Possible Rootkit Infection


  • This topic is locked
16 replies to this topic

#1 Royal Thirteen

Posted 25 November 2009 - 05:09 PM

I have more experience removing viruses than the average end user, and I've vanquished things such as Virtumundo, Agent, and many other Trojans, but I'm suffering extreme difficulty in dealing with this rootkit.

I will wait for the customary reply message, then download/run any and all fixes instructed.

Waiting with bated breath,
William.


DDS LOG
_________

DDS (Ver_09-11-24.02) - NTFSx86
Run by Stephanie's Movie at 16:14:08.74 on Wed 11/25/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.85 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Rainmeter\Rainmeter.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Stephanie's Movie\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
StartupFolder: c:\docume~1\stepha~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\stepha~1\startm~1\programs\startup\rainme~1.lnk - c:\program files\rainmeter\Rainmeter.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\stephanie's movie\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1005.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
TCP: {AA9CEF7B-E262-49DA-AF97-00169B25016F} = 24.93.41.127,24.93.41.128
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\stepha~1\applic~1\mozilla\firefox\profiles\79dgpf2s.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\stephanie's movie\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\stephanie's movie\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\stephanie's movie\application data\mozilla\firefox\profiles\79dgpf2s.default\extensions\openxmlviewer@codeplex.com\plugins\npDocX.dll
FF - plugin: c:\documents and settings\stephanie's movie\application data\mozilla\firefox\profiles\79dgpf2s.default\extensions\openxmlviewer@codeplex.com\plugins\npnul32.dll
FF - plugin: c:\documents and settings\stephanie's movie\local settings\application data\yahoo!\browserplus\2.4.17\plugins\npybrowserplus_2.4.17.dll
FF - plugin: c:\program files\ign\download manager\npfpdlm.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-4-26 28544]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-11-25 206256]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-2 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-2 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2009-11-2 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-2 285392]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2009-4-6 23064]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-4-28 38224]
S3 NetWlan5;Symbol Based 802.11b Wireless LAN Card Driver;c:\windows\system32\drivers\NetWlan5.sys [2007-4-17 132695]
S3 P1120VID;Creative WebCam NX Ultra;c:\windows\system32\drivers\P1120Vid.sys [2004-1-12 1252474]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-11-25 348752]
S3 XDva020;XDva020;\??\c:\windows\system32\xdva020.sys --> c:\windows\system32\XDva020.sys [?]

=============== Created Last 30 ================

2009-11-25 21:28:21 12568 ----a-w- c:\windows\system32\drivers\PROCEXP113.SYS
2009-11-25 20:40:13 77312 ----a-w- c:\windows\MBR.exe
2009-11-25 20:40:13 260608 ----a-w- c:\windows\PEV.exe
2009-11-25 20:40:13 161792 ----a-w- c:\windows\SWREG.exe
2009-11-25 20:40:12 98816 ----a-w- c:\windows\sed.exe
2009-11-25 19:41:26 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-11-25 19:41:05 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-11-25 19:41:05 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-11-25 19:41:05 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-11-25 19:40:48 0 d-----w- c:\program files\common files\PC Tools
2009-11-25 19:40:47 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-11-25 19:40:39 0 d-----w- c:\program files\Spyware Doctor
2009-11-25 19:40:39 0 d-----w- c:\docume~1\stepha~1\applic~1\PC Tools
2009-11-25 19:40:39 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2009-11-11 19:30:48 0 d-----w- c:\program files\Safer Networking
2009-11-10 09:05:11 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-11-10 09:05:08 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-11-10 09:02:47 0 d-----w- c:\windows\ie8updates
2009-11-09 12:14:07 0 d-----w- c:\windows\system32\scripting
2009-11-09 12:14:06 0 d-----w- c:\windows\l2schemas
2009-11-09 12:14:05 0 d-----w- c:\windows\system32\en
2009-11-09 12:14:05 0 d-----w- c:\windows\system32\bits
2009-11-09 12:03:27 0 d-sh--w- c:\documents and settings\stephanie's movie\PrivacIE
2009-11-09 11:44:33 0 d-sh--w- c:\documents and settings\stephanie's movie\IETldCache
2009-11-09 11:33:08 0 dc-h--w- c:\windows\ie8
2009-11-03 08:43:36 0 d-----w- c:\windows\Performance
2009-11-03 08:37:31 0 d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2009-11-03 03:23:27 0 dc----w- C:\lulz
2009-11-03 02:30:50 0 dc----w- C:\$AVG
2009-11-03 02:30:32 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-03 02:30:32 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-03 02:30:25 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-03 02:30:13 0 d-----w- c:\windows\system32\drivers\Avg
2009-11-03 02:30:10 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-11-03 02:29:33 0 d-----w- c:\program files\AVG
2009-11-03 02:29:24 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-11-02 23:51:03 160272 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-02 22:51:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Screaming Bee
2009-11-02 22:51:03 0 d-----w- c:\program files\common files\Screaming Bee
2009-11-02 22:33:52 0 d-----w- c:\docume~1\stepha~1\applic~1\Screaming Bee
2009-11-02 22:32:35 0 d-----w- c:\program files\Screaming Bee
2009-11-02 22:24:11 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-11-02 22:21:25 0 d-----r- c:\program files\Skype
2009-11-02 21:11:11 0 dc----w- C:\vcs5BGEffects
2009-10-29 00:23:19 1089593 -c----w- c:\windows\system32\dllcache\ntprint.cat

==================== Find3M ====================

2009-10-12 22:07:58 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-24 10:25:19 249856 ------w- c:\windows\Setup1.exe
2009-09-24 10:25:14 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ------w- c:\windows\system32\wininet.dll

============= FINISH: 16:15:54.05 ===============
ROOT REPEAL LOG
---------------------
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/25 16:22
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: aqiweaa5.SYS
Image Path: C:\WINDOWS\System32\Drivers\aqiweaa5.SYS
Address: 0xF6AF0000 Size: 417792 File Visible: No Signed: -
Status: -

Name: catchme.sys
Image Path: C:\ComboFix\catchme.sys
Address: 0xF78CB000 Size: 31744 File Visible: No Signed: -
Status: -

Name: Combo-Fix.sys
Image Path: Combo-Fix.sys
Address: 0xF75DB000 Size: 60416 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEE38F000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A93000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_NTPNP5568
Image Path: \Driver\PCI_NTPNP5568
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB7C73000 Size: 49152 File Visible: No Signed: -
Status: -

Name: srescan.sys
Image Path: srescan.sys
Address: 0xF6FC3000 Size: 81920 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\$avg\$chjw\a50626f3-30f6-415c-a455-14119eda2b1a
Status: Size mismatch (API: 3555268, Raw: 3454660)

Path: c:\$avg\$chjw\d9661204-7f8a-4784-be49-6f5e9f1f8785
Status: Size mismatch (API: 2951376, Raw: 2901072)

Path: C:\WINDOWS\Config\Config
Status: Locked to the Windows API!

Path: C:\WINDOWS\Connection Wizard\Connection Wizard
Status: Locked to the Windows API!

Path: C:\WINDOWS\addins\addins
Status: Locked to the Windows API!

Path: C:\WINDOWS\aolshare\aolshare
Status: Locked to the Windows API!

Path: C:\WINDOWS\msdownld.tmp\msdownld.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\SxsCaPendDel\SxsCaPendDel
Status: Locked to the Windows API!

Path: C:\WINDOWS\PIF\PIF
Status: Locked to the Windows API!

Path: C:\NeverwinterNights\NWN\screenshots\Amia: Islands_0007.tga
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\$hf_mig$\KB904706\KB904706
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB912812\KB912812
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB912945\KB912945
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB916281\KB916281
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB918899\KB918899
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB928090\KB928090
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB931768\KB931768
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB931784\KB931784
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB932168\KB932168
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB933729\KB933729
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB941568\KB941568
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB943460\KB943460
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB951748\KB951748
Status: Locked to the Windows API!

Path: C:\WINDOWS\java\classes\classes
Status: Locked to the Windows API!

Path: C:\WINDOWS\java\trustlib\trustlib
Status: Locked to the Windows API!

Path: C:\WINDOWS\I386\SPR\SPR
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imejp98\imejp98
Status: Locked to the Windows API!

Path: C:\WINDOWS\inf\ASM\ASM
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\tmp\tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\msapps\msinfo\msinfo
Status: Locked to the Windows API!

Path: C:\WINDOWS\Registration\CRMLog\CRMLog
Status: Locked to the Windows API!

Path: C:\WINDOWS\security\logs\logs
Status: Locked to the Windows API!

Path: C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Status: Locked to the Windows API!

Path: C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\chsime\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\CHTIME\Applets\Applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imejp\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imjp8_1\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imkr6_1\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imkr6_1\dicts\dicts
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\shared\res\res
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered
Status: Locked to the Windows API!

Path: C:\WINDOWS\Sun\Java\Deployment\Deployment
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\batch\batch
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\Temp\Temp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP245.tmp\ZAP245.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP43C.tmp\ZAP43C.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP530.tmp\ZAP530.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5DB.tmp\ZAP5DB.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6C2.tmp\ZAP6C2.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\0eaed8d713d78954a90c813a5e2c5934\backup\backup
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\Config\News\News
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0
Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Status: Locked to the Windows API!

Path: C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs
Status: Locked to the Windows API!

Path: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\root\root
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Stephanie's Movie\Application Data\Mozilla\Firefox\Profiles\79dgpf2s.default\sessionstore.js
Status: Could not get file information (Error 0xc0000008)

Path: C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\70\70
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\10\policy\policy
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\51\msft\msft
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\52\msft\msft
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\60\msft\msft
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\51\policy\msft\msft
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\52\policy\msft\msft
Status: Locked to the Windows API!

SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee543e60

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee540820

#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xf70e3d72

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee5441f0

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee54a480

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee54a6b0

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee54dce0

#: 056 Function Name: NtCreateWaitablePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee5442d0

#: 062 Function Name: NtDeleteFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee540ea0

#: 063 Function Name: NtDeleteKey
Status: Hooked by "PCTCore.sys" at address 0xf70e4568

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "PCTCore.sys" at address 0xf70e4820

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee54a1f0

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "sptd.sys" at address 0xf72f8e2c

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "sptd.sys" at address 0xf72f91ba

#: 098 Function Name: NtLoadKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee54c9e0

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee540cf0

#: 119 Function Name: NtOpenKey
Status: Hooked by "PCTCore.sys" at address 0xf70e2a80

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee549f40

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee549d60

#: 160 Function Name: NtQueryKey
Status: Hooked by "sptd.sys" at address 0xf72f9292

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "sptd.sys" at address 0xf72f9112

#: 192 Function Name: NtRenameKey
Status: Hooked by "PCTCore.sys" at address 0xf70e4c8a

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee54ccd0

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee543b00

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee54cf80

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee544010

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee541010

#: 247 Function Name: NtSetValueKey
Status: Hooked by "PCTCore.sys" at address 0xf70e4036

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee54a8e0

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x857421e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x857421e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x857421e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x857421e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x857421e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x857421e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x857421e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x857421e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x857421e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x857421e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x857421e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x857421e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x857421e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x857421e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x857421e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x857421e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x857421e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x857421e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x857421e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x857421e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x857421e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x857421e8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x8504b7a0 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x8504b7a0 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x8504b7a0 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x8504b7a0 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8504b7a0 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8504b7a0 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x8504b7a0 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x8504b7a0 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8504b7a0 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8504b7a0 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8504b7a0 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8504b7a0 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8504b7a0 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8504b7a0 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8504b7a0 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8504b7a0 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x8504b7a0 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x8504b7a0 Size: 121

Object: Hidden Code [Driver: Udfsࠅ౨瑎晦܂ੈ, IRP_MJ_CREATE]
Process: System Address: 0x850337a0 Size: 121

Object: Hidden Code [Driver: Udfsࠅ౨瑎晦܂ੈ, IRP_MJ_CLOSE]
Process: System Address: 0x850337a0 Size: 121

Object: Hidden Code [Driver: Udfsࠅ౨瑎晦܂ੈ, IRP_MJ_READ]
Process: System Address: 0x850337a0 Size: 121

Object: Hidden Code [Driver: Udfsࠅ౨瑎晦܂ੈ, IRP_MJ_WRITE]
Process: System Address: 0x850337a0 Size: 121

Object: Hidden Code [Driver: Udfsࠅ౨瑎晦܂ੈ, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x850337a0 Size: 121

Object: Hidden Code [Driver: Udfsࠅ౨瑎晦܂ੈ, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x850337a0 Size: 121

Object: Hidden Code [Driver: Udfsࠅ౨瑎晦܂ੈ, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x850337a0 Size: 121

Object: Hidden Code [Driver: Udfsࠅ౨瑎晦܂ੈ, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x850337a0 Size: 121

Object: Hidden Code [Driver: Udfsࠅ౨瑎晦܂ੈ, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x850337a0 Size: 121

Object: Hidden Code [Driver: Udfsࠅ౨瑎晦܂ੈ, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x850337a0 Size: 121

Object: Hidden Code [Driver: Udfsࠅ౨瑎晦܂ੈ, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x850337a0 Size: 121

Object: Hidden Code [Driver: Udfsࠅ౨瑎晦܂ੈ, IRP_MJ_CLEANUP]
Process: System Address: 0x850337a0 Size: 121

Object: Hidden Code [Driver: Udfsࠅ౨瑎晦܂ੈ, IRP_MJ_PNP]
Process: System Address: 0x850337a0 Size: 121

Object: Hidden Code [Driver: Ql10wnt, IRP_MJ_CREATE]
Process: System Address: 0x857571e8 Size: 121

Object: Hidden Code [Driver: Ql10wnt, IRP_MJ_CLOSE]
Process: System Address: 0x857571e8 Size: 121

Object: Hidden Code [Driver: Ql10wnt, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x857571e8 Size: 121

Object: Hidden Code [Driver: Ql10wnt, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x857571e8 Size: 121

Object: Hidden Code [Driver: Ql10wnt, IRP_MJ_POWER]
Process: System Address: 0x857571e8 Size: 121

Object: Hidden Code [Driver: Ql10wnt, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x857571e8 Size: 121

Object: Hidden Code [Driver: Ql10wnt, IRP_MJ_PNP]
Process: System Address: 0x857571e8 Size: 121

Object: Hidden Code [Driver: perc2, IRP_MJ_CREATE]
Process: System Address: 0x857481e8 Size: 121

Object: Hidden Code [Driver: perc2, IRP_MJ_CLOSE]
Process: System Address: 0x857481e8 Size: 121

Object: Hidden Code [Driver: perc2, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x857481e8 Size: 121

Object: Hidden Code [Driver: perc2, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x857481e8 Size: 121

Object: Hidden Code [Driver: perc2, IRP_MJ_POWER]
Process: System Address: 0x857481e8 Size: 121

Object: Hidden Code [Driver: perc2, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x857481e8 Size: 121

Object: Hidden Code [Driver: perc2, IRP_MJ_PNP]
Process: System Address: 0x857481e8 Size: 121

Object: Hidden Code [Driver: cbidf, IRP_MJ_CREATE]
Process: System Address: 0x857451e8 Size: 121

Object: Hidden Code [Driver: cbidf, IRP_MJ_CLOSE]
Process: System Address: 0x857451e8 Size: 121

Object: Hidden Code [Driver: cbidf, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x857451e8 Size: 121

Object: Hidden Code [Driver: cbidf, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x857451e8 Size: 121

Object: Hidden Code [Driver: cbidf, IRP_MJ_POWER]
Process: System Address: 0x857451e8 Size: 121

Object: Hidden Code [Driver: cbidf, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x857451e8 Size: 121

Object: Hidden Code [Driver: cbidf, IRP_MJ_PNP]
Process: System Address: 0x857451e8 Size: 121

Object: Hidden Code [Driver: ini910u, IRP_MJ_CREATE]
Process: System Address: 0x857c61e8 Size: 121

Object: Hidden Code [Driver: ini910u, IRP_MJ_CLOSE]
Process: System Address: 0x857c61e8 Size: 121

Object: Hidden Code [Driver: ini910u, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x857c61e8 Size: 121

Object: Hidden Code [Driver: ini910u, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x857c61e8 Size: 121

Object: Hidden Code [Driver: ini910u, IRP_MJ_POWER]
Process: System Address: 0x857c61e8 Size: 121

Object: Hidden Code [Driver: ini910u, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x857c61e8 Size: 121

Object: Hidden Code [Driver: ini910u, IRP_MJ_PNP]
Process: System Address: 0x857c61e8 Size: 121

Object: Hidden Code [Driver: asc, IRP_MJ_CREATE]
Process: System Address: 0x857561e8 Size: 121

Object: Hidden Code [Driver: asc, IRP_MJ_CLOSE]
Process: System Address: 0x857561e8 Size: 121

Object: Hidden Code [Driver: asc, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x857561e8 Size: 121

Object: Hidden Code [Driver: asc, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x857561e8 Size: 121

Object: Hidden Code [Driver: asc, IRP_MJ_POWER]
Process: System Address: 0x857561e8 Size: 121

Object: Hidden Code [Driver: asc, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x857561e8 Size: 121

Object: Hidden Code [Driver: asc, IRP_MJ_PNP]
Process: System Address: 0x857561e8 Size: 121

Object: Hidden Code [Driver: ql1280, IRP_MJ_CREATE]
Process: System Address: 0x8574a1e8 Size: 121

Object: Hidden Code [Driver: ql1280, IRP_MJ_CLOSE]
Process: System Address: 0x8574a1e8 Size: 121

Object: Hidden Code [Driver: ql1280, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8574a1e8 Size: 121

Object: Hidden Code [Driver: ql1280, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8574a1e8 Size: 121

Object: Hidden Code [Driver: ql1280, IRP_MJ_POWER]
Process: System Address: 0x8574a1e8 Size: 121

Object: Hidden Code [Driver: ql1280, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8574a1e8 Size: 121

Object: Hidden Code [Driver: ql1280, IRP_MJ_PNP]
Process: System Address: 0x8574a1e8 Size: 121

Object: Hidden Code [Driver: asc3350p, IRP_MJ_CREATE]
Process: System Address: 0x857501e8 Size: 121

Object: Hidden Code [Driver: asc3350p, IRP_MJ_CLOSE]
Process: System Address: 0x857501e8 Size: 121

Object: Hidden Code [Driver: asc3350p, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x857501e8 Size: 121

Object: Hidden Code [Driver: asc3350p, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x857501e8 Size: 121

Object: Hidden Code [Driver: asc3350p, IRP_MJ_POWER]
Process: System Address: 0x857501e8 Size: 121

Object: Hidden Code [Driver: asc3350p, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x857501e8 Size: 121

Object: Hidden Code [Driver: asc3350p, IRP_MJ_PNP]
Process: System Address: 0x857501e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x855677a0 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x855677a0 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x855677a0 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x855677a0 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x855677a0 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x855677a0 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x855677a0 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x855677a0 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x855677a0 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x855677a0 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x855677a0 Size: 121

Object: Hidden Code [Driver: mraid35x, IRP_MJ_CREATE]
Process: System Address: 0x857551e8 Size: 121

Object: Hidden Code [Driver: mraid35x, IRP_MJ_CLOSE]
Process: System Address: 0x857551e8 Size: 121

Object: Hidden Code [Driver: mraid35x, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x857551e8 Size: 121

Object: Hidden Code [Driver: mraid35x, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x857551e8 Size: 121

Object: Hidden Code [Driver: mraid35x, IRP_MJ_POWER]
Process: System Address: 0x857551e8 Size: 121

Object: Hidden Code [Driver: mraid35x, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x857551e8 Size: 121

Object: Hidden Code [Driver: mraid35x, IRP_MJ_PNP]
Process: System Address: 0x857551e8 Size: 121

Object: Hidden Code [Driver: cd20xrnt, IRP_MJ_CREATE]
Process: System Address: 0x8574f1e8 Size: 121

Object: Hidden Code [Driver: cd20xrnt, IRP_MJ_CLOSE]
Process: System Address: 0x8574f1e8 Size: 121

Object: Hidden Code [Driver: cd20xrnt, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8574f1e8 Size: 121

Object: Hidden Code [Driver: cd20xrnt, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8574f1e8 Size: 121

Object: Hidden Code [Driver: cd20xrnt, IRP_MJ_POWER]
Process: System Address: 0x8574f1e8 Size: 121

Object: Hidden Code [Driver: cd20xrnt, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8574f1e8 Size: 121

Object: Hidden Code [Driver: cd20xrnt, IRP_MJ_PNP]
Process: System Address: 0x8574f1e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x857ce1e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x857ce1e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x857ce1e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x857ce1e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x857ce1e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x857ce1e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x857ce1e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x857ce1e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x857ce1e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x857ce1e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x857ce1e8 Size: 121

Object: Hidden Code [Driver: symc8xx, IRP_MJ_CREATE]
Process: System Address: 0x857541e8 Size: 121

Object: Hidden Code [Driver: symc8xx, IRP_MJ_CLOSE]
Process: System Address: 0x857541e8 Size: 121

Object: Hidden Code [Driver: symc8xx, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x857541e8 Size: 121

Object: Hidden Code [Driver: symc8xx, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x857541e8 Size: 121

Object: Hidden Code [Driver: symc8xx, IRP_MJ_POWER]
Process: System Address: 0x857541e8 Size: 121

Object: Hidden Code [Driver: symc8xx, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x857541e8 Size: 121

Object: Hidden Code [Driver: symc8xx, IRP_MJ_PNP]
Process: System Address: 0x857541e8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CREATE]
Process: System Address: 0x8556b7a0 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CLOSE]
Process: System Address: 0x8556b7a0 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8556b7a0 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8556b7a0 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_POWER]
Process: System Address: 0x8556b7a0 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8556b7a0 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_PNP]
Process: System Address: 0x8556b7a0 Size: 121

Object: Hidden Code [Driver: ultra, IRP_MJ_CREATE]
Process: System Address: 0x8574e1e8 Size: 121

Object: Hidden Code [Driver: ultra, IRP_MJ_CLOSE]
Process: System Address: 0x8574e1e8 Size: 121

Object: Hidden Code [Driver: ultra, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8574e1e8 Size: 121

Object: Hidden Code [Driver: ultra, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8574e1e8 Size: 121

Object: Hidden Code [Driver: ultra, IRP_MJ_POWER]
Process: System Address: 0x8574e1e8 Size: 121

Object: Hidden Code [Driver: ultra, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8574e1e8 Size: 121

Object: Hidden Code [Driver: ultra, IRP_MJ_PNP]
Process: System Address: 0x8574e1e8 Size: 121

Object: Hidden Code [Driver: iaStor, IRP_MJ_CREATE]
Process: System Address: 0x857cd1e8 Size: 121

Object: Hidden Code [Driver: iaStor, IRP_MJ_CLOSE]
Process: System Address: 0x857cd1e8 Size: 121

Object: Hidden Code [Driver: iaStor, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x857cd1e8 Size: 121

Object: Hidden Code [Driver: iaStor, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x857cd1e8 Size: 121

Object: Hidden Code [Driver: iaStor, IRP_MJ_POWER]
Process: System Address: 0x857cd1e8 Size: 121

Object: Hidden Code [Driver: iaStor, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x857cd1e8 Size: 121

Object: Hid

Shadow SSDT
-------------------
#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee542150

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee5421e0

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee542260

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee542420

==EOF==

Edited by Royal Thirteen, 25 November 2009 - 05:37 PM.
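The RootRepeal output in the post above has one shape worth reading mechanically rather than by eye: for each driver object, every listed IRP major function lands on the same address with the same size (121), and RootRepeal labels a dispatch routine "Hidden Code" when that address falls outside any module it knows about. The Shadow SSDT hooks are a separate list, and all of them belong to vsdatant.sys, ZoneAlarm's firewall driver (ZoneAlarm is the firewall shown in this thread's logs). The script below is an added example for this thread, not code from the original post or from RootRepeal: it parses that log format, groups Hidden Code entries per driver, flags drivers whose affected majors all resolve to one address and size, and tallies Shadow SSDT hooks per hooking module so a known product can be separated from anything unexpected. The sample lines are constructed in RootRepeal's format from the kinds of entries above; the "Example" driver is a made-up control case, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the format RootRepeal prints. Driver names, addresses and the
# vsdatant.sys Shadow SSDT entries mirror the kinds of lines in the log above; the
# "Example" driver is invented so the control case (one major, different size) shows up.
SAMPLE_LOG = """\
Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x8504b7a0 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x8504b7a0 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x855677a0 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x855677a0 Size: 121

Object: Hidden Code [Driver: Example, IRP_MJ_WRITE]
Process: System Address: 0x80010000 Size: 40

Shadow SSDT
-------------------
#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\\WINDOWS\\System32\\vsdatant.sys" at address 0xee542150

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\\WINDOWS\\System32\\vsdatant.sys" at address 0xee5421e0
"""

HIDDEN_CODE_RE = re.compile(
    r"Object: Hidden Code \[Driver: (?P<driver>.+?), (?P<irp>IRP_MJ_\w+)\]\s+"
    r"Process: (?P<process>\S+) Address: (?P<addr>0x[0-9a-fA-F]+) Size: (?P<size>\d+)"
)
SSDT_HOOK_RE = re.compile(
    r"#: (?P<index>\d+) Function Name: (?P<func>\w+)\s+"
    r'Status: Hooked by "(?P<module>[^"]+)" at address (?P<addr>0x[0-9a-fA-F]+)'
)


def parse_hidden_code(text):
    """Return one (driver, irp_major, address, size) tuple per Hidden Code entry."""
    return [(m["driver"], m["irp"], int(m["addr"], 16), int(m["size"]))
            for m in HIDDEN_CODE_RE.finditer(text)]


def summarize_drivers(entries):
    """Group entries per driver object: which majors are affected and where they land."""
    summary = defaultdict(lambda: {"irps": [], "addresses": set(), "sizes": set()})
    for driver, irp, addr, size in entries:
        s = summary[driver]
        s["irps"].append(irp)
        s["addresses"].add(addr)
        s["sizes"].add(size)
    return dict(summary)


def flag_dispatch_hooks(summary, min_majors=2):
    """A driver whose affected IRP majors all resolve to one address with one size has
    had its dispatch table pointed at a single redirector stub. Drivers with only one
    affected major, or several distinct targets, are left for manual review."""
    return sorted(d for d, s in summary.items()
                  if len(s["irps"]) >= min_majors
                  and len(s["addresses"]) == 1 and len(s["sizes"]) == 1)


def parse_ssdt_hooks(text):
    """Return (index, function, hooking module path, address) per Shadow SSDT hook."""
    return [(int(m["index"]), m["func"], m["module"], int(m["addr"], 16))
            for m in SSDT_HOOK_RE.finditer(text)]


def hooks_by_module(hooks):
    """Count hooks per module file name so a known product (here ZoneAlarm's
    vsdatant.sys) is recognised at a glance and anything else stands out."""
    counts = defaultdict(int)
    for _index, _func, module, _addr in hooks:
        counts[module.rsplit("\\", 1)[-1].lower()] += 1
    return dict(counts)


if __name__ == "__main__":
    summary = summarize_drivers(parse_hidden_code(SAMPLE_LOG))
    for driver in flag_dispatch_hooks(summary):
        s = summary[driver]
        print(f"{driver}: {len(s['irps'])} majors -> {hex(next(iter(s['addresses'])))}")
    print(hooks_by_module(parse_ssdt_hooks(SAMPLE_LOG)))
```

Fed the full log from the post instead of the constructed sample, the flag list would contain every driver in it, since each one shows a single address and Size 121 across all of its majors, while the per-module tally would show only vsdatant.sys on the Shadow SSDT side.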



#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,195 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:04:55 AM

Posted 25 November 2009 - 08:13 PM

Hi, Royal Thirteen :(

Welcome.

Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here. (Please allow the application to finish. You will know as the last sentence in the report will be "Finished".)

"%userprofile%\desktop\win32kdiag.exe" -f -r

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

    Posted Image

    Posted Image

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" .
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 Royal Thirteen

Royal Thirteen
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:55 AM

Posted 26 November 2009 - 03:16 AM

THANK YOU very much for your time, I really hope to get somewhere with these beasts. :(

[WIN32KDIAG LOG]



Running from: C:\Documents and Settings\Stephanie's Movie\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Stephanie's Movie\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706

Found mount point : C:\WINDOWS\$hf_mig$\KB912812\KB912812

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB912812\KB912812

Found mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945

Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281

Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Found mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Found mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Found mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Found mount point : C:\WINDOWS\$hf_mig$\KB951748\KB951748

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB951748\KB951748

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\aolshare\aolshare

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\aolshare\aolshare

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP245.tmp\ZAP245.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP245.tmp\ZAP245.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP43C.tmp\ZAP43C.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP43C.tmp\ZAP43C.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP530.tmp\ZAP530.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP530.tmp\ZAP530.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5DB.tmp\ZAP5DB.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5DB.tmp\ZAP5DB.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6C2.tmp\ZAP6C2.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6C2.tmp\ZAP6C2.tmp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\I386\SPR\SPR

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\I386\SPR\SPR

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\inf\ASM\ASM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\inf\ASM\ASM

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\security\logs\logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\security\logs\logs

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\0eaed8d713d78954a90c813a5e2c5934\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\0eaed8d713d78954a90c813a5e2c5934\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\10\policy\policy

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\10\policy\policy

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\51\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\51\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\51\policy\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\51\policy\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\52\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\52\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\52\policy\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\52\policy\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\60\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\60\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\70\70

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\asms\70\70

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\root\root

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\backup\root\root

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Cannot access: C:\WINDOWS\system32\MRT.exe

Attempting to restore permissions of : C:\WINDOWS\system32\MRT.exe

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2
Finished!

Edited by Royal Thirteen, 26 November 2009 - 03:51 AM.


#4 Royal Thirteen

  • Topic Starter

  • Members
  • 10 posts

Posted 26 November 2009 - 03:50 AM

[C-COMBO FIX! ]

ComboFix 09-11-24.02 - Stephanie's Movie 11/26/2009 2:25.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.358 [GMT -6:00]
Running from: c:\documents and settings\Stephanie's Movie\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-10-26 to 2009-11-26 )))))))))))))))))))))))))))))))
.

2009-11-25 20:27 . 2009-11-25 20:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-11-25 20:04 . 2009-11-25 20:04 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-11-25 19:41 . 2008-12-11 14:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-11-25 19:41 . 2009-08-24 20:05 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-11-25 19:41 . 2009-08-19 17:01 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-11-25 19:40 . 2009-11-25 19:43 -------- d-----w- c:\program files\Common Files\PC Tools
2009-11-25 19:40 . 2008-12-10 17:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-11-25 19:40 . 2009-11-25 19:44 -------- d-----w- c:\program files\Spyware Doctor
2009-11-25 19:40 . 2009-11-25 19:40 -------- d-----w- c:\documents and settings\Stephanie's Movie\Application Data\PC Tools
2009-11-25 19:40 . 2009-11-25 19:40 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-11-20 15:21 . 2009-11-03 02:29 877848 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2009-11-16 03:54 . 2009-11-17 00:57 -------- d-----w- c:\program files\Windows Live Safety Center
2009-11-12 15:26 . 2009-11-10 18:37 4026136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-11-12 15:26 . 2009-11-10 18:37 2016536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2009-11-12 15:26 . 2009-11-10 18:37 1257240 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2009-11-12 15:26 . 2009-11-03 02:29 600344 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2009-11-12 15:26 . 2009-11-12 15:25 3963648 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-12 15:26 . 2009-11-12 15:25 497944 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-12 02:22 . 2009-11-12 02:22 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-11-12 02:08 . 2009-11-12 02:08 -------- d-----w- c:\documents and settings\J J\Application Data\MySpace
2009-11-12 01:44 . 2009-11-12 01:45 -------- d-----w- c:\documents and settings\J J\Local Settings\Application Data\Apple Computer
2009-11-12 01:44 . 2009-11-12 01:44 -------- d-sh--w- c:\documents and settings\J J\IETldCache
2009-11-11 19:30 . 2009-11-11 19:30 -------- d-----w- c:\program files\Safer Networking
2009-11-10 18:38 . 2009-11-03 02:30 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2009-11-10 18:35 . 2009-11-10 18:35 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-11-10 18:35 . 2009-11-03 02:29 610072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2009-11-10 09:05 . 2009-08-29 08:08 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-11-10 09:05 . 2009-08-29 08:08 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-11-10 09:02 . 2009-11-12 00:10 -------- d-----w- c:\windows\ie8updates
2009-11-09 17:22 . 2009-11-09 17:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-09 12:14 . 2009-11-09 12:14 -------- d-----w- c:\windows\system32\scripting
2009-11-09 12:14 . 2009-11-09 12:14 -------- d-----w- c:\windows\l2schemas
2009-11-09 12:14 . 2009-11-09 12:14 -------- d-----w- c:\windows\system32\en
2009-11-09 12:14 . 2009-11-09 12:14 -------- d-----w- c:\windows\system32\bits
2009-11-09 12:03 . 2009-11-09 12:03 -------- d-sh--w- c:\documents and settings\Stephanie's Movie\PrivacIE
2009-11-09 11:44 . 2009-11-09 11:44 -------- d-sh--w- c:\documents and settings\Stephanie's Movie\IETldCache
2009-11-09 11:33 . 2009-11-09 11:36 -------- dc-h--w- c:\windows\ie8
2009-11-08 07:38 . 2009-11-08 07:38 1408800 ----a-w- c:\documents and settings\Stephanie's Movie\Application Data\Move Networks\MoveMediaPlayerWin_071505000011.exe
2009-11-07 02:58 . 2009-11-07 02:58 -------- d-----w- c:\documents and settings\Stephanie's Movie\Local Settings\Application Data\AVG Security Toolbar
2009-11-03 08:43 . 2009-11-03 08:43 -------- d-----w- c:\windows\Performance
2009-11-03 08:43 . 2009-11-03 08:43 -------- d-----w- c:\documents and settings\Stephanie's Movie\Local Settings\Application Data\Microsoft Corporation
2009-11-03 08:37 . 2009-11-03 08:37 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2009-11-03 03:50 . 2009-10-16 18:12 1119488 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-11-03 03:23 . 2009-11-03 03:23 -------- dc----w- C:\lulz
2009-11-03 02:30 . 2009-11-03 02:52 -------- dc----w- C:\$AVG
2009-11-03 02:30 . 2009-11-10 18:37 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-03 02:30 . 2009-11-03 02:30 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-03 02:30 . 2009-11-03 02:30 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-03 02:30 . 2009-11-03 02:30 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-03 02:30 . 2009-11-26 00:38 -------- d-----w- c:\windows\system32\drivers\Avg
2009-11-03 02:30 . 2009-11-03 03:50 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-11-03 02:29 . 2009-11-03 02:29 -------- d-----w- c:\program files\AVG
2009-11-03 02:29 . 2009-11-04 02:29 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-02 23:51 . 2009-11-03 02:11 160272 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-02 22:51 . 2009-11-03 06:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Screaming Bee
2009-11-02 22:51 . 2009-11-25 20:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-02 22:51 . 2009-11-02 22:51 -------- d-----w- c:\program files\Common Files\Screaming Bee
2009-11-02 22:33 . 2009-11-03 06:17 -------- d-----w- c:\documents and settings\Stephanie's Movie\Application Data\Screaming Bee
2009-11-02 22:32 . 2009-11-03 06:51 -------- d-----w- c:\program files\Screaming Bee
2009-11-02 22:24 . 2009-11-02 22:24 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-11-02 22:24 . 2009-11-13 20:03 -------- d-----w- c:\documents and settings\Stephanie's Movie\Application Data\skypePM
2009-11-02 22:21 . 2009-11-13 20:12 -------- d-----w- c:\documents and settings\Stephanie's Movie\Application Data\Skype
2009-11-02 22:21 . 2009-11-02 22:21 -------- d-----w- c:\program files\Common Files\Skype
2009-11-02 22:21 . 2009-11-02 22:21 -------- d-----r- c:\program files\Skype
2009-11-02 22:21 . 2009-11-02 22:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-11-02 21:11 . 2009-11-02 22:33 -------- dc----w- C:\vcs5BGEffects

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-22 20:32 . 2009-10-13 03:32 1 ----a-w- c:\documents and settings\Stephanie's Movie\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-11-21 08:40 . 2008-01-26 16:50 -------- d-----w- c:\documents and settings\Stephanie's Movie\Application Data\uTorrent
2009-11-20 01:52 . 2009-11-20 01:59 2592768 ----a-w- c:\windows\Internet Logs\xDB32.tmp
2009-11-20 01:52 . 2009-11-20 01:59 2480640 ----a-w- c:\windows\Internet Logs\xDB33.tmp
2009-11-12 02:09 . 2006-06-19 04:25 84448 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-12 02:04 . 2009-11-12 02:05 2717184 ----a-w- c:\windows\Internet Logs\xDB31.tmp
2009-11-12 00:13 . 2007-04-13 14:48 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-11 19:37 . 2007-04-13 14:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-09 18:04 . 2007-12-28 23:55 84448 ----a-w- c:\documents and settings\Stephanie's Movie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-09 12:20 . 2006-06-17 09:39 86811 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-11-08 07:38 . 2009-09-22 17:22 127325 ----a-w- c:\documents and settings\Stephanie's Movie\Application Data\Move Networks\uninstall.exe
2009-11-08 07:38 . 2008-02-06 04:45 -------- d-----w- c:\documents and settings\Stephanie's Movie\Application Data\Move Networks
2009-11-08 07:38 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\Stephanie's Movie\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-11-04 05:38 . 2009-11-04 05:42 2445312 ----a-w- c:\windows\Internet Logs\xDB30.tmp
2009-11-03 06:59 . 2009-04-28 05:19 -------- d-----w- c:\program files\Exterminate It!
2009-11-03 00:35 . 2007-04-11 06:38 -------- d-----w- c:\documents and settings\All Users\Application Data\avg7
2009-11-03 00:35 . 2009-09-01 03:18 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG7
2009-11-03 00:35 . 2007-12-28 23:55 -------- d-----w- c:\documents and settings\Stephanie's Movie\Application Data\AVG7
2009-11-03 00:35 . 2007-12-17 02:00 -------- d-----w- c:\documents and settings\J J\Application Data\AVG7
2009-11-02 20:49 . 2009-11-02 20:50 4062208 ----a-w- c:\windows\Internet Logs\xDB2F.tmp
2009-10-28 23:52 . 2007-04-25 11:23 40042441 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2009-10-19 08:12 . 2009-10-19 08:12 -------- d-----w- c:\program files\MSBuild
2009-10-19 08:11 . 2009-10-19 08:11 -------- d-----w- c:\program files\Reference Assemblies
2009-10-19 08:02 . 2009-10-19 08:02 -------- d-----w- c:\program files\MSXML 6.0
2009-10-19 03:05 . 2008-05-07 03:55 -------- d-----w- c:\documents and settings\Stephanie's Movie\Application Data\dvdcss
2009-10-18 09:32 . 2009-04-29 02:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-18 09:31 . 2009-10-18 09:31 4045527 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-10-13 03:19 . 2009-10-13 03:19 -------- d-----w- c:\documents and settings\Stephanie's Movie\Application Data\OpenOffice.org
2009-10-12 22:14 . 2009-10-12 22:14 -------- d-----w- c:\program files\JRE
2009-10-12 22:14 . 2009-10-12 22:13 -------- d-----w- c:\program files\OpenOffice.org 3
2009-10-12 22:12 . 2007-07-10 07:20 -------- d-----w- c:\program files\OpenOffice.org 2.2
2009-10-12 22:07 . 2009-10-12 22:08 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-12 22:07 . 2007-04-11 02:47 -------- d-----w- c:\program files\Java
2009-10-06 17:42 . 2008-01-27 02:47 -------- d-----w- c:\documents and settings\Stephanie's Movie\Application Data\OpenOffice.org2
2009-10-04 23:03 . 2008-10-08 04:51 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-24 10:25 . 2007-04-14 22:23 249856 ------w- c:\windows\Setup1.exe
2009-09-24 10:25 . 2007-04-14 22:23 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-09-22 17:22 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\Stephanie's Movie\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-09-11 14:18 . 2007-04-11 01:48 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 20:54 . 2009-04-29 02:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 20:53 . 2009-04-29 02:32 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2007-04-11 01:48 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-01 03:06 . 2009-09-01 03:59 2761216 ----a-w- c:\windows\Internet Logs\xDB2E.tmp
2009-08-29 08:08 . 2006-06-17 09:23 916480 ------w- c:\windows\system32\wininet.dll
2009-04-15 20:24 . 2009-04-15 20:24 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-04-15 20:24 . 2009-04-15 20:24 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll

c:\windows\System32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2009-11-25_21.17.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-26 08:21 . 2009-11-26 08:21 16384 c:\windows\Temp\Perflib_Perfdata_5f0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-10-16 18:12 1119488 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 4670968]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe runtime -Delay" [X]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 919280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-12 2020120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

c:\documents and settings\Stephanie's Movie\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
Rainmeter.lnk - c:\program files\Rainmeter\Rainmeter.exe [2006-1-21 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-03 02:30 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\aol\\1176459244\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.0a\\waol.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\aol\\1176459244\\ee\\AOLDesktop.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbTray.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\xmltv.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [4/26/2009 11:03 PM 28544]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [11/25/2009 1:41 PM 206256]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/2/2009 8:30 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/2/2009 8:30 PM 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [11/2/2009 8:29 PM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/2/2009 8:29 PM 285392]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [4/6/2009 1:19 PM 23064]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [4/18/2007 9:03 PM 682232]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [4/28/2009 8:32 PM 38224]
S3 NetWlan5;Symbol Based 802.11b Wireless LAN Card Driver;c:\windows\system32\drivers\NetWlan5.sys [4/17/2007 6:31 AM 132695]
S3 P1120VID;Creative WebCam NX Ultra;c:\windows\system32\drivers\P1120Vid.sys [1/12/2004 3:51 PM 1252474]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [11/25/2009 1:40 PM 348752]
S3 XDva020;XDva020;\??\c:\windows\system32\XDva020.sys --> c:\windows\system32\XDva020.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-10-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 22:57]

2009-11-02 c:\windows\Tasks\Defraggler Volume C Task.job
- c:\program files\Defraggler\df.exe [2009-04-13 14:17]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Stephanie's Movie\Start Menu\Programs\IMVU\Run IMVU.lnk
TCP: {AA9CEF7B-E262-49DA-AF97-00169B25016F} = 24.93.41.127,24.93.41.128
FF - ProfilePath - c:\documents and settings\Stephanie's Movie\Application Data\Mozilla\Firefox\Profiles\79dgpf2s.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Stephanie's Movie\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\Stephanie's Movie\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\Stephanie's Movie\Application Data\Mozilla\Firefox\Profiles\79dgpf2s.default\extensions\OpenXMLViewer@Codeplex.com\plugins\npDocX.dll
FF - plugin: c:\documents and settings\Stephanie's Movie\Application Data\Mozilla\Firefox\Profiles\79dgpf2s.default\extensions\OpenXMLViewer@Codeplex.com\plugins\npnul32.dll
FF - plugin: c:\documents and settings\Stephanie's Movie\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.17\Plugins\npybrowserplus_2.4.17.dll
FF - plugin: c:\program files\IGN\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-26 02:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(820)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2009-11-26 02:44
ComboFix-quarantined-files.txt 2009-11-26 08:44
ComboFix2.txt 2009-11-25 21:28

Pre-Run: 50,509,537,280 bytes free
Post-Run: 50,476,654,592 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 8F5420104C4CD2361BA5A3584D7A9A44

#5 JSntgRvr


    Master Surgeon General


  • Malware Response Team
  • 11,195 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 26 November 2009 - 10:11 AM

Hi, Royal Thirteen

Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop

FCopy::
c:\windows\ServicePackFiles\i386\eventlog.dll | c:\windows\System32\eventlog.dll

Driver::
XDva020


Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!

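The CFScript above is derived by hand from two things in the ComboFix log: the Sigcheck section (a known-good copy of eventlog.dll exists under ServicePackFiles while the System32 copy is missing) and the service list (XDva020 points at an image ComboFix could not find, shown as `[?]`). The following script is an added example, not part of this thread or of ComboFix, that automates that triage: it parses constructed copies of those log lines, plans the `FCopy::` and `Driver::` sections in the syntax the helper used, and offers an MD5 check for the restored file. The regular expressions are assumptions based on the line formats visible in this thread.

```python
import hashlib
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed sample: the log lines from this thread that drive the CFScript.
SAMPLE_LOG = r"""------- Sigcheck -------

[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll

c:\windows\System32\eventlog.dll ... is missing !!
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [4/26/2009 11:03 PM 28544]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [11/25/2009 1:40 PM 348752]
S3 XDva020;XDva020;\??\c:\windows\system32\XDva020.sys --> c:\windows\system32\XDva020.sys [?]
"""

# Sigcheck line: "[n] date . MD5 . size . . [version] . . path" (assumed format).
SIGCHECK_RE = re.compile(
    r"^\[\d+\] \S+ \. ([0-9A-Fa-f]{32}) \. (\d+) \. \. \[[^\]]*\] \. \. (.+?)\s*$"
)
# "path ... is missing !!" marks a system file ComboFix expected but did not find.
MISSING_RE = re.compile(r"^(.+?) \.\.\. is missing !!\s*$")
# Service line: "R0 name;display;image [date size]"; a trailing "[?]" means the
# image file is absent, i.e. an orphaned (here, rootkit) service entry.
ORPHAN_SERVICE_RE = re.compile(r"^[RS]\d ([^;]+);[^;]*;.*\[\?\]\s*$")


def parse_sigcheck(log: str) -> Tuple[Dict[str, Tuple[str, str]], List[str]]:
    """Return ({basename: (known_good_path, md5)}, [missing_paths])."""
    known_good: Dict[str, Tuple[str, str]] = {}
    missing: List[str] = []
    for line in log.splitlines():
        m = SIGCHECK_RE.match(line)
        if m:
            md5, _size, path = m.groups()
            known_good[ntpath.basename(path).lower()] = (path, md5.upper())
            continue
        m = MISSING_RE.match(line)
        if m:
            missing.append(m.group(1))
    return known_good, missing


def parse_orphan_services(log: str) -> List[str]:
    """Service names whose image ComboFix reported as '[?]' (not on disk)."""
    names = []
    for line in log.splitlines():
        m = ORPHAN_SERVICE_RE.match(line)
        if m:
            names.append(m.group(1))
    return names


def plan_fcopy(known_good: Dict[str, Tuple[str, str]],
               missing: List[str]) -> List[Tuple[str, str]]:
    """Pair each missing file with a known-good copy of the same basename."""
    pairs = []
    for dst in missing:
        entry = known_good.get(ntpath.basename(dst).lower())
        if entry:
            pairs.append((entry[0], dst))
    return pairs


def build_cfscript(log: str) -> str:
    """Emit FCopy:: and Driver:: sections in the syntax used in this thread."""
    known_good, missing = parse_sigcheck(log)
    sections = []
    pairs = plan_fcopy(known_good, missing)
    if pairs:
        sections.append("FCopy::\n" + "\n".join(f"{s} | {d}" for s, d in pairs))
    orphans = parse_orphan_services(log)
    if orphans:
        sections.append("Driver::\n" + "\n".join(orphans))
    return "\n\n".join(sections) + "\n"


def verify_restored(path: str, expected_md5: str) -> bool:
    """After FCopy, the restored file should hash to the Sigcheck MD5."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper() == expected_md5.upper()


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_LOG))
```

Missing files with no known-good sibling under ServicePackFiles are left out of the FCopy section on purpose; those need a manual source decision rather than an automatic copy.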

#6 Royal Thirteen

  • Topic Starter

  • Members
  • 10 posts

Posted 26 November 2009 - 08:56 PM

ComboFix 09-11-24.02 - Stephanie's Movie 11/26/2009 19:18.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.453 [GMT -6:00]
Running from: c:\documents and settings\Stephanie's Movie\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Stephanie's Movie\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\eventlog.dll --> c:\windows\System32\eventlog.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_XDVA020
-------\Service_XDva020


((((((((((((((((((((((((( Files Created from 2009-10-27 to 2009-11-27 )))))))))))))))))))))))))))))))
.

2009-11-27 01:18 . 2008-04-14 00:11 56320 -c--a-w- c:\windows\system32\dllcache\eventlog.dll
2009-11-27 01:18 . 2008-04-14 00:11 56320 ----a-w- c:\windows\system32\eventlog.dll
2009-11-25 20:27 . 2009-11-25 20:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-11-25 20:04 . 2009-11-25 20:04 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-11-25 19:41 . 2008-12-11 14:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-11-25 19:41 . 2009-08-24 20:05 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-11-25 19:41 . 2009-08-19 17:01 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-11-25 19:40 . 2009-11-25 19:43 -------- d-----w- c:\program files\Common Files\PC Tools
2009-11-25 19:40 . 2008-12-10 17:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-11-25 19:40 . 2009-11-25 19:44 -------- d-----w- c:\program files\Spyware Doctor
2009-11-25 19:40 . 2009-11-25 19:40 -------- d-----w- c:\documents and settings\Stephanie's Movie\Application Data\PC Tools
2009-11-25 19:40 . 2009-11-25 19:40 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-11-20 15:21 . 2009-11-03 02:29 877848 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2009-11-16 03:54 . 2009-11-17 00:57 -------- d-----w- c:\program files\Windows Live Safety Center
2009-11-12 15:26 . 2009-11-10 18:37 4026136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-11-12 15:26 . 2009-11-10 18:37 2016536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2009-11-12 15:26 . 2009-11-10 18:37 1257240 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2009-11-12 15:26 . 2009-11-03 02:29 600344 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2009-11-12 15:26 . 2009-11-12 15:25 3963648 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-12 15:26 . 2009-11-12 15:25 497944 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-12 02:22 . 2009-11-12 02:22 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-11-12 02:08 . 2009-11-12 02:08 -------- d-----w- c:\documents and settings\J J\Application Data\MySpace
2009-11-12 01:44 . 2009-11-12 01:45 -------- d-----w- c:\documents and settings\J J\Local Settings\Application Data\Apple Computer
2009-11-12 01:44 . 2009-11-12 01:44 -------- d-sh--w- c:\documents and settings\J J\IETldCache
2009-11-11 19:30 . 2009-11-11 19:30 -------- d-----w- c:\program files\Safer Networking
2009-11-10 18:38 . 2009-11-03 02:30 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2009-11-10 18:35 . 2009-11-10 18:35 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-11-10 18:35 . 2009-11-03 02:29 610072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2009-11-10 09:05 . 2009-08-29 08:08 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-11-10 09:05 . 2009-08-29 08:08 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-11-10 09:02 . 2009-11-12 00:10 -------- d-----w- c:\windows\ie8updates
2009-11-09 17:22 . 2009-11-09 17:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-09 12:14 . 2009-11-09 12:14 -------- d-----w- c:\windows\system32\scripting
2009-11-09 12:14 . 2009-11-09 12:14 -------- d-----w- c:\windows\l2schemas
2009-11-09 12:14 . 2009-11-09 12:14 -------- d-----w- c:\windows\system32\en
2009-11-09 12:14 . 2009-11-09 12:14 -------- d-----w- c:\windows\system32\bits
2009-11-09 12:03 . 2009-11-09 12:03 -------- d-sh--w- c:\documents and settings\Stephanie's Movie\PrivacIE
2009-11-09 11:44 . 2009-11-09 11:44 -------- d-sh--w- c:\documents and settings\Stephanie's Movie\IETldCache
2009-11-09 11:33 . 2009-11-09 11:36 -------- dc-h--w- c:\windows\ie8
2009-11-08 07:38 . 2009-11-08 07:38 1408800 ----a-w- c:\documents and settings\Stephanie's Movie\Application Data\Move Networks\MoveMediaPlayerWin_071505000011.exe
2009-11-07 02:58 . 2009-11-07 02:58 -------- d-----w- c:\documents and settings\Stephanie's Movie\Local Settings\Application Data\AVG Security Toolbar
2009-11-03 08:43 . 2009-11-03 08:43 -------- d-----w- c:\windows\Performance
2009-11-03 08:43 . 2009-11-03 08:43 -------- d-----w- c:\documents and settings\Stephanie's Movie\Local Settings\Application Data\Microsoft Corporation
2009-11-03 08:37 . 2009-11-03 08:37 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2009-11-03 03:50 . 2009-10-16 18:12 1119488 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-11-03 03:23 . 2009-11-03 03:23 -------- dc----w- C:\lulz
2009-11-03 02:30 . 2009-11-03 02:52 -------- dc----w- C:\$AVG
2009-11-03 02:30 . 2009-11-10 18:37 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-03 02:30 . 2009-11-03 02:30 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-03 02:30 . 2009-11-03 02:30 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-03 02:30 . 2009-11-03 02:30 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-03 02:30 . 2009-11-27 00:05 -------- d-----w- c:\windows\system32\drivers\Avg
2009-11-03 02:30 . 2009-11-03 03:50 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-11-03 02:29 . 2009-11-03 02:29 -------- d-----w- c:\program files\AVG
2009-11-03 02:29 . 2009-11-04 02:29 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-02 23:51 . 2009-11-03 02:11 160272 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-02 22:51 . 2009-11-03 06:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Screaming Bee
2009-11-02 22:51 . 2009-11-25 20:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-02 22:51 . 2009-11-02 22:51 -------- d-----w- c:\program files\Common Files\Screaming Bee
2009-11-02 22:33 . 2009-11-03 06:17 -------- d-----w- c:\documents and settings\Stephanie's Movie\Application Data\Screaming Bee
2009-11-02 22:32 . 2009-11-03 06:51 -------- d-----w- c:\program files\Screaming Bee
2009-11-02 22:24 . 2009-11-02 22:24 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-11-02 22:24 . 2009-11-13 20:03 -------- d-----w- c:\documents and settings\Stephanie's Movie\Application Data\skypePM
2009-11-02 22:21 . 2009-11-13 20:12 -------- d-----w- c:\documents and settings\Stephanie's Movie\Application Data\Skype
2009-11-02 22:21 . 2009-11-02 22:21 -------- d-----w- c:\program files\Common Files\Skype
2009-11-02 22:21 . 2009-11-02 22:21 -------- d-----r- c:\program files\Skype
2009-11-02 22:21 . 2009-11-02 22:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-11-02 21:11 . 2009-11-02 22:33 -------- dc----w- C:\vcs5BGEffects

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-27 01:04 . 2009-11-27 01:06 2825728 ----a-w- c:\windows\Internet Logs\xDB34.tmp
2009-11-27 01:01 . 2008-01-26 16:50 -------- d-----w- c:\documents and settings\Stephanie's Movie\Application Data\uTorrent
2009-11-22 20:32 . 2009-10-13 03:32 1 ----a-w- c:\documents and settings\Stephanie's Movie\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-11-20 01:52 . 2009-11-20 01:59 2592768 ----a-w- c:\windows\Internet Logs\xDB32.tmp
2009-11-20 01:52 . 2009-11-20 01:59 2480640 ----a-w- c:\windows\Internet Logs\xDB33.tmp
2009-11-12 02:09 . 2006-06-19 04:25 84448 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-12 02:04 . 2009-11-12 02:05 2717184 ----a-w- c:\windows\Internet Logs\xDB31.tmp
2009-11-12 00:13 . 2007-04-13 14:48 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-11 19:37 . 2007-04-13 14:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-09 18:04 . 2007-12-28 23:55 84448 ----a-w- c:\documents and settings\Stephanie's Movie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-09 12:20 . 2006-06-17 09:39 86811 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-11-08 07:38 . 2009-09-22 17:22 127325 ----a-w- c:\documents and settings\Stephanie's Movie\Application Data\Move Networks\uninstall.exe
2009-11-08 07:38 . 2008-02-06 04:45 -------- d-----w- c:\documents and settings\Stephanie's Movie\Application Data\Move Networks
2009-11-08 07:38 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\Stephanie's Movie\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-11-04 05:38 . 2009-11-04 05:42 2445312 ----a-w- c:\windows\Internet Logs\xDB30.tmp
2009-11-03 06:59 . 2009-04-28 05:19 -------- d-----w- c:\program files\Exterminate It!
2009-11-03 00:35 . 2007-04-11 06:38 -------- d-----w- c:\documents and settings\All Users\Application Data\avg7
2009-11-03 00:35 . 2009-09-01 03:18 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG7
2009-11-03 00:35 . 2007-12-28 23:55 -------- d-----w- c:\documents and settings\Stephanie's Movie\Application Data\AVG7
2009-11-03 00:35 . 2007-12-17 02:00 -------- d-----w- c:\documents and settings\J J\Application Data\AVG7
2009-11-02 20:49 . 2009-11-02 20:50 4062208 ----a-w- c:\windows\Internet Logs\xDB2F.tmp
2009-10-28 23:52 . 2007-04-25 11:23 40042441 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2009-10-19 08:12 . 2009-10-19 08:12 -------- d-----w- c:\program files\MSBuild
2009-10-19 08:11 . 2009-10-19 08:11 -------- d-----w- c:\program files\Reference Assemblies
2009-10-19 08:02 . 2009-10-19 08:02 -------- d-----w- c:\program files\MSXML 6.0
2009-10-19 03:05 . 2008-05-07 03:55 -------- d-----w- c:\documents and settings\Stephanie's Movie\Application Data\dvdcss
2009-10-18 09:32 . 2009-04-29 02:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-18 09:31 . 2009-10-18 09:31 4045527 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-10-13 03:19 . 2009-10-13 03:19 -------- d-----w- c:\documents and settings\Stephanie's Movie\Application Data\OpenOffice.org
2009-10-12 22:14 . 2009-10-12 22:14 -------- d-----w- c:\program files\JRE
2009-10-12 22:14 . 2009-10-12 22:13 -------- d-----w- c:\program files\OpenOffice.org 3
2009-10-12 22:12 . 2007-07-10 07:20 -------- d-----w- c:\program files\OpenOffice.org 2.2
2009-10-12 22:07 . 2009-10-12 22:08 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-12 22:07 . 2007-04-11 02:47 -------- d-----w- c:\program files\Java
2009-10-06 17:42 . 2008-01-27 02:47 -------- d-----w- c:\documents and settings\Stephanie's Movie\Application Data\OpenOffice.org2
2009-10-04 23:03 . 2008-10-08 04:51 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-24 10:25 . 2007-04-14 22:23 249856 ------w- c:\windows\Setup1.exe
2009-09-24 10:25 . 2007-04-14 22:23 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-09-22 17:22 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\Stephanie's Movie\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-09-11 14:18 . 2007-04-11 01:48 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 20:54 . 2009-04-29 02:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 20:53 . 2009-04-29 02:32 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2007-04-11 01:48 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-01 03:06 . 2009-09-01 03:59 2761216 ----a-w- c:\windows\Internet Logs\xDB2E.tmp
2009-08-29 08:08 . 2006-06-17 09:23 916480 ------w- c:\windows\system32\wininet.dll
2009-04-15 20:24 . 2009-04-15 20:24 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-04-15 20:24 . 2009-04-15 20:24 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-25_21.17.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-27 01:36 . 2009-11-27 01:36 16384 c:\windows\Temp\Perflib_Perfdata_6d8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-10-16 18:12 1119488 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 4670968]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe runtime -Delay" [X]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 919280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-12 2020120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

c:\documents and settings\Stephanie's Movie\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
Rainmeter.lnk - c:\program files\Rainmeter\Rainmeter.exe [2006-1-21 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-03 02:30 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\aol\\1176459244\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.0a\\waol.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\aol\\1176459244\\ee\\AOLDesktop.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbTray.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\xmltv.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [4/26/2009 11:03 PM 28544]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [11/25/2009 1:41 PM 206256]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [4/18/2007 9:03 PM 682232]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/2/2009 8:30 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/2/2009 8:30 PM 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [11/2/2009 8:29 PM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/2/2009 8:29 PM 285392]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [4/6/2009 1:19 PM 23064]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [4/28/2009 8:32 PM 38224]
S3 NetWlan5;Symbol Based 802.11b Wireless LAN Card Driver;c:\windows\system32\drivers\NetWlan5.sys [4/17/2007 6:31 AM 132695]
S3 P1120VID;Creative WebCam NX Ultra;c:\windows\system32\drivers\P1120Vid.sys [1/12/2004 3:51 PM 1252474]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [11/25/2009 1:40 PM 348752]
.
Contents of the 'Scheduled Tasks' folder

2009-10-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 22:57]

2009-11-02 c:\windows\Tasks\Defraggler Volume C Task.job
- c:\program files\Defraggler\df.exe [2009-04-13 14:17]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Stephanie's Movie\Start Menu\Programs\IMVU\Run IMVU.lnk
TCP: {AA9CEF7B-E262-49DA-AF97-00169B25016F} = 24.93.41.127,24.93.41.128
FF - ProfilePath - c:\documents and settings\Stephanie's Movie\Application Data\Mozilla\Firefox\Profiles\79dgpf2s.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Stephanie's Movie\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\Stephanie's Movie\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\Stephanie's Movie\Application Data\Mozilla\Firefox\Profiles\79dgpf2s.default\extensions\OpenXMLViewer@Codeplex.com\plugins\npDocX.dll
FF - plugin: c:\documents and settings\Stephanie's Movie\Application Data\Mozilla\Firefox\Profiles\79dgpf2s.default\extensions\OpenXMLViewer@Codeplex.com\plugins\npnul32.dll
FF - plugin: c:\documents and settings\Stephanie's Movie\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.17\Plugins\npybrowserplus_2.4.17.dll
FF - plugin: c:\program files\IGN\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-26 19:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys sptd.sys >>UNKNOWN [0x8577D8A8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf75bff28
\Driver\ACPI -> ACPI.sys @ 0xf72b2cb8
\Driver\atapi -> atapi.sys @ 0xf7172b40
\Driver\iaStor -> 0x857cd1e8
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(876)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3492)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\ATI Technologies\ATI.ACE\cli.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\ATI Technologies\ATI.ACE\cli.exe
c:\program files\ATI Technologies\ATI.ACE\cli.exe
.
**************************************************************************
.
Completion time: 2009-11-26 19:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-27 01:51
ComboFix2.txt 2009-11-26 08:44
ComboFix3.txt 2009-11-25 21:28

Pre-Run: 50,391,908,352 bytes free
Post-Run: 50,353,152,000 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - BADFE232A49D9488D63CBC7BB3E05EF4
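
An editor's note on the "Stealth MBR rootkit/Mebroot/Sinowal detector" block above, with an added example that is not part of this thread and is not Gmer's code. The three lines "user: MBR read successfully", "kernel: MBR read successfully" and "user & kernel MBR OK" summarise one check: sector 0 is read once through the ordinary user-mode path and once through the lowest disk driver the tool can reach, and the two copies are compared. A Mebroot-style bootkit hooks the disk stack and hands the original sector back to anyone who reads LBA 0 the normal way, so a mismatch is the tell; the "detected MBR rootkit hooks" lines list where each driver's dispatch routine currently points, and a pointer into an unnamed region (the >>UNKNOWN<< module in the call chain, or \Driver\iaStor resolving to a bare address) is what earns the warning. Note that sptd.sys, the driver Daemon Tools and Alcohol install, sits in that same call chain and is a known source of such entries. The Python below parses a 512-byte MBR and performs the comparison; every byte string in it is constructed for the demo, and reading a live disk on Windows would instead use open(r"\\.\PhysicalDrive0", "rb").read(512) from an elevated prompt.

```python
r"""Added example (editor's, not Gmer's code): parse a 512-byte MBR and compare a
user-mode read with a kernel-path read, the check behind "user & kernel MBR OK".
All sector contents below are constructed; no real disk is touched."""
import struct

SECTOR = 512
CODE_LEN = 440          # bootstrap code occupies bytes 0..439
DISK_SIG_OFF = 440      # 4-byte NT disk signature
PT_OFF = 446            # four 16-byte partition entries
ENTRY = 16
SIG_OFF = 510           # 0x55 0xAA boot signature


def parse_mbr(sector):
    """Split an MBR into bootstrap code, disk signature and used partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[SIG_OFF:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = sector[PT_OFF + i * ENTRY: PT_OFF + (i + 1) * ENTRY]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype:  # type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {"code": sector[:CODE_LEN],
            "disk_sig": struct.unpack("<I", sector[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
            "partitions": partitions}


def compare_reads(user_read, kernel_read):
    """Findings when the two reads disagree; an empty list is 'user & kernel MBR OK'."""
    u, k = parse_mbr(user_read), parse_mbr(kernel_read)
    findings = []
    if u["code"] != k["code"]:
        findings.append("bootstrap code differs between user-mode and kernel read")
    if u["partitions"] != k["partitions"]:
        findings.append("partition table differs")
    if u["disk_sig"] != k["disk_sig"]:
        findings.append("disk signature differs")
    return findings


def build_mbr(code, partitions, disk_sig=0x12345678):
    """Assemble a constructed MBR from bootstrap bytes and (bootable, type, lba, count) tuples."""
    if len(code) > CODE_LEN:
        raise ValueError("bootstrap code too long")
    sector = bytearray(SECTOR)
    sector[:len(code)] = code
    sector[DISK_SIG_OFF:DISK_SIG_OFF + 4] = struct.pack("<I", disk_sig)
    for i, (bootable, ptype, lba_start, count) in enumerate(partitions):
        sector[PT_OFF + i * ENTRY: PT_OFF + (i + 1) * ENTRY] = struct.pack(
            "<B3sB3sII", 0x80 if bootable else 0, b"\0\0\0", ptype, b"\0\0\0", lba_start, count)
    sector[SIG_OFF:] = b"\x55\xaa"
    return bytes(sector)


def demo():
    """Clean vs. clean, then clean (what the hooked path returns) vs. infected (what is really on disk)."""
    parts = [(True, 0x07, 63, 220_000_000), (False, 0x0B, 220_000_063, 14_000_000)]
    clean_code = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100   # stand-in for a normal loader
    clean = build_mbr(clean_code, parts)
    # A Mebroot-style infection keeps the partition table intact and swaps only the
    # bootstrap code for a stub that loads the rootkit body from unpartitioned sectors.
    infected_code = b"\xea\x00\x7c\x00\x00" + b"\x00" * 100             # constructed, not real malware
    infected = build_mbr(infected_code, parts)
    return compare_reads(clean, clean), compare_reads(clean, infected)


if __name__ == "__main__":
    healthy, hooked = demo()
    print("healthy disk:", healthy or "user & kernel MBR OK")
    print("hooked disk: ", hooked)
```

The comparison deliberately ignores nothing: the partition table and disk signature are checked too, because a bootkit that relocates the real partitions would show up there even if it left the loader alone. What the script cannot do is the kernel-side read itself; that needs a driver that talks to the disk below any hook, which is the part of Gmer's tool that a user-mode script cannot replace.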

#7 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,195 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:04:55 AM

Posted 27 November 2009 - 09:14 AM

Hi, Royal Thirteen :(

There seems to be some rootkit activity in the Master Boot Record. You have elected not to install the Recovery Console, thus ComboFix won't attempt a fix. Do you have drive emulation software such as Alcohol or Daemon Tools?

Download OTL.exe to your Desktop.
  • Close any open browsers.
  • Double-click on OTL.exe to start the program.
  • Leave all settings as they appear as default, except for the following:
    • ->Under the Custom Scan box paste this in

      netsvcs
      %SYSTEMDRIVE%\*.exe
      %SYSTEMDRIVE%\eventlog.dll /s /md5
      %SYSTEMDRIVE%\scecli.dll /s /md5
      %SYSTEMDRIVE%\netlogon.dll /s /md5
      %SYSTEMDRIVE%\cngaudit.dll /s /md5
      %SYSTEMDRIVE%\sceclt.dll /s /md5
      %SYSTEMDRIVE%\ntelogon.dll /s /md5
      %SYSTEMDRIVE%\logevent.dll /s /md5
      %SYSTEMDRIVE%\iaStor.sys /s /md5
      %SYSTEMDRIVE%\nvstor*.sys /s /md5
      %SYSTEMDRIVE%\atapi* /s /md5
      %SYSTEMDRIVE%\IdeChnDr.sys /s /md5
      %SYSTEMDRIVE%\viasraid.sys /s /md5
      %SYSTEMDRIVE%\AGP440.sys /s /md5
      %SYSTEMDRIVE%\vaxscsi.sys /s /md5
      %SYSTEMDRIVE%\nvatabus.sys /s /md5
      %SYSTEMDRIVE%\viamraid.sys /s /md5
      %SYSTEMDRIVE%\nvata.sys /s /md5
      %SYSTEMDRIVE%\nvgts.sys /s /md5
      %SYSTEMDRIVE%\iastorv.sys /s /md5
      %SYSTEMDRIVE%\ViPrt.sys /s /md5
      %SYSTEMDRIVE%\eNetHook.dll /s /md5


  • Now click the Run Scan button on the toolbar.
  • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Save that notepad file
Post the contents of that Notepad document in your next reply.

Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan:

  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save it where you can easily find it, such as your desktop and post its contents in your next reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Edited by JSntgRvr, 27 November 2009 - 09:15 AM.
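
An editor's note on the OTL custom-scan list above, with an added example that is not part of this thread and is not OTL's code. Each line of the form %SYSTEMDRIVE%\atapi* /s /md5 asks OTL to search the whole system drive recursively (/s) for that file name and to print every copy found with its size and MD5 (/md5). The reason for asking is that XP keeps spare copies of boot-critical drivers (system32\dllcache, ServicePackFiles\i386) and a file-patching rootkit modifies only the copy that actually loads, so a name whose copies hash differently is the first lead to chase. The Python below does the same walk by hand over a constructed directory tree; the file bytes in demo() are stand-ins, not real driver images.

```python
r"""Added example (editor's, not from the thread and not OTL's own code).

Re-creates the helper's custom-scan lines such as
    %SYSTEMDRIVE%\atapi* /s /md5
by walking a root recursively (/s), listing every copy of each watched name
with its size and MD5 (/md5), and flagging names whose copies disagree.
The tree built in demo() is constructed for the demo."""
import fnmatch
import hashlib
import os
import tempfile
from collections import defaultdict

# A subset of the names from the helper's list; wildcards are kept as given.
WATCHED = ["atapi*", "iaStor.sys", "nvstor*.sys", "eventlog.dll", "scecli.dll"]


def md5_of(path, chunk=1 << 16):
    """Stream the file through MD5 so a large driver need not be read at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_copies(root, patterns=WATCHED):
    """Recursive search (the /s switch). Returns {name: [(path, size, md5), ...]},
    keyed by lower-cased file name so drivers\atapi.sys and dllcache\ATAPI.SYS
    land in the same bucket."""
    hits = defaultdict(list)
    lowered = [p.lower() for p in patterns]
    for dirpath, _, files in os.walk(root):
        for name in files:
            lname = name.lower()
            if any(fnmatch.fnmatchcase(lname, p) for p in lowered):
                full = os.path.join(dirpath, name)
                hits[lname].append((full, os.path.getsize(full), md5_of(full)))
    return dict(hits)


def suspicious(copies):
    """Names whose copies do not all share one MD5."""
    return sorted(n for n, c in copies.items() if len({m for _, _, m in c}) > 1)


def report(copies):
    """One 'path | size | md5' line per copy, the shape OTL prints."""
    return [f"{path} | {size} | {digest}"
            for name in sorted(copies)
            for path, size, digest in sorted(copies[name])]


def demo():
    """Constructed XP-like tree: atapi.sys patched in drivers\ only (same size,
    a few bytes changed, as a patched driver would be), clean in the two backup
    locations; iaStor.sys present once. Returns (flagged names, all copies)."""
    root = tempfile.mkdtemp()
    clean = b"MZ" + b"\x00" * 4094
    patched = clean[:2048] + b"\xe8\x00\x10" + clean[2051:]   # same length as clean
    layout = {
        ("WINDOWS", "system32", "drivers", "atapi.sys"): patched,
        ("WINDOWS", "system32", "dllcache", "atapi.sys"): clean,
        ("WINDOWS", "ServicePackFiles", "i386", "atapi.sys"): clean,
        ("WINDOWS", "system32", "drivers", "iaStor.sys"): b"MZ" + b"\x01" * 100,
    }
    for parts, data in layout.items():
        full = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    copies = find_copies(root)
    return suspicious(copies), copies


if __name__ == "__main__":
    flagged, copies = demo()
    print("\n".join(report(copies)))
    print("copies disagree:", flagged)
```

Two caveats a practitioner should keep in mind. A mismatch is a lead, not a verdict: a post-Service-Pack hotfix legitimately leaves system32\drivers newer than ServicePackFiles\i386, so check the file version and compare the hash of the loaded copy against one from a known-clean machine before acting on it. And a rootkit that hooks the disk driver can serve the clean bytes to any user-mode reader, in which case every copy hashes the same and this check is silent; that is why the same post also asks for a kernel-level GMER scan.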



#8 Royal Thirteen

Royal Thirteen
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:55 AM

Posted 27 November 2009 - 11:00 AM

ComboFix often reboots my PC, and I'm unaware of what the Recovery Console is.

When ComboFix offers to install it, my computer will not connect to the web.

I do in fact have Daemon Tools installed on my computer, with one virtual drive running. Logs will be posted within the hour, or however long it takes for the scanners to complete.

[OTL LOG]

OTL logfile created on: 11/27/2009 9:59:04 AM - Run 1
OTL by OldTimer - Version 3.1.11.0 Folder = C:\Documents and Settings\Stephanie's Movie\My Documents\Downloads
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

894.04 Mb Total Physical Memory | 165.44 Mb Available Physical Memory | 18.50% Memory free
1.78 Gb Paging File | 0.83 Gb Available in Paging File | 46.69% Paging File free
Paging file location(s): C:\pagefile.sys 1000 10000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 104.94 Gb Total Space | 46.52 Gb Free Space | 44.33% Space Free | Partition Type: NTFS
Drive D: | 6.83 Gb Total Space | 3.41 Gb Free Space | 50.00% Space Free | Partition Type: FAT32
Drive E: | 7.51 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: IRON_MAN
Current User Name: Stephanie's Movie
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/11/27 09:58:07 | 00,532,992 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Stephanie's Movie\My Documents\Downloads\OTL.exe
PRC - [2009/11/12 09:25:48 | 02,020,120 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2009/11/12 09:25:44 | 00,600,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2009/11/06 20:57:49 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/11/02 20:29:55 | 01,055,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2009/11/02 20:29:54 | 00,502,040 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2009/11/02 20:29:53 | 00,702,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2009/11/02 20:29:53 | 00,702,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2009/11/02 20:29:42 | 00,906,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgemc.exe
PRC - [2009/11/02 20:29:41 | 00,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2009/10/12 16:07:58 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/08/19 09:23:24 | 07,418,368 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.bin
PRC - [2009/08/19 09:23:22 | 07,424,000 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.exe
PRC - [2009/07/26 15:44:34 | 03,883,856 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe
PRC - [2009/02/06 16:07:48 | 00,027,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Contacts\wlcomm.exe
PRC - [2008/07/10 09:51:26 | 20,246,824 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunes.exe
PRC - [2008/07/10 09:51:22 | 00,532,264 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2008/07/10 08:47:42 | 00,015,376 | ---- | M] () -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
PRC - [2008/07/10 08:47:22 | 00,149,488 | ---- | M] () -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
PRC - [2008/07/10 08:47:18 | 00,116,040 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/05/27 09:50:30 | 00,413,696 | ---- | M] (Apple Inc.) -- C:\Program Files\QuickTime\QTTask.exe
PRC - [2008/04/13 18:12:37 | 00,135,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\taskmgr.exe
PRC - [2008/04/13 18:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/03/08 23:02:00 | 00,919,280 | ---- | M] (Zone Labs, LLC) -- C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
PRC - [2007/03/08 23:01:58 | 00,075,568 | ---- | M] (Zone Labs, LLC) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe
PRC - [2006/10/23 06:50:35 | 00,046,640 | ---- | M] (AOL LLC) -- C:\Program Files\Common Files\aol\acs\AOLacsd.exe
PRC - [2006/10/18 19:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe
PRC - [2006/10/12 15:28:48 | 01,134,592 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\system32\BCMWLTRY.EXE
PRC - [2006/10/09 15:16:56 | 00,237,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\ehrecvr.exe
PRC - [2006/04/04 20:52:38 | 00,405,504 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
PRC - [2006/04/04 20:52:38 | 00,405,504 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
PRC - [2006/01/02 16:41:22 | 00,045,056 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
PRC - [2006/01/02 16:41:22 | 00,045,056 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
PRC - [2006/01/02 16:41:22 | 00,045,056 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
PRC - [2005/08/05 21:56:32 | 00,102,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\ehSched.exe
PRC - [2005/08/05 21:27:08 | 00,099,328 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\mcrdsvc.exe


========== Modules (SafeList) ==========

MOD - [2009/11/27 09:58:07 | 00,532,992 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Stephanie's Movie\My Documents\Downloads\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - File not found -- -- (PrismXL)
SRV - [2009/11/02 20:29:42 | 00,906,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2009/11/02 20:29:41 | 00,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2009/10/12 16:07:58 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/07/22 22:44:48 | 01,097,096 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdCoreService)
SRV - [2009/01/07 12:40:56 | 00,348,752 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdAuxService)
SRV - [2008/07/10 09:51:22 | 00,532,264 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2008/07/10 08:47:18 | 00,116,040 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2008/04/13 18:11:48 | 00,100,352 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\6to4svc.dll -- (6to4)
SRV - [2007/04/21 22:12:13 | 00,072,704 | ---- | M] (Adobe Systems) -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service)
SRV - [2007/03/08 23:01:58 | 00,075,568 | ---- | M] (Zone Labs, LLC) -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe -- (vsmon)
SRV - [2006/10/23 06:50:35 | 00,046,640 | ---- | M] (AOL LLC) -- C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe -- (AOL ACS)
SRV - [2006/10/18 19:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc)
SRV - [2006/10/12 15:28:56 | 00,020,480 | ---- | M] () -- C:\WINDOWS\System32\WLTRYSVC.EXE -- (wltrysvc)
SRV - [2006/10/09 15:16:56 | 00,237,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\ehrecvr.exe -- (ehRecvr)
SRV - [2006/04/04 20:52:38 | 00,405,504 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2005/08/05 21:56:32 | 00,102,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\ehSched.exe -- (ehSched)
SRV - [2005/08/05 21:27:08 | 00,099,328 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\mcrdsvc.exe -- (McrdSvc)


========== Driver Services (SafeList) ==========

DRV - File not found -- -- (catchme)
DRV - [2009/11/10 12:37:16 | 00,360,584 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2009/11/02 20:30:25 | 00,333,192 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/11/02 20:30:25 | 00,028,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2009/09/10 14:54:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2009/08/24 14:05:06 | 00,206,256 | ---- | M] (PC Tools) -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2009/04/15 14:25:42 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2009/04/06 13:19:46 | 00,023,064 | ---- | M] (Screaming Bee LLC) -- C:\WINDOWS\system32\drivers\ScreamingBAudio.sys -- (SCREAMINGBDRIVER)
DRV - [2008/07/10 08:35:22 | 00,032,000 | ---- | M] (Apple, Inc.) -- C:\WINDOWS\system32\drivers\usbaapl.sys -- (USBAAPL)
DRV - [2008/06/19 15:24:30 | 00,028,544 | ---- | M] (Panda Security, S.L.) -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot)
DRV - [2008/05/29 11:33:10 | 00,027,672 | R--- | M] (EnTech Taiwan) -- C:\WINDOWS\system32\drivers\Entech.sys -- (ENTECH)
DRV - [2008/04/13 13:00:02 | 00,225,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
DRV - [2008/04/13 12:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 12:36:39 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 12:36:39 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/13 10:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/01/29 11:01:28 | 00,016,168 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2007/11/13 04:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/06/29 13:47:34 | 00,034,304 | ---- | M] (AMD, Inc.) -- C:\WINDOWS\system32\drivers\AmdLLD.sys -- (AmdLLD)
DRV - [2007/04/18 21:03:38 | 00,682,232 | ---- | M] () -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2007/04/16 15:46:34 | 00,033,792 | ---- | M] (Advanced Micro Devices) -- C:\WINDOWS\system32\drivers\AmdPPM.sys -- (AmdPPM)
DRV - [2007/03/08 23:02:10 | 00,394,192 | ---- | M] (Zone Labs, LLC) -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2007/01/18 04:39:20 | 00,050,416 | ---- | M] (Zone Labs, LLC) -- C:\WINDOWS\system32\ZoneLabs\srescan.sys -- (srescan)
DRV - [2006/10/12 15:28:42 | 00,604,928 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2006/07/06 07:59:42 | 00,246,784 | ---- | M] (Intel Corporation) -- C:\WINDOWS\SYSTEM32\DRIVERS\IASTOR.SYS -- (iaStor)
DRV - [2006/07/01 21:39:40 | 00,036,864 | ---- | M] (Advanced Micro Devices) -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2006/06/15 14:28:04 | 01,179,784 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2006/05/23 09:56:00 | 00,245,248 | ---- | M] (Marvell) -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2006/04/04 20:58:44 | 01,536,000 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/09/20 22:30:56 | 00,162,432 | ---- | M] (Texas Instruments) -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21)
DRV - [2004/11/05 08:47:00 | 00,185,824 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2004/08/10 13:00:00 | 00,179,584 | ---- | M] (Mylex Corporation) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2004/08/10 13:00:00 | 00,049,024 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2004/08/10 13:00:00 | 00,045,312 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2004/08/10 13:00:00 | 00,040,320 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2004/08/10 13:00:00 | 00,036,736 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2004/08/10 13:00:00 | 00,032,640 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2004/08/10 13:00:00 | 00,030,688 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2004/08/10 13:00:00 | 00,028,384 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2004/08/10 13:00:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2004/08/10 13:00:00 | 00,019,072 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2004/08/10 13:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/08/10 13:00:00 | 00,017,280 | ---- | M] (American Megatrends Inc.) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2004/08/10 13:00:00 | 00,016,256 | ---- | M] (Symbios Logic Inc.) -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2004/08/10 13:00:00 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2004/08/10 13:00:00 | 00,006,656 | ---- | M] (CMD Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2004/08/10 13:00:00 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2004/08/03 21:31:42 | 00,132,695 | ---- | M] (802.11b) -- C:\WINDOWS\system32\drivers\NetWlan5.sys -- (NetWlan5)
DRV - [2004/02/04 09:27:56 | 00,049,536 | ---- | M] (Texas Instruments Incorporated) -- C:\WINDOWS\system32\drivers\tiehdusb.sys -- (TIEHDUSB)
DRV - [2004/01/12 15:51:44 | 01,252,474 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\P1120Vid.sys -- (P1120VID)
DRV - [2003/01/10 15:13:04 | 00,033,588 | R--- | M] (America Online, Inc.) -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2001/08/17 07:46:40 | 00,006,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\enum1394.sys -- (ENUM1394)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = E8 34 D6 4D 66 69 CA 01 [binary data]
IE - HKCU\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found
IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo! Search"
FF - prefs.js..browser.search.selectedEngine: "Yahoo! Search"
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.701
FF - prefs.js..extensions.enabledItems: avg@igeared:2.710.016.005
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}:6.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}:6.0.16
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7
FF - prefs.js..extensions.enabledItems: OpenXMLViewer@Codeplex.com:1.0.1
FF - prefs.js..extensions.enabledItems: {B13721C7-F507-4982-B2E5-502A71474FED}:3.3.0.3971
FF - prefs.js..keyword.URL: "http://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p="
FF - prefs.js..network.proxy.type: 4

FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/10/12 16:08:00 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/10/30 13:44:30 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2009/11/11 18:13:46 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\avg@igeared: C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared [2009/11/02 20:30:09 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/11/06 20:57:56 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/11/09 05:44:49 | 00,000,000 | ---D | M]

[2009/05/18 00:48:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Stephanie's Movie\Application Data\Mozilla\Extensions
[2008/10/16 14:29:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Stephanie's Movie\Application Data\Mozilla\Extensions\home2@tomtom.com
[2009/11/26 20:30:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Stephanie's Movie\Application Data\Mozilla\Firefox\Profiles\79dgpf2s.default\extensions
[2009/10/31 13:15:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Stephanie's Movie\Application Data\Mozilla\Firefox\Profiles\79dgpf2s.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/08/26 13:35:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Stephanie's Movie\Application Data\Mozilla\Firefox\Profiles\79dgpf2s.default\extensions\OpenXMLViewer@Codeplex.com
[2009/11/26 20:20:24 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/11/02 16:21:45 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}
[2007/07/10 01:20:10 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
[2009/10/12 16:08:20 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
[2007/04/10 16:21:08 | 00,163,256 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\np-mswmp.dll
[2007/06/06 11:55:22 | 00,144,984 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nppl3260.dll
[2007/06/06 11:55:35 | 00,024,576 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nprjplug.dll
[2007/06/06 11:55:17 | 00,081,920 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nprpjplug.dll
[2007/08/21 18:42:32 | 00,057,344 | ---- | M] (America Online, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npunagi2.dll
[2009/11/06 20:58:47 | 00,002,273 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\avg_igeared.xml

O1 HOSTS File: (27 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No CLSID value found.
O2 - BHO: (AOL Toolbar Launcher) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (AOL LLC)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O3 - HKLM\..\Toolbar: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (AOL LLC)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (AOL LLC)
O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\cli.exe (ATI Technologies Inc.)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Zone Labs, LLC)
O4 - HKCU..\Run: [msnmsgr] C:\Program Files\Windows Live\Messenger\msnmsgr.exe (Microsoft Corporation)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKCU..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - Startup: C:\Documents and Settings\Stephanie's Movie\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O4 - Startup: C:\Documents and Settings\Stephanie's Movie\Start Menu\Programs\Startup\Rainmeter.lnk = C:\Program Files\Rainmeter\Rainmeter.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: AllowLegacyWebView = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: AllowUnhashedWebView = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll (AOL LLC)
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O9 - Extra Button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Stephanie's Movie\Start Menu\Programs\IMVU\Run IMVU.lnk File not found
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O15 - HKLM\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O15 - HKCU\..Trusted Domains: 102 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\yinsthelper.dll (YInstStarter Class)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab (FilePlanet Download Control Class)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1005.cab (MySpace Uploader Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} http://acs.pandasoftware.com/activescan/as5free/asinst.cab (ActiveScan Installer Class)
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/flash...ent/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.93.41.127 24.93.41.128
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/06/17 03:41:16 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/07/13 17:11:22 | 00,000,073 | R--- | M] () - E:\AUTORUN.INF -- [ UDF ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

NetSvcs: 6to4 - C:\WINDOWS\system32\6to4svc.dll (Microsoft Corporation)
NetSvcs: Ias - C:\WINDOWS\system32\ias [2007/04/10 20:25:28 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/11/26 19:36:24 | 00,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2009/11/26 19:18:31 | 00,056,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\eventlog.dll
[2009/11/26 19:18:31 | 00,056,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\eventlog.dll
[2009/11/25 14:40:13 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/11/25 14:40:13 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/11/25 14:40:12 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/11/25 14:40:12 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/11/25 14:39:17 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/11/25 13:47:39 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/11/25 13:41:26 | 00,159,600 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctgntdi.sys
[2009/11/25 13:41:05 | 00,206,256 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTCore.sys
[2009/11/25 13:41:05 | 00,086,888 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTAppEvent.sys
[2009/11/25 13:40:48 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2009/11/25 13:40:47 | 00,064,392 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctplsg.sys
[2009/11/25 13:40:39 | 00,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor
[2009/11/25 13:40:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Stephanie's Movie\Application Data\PC Tools
[2009/11/25 13:40:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2009/11/15 21:54:15 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2009/11/11 13:30:48 | 00,000,000 | ---D | C] -- C:\Program Files\Safer Networking
[2009/11/10 03:02:47 | 00,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2009/11/09 06:14:07 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting
[2009/11/09 06:14:06 | 00,000,000 | ---D | C] -- C:\WINDOWS\l2schemas
[2009/11/09 06:14:05 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\en
[2009/11/09 06:14:05 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\bits
[2009/11/09 06:03:27 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\Stephanie's Movie\PrivacIE
[2009/11/09 05:58:06 | 00,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstall$
[2009/11/09 05:44:33 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\Stephanie's Movie\IETldCache
[2009/11/09 05:33:08 | 00,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2009/11/06 20:58:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Stephanie's Movie\Local Settings\Application Data\AVG Security Toolbar
[2009/11/03 02:43:36 | 00,000,000 | ---D | C] -- C:\WINDOWS\Performance
[2009/11/03 02:43:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Stephanie's Movie\Local Settings\Application Data\Microsoft Corporation
[2009/11/03 02:37:31 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Windows 7 Upgrade Advisor
[2009/11/02 21:23:27 | 00,000,000 | ---D | C] -- C:\lulz
[2009/11/02 21:13:56 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\Stephanie's Movie\Recent
[2009/11/02 20:30:50 | 00,000,000 | ---D | C] -- C:\$AVG
[2009/11/02 20:30:32 | 00,360,584 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/11/02 20:30:32 | 00,012,464 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/11/02 20:30:25 | 00,333,192 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/11/02 20:30:25 | 00,028,424 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2009/11/02 20:30:13 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\Avg
[2009/11/02 20:30:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2009/11/02 20:29:33 | 00,000,000 | ---D | C] -- C:\Program Files\AVG
[2009/11/02 20:29:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg9
[2009/11/02 17:51:03 | 00,160,272 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2009/11/02 16:51:43 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Screaming Bee
[2009/11/02 16:51:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/11/02 16:51:03 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Screaming Bee
[2009/11/02 16:33:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Stephanie's Movie\Application Data\Screaming Bee
[2009/11/02 16:32:35 | 00,000,000 | ---D | C] -- C:\Program Files\Screaming Bee
[2009/11/02 16:24:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Stephanie's Movie\Application Data\skypePM
[2009/11/02 16:21:54 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Stephanie's Movie\Application Data\Skype
[2009/11/02 16:21:29 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2009/11/02 16:21:25 | 00,000,000 | R--D | C] -- C:\Program Files\Skype
[2009/11/02 16:21:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Skype
[2009/11/02 15:11:11 | 00,000,000 | ---D | C] -- C:\vcs5BGEffects

========== Files - Modified Within 30 Days ==========

[2009/11/27 09:50:32 | 00,000,437 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.ics
[2009/11/27 08:25:40 | 00,000,306 | ---- | M] () -- C:\WINDOWS\tasks\Defraggler Volume C Task.job
[2009/11/27 08:19:13 | 45,814,706 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/11/27 08:17:48 | 00,105,755 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/11/26 19:41:41 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/11/26 19:41:19 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/11/26 19:41:08 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/11/26 19:37:18 | 00,049,617 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2009/11/26 19:36:25 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/11/26 19:35:43 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/11/26 19:35:32 | 93,753,7536 | -HS- | M] () -- C:\hiberfil.sys
[2009/11/26 19:33:49 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Stephanie's Movie\ntuser.ini
[2009/11/26 19:33:48 | 08,912,896 | -H-- | M] () -- C:\Documents and Settings\Stephanie's Movie\NTUSER.DAT
[2009/11/26 09:31:05 | 14,424,350 | ---- | M] () -- C:\Documents and Settings\Stephanie's Movie\Desktop\Drake-Forever__Feat_Lil_Wayne_Kanye_West__Eminem_-_Official_-2dope.mp3
[2009/11/26 09:24:02 | 02,988,983 | ---- | M] () -- C:\Documents and Settings\Stephanie's Movie\Desktop\the-game-my-life.mp3
[2009/11/26 09:12:10 | 05,447,680 | ---- | M] () -- C:\Documents and Settings\Stephanie's Movie\Desktop\Rick Ross Everyday Hustling.mp3
[2009/11/26 02:14:53 | 03,575,028 | R--- | M] () -- C:\Documents and Settings\Stephanie's Movie\Desktop\Combo-Fix.exe
[2009/11/26 02:13:10 | 00,047,616 | ---- | M] () -- C:\Documents and Settings\Stephanie's Movie\Desktop\Win32kDiag.exe
[2009/11/25 16:12:52 | 00,001,007 | ---- | M] () -- C:\Documents and Settings\Stephanie's Movie\Desktop\Shortcut to RootRepeal.lnk
[2009/11/25 16:11:57 | 00,000,966 | ---- | M] () -- C:\Documents and Settings\Stephanie's Movie\Desktop\Shortcut to dds.lnk
[2009/11/25 14:34:56 | 02,359,350 | ---- | M] () -- C:\Documents and Settings\Stephanie's Movie\My Documents\untitled.bmp
[2009/11/25 14:27:19 | 00,000,255 | RHS- | M] () -- C:\boot.ini
[2009/11/22 16:29:12 | 00,022,016 | ---- | M] () -- C:\Documents and Settings\Stephanie's Movie\My Documents\Unit 3 Assignment 3- Fundamentals.doc
[2009/11/22 16:28:57 | 00,022,016 | ---- | M] () -- C:\Documents and Settings\Stephanie's Movie\My Documents\Unit 3 Assignment 3- Intro.doc
[2009/11/22 14:56:30 | 00,028,672 | ---- | M] () -- C:\Documents and Settings\Stephanie's Movie\My Documents\Unit 2 Assignment 2- Fundamentals.doc
[2009/11/22 14:30:36 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/11/20 21:26:34 | 00,815,644 | ---- | M] () -- C:\Documents and Settings\Stephanie's Movie\Desktop\potm-map-barovia-small.jpg
[2009/11/17 16:09:52 | 00,025,109 | ---- | M] () -- C:\Documents and Settings\Stephanie's Movie\Desktop\Sales Data.odb
[2009/11/17 16:08:06 | 00,003,938 | ---- | M] () -- C:\Documents and Settings\Stephanie's Movie\My Documents\Sales Data.odb
[2009/11/14 01:47:57 | 00,260,608 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/11/11 18:14:04 | 00,325,912 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/11/11 13:34:12 | 00,000,933 | ---- | M] () -- C:\Documents and Settings\Stephanie's Movie\Desktop\Spybot - Search & Destroy.lnk
[2009/11/10 12:37:16 | 00,360,584 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/11/09 12:06:46 | 00,525,770 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/11/09 12:06:46 | 00,444,596 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/11/09 12:06:46 | 00,072,306 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/11/09 12:04:14 | 00,084,448 | ---- | M] () -- C:\Documents and Settings\Stephanie's Movie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/11/09 06:06:18 | 00,250,048 | RHS- | M] () -- C:\ntldr
[2009/11/06 16:38:08 | 00,225,280 | ---- | M] () -- C:\Documents and Settings\Stephanie's Movie\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/03 00:14:54 | 00,010,752 | ---- | M] () -- C:\WINDOWS\System32\BASSMOD.dll
[2009/11/02 20:30:33 | 00,001,507 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 9.0.lnk
[2009/11/02 20:30:32 | 00,012,464 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/11/02 20:30:25 | 00,333,192 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/11/02 20:30:25 | 00,113,461 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\iavichjw.avm
[2009/11/02 20:30:25 | 00,028,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2009/11/02 20:30:13 | 06,061,540 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/11/02 20:30:13 | 00,492,629 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/11/02 20:11:10 | 00,160,272 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2009/11/02 18:12:54 | 00,000,892 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/11/02 17:50:04 | 00,000,036 | ---- | M] () -- C:\Documents and Settings\Stephanie's Movie\Local Settings\Application Data\housecall.guid.cache
[2009/11/02 16:24:11 | 00,000,056 | -H-- | M] () -- C:\WINDOWS\System32\ezsidmv.dat
[2009/10/28 14:32:04 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job

========== Files Created - No Company Name ==========

[2009/11/26 09:29:48 | 14,424,350 | ---- | C] () -- C:\Documents and Settings\Stephanie's Movie\Desktop\Drake-Forever__Feat_Lil_Wayne_Kanye_West__Eminem_-_Official_-2dope.mp3
[2009/11/26 09:23:48 | 02,988,983 | ---- | C] () -- C:\Documents and Settings\Stephanie's Movie\Desktop\the-game-my-life.mp3
[2009/11/26 09:11:49 | 05,447,680 | ---- | C] () -- C:\Documents and Settings\Stephanie's Movie\Desktop\Rick Ross Everyday Hustling.mp3
[2009/11/26 02:14:39 | 03,575,028 | R--- | C] () -- C:\Documents and Settings\Stephanie's Movie\Desktop\Combo-Fix.exe
[2009/11/26 02:13:09 | 00,047,616 | ---- | C] () -- C:\Documents and Settings\Stephanie's Movie\Desktop\Win32kDiag.exe
[2009/11/25 16:12:52 | 00,001,007 | ---- | C] () -- C:\Documents and Settings\Stephanie's Movie\Desktop\Shortcut to RootRepeal.lnk
[2009/11/25 16:11:57 | 00,000,966 | ---- | C] () -- C:\Documents and Settings\Stephanie's Movie\Desktop\Shortcut to dds.lnk
[2009/11/25 14:40:13 | 00,260,608 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/11/25 14:40:13 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2009/11/25 14:40:12 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/11/25 14:40:12 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/11/25 14:40:12 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/11/25 14:38:14 | 93,753,7536 | -HS- | C] () -- C:\hiberfil.sys
[2009/11/25 14:34:53 | 02,359,350 | ---- | C] () -- C:\Documents and Settings\Stephanie's Movie\My Documents\untitled.bmp
[2009/11/25 13:41:05 | 00,007,396 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctcore.cat
[2009/11/22 16:29:11 | 00,022,016 | ---- | C] () -- C:\Documents and Settings\Stephanie's Movie\My Documents\Unit 3 Assignment 3- Fundamentals.doc
[2009/11/22 14:56:55 | 00,022,016 | ---- | C] () -- C:\Documents and Settings\Stephanie's Movie\My Documents\Unit 3 Assignment 3- Intro.doc
[2009/11/20 21:26:19 | 00,815,644 | ---- | C] () -- C:\Documents and Settings\Stephanie's Movie\Desktop\potm-map-barovia-small.jpg
[2009/11/17 16:08:06 | 00,025,109 | ---- | C] () -- C:\Documents and Settings\Stephanie's Movie\Desktop\Sales Data.odb
[2009/11/17 15:25:48 | 00,003,938 | ---- | C] () -- C:\Documents and Settings\Stephanie's Movie\My Documents\Sales Data.odb
[2009/11/11 13:34:12 | 00,000,933 | ---- | C] () -- C:\Documents and Settings\Stephanie's Movie\Desktop\Spybot - Search & Destroy.lnk
[2009/11/03 00:14:54 | 00,010,752 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2009/11/02 20:30:33 | 00,001,507 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 9.0.lnk
[2009/11/02 20:30:22 | 00,113,461 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\iavichjw.avm
[2009/11/02 20:30:13 | 45,814,706 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/11/02 20:30:13 | 06,061,540 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/11/02 20:30:13 | 00,492,629 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/11/02 20:30:13 | 00,105,755 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/11/02 17:50:04 | 00,000,036 | ---- | C] () -- C:\Documents and Settings\Stephanie's Movie\Local Settings\Application Data\housecall.guid.cache
[2009/11/02 16:24:11 | 00,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2009/01/03 19:57:56 | 01,228,854 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\OrbError.bmp
[2008/10/02 12:44:53 | 00,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2008/01/21 11:08:36 | 00,000,292 | ---- | C] () -- C:\WINDOWS\vtmb.ini
[2008/01/07 12:16:28 | 00,225,280 | ---- | C] () -- C:\Documents and Settings\Stephanie's Movie\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/12/28 17:55:47 | 00,000,140 | ---- | C] () -- C:\Documents and Settings\Stephanie's Movie\Local Settings\Application Data\fusioncache.dat
[2007/11/02 13:27:27 | 00,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2007/06/19 07:59:36 | 00,070,400 | ---- | C] () -- C:\WINDOWS\System32\PhysXLoader.dll
[2007/05/14 16:29:08 | 00,002,187 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/04/20 06:57:30 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2007/04/20 06:57:28 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2007/04/20 06:57:28 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2007/04/20 06:57:28 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2007/04/20 06:57:28 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2007/04/20 06:57:28 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2007/04/20 06:57:28 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2007/04/20 06:57:28 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2007/04/20 06:57:28 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2007/04/18 21:03:37 | 00,682,232 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2007/04/16 23:08:26 | 00,796,312 | ---- | C] () -- C:\WINDOWS\System32\libeay32_0.9.6l.dll
[2007/04/16 19:14:15 | 00,011,776 | ---- | C] () -- C:\WINDOWS\System32\ZPORT4AS.dll
[2007/04/15 01:07:06 | 00,000,023 | ---- | C] () -- C:\WINDOWS\BlendSettings.ini
[2007/04/13 11:12:21 | 00,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2007/04/13 11:12:20 | 00,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2007/04/10 22:46:05 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2007/04/10 22:46:02 | 00,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2007/04/10 20:47:17 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/06/21 03:48:15 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/06/17 03:24:58 | 00,000,580 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2006/06/17 03:24:57 | 00,000,469 | ---- | C] () -- C:\WINDOWS\System32\emver.ini
[2005/08/05 22:01:54 | 00,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll

========== Custom Scans ==========


< >

< %SYSTEMDRIVE%\*.exe >
[2007/04/26 23:08:31 | 00,010,920 | ---- | M] () -- C:\aolconnfix.exe

< %SYSTEMDRIVE%\eventlog.dll /s /md5 >
[2008/04/13 18:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/13 18:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 18:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2008/04/13 18:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll

< %SYSTEMDRIVE%\scecli.dll /s /md5 >
[2004/08/10 13:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 18:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/13 18:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 18:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %SYSTEMDRIVE%\netlogon.dll /s /md5 >
[2009/02/06 12:46:09 | 00,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
[2004/08/10 13:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtUninstallKB968389_0$\netlogon.dll
[2009/02/06 12:46:09 | 00,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$NtUninstallKB975467_0$\netlogon.dll
[2008/04/13 18:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/13 18:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 18:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< %SYSTEMDRIVE%\cngaudit.dll /s /md5 >

< %SYSTEMDRIVE%\sceclt.dll /s /md5 >

< %SYSTEMDRIVE%\ntelogon.dll /s /md5 >

< %SYSTEMDRIVE%\logevent.dll /s /md5 >
[2004/08/10 13:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\logevent.dll

< %SYSTEMDRIVE%\iaStor.sys /s /md5 >
[2006/07/06 07:59:42 | 00,246,784 | ---- | M] (Intel Corporation) MD5=019CF5F31C67030841233C545A0E217A -- C:\WINDOWS\I386\DRV\SCS\iastor.sys
[2006/07/06 07:59:42 | 00,246,784 | ---- | M] (Intel Corporation) MD5=019CF5F31C67030841233C545A0E217A -- C:\WINDOWS\system32\drivers\iastor.sys

< %SYSTEMDRIVE%\nvstor*.sys /s /md5 >

< %SYSTEMDRIVE%\atapi* /s /md5 >
[2004/08/10 13:00:00 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2008/04/13 12:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2004/08/10 13:00:00 | 00,049,558 | ---- | M] () MD5=28541D14647BB58502D09D1CEAEE6684 -- C:\WINDOWS\I386\ATAPI.SY_
[2008/04/13 12:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 12:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< %SYSTEMDRIVE%\IdeChnDr.sys /s /md5 >

< %SYSTEMDRIVE%\viasraid.sys /s /md5 >

< %SYSTEMDRIVE%\AGP440.sys /s /md5 >
[2004/08/03 17:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys
[2008/04/13 12:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 12:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 12:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< %SYSTEMDRIVE%\vaxscsi.sys /s /md5 >

< %SYSTEMDRIVE%\nvatabus.sys /s /md5 >

< %SYSTEMDRIVE%\viamraid.sys /s /md5 >

< %SYSTEMDRIVE%\nvata.sys /s /md5 >

< %SYSTEMDRIVE%\nvgts.sys /s /md5 >

< %SYSTEMDRIVE%\iastorv.sys /s /md5 >

< %SYSTEMDRIVE%\ViPrt.sys /s /md5 >

< %SYSTEMDRIVE%\eNetHook.dll /s /md5 >

========== Alternate Data Streams ==========

@Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 111 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:663565B1
< End of report >

Edited by Royal Thirteen, 27 November 2009 - 11:14 AM.


#9 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,195 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:04:55 AM

Posted 27 November 2009 - 11:38 AM

Hi, Royal Thirteen :(

Daemon Tools could be the reason the MBR is being hooked. It will intervene with the detection of a rootkit that is now affecting a great number of computers.

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.

Note: If you have SP3, use the SP2 package.


---------------------------------------------------------------------

Transfer all files you just downloaded, to the desktop of the infected computer.

--------------------------------------------------------------------


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.




  • At the next prompt, click 'Yes' to run the full ComboFix scan.

  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.

Edited by JSntgRvr, 27 November 2009 - 11:38 AM.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#10 Royal Thirteen

Royal Thirteen
  • Topic Starter

  • Members
  • 10 posts
  • Local time:04:55 AM

Posted 27 November 2009 - 12:14 PM

Good to know. I've unmounted my virtual drives, and I will be posting my GMER report, and my combo fix report, ASAP.


!!!! Blue screen of death encountered while running GMER. Rebooted laptop, installed recovery console, ran combo fix. PC rebooted properly to execute combofix. !!!!
!! Combo fix disabled the virtual drive drivers, so maybe it's not interfering after all? !!

Re-attempt GMER?

[COMBO FIX]

ComboFix 09-11-24.02 - Stephanie's Movie 11/27/2009 11:33.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.439 [GMT -6:00]
Running from: c:\documents and settings\Stephanie's Movie\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Stephanie's Movie\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2009-10-27 to 2009-11-27 )))))))))))))))))))))))))))))))
.

2009-11-27 01:18 . 2008-04-14 00:11 56320 -c--a-w- c:\windows\system32\dllcache\eventlog.dll
2009-11-27 01:18 . 2008-04-14 00:11 56320 ------w- c:\windows\system32\eventlog.dll
2009-11-25 20:27 . 2009-11-25 20:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-11-25 20:04 . 2009-11-25 20:04 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-11-25 19:41 . 2008-12-11 14:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-11-25 19:41 . 2009-08-24 20:05 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-11-25 19:41 . 2009-08-19 17:01 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-11-25 19:40 . 2009-11-25 19:43 -------- d-----w- c:\program files\Common Files\PC Tools
2009-11-25 19:40 . 2008-12-10 17:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-11-25 19:40 . 2009-11-25 19:44 -------- d-----w- c:\program files\Spyware Doctor
2009-11-25 19:40 . 2009-11-25 19:40 -------- d-----w- c:\documents and settings\Stephanie's Movie\Application Data\PC Tools
2009-11-25 19:40 . 2009-11-25 19:40 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-11-20 15:21 . 2009-11-03 02:29 877848 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2009-11-16 03:54 . 2009-11-17 00:57 -------- d-----w- c:\program files\Windows Live Safety Center
2009-11-12 15:26 . 2009-11-10 18:37 4026136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-11-12 15:26 . 2009-11-10 18:37 2016536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2009-11-12 15:26 . 2009-11-10 18:37 1257240 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2009-11-12 15:26 . 2009-11-03 02:29 600344 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2009-11-12 15:26 . 2009-11-12 15:25 3963648 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-12 15:26 . 2009-11-12 15:25 497944 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-12 02:22 . 2009-11-12 02:22 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-11-12 02:08 . 2009-11-12 02:08 -------- d-----w- c:\documents and settings\J J\Application Data\MySpace
2009-11-12 01:44 . 2009-11-12 01:45 -------- d-----w- c:\documents and settings\J J\Local Settings\Application Data\Apple Computer
2009-11-12 01:44 . 2009-11-12 01:44 -------- d-sh--w- c:\documents and settings\J J\IETldCache
2009-11-11 19:30 . 2009-11-11 19:30 -------- d-----w- c:\program files\Safer Networking
2009-11-10 18:38 . 2009-11-03 02:30 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2009-11-10 18:35 . 2009-11-10 18:35 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-11-10 18:35 . 2009-11-03 02:29 610072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2009-11-10 09:05 . 2009-08-29 08:08 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-11-10 09:05 . 2009-08-29 08:08 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-11-10 09:02 . 2009-11-12 00:10 -------- d-----w- c:\windows\ie8updates
2009-11-09 17:22 . 2009-11-09 17:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-09 12:14 . 2009-11-09 12:14 -------- d-----w- c:\windows\system32\scripting
2009-11-09 12:14 . 2009-11-09 12:14 -------- d-----w- c:\windows\l2schemas
2009-11-09 12:14 . 2009-11-09 12:14 -------- d-----w- c:\windows\system32\en
2009-11-09 12:14 . 2009-11-09 12:14 -------- d-----w- c:\windows\system32\bits
2009-11-09 12:03 . 2009-11-09 12:03 -------- d-sh--w- c:\documents and settings\Stephanie's Movie\PrivacIE
2009-11-09 11:44 . 2009-11-09 11:44 -------- d-sh--w- c:\documents and settings\Stephanie's Movie\IETldCache
2009-11-09 11:33 . 2009-11-09 11:36 -------- dc-h--w- c:\windows\ie8
2009-11-08 07:38 . 2009-11-08 07:38 1408800 ----a-w- c:\documents and settings\Stephanie's Movie\Application Data\Move Networks\MoveMediaPlayerWin_071505000011.exe
2009-11-07 02:58 . 2009-11-07 02:58 -------- d-----w- c:\documents and settings\Stephanie's Movie\Local Settings\Application Data\AVG Security Toolbar
2009-11-03 08:43 . 2009-11-03 08:43 -------- d-----w- c:\windows\Performance
2009-11-03 08:43 . 2009-11-03 08:43 -------- d-----w- c:\documents and settings\Stephanie's Movie\Local Settings\Application Data\Microsoft Corporation
2009-11-03 08:37 . 2009-11-03 08:37 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2009-11-03 03:50 . 2009-10-16 18:12 1119488 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-11-03 03:23 . 2009-11-03 03:23 -------- dc----w- C:\lulz
2009-11-03 02:30 . 2009-11-03 02:52 -------- dc----w- C:\$AVG
2009-11-03 02:30 . 2009-11-10 18:37 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-03 02:30 . 2009-11-03 02:30 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-03 02:30 . 2009-11-03 02:30 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-03 02:30 . 2009-11-03 02:30 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-03 02:30 . 2009-11-27 14:20 -------- d-----w- c:\windows\system32\drivers\Avg
2009-11-03 02:30 . 2009-11-03 03:50 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-11-03 02:29 . 2009-11-03 02:29 -------- d-----w- c:\program files\AVG
2009-11-03 02:29 . 2009-11-04 02:29 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-02 23:51 . 2009-11-03 02:11 160272 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-02 22:51 . 2009-11-03 06:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Screaming Bee
2009-11-02 22:51 . 2009-11-25 20:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-02 22:51 . 2009-11-02 22:51 -------- d-----w- c:\program files\Common Files\Screaming Bee
2009-11-02 22:33 . 2009-11-03 06:17 -------- d-----w- c:\documents and settings\Stephanie's Movie\Application Data\Screaming Bee
2009-11-02 22:32 . 2009-11-03 06:51 -------- d-----w- c:\program files\Screaming Bee
2009-11-02 22:24 . 2009-11-02 22:24 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-11-02 22:24 . 2009-11-13 20:03 -------- d-----w- c:\documents and settings\Stephanie's Movie\Application Data\skypePM
2009-11-02 22:21 . 2009-11-13 20:12 -------- d-----w- c:\documents and settings\Stephanie's Movie\Application Data\Skype
2009-11-02 22:21 . 2009-11-02 22:21 -------- d-----w- c:\program files\Common Files\Skype
2009-11-02 22:21 . 2009-11-02 22:21 -------- d-----r- c:\program files\Skype
2009-11-02 22:21 . 2009-11-02 22:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-11-02 21:11 . 2009-11-02 22:33 -------- dc----w- C:\vcs5BGEffects

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-27 17:12 . 2009-10-13 03:32 1 ----a-w- c:\documents and settings\Stephanie's Movie\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-11-27 01:04 . 2009-11-27 01:06 2825728 ----a-w- c:\windows\Internet Logs\xDB34.tmp
2009-11-27 01:01 . 2008-01-26 16:50 -------- d-----w- c:\documents and settings\Stephanie's Movie\Application Data\uTorrent
2009-11-20 01:52 . 2009-11-20 01:59 2592768 ----a-w- c:\windows\Internet Logs\xDB32.tmp
2009-11-20 01:52 . 2009-11-20 01:59 2480640 ----a-w- c:\windows\Internet Logs\xDB33.tmp
2009-11-12 02:09 . 2006-06-19 04:25 84448 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-12 02:04 . 2009-11-12 02:05 2717184 ----a-w- c:\windows\Internet Logs\xDB31.tmp
2009-11-12 00:13 . 2007-04-13 14:48 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-11 19:37 . 2007-04-13 14:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-09 18:04 . 2007-12-28 23:55 84448 ----a-w- c:\documents and settings\Stephanie's Movie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-09 12:20 . 2006-06-17 09:39 86811 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-11-08 07:38 . 2009-09-22 17:22 127325 ----a-w- c:\documents and settings\Stephanie's Movie\Application Data\Move Networks\uninstall.exe
2009-11-08 07:38 . 2008-02-06 04:45 -------- d-----w- c:\documents and settings\Stephanie's Movie\Application Data\Move Networks
2009-11-08 07:38 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\Stephanie's Movie\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-11-04 05:38 . 2009-11-04 05:42 2445312 ----a-w- c:\windows\Internet Logs\xDB30.tmp
2009-11-03 06:59 . 2009-04-28 05:19 -------- d-----w- c:\program files\Exterminate It!
2009-11-03 00:35 . 2007-04-11 06:38 -------- d-----w- c:\documents and settings\All Users\Application Data\avg7
2009-11-03 00:35 . 2009-09-01 03:18 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG7
2009-11-03 00:35 . 2007-12-28 23:55 -------- d-----w- c:\documents and settings\Stephanie's Movie\Application Data\AVG7
2009-11-03 00:35 . 2007-12-17 02:00 -------- d-----w- c:\documents and settings\J J\Application Data\AVG7
2009-11-02 20:49 . 2009-11-02 20:50 4062208 ----a-w- c:\windows\Internet Logs\xDB2F.tmp
2009-10-28 23:52 . 2007-04-25 11:23 40042441 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2009-10-19 08:12 . 2009-10-19 08:12 -------- d-----w- c:\program files\MSBuild
2009-10-19 08:11 . 2009-10-19 08:11 -------- d-----w- c:\program files\Reference Assemblies
2009-10-19 08:02 . 2009-10-19 08:02 -------- d-----w- c:\program files\MSXML 6.0
2009-10-19 03:05 . 2008-05-07 03:55 -------- d-----w- c:\documents and settings\Stephanie's Movie\Application Data\dvdcss
2009-10-18 09:32 . 2009-04-29 02:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-18 09:31 . 2009-10-18 09:31 4045527 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-10-13 03:19 . 2009-10-13 03:19 -------- d-----w- c:\documents and settings\Stephanie's Movie\Application Data\OpenOffice.org
2009-10-12 22:14 . 2009-10-12 22:14 -------- d-----w- c:\program files\JRE
2009-10-12 22:14 . 2009-10-12 22:13 -------- d-----w- c:\program files\OpenOffice.org 3
2009-10-12 22:12 . 2007-07-10 07:20 -------- d-----w- c:\program files\OpenOffice.org 2.2
2009-10-12 22:07 . 2009-10-12 22:08 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-12 22:07 . 2007-04-11 02:47 -------- d-----w- c:\program files\Java
2009-10-06 17:42 . 2008-01-27 02:47 -------- d-----w- c:\documents and settings\Stephanie's Movie\Application Data\OpenOffice.org2
2009-10-04 23:03 . 2008-10-08 04:51 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-24 10:25 . 2007-04-14 22:23 249856 ------w- c:\windows\Setup1.exe
2009-09-24 10:25 . 2007-04-14 22:23 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-09-22 17:22 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\Stephanie's Movie\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-09-11 14:18 . 2007-04-11 01:48 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 20:54 . 2009-04-29 02:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 20:53 . 2009-04-29 02:32 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2007-04-11 01:48 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-01 03:06 . 2009-09-01 03:59 2761216 ----a-w- c:\windows\Internet Logs\xDB2E.tmp
2009-04-15 20:24 . 2009-04-15 20:24 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-04-15 20:24 . 2009-04-15 20:24 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-25_21.17.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-27 17:26 . 2009-11-27 17:26 16384 c:\windows\Temp\Perflib_Perfdata_6e4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-10-16 18:12 1119488 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 4670968]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe runtime -Delay" [X]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 919280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-12 2020120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

c:\documents and settings\Stephanie's Movie\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
Rainmeter.lnk - c:\program files\Rainmeter\Rainmeter.exe [2006-1-21 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-03 02:30 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\aol\\1176459244\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.0a\\waol.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\aol\\1176459244\\ee\\AOLDesktop.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbTray.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\xmltv.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [4/26/2009 11:03 PM 28544]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [11/25/2009 1:41 PM 206256]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/2/2009 8:30 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/2/2009 8:30 PM 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [11/2/2009 8:29 PM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/2/2009 8:29 PM 285392]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [4/6/2009 1:19 PM 23064]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [4/18/2007 9:03 PM 682232]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [4/28/2009 8:32 PM 38224]
S3 NetWlan5;Symbol Based 802.11b Wireless LAN Card Driver;c:\windows\system32\drivers\NetWlan5.sys [4/17/2007 6:31 AM 132695]
S3 P1120VID;Creative WebCam NX Ultra;c:\windows\system32\drivers\P1120Vid.sys [1/12/2004 3:51 PM 1252474]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [11/25/2009 1:40 PM 348752]
.
Contents of the 'Scheduled Tasks' folder

2009-10-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 22:57]

2009-11-27 c:\windows\Tasks\Defraggler Volume C Task.job
- c:\program files\Defraggler\df.exe [2009-04-13 14:17]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Stephanie's Movie\Start Menu\Programs\IMVU\Run IMVU.lnk
TCP: {AA9CEF7B-E262-49DA-AF97-00169B25016F} = 24.93.41.127,24.93.41.128
FF - ProfilePath - c:\documents and settings\Stephanie's Movie\Application Data\Mozilla\Firefox\Profiles\79dgpf2s.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Stephanie's Movie\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\Stephanie's Movie\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\Stephanie's Movie\Application Data\Mozilla\Firefox\Profiles\79dgpf2s.default\extensions\OpenXMLViewer@Codeplex.com\plugins\npDocX.dll
FF - plugin: c:\documents and settings\Stephanie's Movie\Application Data\Mozilla\Firefox\Profiles\79dgpf2s.default\extensions\OpenXMLViewer@Codeplex.com\plugins\npnul32.dll
FF - plugin: c:\documents and settings\Stephanie's Movie\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.17\Plugins\npybrowserplus_2.4.17.dll
FF - plugin: c:\program files\IGN\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-27 11:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(820)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2009-11-27 11:52
ComboFix-quarantined-files.txt 2009-11-27 17:52
ComboFix2.txt 2009-11-27 01:51
ComboFix3.txt 2009-11-26 08:44
ComboFix4.txt 2009-11-25 21:28

Pre-Run: 49,831,391,232 bytes free
Post-Run: 49,786,114,048 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
timeout=2
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /usepmtimer
[spybotsd]
timeout.old=30

Current=3 Default=3 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - C4EAACA338E6544D2122F897F76FCDF8

Edited by Royal Thirteen, 27 November 2009 - 12:58 PM.


#11 Royal Thirteen

Royal Thirteen
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:55 AM

Posted 27 November 2009 - 03:07 PM

GMER Attempt 2 successful.

[GMER LOG]

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-27 14:05:33
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\STEPHA~1\LOCALS~1\Temp\pgrcrpog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateFile [0xEDC9F820]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF71C2D72]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateProcess [0xEDCA9480]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateProcessEx [0xEDCA96B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateSection [0xEDCACCE0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteFile [0xEDC9FEA0]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF71C3568]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF71C3820]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDuplicateObject [0xEDCA91F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwLoadKey [0xEDCAB9E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenFile [0xEDC9FCF0]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF71C1A80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenProcess [0xEDCA8F40]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenThread [0xEDCA8D60]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF71C3C8A]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwReplaceKey [0xEDCABCD0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRestoreKey [0xEDCABF80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSecureConnectPort [0xEDCA3010]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetInformationFile [0xEDCA0010]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF71C3036]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwTerminateProcess [0xEDCA98E0]

Code \??\C:\DOCUME~1\STEPHA~1\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthewqxypkmkvrnxfmloakjbfrjhovtoode@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthewqxypkmkvrnxfmloakjbfrjhovtoode@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthewqxypkmkvrnxfmloakjbfrjhovtoode@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthewqxypkmkvrnxfmloakjbfrjhovtoode@imagepath \systemroot\system32\drivers\ovfsthvrnyuyabdbowblhtxrdltpbpitudjyne.sys
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthewqxypkmkvrnxfmloakjbfrjhovtoode@inst 0
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthewqxypkmkvrnxfmloakjbfrjhovtoode\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthewqxypkmkvrnxfmloakjbfrjhovtoode\main@ver sni060409
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthewqxypkmkvrnxfmloakjbfrjhovtoode\main@cid 01
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthewqxypkmkvrnxfmloakjbfrjhovtoode\main@bid 617915282-58503940-741588640-2487457409
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthewqxypkmkvrnxfmloakjbfrjhovtoode\main@aid 998
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthewqxypkmkvrnxfmloakjbfrjhovtoode\main@sid 3
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthewqxypkmkvrnxfmloakjbfrjhovtoode\main@feed 0x22 0x64 0x78 0x36 ...
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthewqxypkmkvrnxfmloakjbfrjhovtoode\main@cmddelay 28801
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthewqxypkmkvrnxfmloakjbfrjhovtoode\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthewqxypkmkvrnxfmloakjbfrjhovtoode\main\ff (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthewqxypkmkvrnxfmloakjbfrjhovtoode\main\ff@extension \\?\C:\Program Files\Mozilla Firefox\extensions\{6EB7228E-1433-4BBD-87AA-373F95CC3317}
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthewqxypkmkvrnxfmloakjbfrjhovtoode\main\ff@version 1
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthewqxypkmkvrnxfmloakjbfrjhovtoode\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthewqxypkmkvrnxfmloakjbfrjhovtoode\main\injector@iexplore.exe ovfsthwi.dll
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthewqxypkmkvrnxfmloakjbfrjhovtoode\main\injector@explorer.exe ovfsthff.dll
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthewqxypkmkvrnxfmloakjbfrjhovtoode\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthewqxypkmkvrnxfmloakjbfrjhovtoode\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthewqxypkmkvrnxfmloakjbfrjhovtoode\modules@ovfsth.sys \systemroot\system32\drivers\ovfsthvrnyuyabdbowblhtxrdltpbpitudjyne.sys
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthewqxypkmkvrnxfmloakjbfrjhovtoode\modules@ovfsth.dll \systemroot\system32\ovfsthhtxxcifttyxiprrjlqultxbqqwxqrcwa.dll
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthewqxypkmkvrnxfmloakjbfrjhovtoode\modules@ovfsthlog.dat \systemroot\system32\ovfsthdscsqttqlrvklnaomuklpugywkmmqogr.dat
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthewqxypkmkvrnxfmloakjbfrjhovtoode\modules@ovfsthwi.dll \systemroot\system32\ovfsthaeiraimuukbublcnsaidrkhxxjuwqpcq.dll
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthewqxypkmkvrnxfmloakjbfrjhovtoode\modules@ovfsthff.dll \systemroot\system32\ovfsthquwbplcfudqfixhcigiftotokuuwujqe.dll
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthewqxypkmkvrnxfmloakjbfrjhovtoode\modules@ovfsth.dat \systemroot\system32\ovfsthynlqxihxpbwrafvsnoyhqfkdndxdkyjg.dat
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x2E 0xC6 0x45 0xAD ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xF5 0x12 0x6E 0xBC ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xC0 0xA8 0xE0 0x02 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x3D 0xE3 0x48 0xCA ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x0A 0x9C 0x00 0x5A ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x22 0xE3 0x67 0xF9 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x2E 0xC6 0x45 0xAD ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xF5 0x12 0x6E 0xBC ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x42 0xD2 0xD6 0xAE ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x3D 0xE3 0x48 0xCA ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x0A 0x9C 0x00 0x5A ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x22 0xE3 0x67 0xF9 ...
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACnuglbgdnjn.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACd
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACc
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacbbr
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacsr
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacav
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacserf
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x2E 0xC6 0x45 0xAD ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xF5 0x12 0x6E 0xBC ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x27 0x44 0x55 0x24 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x3D 0xE3 0x48 0xCA ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x0A 0x9C 0x00 0x5A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x22 0xE3 0x67 0xF9 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x2E 0xC6 0x45 0xAD ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xF5 0x12 0x6E 0xBC ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x27 0x44 0x55 0x24 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x3D 0xE3 0x48 0xCA ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x0A 0x9C 0x00 0x5A ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x22 0xE3 0x67 0xF9 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x2E 0xC6 0x45 0xAD ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xF5 0x12 0x6E 0xBC ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x27 0x44 0x55 0x24 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x3D 0xE3 0x48 0xCA ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x0A 0x9C 0x00 0x5A ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x22 0xE3 0x67 0xF9 ...

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Owner\My Documents\My Games\Morrowind\The Elder Scrolls III Morrowind Game of the Year Edition\Morrowind System Files\mcpatch\ecb347304134f63cabf1ab38f0728dcff5fbfb11e7ac2b87a03c8639936ab094\23c36ef153f5b183fc13d06ef339d9356c0da6b30a90aa7359baedce2135f036\patch 34 bytes
File C:\Documents and Settings\Owner\My Documents\My Games\Morrowind\The Elder Scrolls III Morrowind Game of the Year Edition\Morrowind System Files\mcpatch\ecb347304134f63cabf1ab38f0728dcff5fbfb11e7ac2b87a03c8639936ab094\f027a20356e788cf1a48d6f89f8b11eb61b34dda2fecb6fab59a74e3dae3f83a\patch 34 bytes

---- EOF - GMER 1.0.15 ----

#12 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,195 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:04:55 AM

Posted 27 November 2009 - 03:41 PM

Hi, Royal Thirteen :(

That is what I was expecting from Combofix. There are non-active ControlSets in your computer containing the code of the rootkits. Although it may not represent a threat, I would like to remove them.
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as fix.bat
  • Change the Save as Type to All Files
  • and Save it on the desktop
  • Once saved, double click on the fix.bat file.The MSDOS window will be displayed. That is normal.

@ECHO OFF
ECHO Working ......
REM Run from the folder the batch file was saved in
cd /d %~dp0
REM Reset the permissions on the locked rootkit service key, grant full access, then delete the key
SWREG ACL "HKLM\SYSTEM\ControlSet002\Services\UACd.sys" /RE-SET /Q
SWREG ACL "HKLM\SYSTEM\ControlSet002\Services\UACd.sys" /P /GE:F /Q
SWREG DELETE "HKLM\SYSTEM\ControlSet002\Services\UACd.sys"
REM Same three steps for the second rootkit service key in ControlSet001
SWREG ACL "HKLM\SYSTEM\ControlSet001\Services\ovfsthewqxypkmkvrnxfmloakjbfrjhovtoode" /RE-SET /Q
SWREG ACL "HKLM\SYSTEM\ControlSet001\Services\ovfsthewqxypkmkvrnxfmloakjbfrjhovtoode" /P /GE:F /Q
SWREG DELETE "HKLM\SYSTEM\ControlSet001\Services\ovfsthewqxypkmkvrnxfmloakjbfrjhovtoode"
Exit


Lets scan for remnants:

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java to download and install the latest version.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
Attention! Kaspersky Online Scanner 7.0 may fail to start if another anti-virus program is already installed and running on your computer. Please deactivate the anti-virus software installed on your computer prior to starting Kaspersky Online Scanner 7.0.

Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE) JRE 6 Update 17.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u17-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u17-windows-i586.exe and select "Run as an Administrator.")

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
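JSntgRvr's point above, that a service key surviving only in a ControlSet which GMER marks "(not active ControlSet)" is a remnant nothing loads at boot but still worth clearing, can be checked mechanically against a GMER log. The following is an added example written for this thread, not code from GMER, ComboFix or JSntgRvr; the function names are mine, and the sample input is a constructed subset of the Registry lines from the GMER log above. It groups GMER's Services entries by ControlSet, records which sets GMER marked as not active, and reports the services that appear only in those sets, together with the key paths in the form the fix.bat operates on.

```python
"""Find service keys that GMER lists only under non-active ControlSets.

Added example for this thread (not part of GMER, ComboFix or the helper's
fix.bat): the comparison the helper makes by eye, written as a parser over
GMER's "Registry" lines.
"""
import re

# Constructed sample: a subset of the "Registry - GMER" lines from the log above.
SAMPLE_GMER_LINES = r"""
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthewqxypkmkvrnxfmloakjbfrjhovtoode@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthewqxypkmkvrnxfmloakjbfrjhovtoode@imagepath \systemroot\system32\drivers\ovfsthvrnyuyabdbowblhtxrdltpbpitudjyne.sys
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthewqxypkmkvrnxfmloakjbfrjhovtoode\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACnuglbgdnjn.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
"""

# One GMER "Reg" line under HKLM\SYSTEM\<ControlSet>\Services\...
LINE_RE = re.compile(
    r"^Reg HKLM\\SYSTEM\\(?P<cs>ControlSet\d{3}|CurrentControlSet)\\Services\\"
    r"(?P<svc>[^\\@\s]+)"        # service name: first component after Services\
    r"(?P<subkey>[^@\s]*)"       # optional subkey path such as \main or \Cfg\...
    r"(?:@(?P<value>\S+))?"      # optional value name introduced by '@'
    r"(?:\s+(?P<data>.*))?$"     # optional value data, or GMER's status marker
)
INACTIVE_MARKER = "(not active ControlSet)"


def parse_gmer_registry(text):
    """Group GMER Services entries by ControlSet and service name.

    Returns (parsed, inactive): parsed[controlset][service] holds the values
    and subkeys GMER reported; inactive is the set of ControlSets that GMER
    marked as not active (CurrentControlSet never carries the marker).
    """
    parsed = {}
    inactive = set()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # SSDT hooks, devices, files: not a Services key
        cs, svc = m.group("cs"), m.group("svc")
        info = parsed.setdefault(cs, {}).setdefault(svc, {"values": {}, "subkeys": set()})
        data = m.group("data") or ""
        if INACTIVE_MARKER in data:
            inactive.add(cs)
        if m.group("value"):
            info["values"][m.group("value").lower()] = data
        elif m.group("subkey"):
            info["subkeys"].add(m.group("subkey"))
    return parsed, inactive


def find_orphaned_services(parsed, inactive):
    """Services GMER listed only under non-active ControlSets.

    Returns {(controlset, service): imagepath or None}. A driver that GMER also
    lists in an active set (sptd here) is not flagged.
    """
    live = set()
    for cs, services in parsed.items():
        if cs not in inactive:
            live.update(services)
    orphans = {}
    for cs in sorted(inactive):
        for svc, info in sorted(parsed[cs].items()):
            if svc not in live:
                orphans[(cs, svc)] = info["values"].get("imagepath")
    return orphans


def registry_keys_to_review(orphans):
    """Full key paths for the orphaned services, the form the fix.bat above uses."""
    return [rf"HKLM\SYSTEM\{cs}\Services\{svc}" for cs, svc in orphans]


if __name__ == "__main__":
    parsed, inactive = parse_gmer_registry(SAMPLE_GMER_LINES)
    print("non-active ControlSets:", ", ".join(sorted(inactive)))
    orphans = find_orphaned_services(parsed, inactive)
    for (cs, svc), image in orphans.items():
        print(f"{cs}: {svc} -> {image or '(no imagepath reported)'}")
    for key in registry_keys_to_review(orphans):
        print("review:", key)
```

The script only reasons about what GMER printed: a service GMER never listed is outside its view, and a driver listed in an active set as well is deliberately left alone, so read the output as a list of keys to review rather than a deletion list.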


#13 Royal Thirteen

Royal Thirteen
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:55 AM

Posted 27 November 2009 - 04:45 PM

Received the error UACD.sys does not exist, then the fix.bat killed itself. ??
Noticeable improvement in desktop/explorer boot speed.

System (the process) used to run at less than a MB of RAM, now it uses 80 MB. Is this normal, or have I remembered incorrectly??

Edited by Royal Thirteen, 27 November 2009 - 05:37 PM.


#14 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,195 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:04:55 AM

Posted 27 November 2009 - 07:11 PM

Received the error UACD.sys does not exist, then the fix.bat killed itself. ??
Noticeable improvement in desktop/explorer boot speed.


It opened and closed. That was expected. It was a non active ControlSet. Don't worry about it. Did you perform the Kaspersky scan?

Let me see a Screenshot of your concern about the System's memory used.
  • You can do this by pressing the PrintScreen key.
  • Then go to Start > All Programs > Accessories > Paint
  • In Paint, go up to Edit > Paste
  • Then Go up to File > Save As. Click the drop-down box to change the "Save As Type" to "JPEG", name as you wish, and save it on the desktop.
  • Then click Add Reply in this topic.
  • Scroll down to Attachments.
  • Click the Browse button.
  • Locate the file you just saved, click on it, then click Open, then Upload.
  • Under "Manage Current Attachments" click on the green sign.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#15 Royal Thirteen

Royal Thirteen
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:55 AM

Posted 27 November 2009 - 08:01 PM

The scan is still running as we speak, and the System process has been alternating how much memory it uses.

I do not fully understand what the process does, but it varies between 58 KB and 82,000 KB of RAM usage.

I'll post a screenshot when it acts up again. It's only using 64 KB atm.



