
Infected with bestwebsearch forwarder and bestscanpc malware


This topic is locked
26 replies to this topic

#1 mot1thom
  • Members
  • 16 posts

Posted 20 August 2009 - 02:20 PM

Hey guys, recently my computer has been infected with the "best web search" malware redirector; at first I thought it was the Conficker worm, as it also blocked access to McAfee and other anti-virus websites, however the Symantec remover found nothing. I've gone through the 8 steps in the prep guide and have everything except the RootRepeal log, as every time I tried to run it, it would crash my computer while trying to initialize. Also, last night I came home from work and my wife was doing some projects offline; however, my router, modem, and the connector light for this computer were flashing like crazy with Ethernet traffic even though this is the only machine currently running. I immediately disconnected it from the network and the traffic seems to have ceased since; I just thought I'd add it as it seemed very out of place.

Below is the DDS log; if you could tell me which items to remove to correct this (and anything else that looks out of place), I'd be much appreciative.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Thom at 10:57:27.87 on Thu 08/20/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.512.164 [GMT -7:00]

AV: Webroot AntiVirus with AntiSpyware *On-access scanning enabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}

============== Running Processes ===============

C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Documents and Settings\Thom\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
uSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: SFCDisable=4 (0x4)
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - No File
TB: {40D41A8B-D79B-43D7-99A7-9EE0F344C385} - No File
TB: {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
mRun: [CTSysVol] "c:\program files\creative\sound blaster\surround mixer\CTSysVol.exe" /r
mRun: [NvCplDaemon] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] "c:\windows\system32\nwiz.exe" /install
mRun: [NvMediaCenter] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [LXCFCATS] "c:\windows\system32\rundll32.exe" c:\windows\system32\spool\drivers\w32x86\3\LXCFtime.dll,_RunDLLEntry@16
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Nikon Transfer Monitor] c:\program files\common files\nikon\monitor\NkMonitor.exe
mRun: [UserFaultCheck] "%systemroot%\system32\dumprep" 0 -u
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NeroCheck] "c:\windows\system32\NeroCheck.exe"
mRun: [SpySweeper] "c:\program files\webroot\spy sweeper\SpySweeperUI.exe" /startintray
StartupFolder: c:\docume~1\thom\startm~1\programs\startup\nikonm~1.lnk - c:\program files\common files\nikon\monitor\NkMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: aol.com\free
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238559437578
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: 24e9012e658 - c:\windows\system32\deploytk32.dll
AppInit_DLLs: c:\windows\system32\deploytk32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {67CB4C62-16CA-45E3-9BA6-E81277C0F0FE} - No File
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 c:\\windows\\system32\\awtsr

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-8-9 29808]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\spy sweeper\SpySweeper.exe [2009-4-21 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\spy sweeper\WRConsumerService.exe [2009-1-31 1205760]
R3 inibtmgr;WD Bridge Controller Driver;c:\windows\system32\drivers\inibtmgr.sys [2005-8-27 9728]
R3 sbusb;Sound Blaster USB Audio Driver;c:\windows\system32\drivers\sbusb.sys [2004-1-28 632576]
S2 Ca533av;Icatch(IV) Video Camera Device;c:\windows\system32\drivers\ca533av.sys --> c:\windows\system32\drivers\Ca533av.sys [?]
S3 dump_wmimmc;dump_wmimmc;\??\c:\ijji\english\gunz\gameguard\dump_wmimmc.sys --> c:\ijji\english\gunz\gameguard\dump_wmimmc.sys [?]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2008-1-24 11520]
S3 USBCamera;Icatch(IV) Still Camera Device;c:\windows\system32\drivers\bulk533.sys --> c:\windows\system32\drivers\Bulk533.sys [?]
S3 XDva031;XDva031;\??\c:\windows\system32\xdva031.sys --> c:\windows\system32\XDva031.sys [?]

=============== Created Last 30 ================

2009-08-19 09:26 <DIR> --d----- c:\program files\Trend Micro
2009-08-18 13:32 17,428 a------- c:\windows\GnuHashes.ini
2009-08-18 13:24 616 a--sh--- c:\windows\system32\GroupPolicy000.dat
2009-08-18 13:24 518,144 a--sh--- c:\windows\system32\A3.tmp
2009-08-18 12:20 0 a------- c:\windows\system32\A2.tmp
2009-08-18 09:24 <DIR> --dsh--- c:\windows\system32\SystemX86
2009-08-17 20:08 57,344 -------- c:\windows\system32\ImageDrive.cpl
2009-08-17 20:08 89,184 -------- c:\windows\system32\drivers\imagedrv.sys
2009-08-17 20:07 38,912 a------- c:\windows\system32\picn20.dll
2009-08-17 20:07 569,344 a------- c:\windows\system32\imagr5.dll
2009-08-17 20:07 544,768 a------- c:\windows\system32\imagx5.dll
2009-08-17 20:07 283,920 a------- c:\windows\system32\ImagXpr5.dll
2009-08-17 20:06 155,648 a------- c:\windows\system32\NeroCheck.exe
2009-08-17 17:24 122,368 a------- c:\windows\system32\deploytk32.dll
2009-08-17 16:46 <DIR> --d----- c:\docume~1\thom\applic~1\InfraRecorder
2009-08-12 16:23 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 16:23 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-08 17:08 73,728 a------- c:\windows\system32\javacpl.cpl
2009-08-05 02:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll

==================== Find3M ====================

2009-08-20 10:46 106,496 a------- c:\windows\system32\ATL71.DLL
2009-08-20 10:45 1,744 a------- c:\windows\system32\d3d9caps.dat
2009-08-20 09:07 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLdu.DAT
2009-08-05 02:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-01 22:26 1,632 a------- c:\windows\system32\d3d8caps.dat
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-17 12:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-03 10:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-16 07:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 05:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 05:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 07:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-09 23:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-03 12:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-25 00:24 350,208 -------- c:\windows\system32\mssph.dll
2009-02-26 16:53 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLdw.DAT
2007-09-26 23:51 2,102,260 ---sh--- c:\windows\system32\rstwa.bak2
2008-09-24 22:22 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092420080925\index.dat

============= FINISH: 10:59:24.92 ===============


Thanks in advance!
~Thom

Edited by mot1thom, 20 August 2009 - 02:25 PM.
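A few entries in the DDS log above are the ones a malware analyst would look at before anything else: `mWinlogon: SFCDisable=4` (Windows File Protection switched off), the `Notify:` and `AppInit_DLLs:` entries both pointing at `c:\windows\system32\deploytk32.dll`, a file the "Created Last 30" list shows appearing on 2009-08-17 (the Java runtime's own `deploytk.dll`, dated the same day as the Java binaries, is listed separately under Find3M), and the LSA `Authentication Packages` value, which normally contains only `msv1_0` on Windows XP and here carries an extra `awtsr` path that LSASS will load at boot. The later OTL log adds a per-user Run entry launching `_A00F3B42E.exe` from the Temp folder. The script below is an added triage example written for this page, not a tool from the thread or from BleepingComputer: it parses DDS and OTL load-point lines, correlates them with the "Created Last 30" list, and ranks them. The sample input is a subset of the lines posted in this thread; the severity labels, the Temp-folder heuristic and the assumption that only `msv1_0` is expected in Authentication Packages are this example's own.

```python
"""Persistence triage over DDS / OTL log lines.

Added example for this page; not a tool from the thread. It flags the load
points a malware analyst checks first and correlates them with the DDS
"Created Last 30" file list. Severity labels are this example's own choice.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of lines copied from the DDS and OTL logs above.
SAMPLE_LOG = r"""
mWinlogon: SFCDisable=4 (0x4)
mRun: [SpySweeper] "c:\program files\webroot\spy sweeper\SpySweeperUI.exe" /startintray
Notify: 24e9012e658 - c:\windows\system32\deploytk32.dll
AppInit_DLLs: c:\windows\system32\deploytk32.dll
LSA: Authentication Packages = msv1_0 c:\\windows\\system32\\awtsr
2009-08-17 17:24 122,368 a------- c:\windows\system32\deploytk32.dll
2009-08-18 09:24 <DIR> --dsh--- c:\windows\system32\SystemX86
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKU\S-1-5-21-602162358-1770027372-839522115-1003..\Run: [A00F3B42E.exe] C:\Documents and Settings\Thom\Local Settings\Temp\_A00F3B42E.exe ()
"""

# Assumption: on a stock Windows XP install LSA "Authentication Packages" holds only msv1_0.
KNOWN_AUTH_PACKAGES = {"msv1_0"}

# DDS "Created Last 30" entries: date time size attrs path
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\S+\s+\S+\s+(?P<path>.+)$")
# DDS uRun/mRun lines and OTL "O4 - ...\Run:" lines share the "[name] command" shape
RUN_RE = re.compile(r"^(?:[um]Run|O4 - HK\S+\.\.\\Run): \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
# Heuristic: an autostart pointing into a Temp directory is rarely legitimate
TEMP_RE = re.compile(r"\\(?:local settings\\)?temp\\", re.IGNORECASE)


@dataclass
class Finding:
    severity: str    # "high" | "medium" | "info"
    load_point: str  # persistence mechanism the entry uses
    target: str      # file, value or entry name involved
    reason: str


def triage(log_text: str) -> list[Finding]:
    """Return one Finding for every load point worth a second look."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    findings: list[Finding] = []

    # Pass 1: paths created in the last 30 days, for correlation with load points.
    recent = {m.group("path").lower() for ln in lines if (m := CREATED_RE.match(ln))}

    # Pass 2: the load points themselves.
    for ln in lines:
        low = ln.lower()
        if low.startswith("mwinlogon: sfcdisable="):
            val = re.search(r"sfcdisable=(\d+)", low).group(1)
            if val != "0":
                findings.append(Finding("high", "Winlogon", f"SFCDisable={val}",
                                        "Windows File Protection is switched off"))
        elif low.startswith(("notify:", "appinit_dlls:")):
            # "Notify: <name> - <dll>" or "AppInit_DLLs: <dll>"; both load the DLL into other processes
            point, _, rest = ln.partition(":")
            dll = rest.split(" - ")[-1].strip()
            if dll.lower() in recent:
                findings.append(Finding("high", point, dll,
                                        "DLL loaded into other processes and created in the last 30 days"))
            else:
                findings.append(Finding("medium", point, dll, "DLL loaded into other processes"))
        elif low.startswith("lsa: authentication packages"):
            for pkg in ln.split("=", 1)[1].split():
                if pkg.lower() not in KNOWN_AUTH_PACKAGES:
                    findings.append(Finding("high", "LSA Authentication Packages", pkg,
                                            "extra package loaded by lsass.exe at boot"))
        elif (m := RUN_RE.match(ln)):
            name, cmd = m.group("name"), m.group("cmd")
            if "file not found" in cmd.lower():
                findings.append(Finding("info", "Run", name, "stale entry, target missing"))
            elif TEMP_RE.search(cmd):
                findings.append(Finding("high", "Run", name, "autostart executable lives under Temp"))
    return findings


def count_by_severity(findings: list[Finding]) -> dict[str, int]:
    """Tally findings per severity so the worst entries can be handled first."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: f.severity):
        print(f"[{f.severity:6}] {f.load_point}: {f.target} -- {f.reason}")
```

On the sample above the script reports five high-severity findings (the disabled File Protection, the two `deploytk32.dll` load points, the extra LSA package, and the Temp-folder Run entry) and one informational stale Run entry; the Webroot `mRun` line produces nothing. The correlation step is the useful part: a DLL in a process-wide load point is only "medium" on its own, but the same DLL appearing in the recently-created list is what moves it to the top of the list to check.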



#2 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 29 August 2009 - 03:27 PM

Hello!
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.




We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the "Run Scan" button.
  • The scan should take just a few minutes.
  • Copy the log that opens up and paste it back here in your next reply.


==================



Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run, click Copy and paste the results (if any) into this thread.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 mot1thom
  • Topic Starter
  • Members
  • 16 posts

Posted 29 August 2009 - 11:46 PM

Hi Sam, thanks for getting back to me! I was getting worried that I would end up buried!
Anyway, below are the requested scan results.

OTL REPORT
OTL logfile created on: 8/29/2009 3:23:44 PM - Run 1
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Documents and Settings\Thom\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.53 Mb Total Physical Memory | 85.75 Mb Available Physical Memory | 16.76% Memory free
1.44 Gb Paging File | 0.99 Gb Available in Paging File | 68.58% Paging File free
Paging file location(s): C:\pagefile.sys 1000 1500 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 16.00 Gb Total Space | 2.30 Gb Free Space | 14.40% Space Free | Partition Type: NTFS
Drive D: | 41.25 Gb Total Space | 25.23 Gb Free Space | 61.16% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MISCOMPUTER
Current User Name: Thom
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/07/16 13:38:10 | 01,205,760 | ---- | M] (Webroot Software, Inc. ) -- C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
PRC - [2009/03/26 15:31:20 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2009/07/25 05:23:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2004/07/15 12:42:00 | 00,114,755 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe
PRC - [2009/04/21 18:26:52 | 04,048,240 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
PRC - [2000/06/26 05:44:20 | 00,053,520 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MsPMSPSv.exe
PRC - [2008/04/13 17:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2003/02/17 15:25:16 | 00,053,248 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe
PRC - [2009/04/02 16:11:02 | 00,342,312 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/02/24 17:00:26 | 00,479,232 | ---- | M] (Nikon Corporation) -- C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
PRC - [2009/07/25 05:23:12 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/05/13 15:40:08 | 06,345,840 | ---- | M] (Webroot Software, Inc.) -- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
PRC - [2009/04/02 16:10:56 | 00,656,168 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/03/08 14:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/03/08 14:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/04/21 18:26:50 | 00,165,232 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
PRC - [2009/08/29 15:15:42 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Thom\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2009/03/26 15:31:20 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [1999/12/12 23:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\System32\CTsvcCDA.exe -- (Creative Service for CDROM Access [Disabled | Stopped])
SRV - [2009/04/22 17:58:50 | 00,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service [On_Demand | Stopped])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2008/04/13 17:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2009/04/02 16:10:56 | 00,656,168 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Running])
SRV - [2009/07/25 05:23:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2005/07/25 12:25:18 | 00,491,520 | ---- | M] ( ) -- C:\WINDOWS\System32\lxcfcoms.exe -- (lxcf_device [On_Demand | Stopped])
SRV - [2002/12/17 18:26:22 | 07,520,337 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe -- (MSSQL$SONY_MEDIAMGR [On_Demand | Stopped])
SRV - File not found -- -- (MSSQLServerADHelper [Disabled | Stopped])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2004/07/15 12:42:00 | 00,114,755 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe -- (NVSvc [Auto | Running])
SRV - [2001/07/31 18:39:44 | 00,065,536 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe -- (SPTISRV [On_Demand | Stopped])
SRV - [2002/12/17 18:23:30 | 00,311,872 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE -- (SQLAgent$SONY_MEDIAMGR [On_Demand | Stopped])
SRV - [2009/04/21 18:26:52 | 04,048,240 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe -- (WebrootSpySweeperService [Auto | Running])
SRV - [2000/06/26 05:44:20 | 00,053,520 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MsPMSPSv.exe -- (WMDM PMSP Service [Auto | Running])
SRV - [2006/10/18 21:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])
SRV - [2009/07/16 13:38:10 | 01,205,760 | ---- | M] (Webroot Software, Inc. ) -- C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe -- (WRConsumerService [Auto | Running])

========== Driver Services (SafeList) ==========

DRV - [2008/04/13 11:46:20 | 00,048,128 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\61883.sys -- (61883 [On_Demand | Stopped])
DRV - [2001/08/17 05:20:04 | 00,096,256 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\drivers\ac97intc.sys -- (ac97intc [On_Demand | Running])
DRV - [2002/07/17 08:53:02 | 00,016,877 | ---- | M] (Adaptec) -- C:\WINDOWS\System32\drivers\Aspi32.sys -- (ASPI32 [System | Running])
DRV - [2008/04/13 11:46:20 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\avc.sys -- (Avc [On_Demand | Stopped])
DRV - [2000/12/05 14:18:02 | 00,003,952 | R--- | M] (Sony Corporation) -- C:\WINDOWS\System32\DRIVERS\DMICall.sys -- (DMICall [System | Running])
DRV - [2009/03/19 16:32:48 | 00,023,400 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2003/12/07 23:53:06 | 00,009,728 | R--- | M] (Western Digital) -- C:\WINDOWS\System32\DRIVERS\inibtmgr.sys -- (inibtmgr [On_Demand | Stopped])
DRV - [2001/11/28 15:40:26 | 00,441,441 | ---- | M] (LT) -- C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys -- (ltmodem5 [On_Demand | Running])
DRV - [2008/04/13 11:46:09 | 00,051,200 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\msdv.sys -- (MSDV [On_Demand | Stopped])
DRV - [2004/07/15 12:42:00 | 02,459,712 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Running])
DRV - [2003/03/05 10:19:28 | 00,015,840 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\System32\PfModNT.sys -- (PfModNT [Auto | Running])
DRV - [2001/08/23 05:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2004/05/19 09:33:44 | 00,020,016 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\DRIVERS\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2009/03/09 05:03:24 | 00,121,984 | ---- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\System32\DRIVERS\Rtnicxp.sys -- (RTL8023xp [On_Demand | Running])
DRV - [2004/08/03 22:31:32 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) -- C:\WINDOWS\System32\DRIVERS\RTL8139.SYS -- (rtl8139 [On_Demand | Stopped])
DRV - [2003/03/24 23:27:00 | 00,632,576 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\System32\DRIVERS\sbusb.sys -- (sbusb [On_Demand | Running])
DRV - [2008/04/13 11:45:33 | 00,011,520 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\scsiscan.sys -- (scsiscan [On_Demand | Stopped])
DRV - [2007/11/13 03:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2009/04/21 18:27:02 | 00,029,808 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\WINDOWS\system32\DRIVERS\ssfs0bbc.sys -- (ssfs0bbc [Boot | Running])
DRV - [2009/04/21 18:27:04 | 00,023,152 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\WINDOWS\SYSTEM32\Drivers\SSHRMD.SYS -- (SSHRMD [Boot | Running])
DRV - [2009/04/21 18:27:04 | 00,176,752 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\WINDOWS\SYSTEM32\Drivers\SSIDRV.SYS -- (SSIDRV [Boot | Running])
DRV - [2008/01/04 21:34:36 | 00,023,920 | ---- | M] (Webroot Software Inc (www.webroot.com)) -- C:\WINDOWS\System32\Drivers\sskbfd.sys -- (SSKBFD [On_Demand | Stopped])
DRV - [2008/02/18 11:16:24 | 00,030,464 | ---- | M] (Apple, Inc.) -- C:\WINDOWS\System32\Drivers\usbaapl.sys -- (USBAAPL [On_Demand | Stopped])
DRV - [2008/04/13 11:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\usbaudio.sys -- (usbaudio [On_Demand | Stopped])
DRV - [2005/05/26 11:01:18 | 00,021,344 | ---- | M] (LG Electronics Inc.) -- C:\WINDOWS\System32\DRIVERS\lgusbbus.sys -- (usbbus [On_Demand | Stopped])
DRV - [2005/05/26 11:01:36 | 00,038,144 | ---- | M] (LG Electronics Inc.) -- C:\WINDOWS\System32\DRIVERS\lgusbdiag.sys -- (UsbDiag [On_Demand | Stopped])
DRV - [2005/06/24 18:36:16 | 00,039,036 | ---- | M] (LG Electronics Inc.) -- C:\WINDOWS\System32\DRIVERS\lgusbmodem.sys -- (USBModem [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://red.clientapps.yahoo.com/customize/.../search/ie.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-602162358-1770027372-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-602162358-1770027372-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
IE - HKU\S-1-5-21-602162358-1770027372-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKU\S-1-5-21-602162358-1770027372-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTe...-8&fr=b1ie7
IE - HKU\S-1-5-21-602162358-1770027372-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-602162358-1770027372-839522115-1003\S-1-5-21-602162358-1770027372-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-602162358-1770027372-839522115-1003\S-1-5-21-602162358-1770027372-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1;*.local

FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/06/23 16:18:22 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/03/27 20:25:00 | 00,000,000 | ---D | M]


O1 HOSTS File: (777 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll File not found
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKU\S-1-5-21-602162358-1770027372-839522115-1003\..\Toolbar\WebBrowser: (no name) - {40D41A8B-D79B-43D7-99A7-9EE0F344C385} - No CLSID value found.
O3 - HKU\S-1-5-21-602162358-1770027372-839522115-1003\..\Toolbar\WebBrowser: (no name) - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - No CLSID value found.
O3 - HKU\S-1-5-21-602162358-1770027372-839522115-1003\..\Toolbar\WebBrowser: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - No CLSID value found.
O3 - HKU\S-1-5-21-602162358-1770027372-839522115-1003\..\Toolbar\WebBrowser: (no name) - {724D43A0-0D85-11D4-9908-00400523E39A} - No CLSID value found.
O3 - HKU\S-1-5-21-602162358-1770027372-839522115-1003\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [LXCFCATS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.DLL ()
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [Nikon Transfer Monitor] C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe (Nikon Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\system32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\system32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe (Webroot Software, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [UserFaultCheck] File not found
O4 - HKU\S-1-5-21-602162358-1770027372-839522115-1003..\Run: [A00F3B42E.exe] C:\Documents and Settings\Thom\Local Settings\Temp\_A00F3B42E.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Thom\Start Menu\Programs\Startup\Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe (Nikon Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-602162358-1770027372-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-602162358-1770027372-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSaveSettings = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-602162358-1770027372-839522115-1003\..Trusted Domains: aol.com ([free] http in Trusted sites)
O15 - HKU\S-1-5-21-602162358-1770027372-839522115-1003\..Trusted Domains: 2 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase1140.cab (Windows Live Safety Center Base Module)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1238559437578 (MUWebControl Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} http://lads.myspace.com/upload/MySpaceUploader2.cab (MySpace Uploader Control)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\WINDOWS\System32\deploytk32.dll) - C:\WINDOWS\System32\deploytk32.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\__c00DCCB5: DllName - C:\WINDOWS\system32\__c00DCCB5.dat - C:\WINDOWS\System32\__c00DCCB5.dat ()
O20 - Winlogon\Notify\24e9012e658: DllName - C:\WINDOWS\System32\deploytk32.dll - C:\WINDOWS\System32\deploytk32.dll ()
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {67CB4C62-16CA-45E3-9BA6-E81277C0F0FE} - Reg Error: Key error. File not found
O30 - LSA: Authentication Packages - (C:\\WINDOWS\\system32\\awtsr) - File not found
O30 - LSA: Authentication Packages - (l\v1.0\Providers) - File not found
O30 - LSA: Authentication Packages - (settings...) - File not found
O30 - LSA: Authentication Packages - (tings) - File not found
O30 - LSA: Security Packages - (EM\) - File not found
O30 - LSA: Security Packages - (\80\Tools\Binn\ecurity) - File not found
O30 - LSA: Security Packages - (Pack) - File not found
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/01/28 22:07:09 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{10ecbcb3-dfb0-11db-ba74-00e01847564d}\Shell - "" = AutoRun
O33 - MountPoints2\{10ecbcb3-dfb0-11db-ba74-00e01847564d}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{10ecbcb3-dfb0-11db-ba74-00e01847564d}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2 C:\WINDOWS\System32\*.tmp files]
[2 C:\Documents and Settings\Thom\My Documents\*.tmp files]
[2009/08/29 15:16:47 | 00,288,768 | ---- | C] () -- C:\Documents and Settings\Thom\Desktop\qpivyml2.exe
[2009/08/29 15:15:25 | 00,514,048 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Thom\Desktop\OTL.exe
[2009/08/29 15:08:02 | 00,000,000 | -HSD | C] -- C:\WINDOWS\System32\LocalService
[2009/08/23 23:10:44 | 00,029,184 | ---- | C] () -- C:\WINDOWS\System32\__c002ABB1.dat
[2009/08/23 22:27:18 | 00,029,184 | ---- | C] () -- C:\WINDOWS\System32\__c004F906.dat
[2009/08/22 14:16:16 | 00,029,184 | ---- | C] () -- C:\WINDOWS\System32\__c005A909.dat
[2009/08/20 17:06:35 | 00,025,600 | ---- | C] () -- C:\WINDOWS\System32\__c00DCCB5.dat
[2009/08/20 10:43:35 | 00,359,932 | ---- | C] () -- C:\Documents and Settings\Thom\Desktop\dds.scr
[2009/08/19 09:26:26 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/08/18 13:32:18 | 00,017,692 | ---- | C] () -- C:\WINDOWS\GnuHashes.ini
[2009/08/18 13:24:18 | 00,000,541 | -HS- | C] () -- C:\WINDOWS\System32\GroupPolicy000.dat
[2009/08/17 20:52:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Thom\My Documents\TOFencing
[2009/08/17 20:08:19 | 00,057,344 | ---- | C] (Ahead Software AG) -- C:\WINDOWS\System32\ImageDrive.cpl
[2009/08/17 20:08:18 | 00,089,184 | ---- | C] (Ahead Software AG and its licensors) -- C:\WINDOWS\System32\drivers\imagedrv.sys
[2009/08/17 20:07:13 | 00,038,912 | ---- | C] (Pegasus Imaging Corp.) -- C:\WINDOWS\System32\picn20.dll
[2009/08/17 20:07:05 | 00,569,344 | ---- | C] (Pegasus Software,LLC) -- C:\WINDOWS\System32\imagr5.dll
[2009/08/17 20:07:05 | 00,544,768 | ---- | C] (Pegasus Software, LLC) -- C:\WINDOWS\System32\imagx5.dll
[2009/08/17 20:07:04 | 00,283,920 | ---- | C] (Pegasus Software, LLC) -- C:\WINDOWS\System32\ImagXpr5.dll
[2009/08/17 20:06:54 | 00,155,648 | ---- | C] (Ahead Software Gmbh) -- C:\WINDOWS\System32\NeroCheck.exe
[2009/08/17 20:06:54 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Ahead
[2009/08/17 20:06:50 | 00,000,000 | ---D | C] -- C:\Program Files\Ahead
[2009/08/17 17:24:25 | 00,005,556 | -HS- | C] () -- C:\Documents and Settings\Thom\Application Data\02000000b16fd16a658C.manifest
[2009/08/17 17:24:25 | 00,002,469 | -HS- | C] () -- C:\Documents and Settings\Thom\Application Data\02000000b16fd16a658P.manifest
[2009/08/17 17:24:25 | 00,001,111 | -HS- | C] () -- C:\Documents and Settings\Thom\Application Data\02000000b16fd16a658O.manifest
[2009/08/17 17:24:25 | 00,000,011 | -HS- | C] () -- C:\Documents and Settings\Thom\Application Data\02000000b16fd16a658S.manifest
[2009/08/17 17:24:21 | 00,122,368 | ---- | C] () -- C:\WINDOWS\System32\deploytk32.dll
[2009/08/17 16:46:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Thom\Application Data\InfraRecorder
[2009/08/12 16:23:59 | 00,128,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\dhtmled.ocx
[2009/08/12 16:23:24 | 01,315,328 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msoe.dll
[2009/08/08 17:08:00 | 00,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2009/08/08 17:07:59 | 00,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/08/08 17:07:59 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/08/08 17:07:59 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/08/05 02:01:48 | 00,204,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mswebdvd.dll
[2009/04/22 23:29:30 | 02,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2009/04/21 18:26:56 | 00,031,088 | ---- | C] () -- C:\WINDOWS\System32\wrLZMA.dll
[2009/04/21 15:11:36 | 00,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini
[2009/04/21 15:10:09 | 00,000,059 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2009/04/21 15:10:08 | 00,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2009/04/21 14:54:43 | 00,010,240 | ---- | C] () -- C:\WINDOWS\System32\virport.dll
[2009/03/03 12:18:04 | 00,073,728 | ---- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll
[2009/02/22 18:29:37 | 00,000,128 | ---- | C] () -- C:\WINDOWS\ViewNX.INI
[2008/05/22 21:19:33 | 00,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2008/05/03 14:38:32 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxcfvs.dll
[2008/05/03 14:38:31 | 01,183,744 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfserv.dll
[2008/05/03 14:38:31 | 01,134,592 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfusb1.dll
[2008/05/03 14:38:30 | 00,155,648 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfprox.dll
[2008/05/03 14:38:29 | 00,114,688 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfpplc.dll
[2008/05/03 14:38:26 | 00,704,512 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfcomc.dll
[2008/05/03 14:38:26 | 00,413,696 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfcomm.dll
[2008/05/03 14:38:25 | 00,483,328 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcflmpm.dll
[2007/09/27 10:51:02 | 00,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 00,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 00,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2007/09/24 19:56:35 | 00,693,832 | -HS- | C] () -- C:\WINDOWS\System32\ixbtdiau.ini
[2007/09/23 16:42:00 | 00,693,541 | -HS- | C] () -- C:\WINDOWS\System32\rdfmnpgj.ini
[2007/09/21 20:37:47 | 00,693,832 | -HS- | C] () -- C:\WINDOWS\System32\uywedsim.ini
[2007/09/19 22:22:14 | 00,693,485 | -HS- | C] () -- C:\WINDOWS\System32\ygqfkvoj.ini
[2007/09/18 21:03:38 | 00,693,485 | -HS- | C] () -- C:\WINDOWS\System32\lfhhbhtw.ini
[2007/09/17 18:35:55 | 00,693,484 | -HS- | C] () -- C:\WINDOWS\System32\nkksbmrs.ini
[2007/09/16 12:50:36 | 00,000,377 | ---- | C] () -- C:\WINDOWS\cookies.ini
[2007/09/16 12:49:50 | 00,693,494 | -HS- | C] () -- C:\WINDOWS\System32\whxktapd.ini
[2007/09/15 10:46:40 | 02,101,718 | -HS- | C] () -- C:\WINDOWS\System32\rstwa.ini
[2007/09/15 09:52:37 | 00,693,905 | -HS- | C] () -- C:\WINDOWS\System32\rxrxwqsq.ini
[2007/09/14 19:55:40 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\YCRWin32.dll
[2007/06/18 23:43:04 | 00,000,173 | ---- | C] () -- C:\WINDOWS\dbgmsg32.INI
[2006/04/12 09:48:15 | 00,000,050 | ---- | C] () -- C:\WINDOWS\GunzLauncher.INI
[2005/07/11 18:04:27 | 00,000,134 | ---- | C] () -- C:\WINDOWS\AoADVDRipper.INI
[2005/06/22 21:32:39 | 00,000,126 | ---- | C] () -- C:\WINDOWS\srxAdmin.INI
[2005/03/04 23:37:10 | 00,003,784 | ---- | C] () -- C:\WINDOWS\System32\b5ob130g.ini
[2005/02/20 13:34:04 | 00,020,992 | ---- | C] () -- C:\WINDOWS\jestertb.dll
[2004/11/16 01:22:09 | 00,000,004 | ---- | C] () -- C:\WINDOWS\info147.sys
[2004/06/04 21:31:46 | 00,000,054 | ---- | C] () -- C:\WINDOWS\Weather.Ini
[2004/05/15 00:14:17 | 00,000,227 | ---- | C] () -- C:\WINDOWS\CTWave32.ini
[2004/04/16 17:21:39 | 00,000,093 | ---- | C] () -- C:\WINDOWS\System32\MSrev41.dll
[2004/04/09 17:55:14 | 00,027,105 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2004/03/08 13:14:17 | 00,217,088 | ---- | C] () -- C:\WINDOWS\System32\libmySQL.dll
[2004/03/08 13:14:16 | 00,102,400 | ---- | C] () -- C:\WINDOWS\System32\TrackerNET.dll
[2004/02/22 21:00:13 | 00,005,632 | ---- | C] () -- C:\WINDOWS\System32\CNMVS38.DLL
[2004/02/09 19:11:14 | 01,213,440 | ---- | C] () -- C:\WINDOWS\System32\opengl.dll
[2004/02/09 19:11:13 | 00,315,904 | ---- | C] () -- C:\WINDOWS\System32\glu.dll
[2004/02/09 19:11:13 | 00,154,624 | ---- | C] () -- C:\WINDOWS\System32\glut.dll
[2004/02/01 11:56:33 | 00,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2004/02/01 11:50:54 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/01/28 23:49:29 | 00,524,288 | ---- | C] () -- C:\WINDOWS\System32\TDI-SonyOMG.dll
[2004/01/28 23:49:27 | 00,262,416 | ---- | C] () -- C:\WINDOWS\System32\Asfv2.dll
[2004/01/28 23:17:12 | 00,000,231 | ---- | C] () -- C:\WINDOWS\AC3API.INI
[2004/01/28 23:16:31 | 00,064,000 | ---- | C] () -- C:\WINDOWS\System32\sbusbdll.dll
[2004/01/28 23:16:29 | 00,059,392 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll
[2004/01/28 23:16:27 | 00,005,244 | ---- | C] () -- C:\WINDOWS\System32\SBUSB.INI
[2004/01/28 23:14:37 | 00,000,072 | ---- | C] () -- C:\WINDOWS\SBWIN.INI
[2004/01/28 22:28:40 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/01/28 22:16:28 | 00,001,065 | ---- | C] () -- C:\WINDOWS\winamp.ini
[2001/08/23 05:00:00 | 00,001,024 | ---- | C] () -- C:\WINDOWS\win.ini
[2001/08/23 05:00:00 | 00,000,274 | ---- | C] () -- C:\WINDOWS\system.ini
[2000/11/29 09:50:40 | 00,471,040 | ---- | C] () -- C:\WINDOWS\System32\QTExporter.dll

========== Files - Modified Within 30 Days ==========

[2 C:\WINDOWS\System32\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[2 C:\Documents and Settings\Thom\My Documents\*.tmp files]
[2009/08/29 15:29:31 | 00,002,469 | -HS- | M] () -- C:\Documents and Settings\Thom\Application Data\02000000b16fd16a658P.manifest
[2009/08/29 15:16:48 | 00,288,768 | ---- | M] () -- C:\Documents and Settings\Thom\Desktop\qpivyml2.exe
[2009/08/29 15:15:42 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Thom\Desktop\OTL.exe
[2009/08/29 15:08:40 | 00,005,556 | -HS- | M] () -- C:\Documents and Settings\Thom\Application Data\02000000b16fd16a658C.manifest
[2009/08/29 15:08:03 | 00,000,541 | -HS- | M] () -- C:\WINDOWS\System32\GroupPolicy000.dat
[2009/08/29 15:08:02 | 00,004,452 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/08/29 15:07:47 | 00,001,111 | -HS- | M] () -- C:\Documents and Settings\Thom\Application Data\02000000b16fd16a658O.manifest
[2009/08/29 15:07:47 | 00,000,011 | -HS- | M] () -- C:\Documents and Settings\Thom\Application Data\02000000b16fd16a658S.manifest
[2009/08/29 15:07:45 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/08/29 15:05:37 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/08/29 15:05:31 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/08/29 15:05:28 | 53,644,9024 | -HS- | M] () -- C:\hiberfil.sys
[2009/08/24 22:58:07 | 08,032,418 | -H-- | M] () -- C:\Documents and Settings\Thom\Local Settings\Application Data\IconCache.db
[2009/08/24 22:39:14 | 00,001,744 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/08/24 22:34:43 | 50,302,976 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP
[2009/08/23 23:15:10 | 00,017,692 | ---- | M] () -- C:\WINDOWS\GnuHashes.ini
[2009/08/23 22:27:39 | 00,000,020 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
[2009/08/23 22:26:00 | 00,025,600 | ---- | M] () -- C:\WINDOWS\System32\__c00DCCB5.dat
[2009/08/20 10:46:55 | 00,106,496 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ATL71.DLL
[2009/08/20 10:43:42 | 00,359,932 | ---- | M] () -- C:\Documents and Settings\Thom\Desktop\dds.scr
[2009/08/20 09:10:00 | 00,000,128 | ---- | M] () -- C:\WINDOWS\ViewNX.INI
[2009/08/19 00:00:00 | 00,001,638 | ---- | M] () -- C:\WINDOWS\tasks\wrSpySweeper_L4DE8B1406C60400A89680257A4DF047A.job
[2009/08/18 20:53:22 | 00,503,912 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/08/17 21:02:35 | 00,122,648 | ---- | M] () -- C:\Documents and Settings\Thom\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/08/17 17:24:21 | 00,122,368 | ---- | M] () -- C:\WINDOWS\System32\deploytk32.dll
[2009/08/12 17:32:33 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/08/05 02:01:48 | 00,204,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mswebdvd.dll
[2009/08/05 02:01:48 | 00,204,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mswebdvd.dll
[2009/08/01 22:26:07 | 00,001,632 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2009/08/01 22:05:59 | 00,000,072 | ---- | M] () -- C:\WINDOWS\SBWIN.INI

========== Files - Unicode (All) ==========
[2003/09/14 20:16:11 | 00,000,000 | ---D | M](C:\WINDOWS\?ssembly) -- C:\WINDOWS\аssembly
[2007/09/14 20:16:00 | 00,000,000 | ---D | C](C:\WINDOWS\?ssembly) -- C:\WINDOWS\аssembly
< End of report >



OTL EXTRAS
OTL Extras logfile created on: 8/29/2009 3:23:44 PM - Run 1
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Documents and Settings\Thom\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.53 Mb Total Physical Memory | 85.75 Mb Available Physical Memory | 16.76% Memory free
1.44 Gb Paging File | 0.99 Gb Available in Paging File | 68.58% Paging File free
Paging file location(s): C:\pagefile.sys 1000 1500 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 16.00 Gb Total Space | 2.30 Gb Free Space | 14.40% Space Free | Partition Type: NTFS
Drive D: | 41.25 Gb Total Space | 25.23 Gb Free Space | 61.16% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MISCOMPUTER
Current User Name: Thom
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
.js [@ = jsfile] -- Reg Error: Key error. File not found

[HKEY_USERS\S-1-5-21-602162358-1770027372-839522115-1003\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 0
"FirewallOverride" = 0
"AntiVirusOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"135:TCP" = 135:TCP:*:Enabled:TCP Port 135
"5000:TCP" = 5000:TCP:*:Enabled:TCP Port 5000
"5001:TCP" = 5001:TCP:*:Enabled:TCP Port 5001
"5002:TCP" = 5002:TCP:*:Enabled:TCP Port 5002
"5003:TCP" = 5003:TCP:*:Enabled:TCP Port 5003
"5004:TCP" = 5004:TCP:*:Enabled:TCP Port 5004
"5005:TCP" = 5005:TCP:*:Enabled:TCP Port 5005
"5006:TCP" = 5006:TCP:*:Enabled:TCP Port 5006
"5007:TCP" = 5007:TCP:*:Enabled:TCP Port 5007
"5008:TCP" = 5008:TCP:*:Enabled:TCP Port 5008
"5009:TCP" = 5009:TCP:*:Enabled:TCP Port 5009
"5010:TCP" = 5010:TCP:*:Enabled:TCP Port 5010
"5011:TCP" = 5011:TCP:*:Enabled:TCP Port 5011
"5012:TCP" = 5012:TCP:*:Enabled:TCP Port 5012
"5013:TCP" = 5013:TCP:*:Enabled:TCP Port 5013
"5014:TCP" = 5014:TCP:*:Enabled:TCP Port 5014
"5015:TCP" = 5015:TCP:*:Enabled:TCP Port 5015
"5016:TCP" = 5016:TCP:*:Enabled:TCP Port 5016
"5017:TCP" = 5017:TCP:*:Enabled:TCP Port 5017
"5018:TCP" = 5018:TCP:*:Enabled:TCP Port 5018
"5019:TCP" = 5019:TCP:*:Enabled:TCP Port 5019
"5020:TCP" = 5020:TCP:*:Enabled:TCP Port 5020

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger -- (America Online, Inc.)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\kdx\khost.exe" = C:\WINDOWS\kdx\khost.exe:*:Enabled:Secure Delivery Plug-In -- File not found
"C:\Program Files\mIRC\mirc.exe" = C:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC -- File not found
"C:\Program Files\Steam\Steam.exe" = C:\Program Files\Steam\Steam.exe:*:Enabled:Steam -- (Valve Corporation)
"C:\Program Files\Steam\SteamApps\trotsky_kitfox\team fortress classic\hl.exe" = C:\Program Files\Steam\SteamApps\trotsky_kitfox\team fortress classic\hl.exe:*:Enabled:Half-Life Launcher -- (Valve)
"C:\Program Files\Steam\SteamApps\trotsky_kitfox\counter-strike\hl.exe" = C:\Program Files\Steam\SteamApps\trotsky_kitfox\counter-strike\hl.exe:*:Enabled:Half-Life Launcher -- (Valve)
"C:\Program Files\AliasWavefront\Maya5.0\bin\maya.exe" = C:\Program Files\AliasWavefront\Maya5.0\bin\maya.exe:*:Enabled:Maya -- File not found
"C:\Program Files\GameHouse\Collapse II\Relapse.exe" = C:\Program Files\GameHouse\Collapse II\Relapse.exe:*:Enabled:Super Collapse! II -- File not found
"C:\Program Files\Steam\SteamApps\trotsky_kitfox\day of defeat\hl.exe" = C:\Program Files\Steam\SteamApps\trotsky_kitfox\day of defeat\hl.exe:*:Enabled:Half-Life Launcher -- File not found
"C:\Sierra\Counter-Strike\cstrike.exe" = C:\Sierra\Counter-Strike\cstrike.exe:*:Enabled:CounterStrike Launcher -- File not found
"C:\Program Files\Macromedia\Flash MX\Flash.exe" = C:\Program Files\Macromedia\Flash MX\Flash.exe:*:Enabled:Flash 6.0 r25 -- File not found
"C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe" = C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe:*:Enabled:Dreamweaver MX -- File not found
"C:\Program Files\Ipswitch\WS_FTP Home\wsftpgui.exe" = C:\Program Files\Ipswitch\WS_FTP Home\wsftpgui.exe:*:Enabled:WS_FTP Pro Application -- File not found
"C:\Program Files\Yahoo! Games\Polar Golfer\golf.exe" = C:\Program Files\Yahoo! Games\Polar Golfer\golf.exe:*:Enabled:golf -- File not found
"C:\Program Files\Yahoo! Games\Hamsterball\Hamsterball.exe" = C:\Program Files\Yahoo! Games\Hamsterball\Hamsterball.exe:*:Disabled:Hamsterball -- File not found
"C:\Program Files\Yahoo!\Messenger\YPager.exe" = C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger -- File not found
"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server -- File not found
"C:\Program Files\Kazaa\kazaa.exe" = C:\Program Files\Kazaa\kazaa.exe:*:Enabled:Kazaa -- File not found
"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype -- File not found
"C:\Program Files\GameSpy Arcade\Aphex.exe" = C:\Program Files\GameSpy Arcade\Aphex.exe:*:Enabled:GameSpy Arcade -- File not found
"C:\Program Files\Macromedia\Fireworks MX\Fireworks.exe" = C:\Program Files\Macromedia\Fireworks MX\Fireworks.exe:*:Enabled:Fireworks MX -- File not found
"C:\Program Files\LeechFTP\Leechftp.exe" = C:\Program Files\LeechFTP\Leechftp.exe:*:Enabled:LeechFTP -- File not found
"C:\Program Files\Steam\SteamApps\trotsky_kitfox\half-life\hl.exe" = C:\Program Files\Steam\SteamApps\trotsky_kitfox\half-life\hl.exe:*:Enabled:Half-Life Launcher -- File not found
"C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe" = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater -- File not found
"C:\Program Files\Internet Explorer\iexplore.exe" = C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer -- (Microsoft Corporation)
"C:\WINDOWS\system32\P2P Networking\P2P Networking.exe" = C:\WINDOWS\system32\P2P Networking\P2P Networking.exe:*:Enabled:P2P Networking -- File not found
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- (Lime Wire, LLC)
"C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer -- File not found
"C:\Program Files\MAIET\Gunz\GunzLauncher.exe" = C:\Program Files\MAIET\Gunz\GunzLauncher.exe:*:Enabled:GunzLauncher -- File not found
"C:\Program Files\MAIET\Gunz\Gunz.exe" = C:\Program Files\MAIET\Gunz\Gunz.exe:*:Enabled:Gunz -- File not found
"C:\Program Files\MAIET\Gunz\BAReport.exe" = C:\Program Files\MAIET\Gunz\BAReport.exe:*:Enabled:BAReport MFC ?? ???? -- File not found
"C:\Program Files\Team17\Worms Armageddon\Landgen.exe" = C:\Program Files\Team17\Worms Armageddon\Landgen.exe:*:Enabled:Landgen -- File not found
"C:\Program Files\Team17\Worms Armageddon\WA.exe" = C:\Program Files\Team17\Worms Armageddon\WA.exe:*:Enabled:Worms Armageddon -- File not found
"C:\Program Files\MicroProse\Worms Armageddon\wa.exe" = C:\Program Files\MicroProse\Worms Armageddon\wa.exe:*:Disabled:Worms Armageddon -- File not found
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger -- (America Online, Inc.)
"C:\WINDOWS\TEMP\winE81.tmp.exe" = C:\WINDOWS\TEMP\winE81.tmp.exe:*:Enabled:winE81.tmp -- File not found
"C:\WINDOWS\system32\vkqhrkkj.exe" = C:\WINDOWS\system32\vkqhMP.EXE:*:ENABLED:WINE81 -- File not found
"C:\WINDOWS\system32\lxcfcoms.exe" = C:\WINDOWS\system32\lxcfcoms.exe:*:Enabled:730 Series Server -- ( )
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxcfpswx.exe" = C:\WINDOWS\system32\spool\drivers\w32x86\3\lxcfpswx.exe:*:Enabled:730 Series Printer Status -- ()
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- File not found
"C:\ijji\ENGLISH\u_gunz.exe" = C:\ijji\ENGLISH\u_gunz.exe:*:Enabled:<ijji Downloader> -- (NHN USA inc.)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"D:\Limewire\TF2_1023\TF2_1023\Team Fortress 2\hl2.exe" = D:\Limewire\TF2_1023\TF2_1023\Team Fortress 2\hl2.exe:*:Enabled:hl2 -- File not found
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
"C:\Program Files\TmNationsForever\TmForever.exe" = C:\Program Files\TmNationsForever\TmForever.exe:*:Enabled:TmForever -- File not found
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Disabled:Windows Explorer -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{04AF207D-9A77-465A-8B76-991F6AB66245}" = Adobe Help Viewer CS3
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting
"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin
"{1DCC7418-2089-4BDD-B321-3771956160FC}" = ijji Auto Installer
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{22E9CF2B-4063-4dab-A251-93FA46F7DECC}_is1" = Webroot AntiVirus with AntiSpyware
"{237CD223-1B9D-47E8-A76C-E478B83CCEA2}" = File Uploader
"{24D7346D-D4B4-45E8-98EA-75EC14B42DD8}" = Adobe ExtendScript Toolkit 2
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 15
"{2A539CD9-0F75-4875-9A32-E06DD93C4114}" = Adobe Extension Manager CS3
"{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2}" = Adobe Flash Video Encoder
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3A12C952-61D5-4C3B-B68B-8CFBE47E22F1}" = Adobe Setup
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3C52E7DA-C431-4239-B66B-1BF703D5B194}" = Windows Live Photo Gallery
"{3F5B6210-0903-4DC6-8034-8F488AA3A782}" = Spy Sweeper Core
"{412300C0-2A03-11D7-908C-00A0C98173F1}" = Sound Blaster
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{51846830-E7B2-4218-8968-B77F0FF475B8}" = Adobe Color EU Extra Settings
"{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3
"{56F3E1FF-54FE-4384-A153-6CCABA097814}" = Creative MediaSource
"{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3
"{581125F9-D1C6-4797-93BB-47A992D69AA8}" = Screen Grab Pro
"{5EFCBB42-36AB-4FF9-B90C-E78C7B9EE7B3}" = iTunes
"{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}" = Adobe Setup
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6B52140A-F189-4945-BFFC-DB3F00B8C589}" = Adobe Flash CS3
"{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}" = Adobe Color Common Settings
"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{87441A59-5E64-4096-A170-14EFE67200C3}" = Picture Control Utility
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3
"{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95655ED4-7CA5-46DF-907F-7144877A32E5}" = Adobe Color NA Recommended Settings
"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3
"{A1BF9950-8CDB-468E-83FA-EACFB00EA7D5}" = Windows Live Sync
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A228A09C-4826-42E0-A3D8-95B2BAAB5049}" = OpenMG Secure Module
"{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}" = Windows Defender Signatures
"{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}" = PDF Settings
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.6
"{AFA20D47-69C3-4030-8DF8-D37466E70F13}" = Apple Mobile Device Support
"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0
"{B3C02EC1-A7B0-4987-9A43-8789426AAA7D}" = Adobe Setup
"{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}" = Adobe Default Language CS3
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C6CA8874-5F22-4AF0-9BE3-016BF299C536}" = Windows Live Essentials
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D00353E1-9A80-11D8-A6E6-0000E24CCC1B}" = Digital Camera
"{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client
"{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}" = Adobe PDF Library Files
"{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}" = Nikon Message Center
"{D90AFDE3-3E67-407A-ACA8-F0BAAD012F08}" = Safari
"{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}" = Adobe Color JA Extra Settings
"{E09B48B5-E141-427A-AB0C-D3605127224A}" = Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
"{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3
"{E9757890-7EC5-46C8-99AB-B00F07B6525C}" = Nikon Transfer
"{F007CBCE-D714-4C0B-8CE9-9B0D78116468}" = ViewNX
"{F01D5ED5-D53A-4468-B428-149DC2CB3110}" = Adobe Dreamweaver CS3
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F3CB4DC0-4FC0-11D5-9254-0000F460E7A9}" = CD-R Writing Module
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"{FFC1ADE3-944B-4231-894E-3903C37271D2}" = Adobe Setup
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop 7.0" = Adobe Photoshop 7.0
"Adobe Premiere 6.0" = Adobe Premiere 6.0
"Adobe Shockwave Player" = Adobe Shockwave Player 11
"Adobe SVG Viewer" = Adobe SVG Viewer 3.0
"Adobe_3e054d2218e7aa282c2369d939e58ff" = Adobe ExtendScript Toolkit 2
"Adobe_435a6af7459cb02a9c1138113a26e93" = Adobe Dreamweaver CS3
"Adobe_6c8e2cb4fd241c55406016127a6ab2e" = Adobe Color Common Settings
"Adobe_c3c7fe8b09d497ab2b3fd91c9353390" = Adobe Flash CS3 Professional
"AOL Instant Messenger" = AOL Instant Messenger
"Cleaner 5 EZ" = Cleaner 5 EZ
"DivX Codec" = Remove DivX Codec
"EPSON Scanner" = EPSON Scan
"FileZilla Client" = FileZilla Client 3.2.3.1
"Finale PrintMusic 2009" = Finale PrintMusic 2009
"Gunz" = ijji - Gunz
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie8" = Windows Internet Explorer 8
"Lexmark 730 Series" = Lexmark 730 Series
"LG USB Drivers" = LG USB Drivers
"LimeWire" = LimeWire 4.18.8
"Macromedia Shockwave Player" = Macromedia Shockwave Player
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Nero - Burning Rom!UninstallKey" = Ahead Nero Burning ROM
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"Pdf995" = Pdf995
"RealPlayer 6.0" = RealPlayer
"SBC.MCCInstall" = AT&T Self Support Tool
"Steam App 10" = Counter-Strike
"Steam App 20" = Team Fortress Classic
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-602162358-1770027372-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"ijji.com" = ijji

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/18/2009 1:40:52 AM | Computer Name = MISCOMPUTER | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\NERO\NERO
6 ULTRA EDITION\NERO BACKITUP.LNK> in the hash map cannot be updated. Context:
Application, SystemIndex Catalog Details: A device attached to the system is not functioning.
(0x8007001f)

Error - 8/18/2009 1:40:52 AM | Computer Name = MISCOMPUTER | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\NERO\NERO
6 ULTRA EDITION\NERO BURNING ROM.LNK> in the hash map cannot be updated. Context:
Application, SystemIndex Catalog Details: A device attached to the system is not
functioning. (0x8007001f)

Error - 8/18/2009 1:40:52 AM | Computer Name = MISCOMPUTER | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\NERO\NERO
6 ULTRA EDITION\NERO BURNING ROM.LNK> in the hash map cannot be updated. Context:
Application, SystemIndex Catalog Details: A device attached to the system is not
functioning. (0x8007001f)

Error - 8/18/2009 1:40:52 AM | Computer Name = MISCOMPUTER | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\NERO\NERO
6 ULTRA EDITION\NERO COVER DESIGNER.LNK> in the hash map cannot be updated. Context:
Application, SystemIndex Catalog Details: A device attached to the system is not
functioning. (0x8007001f)

Error - 8/18/2009 1:40:53 AM | Computer Name = MISCOMPUTER | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\NERO\NERO
6 ULTRA EDITION\NERO COVER DESIGNER.LNK> in the hash map cannot be updated. Context:
Application, SystemIndex Catalog Details: A device attached to the system is not
functioning. (0x8007001f)

Error - 8/20/2009 1:04:55 PM | Computer Name = MISCOMPUTER | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module deploytk32.dll, version 0.0.0.0, fault address 0x0000f223.

Error - 8/20/2009 1:06:05 PM | Computer Name = MISCOMPUTER | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\KAT.MISCOMPUTER\MY DOCUMENTS\HOMECOMING
REFRAIN.MUS> in the hash map cannot be updated. Context: Application, SystemIndex
Catalog Details: A device attached to the system is not functioning. (0x8007001f)


Error - 8/20/2009 2:52:58 PM | Computer Name = MISCOMPUTER | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\KAT.MISCOMPUTER\MY DOCUMENTS\HOMECOMING
REFRAINLESS.MUS> in the hash map cannot be updated. Context: Application, SystemIndex
Catalog Details: A device attached to the system is not functioning. (0x8007001f)


Error - 8/20/2009 2:53:00 PM | Computer Name = MISCOMPUTER | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\KAT.MISCOMPUTER\MY DOCUMENTS\HOMECOMING
REFRAIN.MUS> in the hash map cannot be updated. Context: Application, SystemIndex
Catalog Details: A device attached to the system is not functioning. (0x8007001f)


Error - 8/20/2009 8:03:25 PM | Computer Name = MISCOMPUTER | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module CtxMenu_1_0_0_10.dll, version 1.0.0.10, fault address 0x0000f223.

[ System Events ]
Error - 8/25/2009 1:37:58 AM | Computer Name = MISCOMPUTER | Source = Service Control Manager | ID = 7031
Description = The Windows Search service terminated unexpectedly. It has done this
1 time(s). The following corrective action will be taken in 30000 milliseconds:
Restart the service.

Error - 8/25/2009 1:38:53 AM | Computer Name = MISCOMPUTER | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the Windows Search service, but
this action failed with the following error: %%1056

Error - 8/25/2009 1:58:09 AM | Computer Name = MISCOMPUTER | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service lxcf_device
with arguments "" in order to run the server: {323CE21C-A448-40AA-BA74-7FCF1E44106F}

Error - 8/25/2009 1:58:09 AM | Computer Name = MISCOMPUTER | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the lxcf_device service to
connect.

Error - 8/25/2009 1:58:09 AM | Computer Name = MISCOMPUTER | Source = Service Control Manager | ID = 7000
Description = The lxcf_device service failed to start due to the following error:
%%1053

Error - 8/25/2009 1:58:15 AM | Computer Name = MISCOMPUTER | Source = SSIDRV | ID = 131098
Description = Failed to set monitor event rule.

Error - 8/25/2009 1:58:29 AM | Computer Name = MISCOMPUTER | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service lxcf_device
with arguments "" in order to run the server: {323CE21C-A448-40AA-BA74-7FCF1E44106F}

Error - 8/29/2009 6:05:53 PM | Computer Name = MISCOMPUTER | Source = Print | ID = 19
Description = Sharing printer failed + 1722, Printer Microsoft XPS Document Writer
share name Printer2.

Error - 8/29/2009 6:05:58 PM | Computer Name = MISCOMPUTER | Source = Service Control Manager | ID = 7000
Description = The Icatch(IV) Video Camera Device service failed to start due to
the following error: %%2

Error - 8/29/2009 6:08:26 PM | Computer Name = MISCOMPUTER | Source = System Error | ID = 1003
Description = Error code 000000ce, parameter1 f3a70182, parameter2 00000000, parameter3
f3a70182, parameter4 00000000.


< End of report >




GMER LOG
GMER 1.0.15.15077 [qpivyml2.exe] - http://www.gmer.net
Rootkit scan 2009-08-29 21:30:53
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 8335FA80 ZwAllocateVirtualMemory
SSDT 833B03D0 ZwCreateKey
SSDT 8335FFA8 ZwCreateProcess
SSDT 8335FF30 ZwCreateProcessEx
SSDT 8335FD50 ZwCreateThread
SSDT 833CBC58 ZwDeleteKey
SSDT 83386150 ZwDeleteValueKey
SSDT 8335FAF8 ZwQueueApcThread
SSDT 8335F990 ZwReadVirtualMemory
SSDT 833A10A8 ZwRenameKey
SSDT 8335FBE8 ZwSetContextThread
SSDT 83386240 ZwSetInformationKey
SSDT 8335FE40 ZwSetInformationProcess
SSDT 8335FC60 ZwSetInformationThread
SSDT 833861C8 ZwSetValueKey
SSDT 8335FDC8 ZwSuspendProcess
SSDT 8335FB70 ZwSuspendThread
SSDT 8335FEB8 ZwTerminateProcess
SSDT 8335FCD8 ZwTerminateThread
SSDT 8335FA08 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 3A0 804E29FC 4 Bytes CALL 56D15FFC

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[512] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 1000E3DF C:\WINDOWS\System32\deploytk32.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[512] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 1000E387 C:\WINDOWS\System32\deploytk32.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[512] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 1000E4C6 C:\WINDOWS\System32\deploytk32.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[512] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 1000E451 C:\WINDOWS\System32\deploytk32.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[512] ADVAPI32.dll!CreateProcessWithLogonW 77E15FFD 5 Bytes JMP 1000E53B C:\WINDOWS\System32\deploytk32.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[512] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[512] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9521 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[512] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DCB69 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[512] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[512] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E2543F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[512] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E3C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[512] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E3B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[512] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E3BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[512] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[512] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[512] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E3C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[512] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E3AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[512] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED408 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[512] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E3F78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[512] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 10011C05 C:\WINDOWS\System32\deploytk32.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[512] ws2_32.dll!WSASocketW 71AB404E 7 Bytes JMP 10011B2C C:\WINDOWS\System32\deploytk32.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[512] ws2_32.dll!bind 71AB4480 5 Bytes JMP 10011AB6 C:\WINDOWS\System32\deploytk32.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[512] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10011B8F C:\WINDOWS\System32\deploytk32.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[512] ws2_32.dll!WSAConnect 71AC0C81 5 Bytes JMP 10011BC4 C:\WINDOWS\System32\deploytk32.dll
.text C:\WINDOWS\system32\SearchIndexer.exe[844] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[2204] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 1000E3DF C:\WINDOWS\System32\deploytk32.dll
.text C:\WINDOWS\Explorer.EXE[2204] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 1000E387 C:\WINDOWS\System32\deploytk32.dll
.text C:\WINDOWS\Explorer.EXE[2204] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 1000E4C6 C:\WINDOWS\System32\deploytk32.dll
.text C:\WINDOWS\Explorer.EXE[2204] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 1000E451 C:\WINDOWS\System32\deploytk32.dll
.text C:\WINDOWS\Explorer.EXE[2204] ADVAPI32.dll!CreateProcessWithLogonW 77E15FFD 5 Bytes JMP 1000E53B C:\WINDOWS\System32\deploytk32.dll
.text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[2944] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 00450771 C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe (Spy Sweeper Client Executable/Webroot Software, Inc.)
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3980] ntdll.dll!KiUserExceptionDispatcher + 9 7C90E485 5 Bytes JMP 00017DB0 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3980] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00016000 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3980] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 000169B0 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3980] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00016000 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3980] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00016960 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3980] kernel32.dll!VirtualFree 7C809B84 5 Bytes JMP 00016990 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Internet Explorer\iexplore.exe[4036] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 1000E3DF C:\WINDOWS\System32\deploytk32.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[4036] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 1000E387 C:\WINDOWS\System32\deploytk32.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[4036] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 1000E4C6 C:\WINDOWS\System32\deploytk32.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[4036] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 1000E451 C:\WINDOWS\System32\deploytk32.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[4036] ADVAPI32.dll!CreateProcessWithLogonW 77E15FFD 5 Bytes JMP 1000E53B C:\WINDOWS\System32\deploytk32.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[4036] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4036] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4036] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E3C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4036] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E3B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4036] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E3BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4036] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4036] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4036] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E3C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4036] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E3AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4036] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 10011C05 C:\WINDOWS\System32\deploytk32.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[4036] ws2_32.dll!WSASocketW 71AB404E 7 Bytes JMP 10011B2C C:\WINDOWS\System32\deploytk32.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[4036] ws2_32.dll!bind 71AB4480 5 Bytes JMP 10011AB6 C:\WINDOWS\System32\deploytk32.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[4036] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10011B8F C:\WINDOWS\System32\deploytk32.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[4036] ws2_32.dll!WSAConnect 71AC0C81 5 Bytes JMP 10011BC4 C:\WINDOWS\System32\deploytk32.dll

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] 83385FA8
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] 8335F918
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] 8335F918
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] 83385FA8
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] 83385FA8
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] 8335F918
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] 8335F918
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] 83385FA8
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] 8335F918
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] 83385FA8
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] 8335F918
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] 8335F918
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] 83385FA8

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\iexplore.exe[512] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))

Device \Driver\Tcpip \Device\Ip 83084CA8
Device \Driver\Tcpip \Device\Tcp 83084CA8
Device \Driver\Tcpip \Device\Udp 83084CA8
Device \Driver\Tcpip \Device\RawIp 83084CA8
Device \Driver\Tcpip \Device\IPMULTICAST 83084CA8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher@TracesProcessed 38
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher@TracesSuccessful 35

---- EOF - GMER 1.0.15 ----
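
Added example (not from this thread, GMER or any poster): a small Python triage helper for the "User code sections" block above. It parses lines of the form GMER prints, groups hooks by the module they jump into, and rates a target for review when GMER could read no product/publisher description for it and a process-creation or Winsock export is redirected into it, which is exactly the pattern deploytk32.dll shows here; the regexes, the sensitive-API list and the rating levels are my own assumptions, and the sample lines are copied from the log above.

```python
"""Triage helper for the 'User code sections' block of a GMER log.

Each line has the shape (offset and target/description are optional):
  .text <process>[pid] <module>!<export>[ + off] <addr> <N> Bytes JMP|CALL <dest> [<target path> [(<description>)]]

GMER appends the parenthesised description (product/publisher from the file's
version resource) when it can read one. A sensitive API redirected into a
module that carries no description is what a responder should look at first.
"""
import re
from collections import defaultdict

# Left part: everything up to and including the destination address.
LEFT_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>\S+?)!(?P<export>\w+)(?:\s\+\s(?P<offset>[0-9A-Fa-f]+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<nbytes>\d+)\s+Bytes\s+"
    r"(?P<kind>JMP|CALL)\s+(?P<dest>[0-9A-Fa-f]{8})(?:\s+(?P<rest>\S.*))?$"
)
# Right part: target module path, optionally followed by "(description)". The
# description may itself contain parentheses, so the path is matched up to its
# extension and everything bracketed after it is taken as the description.
REST_RE = re.compile(r"^(?P<target>.+?\.(?:dll|exe|sys))(?:\s+\((?P<desc>.*)\))?$", re.I)

# Assumed list: APIs whose interception gives control over new processes or
# network traffic (the exports redirected into deploytk32.dll in the log above).
SENSITIVE = {
    "CreateProcessA", "CreateProcessW", "CreateProcessAsUserA",
    "CreateProcessAsUserW", "CreateProcessWithLogonW",
    "connect", "WSAConnect", "bind", "WSASocketW", "closesocket",
}


def parse_hook(line):
    """Return a dict for one user-mode hook line, or None if it is not one."""
    m = LEFT_RE.match(line.strip())
    if not m:
        return None
    hook = {k: m.group(k) for k in ("process", "pid", "module", "export", "kind", "dest")}
    hook["nbytes"] = int(m.group("nbytes"))
    hook["target"], hook["desc"] = None, None
    rest = m.group("rest")
    if rest:
        r = REST_RE.match(rest)
        if r:
            hook["target"], hook["desc"] = r.group("target"), r.group("desc")
        else:
            hook["target"] = rest
    return hook


def triage(lines):
    """Group hooks by target module and rate each target.

    'review'    : no version description and a sensitive API redirected into it
    'unknown'   : no version description, only non-sensitive APIs
    'described' : GMER read a product/publisher string for the target
    A process patching its own image (self-protecting or packed software such
    as the Spy Sweeper binaries above) is flagged with 'self_hook'.
    """
    groups = defaultdict(lambda: {"desc": None, "exports": set(), "pids": set(),
                                  "sensitive": set(), "self_hook": False})
    for line in lines:
        h = parse_hook(line)
        if h is None:
            continue
        g = groups[h["target"] or "<no module at %s>" % h["dest"]]
        if h["desc"]:
            g["desc"] = h["desc"]
        g["exports"].add("%s!%s" % (h["module"], h["export"]))
        g["pids"].add((h["process"], h["pid"]))
        if h["export"] in SENSITIVE:
            g["sensitive"].add(h["export"])
        if h["target"] and h["target"].lower() == h["process"].lower():
            g["self_hook"] = True
    report = {}
    for target, g in groups.items():
        if g["desc"] is None and g["sensitive"]:
            level = "review"
        elif g["desc"] is None:
            level = "unknown"
        else:
            level = "described"
        report[target] = {"level": level, "desc": g["desc"],
                          "exports": sorted(g["exports"]), "processes": sorted(g["pids"]),
                          "sensitive": sorted(g["sensitive"]), "self_hook": g["self_hook"]}
    return report


def review_targets(report):
    """Targets that need a closer look, sorted for stable output."""
    return sorted(t for t, info in report.items() if info["level"] == "review")


# Sample input: a subset of lines copied from the GMER log in this thread.
SAMPLE = r"""
.text C:\Program Files\Internet Explorer\iexplore.exe[512] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 1000E3DF C:\WINDOWS\System32\deploytk32.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[512] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[512] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10011B8F C:\WINDOWS\System32\deploytk32.dll
.text C:\WINDOWS\system32\SearchIndexer.exe[844] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[2204] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 1000E4C6 C:\WINDOWS\System32\deploytk32.dll
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3980] ntdll.dll!KiUserExceptionDispatcher + 9 7C90E485 5 Bytes JMP 00017DB0 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[2944] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 00450771 C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe (Spy Sweeper Client Executable/Webroot Software, Inc.)
"""
SAMPLE_LINES = [l for l in SAMPLE.splitlines() if l.strip()]
REPORT = triage(SAMPLE_LINES)

if __name__ == "__main__":
    for target, info in sorted(REPORT.items(), key=lambda kv: kv[1]["level"]):
        flag = " (self-hook)" if info["self_hook"] else ""
        print("%-9s %s%s" % (info["level"], target, flag))
        print("          exports: %s" % ", ".join(info["exports"]))
```

Lines from the "Kernel code sections" block (no `[pid]`) are ignored by design; only user-mode hooks are rated.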

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:05:36 AM

Posted 30 August 2009 - 10:49 AM

That doesn't look too bad.


Run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O3 - HKU\S-1-5-21-602162358-1770027372-839522115-1003\..\Toolbar\WebBrowser: (no name) - {40D41A8B-D79B-43D7-99A7-9EE0F344C385} - No CLSID value found.
    O3 - HKU\S-1-5-21-602162358-1770027372-839522115-1003\..\Toolbar\WebBrowser: (no name) - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - No CLSID value found.
    O3 - HKU\S-1-5-21-602162358-1770027372-839522115-1003\..\Toolbar\WebBrowser: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - No CLSID value found.
    O3 - HKU\S-1-5-21-602162358-1770027372-839522115-1003\..\Toolbar\WebBrowser: (no name) - {724D43A0-0D85-11D4-9908-00400523E39A} - No CLSID value found.
    O3 - HKU\S-1-5-21-602162358-1770027372-839522115-1003\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
    O4 - HKLM..\Run: [KernelFaultCheck] File not found
    O4 - HKLM..\Run: [UserFaultCheck] File not found
    O4 - HKU\S-1-5-21-602162358-1770027372-839522115-1003..\Run: [A00F3B42E.exe] C:\Documents and Settings\Thom\Local Settings\Temp\_A00F3B42E.exe ()
    O20 - AppInit_DLLs: (C:\WINDOWS\System32\deploytk32.dll) - C:\WINDOWS\System32\deploytk32.dll ()
    O20 - Winlogon\Notify\__c00DCCB5: DllName - C:\WINDOWS\system32\__c00DCCB5.dat - C:\WINDOWS\System32\__c00DCCB5.dat ()
    O20 - Winlogon\Notify\24e9012e658: DllName - C:\WINDOWS\System32\deploytk32.dll - C:\WINDOWS\System32\deploytk32.dll ()
    
    
    :Files
    C:\WINDOWS\System32\__c002ABB1.dat
    C:\WINDOWS\System32\__c004F906.dat
    C:\WINDOWS\System32\__c005A909.dat
    C:\WINDOWS\System32\__c00DCCB5.dat
    
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Then also run and post a new OTL log.

=====================


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a USB stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
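
As an added example for this thread (not code from OTL, MBAM, BleepingComputer or the helper), the script below triages the autostart (O-line) sections of OTL logs like the ones exchanged here. It flags AppInit_DLLs and Winlogon\Notify loaders, LSA packages outside the Windows XP default set, and Run/BHO/ShellExecuteHook entries that are orphaned or carry no publisher string, and it ranks them so the entries that load into every process or into winlogon.exe come first. The severity tiers, the default-LSA-package list and the `publisher()`/`triage()` helper names are assumptions of this example; the sample lines are constructed from the OTL scan log posted in this thread.

```python
"""Triage the autostart (O-line) sections of an OTL log.

Added example for this thread, not code from OTL, MBAM or the helper.
The severity scheme and the default-LSA-package list are assumptions.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity code reason line")

# LSA packages Windows XP ships with (assumption); anything else gets a look.
DEFAULT_LSA = {
    "Authentication": {"msv1_0"},
    "Security": {"kerberos", "msv1_0", "schannel", "wdigest", "negotiate"},
}

# OTL ends most entries with the binary's company string in parentheses:
# "()" means no version info, "File not found" means the registry value
# still points at a path that no longer exists.
_COMPANY_RE = re.compile(r"\(([^()]*)\)\s*$")
_LSA_RE = re.compile(r"O30 - LSA: (Authentication|Security) Packages - \((.*?)\) - (.*)$")
_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def publisher(line):
    """Return (company string or None, orphaned?) for one OTL line."""
    orphaned = "File not found" in line or "Reg Error" in line
    m = _COMPANY_RE.search(line)
    name = m.group(1).strip() if m else ""
    return (name or None), orphaned


def lsa_basename(entry):
    """Reduce an LSA package entry (path or DLL name) to a bare lower-case name."""
    name = entry.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".dll") else name


def triage(log_text):
    """Return Findings for suspicious O-lines, highest severity first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line.startswith("O"):
            continue
        code = line.split(" ", 1)[0]          # "O2", "O20", "O30", ...
        company, orphaned = publisher(line)
        if code == "O20" and "AppInit_DLLs:" in line:
            findings.append(Finding("HIGH", code,
                "AppInit_DLLs loads this DLL into every process that maps user32.dll", line))
        elif code == "O20" and "Winlogon\\Notify\\" in line:
            findings.append(Finding("HIGH" if company is None else "MEDIUM", code,
                "Winlogon notification package runs inside winlogon.exe at every logon", line))
        elif code == "O30":
            m = _LSA_RE.match(line)
            if m and lsa_basename(m.group(2)) not in DEFAULT_LSA[m.group(1)]:
                findings.append(Finding("HIGH", code, "%s package outside the Windows default set%s"
                    % (m.group(1), " (file missing)" if orphaned else ""), line))
        elif code in ("O2", "O4", "O28"):
            if orphaned:
                findings.append(Finding("MEDIUM", code,
                    "autostart entry points at a missing file or key (orphan)", line))
            elif company is None:
                findings.append(Finding("MEDIUM", code,
                    "autostart binary carries no company name in its version info", line))
        elif code == "O33" and "\\command" in line:
            findings.append(Finding("LOW", code,
                "MountPoints2 autorun handler for removable media", line))
    findings.sort(key=lambda f: _RANK[f.severity])   # stable: log order kept within a tier
    return findings


def counts(findings):
    """Findings per severity, e.g. {'HIGH': 4, 'MEDIUM': 3, 'LOW': 1}."""
    out = {}
    for f in findings:
        out[f.severity] = out.get(f.severity, 0) + 1
    return out


# Constructed sample: lines copied from the OTL scan log posted in this thread.
SAMPLE_OTL_LOG = r'''
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll File not found
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O4 - HKLM..\Run: [LXCFCATS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.DLL ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\system32\NvCpl.DLL (NVIDIA Corporation)
O20 - AppInit_DLLs: (c:\windows\system32\deploytk32.dll) - C:\WINDOWS\System32\deploytk32.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\24e9012e658: DllName - c:\windows\system32\deploytk32.dll - C:\WINDOWS\System32\deploytk32.dll ()
O28 - HKLM ShellExecuteHooks: {67CB4C62-16CA-45E3-9BA6-E81277C0F0FE} - Reg Error: Key error. File not found
O30 - LSA: Authentication Packages - (C:\\WINDOWS\\system32\\awtsr) - File not found
O30 - LSA: Security Packages - (Pack) - File not found
O31 - SafeBoot: AlternateShell - cmd.exe
O33 - MountPoints2\{10ecbcb3-dfb0-11db-ba74-00e01847564d}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
'''

if __name__ == "__main__":
    for f in triage(SAMPLE_OTL_LOG):
        print("%-6s %-4s %s\n       %s" % (f.severity, f.code, f.reason, f.line))
```

Run it against a saved OTL.Txt with `triage(open("OTL.Txt").read())`. The point of the ranking is that an AppInit_DLLs or Winlogon\Notify entry with an empty "()" publisher is worth acting on before any orphaned BHO, because those two locations get the DLL loaded into every process and into winlogon.exe respectively; a missing-file orphan is mostly a cleanup item, and the script deliberately does not claim what family any entry belongs to.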


========================================================

#5 mot1thom
  • Topic Starter
  • Members
  • 16 posts

Posted 31 August 2009 - 10:50 PM

OTL Results Log
All processes killed
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-602162358-1770027372-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{40D41A8B-D79B-43D7-99A7-9EE0F344C385} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{40D41A8B-D79B-43D7-99A7-9EE0F344C385}\ not found.
Registry value HKEY_USERS\S-1-5-21-602162358-1770027372-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A}\ not found.
Registry value HKEY_USERS\S-1-5-21-602162358-1770027372-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E7BD74F-2B8D-469E-C0FF-FD60B590A87D}\ not found.
Registry value HKEY_USERS\S-1-5-21-602162358-1770027372-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{724D43A0-0D85-11D4-9908-00400523E39A} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{724D43A0-0D85-11D4-9908-00400523E39A}\ not found.
Registry value HKEY_USERS\S-1-5-21-602162358-1770027372-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\KernelFaultCheck deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\UserFaultCheck deleted successfully.
Registry value HKEY_USERS\S-1-5-21-602162358-1770027372-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run\\A00F3B42E.exe not found.
File C:\Documents and Settings\Thom\Local Settings\Temp\_A00F3B42E.exe not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:C:\WINDOWS\System32\deploytk32.dll deleted successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\deploytk32.dll
C:\WINDOWS\System32\deploytk32.dll NOT unregistered.
C:\WINDOWS\System32\deploytk32.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00DCCB5\ not found.
File C:\WINDOWS\System32\__c00DCCB5.dat not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\24e9012e658\ deleted successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\deploytk32.dll
C:\WINDOWS\System32\deploytk32.dll NOT unregistered.
File move failed. C:\WINDOWS\System32\deploytk32.dll scheduled to be moved on reboot.
========== FILES ==========
File\Folder C:\WINDOWS\System32\__c002ABB1.dat not found.
File\Folder C:\WINDOWS\System32\__c004F906.dat not found.
File\Folder C:\WINDOWS\System32\__c005A909.dat not found.
File\Folder C:\WINDOWS\System32\__c00DCCB5.dat not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator.MISCOMPUTER
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Kat
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Kat.MISCOMPUTER
->Temp folder emptied: 35816782 bytes
->Temporary Internet Files folder emptied: 5787099 bytes
->Java cache emptied: 19424495 bytes
->Apple Safari cache emptied: 161575723 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

User: Thom
->Temp folder emptied: 118474032 bytes
File delete failed. C:\Documents and Settings\Thom\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 39068061 bytes
->Java cache emptied: 24741683 bytes
->Apple Safari cache emptied: 107632166 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1119359 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 11185087 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 500.61 mb


OTL by OldTimer - Version 3.0.10.7 log created on 08312009_195922

Files\Folders moved on Reboot...
DllUnregisterServer procedure not found in C:\WINDOWS\System32\deploytk32.dll
C:\WINDOWS\System32\deploytk32.dll NOT unregistered.
C:\WINDOWS\System32\deploytk32.dll moved successfully.

Registry entries deleted on Reboot...


New OTL Scan Log
OTL logfile created on: 8/31/2009 8:12:23 PM - Run 2
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Documents and Settings\Thom\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.53 Mb Total Physical Memory | 151.21 Mb Available Physical Memory | 29.56% Memory free
1.44 Gb Paging File | 1.05 Gb Available in Paging File | 73.03% Paging File free
Paging file location(s): C:\pagefile.sys 1000 1500 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 16.00 Gb Total Space | 2.76 Gb Free Space | 17.26% Space Free | Partition Type: NTFS
Drive D: | 41.25 Gb Total Space | 25.24 Gb Free Space | 61.18% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MISCOMPUTER
Current User Name: Thom
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/07/16 13:38:10 | 01,205,760 | ---- | M] (Webroot Software, Inc. ) -- C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
PRC - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2009/07/25 05:23:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2004/07/15 12:42:00 | 00,114,755 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe
PRC - [2009/04/21 18:26:52 | 04,048,240 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
PRC - [2000/06/26 05:44:20 | 00,053,520 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MsPMSPSv.exe
PRC - [2008/04/13 17:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2003/02/17 15:25:16 | 00,053,248 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe
PRC - [2009/02/24 17:00:26 | 00,479,232 | ---- | M] (Nikon Corporation) -- C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
PRC - [2009/07/25 05:23:12 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/05/13 15:40:08 | 06,345,840 | ---- | M] (Webroot Software, Inc.) -- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
PRC - [2009/03/08 14:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/03/08 14:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/03/26 15:31:20 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/08/29 15:15:42 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Thom\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2009/03/26 15:31:20 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [1999/12/12 23:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\System32\CTsvcCDA.exe -- (Creative Service for CDROM Access [Disabled | Stopped])
SRV - [2009/04/22 17:58:50 | 00,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service [On_Demand | Stopped])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2008/04/13 17:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2009/04/02 16:10:56 | 00,656,168 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Stopped])
SRV - [2009/07/25 05:23:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2005/07/25 12:25:18 | 00,491,520 | ---- | M] ( ) -- C:\WINDOWS\System32\lxcfcoms.exe -- (lxcf_device [On_Demand | Stopped])
SRV - [2002/12/17 18:26:22 | 07,520,337 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe -- (MSSQL$SONY_MEDIAMGR [On_Demand | Stopped])
SRV - File not found -- -- (MSSQLServerADHelper [Disabled | Stopped])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2004/07/15 12:42:00 | 00,114,755 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe -- (NVSvc [Auto | Running])
SRV - [2001/07/31 18:39:44 | 00,065,536 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe -- (SPTISRV [On_Demand | Stopped])
SRV - [2002/12/17 18:23:30 | 00,311,872 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE -- (SQLAgent$SONY_MEDIAMGR [On_Demand | Stopped])
SRV - [2009/04/21 18:26:52 | 04,048,240 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe -- (WebrootSpySweeperService [Auto | Running])
SRV - [2000/06/26 05:44:20 | 00,053,520 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MsPMSPSv.exe -- (WMDM PMSP Service [Auto | Running])
SRV - [2006/10/18 21:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])
SRV - [2009/07/16 13:38:10 | 01,205,760 | ---- | M] (Webroot Software, Inc. ) -- C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe -- (WRConsumerService [Auto | Running])

========== Driver Services (SafeList) ==========

DRV - [2008/04/13 11:46:20 | 00,048,128 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\61883.sys -- (61883 [On_Demand | Stopped])
DRV - [2001/08/17 05:20:04 | 00,096,256 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\drivers\ac97intc.sys -- (ac97intc [On_Demand | Running])
DRV - [2002/07/17 08:53:02 | 00,016,877 | ---- | M] (Adaptec) -- C:\WINDOWS\System32\drivers\Aspi32.sys -- (ASPI32 [System | Running])
DRV - [2008/04/13 11:46:20 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\avc.sys -- (Avc [On_Demand | Stopped])
DRV - [2000/12/05 14:18:02 | 00,003,952 | R--- | M] (Sony Corporation) -- C:\WINDOWS\System32\DRIVERS\DMICall.sys -- (DMICall [System | Running])
DRV - [2009/03/19 16:32:48 | 00,023,400 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2003/12/07 23:53:06 | 00,009,728 | R--- | M] (Western Digital) -- C:\WINDOWS\System32\DRIVERS\inibtmgr.sys -- (inibtmgr [On_Demand | Stopped])
DRV - [2001/11/28 15:40:26 | 00,441,441 | ---- | M] (LT) -- C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys -- (ltmodem5 [On_Demand | Running])
DRV - [2008/04/13 11:46:09 | 00,051,200 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\msdv.sys -- (MSDV [On_Demand | Stopped])
DRV - [2004/07/15 12:42:00 | 02,459,712 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Running])
DRV - [2003/03/05 10:19:28 | 00,015,840 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\System32\PfModNT.sys -- (PfModNT [Auto | Running])
DRV - [2001/08/23 05:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2004/05/19 09:33:44 | 00,020,016 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\DRIVERS\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2009/03/09 05:03:24 | 00,121,984 | ---- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\System32\DRIVERS\Rtnicxp.sys -- (RTL8023xp [On_Demand | Running])
DRV - [2004/08/03 22:31:32 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) -- C:\WINDOWS\System32\DRIVERS\RTL8139.SYS -- (rtl8139 [On_Demand | Stopped])
DRV - [2003/03/24 23:27:00 | 00,632,576 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\System32\DRIVERS\sbusb.sys -- (sbusb [On_Demand | Running])
DRV - [2008/04/13 11:45:33 | 00,011,520 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\scsiscan.sys -- (scsiscan [On_Demand | Stopped])
DRV - [2007/11/13 03:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2009/04/21 18:27:02 | 00,029,808 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\WINDOWS\system32\DRIVERS\ssfs0bbc.sys -- (ssfs0bbc [Boot | Running])
DRV - [2009/04/21 18:27:04 | 00,023,152 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\WINDOWS\SYSTEM32\Drivers\SSHRMD.SYS -- (SSHRMD [Boot | Running])
DRV - [2009/04/21 18:27:04 | 00,176,752 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\WINDOWS\SYSTEM32\Drivers\SSIDRV.SYS -- (SSIDRV [Boot | Running])
DRV - [2008/01/04 21:34:36 | 00,023,920 | ---- | M] (Webroot Software Inc (www.webroot.com)) -- C:\WINDOWS\System32\Drivers\sskbfd.sys -- (SSKBFD [On_Demand | Stopped])
DRV - [2008/02/18 11:16:24 | 00,030,464 | ---- | M] (Apple, Inc.) -- C:\WINDOWS\System32\Drivers\usbaapl.sys -- (USBAAPL [On_Demand | Stopped])
DRV - [2008/04/13 11:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\usbaudio.sys -- (usbaudio [On_Demand | Stopped])
DRV - [2005/05/26 11:01:18 | 00,021,344 | ---- | M] (LG Electronics Inc.) -- C:\WINDOWS\System32\DRIVERS\lgusbbus.sys -- (usbbus [On_Demand | Stopped])
DRV - [2005/05/26 11:01:36 | 00,038,144 | ---- | M] (LG Electronics Inc.) -- C:\WINDOWS\System32\DRIVERS\lgusbdiag.sys -- (UsbDiag [On_Demand | Stopped])
DRV - [2005/06/24 18:36:16 | 00,039,036 | ---- | M] (LG Electronics Inc.) -- C:\WINDOWS\System32\DRIVERS\lgusbmodem.sys -- (USBModem [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://red.clientapps.yahoo.com/customize/.../search/ie.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTe...-8&fr=b1ie7
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1;*.local

FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/06/23 16:18:22 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/03/27 20:25:00 | 00,000,000 | ---D | M]


O1 HOSTS File: (777 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll File not found
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [LXCFCATS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.DLL ()
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [Nikon Transfer Monitor] C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe (Nikon Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\system32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\system32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe (Webroot Software, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Thom\Start Menu\Programs\Startup\Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe (Nikon Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSaveSettings = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: aol.com ([free] http in Trusted sites)
O15 - HKCU\..Trusted Domains: 2 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase1140.cab (Windows Live Safety Center Base Module)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1238559437578 (MUWebControl Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} http://lads.myspace.com/upload/MySpaceUploader2.cab (MySpace Uploader Control)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (c:\windows\system32\deploytk32.dll) - C:\WINDOWS\System32\deploytk32.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\24e9012e658: DllName - c:\windows\system32\deploytk32.dll - C:\WINDOWS\System32\deploytk32.dll ()
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {67CB4C62-16CA-45E3-9BA6-E81277C0F0FE} - Reg Error: Key error. File not found
O30 - LSA: Authentication Packages - (C:\\WINDOWS\\system32\\awtsr) - File not found
O30 - LSA: Authentication Packages - (l\v1.0\Providers) - File not found
O30 - LSA: Authentication Packages - (settings...) - File not found
O30 - LSA: Authentication Packages - (tings) - File not found
O30 - LSA: Security Packages - (EM\) - File not found
O30 - LSA: Security Packages - (\80\Tools\Binn\ecurity) - File not found
O30 - LSA: Security Packages - (Pack) - File not found
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/01/28 22:07:09 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{10ecbcb3-dfb0-11db-ba74-00e01847564d}\Shell - "" = AutoRun
O33 - MountPoints2\{10ecbcb3-dfb0-11db-ba74-00e01847564d}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{10ecbcb3-dfb0-11db-ba74-00e01847564d}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2 C:\Documents and Settings\Thom\My Documents\*.tmp files]
[2009/08/31 20:16:19 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/08/31 20:16:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/08/31 20:15:56 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/08/31 20:14:37 | 03,942,048 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Thom\Desktop\mbam-setup.exe
[2009/08/31 19:59:22 | 00,000,000 | ---D | C] -- C:\_OTL
[2009/08/31 07:45:27 | 00,000,000 | -HSD | C] -- C:\WINDOWS\System32\LocalService
[2009/08/29 23:36:36 | 00,349,195 | ---- | C] () -- C:\Documents and Settings\Thom\Desktop\virus scan.jpg
[2009/08/29 15:16:47 | 00,288,768 | ---- | C] () -- C:\Documents and Settings\Thom\Desktop\qpivyml2.exe
[2009/08/29 15:15:25 | 00,514,048 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Thom\Desktop\OTL.exe
[2009/08/20 10:43:35 | 00,359,932 | ---- | C] () -- C:\Documents and Settings\Thom\Desktop\dds.scr
[2009/08/19 09:26:26 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/08/18 13:32:18 | 00,017,692 | ---- | C] () -- C:\WINDOWS\GnuHashes.ini
[2009/08/18 13:24:18 | 00,000,504 | -HS- | C] () -- C:\WINDOWS\System32\GroupPolicy000.dat
[2009/08/17 20:52:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Thom\My Documents\TOFencing
[2009/08/17 20:08:19 | 00,057,344 | ---- | C] (Ahead Software AG) -- C:\WINDOWS\System32\ImageDrive.cpl
[2009/08/17 20:08:18 | 00,089,184 | ---- | C] (Ahead Software AG and its licensors) -- C:\WINDOWS\System32\drivers\imagedrv.sys
[2009/08/17 20:07:13 | 00,038,912 | ---- | C] (Pegasus Imaging Corp.) -- C:\WINDOWS\System32\picn20.dll
[2009/08/17 20:07:05 | 00,569,344 | ---- | C] (Pegasus Software,LLC) -- C:\WINDOWS\System32\imagr5.dll
[2009/08/17 20:07:05 | 00,544,768 | ---- | C] (Pegasus Software, LLC) -- C:\WINDOWS\System32\imagx5.dll
[2009/08/17 20:07:04 | 00,283,920 | ---- | C] (Pegasus Software, LLC) -- C:\WINDOWS\System32\ImagXpr5.dll
[2009/08/17 20:06:54 | 00,155,648 | ---- | C] (Ahead Software Gmbh) -- C:\WINDOWS\System32\NeroCheck.exe
[2009/08/17 20:06:54 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Ahead
[2009/08/17 20:06:50 | 00,000,000 | ---D | C] -- C:\Program Files\Ahead
[2009/08/17 17:24:25 | 00,005,556 | -HS- | C] () -- C:\Documents and Settings\Thom\Application Data\02000000b16fd16a658C.manifest
[2009/08/17 17:24:25 | 00,002,469 | -HS- | C] () -- C:\Documents and Settings\Thom\Application Data\02000000b16fd16a658P.manifest
[2009/08/17 17:24:25 | 00,001,111 | -HS- | C] () -- C:\Documents and Settings\Thom\Application Data\02000000b16fd16a658O.manifest
[2009/08/17 17:24:25 | 00,000,011 | -HS- | C] () -- C:\Documents and Settings\Thom\Application Data\02000000b16fd16a658S.manifest
[2009/08/17 17:24:21 | 00,122,368 | ---- | C] () -- C:\WINDOWS\System32\deploytk32.dll
[2009/08/17 16:46:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Thom\Application Data\InfraRecorder
[2009/08/12 16:23:59 | 00,128,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\dhtmled.ocx
[2009/08/12 16:23:24 | 01,315,328 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msoe.dll
[2009/08/08 17:08:00 | 00,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2009/08/08 17:07:59 | 00,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/08/08 17:07:59 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/08/08 17:07:59 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/08/05 02:01:48 | 00,204,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mswebdvd.dll
[2009/04/22 23:29:30 | 02,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2009/04/21 18:26:56 | 00,031,088 | ---- | C] () -- C:\WINDOWS\System32\wrLZMA.dll
[2009/04/21 15:11:36 | 00,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini
[2009/04/21 15:10:09 | 00,000,059 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2009/04/21 15:10:08 | 00,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2009/04/21 14:54:43 | 00,010,240 | ---- | C] () -- C:\WINDOWS\System32\virport.dll
[2009/03/03 12:18:04 | 00,073,728 | ---- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll
[2009/02/22 18:29:37 | 00,000,128 | ---- | C] () -- C:\WINDOWS\ViewNX.INI
[2008/05/22 21:19:33 | 00,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2008/05/03 14:38:32 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxcfvs.dll
[2008/05/03 14:38:31 | 01,183,744 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfserv.dll
[2008/05/03 14:38:31 | 01,134,592 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfusb1.dll
[2008/05/03 14:38:30 | 00,155,648 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfprox.dll
[2008/05/03 14:38:29 | 00,114,688 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfpplc.dll
[2008/05/03 14:38:26 | 00,704,512 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfcomc.dll
[2008/05/03 14:38:26 | 00,413,696 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfcomm.dll
[2008/05/03 14:38:25 | 00,483,328 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcflmpm.dll
[2007/09/27 10:51:02 | 00,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 00,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 00,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2007/09/24 19:56:35 | 00,693,832 | -HS- | C] () -- C:\WINDOWS\System32\ixbtdiau.ini
[2007/09/23 16:42:00 | 00,693,541 | -HS- | C] () -- C:\WINDOWS\System32\rdfmnpgj.ini
[2007/09/21 20:37:47 | 00,693,832 | -HS- | C] () -- C:\WINDOWS\System32\uywedsim.ini
[2007/09/19 22:22:14 | 00,693,485 | -HS- | C] () -- C:\WINDOWS\System32\ygqfkvoj.ini
[2007/09/18 21:03:38 | 00,693,485 | -HS- | C] () -- C:\WINDOWS\System32\lfhhbhtw.ini
[2007/09/17 18:35:55 | 00,693,484 | -HS- | C] () -- C:\WINDOWS\System32\nkksbmrs.ini
[2007/09/16 12:50:36 | 00,000,377 | ---- | C] () -- C:\WINDOWS\cookies.ini
[2007/09/16 12:49:50 | 00,693,494 | -HS- | C] () -- C:\WINDOWS\System32\whxktapd.ini
[2007/09/15 10:46:40 | 02,101,718 | -HS- | C] () -- C:\WINDOWS\System32\rstwa.ini
[2007/09/15 09:52:37 | 00,693,905 | -HS- | C] () -- C:\WINDOWS\System32\rxrxwqsq.ini
[2007/09/14 19:55:40 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\YCRWin32.dll
[2007/06/18 23:43:04 | 00,000,173 | ---- | C] () -- C:\WINDOWS\dbgmsg32.INI
[2006/04/12 09:48:15 | 00,000,050 | ---- | C] () -- C:\WINDOWS\GunzLauncher.INI
[2005/07/11 18:04:27 | 00,000,134 | ---- | C] () -- C:\WINDOWS\AoADVDRipper.INI
[2005/06/22 21:32:39 | 00,000,126 | ---- | C] () -- C:\WINDOWS\srxAdmin.INI
[2005/03/04 23:37:10 | 00,003,784 | ---- | C] () -- C:\WINDOWS\System32\b5ob130g.ini
[2005/02/20 13:34:04 | 00,020,992 | ---- | C] () -- C:\WINDOWS\jestertb.dll
[2004/11/16 01:22:09 | 00,000,004 | ---- | C] () -- C:\WINDOWS\info147.sys
[2004/06/04 21:31:46 | 00,000,054 | ---- | C] () -- C:\WINDOWS\Weather.Ini
[2004/05/15 00:14:17 | 00,000,227 | ---- | C] () -- C:\WINDOWS\CTWave32.ini
[2004/04/16 17:21:39 | 00,000,093 | ---- | C] () -- C:\WINDOWS\System32\MSrev41.dll
[2004/04/09 17:55:14 | 00,027,105 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2004/03/08 13:14:17 | 00,217,088 | ---- | C] () -- C:\WINDOWS\System32\libmySQL.dll
[2004/03/08 13:14:16 | 00,102,400 | ---- | C] () -- C:\WINDOWS\System32\TrackerNET.dll
[2004/02/22 21:00:13 | 00,005,632 | ---- | C] () -- C:\WINDOWS\System32\CNMVS38.DLL
[2004/02/09 19:11:14 | 01,213,440 | ---- | C] () -- C:\WINDOWS\System32\opengl.dll
[2004/02/09 19:11:13 | 00,315,904 | ---- | C] () -- C:\WINDOWS\System32\glu.dll
[2004/02/09 19:11:13 | 00,154,624 | ---- | C] () -- C:\WINDOWS\System32\glut.dll
[2004/02/01 11:56:33 | 00,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2004/02/01 11:50:54 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/01/28 23:49:29 | 00,524,288 | ---- | C] () -- C:\WINDOWS\System32\TDI-SonyOMG.dll
[2004/01/28 23:49:27 | 00,262,416 | ---- | C] () -- C:\WINDOWS\System32\Asfv2.dll
[2004/01/28 23:17:12 | 00,000,231 | ---- | C] () -- C:\WINDOWS\AC3API.INI
[2004/01/28 23:16:31 | 00,064,000 | ---- | C] () -- C:\WINDOWS\System32\sbusbdll.dll
[2004/01/28 23:16:29 | 00,059,392 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll
[2004/01/28 23:16:27 | 00,005,244 | ---- | C] () -- C:\WINDOWS\System32\SBUSB.INI
[2004/01/28 23:14:37 | 00,000,072 | ---- | C] () -- C:\WINDOWS\SBWIN.INI
[2004/01/28 22:28:40 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/01/28 22:16:28 | 00,001,065 | ---- | C] () -- C:\WINDOWS\winamp.ini
[2001/08/23 05:00:00 | 00,001,024 | ---- | C] () -- C:\WINDOWS\win.ini
[2001/08/23 05:00:00 | 00,000,274 | ---- | C] () -- C:\WINDOWS\system.ini
[2000/11/29 09:50:40 | 00,471,040 | ---- | C] () -- C:\WINDOWS\System32\QTExporter.dll

========== Files - Modified Within 30 Days ==========

[2 C:\Documents and Settings\Thom\My Documents\*.tmp files]
[2009/08/31 20:16:19 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/08/31 20:14:37 | 03,942,048 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Thom\Desktop\mbam-setup.exe
[2009/08/31 20:14:28 | 00,002,469 | -HS- | M] () -- C:\Documents and Settings\Thom\Application Data\02000000b16fd16a658P.manifest
[2009/08/31 20:05:33 | 00,005,556 | -HS- | M] () -- C:\Documents and Settings\Thom\Application Data\02000000b16fd16a658C.manifest
[2009/08/31 20:05:05 | 00,004,452 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/08/31 20:05:02 | 00,001,111 | -HS- | M] () -- C:\Documents and Settings\Thom\Application Data\02000000b16fd16a658O.manifest
[2009/08/31 20:05:02 | 00,000,011 | -HS- | M] () -- C:\Documents and Settings\Thom\Application Data\02000000b16fd16a658S.manifest
[2009/08/31 20:05:01 | 00,122,368 | ---- | M] () -- C:\WINDOWS\System32\deploytk32.dll
[2009/08/31 20:04:28 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/08/31 20:03:58 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/08/31 20:03:52 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/08/31 20:03:49 | 53,644,9024 | -HS- | M] () -- C:\hiberfil.sys
[2009/08/31 07:45:28 | 00,000,504 | -HS- | M] () -- C:\WINDOWS\System32\GroupPolicy000.dat
[2009/08/29 23:53:29 | 08,032,656 | -H-- | M] () -- C:\Documents and Settings\Thom\Local Settings\Application Data\IconCache.db
[2009/08/29 23:35:45 | 00,349,195 | ---- | M] () -- C:\Documents and Settings\Thom\Desktop\virus scan.jpg
[2009/08/29 15:16:48 | 00,288,768 | ---- | M] () -- C:\Documents and Settings\Thom\Desktop\qpivyml2.exe
[2009/08/29 15:15:42 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Thom\Desktop\OTL.exe
[2009/08/24 22:39:14 | 00,001,744 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/08/24 22:34:43 | 50,302,976 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP
[2009/08/23 23:15:10 | 00,017,692 | ---- | M] () -- C:\WINDOWS\GnuHashes.ini
[2009/08/23 22:27:39 | 00,000,020 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
[2009/08/20 10:46:55 | 00,106,496 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ATL71.DLL
[2009/08/20 10:43:42 | 00,359,932 | ---- | M] () -- C:\Documents and Settings\Thom\Desktop\dds.scr
[2009/08/20 09:10:00 | 00,000,128 | ---- | M] () -- C:\WINDOWS\ViewNX.INI
[2009/08/19 00:00:00 | 00,001,638 | ---- | M] () -- C:\WINDOWS\tasks\wrSpySweeper_L4DE8B1406C60400A89680257A4DF047A.job
[2009/08/18 20:53:22 | 00,503,912 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/08/17 21:02:35 | 00,122,648 | ---- | M] () -- C:\Documents and Settings\Thom\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/08/12 17:32:57 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/08/05 02:01:48 | 00,204,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mswebdvd.dll
[2009/08/05 02:01:48 | 00,204,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mswebdvd.dll
[2009/08/03 13:36:28 | 00,038,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/08/03 13:36:06 | 00,019,096 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/08/01 22:26:07 | 00,001,632 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2009/08/01 22:05:59 | 00,000,072 | ---- | M] () -- C:\WINDOWS\SBWIN.INI

========== Files - Unicode (All) ==========
[2003/09/14 20:16:11 | 00,000,000 | ---D | M](C:\WINDOWS\?ssembly) -- C:\WINDOWS\аssembly
[2007/09/14 20:16:00 | 00,000,000 | ---D | C](C:\WINDOWS\?ssembly) -- C:\WINDOWS\аssembly
< End of report >


MBAM Log
Malwarebytes' Anti-Malware 1.40
Database version: 2723
Windows 5.1.2600 Service Pack 3

8/31/2009 8:33:52 PM
mbam-log-2009-08-31 (20-33-43).txt

Scan type: Quick Scan
Objects scanned: 115421
Time elapsed: 9 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 21
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 2
Files Infected: 26

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\deploytk32.dll (Trojan.Tracur) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\24e9012e658 (Trojan.Tracur) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{21b4acc4-8874-4aec-aeac-f567a249b4d4} (Adware.180Solutions) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bf18e7c6-7ea4-4afa-bb60-6811359b3c8c} (Adware.Deewoo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{10e42047-deb9-4535-a118-b3f6ec39b807} (Adware.ISTBar) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{386a771c-e96a-421f-8ba7-32f1b706892f} (Adware.ISTBar) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{42f2c9ba-614f-47c0-b3e3-ecfd34eed658} (Adware.ISTBar) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{86227d9c-0efe-4f8a-aa55-30386a3f5686} (Adware.ISTBar) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4d1c4e81-a32a-416b-bcdb-33b3ef3617d3} (Adware.Need2Find) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000010-6f7d-442c-93e3-4a4827c2e4c8} (Adware.NetOptimizer) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8f4e5661-f99e-4b3e-8d85-0ea71c0748e4} (Adware.NetOptimizer) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4e7bd74f-2b8d-469e-86bd-fd60bb9aae3a} (Adware.OneToolBar) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{000006b1-19b5-414a-849f-2a3c64ae6939} (Fake.Dropped.Malware) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{13197ace-6851-45c3-a7ff-c281324d5489} (Fake.Dropped.Malware) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a3fdd654-a057-4971-9844-4ed8e67dbbb8} (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e055c02e-6258-40ff-80a7-3bda52facad7} (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f919fbd3-a96b-4679-af26-f551439bb5fd} (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{67cb4c62-16ca-45e3-9ba6-e81277c0f0fe} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.TryMedia) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{67cb4c62-16ca-45e3-9ba6-e81277c0f0fe} (Trojan.Vundo) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur) -> Data: c:\windows\system32\deploytk32.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur) -> Data: system32\deploytk32.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
C:\WINDOWS\Drivers\Aud32 (Trojan.BHO) -> No action taken.
C:\WINDOWS\system32\LocalService (Worm.Archive) -> No action taken.

Files Infected:
c:\WINDOWS\system32\deploytk32.dll (Trojan.Tracur) -> No action taken.
C:\WINDOWS\system32\LocalService\269.crack.zip (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\LocalService\269.crack.zip.kwd (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\LocalService\270.keygen.zip (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\LocalService\270.keygen.zip.kwd (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\LocalService\271.serial.zip (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\LocalService\271.serial.zip.kwd (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\LocalService\272.setup.zip (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\LocalService\272.setup.zip.kwd (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\LocalService\273.music.au (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\LocalService\273.music.au.kwd (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\LocalService\274.music2.au (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\LocalService\274.music2.au.kwd (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\LocalService\275.MUSIC3.AU (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\LocalService\275.music3.au.kwd (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\LocalService\276.music.snd (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\LocalService\276.music.snd.kwd (Worm.Archive) -> No action taken.
C:\WINDOWS\GnuHashes.ini (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\GroupPolicy000.dat (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\ClickToFindandFixErrors_2.ico (Malware.Trace) -> No action taken.
C:\WINDOWS\cookies.ini (Malware.Trace) -> No action taken.
C:\WINDOWS\Drivers\phuninst.dll (Trojan.BHO) -> No action taken.
C:\WINDOWS\Drivers\pub.dll (Trojan.BHO) -> No action taken.
C:\WINDOWS\Drivers\readme.html (Trojan.BHO) -> No action taken.
C:\WINDOWS\Fonts\acrsecB.fon (Trojan.Agent) -> No action taken.
C:\WINDOWS\Fonts\acrsecI.fon (Trojan.Agent) -> No action taken.


MBAM Log Removal pre-Reboot
Malwarebytes' Anti-Malware 1.40
Database version: 2723
Windows 5.1.2600 Service Pack 3

8/31/2009 8:34:57 PM
mbam-log-2009-08-31 (20-34-57).txt

Scan type: Quick Scan
Objects scanned: 115421
Time elapsed: 9 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 21
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 2
Files Infected: 26

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\deploytk32.dll (Trojan.Tracur) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\24e9012e658 (Trojan.Tracur) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{21b4acc4-8874-4aec-aeac-f567a249b4d4} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bf18e7c6-7ea4-4afa-bb60-6811359b3c8c} (Adware.Deewoo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{10e42047-deb9-4535-a118-b3f6ec39b807} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{386a771c-e96a-421f-8ba7-32f1b706892f} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{42f2c9ba-614f-47c0-b3e3-ecfd34eed658} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{86227d9c-0efe-4f8a-aa55-30386a3f5686} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4d1c4e81-a32a-416b-bcdb-33b3ef3617d3} (Adware.Need2Find) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000010-6f7d-442c-93e3-4a4827c2e4c8} (Adware.NetOptimizer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8f4e5661-f99e-4b3e-8d85-0ea71c0748e4} (Adware.NetOptimizer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4e7bd74f-2b8d-469e-86bd-fd60bb9aae3a} (Adware.OneToolBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{000006b1-19b5-414a-849f-2a3c64ae6939} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{13197ace-6851-45c3-a7ff-c281324d5489} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a3fdd654-a057-4971-9844-4ed8e67dbbb8} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e055c02e-6258-40ff-80a7-3bda52facad7} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f919fbd3-a96b-4679-af26-f551439bb5fd} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{67cb4c62-16ca-45e3-9ba6-e81277c0f0fe} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.TryMedia) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{67cb4c62-16ca-45e3-9ba6-e81277c0f0fe} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur) -> Data: c:\windows\system32\deploytk32.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur) -> Data: system32\deploytk32.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\Drivers\Aud32 (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LocalService (Worm.Archive) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\deploytk32.dll (Trojan.Tracur) -> Delete on reboot.
C:\WINDOWS\system32\LocalService\269.crack.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LocalService\269.crack.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LocalService\270.keygen.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LocalService\270.keygen.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LocalService\271.serial.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LocalService\271.serial.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LocalService\272.setup.zip (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LocalService\272.setup.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LocalService\273.music.au (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LocalService\273.music.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LocalService\274.music2.au (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LocalService\274.music2.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LocalService\275.MUSIC3.AU (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LocalService\275.music3.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LocalService\276.music.snd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LocalService\276.music.snd.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\GnuHashes.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\GroupPolicy000.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ClickToFindandFixErrors_2.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Drivers\phuninst.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\Drivers\pub.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\Drivers\readme.html (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\acrsecB.fon (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\acrsecI.fon (Trojan.Agent) -> Quarantined and deleted successfully.

#6 Buckeye_Sam

    Malware Expert

Posted 01 September 2009 - 12:35 PM

Looks like we may have a stubborn one.

Files Infected:
c:\WINDOWS\system32\deploytk32.dll (Trojan.Tracur) -> Delete on reboot.


Please check to see if Malwarebytes was able to successfully remove this file or whether it still shows up in the scan.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 mot1thom
  • Topic Starter

Posted 05 September 2009 - 04:13 PM

Ran a new scan of malwarebytes and it came up clean; no more forwarding going on either! Thank you so much!

#8 Buckeye_Sam

    Malware Expert

Posted 06 September 2009 - 10:16 AM

Sounds good!

It's time to clean up.
  • Make sure you have an Internet Connection.
  • Double-click OTL.exe to run it.
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OtMoveit2 to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.


================




Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - You should disable and re-enable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to disable and re-enable system restore here:

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above.

  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.



========================================================

#9 mot1thom
  • Topic Starter

Posted 26 September 2009 - 01:29 PM

Sorry to bother you again Sam, but it looks like my wife downloaded something and it's back, and a little more vicious this time: it pops up on every page change. I tried to fix it by running both quick and full scans of MBAM, which, while finding a lot of other stuff, didn't catch the problem. I went ahead and ran new OTL & GMER scans below. Thank you for your time!
~Thom

OTL Report:
OTL logfile created on: 9/26/2009 10:21:18 AM - Run 3
OTL by OldTimer - Version 3.0.14.0 Folder = C:\Documents and Settings\Thom\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.53 Mb Total Physical Memory | 92.00 Mb Available Physical Memory | 17.98% Memory free
1.44 Gb Paging File | 0.98 Gb Available in Paging File | 67.79% Paging File free
Paging file location(s): C:\pagefile.sys 1000 1500 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 16.00 Gb Total Space | 2.51 Gb Free Space | 15.68% Space Free | Partition Type: NTFS
Drive D: | 41.25 Gb Total Space | 25.21 Gb Free Space | 61.11% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MISCOMPUTER
Current User Name: Thom
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/07/16 13:38:10 | 01,205,760 | ---- | M] (Webroot Software, Inc. ) -- C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
PRC - [2008/04/13 17:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2003/02/17 15:25:16 | 00,053,248 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe
PRC - [2009/02/24 17:00:26 | 00,479,232 | ---- | M] (Nikon Corporation) -- C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
PRC - [2009/07/25 05:23:12 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/05/13 15:40:08 | 06,345,840 | ---- | M] (Webroot Software, Inc.) -- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
PRC - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2009/07/25 05:23:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2004/07/15 12:42:00 | 00,114,755 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe
PRC - [2009/04/21 18:26:52 | 04,048,240 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
PRC - [2000/06/26 05:44:20 | 00,053,520 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MsPMSPSv.exe
PRC - [2009/03/26 15:31:20 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/04/21 18:26:50 | 00,165,232 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
PRC - [2009/03/08 14:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/03/08 14:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/03/08 14:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/09/26 10:20:05 | 00,514,560 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Thom\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2009/03/26 15:31:20 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2008/12/12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [1999/12/12 23:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\System32\CTsvcCDA.exe -- (Creative Service for CDROM Access [Disabled | Stopped])
SRV - [2009/04/22 17:58:50 | 00,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service [On_Demand | Stopped])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2008/04/13 17:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2009/04/02 16:10:56 | 00,656,168 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Stopped])
SRV - [2009/07/25 05:23:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2005/07/25 12:25:18 | 00,491,520 | ---- | M] ( ) -- C:\WINDOWS\System32\lxcfcoms.exe -- (lxcf_device [On_Demand | Stopped])
SRV - [2002/12/17 18:26:22 | 07,520,337 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe -- (MSSQL$SONY_MEDIAMGR [On_Demand | Stopped])
SRV - File not found -- -- (MSSQLServerADHelper [Disabled | Stopped])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2004/07/15 12:42:00 | 00,114,755 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe -- (NVSvc [Auto | Running])
SRV - [2001/07/31 18:39:44 | 00,065,536 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe -- (SPTISRV [On_Demand | Stopped])
SRV - [2002/12/17 18:23:30 | 00,311,872 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE -- (SQLAgent$SONY_MEDIAMGR [On_Demand | Stopped])
SRV - [2009/04/21 18:26:52 | 04,048,240 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe -- (WebrootSpySweeperService [Auto | Running])
SRV - [2000/06/26 05:44:20 | 00,053,520 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MsPMSPSv.exe -- (WMDM PMSP Service [Auto | Running])
SRV - [2006/10/18 21:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])
SRV - [2009/07/16 13:38:10 | 01,205,760 | ---- | M] (Webroot Software, Inc. ) -- C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe -- (WRConsumerService [Auto | Running])

========== Driver Services (SafeList) ==========

DRV - [2008/04/13 11:46:20 | 00,048,128 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\61883.sys -- (61883 [On_Demand | Stopped])
DRV - [2001/08/17 05:20:04 | 00,096,256 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\drivers\ac97intc.sys -- (ac97intc [On_Demand | Running])
DRV - [2002/07/17 08:53:02 | 00,016,877 | ---- | M] (Adaptec) -- C:\WINDOWS\System32\drivers\Aspi32.sys -- (ASPI32 [System | Running])
DRV - [2008/04/13 11:46:20 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\avc.sys -- (Avc [On_Demand | Stopped])
DRV - [2000/12/05 14:18:02 | 00,003,952 | R--- | M] (Sony Corporation) -- C:\WINDOWS\System32\DRIVERS\DMICall.sys -- (DMICall [System | Running])
DRV - [2009/03/19 16:32:48 | 00,023,400 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2003/12/07 23:53:06 | 00,009,728 | R--- | M] (Western Digital) -- C:\WINDOWS\System32\DRIVERS\inibtmgr.sys -- (inibtmgr [On_Demand | Stopped])
DRV - [2001/11/28 15:40:26 | 00,441,441 | ---- | M] (LT) -- C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys -- (ltmodem5 [On_Demand | Running])
DRV - [2008/04/13 11:46:09 | 00,051,200 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\msdv.sys -- (MSDV [On_Demand | Stopped])
DRV - [2004/07/15 12:42:00 | 02,459,712 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Running])
DRV - [2003/03/05 10:19:28 | 00,015,840 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\System32\PfModNT.sys -- (PfModNT [Auto | Running])
DRV - [2001/08/23 05:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2004/05/19 09:33:44 | 00,020,016 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\DRIVERS\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2009/03/09 05:03:24 | 00,121,984 | ---- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\System32\DRIVERS\Rtnicxp.sys -- (RTL8023xp [On_Demand | Running])
DRV - [2004/08/03 22:31:32 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) -- C:\WINDOWS\System32\DRIVERS\RTL8139.SYS -- (rtl8139 [On_Demand | Stopped])
DRV - [2003/03/24 23:27:00 | 00,632,576 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\System32\DRIVERS\sbusb.sys -- (sbusb [On_Demand | Running])
DRV - [2008/04/13 11:45:33 | 00,011,520 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\scsiscan.sys -- (scsiscan [On_Demand | Stopped])
DRV - [2007/11/13 03:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2009/04/21 18:27:02 | 00,029,808 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\WINDOWS\system32\DRIVERS\ssfs0bbc.sys -- (ssfs0bbc [Boot | Running])
DRV - [2009/04/21 18:27:04 | 00,023,152 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\WINDOWS\SYSTEM32\Drivers\SSHRMD.SYS -- (SSHRMD [Boot | Running])
DRV - [2009/04/21 18:27:04 | 00,176,752 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\WINDOWS\SYSTEM32\Drivers\SSIDRV.SYS -- (SSIDRV [Boot | Running])
DRV - [2008/01/04 21:34:36 | 00,023,920 | ---- | M] (Webroot Software Inc (www.webroot.com)) -- C:\WINDOWS\System32\Drivers\sskbfd.sys -- (SSKBFD [On_Demand | Stopped])
DRV - [2008/02/18 11:16:24 | 00,030,464 | ---- | M] (Apple, Inc.) -- C:\WINDOWS\System32\Drivers\usbaapl.sys -- (USBAAPL [On_Demand | Stopped])
DRV - [2008/04/13 11:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\usbaudio.sys -- (usbaudio [On_Demand | Stopped])
DRV - [2005/05/26 11:01:18 | 00,021,344 | ---- | M] (LG Electronics Inc.) -- C:\WINDOWS\System32\DRIVERS\lgusbbus.sys -- (usbbus [On_Demand | Stopped])
DRV - [2005/05/26 11:01:36 | 00,038,144 | ---- | M] (LG Electronics Inc.) -- C:\WINDOWS\System32\DRIVERS\lgusbdiag.sys -- (UsbDiag [On_Demand | Stopped])
DRV - [2005/06/24 18:36:16 | 00,039,036 | ---- | M] (LG Electronics Inc.) -- C:\WINDOWS\System32\DRIVERS\lgusbmodem.sys -- (USBModem [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://red.clientapps.yahoo.com/customize/.../search/ie.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-602162358-1770027372-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-602162358-1770027372-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
IE - HKU\S-1-5-21-602162358-1770027372-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKU\S-1-5-21-602162358-1770027372-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTe...-8&fr=b1ie7
IE - HKU\S-1-5-21-602162358-1770027372-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-602162358-1770027372-839522115-1003\S-1-5-21-602162358-1770027372-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-602162358-1770027372-839522115-1003\S-1-5-21-602162358-1770027372-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1;*.local

FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/06/23 16:18:22 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/03/27 20:25:00 | 00,000,000 | ---D | M]


O1 HOSTS File: (777 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll File not found
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [LXCFCATS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.DLL ()
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [Nikon Transfer Monitor] C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe (Nikon Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\system32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\system32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe (Webroot Software, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Thom\Start Menu\Programs\Startup\Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe (Nikon Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-602162358-1770027372-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-602162358-1770027372-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSaveSettings = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-602162358-1770027372-839522115-1003\..Trusted Domains: aol.com ([free] http in Trusted sites)
O15 - HKU\S-1-5-21-602162358-1770027372-839522115-1003\..Trusted Domains: 2 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase1140.cab (Windows Live Safety Center Base Module)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1238559437578 (MUWebControl Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} http://lads.myspace.com/upload/MySpaceUploader2.cab (MySpace Uploader Control)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\WINDOWS\System32\HAL32.dll) - C:\WINDOWS\System32\HAL32.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\__c00956A: DllName - C:\WINDOWS\system32\__c00956A.dat - C:\WINDOWS\System32\__c00956A.dat ()
O20 - Winlogon\Notify\24e9012e670: DllName - C:\WINDOWS\System32\HAL32.dll - C:\WINDOWS\System32\HAL32.dll ()
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (C:\\WINDOWS\\system32\\awtsr) - File not found
O30 - LSA: Authentication Packages - (entication) - File not found
O30 - LSA: Authentication Packages - (Packages) - File not found
O30 - LSA: Authentication Packages - (settings...) - File not found
O30 - LSA: Authentication Packages - ()) - File not found
O30 - LSA: Security Packages - (EM\) - File not found
O30 - LSA: Security Packages - (\80\Tools\Binn\ecurity) - File not found
O30 - LSA: Security Packages - (Pack) - File not found
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/01/28 22:07:09 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{10ecbcb3-dfb0-11db-ba74-00e01847564d}\Shell - "" = AutoRun
O33 - MountPoints2\{10ecbcb3-dfb0-11db-ba74-00e01847564d}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{10ecbcb3-dfb0-11db-ba74-00e01847564d}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[2009/09/26 10:20:30 | 00,288,768 | ---- | C] () -- C:\Documents and Settings\Thom\Desktop\mu31zjuj.exe
[2009/09/26 10:19:53 | 00,514,560 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Thom\Desktop\OTL.exe
[2009/09/26 10:10:06 | 00,000,000 | -HSD | C] -- C:\WINDOWS\System32\LocalService
[2009/09/23 13:23:41 | 00,027,648 | ---- | C] () -- C:\WINDOWS\System32\__c00956A.dat
[2009/09/20 16:42:00 | 00,017,851 | ---- | C] () -- C:\WINDOWS\GnuHashes.ini
[2009/09/20 16:34:00 | 00,001,468 | -HS- | C] () -- C:\WINDOWS\System32\GroupPolicy000.dat
[2009/09/20 11:49:30 | 00,000,652 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Finale PrintMusic 2009.lnk
[2009/09/20 11:44:52 | 00,005,556 | -HS- | C] () -- C:\Documents and Settings\Thom\Application Data\02000000b16fd16a670C.manifest
[2009/09/20 11:44:52 | 00,000,565 | -HS- | C] () -- C:\Documents and Settings\Thom\Application Data\02000000b16fd16a670O.manifest
[2009/09/20 11:44:52 | 00,000,011 | -HS- | C] () -- C:\Documents and Settings\Thom\Application Data\02000000b16fd16a670S.manifest
[2009/09/20 11:44:51 | 00,003,011 | -HS- | C] () -- C:\Documents and Settings\Thom\Application Data\02000000b16fd16a670P.manifest
[2009/09/20 11:44:50 | 00,119,808 | ---- | C] () -- C:\WINDOWS\System32\HAL32.dll
[2009/09/12 15:44:53 | 00,153,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\triedit.dll
[2009/08/31 20:35:52 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\mhuvgwce.sys
[2009/08/31 20:16:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Thom\Application Data\Malwarebytes
[2009/08/31 20:16:10 | 00,038,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/08/31 20:16:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/08/31 20:16:03 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/08/31 20:15:56 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/08/31 19:59:22 | 00,000,000 | ---D | C] -- C:\_OTL
[2009/04/22 23:29:30 | 02,463,976 | ---- | C] () -- C:\WINDOWS\System32\NPSWF32.dll
[2009/04/21 18:26:56 | 00,031,088 | ---- | C] () -- C:\WINDOWS\System32\wrLZMA.dll
[2009/04/21 15:11:36 | 00,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini
[2009/04/21 15:10:09 | 00,000,059 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2009/04/21 15:10:08 | 00,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2009/04/21 14:54:43 | 00,010,240 | ---- | C] () -- C:\WINDOWS\System32\virport.dll
[2009/03/03 12:18:04 | 00,073,728 | ---- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll
[2009/02/22 18:29:37 | 00,000,128 | ---- | C] () -- C:\WINDOWS\ViewNX.INI
[2008/05/22 21:19:33 | 00,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2008/05/03 14:38:32 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxcfvs.dll
[2008/05/03 14:38:31 | 01,183,744 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfserv.dll
[2008/05/03 14:38:31 | 01,134,592 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfusb1.dll
[2008/05/03 14:38:30 | 00,155,648 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfprox.dll
[2008/05/03 14:38:29 | 00,114,688 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfpplc.dll
[2008/05/03 14:38:26 | 00,704,512 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfcomc.dll
[2008/05/03 14:38:26 | 00,413,696 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfcomm.dll
[2008/05/03 14:38:25 | 00,483,328 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcflmpm.dll
[2007/09/27 10:51:02 | 00,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 00,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 00,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2007/09/24 19:56:35 | 00,693,832 | -HS- | C] () -- C:\WINDOWS\System32\ixbtdiau.ini
[2007/09/23 16:42:00 | 00,693,541 | -HS- | C] () -- C:\WINDOWS\System32\rdfmnpgj.ini
[2007/09/21 20:37:47 | 00,693,832 | -HS- | C] () -- C:\WINDOWS\System32\uywedsim.ini
[2007/09/19 22:22:14 | 00,693,485 | -HS- | C] () -- C:\WINDOWS\System32\ygqfkvoj.ini
[2007/09/18 21:03:38 | 00,693,485 | -HS- | C] () -- C:\WINDOWS\System32\lfhhbhtw.ini
[2007/09/17 18:35:55 | 00,693,484 | -HS- | C] () -- C:\WINDOWS\System32\nkksbmrs.ini
[2007/09/16 12:49:50 | 00,693,494 | -HS- | C] () -- C:\WINDOWS\System32\whxktapd.ini
[2007/09/15 10:46:40 | 02,101,718 | -HS- | C] () -- C:\WINDOWS\System32\rstwa.ini
[2007/09/15 09:52:37 | 00,693,905 | -HS- | C] () -- C:\WINDOWS\System32\rxrxwqsq.ini
[2007/09/14 19:55:40 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\YCRWin32.dll
[2007/06/18 23:43:04 | 00,000,173 | ---- | C] () -- C:\WINDOWS\dbgmsg32.INI
[2006/04/12 09:48:15 | 00,000,050 | ---- | C] () -- C:\WINDOWS\GunzLauncher.INI
[2005/07/11 18:04:27 | 00,000,134 | ---- | C] () -- C:\WINDOWS\AoADVDRipper.INI
[2005/06/22 21:32:39 | 00,000,126 | ---- | C] () -- C:\WINDOWS\srxAdmin.INI
[2005/03/04 23:37:10 | 00,003,784 | ---- | C] () -- C:\WINDOWS\System32\b5ob130g.ini
[2005/02/20 13:34:04 | 00,020,992 | ---- | C] () -- C:\WINDOWS\jestertb.dll
[2004/11/16 01:22:09 | 00,000,004 | ---- | C] () -- C:\WINDOWS\info147.sys
[2004/06/04 21:31:46 | 00,000,054 | ---- | C] () -- C:\WINDOWS\Weather.Ini
[2004/05/15 00:14:17 | 00,000,227 | ---- | C] () -- C:\WINDOWS\CTWave32.ini
[2004/04/16 17:21:39 | 00,000,093 | ---- | C] () -- C:\WINDOWS\System32\MSrev41.dll
[2004/04/09 17:55:14 | 00,027,105 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2004/03/08 13:14:17 | 00,217,088 | ---- | C] () -- C:\WINDOWS\System32\libmySQL.dll
[2004/03/08 13:14:16 | 00,102,400 | ---- | C] () -- C:\WINDOWS\System32\TrackerNET.dll
[2004/02/22 21:00:13 | 00,005,632 | ---- | C] () -- C:\WINDOWS\System32\CNMVS38.DLL
[2004/02/09 19:11:14 | 01,213,440 | ---- | C] () -- C:\WINDOWS\System32\opengl.dll
[2004/02/09 19:11:13 | 00,315,904 | ---- | C] () -- C:\WINDOWS\System32\glu.dll
[2004/02/09 19:11:13 | 00,154,624 | ---- | C] () -- C:\WINDOWS\System32\glut.dll
[2004/02/01 11:56:33 | 00,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2004/02/01 11:50:54 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/01/28 23:49:29 | 00,524,288 | ---- | C] () -- C:\WINDOWS\System32\TDI-SonyOMG.dll
[2004/01/28 23:49:27 | 00,262,416 | ---- | C] () -- C:\WINDOWS\System32\Asfv2.dll
[2004/01/28 23:17:12 | 00,000,231 | ---- | C] () -- C:\WINDOWS\AC3API.INI
[2004/01/28 23:16:31 | 00,064,000 | ---- | C] () -- C:\WINDOWS\System32\sbusbdll.dll
[2004/01/28 23:16:29 | 00,059,392 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll
[2004/01/28 23:16:27 | 00,005,244 | ---- | C] () -- C:\WINDOWS\System32\SBUSB.INI
[2004/01/28 23:14:37 | 00,000,072 | ---- | C] () -- C:\WINDOWS\SBWIN.INI
[2004/01/28 22:28:40 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/01/28 22:16:28 | 00,001,065 | ---- | C] () -- C:\WINDOWS\winamp.ini
[2001/08/23 05:00:00 | 00,001,024 | ---- | C] () -- C:\WINDOWS\win.ini
[2001/08/23 05:00:00 | 00,000,274 | ---- | C] () -- C:\WINDOWS\system.ini
[2000/11/29 09:50:40 | 00,471,040 | ---- | C] () -- C:\WINDOWS\System32\QTExporter.dll

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[2009/09/26 10:20:31 | 00,288,768 | ---- | M] () -- C:\Documents and Settings\Thom\Desktop\mu31zjuj.exe
[2009/09/26 10:20:10 | 00,003,011 | -HS- | M] () -- C:\Documents and Settings\Thom\Application Data\02000000b16fd16a670P.manifest
[2009/09/26 10:20:05 | 00,514,560 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Thom\Desktop\OTL.exe
[2009/09/26 10:12:51 | 00,005,556 | -HS- | M] () -- C:\Documents and Settings\Thom\Application Data\02000000b16fd16a670C.manifest
[2009/09/26 10:10:06 | 00,001,468 | -HS- | M] () -- C:\WINDOWS\System32\GroupPolicy000.dat
[2009/09/26 10:09:57 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/09/26 10:09:13 | 00,004,452 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/09/26 10:09:10 | 00,000,011 | -HS- | M] () -- C:\Documents and Settings\Thom\Application Data\02000000b16fd16a670S.manifest
[2009/09/26 10:09:09 | 00,000,565 | -HS- | M] () -- C:\Documents and Settings\Thom\Application Data\02000000b16fd16a670O.manifest
[2009/09/26 10:09:01 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/09/26 10:08:55 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/09/26 10:08:53 | 53,644,9024 | -HS- | M] () -- C:\hiberfil.sys
[2009/09/20 16:42:00 | 00,017,851 | ---- | M] () -- C:\WINDOWS\GnuHashes.ini
[2009/09/20 16:30:47 | 06,291,456 | -H-- | M] () -- C:\Documents and Settings\Thom\Local Settings\Application Data\IconCache.db
[2009/09/20 12:33:36 | 00,000,777 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\HOSTS
[2009/09/20 11:57:42 | 00,001,744 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/09/20 11:49:30 | 00,000,652 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Finale PrintMusic 2009.lnk
[2009/09/20 11:44:50 | 00,119,808 | ---- | M] () -- C:\WINDOWS\System32\HAL32.dll
[2009/09/12 17:25:50 | 00,026,112 | ---- | M] () -- C:\Documents and Settings\Thom\My Documents\TAXES.xls
[2009/09/12 16:13:57 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/08/31 20:35:52 | 00,061,440 | ---- | M] () -- C:\WINDOWS\System32\drivers\mhuvgwce.sys
[2009/08/31 20:14:28 | 00,002,469 | -HS- | M] () -- C:\Documents and Settings\Thom\Application Data\02000000b16fd16a658P.manifest
[2009/08/31 20:05:33 | 00,005,556 | -HS- | M] () -- C:\Documents and Settings\Thom\Application Data\02000000b16fd16a658C.manifest
[2009/08/31 20:05:02 | 00,001,111 | -HS- | M] () -- C:\Documents and Settings\Thom\Application Data\02000000b16fd16a658O.manifest
[2009/08/31 20:05:02 | 00,000,011 | -HS- | M] () -- C:\Documents and Settings\Thom\Application Data\02000000b16fd16a658S.manifest
[2009/08/28 14:38:20 | 24,689,600 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe

========== Files - Unicode (All) ==========
[2003/09/14 20:16:11 | 00,000,000 | ---D | M](C:\WINDOWS\?ssembly) -- C:\WINDOWS\аssembly
[2007/09/14 20:16:00 | 00,000,000 | ---D | C](C:\WINDOWS\?ssembly) -- C:\WINDOWS\аssembly
< End of report >

GMER Report:

#10 Buckeye_Sam (Malware Expert)

Posted 27 September 2009 - 12:03 PM

I see the OTL report, but not the Gmer log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 mot1thom


Posted 27 September 2009 - 01:37 PM

So sorry, running a new report now; I don't know what happened there!
~T

#12 Buckeye_Sam

    Malware Expert

Posted 28 September 2009 - 06:48 AM

No problem. Just post it when you have it.

#13 mot1thom


Posted 28 September 2009 - 11:59 AM

Here it is. Sorry it took so long; I had to run it like 5 times. Every time it would eventually finish, but when I clicked to save the log it would say I had inadequate system resources; nothing would show up, and the start menu couldn't even load!

GMER Log:

GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-09-28 09:48:44
Windows 5.1.2600 Service Pack 3
Running: mu31zjuj.exe; Driver: C:\DOCUME~1\Thom\LOCALS~1\Temp\ugdciaob.sys


---- System - GMER 1.0.15 ----

SSDT 8335FA80 ZwAllocateVirtualMemory
SSDT 833B03D0 ZwCreateKey
SSDT 8335FFA8 ZwCreateProcess
SSDT 8335FF30 ZwCreateProcessEx
SSDT 8335FD50 ZwCreateThread
SSDT 833CBC58 ZwDeleteKey
SSDT 83386150 ZwDeleteValueKey
SSDT 8335FAF8 ZwQueueApcThread
SSDT 8335F990 ZwReadVirtualMemory
SSDT 833A10A8 ZwRenameKey
SSDT 8335FBE8 ZwSetContextThread
SSDT 83386240 ZwSetInformationKey
SSDT 8335FE40 ZwSetInformationProcess
SSDT 8335FC60 ZwSetInformationThread
SSDT 833861C8 ZwSetValueKey
SSDT 8335FDC8 ZwSuspendProcess
SSDT 8335FB70 ZwSuspendThread
SSDT 8335FEB8 ZwTerminateProcess
SSDT 8335FCD8 ZwTerminateThread
SSDT 8335FA08 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 3A0 804E29FC 4 Bytes CALL 56D15FFC

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[928] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[2864] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 00450771 C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe (Spy Sweeper Client Executable/Webroot Software, Inc.)
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3980] ntdll.dll!KiUserExceptionDispatcher + 9 7C90E485 5 Bytes JMP 00017DB0 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3980] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00016000 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3980] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 000169B0 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3980] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00016000 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3980] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 00016960 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3980] kernel32.dll!VirtualFree 7C809B84 5 Bytes JMP 00016990 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (www.webroot.com))

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] 83385FA8
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] 8335F918
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] 8335F918
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] 83385FA8
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] 83385FA8
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] 8335F918
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] 8335F918
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] 83385FA8
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] 8335F918
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] 83385FA8
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] 8335F918
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] 8335F918
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] 83385FA8

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))

Device \Driver\Tcpip \Device\Ip 833566E0
Device \Driver\Tcpip \Device\Ip 832FEAF8
Device \Driver\Tcpip \Device\Ip 83199438
Device \Driver\Tcpip \Device\Ip 830FDCB8
Device \Driver\Tcpip \Device\Tcp 833566E0
Device \Driver\Tcpip \Device\Tcp 832FEAF8
Device \Driver\Tcpip \Device\Tcp 83199438
Device \Driver\Tcpip \Device\Tcp 830FDCB8
Device \Driver\Tcpip \Device\Udp 833566E0
Device \Driver\Tcpip \Device\Udp 832FEAF8
Device \Driver\Tcpip \Device\Udp 83199438
Device \Driver\Tcpip \Device\Udp 830FDCB8
Device \Driver\Tcpip \Device\RawIp 833566E0
Device \Driver\Tcpip \Device\RawIp 832FEAF8
Device \Driver\Tcpip \Device\RawIp 83199438
Device \Driver\Tcpip \Device\RawIp 830FDCB8
Device \Driver\Tcpip \Device\IPMULTICAST 833566E0
Device \Driver\Tcpip \Device\IPMULTICAST 832FEAF8
Device \Driver\Tcpip \Device\IPMULTICAST 83199438
Device \Driver\Tcpip \Device\IPMULTICAST 830FDCB8

---- EOF - GMER 1.0.15 ----

#14 Buckeye_Sam

    Malware Expert

Posted 28 September 2009 - 07:08 PM

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#15 mot1thom


Posted 30 September 2009 - 12:43 AM

ComboFix log; I didn't know whether you wanted it attached or posted, so I'm doing both. Thanks again for all your help,
~Thom


ComboFix 09-09-29.02 - Thom 09/29/2009 22:08.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.512.227 [GMT -7:00]
Running from: c:\documents and settings\Thom\Desktop\ComboFix.exe
AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Kat.MISCOMPUTER\Application Data\02000000b16fd16a658C.manifest
c:\documents and settings\Kat.MISCOMPUTER\Application Data\02000000b16fd16a658O.manifest
c:\documents and settings\Kat.MISCOMPUTER\Application Data\02000000b16fd16a658P.manifest
c:\documents and settings\Kat.MISCOMPUTER\Application Data\02000000b16fd16a658S.manifest
c:\documents and settings\Kat.MISCOMPUTER\Application Data\02000000b16fd16a670C.manifest
c:\documents and settings\Kat.MISCOMPUTER\Application Data\02000000b16fd16a670O.manifest
c:\documents and settings\Kat.MISCOMPUTER\Application Data\02000000b16fd16a670P.manifest
c:\documents and settings\Kat.MISCOMPUTER\Application Data\02000000b16fd16a670S.manifest
c:\documents and settings\Thom\Application Data\02000000b16fd16a658C.manifest
c:\documents and settings\Thom\Application Data\02000000b16fd16a658O.manifest
c:\documents and settings\Thom\Application Data\02000000b16fd16a658P.manifest
c:\documents and settings\Thom\Application Data\02000000b16fd16a658S.manifest
c:\documents and settings\Thom\Application Data\02000000b16fd16a670C.manifest
c:\documents and settings\Thom\Application Data\02000000b16fd16a670O.manifest
c:\documents and settings\Thom\Application Data\02000000b16fd16a670P.manifest
c:\documents and settings\Thom\Application Data\02000000b16fd16a670S.manifest
c:\progra~1\Webroot\SPYSWE~1\Backup\ntSVc.ocx
c:\windows\Fonts\acrsec.fon
c:\windows\GnuHashes.ini
c:\windows\Installer\576a61b.msi
c:\windows\Installer\d090a.msp
c:\windows\jestertb.dll
c:\windows\ssembl~1
c:\windows\ssembl~1\?ssembly\ctxad-561.0001
c:\windows\ssembl~1\?ssembly\ctxad-561.0002
c:\windows\system32\__c00956A.dat
c:\windows\system32\1.tmp
c:\windows\system32\Data
c:\windows\system32\Drivers\mhuvgwce.sys
c:\windows\system32\GroupPolicy000.dat
c:\windows\system32\ixbtdiau.ini
c:\windows\system32\lfhhbhtw.ini
c:\windows\system32\LocalService\305.crack.zip
c:\windows\system32\LocalService\305.crack.zip.kwd
c:\windows\system32\LocalService\306.keygen.zip
c:\windows\system32\LocalService\306.keygen.zip.kwd
c:\windows\system32\LocalService\307.serial.zip
c:\windows\system32\LocalService\307.serial.zip.kwd
c:\windows\system32\LocalService\308.setup.zip
c:\windows\system32\LocalService\308.setup.zip.kwd
c:\windows\system32\LocalService\309.music.au
c:\windows\system32\LocalService\309.music.au.kwd
c:\windows\system32\LocalService\310.music2.au
c:\windows\system32\LocalService\310.music2.au.kwd
c:\windows\system32\LocalService\311.music3.au
c:\windows\system32\LocalService\311.music3.au.kwd
c:\windows\system32\LocalService\312.music4.au
c:\windows\system32\LocalService\312.music4.au.kwd
c:\windows\system32\nkksbmrs.ini
c:\windows\system32\rdfmnpgj.ini
c:\windows\system32\rstwa.bak2
c:\windows\system32\rstwa.ini
c:\windows\system32\rxrxwqsq.ini
c:\windows\system32\uywedsim.ini
c:\windows\system32\whxktapd.ini
c:\windows\system32\ygqfkvoj.ini
c:\windows\wpd99.drv

.
((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-30 )))))))))))))))))))))))))))))))
.

2009-09-27 18:17 . 2009-09-27 18:17 -------- d-----w- c:\program files\Ask.com
2009-09-26 17:10 . 2009-09-30 05:25 -------- d-sh--w- c:\windows\system32\LocalService
2009-09-20 23:33 . 2009-09-20 23:33 -------- d-----w- c:\documents and settings\Kat.MISCOMPUTER\Application Data\Malwarebytes
2009-09-20 18:44 . 2009-09-20 18:44 119808 ----a-w- c:\windows\system32\HAL32.dll
2009-09-12 22:44 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-06 00:15 . 2009-09-06 00:15 -------- d-----w- c:\documents and settings\Kat.MISCOMPUTER\Application Data\Aim
2009-09-01 03:16 . 2009-09-01 03:16 -------- d-----w- c:\documents and settings\Thom\Application Data\Malwarebytes
2009-09-01 03:16 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-01 03:16 . 2009-09-01 03:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-01 03:16 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-01 03:15 . 2009-09-01 03:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-01 02:59 . 2009-09-01 02:59 -------- d-----w- C:\_OTL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-27 18:14 . 2009-04-21 18:06 164 ----a-w- c:\windows\install.dat
2009-09-20 19:19 . 2009-01-10 20:24 -------- d-----w- c:\documents and settings\Thom\Application Data\LimeWire
2009-09-20 18:57 . 2004-09-28 23:01 1744 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-12 23:18 . 2009-04-16 19:08 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-24 05:27 . 2009-02-22 19:58 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2009-08-20 17:49 . 2009-02-22 20:00 -------- d-----w- c:\program files\Common Files\Nikon
2009-08-20 17:46 . 2003-03-19 19:05 106496 ----a-w- c:\windows\system32\ATL71.DLL
2009-08-19 16:26 . 2009-08-19 16:26 -------- d-----w- c:\program files\Trend Micro
2009-08-19 04:27 . 2009-04-01 04:32 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-19 04:13 . 2007-03-31 19:22 -------- d-----w- c:\documents and settings\Thom\Application Data\U3
2009-08-18 04:02 . 2004-02-02 14:25 122648 ----a-w- c:\documents and settings\Thom\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-18 03:07 . 2009-08-18 03:06 -------- d-----w- c:\program files\Ahead
2009-08-18 03:07 . 2009-08-18 03:06 -------- d-----w- c:\program files\Common Files\Ahead
2009-08-18 00:02 . 2009-08-17 23:46 -------- d-----w- c:\documents and settings\Thom\Application Data\InfraRecorder
2009-08-13 22:20 . 2007-09-20 01:41 119360 ----a-w- c:\documents and settings\Kat.MISCOMPUTER\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-09 00:07 . 2004-02-23 04:08 -------- d-----w- c:\program files\Java
2009-08-05 09:01 . 2004-02-01 18:50 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-02 05:26 . 2004-09-28 22:54 1632 ----a-w- c:\windows\system32\d3d8caps.dat
2009-07-25 12:23 . 2009-03-28 03:25 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2002-08-29 07:40 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 06:43 . 2004-08-11 05:45 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-02-06 22:05 915456 ----a-w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-02-09 22:06 764296 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-02-09 764296]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-03-06 00:02 238968 ----a-w- c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="c:\program files\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe" [2003-02-17 53248]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-07-15 4112384]
"nwiz"="c:\windows\system32\nwiz.exe" [2004-07-15 843776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-07-15 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"LXCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 73728]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2009-02-25 479232]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2003-07-13 155648]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2009-05-13 6345840]

c:\documents and settings\Thom\Start Menu\Programs\Startup\
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2009-2-24 479232]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\24e9012e670]
2009-09-20 18:44 119808 ----a-w- c:\windows\system32\HAL32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Awos
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchIndexer
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\SteamApps\\trotsky_kitfox\\team fortress classic\\hl.exe"=
"c:\\Program Files\\Steam\\SteamApps\\trotsky_kitfox\\counter-strike\\hl.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\WINDOWS\\system32\\lxcfcoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcfpswx.exe"=
"c:\\ijji\\ENGLISH\\u_gunz.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [8/9/2008 2:42 PM 29808]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [1/31/2009 1:00 PM 1205760]
R3 sbusb;Sound Blaster USB Audio Driver;c:\windows\system32\drivers\sbusb.sys [1/28/2004 11:16 PM 632576]
S2 Ca533av;Icatch(IV) Video Camera Device;c:\windows\system32\Drivers\Ca533av.sys --> c:\windows\system32\Drivers\Ca533av.sys [?]
S3 dump_wmimmc;dump_wmimmc;\??\c:\ijji\ENGLISH\Gunz\GameGuard\dump_wmimmc.sys --> c:\ijji\ENGLISH\Gunz\GameGuard\dump_wmimmc.sys [?]
S3 inibtmgr;WD Bridge Controller Driver;c:\windows\system32\drivers\inibtmgr.sys [8/27/2005 5:55 PM 9728]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [1/24/2008 3:22 PM 11520]
S3 USBCamera;Icatch(IV) Still Camera Device;c:\windows\system32\Drivers\Bulk533.sys --> c:\windows\system32\Drivers\Bulk533.sys [?]
S3 XDva031;XDva031;\??\c:\windows\system32\XDva031.sys --> c:\windows\system32\XDva031.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-30 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2009-02-09 22:06]

2009-09-28 c:\windows\Tasks\wrSpySweeper_L4DE8B1406C60400A89680257A4DF047A.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2007-10-08 22:40]

2009-09-28 c:\windows\Tasks\wrSpySweeper_L4DE8B1406C60400A89680257A4DF047A.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2007-10-08 22:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: aol.com\free
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Adobe Premiere 6.0 - d:\program files\DeIsL1.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-29 22:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\à*& xò*ù*O*h**«* *\InfFile]
@=""

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\windows\System32\HAL32.dll

- - - - - - - > 'explorer.exe'(3036)
c:\windows\system32\WININET.dll
c:\windows\System32\HAL32.dll
c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\searchindexer.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Webroot\Spy Sweeper\SSU.exe
.
**************************************************************************
.
Completion time: 2009-09-30 22:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-30 05:36

Pre-Run: 2,705,170,432 bytes free
Post-Run: 2,699,182,080 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

298 --- E O F --- 2009-09-12 23:16
