Redirects in search engine results


This topic is locked
14 replies to this topic

#1 Ferrous

  • Members
  • 7 posts

Posted 02 May 2009 - 09:50 PM

Sometimes when I click on a search result in Google or Yahoo, using either Internet Explorer or Firefox, I get redirects to completely unrelated websites. The examples I can recall right now are redirects to Nationwide, eBay, a site for some sort of anti-spyware software (LOL irony), an animal search site, and a cow survey, which asks me whether a picture of a cow is, in fact, a cow.

I have tried Ad-Aware, Spybot Search & Destroy, and Kaspersky Internet Security 2009, all with the current updates. None have been able to detect the problem. Below is the log produced today by HijackThis in safe mode. I am hoping someone can interpret this and see if there are any problems.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:41:51 PM, on 5/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8954 bytes
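As an added example (not part of this thread and not HijackThis's own code), a small Python triage script that parses lines in the HijackThis format shown above and flags the entries a helper looks at first: R0/R1 pages that are not the Microsoft defaults, BHOs with no name or no backing file, O4 autoruns launched from user-writable folders, O20 AppInit_DLLs, and O23 services with an unknown owner or a missing file. The sample log, the {11111111-…} CLSID and the Temp\svchost.exe entry are constructed to exercise the checks; the heuristics are ordinary triage rules, not verdicts about the log above.

```python
import re
from dataclasses import dataclass

# Constructed HijackThis v2 excerpt in the same line format as the posted log.
# The {11111111-...} BHO and the Temp\svchost.exe autorun are made up.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Safe mode

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example.invalid/q
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11111111-2222-3333-4444-555555555555} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\svchost.exe
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
--
End of file - 1234 bytes
"""

# Every HijackThis entry line starts with a section code such as R0, O2, O23.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")

# Start/search pages that IE ships with (both prefixes appear in the posted logs).
MS_DEFAULT_PREFIXES = ("http://go.microsoft.com/fwlink/",
                       "http://www.microsoft.com/isapi/redir.dll")
# Autoruns living here are unusual for legitimate software (XP-era paths).
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\")


@dataclass
class Finding:
    code: str
    severity: str   # "review" or "high"
    reason: str
    entry: str


def parse_entries(log_text):
    """Return (code, body) for every entry line; header and footer lines are skipped."""
    out = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            out.append((m.group("code"), m.group("body")))
    return out


def _check_browser_page(body):
    # body: "<registry key>,<value name> = <data>"; only URL-valued entries are judged
    _key, sep, value = body.partition(" = ")
    if not sep or not value.lower().startswith("http"):
        return None                       # e.g. ProxyOverride = *.local
    if value.startswith(MS_DEFAULT_PREFIXES):
        return None
    return ("review", "browser start/search page is not a Microsoft default: " + value)


def _check_bho(body):
    # body: "BHO: <name> - {CLSID} - <dll path>"
    parts = body.split(" - ")
    name = parts[0][len("BHO: "):] if parts[0].startswith("BHO: ") else parts[0]
    if name == "(no name)" or parts[-1] == "(no file)":
        return ("review", "BHO without a display name or backing file")
    return None


def _check_run(body):
    # body: "<hive>\..\Run: [<value name>] <command line>"
    _prefix, _sep, command = body.partition("] ")
    if any(marker in command.lower() for marker in USER_WRITABLE):
        return ("high", "autorun launched from a user-writable location")
    return None


def _check_service(body):
    # body: "Service: <name> - <owner> - <path> [(file missing)]"
    reasons = []
    if "Unknown owner" in body:
        reasons.append("service binary carries no company name")
    if body.endswith("(file missing)"):
        reasons.append("service points at a file that no longer exists")
    return ("review", "; ".join(reasons)) if reasons else None


CHECKS = {"R0": _check_browser_page, "R1": _check_browser_page,
          "O2": _check_bho, "O4": _check_run, "O23": _check_service}


def triage(log_text):
    """Run the per-section checks and return the entries worth a closer look."""
    findings = []
    for code, body in parse_entries(log_text):
        if code == "O20":   # AppInit_DLLs are loaded into every GUI process
            findings.append(Finding(code, "review",
                                    "AppInit_DLLs entry; confirm the vendor", body))
            continue
        check = CHECKS.get(code)
        result = check(body) if check else None
        if result:
            findings.append(Finding(code, result[0], result[1], body))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'review': 5, 'high': 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.code}: {f.reason}\n         {f.entry}")
```

On the sample the O4 Temp entry is the only high finding; the unknown-owner services (the same pattern as the Macromedia and GameGuard lines in the log above) are flagged for review, not declared malicious.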

#2 Buckeye_Sam

  • Malware Expert
  • Members
  • 17,382 posts
  • Gender: Male
  • Location: Pickerington, Ohio

Posted 03 May 2009 - 11:13 AM

Hello!
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTListIt2 Report
  • Please download OTListIt2 from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the "Run Scan" button.
  • The scan should take just a few minutes.
  • Copy the log that opens up and paste it back here in your next reply.



=============


The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Ferrous

  • Topic Starter
  • Members
  • 7 posts

Posted 03 May 2009 - 05:20 PM

This is the OTListIt2 report. Looking at it myself, I see some O1 logs, which I assume are redirects. I do not recognize some of the URLs, and some of the URLs I think I recognize from some Spybot Search & Destroy logs. I'm going to assume getting rid of them would help, but I don't know how to delete them.

OTListIt logfile created on: 5/3/2009 5:59:00 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.15.3 Folder = C:\Documents and Settings\Nicolas_2\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.48 Mb Total Physical Memory | 442.50 Mb Available Physical Memory | 43.24% Memory free
2.40 Gb Paging File | 1.94 Gb Available in Paging File | 81.08% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 127.99 Gb Total Space | 22.41 Gb Free Space | 17.51% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 38.28 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF
Drive F: | 650.25 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive G: | 186.30 Gb Total Space | 136.28 Gb Free Space | 73.15% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: FERRO-8588ED12C
Current User Name: Nicolas_2
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2009/04/29 18:18:27 | 00,953,168 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2008/02/18 11:16:30 | 00,110,592 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2006/02/28 13:42:38 | 00,229,376 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2009/02/13 10:25:10 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2007/07/25 15:50:26 | 00,079,136 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe
PRC - [2007/08/02 12:33:50 | 00,080,528 | ---- | M] (INCA Internet Co., Ltd.) -- C:\Nexon\Mabinogi\npkcmsvc.exe
PRC - [2006/06/01 18:22:00 | 00,155,715 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2007/02/10 05:29:56 | 00,089,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2007/07/27 08:00:00 | 00,016,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\unsecapp.exe
PRC - [2009/02/06 06:10:02 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
PRC - [2008/04/13 20:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2009/04/29 18:18:27 | 00,516,440 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2004/07/01 06:23:32 | 00,067,584 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
PRC - [2004/08/22 17:05:02 | 00,081,920 | ---- | M] (DAEMON'S HOME) -- C:\Program Files\D-Tools\daemon.exe
PRC - [2009/02/13 10:25:10 | 00,136,600 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2007/05/10 23:46:20 | 00,624,248 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
PRC - [2007/07/18 17:55:20 | 00,451,872 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
PRC - [2007/06/01 10:21:08 | 00,153,136 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
PRC - [2009/03/11 12:00:54 | 24,095,528 | R--- | M] (Skype Technologies S.A.) -- C:\Program Files\Skype\Phone\Skype.exe
PRC - [2007/06/01 10:21:30 | 00,271,920 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
PRC - [2007/06/01 10:21:30 | 01,209,904 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
PRC - [2008/03/08 10:49:11 | 00,658,432 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
PRC - [2008/12/29 00:05:26 | 04,578,816 | ---- | M] (Obsidian Entertainment, Inc.) -- C:\Program Files\LucasArts\SWKotOR2\swkotor2.exe
PRC - [2009/04/27 22:04:55 | 00,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/05/03 17:57:36 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Nicolas_2\Desktop\OTListIt2.exe
PRC - [2008/04/13 20:12:41 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe

========== Win32 Services (SafeList) ==========

SRV - [2007/03/20 17:41:24 | 00,153,792 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe -- (Adobe Version Cue CS3 [On_Demand | Stopped])
SRV - [2008/02/18 11:16:30 | 00,110,592 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2007/10/24 01:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2009/05/01 21:01:32 | 00,206,088 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe -- (AVP [Auto | Stopped])
SRV - [2006/02/28 13:42:38 | 00,229,376 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
SRV - [2007/10/24 01:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/03/08 10:49:11 | 00,658,432 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service [On_Demand | Running])
SRV - [2006/10/20 21:21:24 | 00,036,864 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2009/03/23 17:53:01 | 00,183,280 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [Auto | Stopped])
SRV - [2008/04/13 20:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2006/10/30 03:33:58 | 00,741,376 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2009/02/13 10:25:10 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2009/04/29 18:18:27 | 00,953,168 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service [Auto | Running])
SRV - [2007/07/25 15:50:26 | 00,079,136 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService [Auto | Running])
SRV - [2005/07/17 00:29:18 | 00,068,096 | ---- | M] () -- C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe -- (Macromedia Licensing Service [On_Demand | Stopped])
SRV - [2007/02/10 05:29:54 | 29,178,224 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$SONY_MEDIAMGR2 [On_Demand | Stopped])
SRV - [2005/10/14 02:50:20 | 00,045,272 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper [Disabled | Stopped])
SRV - [2007/04/13 21:09:56 | 00,792,112 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe -- (NBService [On_Demand | Stopped])
SRV - [2006/10/30 03:34:02 | 00,122,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2007/06/01 10:21:30 | 00,271,920 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe -- (NMIndexingService [On_Demand | Running])
SRV - [2009/02/17 12:59:00 | 02,794,234 | ---- | M] (INCA Internet Co., Ltd.) -- C:\WINDOWS\system32\GameMon.des -- (npggsvc [On_Demand | Stopped])
SRV - [2007/08/02 12:33:50 | 00,080,528 | ---- | M] (INCA Internet Co., Ltd.) -- C:\Nexon\Mabinogi\npkcmsvc.exe -- (npkcmsvc [Auto | Running])
SRV - [2006/06/01 18:22:00 | 00,155,715 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc [Auto | Running])
SRV - [2003/07/28 13:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2007/02/10 05:29:48 | 00,242,544 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser [Disabled | Stopped])
SRV - [2007/02/10 05:29:56 | 00,089,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter [Auto | Running])
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2003/12/10 03:21:16 | 00,004,224 | R--- | M] (ABIT Computer Corp.) -- C:\WINDOWS\System32\Drivers\AC2003.sys -- (AC2003 [On_Demand | Stopped])
DRV - [2004/02/23 23:08:52 | 00,400,384 | ---- | M] (Sensaura) -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS -- (ALCXSENS [On_Demand | Running])
DRV - [2004/07/01 02:49:00 | 00,626,977 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM [On_Demand | Running])
DRV - [2004/08/22 16:31:10 | 00,155,136 | ---- | M] ( ) -- C:\WINDOWS\system32\DRIVERS\d347bus.sys -- (d347bus [Boot | Running])
DRV - [2004/08/22 16:31:48 | 00,005,248 | ---- | M] ( ) -- C:\WINDOWS\System32\Drivers\d347prt.sys -- (d347prt [Boot | Running])
DRV - [2006/06/01 18:47:40 | 00,334,976 | ---- | M] (Windows ® 2000 DDK provider) -- C:\WINDOWS\System32\drivers\dumant.sys -- (DumaNT [On_Demand | Running])
DRV - [2008/07/21 18:34:36 | 00,121,872 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\system32\drivers\kl1.sys -- (kl1 [Boot | Running])
DRV - [2009/05/01 21:01:32 | 00,033,808 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\system32\drivers\klbg.sys -- (klbg [Boot | Running])
DRV - [2008/03/13 19:02:46 | 00,026,640 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\system32\DRIVERS\klfltdev.sys -- (KLFLTDEV [On_Demand | Running])
DRV - [2009/05/01 21:01:32 | 00,213,520 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\system32\DRIVERS\klif.sys -- (KLIF [System | Running])
DRV - [2008/04/30 18:06:48 | 00,024,592 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\system32\DRIVERS\klim5.sys -- (klim5 [On_Demand | Running])
DRV - [2009/04/29 18:18:38 | 00,064,160 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd [Boot | Running])
DRV - [2007/06/26 10:39:02 | 00,035,600 | ---- | M] (INCA Internet Co., Ltd.) -- C:\Nexon\Mabinogi\npkcrypt.sys -- (npkcrypt [Auto | Running])
DRV - [2007/04/20 16:49:54 | 00,024,272 | ---- | M] (INCA Internet Co., Ltd.) -- C:\Nexon\Mabinogi\npkcusb.sys -- (npkcusb [On_Demand | Stopped])
DRV - [2006/06/01 18:22:00 | 03,925,920 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Running])
DRV - [2007/07/27 08:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2007/03/07 19:51:00 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2004/08/03 18:31:34 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) -- C:\WINDOWS\system32\DRIVERS\RTL8139.SYS -- (rtl8139 [On_Demand | Running])
DRV - [2008/09/07 20:02:38 | 00,021,920 | ---- | M] (Screaming Bee LLC) -- C:\WINDOWS\system32\drivers\ScreamingBAudio.sys -- (SCREAMINGBDRIVER [On_Demand | Running])
DRV - [2007/11/13 06:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2008/06/09 14:25:30 | 00,716,272 | ---- | M] () -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd [Boot | Running])
DRV - [2007/03/01 11:34:36 | 00,028,352 | ---- | M] (Avira GmbH) -- C:\WINDOWS\system32\DRIVERS\ssmdrv.sys -- (ssmdrv [System | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1292428093-1592454029-725345543-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-1292428093-1592454029-725345543-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-1292428093-1592454029-725345543-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\S-1-5-21-1292428093-1592454029-725345543-1006\S-1-5-21-1292428093-1592454029-725345543-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1292428093-1592454029-725345543-1006\S-1-5-21-1292428093-1592454029-725345543-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com"
FF - prefs.js..extensions.enabledItems: {008E309A-BEF2-490B-8C93-5F4F960212E0}:1.0
FF - prefs.js..extensions.enabledItems: {084DB72C-888A-4FB2-AB7D-6EEEA05CE357}:1.0
FF - prefs.js..extensions.enabledItems: {0A2E1FAB-7AF8-4F7B-812F-1AFDBC8CFB77}:1.0
FF - prefs.js..extensions.enabledItems: {27BFC822-4982-486E-87D0-8EDA5B025594}:1.0
FF - prefs.js..extensions.enabledItems: {3EC0F8E7-5191-4CDC-B5D0-9F9C407C9565}:1.0
FF - prefs.js..extensions.enabledItems: {59E0F413-490D-4EE8-A96B-A525E0D1F4CE}:1.0
FF - prefs.js..extensions.enabledItems: {5CD2542C-B367-493E-946B-3A5CEFF6FD2D}:1.0
FF - prefs.js..extensions.enabledItems: {62160CC9-6A7A-4E20-B86D-DB7BB001AE8A}:1.0
FF - prefs.js..extensions.enabledItems: {6A8A548D-7F64-4BD8-ADD1-9451A552F657}:1.0
FF - prefs.js..extensions.enabledItems: {6E861D53-9364-4632-82B5-3D52C6CDD293}:1.0
FF - prefs.js..extensions.enabledItems: {76C7816B-3FD7-4E2F-ACFF-497F821AC894}:1.0
FF - prefs.js..extensions.enabledItems: {7C7C462A-F7DD-48A0-8E20-AE318F05A660}:1.0
FF - prefs.js..extensions.enabledItems: {83BEEA88-ECD8-47E4-BE07-EA8D54A4E466}:1.0
FF - prefs.js..extensions.enabledItems: {841BD3C0-2E81-427C-A51B-AF54DCCF0697}:1.0
FF - prefs.js..extensions.enabledItems: {A0F2F9EB-CA5C-474D-B5B2-21DB1EB1FD5A}:1.0
FF - prefs.js..extensions.enabledItems: {A112CA34-52F6-43A9-A01A-9BC04FC22B74}:1.0
FF - prefs.js..extensions.enabledItems: {A88EF7BE-9F47-4652-A893-9BE70FB47927}:1.0
FF - prefs.js..extensions.enabledItems: {B04ABCF3-0465-429A-932F-BDAEE9C24E23}:1.0
FF - prefs.js..extensions.enabledItems: {B60E8E39-8A54-482B-91C4-4B11D7641B0E}:1.0
FF - prefs.js..extensions.enabledItems: {BBF18185-B3D0-4303-887C-7F7ED0909768}:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}:6.0.02
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}:6.0.03
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}:6.0.07
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}:6.0.11
FF - prefs.js..extensions.enabledItems: {CC683057-4CC9-424D-A3CF-9A9BCF65852D}:1.0
FF - prefs.js..extensions.enabledItems: {D0B872BA-8179-4271-9DFF-C479531567A8}:1.0
FF - prefs.js..extensions.enabledItems: {DC3D3503-359F-4C88-AB7B-E21A6604551A}:1.0
FF - prefs.js..extensions.enabledItems: {E473719E-95AB-42B6-A052-44705B2F90DF}:1.0
FF - prefs.js..extensions.enabledItems: {E57C25A9-CFE2-47FC-B213-F81E4A9D971C}:1.0
FF - prefs.js..extensions.enabledItems: {E6DBD082-ABF0-44EE-9AD7-0D71F74BC0E5}:1.0
FF - prefs.js..extensions.enabledItems: {F1A2FB3B-B16A-4988-B308-B22B274CEA30}:1.0
FF - prefs.js..extensions.enabledItems: {F4917B1F-1822-4980-819E-5639140FF8D3}:1.0
FF - prefs.js..extensions.enabledItems: {FB4ED38D-7DB0-46CA-931B-4436158F7F34}:1.0
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.10

FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2009/02/13 10:25:11 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009/04/30 18:43:54 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/04/27 22:05:00 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\{eea12ec4-729d-4703-bc37-106ce9879ce2}: C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY INTERNET SECURITY 2009\THBEXT [2009/05/01 20:54:27 | 00,000,000 | ---D | M]

[2008/08/27 21:56:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nicolas_2\Application Data\mozilla\Extensions
[2008/08/27 21:56:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nicolas_2\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/02/13 10:31:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nicolas_2\Application Data\mozilla\Firefox\Profiles\prfsper6.default\extensions
[2008/03/16 22:51:49 | 00,001,878 | ---- | M] () -- C:\Documents and Settings\Nicolas_2\Application Data\Mozilla\FireFox\Profiles\prfsper6.default\searchplugins\aolsearch.xml
[2008/04/04 22:37:52 | 00,000,891 | ---- | M] () -- C:\Documents and Settings\Nicolas_2\Application Data\Mozilla\FireFox\Profiles\prfsper6.default\searchplugins\dictionarycom.xml
[2008/03/20 10:41:03 | 00,002,005 | ---- | M] () -- C:\Documents and Settings\Nicolas_2\Application Data\Mozilla\FireFox\Profiles\prfsper6.default\searchplugins\scrapetorrent.xml
[2008/03/17 17:19:06 | 00,005,549 | ---- | M] () -- C:\Documents and Settings\Nicolas_2\Application Data\Mozilla\FireFox\Profiles\prfsper6.default\searchplugins\the-free-dictionary.xml
[2008/04/04 22:37:50 | 00,000,888 | ---- | M] () -- C:\Documents and Settings\Nicolas_2\Application Data\Mozilla\FireFox\Profiles\prfsper6.default\searchplugins\thesauruscom.xml
[2008/03/17 17:42:53 | 00,001,058 | ---- | M] () -- C:\Documents and Settings\Nicolas_2\Application Data\Mozilla\FireFox\Profiles\prfsper6.default\searchplugins\wikipedia-en.xml
[2008/03/17 17:31:05 | 00,002,109 | ---- | M] () -- C:\Documents and Settings\Nicolas_2\Application Data\Mozilla\FireFox\Profiles\prfsper6.default\searchplugins\youtube-video-search.xml
[2009/05/03 17:44:38 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/04/29 18:20:24 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{008E309A-BEF2-490B-8C93-5F4F960212E0}
[2009/04/22 16:27:56 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{084DB72C-888A-4FB2-AB7D-6EEEA05CE357}
[2009/04/21 15:59:06 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{0A2E1FAB-7AF8-4F7B-812F-1AFDBC8CFB77}
[2009/05/01 21:09:12 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{27BFC822-4982-486E-87D0-8EDA5B025594}
[2009/04/20 09:46:56 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{3EC0F8E7-5191-4CDC-B5D0-9F9C407C9565}
[2009/05/02 21:54:45 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{59E0F413-490D-4EE8-A96B-A525E0D1F4CE}
[2009/04/20 16:21:20 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{5CD2542C-B367-493E-946B-3A5CEFF6FD2D}
[2009/04/28 20:18:43 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{62160CC9-6A7A-4E20-B86D-DB7BB001AE8A}
[2009/05/01 20:52:39 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{6A8A548D-7F64-4BD8-ADD1-9451A552F657}
[2009/04/22 21:24:43 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{6E861D53-9364-4632-82B5-3D52C6CDD293}
[2009/04/21 06:56:39 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{76C7816B-3FD7-4E2F-ACFF-497F821AC894}
[2009/05/03 10:47:56 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{7C7C462A-F7DD-48A0-8E20-AE318F05A660}
[2009/04/23 15:56:20 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{83BEEA88-ECD8-47E4-BE07-EA8D54A4E466}
[2009/04/26 21:53:36 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{841BD3C0-2E81-427C-A51B-AF54DCCF0697}
[2009/04/22 21:25:56 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/04/20 09:07:54 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{A0F2F9EB-CA5C-474D-B5B2-21DB1EB1FD5A}
[2009/04/19 09:29:49 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{A112CA34-52F6-43A9-A01A-9BC04FC22B74}
[2009/05/02 22:10:16 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{A88EF7BE-9F47-4652-A893-9BE70FB47927}
[2009/04/27 17:45:22 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{B04ABCF3-0465-429A-932F-BDAEE9C24E23}
[2009/05/02 21:14:26 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{B60E8E39-8A54-482B-91C4-4B11D7641B0E}
[2009/04/19 08:45:50 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{BBF18185-B3D0-4303-887C-7F7ED0909768}
[2007/05/11 14:14:36 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
[2007/08/09 14:42:43 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
[2007/11/23 21:51:05 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
[2008/07/30 15:33:01 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
[2009/02/13 10:25:25 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
[2009/04/29 18:14:23 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CC683057-4CC9-424D-A3CF-9A9BCF65852D}
[2009/05/01 13:36:52 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{D0B872BA-8179-4271-9DFF-C479531567A8}
[2009/04/28 07:09:56 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{DC3D3503-359F-4C88-AB7B-E21A6604551A}
[2009/05/03 17:43:47 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{E473719E-95AB-42B6-A052-44705B2F90DF}
[2009/05/01 20:27:09 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{E57C25A9-CFE2-47FC-B213-F81E4A9D971C}
[2009/04/28 16:35:37 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{E6DBD082-ABF0-44EE-9AD7-0D71F74BC0E5}
[2009/04/20 09:44:09 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{F1A2FB3B-B16A-4988-B308-B22B274CEA30}
[2009/04/19 21:32:35 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{F4917B1F-1822-4980-819E-5639140FF8D3}
[2009/04/29 21:42:40 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{FB4ED38D-7DB0-46CA-931B-4436158F7F34}
[2009/04/27 22:04:55 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/04/27 22:04:55 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/04/27 06:10:20 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/04/27 06:10:20 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/04/27 06:10:20 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/04/27 06:10:20 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/04/27 06:10:20 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/04/27 06:10:20 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/04/27 06:10:20 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (305826 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 10530 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe [2008/12/24 03:40:07 | 00,000,000 | ---D | M]
O2 - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll (Kaspersky Lab)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe [2008/12/24 03:40:07 | 00,000,000 | ---D | M]
O3 - HKU\S-1-5-21-1292428093-1592454029-725345543-1006\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
O4 - HKLM..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" (Kaspersky Lab)
O4 - HKLM..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 (DAEMON'S HOME)
O4 - HKLM..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 (Microsoft Corporation)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC ()
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] nwiz.exe /install ()
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC (Microsoft Corporation)
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKU\S-1-5-21-1292428093-1592454029-725345543-1006..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount (Alcohol Soft Development Team)
O4 - HKU\S-1-5-21-1292428093-1592454029-725345543-1006..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" (Nero AG)
O4 - HKU\S-1-5-21-1292428093-1592454029-725345543-1006..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork (IGN Entertainment)
O4 - HKU\S-1-5-21-1292428093-1592454029-725345543-1006..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden (Hewlett-Packard Company)
O4 - HKU\S-1-5-21-1292428093-1592454029-725345543-1006..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized (Skype Technologies S.A.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe (Brother Industries, Ltd.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1292428093-1592454029-725345543-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html (Adobe Systems Incorporated)
O9 - Extra Button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll (Kaspersky Lab)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O15 - HKLM\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 48 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 48 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-1292428093-1592454029-725345543-1006\..Trusted Domains: 48 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab (CDownloadCtrl Object)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll) - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\mzvkbd.dll (Kaspersky Lab)
O20 - AppInit_DLLs: (C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll) - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\mzvkbd3.dll (Kaspersky Lab)
O20 - AppInit_DLLs: (C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll) - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\adialhk.dll (Kaspersky Lab)
O20 - AppInit_DLLs: (C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll) - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\kloehk.dll (Kaspersky Lab)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\klogon: DllName - C:\WINDOWS\system32\klogon.dll - C:\WINDOWS\system32\klogon.dll (Kaspersky Lab)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003/07/17 00:20:52 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/08/04 16:15:21 | 00,000,047 | R--- | M] () - E:\autorun.inf -- [ UDF ]
O32 - AutoRun File - [2005/01/19 10:47:13 | 00,467,456 | R--- | M] (Obsidian Entertainment, Inc.) - F:\autorun.exe -- [ CDFS ]
O32 - AutoRun File - [2005/01/19 10:47:13 | 00,000,715 | R--- | M] () - F:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\KIS2009.EXE -- [2008/08/04 16:15:21 | 00,684,664 | R--- | M] (Kaspersky )
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\autorun.exe -- [2005/01/19 10:47:13 | 00,467,456 | R--- | M] (Obsidian Entertainment, Inc.)
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()

========== Files/Folders - Created Within 30 Days ==========

[2009/05/03 17:57:35 | 00,501,248 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Nicolas_2\Desktop\OTListIt2.exe
[2009/05/02 22:37:11 | 00,360,021 | ---- | C] () -- C:\Documents and Settings\Nicolas_2\Desktop\dds.scr
[2009/05/02 20:36:54 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\Nicolas_2\Desktop\HijackThis.lnk
[2009/05/02 20:36:54 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/05/01 20:54:47 | 00,101,287 | ---- | C] () -- C:\WINDOWS\System32\drivers\klin.dat
[2009/05/01 20:54:47 | 00,089,601 | ---- | C] () -- C:\WINDOWS\System32\drivers\klick.dat
[2009/05/01 20:54:13 | 00,000,000 | ---D | C] -- C:\Program Files\Kaspersky Lab
[2009/05/01 20:54:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
[2009/05/01 20:54:02 | 00,213,520 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klif.sys
[2009/05/01 20:29:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab Setup Files
[2009/04/30 16:42:10 | 00,000,388 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/04/30 06:59:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
[2009/04/30 06:27:26 | 16,409,960 | ---- | C] (Safer Networking Limited ) -- C:\Documents and Settings\Nicolas_2\Desktop\spybotsd162.exe
[2009/04/29 20:04:41 | 00,001,548 | ---- | C] () -- C:\Documents and Settings\Nicolas_2\Desktop\CCleaner.lnk
[2009/04/29 20:04:40 | 00,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2009/04/29 20:00:01 | 00,015,688 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2009/04/29 18:19:01 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/04/29 18:18:50 | 00,064,160 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2009/04/29 18:17:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
[2009/04/29 07:06:49 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
[2009/04/26 22:09:08 | 00,008,192 | ---- | C] () -- C:\WINDOWS\System32\ftp_non_crp.exe
[2009/04/20 18:03:13 | 17,003,4491 | ---- | C] () -- C:\Documents and Settings\Nicolas_2\Desktop\tsl_ambience_improvement.zip
[2009/04/15 15:29:46 | 00,284,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pdh.dll
[2009/04/15 15:29:45 | 00,729,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll
[2009/04/15 15:29:45 | 00,473,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fastprox.dll
[2009/04/15 15:29:45 | 00,453,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvsd.dll
[2009/04/15 15:29:45 | 00,401,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rpcss.dll
[2009/04/15 15:29:45 | 00,227,840 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvse.exe
[2009/04/15 15:29:45 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\services.exe
[2009/04/15 15:29:44 | 00,714,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntdll.dll
[2009/04/15 15:29:44 | 00,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\advapi32.dll
[2009/04/15 15:29:12 | 00,002,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsp4res.dll
[2009/04/15 15:29:11 | 01,203,922 | ---- | C] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009/04/15 15:29:11 | 00,215,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wordpad.exe
[2009/04/11 20:24:10 | 16,974,2993 | ---- | C] () -- C:\Documents and Settings\Nicolas_2\Desktop\gv.com.BrokenPixelsS02E01WireheadSegaCD_640x480.wmv
[2009/01/28 15:41:00 | 00,000,441 | ---- | C] () -- C:\WINDOWS\kaillera.ini
[2008/12/25 15:56:34 | 00,394,240 | ---- | C] () -- C:\WINDOWS\System32\Smab.dll
[2008/12/25 15:56:33 | 00,027,648 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
[2008/12/24 04:28:32 | 00,000,038 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2008/12/24 03:07:20 | 02,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2008/08/20 18:56:27 | 00,003,480 | ---- | C] () -- C:\WINDOWS\scummvm.ini
[2008/08/14 12:55:58 | 00,000,245 | ---- | C] () -- C:\WINDOWS\cncscore.ini
[2008/08/03 21:50:43 | 00,040,960 | R--- | C] () -- C:\WINDOWS\System32\wh2robo.dll
[2008/07/17 14:40:12 | 00,000,776 | ---- | C] () -- C:\WINDOWS\Thps3.INI
[2008/06/12 06:53:25 | 00,155,136 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\d347bus.sys
[2008/06/12 06:53:25 | 00,005,248 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\d347prt.sys
[2008/06/09 14:25:29 | 00,716,272 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2008/04/08 20:48:08 | 00,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/03/17 18:23:41 | 00,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2008/03/17 18:23:41 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2008/03/16 22:48:46 | 00,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini
[2008/03/16 22:48:41 | 00,155,648 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2007/07/27 08:00:00 | 00,000,507 | ---- | C] () -- C:\WINDOWS\win.ini
[2007/07/27 08:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2006/06/01 18:47:40 | 00,368,640 | ---- | C] () -- C:\WINDOWS\System32\nvimage.dll
[2006/06/01 18:47:40 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\stereoi.dll
[2006/06/01 18:22:00 | 00,196,608 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2005/06/15 17:20:00 | 01,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2005/06/15 17:20:00 | 01,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2005/06/15 17:20:00 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2005/06/15 17:20:00 | 00,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2005/06/15 17:20:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2005/06/15 17:20:00 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2004/08/22 17:04:56 | 00,069,120 | ---- | C] () -- C:\WINDOWS\daemon.dll

========== Files - Modified Within 30 Days ==========

[5 C:\WINDOWS\System32\*.tmp files]
[6 C:\WINDOWS\*.tmp files]
[2009/05/03 17:57:36 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Nicolas_2\Desktop\OTListIt2.exe
[2009/05/03 17:44:02 | 00,063,430 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/05/03 17:43:52 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/05/03 17:43:04 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\Nicolas_2\Local Settings\desktop.ini
[2009/05/03 17:42:43 | 00,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2009/05/03 17:42:26 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/05/03 17:42:16 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/05/02 22:37:11 | 00,360,021 | ---- | M] () -- C:\Documents and Settings\Nicolas_2\Desktop\dds.scr
[2009/05/02 20:36:54 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\Nicolas_2\Desktop\HijackThis.lnk
[2009/05/01 21:01:32 | 00,213,520 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klif.sys
[2009/05/01 21:01:32 | 00,033,808 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klbg.sys
[2009/05/01 21:01:31 | 00,101,287 | ---- | M] () -- C:\WINDOWS\System32\drivers\klin.dat
[2009/05/01 21:01:31 | 00,089,601 | ---- | M] () -- C:\WINDOWS\System32\drivers\klick.dat
[2009/05/01 17:00:35 | 00,000,388 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2009/04/30 06:27:51 | 16,409,960 | ---- | M] (Safer Networking Limited ) -- C:\Documents and Settings\Nicolas_2\Desktop\spybotsd162.exe
[2009/04/29 21:53:09 | 00,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/04/29 20:04:41 | 00,001,548 | ---- | M] () -- C:\Documents and Settings\Nicolas_2\Desktop\CCleaner.lnk
[2009/04/29 18:19:01 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/04/29 18:18:47 | 00,015,688 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
[2009/04/29 18:18:38 | 00,064,160 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2009/04/26 22:09:58 | 00,008,192 | ---- | M] () -- C:\WINDOWS\System32\ftp_non_crp.exe
[2009/04/20 18:08:02 | 17,003,4491 | ---- | M] () -- C:\Documents and Settings\Nicolas_2\Desktop\tsl_ambience_improvement.zip
[2009/04/16 06:12:00 | 00,575,776 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/04/16 06:12:00 | 00,479,564 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/04/16 06:12:00 | 00,085,442 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/04/11 20:33:26 | 16,974,2993 | ---- | M] () -- C:\Documents and Settings\Nicolas_2\Desktop\gv.com.BrokenPixelsS02E01WireheadSegaCD_640x480.wmv
[2009/04/09 16:12:20 | 00,000,441 | ---- | M] () -- C:\WINDOWS\kaillera.ini
[2009/04/07 17:23:39 | 00,002,265 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Skype.lnk
[2009/04/06 10:57:24 | 24,921,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/04/03 21:09:40 | 01,430,144 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

========== Alternate Data Streams ==========

@Alternate Data Stream - 129 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:05EE1EEF
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:888AFB86
< End of report >

I also got a log from OTListIt2 called "extra". I'm assuming it would be good to paste that as well. I noticed several errors about starting some server. I was running in normal boot mode and I think I was browsing the internet while doing the scan. I don't know if either of those things affects anything.

OTListIt Extras logfile created on: 5/3/2009 5:59:00 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.15.3 Folder = C:\Documents and Settings\Nicolas_2\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.48 Mb Total Physical Memory | 442.50 Mb Available Physical Memory | 43.24% Memory free
2.40 Gb Paging File | 1.94 Gb Available in Paging File | 81.08% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 127.99 Gb Total Space | 22.41 Gb Free Space | 17.51% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 38.28 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF
Drive F: | 650.25 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive G: | 186.30 Gb Total Space | 136.28 Gb Free Space | 73.15% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: FERRO-8588ED12C
Current User Name: Nicolas_2
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring" = 1
"" =
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"3703:TCP" = 3703:TCP:*:Enabled:Adobe Version Cue CS3 Server
"3704:TCP" = 3704:TCP:*:Enabled:Adobe Version Cue CS3 Server
"50900:TCP" = 50900:TCP:*:Enabled:Adobe Version Cue CS3 Server
"50901:TCP" = 50901:TCP:*:Enabled:Adobe Version Cue CS3 Server

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008/04/13 14:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2008/03/20 11:08:32 | 00,219,952 | ---- | M] () -- C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent
[2008/04/13 14:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
File not found -- C:\Program Files\Winamp Remote\bin\Orb.exe:*:Enabled:Orb
File not found -- C:\Program Files\Winamp Remote\bin\OrbTray.exe:*:Enabled:OrbTray
File not found -- C:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe:*:Enabled:Orb Stream Client
[2006/02/28 13:42:38 | 00,229,376 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour
[2007/03/20 17:41:24 | 00,153,792 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:*:Enabled:Adobe Version Cue CS3 Server
[2008/01/04 02:07:26 | 02,070,016 | ---- | M] (http://www.stepmania.com) -- C:\Program Files\StepMania CVS\Program\StepMania.exe:*:Enabled:StepMania
[2009/03/11 12:00:54 | 24,095,528 | R--- | M] (Skype Technologies S.A.) -- C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{004685F7-9FB6-4789-812F-59ABB34A55AF}" = Adobe Setup
"{0046FA01-C5B9-4985-BACB-398DC480FC05}" = Adobe Photoshop CS3
"{0224CACC-994D-45F8-B973-D65056EA9C2F}" = Adobe XMP DVA Panels CS3
"{0327FA9D-975C-448C-A086-577D57BB25B8}" = Adobe Soundbooth CS3 Codecs
"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting
"{15095BF3-A3D7-4DDF-B193-3A496881E003}" = Microsoft .NET Framework 3.0
"{1632FD86-1BA4-4FC4-8B25-A8C655D63F68}" = Sid Meier's Pirates!
"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin
"{193EAFD0-1BAF-4FB4-B18F-79D5D6A4B285}" = Adobe After Effects CS3 Presets
"{1A6A6531-08FC-47AD-BAC4-C41497E71033}" = Nero 7 Essentials
"{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}" = Google Earth
"{1D58229F-C505-45CA-8223-F35F3A34B963}" = Adobe Version Cue CS3 Server
"{1DCC7418-2089-4BDD-B321-3771956160FC}" = ijji Auto Installer
"{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}" = Skype™ 4.0
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 11
"{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (SONY_MEDIAMGR2)
"{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2}" = Adobe Flash Video Encoder
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{3293C06B-003F-4027-8380-FFD79E38167D}" = Tony Hawk's American Wasteland ™
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36C9E08A-BE2B-40A0-83C5-576748F7B777}" = TestDrive Client
"{394BE3D9-7F57-4638-A8D1-1D88671913B7}" = Microsoft AppLocale
"{3DED3A72-61A8-4B87-98A5-EF0BC8038AA0}" = DAEMON Tools
"{4458C442-7376-4CF9-AF58-E8CEA6722363}" = Adobe Setup
"{44734179-8A79-4DEE-BB08-73037F065543}" = Apple Mobile Device Support
"{485ACF57-F364-440A-8496-E1E81C8FA1AA}" = Adobe Premiere Pro CS3 Third Party Content
"{491DD792-AD81-429C-9EB4-86DD3D22E333}" = Windows Communication Foundation
"{5054EB64-22BB-43EF-BD7E-102609CEF478}" = Gamut
"{50F102CA-4BE2-41A9-9810-5BB05EB91B9A}" = Adobe Premiere Pro CS3 Functional Content
"{51846830-E7B2-4218-8968-B77F0FF475B8}" = Adobe Color EU Extra Settings
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3
"{54B2EAD9-A110-43F7-B010-2859A1BD2AFE}" = Adobe Encore CS3
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{58DCEEE5-532E-44F4-B1D7-A146EF9E9FDA}" = Adobe Premiere Pro CS3
"{629F65FB-7F3C-4D66-A1C0-20722744B7B6}" = Star Wars® Knights of the Old Republic® II: The Sith Lords™
"{62D53173-8A71-4CBA-B9F8-A64AB61994B8}" = Façade
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6ABE0BEE-D572-4FE8-B434-9E72A289431B}" = Adobe Fonts All
"{6B52140A-F189-4945-BFFC-DB3F00B8C589}" = Adobe Flash CS3
"{6B708481-748A-4EB4-97C1-CD386244FF77}" = Adobe MotionPicture Color Files
"{6BBAA81D-6A7E-43AD-8889-2F002DCAAFDD}" = AHV content for Acrobat and Flash
"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7ACFB90E-8FD0-4397-AD3A-5195412623A3}" = Adobe Help Viewer CS3
"{7C10F5C7-F00F-4BD3-A110-C7D240D2DD25}" = Adobe Dreamweaver CS3
"{7C9AD221-994C-45B2-B46D-26F5735158CF}" = Sony Vegas Pro 8.0
"{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}" = Windows Workflow Foundation
"{7DFC1012-D346-46CE-B03E-FF79125AE029}" = Adobe Fireworks CS3
"{7ECEF10B-F1C2-4FD5-861F-A3FCB4653304}" = Adobe After Effects CS3 Third Party Content
"{845A8DB9-8802-4FD3-9FE3-938A6C46A2EC}" = Adobe Video Profiles
"{8718DC03-D066-4957-94E5-50C3C5042E8E}" = Adobe Creative Suite 3 Master Collection
"{8CB14A64-CEF4-4C8F-B1C8-1C3B8752CB55}" = Kaspersky Internet Security 2009
"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3
"{8DC42D05-680B-41B0-8878-6C14D24602DB}" = QuickTime
"{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support
"{8FA5B6B7-D8BD-49F7-98D7-701C26B01E97}" = Sony Media Manager 2.3
"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
"{90840409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Excel Viewer 2003
"{95655ED4-7CA5-46DF-907F-7144877A32E5}" = Adobe Color NA Recommended Settings
"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3
"{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps
"{A2D81E70-2A98-4A08-A628-94388B063C5E}" = Adobe Color - Photoshop Specific
"{A6B23EFA-6590-482C-A11F-5ACE1B91F5B9}" = Adobe Soundbooth CS3
"{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}" = PDF Settings
"{AC76BA86-1033-0000-7760-000000000003}" = Adobe Acrobat 8 Professional
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{B2E3A2C8-283C-4871-A499-B2711F48D64B}" = Yugioh Virtual Dueling
"{B395BC1D-CC06-425E-9049-4CD985EFF004}" = LightScribe 1.8.15.1
"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{B671CBFD-4109-4D35-9252-3062D3CCB7B2}" = Adobe SING CS3
"{B73CFB12-C814-4638-AFFD-7E3AAFAF0B4E}" = Adobe BridgeTalk Plugin CS3
"{B8B7A4D8-80E1-4DAE-BD33-7FD535BA3931}" = Adobe Encore CS3 Codecs
"{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}" = Adobe Default Language CS3
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BC4F8E84-5E29-49EC-B4E7-E6F9CB50986C}" = Adobe Flash Player 9 ActiveX
"{BE5F3842-8309-4754-92D5-83E02E6077A3}" = Adobe Extension Manager CS3
"{C27AF593-1464-4805-9F17-574F595212C0}" = Watchtower Library 2005 - English Edition
"{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}" = Adobe ExtendScript Toolkit 2
"{C5BD220A-EFE8-48A5-B70E-9503D535FACE}" = Adobe WAS CS3
"{CB3F8375-B600-4B9F-83C9-238ED1E583FD}" = Adobe InDesign CS3
"{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client
"{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}" = Adobe PDF Library Files
"{D5A31AB1-345D-47C7-A87B-036A669F6DF1}" = Adobe XMP Panels CS3
"{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}" = Adobe Color Common Settings
"{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}" = Adobe Color JA Extra Settings
"{DE5BFF9C-84D1-4B09-9C20-54633044CB85}" = Watchtower Library 2008 - English
"{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb" = Microsoft Windows Application Compatibility Database
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3
"{E9F44C98-B8B6-480F-AF7B-E42A0A46F4E3}" = Microsoft SQL Server VSS Writer
"{EA7B3CC4-366D-4CF6-8350-FD7A7034116E}" = Adobe InDesign CS3 Icon Handler
"{EB0202F7-016A-410C-ADE4-40F848CCC661}" = Adobe After Effects CS3
"{F08E8D2E-F132-4742-9C87-D5FF223A016A}" = Adobe Illustrator CS3
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F7049A79-20CC-4C4F-8C14-4C878AFAC27E}" = MorphVOX Junior
"{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}" = Microsoft SQL Server Native Client
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"{FC9E08AA-CD59-4C59-BEF9-87E05B9E37D7}" = Adobe Contribute CS3
"Ad-Aware" = Ad-Aware
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe_3675c95c239b992d5d0ee8fce969b9e" = Adobe After Effects CS3 Third Party Content
"Adobe_4dcfd9b7e901b57f81f667144603236" = Add or Remove Adobe Creative Suite 3 Master Collection
"Avidemux 2.4" = Avidemux 2.4
"CCleaner" = CCleaner (remove only)
"Download Manager" = Download Manager 2.3.6
"ElectricSheep" = ElectricSheep 2.6.6
"ffdshow_is1" = ffdshow [rev 1381] [2007-07-29]
"Fraps" = Fraps (remove only)
"Go Beryllium" = Go Beryllium 1.0
"Google Updater" = Google Updater
"GTK 2.0" = GTK+ Runtime 2.12.8 rev a (remove only)
"Gunbound Revolution_is1" = Gunbound Revolution
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{1632FD86-1BA4-4FC4-8B25-A8C655D63F68}" = Sid Meier's Pirates!
"InstallWIX_{8CB14A64-CEF4-4C8F-B1C8-1C3B8752CB55}" = Kaspersky Internet Security 2009
"LHTTSJPJ" = L&H TTS3000 Japanese
"Mabinogi" = Mabinogi
"Microsoft .NET Framework 3.0" = Microsoft .NET Framework 3.0
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Mozilla Firefox (3.0.10)" = Mozilla Firefox (3.0.10)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSTTS" = Microsoft Text-to-Speech Engine 4.0 (English)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIAStereo" = NVIDIA Windows 95/98/ME/2000/XP Stereo Drivers
"Phantasy Star Online Blue Burst_is1" = Phantasy Star Online Blue Burst 1.0
"Pidgin" = Pidgin
"RedOctane Universal PS/PS2 Controller Adapter" = RedOctane Universal PS/PS2 Controller Adapter
"StepMania CVS" = StepMania CVS 4.0 (remove only)
"SystemRequirementsLab" = System Requirements Lab
"The Rosetta Stone" = The Rosetta Stone
"Tony Hawk's Pro Skater 3®" = Tony Hawk's Pro Skater 3®
"VDMSound" = VDMSound
"WIC" = Windows Imaging Component
"Winamp" = Winamp
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"zbattle.net_is1" = zbattle.net 1.09 SR-1 beta

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"ijji.com" = ijji
"uTorrent" = µTorrent

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1292428093-1592454029-725345543-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"ijji.com" = ijji
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/30/2009 4:04:25 PM | Computer Name = FERRO-8588ED12C | Source = Application Hang | ID = 1002
Description = Hanging application SpybotSD.exe, version 1.6.2.46, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 5/1/2009 9:19:03 PM | Computer Name = FERRO-8588ED12C | Source = Application Hang | ID = 1002
Description = Hanging application avp.exe, version 8.0.0.476, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 5/1/2009 9:19:54 PM | Computer Name = FERRO-8588ED12C | Source = Application Hang | ID = 1002
Description = Hanging application avp.exe, version 8.0.0.476, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 5/1/2009 9:20:19 PM | Computer Name = FERRO-8588ED12C | Source = Application Hang | ID = 1002
Description = Hanging application avp.exe, version 8.0.0.476, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 5/1/2009 9:20:26 PM | Computer Name = FERRO-8588ED12C | Source = Application Hang | ID = 1001
Description = Fault bucket 1129826734.

Error - 5/1/2009 9:21:10 PM | Computer Name = FERRO-8588ED12C | Source = Application Hang | ID = 1002
Description = Hanging application avp.exe, version 8.0.0.476, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 5/1/2009 10:30:54 PM | Computer Name = FERRO-8588ED12C | Source = nview_info | ID = 11141121
Description =

Error - 5/1/2009 10:32:14 PM | Computer Name = FERRO-8588ED12C | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3399, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 5/1/2009 10:33:48 PM | Computer Name = FERRO-8588ED12C | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3399, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 5/2/2009 8:30:45 PM | Computer Name = FERRO-8588ED12C | Source = Application Hang | ID = 1002
Description = Hanging application avp.exe, version 8.0.0.476, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 5/2/2009 9:14:45 PM | Computer Name = FERRO-8588ED12C | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 5/2/2009 9:14:59 PM | Computer Name = FERRO-8588ED12C | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 5/2/2009 9:24:07 PM | Computer Name = FERRO-8588ED12C | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 5/2/2009 9:24:13 PM | Computer Name = FERRO-8588ED12C | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 5/2/2009 9:24:20 PM | Computer Name = FERRO-8588ED12C | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 5/2/2009 9:46:05 PM | Computer Name = FERRO-8588ED12C | Source = LDMS | ID = 16780239
Description = The Logical Disk Manager Service failed while registering for device
handle notifications on device \\?\STORAGE#RemovableMedia#7&383f5450&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.
Win32 Error: 565.

Error - 5/2/2009 9:49:00 PM | Computer Name = FERRO-8588ED12C | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 5/2/2009 9:49:33 PM | Computer Name = FERRO-8588ED12C | Source = LDMS | ID = 16780239
Description = The Logical Disk Manager Service failed while registering for device
handle notifications on device \\?\STORAGE#RemovableMedia#7&383f5450&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.
Win32 Error: 565.

Error - 5/2/2009 9:53:35 PM | Computer Name = FERRO-8588ED12C | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 5/3/2009 5:43:38 PM | Computer Name = FERRO-8588ED12C | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the NVSvc service.


< End of report >




And here is the GMER log:


GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-03 18:06:29
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

INT 0x62 ? 86F67BF8
INT 0x63 ? 86CDBBF8
INT 0x63 ? 86CDBBF8
INT 0x73 ? 86F67BF8
INT 0x73 ? 86F67BF8
INT 0x73 ? 86CDBBF8
INT 0x73 ? 86F67BF8
INT 0x82 ? 86F67BF8
INT 0xA4 ? 86CDBBF8

Code 86C0FE80 ZwEnumerateKey
Code 86CB8148 ZwFlushInstructionCache
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) IoIsOperationSynchronous
Code 86C060B6 IofCallDriver
Code 86BFD09E IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 86C060BB
.text ntkrnlpa.exe!IofCompleteRequest 804EF236 5 Bytes JMP 86BFD0A3
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B6812 5 Bytes JMP 86CB814C
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF0 5 Bytes JMP 86C0FE84
? spns.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F5EDC8AC 5 Bytes JMP 86CDB1D8

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F732ED92] spns.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 86FD71F8
Device \FileSystem\Udfs \UdfsCdRom 868151F8
Device \FileSystem\Udfs \UdfsCdRom 86D631A8
Device \FileSystem\Udfs \UdfsDisk 868151F8
Device \FileSystem\Udfs \UdfsDisk 86D631A8
Device \Driver\NetBT \Device\NetBT_Tcpip_{F3305A1C-5B38-4AA7-9193-0B61A99DA34B} 86C55500

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 DumaNT.SYS (DumaNT Auxillary Driver for Stereo/Windows ® 2000 DDK provider)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 DumaNT.SYS (DumaNT Auxillary Driver for Stereo/Windows ® 2000 DDK provider)

Device \Driver\usbuhci \Device\USBPDO-0 86D141F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 86FD91F8
Device \Driver\dmio \Device\DmControl\DmConfig 86FD91F8
Device \Driver\dmio \Device\DmControl\DmPnP 86FD91F8
Device \Driver\dmio \Device\DmControl\DmInfo 86FD91F8
Device \Driver\usbuhci \Device\USBPDO-1 86D141F8
Device \Driver\usbuhci \Device\USBPDO-2 86D141F8
Device \Driver\usbuhci \Device\USBPDO-3 86D141F8
Device \Driver\PCI_PNP5124 \Device\00000047 spns.sys
Device \Driver\usbehci \Device\USBPDO-4 86B9C500

AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

Device \Driver\Ftdisk \Device\HarddiskVolume1 86F681F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 86F681F8
Device \Driver\Cdrom \Device\CdRom0 86C0F008
Device \FileSystem\Rdbss \Device\FsWrap 86D4E428
Device \Driver\Cdrom \Device\CdRom1 86C0F008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 86D49B50
Device \Driver\atapi \Device\Ide\IdePort0 86D49B50
Device \Driver\atapi \Device\Ide\IdePort1 86D49B50
Device \Driver\atapi \Device\Ide\IdePort2 86D49B50
Device \Driver\atapi \Device\Ide\IdePort3 86D49B50
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1c 86D49B50
Device \Driver\Cdrom \Device\CdRom2 86C0F008
Device \Driver\sptd \Device\4119056374 spns.sys
Device \Driver\NetBT \Device\NetBt_Wins_Export 86C55500
Device \Driver\NetBT \Device\NetbiosSmb 86C55500
Device \FileSystem\Srv \Device\LanmanServer 86C87118
Device \Driver\usbuhci \Device\USBFDO-0 86D141F8
Device \Driver\usbuhci \Device\USBFDO-1 86D141F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 868281F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 86D49240
Device \Driver\usbuhci \Device\USBFDO-2 86D141F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 868281F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 86D49240
Device \Driver\usbuhci \Device\USBFDO-3 86D141F8
Device \FileSystem\Npfs \Device\NamedPipe 86D3D6C8
Device \Driver\usbehci \Device\USBFDO-4 86B9C500
Device \Driver\Ftdisk \Device\FtControl 86F681F8
Device \FileSystem\Msfs \Device\Mailslot 86CBA1A0
Device \Driver\aj0tck2o \Device\Scsi\aj0tck2o1 86C57500
Device \Driver\d347prt \Device\Scsi\d347prt1Port4Path0Target0Lun0 86CB8178
Device \Driver\d347prt \Device\Scsi\d347prt1 86CB8178
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 86CB3AA0
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 86CB3AA0
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 86CB3AA0
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 86CB3AA0
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 86CB3AA0
Device \FileSystem\Cdfs \Cdfs 868181F8
Device \FileSystem\Cdfs \Cdfs 86D5BF80

---- Modules - GMER 1.0.15 ----

Module _________ F7243000-F725B000 (98304 bytes)

---- EOF - GMER 1.0.15 ----

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:08:29 PM

Posted 04 May 2009 - 09:05 AM

Those 01 lines are actually good. They're there to prevent those sites from ever loading on your computer.


Run OTListIt2.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Files
    C:\WINDOWS\System32\ftp_non_crp.exe
    
    :Commands
    [purity]
    [emptytemp]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post a new OTL2 log

================


Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

===============


Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
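The O1 lines discussed above are hosts-file entries that map ad and malware domains to a sink address so they never load. As an added example, not code from the thread or from any tool it mentions, the script below reads a hosts file and separates those benign blocking entries from entries that point a real domain at some other address (the kind that would produce redirects). The hosts content and the 198.51.100.23 line are constructed for the example.

```python
"""Classify Windows hosts-file entries as benign blocking lines or
potential redirects (added example; sample data is constructed)."""
import ipaddress
import re

# Sink addresses that blocklists such as Spybot S&D immunization map
# domains to, so the name never resolves to anything reachable.
BLOCK_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample: what a hosts file looks like after Spybot immunization,
# plus one injected line (documentation-range IP) to show a redirect entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
0.0.0.0 008k.com
# End of entries inserted by Spybot - Search & Destroy
198.51.100.23  www.google.com   # constructed example of a redirect entry
"""

# address, then one or more hostnames, then an optional trailing comment
LINE_RE = re.compile(r"^\s*(\S+)\s+([^#]+?)\s*(?:#.*)?$")


def parse_hosts(text):
    """Yield (ip, [hostnames], raw_line) for each non-comment entry."""
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = LINE_RE.match(raw)
        if not m:
            continue
        ip, names = m.group(1), m.group(2).split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address field; skip the line
        yield ip, names, raw


def classify_entries(text):
    """Return {"block": [...], "redirect": [...]} lists of (ip, hostname).

    "block"    = mapped to a sink address, the site can never load (benign).
    "redirect" = mapped to any other address; worth a second look, since a
                 legitimate domain pointed elsewhere is exactly how a hosts
                 hijack produces unexpected pages.
    """
    result = {"block": [], "redirect": []}
    for ip, names, _ in parse_hosts(text):
        for name in names:
            if name == "localhost":
                continue  # the default Windows entry, not a block rule
            bucket = "block" if ip in BLOCK_SINKS else "redirect"
            result[bucket].append((ip, name))
    return result


def classify_hosts_file(path=r"C:\WINDOWS\System32\drivers\etc\hosts"):
    """Classify the entries of a hosts file on disk (default: XP location)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return classify_entries(fh.read())


if __name__ == "__main__":
    report = classify_entries(SAMPLE_HOSTS)
    print(f"{len(report['block'])} blocking entries (benign)")
    for ip, name in report["redirect"]:
        print(f"REDIRECT: {name} -> {ip}")
```

Run against the real file with `classify_hosts_file()`; on a machine with only Spybot immunization entries the `redirect` list should come back empty.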

#5 Ferrous

Ferrous
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:09:29 PM

Posted 04 May 2009 - 04:13 PM

I forgot to edit my post to say I actually read the hosts file at C:\WINDOWS\System32\drivers\etc\Hosts and found out that Spybot Search & Destroy created it. I'm glad to learn it isn't harmful.

I believe you just had me delete my temporary internet files, uninstall old Java versions, install the latest Java Runtime Environment SE, and scan my computer for a trojan called Goored. I was under the impression deleting the temporary internet files might have fixed the problem, but I still get random redirects.

I'm also going to post how I downloaded Java just to make sure I didn't accidentally choose the wrong version. When installing Java, I chose to download from http://java.sun.com/javase/downloads/index.jsp

I clicked on the JRE 6 Update 13 link; on the subsequent page, I chose my platform as Windows and clicked on the first download link, which said jre-6u13-windows-i586-p.exe

Now for some scan logs. Here is how the OTListIt2 custom fix you posted went:

========== FILES ==========
C:\WINDOWS\System32\ftp_non_crp.exe moved successfully.
========== COMMANDS ==========
File delete failed. C:\Documents and Settings\Nicolas_2\Local Settings\Temp\etilqs_0oG6uwabGT3NmqhJyGwY scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Nicolas_2\Local Settings\Temp\etilqs_KQgJnzJWw8rMvB1CPtHz scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Nicolas_2\Local Settings\Temp\etilqs_laRCwGCp9XnUHcNacHc7 scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_724.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.

OTListIt2 by OldTimer - Version 2.0.15.3 log created on 05042009_161429

Files moved on Reboot...
File C:\Documents and Settings\Nicolas_2\Local Settings\Temp\etilqs_0oG6uwabGT3NmqhJyGwY not found!
File C:\Documents and Settings\Nicolas_2\Local Settings\Temp\etilqs_KQgJnzJWw8rMvB1CPtHz not found!
File C:\Documents and Settings\Nicolas_2\Local Settings\Temp\etilqs_laRCwGCp9XnUHcNacHc7 not found!
File C:\WINDOWS\temp\Perflib_Perfdata_724.dat not found!

Registry entries deleted on Reboot...


The latest OTListIt scan:

OTListIt logfile created on: 5/4/2009 4:52:22 PM - Run 4
OTListIt2 by OldTimer - Version 2.0.15.3 Folder = C:\Program Files\Computer scanners
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.48 Mb Total Physical Memory | 536.53 Mb Available Physical Memory | 52.42% Memory free
2.40 Gb Paging File | 2.06 Gb Available in Paging File | 85.89% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 127.99 Gb Total Space | 23.03 Gb Free Space | 17.99% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 38.28 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF
Drive F: | 650.25 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive G: | 186.30 Gb Total Space | 136.26 Gb Free Space | 73.14% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: FERRO-8588ED12C
Current User Name: Nicolas_2
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2009/04/29 18:18:27 | 00,953,168 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2008/02/18 11:16:30 | 00,110,592 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2006/02/28 13:42:38 | 00,229,376 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2007/07/25 15:50:26 | 00,079,136 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe
PRC - [2007/08/02 12:33:50 | 00,080,528 | ---- | M] (INCA Internet Co., Ltd.) -- C:\Nexon\Mabinogi\npkcmsvc.exe
PRC - [2006/06/01 18:22:00 | 00,155,715 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2007/02/10 05:29:56 | 00,089,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2007/07/27 08:00:00 | 00,016,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\unsecapp.exe
PRC - [2009/02/06 06:10:02 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
PRC - [2007/06/01 10:21:30 | 00,271,920 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
PRC - [2008/03/08 10:49:11 | 00,658,432 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
PRC - [2008/04/13 20:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2004/07/01 06:23:32 | 00,067,584 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
PRC - [2004/08/22 17:05:02 | 00,081,920 | ---- | M] (DAEMON'S HOME) -- C:\Program Files\D-Tools\daemon.exe
PRC - [2007/05/10 23:46:20 | 00,624,248 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
PRC - [2009/04/29 18:18:27 | 00,516,440 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2007/07/18 17:55:20 | 00,451,872 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
PRC - [2007/06/01 10:21:08 | 00,153,136 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
PRC - [2009/03/11 12:00:54 | 24,095,528 | R--- | M] (Skype Technologies S.A.) -- C:\Program Files\Skype\Phone\Skype.exe
PRC - [2007/06/01 10:21:30 | 01,209,904 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
PRC - [2008/04/13 20:12:41 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe
PRC - [2009/05/04 16:32:24 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/05/04 16:32:24 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/05/03 17:57:36 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Program Files\Computer scanners\OTListIt2.exe

========== Win32 Services (SafeList) ==========

SRV - [2007/03/20 17:41:24 | 00,153,792 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe -- (Adobe Version Cue CS3 [On_Demand | Stopped])
SRV - [2008/02/18 11:16:30 | 00,110,592 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2007/10/24 01:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2009/05/01 21:01:32 | 00,206,088 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe -- (AVP [Auto | Stopped])
SRV - [2006/02/28 13:42:38 | 00,229,376 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
SRV - [2007/10/24 01:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/03/08 10:49:11 | 00,658,432 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service [On_Demand | Running])
SRV - [2006/10/20 21:21:24 | 00,036,864 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2009/03/23 17:53:01 | 00,183,280 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [Auto | Stopped])
SRV - [2008/04/13 20:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2006/10/30 03:33:58 | 00,741,376 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2009/04/29 18:18:27 | 00,953,168 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service [Auto | Running])
SRV - [2007/07/25 15:50:26 | 00,079,136 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService [Auto | Running])
SRV - [2005/07/17 00:29:18 | 00,068,096 | ---- | M] () -- C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe -- (Macromedia Licensing Service [On_Demand | Stopped])
SRV - [2007/02/10 05:29:54 | 29,178,224 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$SONY_MEDIAMGR2 [On_Demand | Stopped])
SRV - [2005/10/14 02:50:20 | 00,045,272 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper [Disabled | Stopped])
SRV - [2007/04/13 21:09:56 | 00,792,112 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe -- (NBService [On_Demand | Stopped])
SRV - [2006/10/30 03:34:02 | 00,122,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2007/06/01 10:21:30 | 00,271,920 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe -- (NMIndexingService [On_Demand | Running])
SRV - [2009/02/17 12:59:00 | 02,794,234 | ---- | M] (INCA Internet Co., Ltd.) -- C:\WINDOWS\system32\GameMon.des -- (npggsvc [On_Demand | Stopped])
SRV - [2007/08/02 12:33:50 | 00,080,528 | ---- | M] (INCA Internet Co., Ltd.) -- C:\Nexon\Mabinogi\npkcmsvc.exe -- (npkcmsvc [Auto | Running])
SRV - [2006/06/01 18:22:00 | 00,155,715 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc [Auto | Running])
SRV - [2003/07/28 13:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2007/02/10 05:29:48 | 00,242,544 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser [Disabled | Stopped])
SRV - [2007/02/10 05:29:56 | 00,089,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter [Auto | Running])
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])
SRV - [2009/05/04 16:32:24 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])

========== Driver Services (SafeList) ==========

DRV - [2003/12/10 03:21:16 | 00,004,224 | R--- | M] (ABIT Computer Corp.) -- C:\WINDOWS\System32\Drivers\AC2003.sys -- (AC2003 [On_Demand | Stopped])
DRV - [2004/02/23 23:08:52 | 00,400,384 | ---- | M] (Sensaura) -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS -- (ALCXSENS [On_Demand | Running])
DRV - [2004/07/01 02:49:00 | 00,626,977 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM [On_Demand | Running])
DRV - [2004/08/22 16:31:10 | 00,155,136 | ---- | M] ( ) -- C:\WINDOWS\system32\DRIVERS\d347bus.sys -- (d347bus [Boot | Running])
DRV - [2004/08/22 16:31:48 | 00,005,248 | ---- | M] ( ) -- C:\WINDOWS\System32\Drivers\d347prt.sys -- (d347prt [Boot | Running])
DRV - [2006/06/01 18:47:40 | 00,334,976 | ---- | M] (Windows ® 2000 DDK provider) -- C:\WINDOWS\System32\drivers\dumant.sys -- (DumaNT [On_Demand | Running])
DRV - [2008/07/21 18:34:36 | 00,121,872 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\system32\drivers\kl1.sys -- (kl1 [Boot | Running])
DRV - [2009/05/01 21:01:32 | 00,033,808 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\system32\drivers\klbg.sys -- (klbg [Boot | Running])
DRV - [2008/03/13 19:02:46 | 00,026,640 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\system32\DRIVERS\klfltdev.sys -- (KLFLTDEV [On_Demand | Running])
DRV - [2009/05/01 21:01:32 | 00,213,520 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\system32\DRIVERS\klif.sys -- (KLIF [System | Running])
DRV - [2008/04/30 18:06:48 | 00,024,592 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\system32\DRIVERS\klim5.sys -- (klim5 [On_Demand | Running])
DRV - [2009/04/29 18:18:38 | 00,064,160 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd [Boot | Running])
DRV - [2007/06/26 10:39:02 | 00,035,600 | ---- | M] (INCA Internet Co., Ltd.) -- C:\Nexon\Mabinogi\npkcrypt.sys -- (npkcrypt [Auto | Running])
DRV - [2007/04/20 16:49:54 | 00,024,272 | ---- | M] (INCA Internet Co., Ltd.) -- C:\Nexon\Mabinogi\npkcusb.sys -- (npkcusb [On_Demand | Stopped])
DRV - [2006/06/01 18:22:00 | 03,925,920 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Running])
DRV - [2007/07/27 08:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2007/03/07 19:51:00 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2004/08/03 18:31:34 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) -- C:\WINDOWS\system32\DRIVERS\RTL8139.SYS -- (rtl8139 [On_Demand | Running])
DRV - [2008/09/07 20:02:38 | 00,021,920 | ---- | M] (Screaming Bee LLC) -- C:\WINDOWS\system32\drivers\ScreamingBAudio.sys -- (SCREAMINGBDRIVER [On_Demand | Running])
DRV - [2007/11/13 06:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2008/06/09 14:25:30 | 00,716,272 | ---- | M] () -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd [Boot | Running])
DRV - [2007/03/01 11:34:36 | 00,028,352 | ---- | M] (Avira GmbH) -- C:\WINDOWS\system32\DRIVERS\ssmdrv.sys -- (ssmdrv [System | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1292428093-1592454029-725345543-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-1292428093-1592454029-725345543-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-1292428093-1592454029-725345543-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\S-1-5-21-1292428093-1592454029-725345543-1006\S-1-5-21-1292428093-1592454029-725345543-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1292428093-1592454029-725345543-1006\S-1-5-21-1292428093-1592454029-725345543-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com"
FF - prefs.js..extensions.enabledItems: {008E309A-BEF2-490B-8C93-5F4F960212E0}:1.0
FF - prefs.js..extensions.enabledItems: {084DB72C-888A-4FB2-AB7D-6EEEA05CE357}:1.0
FF - prefs.js..extensions.enabledItems: {0A2E1FAB-7AF8-4F7B-812F-1AFDBC8CFB77}:1.0
FF - prefs.js..extensions.enabledItems: {1768527C-FEA1-4C54-BA62-021F5AE6CA7D}:1.0
FF - prefs.js..extensions.enabledItems: {27BFC822-4982-486E-87D0-8EDA5B025594}:1.0
FF - prefs.js..extensions.enabledItems: {3EC0F8E7-5191-4CDC-B5D0-9F9C407C9565}:1.0
FF - prefs.js..extensions.enabledItems: {550B39AF-D922-406C-87D0-66D808EEC7CD}:1.0
FF - prefs.js..extensions.enabledItems: {59E0F413-490D-4EE8-A96B-A525E0D1F4CE}:1.0
FF - prefs.js..extensions.enabledItems: {5CD2542C-B367-493E-946B-3A5CEFF6FD2D}:1.0
FF - prefs.js..extensions.enabledItems: {62160CC9-6A7A-4E20-B86D-DB7BB001AE8A}:1.0
FF - prefs.js..extensions.enabledItems: {6A8A548D-7F64-4BD8-ADD1-9451A552F657}:1.0
FF - prefs.js..extensions.enabledItems: {6E861D53-9364-4632-82B5-3D52C6CDD293}:1.0
FF - prefs.js..extensions.enabledItems: {76C7816B-3FD7-4E2F-ACFF-497F821AC894}:1.0
FF - prefs.js..extensions.enabledItems: {7C7C462A-F7DD-48A0-8E20-AE318F05A660}:1.0
FF - prefs.js..extensions.enabledItems: {83BEEA88-ECD8-47E4-BE07-EA8D54A4E466}:1.0
FF - prefs.js..extensions.enabledItems: {841BD3C0-2E81-427C-A51B-AF54DCCF0697}:1.0
FF - prefs.js..extensions.enabledItems: {A0F2F9EB-CA5C-474D-B5B2-21DB1EB1FD5A}:1.0
FF - prefs.js..extensions.enabledItems: {A112CA34-52F6-43A9-A01A-9BC04FC22B74}:1.0
FF - prefs.js..extensions.enabledItems: {A88EF7BE-9F47-4652-A893-9BE70FB47927}:1.0
FF - prefs.js..extensions.enabledItems: {B04ABCF3-0465-429A-932F-BDAEE9C24E23}:1.0
FF - prefs.js..extensions.enabledItems: {B60E8E39-8A54-482B-91C4-4B11D7641B0E}:1.0
FF - prefs.js..extensions.enabledItems: {BBF18185-B3D0-4303-887C-7F7ED0909768}:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}:6.0.02
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}:6.0.03
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}:6.0.07
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}:6.0.11
FF - prefs.js..extensions.enabledItems: {CC683057-4CC9-424D-A3CF-9A9BCF65852D}:1.0
FF - prefs.js..extensions.enabledItems: {D0B872BA-8179-4271-9DFF-C479531567A8}:1.0
FF - prefs.js..extensions.enabledItems: {DC3D3503-359F-4C88-AB7B-E21A6604551A}:1.0
FF - prefs.js..extensions.enabledItems: {E473719E-95AB-42B6-A052-44705B2F90DF}:1.0
FF - prefs.js..extensions.enabledItems: {E57C25A9-CFE2-47FC-B213-F81E4A9D971C}:1.0
FF - prefs.js..extensions.enabledItems: {E6DBD082-ABF0-44EE-9AD7-0D71F74BC0E5}:1.0
FF - prefs.js..extensions.enabledItems: {F1A2FB3B-B16A-4988-B308-B22B274CEA30}:1.0
FF - prefs.js..extensions.enabledItems: {F4917B1F-1822-4980-819E-5639140FF8D3}:1.0
FF - prefs.js..extensions.enabledItems: {F9F92DA8-E4E5-4635-AA8C-1C8AA294D394}:1.0
FF - prefs.js..extensions.enabledItems: {FB4ED38D-7DB0-46CA-931B-4436158F7F34}:1.0
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.10

FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2009/05/04 16:32:25 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009/04/30 18:43:54 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/04/27 22:05:00 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\{eea12ec4-729d-4703-bc37-106ce9879ce2}: C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY INTERNET SECURITY 2009\THBEXT [2009/05/01 20:54:27 | 00,000,000 | ---D | M]

[2008/08/27 21:56:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nicolas_2\Application Data\mozilla\Extensions
[2008/08/27 21:56:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nicolas_2\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/02/13 10:31:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nicolas_2\Application Data\mozilla\Firefox\Profiles\prfsper6.default\extensions
[2008/03/16 22:51:49 | 00,001,878 | ---- | M] () -- C:\Documents and Settings\Nicolas_2\Application Data\Mozilla\FireFox\Profiles\prfsper6.default\searchplugins\aolsearch.xml
[2008/04/04 22:37:52 | 00,000,891 | ---- | M] () -- C:\Documents and Settings\Nicolas_2\Application Data\Mozilla\FireFox\Profiles\prfsper6.default\searchplugins\dictionarycom.xml
[2008/03/20 10:41:03 | 00,002,005 | ---- | M] () -- C:\Documents and Settings\Nicolas_2\Application Data\Mozilla\FireFox\Profiles\prfsper6.default\searchplugins\scrapetorrent.xml
[2008/03/17 17:19:06 | 00,005,549 | ---- | M] () -- C:\Documents and Settings\Nicolas_2\Application Data\Mozilla\FireFox\Profiles\prfsper6.default\searchplugins\the-free-dictionary.xml
[2008/04/04 22:37:50 | 00,000,888 | ---- | M] () -- C:\Documents and Settings\Nicolas_2\Application Data\Mozilla\FireFox\Profiles\prfsper6.default\searchplugins\thesauruscom.xml
[2008/03/17 17:42:53 | 00,001,058 | ---- | M] () -- C:\Documents and Settings\Nicolas_2\Application Data\Mozilla\FireFox\Profiles\prfsper6.default\searchplugins\wikipedia-en.xml
[2008/03/17 17:31:05 | 00,002,109 | ---- | M] () -- C:\Documents and Settings\Nicolas_2\Application Data\Mozilla\FireFox\Profiles\prfsper6.default\searchplugins\youtube-video-search.xml
[2009/05/04 16:32:38 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/04/29 18:20:24 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{008E309A-BEF2-490B-8C93-5F4F960212E0}
[2009/04/22 16:27:56 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{084DB72C-888A-4FB2-AB7D-6EEEA05CE357}
[2009/04/21 15:59:06 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{0A2E1FAB-7AF8-4F7B-812F-1AFDBC8CFB77}
[2009/05/04 16:19:32 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{1768527C-FEA1-4C54-BA62-021F5AE6CA7D}
[2009/05/01 21:09:12 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{27BFC822-4982-486E-87D0-8EDA5B025594}
[2009/04/20 09:46:56 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{3EC0F8E7-5191-4CDC-B5D0-9F9C407C9565}
[2009/05/04 16:25:29 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{550B39AF-D922-406C-87D0-66D808EEC7CD}
[2009/05/02 21:54:45 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{59E0F413-490D-4EE8-A96B-A525E0D1F4CE}
[2009/04/20 16:21:20 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{5CD2542C-B367-493E-946B-3A5CEFF6FD2D}
[2009/04/28 20:18:43 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{62160CC9-6A7A-4E20-B86D-DB7BB001AE8A}
[2009/05/01 20:52:39 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{6A8A548D-7F64-4BD8-ADD1-9451A552F657}
[2009/04/22 21:24:43 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{6E861D53-9364-4632-82B5-3D52C6CDD293}
[2009/04/21 06:56:39 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{76C7816B-3FD7-4E2F-ACFF-497F821AC894}
[2009/05/03 10:47:56 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{7C7C462A-F7DD-48A0-8E20-AE318F05A660}
[2009/04/23 15:56:20 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{83BEEA88-ECD8-47E4-BE07-EA8D54A4E466}
[2009/04/26 21:53:36 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{841BD3C0-2E81-427C-A51B-AF54DCCF0697}
[2009/04/22 21:25:56 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/04/20 09:07:54 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{A0F2F9EB-CA5C-474D-B5B2-21DB1EB1FD5A}
[2009/04/19 09:29:49 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{A112CA34-52F6-43A9-A01A-9BC04FC22B74}
[2009/05/02 22:10:16 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{A88EF7BE-9F47-4652-A893-9BE70FB47927}
[2009/04/27 17:45:22 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{B04ABCF3-0465-429A-932F-BDAEE9C24E23}
[2009/05/02 21:14:26 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{B60E8E39-8A54-482B-91C4-4B11D7641B0E}
[2009/04/19 08:45:50 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{BBF18185-B3D0-4303-887C-7F7ED0909768}
[2007/05/11 14:14:36 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
[2007/08/09 14:42:43 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
[2007/11/23 21:51:05 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
[2008/07/30 15:33:01 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
[2009/05/04 16:32:38 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2009/04/29 18:14:23 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CC683057-4CC9-424D-A3CF-9A9BCF65852D}
[2009/05/01 13:36:52 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{D0B872BA-8179-4271-9DFF-C479531567A8}
[2009/04/28 07:09:56 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{DC3D3503-359F-4C88-AB7B-E21A6604551A}
[2009/05/03 17:43:47 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{E473719E-95AB-42B6-A052-44705B2F90DF}
[2009/05/01 20:27:09 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{E57C25A9-CFE2-47FC-B213-F81E4A9D971C}
[2009/04/28 16:35:37 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{E6DBD082-ABF0-44EE-9AD7-0D71F74BC0E5}
[2009/04/20 09:44:09 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{F1A2FB3B-B16A-4988-B308-B22B274CEA30}
[2009/04/19 21:32:35 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{F4917B1F-1822-4980-819E-5639140FF8D3}
[2009/05/04 16:01:37 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{F9F92DA8-E4E5-4635-AA8C-1C8AA294D394}
[2009/04/29 21:42:40 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{FB4ED38D-7DB0-46CA-931B-4436158F7F34}
[2009/04/27 22:04:55 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/04/27 22:04:55 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/04/27 06:10:20 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/04/27 06:10:20 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/04/27 06:10:20 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/04/27 06:10:20 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/04/27 06:10:20 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/04/27 06:10:20 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/04/27 06:10:20 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (305826 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 10530 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe [2008/12/24 03:40:07 | 00,000,000 | ---D | M]
O2 - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll (Kaspersky Lab)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe [2008/12/24 03:40:07 | 00,000,000 | ---D | M]
O3 - HKU\S-1-5-21-1292428093-1592454029-725345543-1006\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
O4 - HKLM..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" (Kaspersky Lab)
O4 - HKLM..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 (DAEMON'S HOME)
O4 - HKLM..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 (Microsoft Corporation)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC ()
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] nwiz.exe /install ()
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC (Microsoft Corporation)
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKU\S-1-5-21-1292428093-1592454029-725345543-1006..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount (Alcohol Soft Development Team)
O4 - HKU\S-1-5-21-1292428093-1592454029-725345543-1006..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" (Nero AG)
O4 - HKU\S-1-5-21-1292428093-1592454029-725345543-1006..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork (IGN Entertainment)
O4 - HKU\S-1-5-21-1292428093-1592454029-725345543-1006..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden (Hewlett-Packard Company)
O4 - HKU\S-1-5-21-1292428093-1592454029-725345543-1006..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized (Skype Technologies S.A.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe (Brother Industries, Ltd.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1292428093-1592454029-725345543-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html (Adobe Systems Incorporated)
O9 - Extra Button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll (Kaspersky Lab)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O15 - HKLM\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 48 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 48 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-1292428093-1592454029-725345543-1006\..Trusted Domains: 48 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab (CDownloadCtrl Object)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll) - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\mzvkbd.dll (Kaspersky Lab)
O20 - AppInit_DLLs: (C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll) - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\mzvkbd3.dll (Kaspersky Lab)
O20 - AppInit_DLLs: (C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll) - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\adialhk.dll (Kaspersky Lab)
O20 - AppInit_DLLs: (C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll) - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\kloehk.dll (Kaspersky Lab)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\klogon: DllName - C:\WINDOWS\system32\klogon.dll - C:\WINDOWS\system32\klogon.dll (Kaspersky Lab)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003/07/17 00:20:52 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/08/04 16:15:21 | 00,000,047 | R--- | M] () - E:\autorun.inf -- [ UDF ]
O32 - AutoRun File - [2005/01/19 10:47:13 | 00,467,456 | R--- | M] (Obsidian Entertainment, Inc.) - F:\autorun.exe -- [ CDFS ]
O32 - AutoRun File - [2005/01/19 10:47:13 | 00,000,715 | R--- | M] () - F:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{ab075692-05c6-11dd-bb47-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{ab075692-05c6-11dd-bb47-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{ab075692-05c6-11dd-bb47-806d6172696f}\Shell\AutoRun\command - "" = E:\KIS2009.EXE -- [2008/08/04 16:15:21 | 00,684,664 | R--- | M] (Kaspersky )
O33 - MountPoints2\{f99aded0-386d-11dd-af29-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{f99aded0-386d-11dd-af29-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{f99aded0-386d-11dd-af29-806d6172696f}\Shell\AutoRun\command - "" = F:\autorun.exe -- [2005/01/19 10:47:13 | 00,467,456 | R--- | M] (Obsidian Entertainment, Inc.)
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\KIS2009.EXE -- [2008/08/04 16:15:21 | 00,684,664 | R--- | M] (Kaspersky )
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\autorun.exe -- [2005/01/19 10:47:13 | 00,467,456 | R--- | M] (Obsidian Entertainment, Inc.)
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()

========== Files/Folders - Created Within 30 Days ==========

[2009/05/04 16:34:13 | 00,094,208 | ---- | C] () -- C:\Documents and Settings\Nicolas_2\Desktop\GooredFix.exe
[2009/05/04 16:32:21 | 00,000,000 | ---D | C] -- C:\Program Files\Java
[2009/05/04 16:14:29 | 00,000,000 | ---D | C] -- C:\_OTListIt
[2009/05/04 16:11:52 | 00,000,000 | ---D | C] -- C:\Program Files\Computer scanners
[2009/05/01 20:54:47 | 00,101,287 | ---- | C] () -- C:\WINDOWS\System32\drivers\klin.dat
[2009/05/01 20:54:47 | 00,089,601 | ---- | C] () -- C:\WINDOWS\System32\drivers\klick.dat
[2009/05/01 20:54:13 | 00,000,000 | ---D | C] -- C:\Program Files\Kaspersky Lab
[2009/05/01 20:54:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
[2009/05/01 20:54:02 | 00,213,520 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klif.sys
[2009/05/01 20:29:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab Setup Files
[2009/04/30 16:42:10 | 00,000,388 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/04/30 06:59:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
[2009/04/30 06:27:26 | 16,409,960 | ---- | C] (Safer Networking Limited ) -- C:\Documents and Settings\Nicolas_2\Desktop\spybotsd162.exe
[2009/04/29 20:04:41 | 00,001,548 | ---- | C] () -- C:\Documents and Settings\Nicolas_2\Desktop\CCleaner.lnk
[2009/04/29 20:04:40 | 00,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2009/04/29 20:00:01 | 00,015,688 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2009/04/29 18:19:01 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/04/29 18:18:50 | 00,064,160 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2009/04/29 18:17:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
[2009/04/29 07:06:49 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
[2009/04/20 18:03:13 | 17,003,4491 | ---- | C] () -- C:\Documents and Settings\Nicolas_2\Desktop\tsl_ambience_improvement.zip
[2009/04/15 15:29:46 | 00,284,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pdh.dll
[2009/04/15 15:29:45 | 00,729,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll
[2009/04/15 15:29:45 | 00,473,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fastprox.dll
[2009/04/15 15:29:45 | 00,453,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvsd.dll
[2009/04/15 15:29:45 | 00,401,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rpcss.dll
[2009/04/15 15:29:45 | 00,227,840 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvse.exe
[2009/04/15 15:29:45 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\services.exe
[2009/04/15 15:29:44 | 00,714,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntdll.dll
[2009/04/15 15:29:44 | 00,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\advapi32.dll
[2009/04/15 15:29:12 | 00,002,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsp4res.dll
[2009/04/15 15:29:11 | 01,203,922 | ---- | C] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009/04/15 15:29:11 | 00,215,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wordpad.exe
[2009/04/11 20:24:10 | 16,974,2993 | ---- | C] () -- C:\Documents and Settings\Nicolas_2\Desktop\gv.com.BrokenPixelsS02E01WireheadSegaCD_640x480.wmv
[2009/01/28 15:41:00 | 00,000,441 | ---- | C] () -- C:\WINDOWS\kaillera.ini
[2008/12/25 15:56:34 | 00,394,240 | ---- | C] () -- C:\WINDOWS\System32\Smab.dll
[2008/12/25 15:56:33 | 00,027,648 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
[2008/12/24 04:28:32 | 00,000,038 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2008/12/24 03:07:20 | 02,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2008/08/20 18:56:27 | 00,003,480 | ---- | C] () -- C:\WINDOWS\scummvm.ini
[2008/08/14 12:55:58 | 00,000,245 | ---- | C] () -- C:\WINDOWS\cncscore.ini
[2008/08/03 21:50:43 | 00,040,960 | R--- | C] () -- C:\WINDOWS\System32\wh2robo.dll
[2008/07/17 14:40:12 | 00,000,776 | ---- | C] () -- C:\WINDOWS\Thps3.INI
[2008/06/12 06:53:25 | 00,155,136 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\d347bus.sys
[2008/06/12 06:53:25 | 00,005,248 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\d347prt.sys
[2008/06/09 14:25:29 | 00,716,272 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2008/04/08 20:48:08 | 00,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/03/17 18:23:41 | 00,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2008/03/17 18:23:41 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2008/03/16 22:48:46 | 00,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini
[2008/03/16 22:48:41 | 00,155,648 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2007/07/27 08:00:00 | 00,000,507 | ---- | C] () -- C:\WINDOWS\win.ini
[2007/07/27 08:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2006/06/01 18:47:40 | 00,368,640 | ---- | C] () -- C:\WINDOWS\System32\nvimage.dll
[2006/06/01 18:47:40 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\stereoi.dll
[2006/06/01 18:22:00 | 00,196,608 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2005/06/15 17:20:00 | 01,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2005/06/15 17:20:00 | 01,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2005/06/15 17:20:00 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2005/06/15 17:20:00 | 00,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2005/06/15 17:20:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2005/06/15 17:20:00 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2004/08/22 17:04:56 | 00,069,120 | ---- | C] () -- C:\WINDOWS\daemon.dll

========== Files - Modified Within 30 Days ==========

[8 C:\WINDOWS\System32\*.tmp files]
[6 C:\WINDOWS\*.tmp files]
[2009/05/04 16:46:52 | 00,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/05/04 16:34:13 | 00,094,208 | ---- | M] () -- C:\Documents and Settings\Nicolas_2\Desktop\GooredFix.exe
[2009/05/04 16:25:34 | 00,063,430 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/05/04 16:25:30 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/05/04 16:19:28 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\Nicolas_2\Local Settings\desktop.ini
[2009/05/04 16:17:15 | 00,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2009/05/04 16:16:57 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/05/04 16:16:48 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/05/01 21:01:32 | 00,213,520 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klif.sys
[2009/05/01 21:01:32 | 00,033,808 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klbg.sys
[2009/05/01 21:01:31 | 00,101,287 | ---- | M] () -- C:\WINDOWS\System32\drivers\klin.dat
[2009/05/01 21:01:31 | 00,089,601 | ---- | M] () -- C:\WINDOWS\System32\drivers\klick.dat
[2009/05/01 17:00:35 | 00,000,388 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2009/04/30 06:27:51 | 16,409,960 | ---- | M] (Safer Networking Limited ) -- C:\Documents and Settings\Nicolas_2\Desktop\spybotsd162.exe
[2009/04/29 20:04:41 | 00,001,548 | ---- | M] () -- C:\Documents and Settings\Nicolas_2\Desktop\CCleaner.lnk
[2009/04/29 18:19:01 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/04/29 18:18:47 | 00,015,688 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
[2009/04/29 18:18:38 | 00,064,160 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2009/04/20 18:08:02 | 17,003,4491 | ---- | M] () -- C:\Documents and Settings\Nicolas_2\Desktop\tsl_ambience_improvement.zip
[2009/04/16 06:12:00 | 00,575,776 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/04/16 06:12:00 | 00,479,564 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/04/16 06:12:00 | 00,085,442 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/04/11 20:33:26 | 16,974,2993 | ---- | M] () -- C:\Documents and Settings\Nicolas_2\Desktop\gv.com.BrokenPixelsS02E01WireheadSegaCD_640x480.wmv
[2009/04/09 16:12:20 | 00,000,441 | ---- | M] () -- C:\WINDOWS\kaillera.ini
[2009/04/07 17:23:39 | 00,002,265 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Skype.lnk
[2009/04/06 10:57:24 | 24,921,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe

========== Alternate Data Streams ==========

@Alternate Data Stream - 129 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:05EE1EEF
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP:888AFB86
< End of report >



And finally, the Goored log:

GooredFix v1.92 by jpshortstuff
Log created at 16:34 on 04/05/2009 running Option #1 (Nicolas_2)
Firefox version 3.0.10 (en-US)

=====Suspect Goored Entries=====

C:\Program Files\Mozilla Firefox\extensions\{FB4ED38D-7DB0-46CA-931B-4436158F7F34}

C:\Program Files\Mozilla Firefox\extensions\{F9F92DA8-E4E5-4635-AA8C-1C8AA294D394}

C:\Program Files\Mozilla Firefox\extensions\{F4917B1F-1822-4980-819E-5639140FF8D3}

C:\Program Files\Mozilla Firefox\extensions\{F1A2FB3B-B16A-4988-B308-B22B274CEA30}

C:\Program Files\Mozilla Firefox\extensions\{E6DBD082-ABF0-44EE-9AD7-0D71F74BC0E5}

C:\Program Files\Mozilla Firefox\extensions\{E57C25A9-CFE2-47FC-B213-F81E4A9D971C}

C:\Program Files\Mozilla Firefox\extensions\{E473719E-95AB-42B6-A052-44705B2F90DF}

C:\Program Files\Mozilla Firefox\extensions\{DC3D3503-359F-4C88-AB7B-E21A6604551A}

C:\Program Files\Mozilla Firefox\extensions\{D0B872BA-8179-4271-9DFF-C479531567A8}

C:\Program Files\Mozilla Firefox\extensions\{CC683057-4CC9-424D-A3CF-9A9BCF65852D}

C:\Program Files\Mozilla Firefox\extensions\{BBF18185-B3D0-4303-887C-7F7ED0909768}

C:\Program Files\Mozilla Firefox\extensions\{B60E8E39-8A54-482B-91C4-4B11D7641B0E}

C:\Program Files\Mozilla Firefox\extensions\{B04ABCF3-0465-429A-932F-BDAEE9C24E23}

C:\Program Files\Mozilla Firefox\extensions\{A88EF7BE-9F47-4652-A893-9BE70FB47927}

C:\Program Files\Mozilla Firefox\extensions\{A112CA34-52F6-43A9-A01A-9BC04FC22B74}

C:\Program Files\Mozilla Firefox\extensions\{A0F2F9EB-CA5C-474D-B5B2-21DB1EB1FD5A}

C:\Program Files\Mozilla Firefox\extensions\{841BD3C0-2E81-427C-A51B-AF54DCCF0697}

C:\Program Files\Mozilla Firefox\extensions\{83BEEA88-ECD8-47E4-BE07-EA8D54A4E466}

C:\Program Files\Mozilla Firefox\extensions\{7C7C462A-F7DD-48A0-8E20-AE318F05A660}

C:\Program Files\Mozilla Firefox\extensions\{76C7816B-3FD7-4E2F-ACFF-497F821AC894}

C:\Program Files\Mozilla Firefox\extensions\{6E861D53-9364-4632-82B5-3D52C6CDD293}

C:\Program Files\Mozilla Firefox\extensions\{6A8A548D-7F64-4BD8-ADD1-9451A552F657}

C:\Program Files\Mozilla Firefox\extensions\{62160CC9-6A7A-4E20-B86D-DB7BB001AE8A}

C:\Program Files\Mozilla Firefox\extensions\{5CD2542C-B367-493E-946B-3A5CEFF6FD2D}

C:\Program Files\Mozilla Firefox\extensions\{59E0F413-490D-4EE8-A96B-A525E0D1F4CE}

C:\Program Files\Mozilla Firefox\extensions\{550B39AF-D922-406C-87D0-66D808EEC7CD}

C:\Program Files\Mozilla Firefox\extensions\{3EC0F8E7-5191-4CDC-B5D0-9F9C407C9565}

C:\Program Files\Mozilla Firefox\extensions\{27BFC822-4982-486E-87D0-8EDA5B025594}

C:\Program Files\Mozilla Firefox\extensions\{1768527C-FEA1-4C54-BA62-021F5AE6CA7D}

C:\Program Files\Mozilla Firefox\extensions\{0A2E1FAB-7AF8-4F7B-812F-1AFDBC8CFB77}

C:\Program Files\Mozilla Firefox\extensions\{084DB72C-888A-4FB2-AB7D-6EEEA05CE357}

C:\Program Files\Mozilla Firefox\extensions\{008E309A-BEF2-490B-8C93-5F4F960212E0}

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

Edited by Ferrous, 04 May 2009 - 04:15 PM.


#6 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 05 May 2009 - 09:22 AM

Looks like you performed the Java update perfectly! :thumbup2:

Please double-click Goored.exe on your Desktop to run it. Select "2. Fix Goored" by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open; please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).


Now open up Firefox and check to see if you are still being redirected.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 Ferrous
  • Topic Starter

  • Members
  • 7 posts

Posted 05 May 2009 - 07:19 PM

I got rid of the problem in Firefox using the GooredFix. I read it's supposed to fix a trojan called Goored that was included in a Firefox update. However, using search engines on Internet Explorer still gets me redirects, so the problem probably isn't just Goored. Here is the Goored log:

GooredFix v1.92 by jpshortstuff
Log created at 16:15 on 05/05/2009 running Option #2 (Nicolas_2)
Firefox version 3.0.10 (en-US)

=====Goored Deletions=====
C:\Program Files\Mozilla Firefox\extensions\{FB4ED38D-7DB0-46CA-931B-4436158F7F34}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{F9F92DA8-E4E5-4635-AA8C-1C8AA294D394}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{F4917B1F-1822-4980-819E-5639140FF8D3}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{F1A2FB3B-B16A-4988-B308-B22B274CEA30}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{E6DBD082-ABF0-44EE-9AD7-0D71F74BC0E5}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{E57C25A9-CFE2-47FC-B213-F81E4A9D971C}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{E473719E-95AB-42B6-A052-44705B2F90DF}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{DC3D3503-359F-4C88-AB7B-E21A6604551A}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{D0B872BA-8179-4271-9DFF-C479531567A8}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{CC683057-4CC9-424D-A3CF-9A9BCF65852D}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{BBF18185-B3D0-4303-887C-7F7ED0909768}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{B60E8E39-8A54-482B-91C4-4B11D7641B0E}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{B04ABCF3-0465-429A-932F-BDAEE9C24E23}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{A88EF7BE-9F47-4652-A893-9BE70FB47927}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{A112CA34-52F6-43A9-A01A-9BC04FC22B74}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{A0F2F9EB-CA5C-474D-B5B2-21DB1EB1FD5A}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{841BD3C0-2E81-427C-A51B-AF54DCCF0697}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{83BEEA88-ECD8-47E4-BE07-EA8D54A4E466}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{7C7C462A-F7DD-48A0-8E20-AE318F05A660}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{76C7816B-3FD7-4E2F-ACFF-497F821AC894}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{6E861D53-9364-4632-82B5-3D52C6CDD293}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{6A8A548D-7F64-4BD8-ADD1-9451A552F657}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{62160CC9-6A7A-4E20-B86D-DB7BB001AE8A}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{5CD2542C-B367-493E-946B-3A5CEFF6FD2D}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{59E0F413-490D-4EE8-A96B-A525E0D1F4CE}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{550B39AF-D922-406C-87D0-66D808EEC7CD}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{3EC0F8E7-5191-4CDC-B5D0-9F9C407C9565}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{27BFC822-4982-486E-87D0-8EDA5B025594}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{184D7080-E736-4A8D-A9BF-0E35635A8101}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{1768527C-FEA1-4C54-BA62-021F5AE6CA7D}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{0A2E1FAB-7AF8-4F7B-812F-1AFDBC8CFB77}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{084DB72C-888A-4FB2-AB7D-6EEEA05CE357}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{008E309A-BEF2-490B-8C93-5F4F960212E0}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

#8 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 06 May 2009 - 08:38 AM

A redirection with IE is a separate issue.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot of the message]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

========================================================
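The ComboFix log in the reply that follows lists six files and one service whose names share the prefix ovfsth followed by a long random suffix. As an added example, not part of the thread and not ComboFix's own code, this Python script parses such log lines, flags names that are long, purely alphabetic and vowel-poor, and groups them by shared prefix; the thresholds are my own heuristic and the sample lines are copied from that log.

```python
"""Heuristic triage of ComboFix log lines for random-named files and services.

Added example for this thread, not part of the original post and not
ComboFix's own code; the scoring thresholds are my own heuristic.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the ComboFix log posted in the
# thread (Other Deletions, Drivers/Services and Files Created sections).
SAMPLE_LOG = r"""
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\system32\drivers\ovfsthvuyqcsrqhmhtfydvheurgaorgrgqsnom.sys
c:\windows\system32\ovfsthesqsalccdnosjlfppxvjdcwbirmmdlyx.dll
c:\windows\system32\ovfsthfnbaivkkpkarenyppqmyxhusnabbeelt.dat
c:\windows\system32\ovfsthmuplgevgxfefnprlhvygrhxnvfarwbrn.dll
c:\windows\system32\ovfsthotqvohfxwnfuplhvanynuadfoulpvolp.dat
c:\windows\system32\ovfsthyiyevpkbklrkkuddhjhtvpjjiqcfcfvo.dll
-------\Service_ovfsthtaxtndjkdsmlkaybabuyxmyyopvxmovv
2009-05-07 00:15 . 2009-05-07 00:39 491552 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-05-04 20:32 . 2009-05-04 20:32 -------- d-----w c:\program files\Java
2009-05-02 00:54 . 2009-05-02 01:01 101287 ----a-w c:\windows\system32\drivers\klin.dat
2009-04-21 10:05 . 2009-04-21 10:05 21704 ----a-w c:\documents and settings\Rosita.FERRO-8588ED12C\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-15 19:29 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
"""

# Line shapes in the log: a bare path (deletions), a removed-service
# marker, and a dated entry "<created> . <modified> <size> <attrs> <path>".
DATED_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}"
    r"\s+\S+\s+\S+\s+(?P<path>.+)$")
SERVICE_LINE = re.compile(r"^-------\\Service_(?P<name>\S+)$")
BARE_PATH = re.compile(r"^[A-Za-z]:\\.+$")

# Thresholds (mine, not ComboFix's): a stem this long, made only of
# letters and this poor in vowels does not look like a vendor file name.
MIN_LEN = 20
MAX_VOWEL_RATIO = 0.30
VOWELS = set("aeiou")


def extract_names(log_text):
    """Yield (kind, name) for each file path or service name in the log."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = DATED_LINE.match(line)
        if m:
            yield "file", m.group("path").rsplit("\\", 1)[-1]
            continue
        m = SERVICE_LINE.match(line)
        if m:
            yield "service", m.group("name")
            continue
        if BARE_PATH.match(line):
            yield "file", line.rsplit("\\", 1)[-1]


def stem_of(name):
    """File name without its extension; a service name has none."""
    return name.rsplit(".", 1)[0]


def looks_random(stem):
    """True when a stem is long, purely alphabetic and vowel-poor."""
    s = stem.lower()
    if len(s) < MIN_LEN or not s.isalpha():
        return False
    return sum(c in VOWELS for c in s) / len(s) < MAX_VOWEL_RATIO


def random_named(log_text):
    """All (kind, name) entries whose stem looks machine-generated."""
    return [(k, n) for k, n in extract_names(log_text)
            if looks_random(stem_of(n))]


def families(log_text, prefix_len=6):
    """Group flagged names by shared leading prefix; several random names
    across files and a service (ovfsth... in the posted log) is a
    stronger signal than any single name."""
    groups = defaultdict(list)
    for kind, name in random_named(log_text):
        groups[stem_of(name)[:prefix_len].lower()].append((kind, name))
    return {p: m for p, m in groups.items() if len(m) >= 2}


if __name__ == "__main__":
    for prefix, members in families(SAMPLE_LOG).items():
        print(f"family {prefix}*: {len(members)} entries")
        for kind, name in members:
            print(f"  {kind:8} {name}")
```

The AppPatch\Custom .sdb entry in the same section is deliberately not caught by the name heuristic; it is a reminder that a name-based check is a triage aid, not a substitute for reading the whole log.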

#9 Ferrous
  • Topic Starter

  • Members
  • 7 posts

Posted 07 May 2009 - 04:05 PM

So Internet Explorer is fixed, but for some reason Google searches in Firefox are getting me redirected again. Anyways, here is the log for ComboFix.

ComboFix 09-05-06.02 - Nicolas_2 05/06/2009 20:18.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.641 [GMT -4:00]
Running from: c:\documents and settings\Nicolas_2\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Outdated)
FW: Kaspersky Internet Security *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\system32\drivers\ovfsthvuyqcsrqhmhtfydvheurgaorgrgqsnom.sys
c:\windows\system32\ovfsthesqsalccdnosjlfppxvjdcwbirmmdlyx.dll
c:\windows\system32\ovfsthfnbaivkkpkarenyppqmyxhusnabbeelt.dat
c:\windows\system32\ovfsthmuplgevgxfefnprlhvygrhxnvfarwbrn.dll
c:\windows\system32\ovfsthotqvohfxwnfuplhvanynuadfoulpvolp.dat
c:\windows\system32\ovfsthyiyevpkbklrkkuddhjhtvpjjiqcfcfvo.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthtaxtndjkdsmlkaybabuyxmyyopvxmovv


((((((((((((((((((((((((( Files Created from 2009-04-07 to 2009-05-07 )))))))))))))))))))))))))))))))
.

2009-05-07 00:15 . 2009-05-07 00:39 491552 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-05-07 00:15 . 2009-05-07 00:40 1637920 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-05-04 20:32 . 2009-05-04 20:32 -------- d-----w c:\program files\Java
2009-05-04 20:14 . 2009-05-04 20:14 -------- d-----w C:\_OTListIt
2009-05-04 20:11 . 2009-05-04 20:23 -------- d-----w c:\program files\Computer scanners
2009-05-02 00:54 . 2009-05-02 01:01 101287 ----a-w c:\windows\system32\drivers\klin.dat
2009-05-02 00:54 . 2009-05-02 01:01 89601 ----a-w c:\windows\system32\drivers\klick.dat
2009-05-02 00:54 . 2009-05-02 00:54 -------- d-----w c:\program files\Kaspersky Lab
2009-05-02 00:54 . 2009-05-07 00:39 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2009-05-02 00:29 . 2009-05-02 00:29 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Kaspersky Lab Setup Files
2009-04-30 10:59 . 2009-05-02 00:50 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-04-30 00:04 . 2009-04-30 00:04 -------- d-----w c:\program files\CCleaner
2009-04-30 00:00 . 2009-04-29 22:18 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-29 22:18 . 2009-04-29 22:18 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-29 22:17 . 2009-04-29 22:18 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft
2009-04-29 11:06 . 2009-04-29 22:17 -------- dc-h--w c:\documents and settings\All Users.WINDOWS\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-21 10:05 . 2009-04-21 10:05 21704 ----a-w c:\documents and settings\Rosita.FERRO-8588ED12C\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-20 13:51 . 2009-04-20 13:51 -------- d-----w c:\documents and settings\Spare.FERRO-8588ED12C\Application Data\ICAClient
2009-04-20 13:50 . 2009-04-20 13:50 -------- d-----w c:\documents and settings\Spare.FERRO-8588ED12C\Application Data\Runaware
2009-04-20 13:08 . 2009-04-20 13:08 -------- d-----w c:\documents and settings\Spare.FERRO-8588ED12C\Local Settings\Application Data\Mozilla
2009-04-20 13:08 . 2009-04-20 13:08 -------- d-----w c:\documents and settings\Spare.FERRO-8588ED12C\Local Settings\Application Data\Adobe
2009-04-15 19:29 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 19:29 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 19:29 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 19:29 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 19:29 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 19:29 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 19:29 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 19:29 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 19:29 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 19:29 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 19:29 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-07 00:40 . 2009-05-07 00:15 15008 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-05-07 00:35 . 2009-05-07 00:15 3780 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-05-04 20:32 . 2009-02-13 14:25 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-04 20:32 . 2009-05-04 20:32 0 ----a-w c:\windows\system32\RENF.tmp
2009-05-04 20:32 . 2009-05-04 20:32 0 ----a-w c:\windows\system32\REN11.tmp
2009-05-04 20:32 . 2009-05-04 20:32 0 ----a-w c:\windows\system32\REN10.tmp
2009-05-02 01:01 . 2008-01-29 22:29 33808 ----a-w c:\windows\system32\drivers\klbg.sys
2009-05-02 00:50 . 2005-07-17 05:36 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-29 22:17 . 2005-07-17 05:35 -------- d-----w c:\program files\Lavasoft
2009-04-20 22:33 . 2008-06-05 22:56 -------- d-----w c:\program files\StepMania CVS
2009-04-06 23:42 . 2008-08-11 02:46 -------- d-----w c:\program files\Avidemux 2.4
2009-04-03 22:37 . 2009-03-10 01:37 -------- d-----w c:\program files\Oldgames
2009-04-03 21:12 . 2008-03-17 02:36 21704 ----a-w c:\documents and settings\Nicolas_2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-03 21:09 . 2009-04-03 21:09 -------- d-----w c:\program files\Screaming Bee
2009-03-25 23:48 . 2009-03-25 23:48 -------- d-----r c:\program files\Skype
2009-03-16 23:39 . 2008-08-04 01:48 -------- d-----w c:\program files\Watchtower
2009-03-06 14:22 . 2007-07-27 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2007-07-27 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2007-07-27 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2007-07-27 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2007-07-27 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2007-07-27 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2007-07-27 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2007-07-27 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2007-07-27 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2007-07-27 12:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2007-07-27 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-07-18 451872]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 52\axcmd.exe" [2008-03-20 216520]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2007-03-05 1103480]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-03-11 24095528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-01 7618560]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2007-07-27 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2007-07-27 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2007-07-27 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2007-07-27 455168]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-04-29 516440]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-05-02 206088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-04 148888]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-06-01 1519616]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-07-01 67584]
"NvMediaCenter"="NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2006-06-01 86016]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\StepMania CVS\\Program\\StepMania.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 6:29 PM 33808]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/29/2009 6:18 PM 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 953168]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [3/13/2008 7:02 PM 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 6:06 PM 24592]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [9/7/2008 8:02 PM 21920]
S3 AC2003;AC2003;c:\windows\system32\drivers\AC2003.sys [3/16/2008 10:48 PM 4224]
S3 MSSQL$SONY_MEDIAMGR2;SQL Server (SONY_MEDIAMGR2);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 5:29 AM 29178224]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\KIS2009.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\autorun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-05-04 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 22:18]

2009-05-07 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-03-17 21:53]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
FF - ProfilePath - c:\documents and settings\Nicolas_2\Application Data\Mozilla\Firefox\Profiles\prfsper6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-06 20:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1976)
c:\windows\system32\nview.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\nexon\Mabinogi\npkcmsvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2009-05-07 20:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-07 00:48

Pre-Run: 24,547,221,504 bytes free
Post-Run: 33,942,011,904 bytes free

214 --- E O F --- 2009-04-16 02:20

#10 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 07 May 2009 - 04:46 PM

Run option 1 again from GooredFix and post that log for me.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.

Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 Ferrous
  • Topic Starter

  • Members
  • 7 posts

Posted 08 May 2009 - 01:16 PM

Okay. Another GooredLog. Also, is an extension from a Firefox update actually what causes Goored to be on my computer in the first place?

GooredFix v1.92 by jpshortstuff
Log created at 13:47 on 08/05/2009 running Option #1 (Nicolas_2)
Firefox version 3.0.10 (en-US)

=====Suspect Goored Entries=====

C:\Program Files\Mozilla Firefox\extensions\{474D2AE3-92CE-4C74-ABA4-57C4FF450DCF}

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"
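
The "Suspect Goored Entries" line above points at a folder named by a GUID that was dropped straight into Firefox's program-level extensions directory, while the registry section lists only the extensions that were installed the normal way (here jqs@sun.com, registered under HKLM\SOFTWARE\Mozilla\Firefox\extensions). The script below is an added example, not part of this thread and not GooredFix's own code: it reproduces that triage idea offline on a constructed directory tree plus the registry section copied from the log above. The function names, the known-good allowlist (seeded with the GUID of the Firefox 3 default theme, which is an assumption of mine) and the sample tree are all my own.

```python
import os
import re
import tempfile

# Constructed sample: the registry section exactly as GooredFix printed it above.
SAMPLE_REGISTRY_DUMP = r"""
=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"
"""

# A COM-style GUID folder name such as {474D2AE3-92CE-4C74-ABA4-57C4FF450DCF}
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE)

# Assumed allowlist: the Firefox 3 default theme legitimately lives in the global
# extensions folder under this GUID. Extend it only with folders you have vetted.
KNOWN_GOOD_GUIDS = {"{972ce4c6-7e08-4474-a285-3208198ce6fd}"}


def _norm(path):
    """Normalise a Windows path for comparison (case-insensitive, backslashes)."""
    return path.replace("/", "\\").rstrip("\\").lower()


def parse_registry_dump(text):
    """Parse the 'Dumping Registry Values' section into {key: {value_name: data}}."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            current = key.group(1)
            entries.setdefault(current, {})
            continue
        val = re.match(r'^"([^"]+)"="([^"]*)"$', line)
        if val and current is not None:
            entries[current][val.group(1)] = val.group(2)
    return entries


def registered_extension_dirs(entries):
    """Install locations declared under ...\\Mozilla\\Firefox\\extensions (any hive)."""
    dirs = set()
    for key, values in entries.items():
        if _norm(key).endswith(r"\mozilla\firefox\extensions"):
            dirs.update(_norm(v) for v in values.values())
    return dirs


def find_suspect_extensions(extensions_dir, registry_text, known_good=KNOWN_GOOD_GUIDS):
    """Return GUID-named folders in the global extensions directory that are neither
    on the allowlist nor registered in the registry: candidates for manual review."""
    registered = registered_extension_dirs(parse_registry_dump(registry_text))
    known = {g.lower() for g in known_good}
    suspects = []
    for name in sorted(os.listdir(extensions_dir)):
        full = os.path.join(extensions_dir, name)
        if not os.path.isdir(full) or not GUID_RE.match(name):
            continue  # files and non-GUID folders are out of scope for this heuristic
        if name.lower() in known or _norm(full) in registered:
            continue
        suspects.append(name)
    return suspects


def run_demo():
    """Build a constructed extensions folder and return the suspect folder names."""
    with tempfile.TemporaryDirectory() as root:
        ext = os.path.join(root, "Mozilla Firefox", "extensions")
        for folder in ("{474D2AE3-92CE-4C74-ABA4-57C4FF450DCF}",  # the entry from the log
                       "{972ce4c6-7e08-4474-a285-3208198ce6fd}"):  # default theme, allowlisted
            os.makedirs(os.path.join(ext, folder))
        os.makedirs(os.path.join(ext, "sample-addon@example.org"))  # non-GUID id, ignored
        with open(os.path.join(ext, "readme.txt"), "w") as fh:      # plain file, ignored
            fh.write("constructed sample\n")
        return find_suspect_extensions(ext, SAMPLE_REGISTRY_DUMP)


if __name__ == "__main__":
    for name in run_demo():
        print("suspect:", name)
```

The heuristic deliberately reports rather than deletes: a GUID-named folder in the program-level directory is worth a look because that location is written by installers and by malware, not by the user adding an add-on, but the decision to remove it still belongs to whoever reviews the folder's contents.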

#12 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 09 May 2009 - 01:06 PM

Yes, that is my understanding.

Please double-click Goored.exe on your Desktop to run it. Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).


========================================================

#13 Ferrous
  • Topic Starter

  • Members
  • 7 posts

Posted 11 May 2009 - 07:22 PM

I think you finally fixed it. I tried rebooting the computer since some people reported that that made the trojan return, and even after the reboot, the Google searches were not redirected. It seems strange that the virus would come from a legitimate Firefox update though. Anyways, here's the log.

GooredFix v1.92 by jpshortstuff
Log created at 18:58 on 10/05/2009 running Option #2 (Nicolas_2)
Firefox version 3.0.10 (en-US)
(Subsequent Run)

=====Goored Deletions=====
C:\Program Files\Mozilla Firefox\extensions\{474D2AE3-92CE-4C74-ABA4-57C4FF450DCF}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

I thank you so much for taking up your time to help some random guy on the internet.

#14 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 12 May 2009 - 10:30 AM

It's not a legitimate Firefox update. It's a malicious extension.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.


========================================================

#15 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 29 May 2009 - 12:29 PM

Unfortunately there has been no response.
This thread will now be closed.


========================================================
