
AGprotect Malware.Trace Recurring


11 replies to this topic

#1 David Billo

Posted 22 September 2009 - 09:24 PM

Today, Internet Explorer connections became very sluggish, almost to the point of no Internet access, however other things, like Teamspeak and Hyperlobby work fine. Also, other computers on the network work fine.

When I open Task Manager, and have a single IE window open, there are two iexplore processes running.

I ran MalwareBytes quick scan, which found and deleted a number of entries, including a registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect

Vendor listed as Malware.Trace

I have used MalwareBytes (quick scan) to remove this entry several times, but it keeps returning, along with the sluggish Internet Explorer.

HijackThis found a BHO with no name, and something called icadabexobedite.dll in startup as well.

Using my wife's laptop to access the forum here.

Thanks


#2 garmanma

Posted 23 September 2009 - 08:45 PM

icadabexobedite.dll suggests a rootkit infection


We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

----------------------------------

Please note: If Rootrepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High

Also try: right-click on rootrepeal.exe and rename it to tatertot.scr
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 David Billo

Posted 23 September 2009 - 11:08 PM

I had trouble getting it to run...kept locking up the instant the scan starts. Finally got it to run by using keyboard instead of mouse to push the scan button. I don't think it did everything that was checked:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/23 23:53
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_diskdump.sys
Image Path: F:\WINDOWS\System32\Drivers\dump_diskdump.sys
Address: 0xA6F93000 Size: 16384 File Visible: No Signed: -
Status: -

Name: dump_nvgts.sys
Image Path: F:\WINDOWS\System32\Drivers\dump_nvgts.sys
Address: 0xA687F000 Size: 151552 File Visible: No Signed: -
Status: -

Name: tatertots.scr.sys
Image Path: F:\WINDOWS\system32\drivers\tatertots.scr.sys
Address: 0xA4F5E000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0x890eccc0

#: 047 Function Name: NtCreateProcess
Status: Hooked by "<unknown>" at address 0x890ec1c0

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "<unknown>" at address 0x890ec480

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x890edb20

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0x890ed240

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0x890ed500

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x890edcc0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x890ec740

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0x890ecf80

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x890eca00

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x890ed980

Stealth Objects
-------------------
Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 4040) Address: 0x01000000 Size: 20480

Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 4048) Address: 0x01000000 Size: 20480

Shadow SSDT
-------------------
#: 548 Function Name: NtUserSetWindowsHookAW
Status: Hooked by "<unknown>" at address 0x890ee320

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x890ee140

==EOF==
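Reading the log above: every SSDT and Shadow SSDT hook is attributed to "<unknown>", and all of them land within a few kilobytes of each other at 0x890e.... That window lies outside every driver RootRepeal lists (the visible ones are mapped at 0xA4F5E000 and above, and tatertots.scr.sys matches the renamed scanner executable), so the hooking code is not part of any loaded driver image; on top of that, two svchost.exe processes carry a hidden module at 0x01000000. The following Python is an added example written for this page, not part of RootRepeal and not posted by either participant. It parses the log format shown above (an abridged copy of the log, with two drivers, six of the thirteen hooks and both hidden modules, is embedded as sample input) and reduces those observations to a triage verdict. Driver names, hook indices and addresses come from the log; the function names and the 64 KiB clustering threshold are the example's own choices.

```python
import re
from dataclasses import dataclass

# Sample input: an abridged copy of the RootRepeal log posted above. Section layout
# (header line, dashed rule, blank-line-separated records) is as RootRepeal prints it.
ROOTREPEAL_LOG = r"""Drivers
-------------------
Name: dump_diskdump.sys
Image Path: F:\WINDOWS\System32\Drivers\dump_diskdump.sys
Address: 0xA6F93000 Size: 16384 File Visible: No Signed: -
Status: -

Name: tatertots.scr.sys
Image Path: F:\WINDOWS\system32\drivers\tatertots.scr.sys
Address: 0xA4F5E000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0x890eccc0

#: 047 Function Name: NtCreateProcess
Status: Hooked by "<unknown>" at address 0x890ec1c0

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x890edcc0

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x890ed980

Stealth Objects
-------------------
Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 4040) Address: 0x01000000 Size: 20480

Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 4048) Address: 0x01000000 Size: 20480

Shadow SSDT
-------------------
#: 548 Function Name: NtUserSetWindowsHookAW
Status: Hooked by "<unknown>" at address 0x890ee320

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x890ee140
"""


@dataclass
class Driver:
    name: str
    path: str
    base: int   # load address
    size: int   # image size in bytes

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass
class Hook:
    table: str      # "SSDT" or "Shadow SSDT"
    index: int
    function: str
    owner: str      # module RootRepeal attributed the hook to; "<unknown>" if none
    address: int    # where the table entry now points


SECTION_RE = re.compile(r"^([A-Za-z][A-Za-z ]*)\n-{5,}\n", re.M)
DRIVER_RE = re.compile(r"Name: (\S+)\nImage Path: (.+)\nAddress: (0x[0-9A-Fa-f]+) Size: (\d+)")
HOOK_RE = re.compile(r'#: (\d+) Function Name: (\w+)\nStatus: Hooked by "([^"]*)" at address (0x[0-9A-Fa-f]+)')
HIDDEN_RE = re.compile(r"Object: Hidden Module \[Name: ([^\]]+)\]\nProcess: (\S+) \(PID: (\d+)\)")


def parse_rootrepeal(text):
    """Split the log into its sections and pull out drivers, hooks and hidden modules."""
    parts = SECTION_RE.split(text)                      # [preamble, name, body, name, body, ...]
    sections = {parts[i]: parts[i + 1] for i in range(1, len(parts), 2)}
    drivers = [Driver(n, p, int(a, 16), int(s))
               for n, p, a, s in DRIVER_RE.findall(sections.get("Drivers", ""))]
    hooks = [Hook(table, int(i), fn, owner, int(addr, 16))
             for table in ("SSDT", "Shadow SSDT")
             for i, fn, owner, addr in HOOK_RE.findall(sections.get(table, ""))]
    hidden = HIDDEN_RE.findall(sections.get("Stealth Objects", ""))
    return drivers, hooks, hidden


def owner_driver(drivers, addr):
    """Name of the listed driver whose image covers addr, or None if no listed image does."""
    return next((d.name for d in drivers if d.contains(addr)), None)


def triage(text, cluster_limit=0x10000):
    """Hooks that point outside every listed driver image and sit inside one small address
    window are the signature of a single hidden hooking module (threshold is an assumption)."""
    drivers, hooks, hidden = parse_rootrepeal(text)
    unowned = [h for h in hooks
               if h.owner == "<unknown>" and owner_driver(drivers, h.address) is None]
    addrs = [h.address for h in unowned]
    span = max(addrs) - min(addrs) if addrs else 0
    verdict = ("unattributed hooks clustered in one unlisted region: suspect a hidden kernel module"
               if unowned and span < cluster_limit else "no unattributed hook cluster")
    return {"hooks": len(hooks), "unowned": len(unowned),
            "functions": sorted(h.function for h in unowned),
            "span": span, "hidden_modules": len(hidden), "verdict": verdict}
```

On this log every hook is unowned and the six addresses span 0x2160 bytes, which is why the tool's "<unknown>" attribution matters more than the hook count: the entry points are in memory that no enumerated driver owns. The functions hooked (NtCreateKey, NtLoadDriver, NtWriteVirtualMemory, the registry and process calls) are the ones a rootkit intercepts to hide its registry key, block other drivers loading and watch process creation, which also fits the AGprotect key reappearing after every removal.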

#4 garmanma

Posted 24 September 2009 - 06:02 PM

1. Download Win32kDiag from any of the following locations and save it to your Desktop
You might as well rename this one too

http://ad13.geekstogo.com/Win32kDiag.exe

http://download.bleepingcomputer.com/rootr.../Win32kDiag.exe

2. Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
3. When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
4. Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.

Edited by garmanma, 24 September 2009 - 06:04 PM.


#5 David Billo

Posted 24 September 2009 - 06:44 PM

First one, with Trend Micro enabled:

Running from: F:\Documents and Settings\David Billo\Desktop\Win32kDiag.exe

Log file at : F:\Documents and Settings\David Billo\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'F:\WINDOWS'...

Cannot access: F:\WINDOWS\system32\drivers\tmactmon.sys

[1] 2009-04-02 19:08:54 50192 F:\WINDOWS\system32\drivers\tmactmon.sys (Trend Micro Inc.)

Finished!


Then another one with Trend Micro shut down:

Running from: F:\Documents and Settings\David Billo\Desktop\Doodlebug.scr

Log file at : F:\Documents and Settings\David Billo\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'F:\WINDOWS'...

Finished!

Edited by David Billo, 24 September 2009 - 06:48 PM.


#6 garmanma

Posted 25 September 2009 - 06:27 PM

Go to Start > Run..., then copy and paste this command into the open box: cmd
Click OK.
At the command prompt C:\>, copy and paste the following command and press Enter:
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop.
Open that file and copy/paste the contents in your next reply.

Edited by garmanma, 25 September 2009 - 06:27 PM.


#7 David Billo

Posted 25 September 2009 - 08:04 PM

Volume in drive F has no label.
Volume Serial Number is 9842-0AB8

Directory of F:\WINDOWS\$NtServicePackUninstall$

04/08/2004 08:00 AM 180,224 scecli.dll

Directory of F:\WINDOWS\$NtServicePackUninstall$

04/08/2004 08:00 AM 407,040 netlogon.dll

Directory of F:\WINDOWS\$NtServicePackUninstall$

04/08/2004 08:00 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of F:\WINDOWS\ServicePackFiles\i386

14/04/2008 05:42 AM 181,248 scecli.dll

Directory of F:\WINDOWS\ServicePackFiles\i386

14/04/2008 05:42 AM 407,040 netlogon.dll

Directory of F:\WINDOWS\ServicePackFiles\i386

14/04/2008 05:41 AM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of F:\WINDOWS\system32

14/04/2008 05:42 AM 181,248 scecli.dll

Directory of F:\WINDOWS\system32

14/04/2008 05:42 AM 407,040 netlogon.dll

Directory of F:\WINDOWS\system32

14/04/2008 05:41 AM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Total Files Listed:
9 File(s) 1,932,288 bytes
0 Dir(s) 22,432,313,344 bytes free

The computer is otherwise working fine, with the exception of slow to nonexistent web browser function. Teamspeak, FTP, Hyperlobby, email, work fine, except that email login takes much longer than usual. Same for VNC, which I use to access my server, the login takes longer to come up, but once connected it seems normal.

Do you need to know what MWB deleted when I ran it? Also forgot to mention that there were two files in Windows\system32\ which I deleted manually:

Fpimepinukoneji.dat
Vzefa.bin


Thanks!

Edited by David Billo, 26 September 2009 - 02:15 PM.
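The DIR command in post #6 lists scecli.dll, netlogon.dll and eventlog.dll in every directory under %windir%, and the useful part of the output in post #7 is the comparison: the copies in system32 have the same size and timestamp as the copies in ServicePackFiles\i386 (181,248 / 407,040 / 56,320 bytes, 14/04/2008), while the $NtServicePackUninstall$ copies are the older pre-SP3 versions and are expected to differ. A system32 copy whose size differs from the service pack copy has been replaced since SP3 was installed and needs to be verified against a known-good file. The Python below is an added example, not from the thread or from any tool mentioned in it, that automates that comparison over DIR /a/s output. The first embedded sample is a condensed copy of the listing above; the second is constructed, with a hypothetical 181,760-byte scecli.dll, to show the mismatch path. The default directory arguments assume the F: system drive used on this machine.

```python
import re
from collections import defaultdict

# Sample input: a condensed copy of the DIR /a/s output posted above (three files, three directories).
DIR_OUTPUT = r"""
 Volume in drive F has no label.
 Volume Serial Number is 9842-0AB8

 Directory of F:\WINDOWS\$NtServicePackUninstall$

04/08/2004 08:00 AM 180,224 scecli.dll
04/08/2004 08:00 AM 407,040 netlogon.dll
04/08/2004 08:00 AM 55,808 eventlog.dll
 3 File(s) 643,072 bytes

 Directory of F:\WINDOWS\ServicePackFiles\i386

14/04/2008 05:42 AM 181,248 scecli.dll
14/04/2008 05:42 AM 407,040 netlogon.dll
14/04/2008 05:41 AM 56,320 eventlog.dll
 3 File(s) 644,608 bytes

 Directory of F:\WINDOWS\system32

14/04/2008 05:42 AM 181,248 scecli.dll
14/04/2008 05:42 AM 407,040 netlogon.dll
14/04/2008 05:41 AM 56,320 eventlog.dll
 3 File(s) 644,608 bytes
"""

# Constructed negative case (hypothetical size, not from the thread): the live scecli.dll in
# system32 replaced by a 181,760-byte file. rpartition edits the last occurrence, which is the
# system32 entry because DIR /s lists system32 after ServicePackFiles.
_head, _sep, _tail = DIR_OUTPUT.rpartition("181,248 scecli.dll")
DIR_OUTPUT_TAMPERED = _head + "181,760 scecli.dll" + _tail

DIR_RE = re.compile(r"^\s*Directory of (?P<dir>.+?)\s*$")
FILE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+([\d,]+)\s+(\S+)\s*$")


def parse_dir_listing(text):
    """DIR /a/s output -> {filename: {directory: (size_bytes, "date time")}}.
    Names and directories are lower-cased so the comparison is case-insensitive, as NTFS paths are."""
    files = defaultdict(dict)
    current = None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current = m.group("dir").rstrip("\\").lower()
            continue
        m = FILE_RE.match(line)
        if m and current is not None:
            date, time, size, name = m.groups()
            files[name.lower()][current] = (int(size.replace(",", "")), f"{date} {time}")
    return dict(files)


def check_system_files(text, live=r"f:\windows\system32",
                       reference=r"f:\windows\servicepackfiles\i386"):
    """Compare each file's live copy with its service-pack copy and return {name: verdict}.
    Defaults assume the F: system drive used on this machine; pass c:\\... paths otherwise."""
    results = {}
    for name, copies in sorted(parse_dir_listing(text).items()):
        if live not in copies:
            results[name] = "missing in system32"
        elif reference not in copies:
            results[name] = "no service pack copy to compare against"
        else:
            lsize, ltime = copies[live]
            rsize, rtime = copies[reference]
            if lsize != rsize:
                results[name] = f"SIZE MISMATCH: system32 {lsize} vs SP {rsize}"
            elif ltime != rtime:
                results[name] = f"timestamp differs ({ltime} vs {rtime}); hash to confirm"
            else:
                results[name] = "matches service pack copy"
    return results
```

Equal size and timestamp is a coarse filter, not proof: a patched file can keep both, so the confirming step is a hash of the system32 file against the ServicePackFiles copy, taken from a clean boot environment rather than the running system, because the SSDT hooks in the RootRepeal log mean anything read through the live kernel can be filtered by the rootkit.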


#8 garmanma

Posted 26 September 2009 - 05:16 PM

F:\WINDOWS\system32\drivers\tmactmon.sys
icadabexobedite.dll
Fpimepinukoneji.dat
Vzefa.bin
All point to a rootkit



We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL.exe icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


#9 David Billo

Posted 26 September 2009 - 06:01 PM

I thought tmactmon.sys was the Trend Micro Activity Monitor, no?

OTL.txt:
OTL logfile created on: 26/09/2009 6:49:10 PM - Run 1
OTL by OldTimer - Version 3.0.14.0 Folder = F:\Documents and Settings\David Billo\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.43 Gb Available Physical Memory | 71.66% Memory free
3.85 Gb Paging File | 3.41 Gb Available in Paging File | 88.70% Paging File free
Paging file location(s): F:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = F: | %SystemRoot% = F:\WINDOWS | %ProgramFiles% = F:\Program Files
Drive C: | 39.06 Gb Total Space | 26.25 Gb Free Space | 67.21% Space Free | Partition Type: NTFS
Drive D: | 149.04 Gb Total Space | 24.42 Gb Free Space | 16.39% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 147.24 Gb Total Space | 20.39 Gb Free Space | 13.85% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 74.50 Gb Total Space | 66.51 Gb Free Space | 89.27% Space Free | Partition Type: NTFS
Drive Y: | 9.52 Gb Total Space | 6.17 Gb Free Space | 64.77% Space Free | Partition Type: NTFS
Drive Z: | 6.04 Gb Total Space | 4.02 Gb Free Space | 66.64% Space Free | Partition Type: NTFS

Computer Name: CHENMING
Current User Name: David Billo
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/07/25 05:23:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- F:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2007/09/04 19:25:44 | 00,131,072 | ---- | M] (NVIDIA) -- F:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
PRC - [2007/11/06 19:00:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- F:\WINDOWS\System32\nvsvc32.exe
PRC - [2008/09/08 12:10:20 | 00,450,560 | ---- | M] () -- F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
PRC - [2008/09/08 12:09:40 | 00,184,320 | ---- | M] () -- F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
PRC - [2008/04/14 05:42:20 | 01,033,728 | ---- | M] (Microsoft Corporation) -- F:\WINDOWS\Explorer.EXE
PRC - [2007/10/24 23:57:56 | 16,855,552 | R--- | M] (Realtek Semiconductor Corp.) -- F:\WINDOWS\RTHDCPL.EXE
PRC - [2004/01/08 09:50:00 | 00,037,888 | ---- | M] (Logitech Inc.) -- F:\Program Files\Logitech\MouseWare\system\em_exec.exe
PRC - [2006/06/13 05:20:00 | 00,127,036 | ---- | M] (Sonic Solutions) -- F:\WINDOWS\System32\DLA\DLACTRLW.EXE
PRC - [2009/07/25 05:23:12 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- F:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2006/09/28 11:16:52 | 00,151,552 | ---- | M] (Saitek) -- F:\Program Files\Saitek\DirectOutput\DirectOutputManager.exe
PRC - [2006/09/05 09:12:58 | 00,184,320 | ---- | M] (Saitek) -- F:\Program Files\Saitek\Software\ProfilerU.exe
PRC - [2006/09/28 11:19:34 | 00,126,976 | ---- | M] (Saitek) -- F:\Program Files\Saitek\Software\SaiMfd.exe
PRC - [2008/12/19 13:17:24 | 00,333,088 | ---- | M] (Sony Corporation) -- F:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
PRC - [2008/04/14 05:42:30 | 01,695,232 | ---- | M] (Microsoft Corporation) -- F:\Program Files\Messenger\msmsgs.exe
PRC - [2008/04/14 05:42:30 | 00,060,416 | ---- | M] (Microsoft Corporation) -- F:\Program Files\Outlook Express\msimn.exe
PRC - [2009/03/08 14:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- F:\Program Files\Internet Explorer\IEXPLORE.EXE
PRC - [2009/03/08 14:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- F:\Program Files\Internet Explorer\IEXPLORE.EXE
PRC - [2009/09/26 18:48:27 | 00,514,560 | ---- | M] (OldTimer Tools) -- F:\Documents and Settings\David Billo\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- F:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- F:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- F:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2008/09/08 12:10:20 | 00,450,560 | ---- | M] () -- F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe -- (ForceWare Intelligent Application Manager (IAM) [Auto | Running])
SRV - [2008/04/14 05:42:04 | 00,038,400 | ---- | M] (Microsoft Corporation) -- F:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- F:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2009/07/25 05:23:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- F:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- F:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2008/09/08 12:09:40 | 00,184,320 | ---- | M] () -- F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe -- (nSvcIp [Auto | Running])
SRV - [2007/09/04 19:25:44 | 00,131,072 | ---- | M] (NVIDIA) -- F:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe -- (nTuneService [Auto | Running])
SRV - [2007/11/06 19:00:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- F:\WINDOWS\System32\nvsvc32.exe -- (NVSvc [Auto | Running])
SRV - [2008/11/04 01:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) -- F:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])
SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- F:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2009/03/31 23:25:42 | 00,711,248 | ---- | M] (Trend Micro Inc.) -- F:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe -- (SfCtlCom [Auto | Stopped])
SRV - [2009/06/13 14:29:11 | 00,341,256 | ---- | M] (Trend Micro Inc.) -- F:\Program Files\Trend Micro\BM\TMBMSRV.exe -- (TMBMServer [Auto | Stopped])
SRV - [2009/03/31 23:26:02 | 00,497,008 | ---- | M] (Trend Micro Inc.) -- F:\Program Files\Trend Micro\Internet Security\TmPfw.exe -- (TmPfw [Auto | Stopped])
SRV - [2009/03/31 23:26:06 | 00,677,128 | ---- | M] (Trend Micro Inc.) -- F:\Program Files\Trend Micro\Internet Security\TmProxy.exe -- (TmProxy [Auto | Stopped])
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- F:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2006/11/29 00:46:24 | 00,028,224 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) -- F:\WINDOWS\System32\Drivers\APLMp50.sys -- (APLMp50 [On_Demand | Stopped])
DRV - [2006/10/18 15:12:16 | 00,012,664 | R--- | M] () -- F:\WINDOWS\System32\drivers\AsIO.sys -- (AsIO [System | Running])
DRV - [2006/06/13 05:20:00 | 00,025,724 | ---- | M] (Sonic Solutions) -- F:\WINDOWS\System32\DLA\DLABOIOM.SYS -- (DLABOIOM [Auto | Running])
DRV - [2006/03/17 08:35:24 | 00,005,660 | ---- | M] (Sonic Solutions) -- F:\WINDOWS\System32\Drivers\DLACDBHM.SYS -- (DLACDBHM [System | Running])
DRV - [2006/06/13 05:20:00 | 00,002,496 | ---- | M] (Sonic Solutions) -- F:\WINDOWS\System32\DLA\DLADResN.SYS -- (DLADResN [Auto | Running])
DRV - [2006/06/13 05:20:00 | 00,086,844 | ---- | M] (Sonic Solutions) -- F:\WINDOWS\System32\DLA\DLAIFS_M.SYS -- (DLAIFS_M [Auto | Running])
DRV - [2006/06/13 05:20:00 | 00,014,716 | ---- | M] (Sonic Solutions) -- F:\WINDOWS\System32\DLA\DLAOPIOM.SYS -- (DLAOPIOM [Auto | Running])
DRV - [2006/06/13 05:20:00 | 00,006,364 | ---- | M] (Sonic Solutions) -- F:\WINDOWS\System32\DLA\DLAPoolM.SYS -- (DLAPoolM [Auto | Running])
DRV - [2006/03/17 08:34:46 | 00,022,684 | ---- | M] (Sonic Solutions) -- F:\WINDOWS\System32\Drivers\DLARTL_N.SYS -- (DLARTL_N [System | Running])
DRV - [2006/06/13 05:20:00 | 00,094,460 | ---- | M] (Sonic Solutions) -- F:\WINDOWS\System32\DLA\DLAUDFAM.SYS -- (DLAUDFAM [Auto | Running])
DRV - [2006/06/13 05:20:00 | 00,088,476 | ---- | M] (Sonic Solutions) -- F:\WINDOWS\System32\DLA\DLAUDF_M.SYS -- (DLAUDF_M [Auto | Running])
DRV - [2006/06/12 03:30:00 | 00,089,264 | ---- | M] (Sonic Solutions) -- F:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB [Boot | Running])
DRV - [2006/03/17 05:20:00 | 00,040,544 | ---- | M] (Sonic Solutions) -- F:\WINDOWS\System32\Drivers\DRVNDDM.SYS -- (DRVNDDM [Auto | Running])
DRV - [2004/07/14 12:54:42 | 00,676,864 | ---- | M] (Aladdin Knowledge Systems) -- F:\WINDOWS\System32\drivers\hardlock.sys -- (Hardlock [Auto | Running])
DRV - [2008/04/13 22:06:06 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- F:\WINDOWS\System32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2007/11/01 02:38:56 | 04,620,288 | R--- | M] (Realtek Semiconductor Corp.) -- F:\WINDOWS\System32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Running])
DRV - [2003/12/17 09:50:00 | 00,051,729 | ---- | M] (Logitech, Inc.) -- F:\WINDOWS\System32\DRIVERS\L8042pr2.Sys -- (L8042pr2 [On_Demand | Running])
DRV - [2003/12/17 09:50:00 | 00,070,801 | ---- | M] (Logitech, Inc.) -- F:\WINDOWS\System32\DRIVERS\LMouFlt2.Sys -- (LMouFlt2 [On_Demand | Running])
DRV - [2004/08/12 22:56:20 | 00,005,810 | R--- | M] () -- F:\WINDOWS\System32\DRIVERS\ASACPI.sys -- (MTsensor [On_Demand | Running])
DRV - [2009/08/28 11:26:42 | 00,024,820 | ---- | M] (MusicMatch, Inc.) -- F:\WINDOWS\System32\drivers\MxlW2k.sys -- (MxlW2k [Auto | Running])
DRV - [2008/04/14 00:23:10 | 00,040,320 | ---- | M] (Microsoft Corporation) -- F:\WINDOWS\System32\DRIVERS\NMnt.sys -- (nm [On_Demand | Stopped])
DRV - [2007/03/23 18:51:20 | 00,022,816 | ---- | M] (NaturalPoint) -- F:\WINDOWS\System32\DRIVERS\npusb.sys -- (NPUSB [On_Demand | Stopped])
DRV - [2008/01/11 20:21:08 | 00,036,384 | ---- | M] (Thesycon GmbH, Germany) -- F:\WINDOWS\System32\Drivers\npusbio.sys -- (npusbio [On_Demand | Running])
DRV - [2007/11/06 19:00:00 | 07,429,088 | ---- | M] (NVIDIA Corporation) -- F:\WINDOWS\System32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Running])
DRV - [2008/08/01 12:36:00 | 00,054,784 | ---- | M] (NVIDIA Corporation) -- F:\WINDOWS\System32\DRIVERS\NVENETFD.sys -- (NVENETFD [On_Demand | Running])
DRV - [2008/08/18 19:54:00 | 00,145,952 | ---- | M] (NVIDIA Corporation) -- F:\WINDOWS\system32\DRIVERS\nvgts.sys -- (nvgts [Boot | Running])
DRV - [2008/08/01 12:36:00 | 00,022,016 | ---- | M] (NVIDIA Corporation) -- F:\WINDOWS\System32\DRIVERS\nvnetbus.sys -- (nvnetbus [On_Demand | Running])
DRV - [2007/09/04 19:26:32 | 00,029,696 | ---- | M] (NVidia Corp.) -- F:\WINDOWS\nvoclock.sys -- (NVR0Dev [On_Demand | Running])
DRV - [2004/08/04 08:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- F:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2008/07/04 11:22:36 | 00,044,944 | ---- | M] (Sonic Solutions) -- F:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2007/05/01 16:11:28 | 00,132,232 | ---- | M] (Saitek) -- F:\WINDOWS\System32\DRIVERS\SaiH0255.sys -- (SaiH0255 [On_Demand | Stopped])
DRV - [2007/05/01 16:37:40 | 00,132,232 | ---- | M] (Saitek) -- F:\WINDOWS\System32\DRIVERS\SaiH0464.sys -- (SaiH0464 [On_Demand | Stopped])
DRV - [2006/09/13 07:31:50 | 00,192,000 | R--- | M] (Saitek) -- F:\WINDOWS\System32\DRIVERS\SaiH0762.sys -- (SaiH0762 [On_Demand | Running])
DRV - [2007/10/05 10:19:26 | 00,014,080 | ---- | M] (Saitek) -- F:\WINDOWS\System32\DRIVERS\SaiMini.sys -- (SaiMini [On_Demand | Running])
DRV - [2007/10/05 10:19:26 | 00,035,200 | ---- | M] (Saitek) -- F:\WINDOWS\System32\drivers\SaiBus.sys -- (SaiNtBus [On_Demand | Running])
DRV - [2009/09/15 11:42:46 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- F:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV [System | Running])
DRV - [2009/09/15 11:42:48 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- F:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Stopped])
DRV - [2009/09/15 11:42:44 | 00,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- F:\Program Files\SUPERAntiSpyware\SASKUTIL.sys -- (SASKUTIL [System | Running])
DRV - [2008/04/13 22:09:16 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- F:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2009/04/02 19:08:54 | 00,050,192 | ---- | M] (Trend Micro Inc.) -- F:\WINDOWS\System32\drivers\tmactmon.sys -- (tmactmon [Auto | Stopped])
DRV - [2009/06/13 14:29:16 | 00,335,376 | ---- | M] (Trend Micro Inc.) -- F:\WINDOWS\System32\DRIVERS\TM_CFW.sys -- (tmcfw [On_Demand | Running])
DRV - [2009/04/02 19:08:48 | 00,153,104 | ---- | M] (Trend Micro Inc.) -- F:\WINDOWS\System32\drivers\tmcomm.sys -- (tmcomm [Auto | Running])
DRV - [2009/04/02 19:08:52 | 00,050,192 | ---- | M] (Trend Micro Inc.) -- F:\WINDOWS\System32\drivers\tmevtmgr.sys -- (tmevtmgr [Auto | Stopped])
DRV - [2009/05/22 04:00:40 | 00,036,368 | ---- | M] (Trend Micro Inc.) -- F:\WINDOWS\System32\DRIVERS\tmpreflt.sys -- (tmpreflt [Auto | Running])
DRV - [2009/06/13 14:29:16 | 00,080,400 | ---- | M] (Trend Micro Inc.) -- F:\WINDOWS\System32\DRIVERS\tmtdi.sys -- (tmtdi [System | Running])
DRV - [2009/05/22 04:02:26 | 00,225,296 | ---- | M] (Trend Micro Inc.) -- F:\WINDOWS\System32\DRIVERS\tmxpflt.sys -- (tmxpflt [Auto | Running])
DRV - [2008/04/14 00:15:14 | 00,060,032 | ---- | M] (Microsoft Corporation) -- F:\WINDOWS\System32\drivers\usbaudio.sys -- (usbaudio [On_Demand | Running])
DRV - [2009/05/22 03:45:58 | 01,220,120 | ---- | M] (Trend Micro Inc.) -- F:\WINDOWS\System32\DRIVERS\vsapint.sys -- (vsapint [Auto | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = F:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1220945662-329068152-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = F:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-1220945662-329068152-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-1220945662-329068152-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1220945662-329068152-839522115-1003\S-1-5-21-1220945662-329068152-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: F:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/02 00:14:02 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: F:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/03/10 12:32:37 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{262CDA81-93B5-43DE-B0DF-1628E8265DC2}: F:\Documents and Settings\David Billo\Local Settings\Application Data\{262CDA81-93B5-43DE-B0DF-1628E8265DC2} [2009/09/22 09:21:12 | 00,000,000 | ---D | M]


O1 HOSTS File: (734 bytes) - F:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - F:\WINDOWS\System32\DLA\DLASHX_W.DLL (Sonic Solutions)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - F:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - F:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - F:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [DirectOutput] F:\Program Files\Saitek\DirectOutput\DirectOutputManager.exe (Saitek)
O4 - HKLM..\Run: [DLA] F:\WINDOWS\System32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [Logitech Utility] F:\WINDOWS\Logi_MwX.Exe (Logitech Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] F:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [NvCplDaemon] F:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] F:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NWEReboot] File not found
O4 - HKLM..\Run: [nwiz] F:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [Profiler] F:\Program Files\Saitek\Software\ProfilerU.exe (Saitek)
O4 - HKLM..\Run: [RTHDCPL] F:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SaiMfd] F:\Program Files\Saitek\Software\SaiMfd.exe (Saitek)
O4 - HKLM..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [UfSeAgnt.exe] F:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [UpdateManager] F:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions)
O4 - HKU\S-1-5-21-1220945662-329068152-839522115-1003..\Run: [NVIDIA nTune] F:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe (NVIDIA)
O4 - Startup: F:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: F:\Documents and Settings\David Billo\Start Menu\Programs\Startup\PMB Media Check Tool.lnk = F:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe (Sony Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1220945662-329068152-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - F:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - F:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - F:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-1220945662-329068152-839522115-1003\..Trusted Domains: microsoft.com ([*.update] http in Trusted sites)
O15 - HKU\S-1-5-21-1220945662-329068152-839522115-1003\..Trusted Domains: microsoft.com ([*.update] https in Trusted sites)
O15 - HKU\S-1-5-21-1220945662-329068152-839522115-1003\..Trusted Domains: windowsupdate.com ([download] http in Trusted sites)
O15 - HKU\S-1-5-21-1220945662-329068152-839522115-1003\..Trusted Domains: 2 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/C/0...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1218855998531 (MUWebControl Class)
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab (NVIDIA Smart Scan)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - F:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - F:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - F:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - F:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - F:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - F:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - F:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - F:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - F:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - F:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - F:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - F:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - F:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O30 - LSA: Authentication Packages - (F:\WINDOWS\system32\ssqQgddA) - File not found
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/07/22 11:21:32 | 00,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2005/02/26 12:57:26 | 00,000,000 | ---- | M] () - D:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/01/06 16:16:20 | 00,000,000 | -H-- | M] () - Y:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{0759b324-80dd-11de-ac62-001fc6d70feb}\Shell - "" = AutoRun
O33 - MountPoints2\{0759b324-80dd-11de-ac62-001fc6d70feb}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{0759b324-80dd-11de-ac62-001fc6d70feb}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - F:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O34 - HKLM BootExecute: (MACHINE) - File not found
O34 - HKLM BootExecute: (BootExecut) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2 F:\WINDOWS\System32\*.tmp files]
[2009/09/26 18:48:26 | 00,514,560 | ---- | C] (OldTimer Tools) -- F:\Documents and Settings\David Billo\Desktop\OTL.exe
[2009/09/26 15:25:27 | 00,000,000 | ---D | C] -- F:\Documents and Settings\David Billo\Desktop\New Jets
[2009/09/26 15:08:26 | 00,000,000 | ---D | C] -- F:\Documents and Settings\David Billo\Desktop\Cleanup
[2009/09/23 14:15:35 | 00,000,000 | ---- | C] () -- F:\WINDOWS\nsreg.dat
[2009/09/23 14:15:24 | 00,000,000 | ---D | C] -- F:\Documents and Settings\David Billo\Local Settings\Application Data\Mozilla
[2009/09/23 13:22:42 | 00,000,000 | -H-D | C] -- F:\WINDOWS\System32\GroupPolicy
[2009/09/23 09:54:19 | 00,000,000 | ---D | C] -- F:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/09/23 09:54:09 | 00,000,000 | ---D | C] -- F:\Program Files\SUPERAntiSpyware
[2009/09/23 09:54:09 | 00,000,000 | ---D | C] -- F:\Documents and Settings\David Billo\Application Data\SUPERAntiSpyware.com
[2009/09/23 00:50:32 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- F:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/09/23 00:50:31 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- F:\WINDOWS\System32\drivers\mbam.sys
[2009/09/23 00:50:30 | 00,000,000 | ---D | C] -- F:\Program Files\Malwarebytes' Anti-Malware
[2009/09/22 09:21:45 | 00,182,656 | ---- | C] (Microsoft Corporation) -- F:\WINDOWS\System32\dllcache\ndis.sys
[2009/09/22 09:21:12 | 00,000,000 | ---D | C] -- F:\Documents and Settings\David Billo\Local Settings\Application Data\{262CDA81-93B5-43DE-B0DF-1628E8265DC2}
[2009/09/17 10:03:22 | 00,419,744 | ---- | C] () -- F:\Documents and Settings\David Billo\Desktop\20081231_Questions.pdf
[2009/09/13 12:30:37 | 00,000,000 | ---D | C] -- F:\Documents and Settings\David Billo\Desktop\Dell Manual
[2009/09/09 11:31:24 | 00,153,088 | ---- | C] (Microsoft Corporation) -- F:\WINDOWS\System32\dllcache\triedit.dll
[2009/09/09 10:42:09 | 00,000,000 | ---D | C] -- F:\Documents and Settings\David Billo\Desktop\Saved1946
[2009/09/06 14:25:14 | 00,000,835 | ---- | C] () -- F:\Documents and Settings\All Users\Desktop\No FS.lnk
[2009/09/06 14:25:14 | 00,000,823 | ---- | C] () -- F:\Documents and Settings\All Users\Desktop\FS mods.lnk
[2009/08/30 18:24:26 | 00,060,032 | ---- | C] (Microsoft Corporation) -- F:\WINDOWS\System32\drivers\USBAUDIO.sys
[2009/08/30 18:24:26 | 00,060,032 | ---- | C] (Microsoft Corporation) -- F:\WINDOWS\System32\dllcache\usbaudio.sys
[2009/08/30 18:15:01 | 00,155,648 | ---- | C] () -- F:\WINDOWS\System32\nY.exe
[2009/08/30 18:15:01 | 00,057,344 | ---- | C] (Saitek) -- F:\WINDOWS\System32\SAIGON.dll
[2009/08/30 18:15:01 | 00,045,056 | ---- | C] (Saitek) -- F:\WINDOWS\System32\SAIKICK.dll
[2009/08/30 18:14:07 | 00,004,668 | ---- | C] () -- F:\WINDOWS\System32\SaiC0762-6553A72A-2DD4-44DB-8706-E9E82C888159.pr0
[2009/08/30 18:11:54 | 00,921,600 | R--- | C] () -- F:\WINDOWS\System32\SaiC0762.Dll
[2009/08/30 18:11:54 | 00,192,000 | R--- | C] (Saitek) -- F:\WINDOWS\System32\drivers\SaiH0762.sys
[2009/08/30 18:11:54 | 00,018,342 | R--- | C] () -- F:\WINDOWS\System32\SaiD0762.pr0
[2009/08/30 18:11:54 | 00,008,192 | R--- | C] () -- F:\WINDOWS\System32\SaiC0762_0C.dll
[2009/08/30 18:11:54 | 00,007,680 | R--- | C] () -- F:\WINDOWS\System32\SaiC0762_10.dll
[2009/08/30 18:11:54 | 00,007,680 | R--- | C] () -- F:\WINDOWS\System32\SaiC0762_0A.dll
[2009/08/30 18:11:54 | 00,007,680 | R--- | C] () -- F:\WINDOWS\System32\SaiC0762_07.dll
[2009/08/30 18:11:54 | 00,007,168 | R--- | C] () -- F:\WINDOWS\System32\SaiC0762_09.dll
[2009/08/30 18:11:54 | 00,007,168 | R--- | C] () -- F:\WINDOWS\System32\SaiC0762_0402.dll
[2009/08/30 18:11:54 | 00,005,120 | R--- | C] () -- F:\WINDOWS\System32\SaiC0762_11.dll
[2009/08/30 18:11:54 | 00,000,306 | R--- | C] () -- F:\WINDOWS\System32\SaiC0762.pr0
[2009/08/30 14:07:13 | 00,000,000 | ---D | C] -- F:\Documents and Settings\David Billo\Application Data\dvdcss
[2009/08/28 23:36:27 | 00,000,142 | ---- | C] () -- F:\WINDOWS\temp.rcl
[2009/08/28 23:35:58 | 00,001,787 | ---- | C] () -- F:\WINDOWS\tabled32.ini
[2009/08/28 23:35:04 | 00,000,000 | ---D | C] -- F:\Program Files\TablEdit32
[2009/08/28 12:22:37 | 00,000,000 | ---D | C] -- F:\Documents and Settings\David Billo\Application Data\Roni Music
[2009/08/28 12:22:30 | 00,001,783 | ---- | C] () -- F:\Documents and Settings\David Billo\Desktop\Amazing Slow Downer.lnk
[2009/08/28 12:22:29 | 00,000,000 | ---D | C] -- F:\Program Files\Roni Music
[2009/08/28 11:50:33 | 00,000,000 | ---D | C] -- F:\Program Files\CCleaner
[2009/08/28 11:12:57 | 00,024,820 | ---- | C] (MusicMatch, Inc.) -- F:\WINDOWS\System32\drivers\MxlW2k.sys
[2009/06/27 22:06:59 | 00,000,175 | ---- | C] () -- F:\WINDOWS\wininit.ini
[2009/02/14 16:44:53 | 00,015,498 | ---- | C] () -- F:\WINDOWS\Ascd_tmp.ini
[2008/08/30 14:54:54 | 00,007,680 | ---- | C] () -- F:\WINDOWS\System32\ff_vfw.dll
[2008/08/30 14:54:54 | 00,000,547 | ---- | C] () -- F:\WINDOWS\System32\ff_vfw.dll.manifest
[2008/08/21 14:51:28 | 00,000,116 | ---- | C] () -- F:\WINDOWS\NeroDigital.ini
[2008/07/24 13:33:27 | 00,000,048 | ---- | C] () -- F:\WINDOWS\wpd99.drv
[2008/07/23 14:45:02 | 00,024,576 | R--- | C] () -- F:\WINDOWS\System32\AsIO.dll
[2008/07/23 14:45:02 | 00,012,664 | R--- | C] () -- F:\WINDOWS\System32\drivers\AsIO.sys
[2008/07/23 14:44:59 | 00,010,304 | ---- | C] () -- F:\WINDOWS\System32\drivers\AsInsHelp32.sys
[2008/07/23 14:44:58 | 00,012,096 | ---- | C] () -- F:\WINDOWS\System32\drivers\AsInsHelp64.sys
[2008/07/23 10:58:14 | 00,001,793 | ---- | C] () -- F:\WINDOWS\System32\fxsperf.ini
[2008/07/22 15:05:29 | 00,127,026 | ---- | C] () -- F:\WINDOWS\System32\pdfmona.dll
[2008/07/22 15:05:29 | 00,048,936 | ---- | C] () -- F:\WINDOWS\System32\pdf995mon.dll
[2008/07/22 14:49:43 | 00,002,108 | ---- | C] () -- F:\WINDOWS\DCADWin.Ini
[2008/07/22 13:01:43 | 00,015,739 | ---- | C] () -- F:\WINDOWS\Ascd_log.ini
[2008/07/22 13:00:43 | 00,005,810 | R--- | C] () -- F:\WINDOWS\System32\drivers\ASACPI.sys
[2008/07/22 13:00:30 | 00,012,536 | ---- | C] () -- F:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2007/11/06 19:00:00 | 01,703,936 | ---- | C] () -- F:\WINDOWS\System32\nvwdmcpl.dll
[2007/11/06 19:00:00 | 01,474,560 | ---- | C] () -- F:\WINDOWS\System32\nview.dll
[2007/11/06 19:00:00 | 01,019,904 | ---- | C] () -- F:\WINDOWS\System32\nvwimg.dll
[2007/11/06 19:00:00 | 00,466,944 | ---- | C] () -- F:\WINDOWS\System32\nvshell.dll
[2007/11/06 19:00:00 | 00,286,720 | ---- | C] () -- F:\WINDOWS\System32\nvnt4cpl.dll
[2007/05/01 16:11:28 | 00,008,704 | ---- | C] () -- F:\WINDOWS\System32\SaiC0255_0C.dll
[2007/05/01 16:11:28 | 00,008,192 | ---- | C] () -- F:\WINDOWS\System32\SaiC0255_10.dll
[2007/05/01 16:11:28 | 00,008,192 | ---- | C] () -- F:\WINDOWS\System32\SaiC0255_0A.dll
[2007/05/01 16:11:28 | 00,007,680 | ---- | C] () -- F:\WINDOWS\System32\SaiC0255_09.dll
[2007/05/01 16:11:28 | 00,005,632 | ---- | C] () -- F:\WINDOWS\System32\SaiC0255_11.dll
[2007/05/01 16:11:26 | 00,847,872 | ---- | C] () -- F:\WINDOWS\System32\SaiC0255.Dll
[2007/05/01 16:11:26 | 00,008,192 | ---- | C] () -- F:\WINDOWS\System32\SaiC0255_07.dll
[2007/05/01 16:11:26 | 00,007,168 | ---- | C] () -- F:\WINDOWS\System32\SaiC0255_0402.dll
[2007/05/01 15:37:40 | 01,970,176 | ---- | C] () -- F:\WINDOWS\System32\SaiC0464.Dll
[2007/05/01 15:37:40 | 00,008,704 | ---- | C] () -- F:\WINDOWS\System32\SaiC0464_0C.dll
[2007/05/01 15:37:40 | 00,008,192 | ---- | C] () -- F:\WINDOWS\System32\SaiC0464_10.dll
[2007/05/01 15:37:40 | 00,008,192 | ---- | C] () -- F:\WINDOWS\System32\SaiC0464_0A.dll
[2007/05/01 15:37:40 | 00,008,192 | ---- | C] () -- F:\WINDOWS\System32\SaiC0464_07.dll
[2007/05/01 15:37:40 | 00,007,680 | ---- | C] () -- F:\WINDOWS\System32\SaiC0464_09.dll
[2007/05/01 15:37:40 | 00,007,168 | ---- | C] () -- F:\WINDOWS\System32\SaiC0464_0402.dll
[2007/05/01 15:37:40 | 00,005,632 | ---- | C] () -- F:\WINDOWS\System32\SaiC0464_11.dll
[2007/03/12 12:01:30 | 00,217,088 | ---- | C] () -- F:\WINDOWS\NVGfxOgl.dll
[2004/09/22 14:47:00 | 00,000,000 | ---- | C] () -- F:\WINDOWS\System32\px.ini
[2004/08/04 08:00:00 | 00,000,604 | ---- | C] () -- F:\WINDOWS\win.ini
[2004/08/04 08:00:00 | 00,000,227 | ---- | C] () -- F:\WINDOWS\system.ini
[1997/08/04 00:00:00 | 00,116,736 | ---- | C] () -- F:\WINDOWS\System32\PCDLIB32.DLL

========== Files - Modified Within 30 Days ==========

[2 F:\WINDOWS\System32\*.tmp files]
[6 F:\WINDOWS\*.tmp files]
[2009/09/26 18:48:27 | 00,514,560 | ---- | M] (OldTimer Tools) -- F:\Documents and Settings\David Billo\Desktop\OTL.exe
[2009/09/26 12:31:49 | 00,168,448 | ---- | M] () -- F:\Documents and Settings\David Billo\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/09/26 08:53:35 | 00,013,646 | ---- | M] () -- F:\WINDOWS\System32\wpa.dbl
[2009/09/26 08:50:31 | 00,000,006 | -H-- | M] () -- F:\WINDOWS\tasks\SA.DAT
[2009/09/26 08:50:29 | 00,002,048 | --S- | M] () -- F:\WINDOWS\bootstat.dat
[2009/09/23 14:15:35 | 00,000,000 | ---- | M] () -- F:\WINDOWS\nsreg.dat
[2009/09/22 09:21:46 | 00,182,656 | ---- | M] (Microsoft Corporation) -- F:\WINDOWS\System32\drivers\ndis.sys
[2009/09/22 09:21:45 | 00,182,656 | ---- | M] (Microsoft Corporation) -- F:\WINDOWS\System32\dllcache\ndis.sys
[2009/09/19 11:48:54 | 00,000,116 | ---- | M] () -- F:\WINDOWS\NeroDigital.ini
[2009/09/17 10:03:22 | 00,419,744 | ---- | M] () -- F:\Documents and Settings\David Billo\Desktop\20081231_Questions.pdf
[2009/09/13 20:36:47 | 00,002,108 | ---- | M] () -- F:\WINDOWS\DCADWin.Ini
[2009/09/13 19:58:56 | 00,000,835 | ---- | M] () -- F:\Documents and Settings\All Users\Desktop\No FS.lnk
[2009/09/13 19:58:56 | 00,000,823 | ---- | M] () -- F:\Documents and Settings\All Users\Desktop\FS mods.lnk
[2009/09/11 18:41:20 | 00,000,048 | ---- | M] () -- F:\WINDOWS\wpd99.drv
[2009/09/10 14:54:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- F:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/09/10 14:53:50 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- F:\WINDOWS\System32\drivers\mbam.sys
[2009/09/01 11:23:15 | 00,001,787 | ---- | M] () -- F:\WINDOWS\tabled32.ini
[2009/09/01 11:21:32 | 00,000,142 | ---- | M] () -- F:\WINDOWS\temp.rcl
[2009/08/30 23:28:21 | 02,107,242 | -H-- | M] () -- F:\Documents and Settings\David Billo\Local Settings\Application Data\IconCache.db
[2009/08/30 18:14:07 | 00,004,668 | ---- | M] () -- F:\WINDOWS\System32\SaiC0762-6553A72A-2DD4-44DB-8706-E9E82C888159.pr0
[2009/08/28 21:13:54 | 00,035,256 | ---- | M] () -- F:\Documents and Settings\David Billo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/08/28 18:01:06 | 00,165,120 | ---- | M] () -- F:\WINDOWS\System32\FNTCACHE.DAT
[2009/08/28 17:38:20 | 24,689,600 | ---- | M] (Microsoft Corporation) -- F:\WINDOWS\System32\MRT.exe
[2009/08/28 12:22:30 | 00,001,783 | ---- | M] () -- F:\Documents and Settings\David Billo\Desktop\Amazing Slow Downer.lnk
[2009/08/28 11:26:42 | 00,024,820 | ---- | M] (MusicMatch, Inc.) -- F:\WINDOWS\System32\drivers\MxlW2k.sys
< End of report >

Extras.Txt
OTL Extras logfile created on: 26/09/2009 6:49:10 PM - Run 1
OTL by OldTimer - Version 3.0.14.0 Folder = F:\Documents and Settings\David Billo\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.43 Gb Available Physical Memory | 71.66% Memory free
3.85 Gb Paging File | 3.41 Gb Available in Paging File | 88.70% Paging File free
Paging file location(s): F:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = F: | %SystemRoot% = F:\WINDOWS | %ProgramFiles% = F:\Program Files
Drive C: | 39.06 Gb Total Space | 26.25 Gb Free Space | 67.21% Space Free | Partition Type: NTFS
Drive D: | 149.04 Gb Total Space | 24.42 Gb Free Space | 16.39% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 147.24 Gb Total Space | 20.39 Gb Free Space | 13.85% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 74.50 Gb Total Space | 66.51 Gb Free Space | 89.27% Space Free | Partition Type: NTFS
Drive Y: | 9.52 Gb Total Space | 6.17 Gb Free Space | 64.77% Space Free | Partition Type: NTFS
Drive Z: | 6.04 Gb Total Space | 4.02 Gb Free Space | 66.64% Space Free | Partition Type: NTFS

Computer Name: CHENMING
Current User Name: David Billo
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- F:\WINDOWS\hh.exe (Microsoft Corporation)
.html [@ = htmlfile] -- F:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
chm.file [open] -- "F:\WINDOWS\hh.exe" %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- "F:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "F:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "F:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "F:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "F:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "F:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- F:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "F:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "F:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"F:\Program Files\Windows Live\Messenger\wlcsdk.exe" = F:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"F:\Program Files\Windows Live\Messenger\msnmsgr.exe" = F:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"F:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = F:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"F:\Program Files\Messenger\msmsgs.exe" = F:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger -- (Microsoft Corporation)
"F:\Program Files\Windows Live\Messenger\wlcsdk.exe" = F:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"F:\Program Files\Windows Live\Messenger\msnmsgr.exe" = F:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{05EB9A67-6A21-4390-A9C8-6165EEE1921A}" = Saitek DirectOutput 5.7.0.24
"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = Sonic Update Manager
"{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic UDF Reader
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{14291118-0C19-45EA-A4FA-5C1C0F5FDE09}" = Primo
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1E04F83B-2AB9-4301-9EF7-E86307F79C72}" = Google Earth
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Sonic MyDVD
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java™ 6 Update 15
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{40E12A55-C504-4223-AFAC-7672DBF1ACDE}" = Trend Micro Internet Security
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{50956224-4E46-4B5D-AC55-62C03DD47EED}" = FS MODS
"{5809E7CF-4DCF-11D4-9875-00105ACE7734}" = Logitech MouseWare 9.79.1
"{587178E7-B1DF-494E-9838-FA4DD36E873C}" = ASUSUpdate
"{718D791F-F4E8-4aa7-98A6-15FDED17BDD0}" = Trend Micro Internet Security
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7363206E-C7BD-45CD-89A0-792B28409811}_is1" = MB-Ruler
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo
"{79438F1E-DEC3-443D-9DCD-FECE2D68C605}" = IL-2 Sturmovik 1946
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7C7F30F4-94E7-4AA8-8941-90C4A80C68BF}" = NVIDIA nTune
"{7CFA46E3-CC2F-4355-82AE-6012DC3633FD}" = NVIDIA ForceWare Network Access Manager
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow!
"{967FB80D-56BD-42EF-A942-9E8C78F984A4}" = Saitek SST Programming Software
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A2A227E0-8DEC-11D2-A564-B2890D000000}" = 5D PDF Creator
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BE6E6BF7-6A81-4EC2-AD29-4580025149F1}" = TrackIR4
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C6CA8874-5F22-4AF0-9BE3-016BF299C536}" = Windows Live Essentials
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2121C6-C94D-4A73-8EA4-6943F33EE335}" = Music Transfer
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D5068583-D569-468B-9755-5FBF5848F46F}" = Sony Picture Utility
"{DABF43D9-1104-4764-927B-5BED1274A3B0}" = Runtime
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F7338FA3-DAB5-49B2-900D-0AFB5760C166}" = PC Probe II
"{FC18317E-BB91-4502-8909-E5AB70BC1033}" = Nero 7 Essentials
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player Plugin
"Amazing Slow Downer" = Amazing Slow Downer (remove only)
"Antarctica Scenery 01.04" = Antarctica Scenery 01.04
"AVS Update Manager_is1" = AVS Update Manager 1.0
"AVS Video Editor 4_is1" = AVS Video Editor 4 4.2.1.166
"AVS Video Recorder_is1" = AVS Video Recorder 2.4 (Service Version)
"AVS YouTube Uploader 2.1_is1" = AVS YouTube Uploader version 2.1
"AVS4YOU Software Navigator_is1" = AVS4YOU Software Navigator 1.3
"Bombsight Table 2" = Bombsight Table 2
"CCleaner" = CCleaner (remove only)
"Condor: The Competition Soaring Simulator" = Condor: The Competition Soaring Simulator 1.1.2
"DataCAD® for Windows®" = DataCAD® for Windows®
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"Driver Cleaner Pro" = DH Driver Cleaner Professional Edition
"EasternAlps Scenery" = EasternAlps Scenery 2.0
"ffdshow_is1" = ffdshow [rev 2033] [2008-07-05]
"File Splitter and Joiner_is1" = File Splitter and Joiner (FFSJ v3.3)
"FLV Player" = FLV Player 2.0 (build 25)
"Fraps" = Fraps
"Hardlock Device Driver" = Hardlock Device Driver
"HASP HL Device Driver" = HASP HL Device Driver
"HijackThis" = HijackThis 2.0.2
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"Hyper Lobby Pro Client version 3.9.111" = Hyper Lobby Pro Client version 3.9.111
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"IGC GE Flight_is1" = IGC Flight Replay 0.6
"InstallShield_{79438F1E-DEC3-443D-9DCD-FECE2D68C605}" = IL-2 Sturmovik 1946
"InstallShield_{7C7F30F4-94E7-4AA8-8941-90C4A80C68BF}" = NVIDIA nTune
"InstallShield_{7CFA46E3-CC2F-4355-82AE-6012DC3633FD}" = NVIDIA ForceWare Network Access Manager
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"Paint Shop Pro 4.12" = Paint Shop Pro 4.12
"Pdf995" = Pdf995
"PdfEdit995" = PdfEdit995
"RealVNC_is1" = VNC Personal Edition P4.2.7
"Scenery Hungary v1.0 for Condor Soaring Simulator" = Scenery Hungary v1.0 for Condor Soaring Simulator
"SeeYou_is1" = SeeYou Version 3.9
"ShowCondorIGC" = ShowCondorIGC
"Teamspeak 2 RC2_is1" = TeamSpeak 2 RC2
"VLC media player" = VideoLAN VLC media player 0.8.6i
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Works" = Microsoft Works 4.5
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1220945662-329068152-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Alsace scenery" = Alsace scenery
"Corse scenery" = Corse scenery
"Grenoble scenery" = Grenoble scenery
"Pyrénées scenery" = Pyrénées scenery
"Scène Massif Central version 1.0" = Scène Massif Central version 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 02/08/2009 4:16:19 PM | Computer Name = CHENMING | Source = Application Error | ID = 1000
Description = Faulting application profileru.exe, version 6.0.10.7, faulting module
profileru.exe, version 6.0.10.7, fault address 0x000054cf.

Error - 03/08/2009 7:47:31 AM | Computer Name = CHENMING | Source = Application Error | ID = 1000
Description = Faulting application profileru.exe, version 6.0.10.7, faulting module
profileru.exe, version 6.0.10.7, fault address 0x000054cf.

Error - 04/08/2009 5:32:09 AM | Computer Name = CHENMING | Source = Application Error | ID = 1000
Description = Faulting application profileru.exe, version 6.0.10.7, faulting module
profileru.exe, version 6.0.10.7, fault address 0x000054cf.

Error - 04/08/2009 2:18:49 PM | Computer Name = CHENMING | Source = Application Error | ID = 1000
Description = Faulting application videoconvertersetup.exe, version 15.0.0.498,
faulting module videoconvertersetup.exe, version 15.0.0.498, fault address 0x000319cc.

Error - 05/08/2009 8:09:39 AM | Computer Name = CHENMING | Source = Application Error | ID = 1000
Description = Faulting application profileru.exe, version 6.0.10.7, faulting module
profileru.exe, version 6.0.10.7, fault address 0x000054cf.

Error - 06/08/2009 3:42:20 AM | Computer Name = CHENMING | Source = Application Error | ID = 1000
Description = Faulting application profileru.exe, version 6.0.10.7, faulting module
profileru.exe, version 6.0.10.7, fault address 0x000054cf.

Error - 08/08/2009 5:18:35 AM | Computer Name = CHENMING | Source = Application Error | ID = 1000
Description = Faulting application profileru.exe, version 6.0.10.7, faulting module
profileru.exe, version 6.0.10.7, fault address 0x000054cf.

Error - 16/08/2009 10:57:49 AM | Computer Name = CHENMING | Source = Application Error | ID = 1000
Description = Faulting application profileru.exe, version 6.0.10.7, faulting module
profileru.exe, version 6.0.10.7, fault address 0x000054cf.

Error - 17/08/2009 6:55:48 PM | Computer Name = CHENMING | Source = Application Error | ID = 1000
Description = Faulting application profileru.exe, version 6.0.10.7, faulting module
profileru.exe, version 6.0.10.7, fault address 0x000054cf.

Error - 20/08/2009 6:15:50 PM | Computer Name = CHENMING | Source = Application Error | ID = 1000
Description = Faulting application profileru.exe, version 6.0.10.7, faulting module
profileru.exe, version 6.0.10.7, fault address 0x000054cf.

[ System Events ]
Error - 24/09/2009 6:44:20 PM | Computer Name = CHENMING | Source = Removable Storage Service | ID = 262255
Description = RSM could not load media in drive Drive 0 of library Kingston DataTraveler
2.0 USB Device.

Error - 24/09/2009 6:44:20 PM | Computer Name = CHENMING | Source = Removable Storage Service | ID = 262255
Description = RSM could not load media in drive Drive 0 of library Kingston DataTraveler
2.0 USB Device.

Error - 24/09/2009 7:24:48 PM | Computer Name = CHENMING | Source = Removable Storage Service | ID = 262255
Description = RSM could not load media in drive Drive 0 of library Kingston DataTraveler
2.0 USB Device.

Error - 24/09/2009 7:24:48 PM | Computer Name = CHENMING | Source = Removable Storage Service | ID = 262255
Description = RSM could not load media in drive Drive 0 of library Kingston DataTraveler
2.0 USB Device.

Error - 24/09/2009 7:40:49 PM | Computer Name = CHENMING | Source = Removable Storage Service | ID = 262255
Description = RSM could not load media in drive Drive 0 of library Kingston DataTraveler
2.0 USB Device.

Error - 24/09/2009 7:40:49 PM | Computer Name = CHENMING | Source = Removable Storage Service | ID = 262255
Description = RSM could not load media in drive Drive 0 of library Kingston DataTraveler
2.0 USB Device.

Error - 24/09/2009 7:45:56 PM | Computer Name = CHENMING | Source = Removable Storage Service | ID = 262255
Description = RSM could not load media in drive Drive 0 of library Kingston DataTraveler
2.0 USB Device.

Error - 24/09/2009 7:45:57 PM | Computer Name = CHENMING | Source = Removable Storage Service | ID = 262255
Description = RSM could not load media in drive Drive 0 of library Kingston DataTraveler
2.0 USB Device.

Error - 25/09/2009 8:47:18 PM | Computer Name = CHENMING | Source = Removable Storage Service | ID = 262255
Description = RSM could not load media in drive Drive 0 of library Kingston DataTraveler
2.0 USB Device.

Error - 25/09/2009 8:47:18 PM | Computer Name = CHENMING | Source = Removable Storage Service | ID = 262162
Description = RSM cannot manage library PhysicalDrive2. The initial inventory of
the library failed.


< End of report >

#10 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:05:49 PM

Posted 27 September 2009 - 05:54 PM

I thought tmactmon.sys was the Trend Micro Activity Monitor, no?

Hand slipped. Didn't mean to put that one in there.


Now that you were successful in creating an OTL log, you need to post it in our HJT forum:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/
Give a brief description and tell them that this log was all you could get to run successfully.
The HJT team is extremely busy, so be patient and good luck.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#11 David Billo

David Billo
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  • Local time:05:49 PM

Posted 27 September 2009 - 06:33 PM

...The HJT team is extremely busy, so be patient and good luck

Thanks very much for your efforts, garmanma!

I wonder if I would be further ahead to reformat and reinstall? Not that I am impatient, but from what I've read about rootkit infections, they can be almost impossible to clean completely.

#12 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:05:49 PM

Posted 28 September 2009 - 06:10 PM

they can be almost impossible to clean completely.

This is true

I usually tell people to reformat, but they insist that they just have to have their music and pictures. I just gave up telling them.
Mark
