starter
  • Members
  • 17 posts
  • Gender:Female
  • Location:Wisconsin, USA
  • Local time:03:31 PM

Posted 02 June 2009 - 01:12 PM

Not a problem - thank you for your reply!

Well, I just tried ComboFix but - even though renamed - it's not working. I copy/paste it to my infected desktop, then double-click, and then it thinks and thinks, and then posts me an error message and, as soon as I click OK to the error message, I see that the icon has also already been removed from my desktop. I guess the virus is finding it immediately and annihilating it.

Do I have any other options?

Thanks so much!
Endee

#7 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:04:31 PM

Posted 02 June 2009 - 05:45 PM

Does it happen to say that you are infected with Virut?

If so then there is no recovery.

Let me know if that is what it says.

#8 Endee

  • Topic Starter
  • Members
  • 17 posts
  • Gender:Female
  • Location:Wisconsin, USA
  • Local time:03:31 PM

Posted 02 June 2009 - 11:00 PM

Not as part of the error message - it was illegible, unfortunately, because I was forced to work in safe mode and can only see part of the screen.

However, as part of a previous scan (I forget which and where; I've done so many!) I noticed a file called Virus.Win32.virut.ce and made myself a note of it. Presumably this is the Virut virus, then?

You say there is no recovery? What does that mean, exactly? I mean, do I have to junk the computer now? Or do you just mean that I can't salvage my data, but I could re-format or something? What would you recommend?

Thanks so much.

Endee

#9 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:04:31 PM

Posted 02 June 2009 - 11:30 PM

However, as part of a previous scan (I forget which and where; I've done so many!) I noticed a file called Virus.Win32.virut.ce and made myself a note of it. Presumably this is the Virut virus, then?

You say there is no recovery? What does that mean, exactly? I mean, do I have to junk the computer now? Or do you just mean that I can't salvage my data, but I could re-format or something? What would you recommend?

Thanks so much.

Endee

Virut is a file-infecting virus which is able to modify itself each and every time it runs. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.
For these reasons, you really can't truly fix Virut. You will need to format/reinstall the operating system on this machine.

More information:
http://miekiemoes.blogspot.com/2009/02/vir...s-throwing.html
https://forums2.symantec.com/t5/Malicious-C...age/ba-p/388834
http://free.avg.com/66558

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus.


http://home.mcafee.com/VirusInfo/VirusProf...aspx?key=143034

W32/Virut.h is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It can accept commands to download other malware on the compromised machine.
It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:
  • Immediately before the encrypted code at the end of the last section
  • At the end of the code section of the infected host in 'slack-space' (assuming there is any)
  • At the original entry point of the host (overwriting the original host code)

What this means is we cannot proceed with any sort of fix as your legitimate files have already been corrupted and this action is, unfortunately, irreversible. I apologize but there is nothing else I can do or advise to completely clear your machine. You must reformat your PC to rid yourself of this deadly virus.
=============================
Guide to reformat\reinstall can be found here > http://www.geekstogo.com/forum/Reformat-In...up+reinstall+XP

You can use a Linux live CD to attempt to back up any salvageable files; instructions are below.
http://www.howtogeek.com/howto/windows-vis...ndows-computer/
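
An added example, not code from this thread or from any of the vendors quoted above: a small defender-side PE triage check for the appending / entry-point-obscuring pattern the McAfee description lays out (code added to the last section, entry point moved or overwritten). It runs over two constructed in-memory PE images; the section layout, offsets and helper names are assumptions made for the example.

```python
# Added example, not from this thread: a defender's triage heuristic for the
# appending / entry-point-obscuring infection pattern described above. It parses
# the PE headers and flags an entry point that lands in the last section or in a
# section not marked as code, and a last section that is executable without
# being a code section. Both PE images below are constructed in-memory samples.
import struct

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) from the PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(n_sections):
        f = SECTION_HDR.unpack_from(data, opt + opt_size + i * SECTION_HDR.size)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": f[1], "va": f[2], "rawsize": f[3],
                         "rawptr": f[4], "chars": f[9]})
    return entry_rva, sections

def triage(data):
    """Return a list of findings; an empty list means nothing suspicious."""
    entry_rva, sections = parse_pe(data)
    host = next((s for s in sections if s["va"] <= entry_rva
                 < s["va"] + max(s["vsize"], s["rawsize"])), None)
    if host is None:
        return ["entry point lies outside every section"]
    last, findings = sections[-1], []
    if host is last and len(sections) > 1:
        findings.append("entry point in last section '%s'" % host["name"])
    if not host["chars"] & IMAGE_SCN_CNT_CODE:
        findings.append("entry section '%s' not marked as code" % host["name"])
    if last["chars"] & IMAGE_SCN_MEM_EXECUTE and not last["chars"] & IMAGE_SCN_CNT_CODE:
        findings.append("last section executable but not a code section")
    return findings

def build_pe(section_spec, entry_rva, file_align=0x200):
    """Construct a minimal PE32 image from (name, rva, raw_size, characteristics)."""
    n = len(section_spec)
    hdr_raw = -(-(0x40 + 4 + 20 + 224 + SECTION_HDR.size * n) // file_align) * file_align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)            # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)             # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, file_align)  # Section/FileAlignment
    headers, body, rawptr = b"", b"", hdr_raw
    for name, rva, size, chars in section_spec:
        headers += SECTION_HDR.pack(name.ljust(8, b"\0"), size, rva, size, rawptr,
                                    0, 0, 0, 0, chars)
        body += bytes(size)
        rawptr += size
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + headers
    return image.ljust(hdr_raw, b"\0") + body

CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
# Constructed clean layout: entry point inside .text.
CLEAN = build_pe([(b".text", 0x1000, 0x200, CODE), (b".data", 0x2000, 0x200, DATA)], 0x1010)
# Constructed infected-looking layout: .data grown, made executable, entry point moved into it.
SUSPECT = build_pe([(b".text", 0x1000, 0x200, CODE),
                    (b".data", 0x2000, 0x600, DATA | IMAGE_SCN_MEM_EXECUTE)], 0x2200)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, triage(img) or ["no findings"])
```

These are heuristics, not a signature: a packer or an unusual linker layout can trigger the same findings, so a hit is a reason to look closer, not proof of infection.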

#10 Endee

  • Topic Starter
  • Members
  • 17 posts
  • Gender:Female
  • Location:Wisconsin, USA
  • Local time:03:31 PM

Posted 03 June 2009 - 01:55 PM

Dear Kahdah,

Thank you so much for all your detailed help and for the link to instructions for attempting to back up any salvageable files.

One question in that regard: if I attempt the backup, won't I have to worry that I am backing up files containing the virus? And that I would then be reloading the virus back onto my PC after reformatting? I am trying to decide whether I should bother at all, or whether it would be better to just use my last pre-virus backup and cut my more recent losses.

Thanks again for your advice.

Best regards,

Endee

#11 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:04:31 PM

Posted 03 June 2009 - 06:05 PM

The only way to know for sure that there is no virus attached to anything is to scan the files before reimplementing them back onto the new install.
Better to burn the files to disk, not transfer them to a removable drive, to avoid any transferring of the virus.



